Hello, I would like to know how to configure Strongswan with "IPSec Hybrid authentication with RSA" support.

My Strongswan has XAUTH+RSA and XAUTH+PSK support and they work fine. I believe Strongswan supports "Hybrid authentication", as it is mentioned in the following link.

----------------------------------------
CharonPlutoIKEv1 - strongSwan - strongSwan - IKEv2/IPsec VPN for Linux, Android, FreeBSD, Mac OS X
http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1

"To configure the new Hybrid Mode, define leftauth=xauth and rightauth=pubkey."
----------------------------------------

I configured my Strongswan, version 5.0.0dr1, and installed it with the options below.

    ./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --with-random-device=/dev/urandom --enable-cisco-quirks --enable-xauth-generic --enable-xauth-eap
    make && make install

I set up /etc/ipsec.d/hybrid-rsa.conf and restarted Strongswan. After that, I executed "ipsec statusall" to see how my connections are recognised. Then I tried to connect to my VPN server with Hybrid+RSA auth.

I checked /var/log/charon.log. The log says:

--
Jun 19 14:11:58 13[CFG] looking for HybridInitRSA peer configs matching 192.168.246.210...192.168.248.101[192.168.248.101]
Jun 19 14:11:58 13[IKE] no peer config found
--

My questions are:

1: Does Strongswan support Hybrid Authentication?
2: Does Strongswan support Hybrid Authentication with RSA?
3: What kind of configuration does Strongswan look for when the client asks for "HybridInitRSA"?

If the answer to the 1st or 2nd question above is "YES", I would like to know how to do so.

==== My Strongswan's profile ====

+ /etc/ipsec.conf

    config setup
        plutodebug=all
        plutostderrlog=/var/log/pluto.log
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

    include /etc/ipsec.d/*.conf

+ /etc/ipsec.d/hybrid-rsa.conf

    conn hybridrsasig
        keyexchange=ikev2
        left=linux.hogehoge.jp
        leftcert=serverCert.pem
        leftauth=xauth
        right=%any
        rightsourceip=192.168.246.230/24
        rightcert=clientCert.pem
        rightauth=pubkey
        pfs=no
        auto=add

+ /etc/ipsec.d/xauth-psk.conf

    conn xauthpsk
        keyexchange=ikev1
        xauth=server
        authby=xauthpsk
        left=linux.fj-ngmt.jp
        leftsubnet=0.0.0.0/0
        right=%any
        #rightauth=eap
        rightsourceip=192.168.246.210/24
        pfs=no
        auto=add

+ /etc/ipsec.d/xauth-rsa.conf

    conn xauthrsasig
        keyexchange=ikev1
        xauth=server
        authby=xauthrsasig
        left=linux.fj-ngmt.jp
        leftcert=serverCert.pem
        right=%any
        rightsourceip=192.168.246.220/24
        rightcert=clientCert.pem
        pfs=no
        auto=add

+ /var/log/charon.log

    Jun 19 14:11:58 11[NET] received packet: from 192.168.248.101[500] to 192.168.246.210[500]
    Jun 19 14:11:58 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
    Jun 19 14:11:58 11[IKE] received NAT-T (RFC 3947) vendor ID
    Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Jun 19 14:11:58 11[IKE] received XAuth vendor ID
    Jun 19 14:11:58 11[IKE] received Cisco Unity vendor ID
    Jun 19 14:11:58 11[ENC] received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
    Jun 19 14:11:58 11[IKE] received DPD vendor ID
    Jun 19 14:11:58 11[IKE] 192.168.248.101 is initiating a Main Mode IKE_SA
    Jun 19 14:11:58 11[ENC] generating ID_PROT response 0 [ SA V V V ]
    Jun 19 14:11:58 11[NET] sending packet: from 192.168.246.210[500] to 192.168.248.101[500]
    Jun 19 14:11:58 12[NET] received packet: from 192.168.248.101[500] to 192.168.246.210[500]
    Jun 19 14:11:58 12[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Jun 19 14:11:58 12[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Jun 19 14:11:58 12[NET] sending packet: from 192.168.246.210[500] to 192.168.248.101[500]
    Jun 19 14:11:58 13[NET] received packet: from 192.168.248.101[500] to 192.168.246.210[500]
    Jun 19 14:11:58 13[ENC] parsed ID_PROT request 0 [ ID HASH ]
    Jun 19 14:11:58 13[CFG] looking for HybridInitRSA peer configs matching 192.168.246.210...192.168.248.101[192.168.248.101]
    Jun 19 14:11:58 13[IKE] no peer config found
    Jun 19 14:11:58 13[ENC] generating INFORMATIONAL_V1 request 4275396946 [ HASH N(AUTH_FAILED) ]
    Jun 19 14:11:58 13[NET] sending packet: from 192.168.246.210[500] to 192.168.248.101[500]

Thank you for your time in advance.

Regards,
Yukihisa Kitagawa
--
TrippyBoy.com
http://trippyboy.com/

_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
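The following is an added gateway-side configuration for the Hybrid Mode the post is asking about; it is an editorial example, not the poster's configuration and not taken from the strongSwan project. It assumes the hostname, certificate and key file names, address pool and the XAuth user name and secret (change-me) shown in the comments. Two points it relies on: "HybridInitRSA" in the log is the IKEv1 authentication method in which the responder (the gateway) authenticates with an RSA signature and the initiator (the client) only with XAuth, and Hybrid Mode exists only in IKEv1, so charon will not match it against a conn with keyexchange=ikev2 such as the posted hybridrsasig. In ipsec.conf "left" is always the local side, so the wiki sentence quoted in the post (leftauth=xauth, rightauth=pubkey) describes the client; on the gateway the roles are mirrored. No client certificate is involved in Hybrid Mode, so rightcert is not needed.

```ini
# /etc/ipsec.d/hybrid-rsa.conf  (added example; gateway side, strongSwan 5.x charon)
conn hybridrsa
    keyexchange=ikev1            # Hybrid Mode is an IKEv1 extension; ikev2 conns are never matched
    left=linux.hogehoge.jp       # assumed gateway FQDN (taken from the post)
    leftcert=serverCert.pem      # assumed gateway certificate in /etc/ipsec.d/certs
    leftauth=pubkey              # gateway proves its identity with an RSA signature
    leftsubnet=0.0.0.0/0         # full tunnel, as in the posted xauthpsk conn
    right=%any
    rightauth=xauth              # client is authenticated by XAuth only: this is Hybrid Mode
    rightsourceip=192.168.246.230/24   # assumed virtual IP pool for the clients
    auto=add

# /etc/ipsec.secrets  (added example; file names and credential are assumptions)
: RSA serverKey.pem              # private key matching serverCert.pem
user1 : XAUTH "change-me"        # XAuth user/password for the road warrior
```

A caveat a practitioner should keep in mind: in Hybrid Mode the only thing binding the client to the gateway is the password sent inside the XAuth exchange, so the client must actually verify the gateway certificate (CA configured on the client, rightid matching the certificate subject or SAN); a client that skips that check will hand its XAuth password to anyone who answers on UDP 500. Also, plutodebug, plutostderrlog, nat_traversal and virtual_private in the posted config setup section are pluto keywords; with charon handling IKEv1 they have no effect (NAT-T is always on, and logging is controlled with charondebug or strongswan.conf).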
