Thank you all for not calling me an id10t!! I read, completely, the email Andreas sent and saw where you can use the pki tool. So I followed the instructions, and on the import of caCert.der into the SonicWall I get the error "invalid format. Please use der or pem." The other 2 files import fine into the SonicWall, and they too are DER format.
Sent from my iPhone

On Apr 4, 2012, at 10:40 AM, Chris Arnold <[email protected]> wrote:

> Is this possible with the IPSec pki tool?
>
> Sent from my iPhone
>
> On Apr 3, 2012, at 2:35 AM, Andreas Steffen <[email protected]> wrote:
>
>> Hello Chris,
>>
>> I think you misconfigured your certificates:
>>
>> You should create a CA certificate and put it in /etc/ipsec.d/cacerts/.
>>
>> Then you should create two X.509 end entity certificates with
>> matching private keys, one for strongSwan and one for sonicwall,
>> and sign both certificates with the private key of the CA.
>>
>> The private strongSwan key you put into /etc/ipsec.d/private/ and
>> the strongSwan certificate into /etc/ipsec.d/certs/.
>>
>> Then you package the private sonicwall key, sonicwall certificate
>> and CA certificate into a PKCS#12 file (*.p12) and import it into
>> your sonicwall box.
>>
>> The certificate request strongSwan sends should then be for the CA.
>>
>> RSA keys and certificates can be generated using either openssl-based
>> tools
>>
>> http://wiki.strongswan.org/projects/strongswan/wiki/CAmanagementGUIs
>>
>> or the ipsec pki command
>>
>> http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
>>
>> Regards
>>
>> Andreas
>>
>> On 04/03/2012 05:11 AM, Chris Arnold wrote:
>>> I uninstalled strongswan and started over again with strongswan. This time
>>> I followed this:
>>> http://www.strongswan.org/uml/testre...psk/index.html
>>> under the sun heading.
>>> This time I try to ping the remote network from the
>>> subnet behind the sonicwall; I get a whole different set of logs:
>>>
>>> 3 04/02/2012 22:17:06.096 Warning VPN IKE IKEv2 Received notify error payload strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; Invalid Syntax
>>> 4 04/02/2012 22:17:06.096 Info VPN IKE IKEv2 Initiator: Received IKE_AUTH response strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN;
>>> 5 04/02/2012 22:17:06.080 Info VPN IKE IKEv2 Initiator: Send IKE_AUTH request strongswan.public.ip, 4500 sonicwall.public.ip, 4500 VPN Policy: ELC VPN;
>>> 6 04/02/2012 22:17:06.064 Info VPN IKE IKEv2 NAT device detected between negotiating peers strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; Peer gateway is behind a NAT device
>>> 7 04/02/2012 22:17:05.912 Info VPN IKE IKEv2 Accept IKE SA Proposal strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; 3DES; HMAC_SHA1_96; DH Group 2; IKEv2 InitSPI: 0x78c7c9e9e8ee7c4d; IKEv2 RespSPI: 0x358c22dd808e74fa
>>> 8 04/02/2012 22:17:05.912 Info VPN IKE IKEv2 Initiator: Received IKE_SA_INT response strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN;
>>> 9 04/02/2012 22:17:05.880 Info VPN IKE IKEv2 Initiator: Send IKE_SA_INIT request strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN;
>>>
>>> According to log entry "3", it looks like strongswan is sending something
>>> with an "invalid syntax". Any ideas?
>>>
>>> On the strongswan side:
>>> added configuration 'teknerds'
>>> 03[NET] received packet: from sonicwall.public.ip[500] to 192.168.1.18[500]
>>> 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
>>> 03[ENC] received unknown vendor id: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
>>> 03[IKE] sonicwall.public.ip is initiating an IKE_SA
>>> 03[IKE] local host is behind NAT, sending keep alives
>>> 03[IKE] sending cert request for "C=US, ST=North Carolina, L=Durham, O=Edens Land Corp, CN=Jarrod, [email protected]"
>>> 03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>>> 03[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
>>> 06[NET] received packet: from sonicwall.public.ip[4500] to 192.168.1.18[4500]
>>> 06[ENC] invalid X509 hash length (0) in certreq
>>> 06[ENC] CERTIFICATE_REQUEST verification failed
>>> 06[ENC] encrypted payload could not be decrypted and parsed
>>> 06[ENC] could not decrypt payloads
>>> 06[IKE] message parsing failed
>>> 06[ENC] generating IKE_AUTH response 1 [ N(INVAL_SYN) ]
>>> 06[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
>>> 06[IKE] IKE_AUTH request with message ID 1 processing failed
>>>
>>> When it says this:
>>> 03[IKE] sending cert request for "C=US, ST=North Carolina, L=Durham, O=Edens Land Corp, CN=Jarrod, [email protected]"
>>> should I import the cert on the strongswan side into the sonicwall or do I
>>> need to generate a cert on the sonicwall?
>>>
>>> At this point I would like to know if you have to use certs with ikev2 and
>>> strongswan?
>>>
>>> ----- Original Message -----
>>> From: "Chris Arnold" <[email protected]>
>>> To: [email protected]
>>> Sent: Monday, April 2, 2012 6:24:41 PM
>>> Subject: Re: [strongSwan] Question on IKEv2
>>>
>>> On Apr 2, 2012, at 5:47 PM, Andreas Steffen <[email protected]> wrote:
>>>
>>>> Hi Chris,
>>>>
>>>> why do you go six years back in time?
>>>>
>>> Are you saying strongSwan 4.0 (the link I posted) is 6 yrs old?
>>>
>>>> Just have a look at our configuration examples:
>>>>
>>>> On 04/02/2012 10:34 PM, Chris Arnold wrote:
>>>>> I have been trying to get a tunnel between strongSwan 4.4.x and a
>>>>> sonicwall TZ180W to no avail. I have tried every combination known on
>>>>> the sonicwall and every combination I know on the strongSwan side. My
>>>>> last try was ikev2 and I think this might be the problem. This was
>>>>> found on a strongSwan thread:
>>>>> http://download.strongswan.org/CHANGES42.txt
>>>>>
>>>>> strongswan-4.0.0
>>>>> ----------------
>>>>>
>>>>> - initial support of the IKEv2 protocol. Connections in ipsec.conf
>>>>>   designated by keyexchange=ikev2 are negotiated by the new IKEv2
>>>>>   charon keying daemon whereas those marked by keyexchange=ikev1 or the
>>>>>   default keyexchange=ike are handled by the IKEv1 pluto keying
>>>>>   daemon. Currently only a limited subset of functions are available
>>>>>   with IKEv2 (Default AES encryption, authentication based on locally
>>>>>   imported X.509 certificates, unencrypted private RSA keys in PKCS#1
>>>>>   file format, limited functionality of the ipsec status command).
>>>>>
>>>>> AES encryption, authentication based on locally imported X.509
>>>>> certificates, unencrypted private RSA keys in PKCS#1 file format,
>>>>> limited functionality of the ipsec status command: is this an AND/OR
>>>>> list? Do you have to have certs to use ikev2 or can you do 1 of the
>>>>> other auth in the list?
>>>>
>>>> ======================================================================
>>>> Andreas Steffen                         [email protected]
>>>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>>>> Institute for Internet Technologies and Applications
>>>> University of Applied Sciences Rapperswil
>>>> CH-8640 Rapperswil (Switzerland)
>>>> ===========================================================[ITA-HSR]==
>>>
>>> _______________________________________________
>>> Users mailing list
>>> [email protected]
>>> https://lists.strongswan.org/mailman/listinfo/users
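The certificate layout Andreas describes in the quoted message (a self-signed CA, two end-entity certificates signed with the CA key, each peer checking the other side's certificate against that CA) together with the DER-or-PEM import check from the top of the thread, as an added example that is not part of this thread and does not use strongSwan's ipsec pki tool: it is a Go program on the standard crypto/x509 library, so the ipsec pki and openssl equivalents are the ones on the two wiki pages Andreas links. The organisation, common names and hostnames in it are made up. Go's standard library has no PKCS#12 writer, so the last step of the recipe (bundling the SonicWall key, SonicWall certificate and CA certificate into a .p12 file) is not shown here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// PKI is one CA plus two end-entity certificates, each with its private key.
type PKI struct {
	CAKey, StrongSwanKey, SonicWallKey             *rsa.PrivateKey
	CACertDER, StrongSwanCertDER, SonicWallCertDER []byte
}

// DetectCertFormat classifies a certificate file as an importer would: "pem",
// "der" or "unknown" (the "invalid format. Please use der or pem" case).
func DetectCertFormat(data []byte) string {
	if block, _ := pem.Decode(data); block != nil {
		if _, err := x509.ParseCertificate(block.Bytes); err == nil && block.Type == "CERTIFICATE" {
			return "pem"
		}
	} else if _, err := x509.ParseCertificate(data); err == nil {
		return "der"
	}
	return "unknown"
}

// ToPEM re-armours a DER certificate for devices that only accept PEM.
func ToPEM(der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// must panics on error; key and certificate generation only fail if the
// system RNG does, which is fatal for a PKI setup anyway.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildPKI self-signs the CA and issues both peer certificates under it. DNs and
// hostnames are made up; each peer's IKE identity must match its DN or a SAN.
func BuildPKI() *PKI {
	org, now := []string{"Example Corp"}, time.Now()
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{Organization: org, CommonName: "Example VPN CA"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	caCert := must(x509.ParseCertificate(caDER)) // parsed form carries the generated SubjectKeyId
	// issue makes a key pair for one peer and signs its certificate with the CA key.
	issue := func(serial int64, host string) (*rsa.PrivateKey, []byte) {
		key := must(rsa.GenerateKey(rand.Reader, 2048))
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), DNSNames: []string{host},
			Subject:      pkix.Name{Organization: org, CommonName: host},
			NotBefore:    now.Add(-time.Hour), NotAfter: now.AddDate(2, 0, 0),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECTunnel},
		}
		return key, must(x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey))
	}
	ssKey, ssDER := issue(2, "strongswan.example.com")
	swKey, swDER := issue(3, "sonicwall.example.com")
	return &PKI{CAKey: caKey, StrongSwanKey: ssKey, SonicWallKey: swKey,
		CACertDER: caDER, StrongSwanCertDER: ssDER, SonicWallCertDER: swDER}
}

// VerifyChain checks that leafDER was issued by the CA in caDER, as each peer
// does with the other side's certificate during IKE_AUTH.
func VerifyChain(leafDER, caDER []byte) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(ToPEM(caDER)) // an unparsable CA leaves the pool empty
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	p := BuildPKI()
	fmt.Println("caCert.der:", DetectCertFormat(p.CACertDER))        // der
	fmt.Println("caCert.pem:", DetectCertFormat(ToPEM(p.CACertDER))) // pem
	fmt.Println("sonicwall cert chains to CA:", VerifyChain(p.SonicWallCertDER, p.CACertDER) == nil)
}
```

DetectCertFormat mirrors the check an importer makes: a file counts as PEM only if it carries a "-----BEGIN CERTIFICATE-----" block whose payload parses as a certificate, and as DER only if the raw bytes parse, whatever the file extension says; everything else gets the "invalid format" answer. VerifyChain is the trust relationship the IKE_AUTH exchange depends on: each side holds the CA certificate (in /etc/ipsec.d/cacerts/ on the strongSwan side, inside the PKCS#12 bundle on the SonicWall side) and the certificate the other side presents has to chain to it, which is also why a peer certificate must not validate against the other peer's certificate.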
