Hello,

strongswan-5.0.0rc1 which was released today comes with an IKEv1 Hybrid
Mode example scenario:

  www.strongswan.org/uml/testresults5rc/ikev1/xauth-id-rsa-hybrid/

Regards

Andreas

On 06/19/2012 08:06 AM, TrippyBoy.com wrote:
> Hello,
>
> I would like to know how to configure Strongswan with "IPSec Hybrid
> authentication with RSA" support.
>
> # My Strongswan has XAUTH+RSA and XAUTH+PSK support and they work fine.
>
> I believe Strongswan supports "Hybrid authentication", as it is
> mentioned in the following link.
>
> ----------------------------------------
> CharonPlutoIKEv1 - strongSwan - strongSwan - IKEv2/IPsec VPN for
> Linux, Android, FreeBSD, Mac OS X
> http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1
>
> "To configure the new Hybrid Mode, define leftauth=xauth and
> rightauth=pubkey."
> ----------------------------------------
>
> I configured my Strongswan, ver5.0.0dr1, and installed it with the
> options below.
>
> ./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/
>   --with-random-device=/dev/urandom --enable-cisco-quirks
>   --enable-xauth-generic --enable-xauth-eap
> make && make install
>
> I set up /etc/ipsec.d/hybrid-rsa.conf and restarted Strongswan.
> After that, I executed "ipsec statusall" to see how my connections are
> recognised.
> Then I tried to connect to my VPN server with Hybrid+RSA auth.
> I checked /var/log/charon.log.
>
> The log says
> --
> Jun 19 14:11:58 13[CFG] looking for HybridInitRSA peer configs matching 192.168.246.210...192.168.248.101[192.168.248.101]
> Jun 19 14:11:58 13[IKE] no peer config found
> --
>
> My questions are
> 1: Does Strongswan support Hybrid Authentication?
> 2: Does Strongswan support Hybrid Authentication with RSA?
> 3: What kind of configuration does Strongswan look for when the client
>    asks for "HybridInitRSA"?
>
> If the 1st or 2nd of the questions above returns "YES", I would like to
> know the way to do so.
>
>
> ==== My Strongswan's profile ====
>
> + /etc/ipsec.conf
> config setup
>     plutodebug=all
>     plutostderrlog=/var/log/pluto.log
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>
> include /etc/ipsec.d/*.conf
>
> + /etc/ipsec.d/hybrid-rsa.conf
> conn hybridrsasig
>     keyexchange=ikev2
>     left=linux.hogehoge.jp
>     leftcert=serverCert.pem
>     leftauth=xauth
>     right=%any
>     rightsourceip=192.168.246.230/24
>     rightcert=clientCert.pem
>     rightauth=pubkey
>     pfs=no
>     auto=add
>
> + /etc/ipsec.d/xauth-psk.conf
> conn xauthpsk
>     keyexchange=ikev1
>     xauth=server
>     authby=xauthpsk
>     left=linux.fj-ngmt.jp
>     leftsubnet=0.0.0.0/0
>     right=%any
>     #rightauth=eap
>     rightsourceip=192.168.246.210/24
>     pfs=no
>     auto=add
>
> + /etc/ipsec.d/xauth-rsa.conf
> conn xauthrsasig
>     keyexchange=ikev1
>     xauth=server
>     authby=xauthrsasig
>     left=linux.fj-ngmt.jp
>     leftcert=serverCert.pem
>     right=%any
>     rightsourceip=192.168.246.220/24
>     rightcert=clientCert.pem
>     pfs=no
>     auto=add
>
>
> + /var/log/charon.log
> Jun 19 14:11:58 11[NET] received packet: from 192.168.248.101[500] to 192.168.246.210[500]
> Jun 19 14:11:58 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
> Jun 19 14:11:58 11[IKE] received NAT-T (RFC 3947) vendor ID
> Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
> Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
> Jun 19 14:11:58 11[IKE] received XAuth vendor ID
> Jun 19 14:11:58 11[IKE] received Cisco Unity vendor ID
> Jun 19 14:11:58 11[ENC] received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
> Jun 19 14:11:58 11[IKE] received DPD vendor ID
> Jun 19 14:11:58 11[IKE] 192.168.248.101 is initiating a Main Mode IKE_SA
> Jun 19 14:11:58 11[ENC] generating ID_PROT response 0 [ SA V V V ]
> Jun 19 14:11:58 11[NET] sending packet: from 192.168.246.210[500] to 192.168.248.101[500]
> Jun 19 14:11:58 12[NET] received packet: from 192.168.248.101[500] to 192.168.246.210[500]
> Jun 19 14:11:58 12[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
> Jun 19 14:11:58 12[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
> Jun 19 14:11:58 12[NET] sending packet: from 192.168.246.210[500] to 192.168.248.101[500]
> Jun 19 14:11:58 13[NET] received packet: from 192.168.248.101[500] to 192.168.246.210[500]
> Jun 19 14:11:58 13[ENC] parsed ID_PROT request 0 [ ID HASH ]
> Jun 19 14:11:58 13[CFG] looking for HybridInitRSA peer configs matching 192.168.246.210...192.168.248.101[192.168.248.101]
> Jun 19 14:11:58 13[IKE] no peer config found
> Jun 19 14:11:58 13[ENC] generating INFORMATIONAL_V1 request 4275396946 [ HASH N(AUTH_FAILED) ]
> Jun 19 14:11:58 13[NET] sending packet: from 192.168.246.210[500] to 192.168.248.101[500]
>
>
> Thank you for your time in advance.
>
> Regards,
>
> Yukihisa kitagawa
> --
> TrippyBoy.com http://trippyboy.com/

======================================================================
Andreas Steffen
strongSwan - the Linux VPN Solution!
www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
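Worked example added here; it is not code from this thread or from the strongSwan project. The script parses a constructed ipsec.conf (reduced versions of the three conns posted above plus a hybrid conn rewritten from the gateway's side) and derives, for each conn, the IKEv1 authentication method name that charon prints when it searches for peer configs ("looking for HybridInitRSA peer configs"). It also covers the legacy authby= forms used in the posted xauth conns, so it goes a little beyond the single hybrid case in the thread. The mapping from leftauth/rightauth and authby values to method names is a simplified model of charon's matching, and it assumes that left is the gateway acting as IKEv1 responder and right the roaming client; SAMPLE_IPSEC_CONF, parse_ipsec_conf, ikev1_auth_method and find_matching are names chosen for this example.

```python
"""Derive the IKEv1 authentication method each strongSwan conn corresponds to.

Added example, not code from the thread or from strongSwan. Simplified model
(assumption): left is the gateway acting as IKEv1 responder, right the
roaming client; only the five method names below are modelled.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the thread's three conns, reduced to the keys that
# matter here, plus a hybrid conn written from the gateway's side
# (assumption: gateway authenticates with its certificate, client with
# XAuth credentials only). The posted hybrid conn is kept for comparison.
SAMPLE_IPSEC_CONF = """\
conn %default
    keyexchange=ikev1
    auto=add

conn hybridrsasig-as-posted
    keyexchange=ikev2
    leftauth=xauth
    rightauth=pubkey

conn hybridrsasig
    leftcert=serverCert.pem
    leftauth=pubkey
    right=%any
    rightauth=xauth
    rightsourceip=192.168.246.230/24

conn xauthpsk
    authby=xauthpsk

conn xauthrsasig
    authby=xauthrsasig
"""

SECTION_RE = re.compile(r"^(conn|config|ca)\s+(\S+)\s*$")
Classes = Tuple[Tuple[str, ...], Tuple[str, ...]]   # (local, remote) auth classes

# Legacy authby= values as (local classes, remote classes), gateway view.
LEGACY_AUTHBY: Dict[str, Classes] = {
    "psk": (("psk",), ("psk",)),
    "rsasig": (("pubkey",), ("pubkey",)),
    "xauthpsk": (("psk",), ("psk", "xauth")),
    "xauthrsasig": (("pubkey",), ("pubkey", "xauth")),
}

# (local classes, remote classes) -> IKEv1 method name as used in charon's log.
IKEV1_METHODS: Dict[Classes, str] = {
    (("pubkey",), ("pubkey",)): "RSA",
    (("psk",), ("psk",)): "PSK",
    (("pubkey",), ("pubkey", "xauth")): "XAuthInitRSA",
    (("psk",), ("psk", "xauth")): "XAuthInitPSK",
    (("pubkey",), ("xauth",)): "HybridInitRSA",
}


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """{conn name: {key: value}} with 'conn %default' merged into every conn.

    Handles section headers at column 0, indented key=value lines, blank and
    '#' lines, and 'include' lines (skipped); 'also=' is not implemented.
    """
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = SECTION_RE.match(line)
        if header:
            kind, name = header.groups()
            current = conns.setdefault(name, {}) if kind == "conn" else None
            continue
        if current is None or line.strip().startswith("include"):
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **conn} for name, conn in conns.items()}


def auth_classes(conn: Dict[str, str]) -> Optional[Classes]:
    """Local and remote authentication classes, or None for an unknown authby."""
    if "authby" in conn:
        return LEGACY_AUTHBY.get(conn["authby"])
    local = tuple(conn[k] for k in ("leftauth", "leftauth2") if k in conn) or ("pubkey",)
    remote = tuple(conn[k] for k in ("rightauth", "rightauth2") if k in conn) or ("pubkey",)
    return local, remote


def ikev1_auth_method(conn: Dict[str, str]) -> Optional[str]:
    """IKEv1 method name for a conn, or None if no IKEv1 peer can match it."""
    if conn.get("keyexchange", "ike") == "ikev2":
        return None                      # IKEv2-only: never an IKEv1 candidate
    classes = auth_classes(conn)
    return IKEV1_METHODS.get(classes) if classes else None


def find_matching(conns: Dict[str, Dict[str, str]], method: str) -> List[str]:
    """Names of conns that a peer proposing `method` could be matched against."""
    return sorted(n for n, c in conns.items() if ikev1_auth_method(c) == method)


if __name__ == "__main__":
    conns = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    for name, conn in conns.items():
        print(f"{name:24} -> {ikev1_auth_method(conn)}")
    print("HybridInitRSA candidates:", find_matching(conns, "HybridInitRSA"))
```

Run against the sample, the conn copied from the post yields no IKEv1 method at all (it is IKEv2-only, and its leftauth/rightauth are the client-side roles from the wiki sentence, so even under IKEv1 no method would fit), the two authby= conns map to XAuthInitPSK and XAuthInitRSA, and only the rewritten gateway-side conn is a HybridInitRSA candidate, which is the "no peer config found" situation in the posted log seen from the configuration side. Since a Hybrid Mode client presents only an XAuth password, its verification of the gateway certificate (rightid plus a trusted CA on the client) is the only thing standing between it and a spoofed gateway collecting those passwords.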
