Is this possible with the IPSec pki tool?

Sent from my iPhone

On Apr 3, 2012, at 2:35 AM, Andreas Steffen <[email protected]> wrote:

> Hello Chris,
>
> I think you misconfigured your certificates:
>
> You should create a CA certificate and put it in /etc/ipsec.d/cacerts/.
>
> Then you should create two X.509 end entity certificates with
> matching private keys, one for strongSwan and one for sonicwall,
> and sign both certificates with the private key of the CA.
>
> The private strongSwan key you put into /etc/ipsec.d/private/ and
> the strongSwan certificate into /etc/ipsec.d/certs/.
>
> Then you package the private sonicwall key, sonicwall certificate
> and CA certificate into a PKCS#12 file (*.p12) and import it into
> your sonicwall box.
>
> The certificate request strongSwan sends should then be for the CA.
>
> RSA keys and certificates can be generated using either openssl-based
> tools
>
> http://wiki.strongswan.org/projects/strongswan/wiki/CAmanagementGUIs
>
> or the ipsec pki command
>
> http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
>
> Regards
>
> Andreas
>
> On 04/03/2012 05:11 AM, Chris Arnold wrote:
>> I uninstalled strongswan and started over again with strongswan. This time I
>> followed this:
>> http://www.strongswan.org/uml/testre...psk/index.html
>> under the sun heading. This time I try to ping the remote network from the
>> subnet behind the sonicwall; I get a whole different set of logs:
>>
>> 3 04/02/2012 22:17:06.096 Warning VPN IKE IKEv2 Received notify error payload strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; Invalid Syntax
>> 4 04/02/2012 22:17:06.096 Info VPN IKE IKEv2 Initiator: Received IKE_AUTH response strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN;
>> 5 04/02/2012 22:17:06.080 Info VPN IKE IKEv2 Initiator: Send IKE_AUTH request strongswan.public.ip, 4500 sonicwall.public.ip, 4500 VPN Policy: ELC VPN;
>> 6 04/02/2012 22:17:06.064 Info VPN IKE IKEv2 NAT device detected between negotiating peers strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; Peer gateway is behind a NAT device
>> 7 04/02/2012 22:17:05.912 Info VPN IKE IKEv2 Accept IKE SA Proposal strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; 3DES; HMAC_SHA1_96; DH Group 2; IKEv2 InitSPI: 0x78c7c9e9e8ee7c4d; IKEv2 RespSPI: 0x358c22dd808e74fa
>> 8 04/02/2012 22:17:05.912 Info VPN IKE IKEv2 Initiator: Received IKE_SA_INT response strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN;
>> 9 04/02/2012 22:17:05.880 Info VPN IKE IKEv2 Initiator: Send IKE_SA_INIT request strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN;
>>
>> According to log entry "3", it looks like strongswan is sending something
>> with an "invalid syntax". Any ideas?
>>
>> On the strongswan side:
>>
>> added configuration 'teknerds'
>> 03[NET] received packet: from sonicwall.public.ip[500] to 192.168.1.18[500]
>> 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
>> 03[ENC] received unknown vendor id: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
>> 03[IKE] sonicwall.public.ip is initiating an IKE_SA
>> 03[IKE] local host is behind NAT, sending keep alives
>> 03[IKE] sending cert request for "C=US, ST=North Carolina, L=Durham, O=Edens Land Corp, CN=Jarrod, [email protected]"
>> 03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>> 03[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
>> 06[NET] received packet: from sonicwall.public.ip[4500] to 192.168.1.18[4500]
>> 06[ENC] invalid X509 hash length (0) in certreq
>> 06[ENC] CERTIFICATE_REQUEST verification failed
>> 06[ENC] encrypted payload could not be decrypted and parsed
>> 06[ENC] could not decrypt payloads
>> 06[IKE] message parsing failed
>> 06[ENC] generating IKE_AUTH response 1 [ N(INVAL_SYN) ]
>> 06[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
>> 06[IKE] IKE_AUTH request with message ID 1 processing failed
>>
>> When it says this:
>> 03[IKE] sending cert request for "C=US, ST=North Carolina, L=Durham, O=Edens Land Corp, CN=Jarrod, [email protected]"
>> should I import the cert on the strongswan side into the sonicwall or do I
>> need to generate a cert on the sonicwall?
>>
>> At this point I would like to know if you have to use certs with ikev2 and
>> strongswan?
>>
>>
>> ----- Original Message -----
>> From: "Chris Arnold" <[email protected]>
>> To: [email protected]
>> Sent: Monday, April 2, 2012 6:24:41 PM
>> Subject: Re: [strongSwan] Question on IKEv2
>>
>>
>> On Apr 2, 2012, at 5:47 PM, Andreas Steffen <[email protected]> wrote:
>>
>>> Hi Chris,
>>>
>>> why do you go six years back in time?
>>>
>> Are you saying strongSwan 4.0 (the link I posted) is 6 yrs old?
>>
>>> Just have a look at our configuration examples:
>>>
>>>
>>> On 04/02/2012 10:34 PM, Chris Arnold wrote:
>>>> I have been trying to get a tunnel between strongSwan 4.4.x and a
>>>> sonicwall TZ180W to no avail. I have tried every combination known on
>>>> the sonicwall and every combination I know on the strongSwan side. My
>>>> last try was ikev2 and I think this might be the problem. This was
>>>> found on a strongSwan thread, found at
>>>> http://download.strongswan.org/CHANGES42.txt
>>>>
>>>> strongswan-4.0.0
>>>> ----------------
>>>>
>>>> - initial support of the IKEv2 protocol. Connections in ipsec.conf
>>>> designated by keyexchange=ikev2 are negotiated by the new IKEv2
>>>> charon keying daemon whereas those marked by keyexchange=ikev1 or the
>>>> default keyexchange=ike are handled by the IKEv1 pluto keying
>>>> daemon. Currently only a limited subset of functions are available
>>>> with IKEv2 (Default AES encryption, authentication based on locally
>>>> imported X.509 certificates, unencrypted private RSA keys in PKCS#1
>>>> file format, limited functionality of the ipsec status command).
>>>>
>>>> AES encryption, authentication based on locally imported X.509
>>>> certificates, unencrypted private RSA keys in PKCS#1 file format,
>>>> limited functionality of the ipsec status command: is this an AND/OR
>>>> list? Do you have to have certs to use ikev2 or can you do 1 of the
>>>> other auth in the list?
>>>
>>> ======================================================================
>>> Andreas Steffen [email protected]
>>> strongSwan - the Linux VPN Solution! www.strongswan.org
>>> Institute for Internet Technologies and Applications
>>> University of Applied Sciences Rapperswil
>>> CH-8640 Rapperswil (Switzerland)
>>> ===========================================================[ITA-HSR]==
>>
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> https://lists.strongswan.org/mailman/listinfo/users
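The CA, two end-entity certificates and PKCS#12 bundle that Andreas describes, as an added example that is not from the thread or the strongSwan project: it uses plain openssl (the first of the two options his reply names) and writes the files in the /etc/ipsec.d layout he gives, then checks the chain and computes the CA public-key hash that an IKEv2 CERTREQ carries, which is the value strongSwan found missing in the "invalid X509 hash length (0)" line. The DNs, hostnames and the p12 password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: the CA / two end-entity certs / PKCS#12
# layout Andreas describes, built with plain openssl (the page's other option
# besides ipsec pki). DNs, hostnames and the p12 password are constructed.
set -eu

# make_ike_pki DIR: DIR gets cacerts/, private/ and certs/ (the /etc/ipsec.d
# layout for strongSwan) plus sonicwall.p12 for import on the SonicWall.
make_ike_pki() {
    dir="$1"
    mkdir -p "$dir/cacerts" "$dir/private" "$dir/certs"
    # 1. CA key and self-signed CA certificate -> cacerts/
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -subj "/C=US/O=Example Corp/CN=Example VPN CA" \
        -keyout "$dir/caKey.pem" -out "$dir/cacerts/caCert.pem" 2>/dev/null
    # 2. one end-entity key + cert per peer, both signed by the CA key;
    #    the SAN is what each peer presents as its IKE identity
    for peer in strongswan sonicwall; do
        openssl req -newkey rsa:2048 -nodes -sha256 \
            -subj "/C=US/O=Example Corp/CN=${peer}.example.com" \
            -keyout "$dir/${peer}Key.pem" -out "$dir/${peer}.csr" 2>/dev/null
        printf 'subjectAltName=DNS:%s.example.com\n' "$peer" > "$dir/${peer}.ext"
        openssl x509 -req -days 1825 -sha256 -in "$dir/${peer}.csr" \
            -CA "$dir/cacerts/caCert.pem" -CAkey "$dir/caKey.pem" -CAcreateserial \
            -extfile "$dir/${peer}.ext" -out "$dir/${peer}Cert.pem" 2>/dev/null
    done
    # 3. strongSwan side: private key -> private/, certificate -> certs/
    mv "$dir/strongswanKey.pem" "$dir/private/"
    mv "$dir/strongswanCert.pem" "$dir/certs/"
    # 4. SonicWall side: its key, its cert and the CA cert in one PKCS#12
    openssl pkcs12 -export -passout pass:changeit -name sonicwall \
        -inkey "$dir/sonicwallKey.pem" -in "$dir/sonicwallCert.pem" \
        -certfile "$dir/cacerts/caCert.pem" -out "$dir/sonicwall.p12"
    rm -f "$dir"/*.csr "$dir"/*.ext "$dir"/cacerts/*.srl
}

# verify_chain CACERT CERT: succeeds only if CERT is signed by CACERT, the
# check charon performs on the peer's certificate during IKE_AUTH.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# ca_certreq_hash CACERT: SHA-1 of the CA's SubjectPublicKeyInfo, the 20-byte
# value an IKEv2 CERTREQ carries per trusted CA (RFC 7296, section 3.7). A
# certreq with no such hash is what charon logs as "invalid X509 hash length (0)".
ca_certreq_hash() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
        | openssl dgst -sha1 -hex | sed 's/^.*= *//'
}
```

The same four files can be produced with `ipsec pki --gen`, `ipsec pki --self --ca` and `ipsec pki --issue` as on the SimpleCA page linked above; the directory layout and the p12 step are unchanged.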
