Hello Andreas,

Thank you for this information! I will give it a try! :)

Regards,
Yukihisa Kitagawa

On 2012/06/19, at 18:08, Andreas Steffen <[email protected]> wrote:

> Hello,
>
> strongswan-5.0.0rc1 which was released today comes with an IKEv1 Hybrid
> Mode example scenario:
>
> www.strongswan.org/uml/testresults5rc/ikev1/xauth-id-rsa-hybrid/
>
> Regards
>
> Andreas
>
> On 06/19/2012 08:06 AM, TrippyBoy.com wrote:
>> Hello,
>>
>> I would like to know how to configure Strongswan with "IPSec Hybrid
>> authentication with RSA" support.
>>
>> # My Strongswan has XAUTH+RSA and XAUTH+PSK support and they work fine.
>>
>> I believe Strongswan supports "Hybrid authentication", as it is
>> mentioned in the following link.
>>
>> ----------------------------------------
>> CharonPlutoIKEv1 - strongSwan - strongSwan - IKEv2/IPsec VPN for
>> Linux, Android, FreeBSD, Mac OS X
>> http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1
>>
>> "To configure the new Hybrid Mode, define leftauth=xauth and
>> rightauth=pubkey."
>> ----------------------------------------
>>
>> I configured my Strongswan, ver5.0.0dr1, and installed it with the
>> options below.
>>
>> ./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/
>> --with-random-device=/dev/urandom --enable-cisco-quirks
>> --enable-xauth-generic --enable-xauth-eap
>> make && make install
>>
>> I set up /etc/ipsec.d/hybrd-rsa.conf and restarted Strongswan.
>> After that, I executed "ipsec statusall" to see how my connections are
>> recognised.
>> Then I tried to connect to my VPN server with Hybrid+RSA auth.
>> I checked /var/log/charon.log.
>>
>> The log says
>> --
>> Jun 19 14:11:58 13[CFG] looking for HybridInitRSA peer configs matching 192.168.246.210...192.168.248.101[192.168.248.101]
>> Jun 19 14:11:58 13[IKE] no peer config found
>> --
>>
>> My questions are
>> 1: Does Strongswan support Hybrid Authentication?
>> 2: Does Strongswan support Hybrid Authentication with RSA?
>> 3: What kind of configuration does Strongswan look for when the client
>> asks for "HybridInitRSA"?
>>
>> If the 1st or 2nd of the questions above returns "YES", I would like to
>> know the way to do so.
>>
>>
>> ==== My Strongswan's profile ====
>>
>> + /etc/ipsec.conf
>> config setup
>>         plutodebug=all
>>         plutostderrlog=/var/log/pluto.log
>>         nat_traversal=yes
>>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>>
>> include /etc/ipsec.d/*.conf
>>
>> + /etc/ipsec.d/hybrid-rsa.conf
>> conn hybridrsasig
>>         keyexchange=ikev2
>>         left=linux.hogehoge.jp
>>         leftcert=serverCert.pem
>>         leftauth=xauth
>>         right=%any
>>         rightsourceip=192.168.246.230/24
>>         rightcert=clientCert.pem
>>         rightauth=pubkey
>>         pfs=no
>>         auto=add
>>
>> + /etc/ipsec.d/xauth-psk.conf
>> conn xauthpsk
>>         keyexchange=ikev1
>>         xauth=server
>>         authby=xauthpsk
>>         left=linux.fj-ngmt.jp
>>         leftsubnet=0.0.0.0/0
>>         right=%any
>>         #rightauth=eap
>>         rightsourceip=192.168.246.210/24
>>         pfs=no
>>         auto=add
>>
>> + /etc/ipsec.d/xauth-rsa.conf
>> conn xauthrsasig
>>         keyexchange=ikev1
>>         xauth=server
>>         authby=xauthrsasig
>>         left=linux.fj-ngmt.jp
>>         leftcert=serverCert.pem
>>         right=%any
>>         rightsourceip=192.168.246.220/24
>>         rightcert=clientCert.pem
>>         pfs=no
>>         auto=add
>>
>>
>> + /var/log/charon.log
>> Jun 19 14:11:58 11[NET] received packet: from 192.168.248.101[500] to 192.168.246.210[500]
>> Jun 19 14:11:58 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
>> Jun 19 14:11:58 11[IKE] received NAT-T (RFC 3947) vendor ID
>> Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
>> Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>> Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
>> Jun 19 14:11:58 11[IKE] received XAuth vendor ID
>> Jun 19 14:11:58 11[IKE] received Cisco Unity vendor ID
>> Jun 19 14:11:58 11[ENC] received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
>> Jun 19 14:11:58 11[IKE] received DPD vendor ID
>> Jun 19 14:11:58 11[IKE] 192.168.248.101 is initiating a Main Mode IKE_SA
>> Jun 19 14:11:58 11[ENC] generating ID_PROT response 0 [ SA V V V ]
>> Jun 19 14:11:58 11[NET] sending packet: from 192.168.246.210[500] to 192.168.248.101[500]
>> Jun 19 14:11:58 12[NET] received packet: from 192.168.248.101[500] to 192.168.246.210[500]
>> Jun 19 14:11:58 12[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
>> Jun 19 14:11:58 12[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
>> Jun 19 14:11:58 12[NET] sending packet: from 192.168.246.210[500] to 192.168.248.101[500]
>> Jun 19 14:11:58 13[NET] received packet: from 192.168.248.101[500] to 192.168.246.210[500]
>> Jun 19 14:11:58 13[ENC] parsed ID_PROT request 0 [ ID HASH ]
>> Jun 19 14:11:58 13[CFG] looking for HybridInitRSA peer configs matching 192.168.246.210...192.168.248.101[192.168.248.101]
>> Jun 19 14:11:58 13[IKE] no peer config found
>> Jun 19 14:11:58 13[ENC] generating INFORMATIONAL_V1 request 4275396946 [ HASH N(AUTH_FAILED) ]
>> Jun 19 14:11:58 13[NET] sending packet: from 192.168.246.210[500] to 192.168.248.101[500]
>>
>>
>> Thank you for your time in advance.
>>
>> Regards,
>>
>> Yukihisa kitagawa
>> --
>> TrippyBoy.com http://trippyboy.com/
>
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
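As an added example (not from this thread or the strongSwan project), here is the posted hybrid-rsa.conf conn rewritten for the gateway side the way the moon host in the xauth-id-rsa-hybrid scenario Andreas links is set up: the client's HybridInitRSA request is an IKEv1 exchange, and in Hybrid Mode the gateway proves itself with RSA while the roadwarrior authenticates with XAuth only. Assumed: the wiki's "leftauth=xauth and rightauth=pubkey" is written from the client's point of view (left is the local host), so the gateway mirrors it; serverKey.pem and the CHANGE_ME XAuth credentials are placeholders.

```ini
# /etc/ipsec.conf on the VPN gateway (left = this host). Added example,
# modelled on the moon side of the strongSwan xauth-id-rsa-hybrid scenario.
config setup
        # plutodebug, plutostderrlog and nat_traversal address the pluto
        # daemon, which 5.x no longer ships; charon handles IKEv1 and has
        # NAT-T always enabled, so only charon's own logging is configured.
        charondebug="cfg 2, ike 2"

conn hybridrsasig
        keyexchange=ikev1          # was ikev2: HybridInitRSA is IKEv1 Main Mode
        left=linux.hogehoge.jp
        leftcert=serverCert.pem    # gateway certificate ...
        leftauth=pubkey            # ... and the gateway signs with its RSA key
        right=%any
        rightauth=xauth            # roadwarrior sends XAuth credentials only
        rightsourceip=192.168.246.230/24
        # no rightcert: a Hybrid Mode client presents no certificate at all
        pfs=no
        auto=add

# /etc/ipsec.secrets (placeholder values, change before use)
: RSA serverKey.pem
CHANGE_ME_username : XAUTH "CHANGE_ME_password"
```

With this in place the "looking for HybridInitRSA peer configs" lookup in charon.log should resolve to hybridrsasig instead of "no peer config found".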
