Hi,

I have updated my certificates and yet I am not able to establish a VPN connection. There are no rules currently in my iptables and I have flushed them using iptables --flush. The output of iptables --list is as follows.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
This message also contains the output of ipsec start --nofork --debug-all; it contains my ipsec.conf file. As I said before, I would like my mobile devices to access the Internet via this VPN server. I would like to use xauthrsasig for this setup. I would also like to know why I am still seeing "certificate status is not available" in the log file for the client.

I have configured strongSwan using the following command.

./configure --sysconfdir=/home/arao/etc --prefix=/home/arao/usr/ --libexecdir=/home/arao/usr/lib --enable-openssl --enable-agent --enable-xauth-generic --enable-gcrypt --enable-integrity-test --enable-openssl --enable-eap-gtc --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-identity --enable-md4 --enable-eap-radius --enable-xauth-eap

I have updated my LD_LIBRARY_PATH and LD_RUN_PATH variables before running ipsec.

--
Starting strongSwan 5.0.0rc1 IPsec [starter]...
Loading config setup
Loading conn 'rw'
  auto=add
  authby=xauthrsasig
  xauth=server
  keyexchange=ikev1
  left=%defaultroute
  right=%any
  leftcert=serverCert.pem
  [email protected]
  rightid="C=US, O=snowmane, CN=client"
  rightcert=clientCert.pem
  leftfirewall=no
  leftsubnet=0.0.0.0/0
  rightsubnet=0.0.0.0/0
found netkey IPsec stack
plugin 'kernel-netlink': loaded successfully
listening on interfaces:
  eth1
    sss.sss.4.186
    fefe::abc:defg:pqrs:fedf
Attempting to start charon...
00[DMN] Starting IKE charon daemon (strongSwan 5.0.0rc1)
00[KNL] listening on interfaces:
00[KNL]   eth1
00[KNL]     sss.sss.4.186
00[KNL]     abcd::efg:hijk:lmno:pqrs
00[CFG] loaded 0 RADIUS server configurations
00[CFG] loading ca certificates from '/home/arao/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=US, O=snowmane, CN=snowmane CA" from '/home/arao/etc/ipsec.d/cacerts/caCert.pem'
00[CFG] loading aa certificates from '/home/arao/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/home/arao/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/home/arao/etc/ipsec.d/acerts'
00[CFG] loading crls from '/home/arao/etc/ipsec.d/crls'
00[CFG] loading secrets from '/home/arao/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from '/home/arao/etc/ipsec.d/private/serverKey.pem'
00[CFG]   loaded RSA private key from '/home/arao/etc/ipsec.d/private/clientKey.pem'
00[CFG]   loaded EAP secret for test
00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-radius xauth-generic xauth-eap
00[JOB] spawning 16 worker threads
charon (6440) started after 40 ms
08[CFG] received stroke: add connection 'rw'
08[KNL] getting interface name for %any
08[KNL] %any is not a local address
08[KNL] getting interface name for %any
08[KNL] %any is not a local address
08[CFG] left nor right host is our side, assuming left=local
08[CFG]   loaded certificate "C=US, O=snowmane, CN=snowmane.mydomain.edu" from 'serverCert.pem'
08[CFG]   loaded certificate "C=US, O=snowmane, CN=client" from 'clientCert.pem'
08[CFG] added configuration 'rw'
11[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
11[IKE] received NAT-T (RFC 3947) vendor ID
11[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
11[IKE] received XAuth vendor ID
11[IKE] received Cisco Unity vendor ID
11[ENC] received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
11[IKE] received DPD vendor ID
11[IKE] ccc.ccc.7.68 is initiating a Main Mode IKE_SA
11[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
11[ENC] generating ID_PROT response 0 [ SA V V V ]
11[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
10[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
10[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
10[IKE] natd_chunk => 22 bytes @ 0x7fa7b2e9fa90
10[IKE]    0: EE D3 83 8C AA 1B A5 C3 B5 C7 24 76 F8 2C AD 6E  ..........$v.,.n
10[IKE]   16: 80 D0 04 BA 01 F4  ......
10[IKE] natd_hash => 20 bytes @ 0x7fa76c000d50
10[IKE]    0: 23 E9 88 EC 15 8B E0 8A A2 69 4C 1F D2 7C 58 68  #........iL..|Xh
10[IKE]   16: 15 26 9B E2  .&..
10[IKE] natd_chunk => 22 bytes @ 0x7fa7b2e9fa90
10[IKE]    0: EE D3 83 8C AA 1B A5 C3 B5 C7 24 76 F8 2C AD 6E  ..........$v.,.n
10[IKE]   16: AC 1C 07 44 01 F4  ...D..
10[IKE] natd_hash => 20 bytes @ 0x7fa76c000d00
10[IKE]    0: D6 6D 58 D6 F0 6C 85 DA 91 C8 3E B6 97 34 54 AC  .mX..l....>..4T.
10[IKE]   16: 6A DF 67 A0  j.g.
10[IKE] precalculated src_hash => 20 bytes @ 0x7fa76c000d00
10[IKE]    0: D6 6D 58 D6 F0 6C 85 DA 91 C8 3E B6 97 34 54 AC  .mX..l....>..4T.
10[IKE]   16: 6A DF 67 A0  j.g.
10[IKE] precalculated dst_hash => 20 bytes @ 0x7fa76c000d50
10[IKE]    0: 23 E9 88 EC 15 8B E0 8A A2 69 4C 1F D2 7C 58 68  #........iL..|Xh
10[IKE]   16: 15 26 9B E2  .&..
10[IKE] received dst_hash => 20 bytes @ 0x7fa76c000c00
10[IKE]    0: 23 E9 88 EC 15 8B E0 8A A2 69 4C 1F D2 7C 58 68  #........iL..|Xh
10[IKE]   16: 15 26 9B E2  .&..
10[IKE] received src_hash => 20 bytes @ 0x7fa76c000cc0
10[IKE]    0: D6 6D 58 D6 F0 6C 85 DA 91 C8 3E B6 97 34 54 AC  .mX..l....>..4T.
10[IKE]   16: 6A DF 67 A0  j.g.
10[IKE] sending cert request for "C=US, O=snowmane, CN=snowmane CA"
10[IKE] natd_chunk => 22 bytes @ 0x7fa7b2e9faa0
10[IKE]    0: EE D3 83 8C AA 1B A5 C3 B5 C7 24 76 F8 2C AD 6E  ..........$v.,.n
10[IKE]   16: AC 1C 07 44 01 F4  ...D..
10[IKE] natd_hash => 20 bytes @ 0x7fa76c0013d0
10[IKE]    0: D6 6D 58 D6 F0 6C 85 DA 91 C8 3E B6 97 34 54 AC  .mX..l....>..4T.
10[IKE]   16: 6A DF 67 A0  j.g.
10[IKE] natd_chunk => 22 bytes @ 0x7fa7b2e9faa0
10[IKE]    0: EE D3 83 8C AA 1B A5 C3 B5 C7 24 76 F8 2C AD 6E  ..........$v.,.n
10[IKE]   16: 80 D0 04 BA 01 F4  ......
10[IKE] natd_hash => 20 bytes @ 0x7fa76c0027a0
10[IKE]    0: 23 E9 88 EC 15 8B E0 8A A2 69 4C 1F D2 7C 58 68  #........iL..|Xh
10[IKE]   16: 15 26 9B E2  .&..
10[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
10[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
13[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
13[IKE] received retransmit of request with ID 0, retransmitting response
13[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
12[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
12[ENC] parsed ID_PROT request 0 [ ID CERT SIG ]
12[IKE] received end entity cert "C=US, O=snowmane, CN=client"
12[CFG] looking for XAuthInitRSA peer configs matching sss.sss.4.186...ccc.ccc.7.68[C=US, O=snowmane, CN=client]
12[CFG] selected peer config "rw"
12[IKE] HASH_I data => 615 bytes @ 0x7fa764002740
12[IKE]    0: 85 DD 3D EB BF 44 D5 6B F4 DB CD 2F 96 75 63 CA  ..=..D.k.../.uc.
12[IKE]   16: E3 C8 6C EB 33 A4 98 4B D4 91 9A 0B ED 3C 96 EC  ..l.3..K.....<..
12[IKE]   32: 1A D5 99 0B FF E3 FC B1 94 54 80 75 DC FE 01 E5  .........T.u....
12[IKE]   48: 8E 0A A5 77 A9 A4 43 6A F2 5D AB A6 50 06 76 51  ...w..Cj.]..P.vQ
12[IKE]   64: 79 8B 53 4A B1 6E 02 B0 82 57 23 89 FA 7F C1 23  y.SJ.n...W#....#
12[IKE]   80: 91 5A EC 6B BC 28 16 D2 A2 52 00 AC 5B 99 77 39  .Z.k.(...R..[.w9
12[IKE]   96: 7C FE 3C 3F 5B 5D 17 BF 1F 15 09 B1 3F 6F B0 EF  |.<?[]......?o..
12[IKE]  112: 3D E3 34 A3 6C 39 BE E9 A7 06 5D 4C F5 4E 6B 19  =.4.l9....]L.Nk.
12[IKE]  128: 20 09 80 78 B1 B1 0D F0 1D 56 B0 01 68 31 2C 84  ..x.....V..h1,.
12[IKE]  144: E1 44 A4 BD 56 90 8C 6E 79 55 99 CA 6E D7 CD 01  .D..V..nyU..n...
12[IKE]  160: 40 B7 94 0C 28 52 E0 07 0A 18 2F D7 EC A7 F5 9F  @...(R..../.....
12[IKE]  176: F6 31 3F FA 2F FC 19 7F 64 B5 BD 41 9F FC F2 9F  .1?./...d..A....
12[IKE]  192: 91 63 E9 21 09 AF 72 46 9E 67 CB FB D5 E3 65 52  .c.!..rF.g....eR
12[IKE]  208: EE 4A F1 E6 E2 4D A3 CD 4A D1 2A 91 98 A3 C8 CE  .J...M..J.*.....
12[IKE]  224: CB B7 CD 7B B4 85 FA 49 68 68 E6 AF 14 85 32 AE  ...{...Ihh....2.
12[IKE]  240: 6B 11 05 C6 B2 5B F0 10 E5 F7 B5 87 A8 11 D5 3C  k....[.........<
12[IKE]  256: EE D3 83 8C AA 1B A5 C3 B5 C7 24 76 F8 2C AD 6E  ..........$v.,.n
12[IKE]  272: 00 00 00 01 00 00 00 01 00 00 01 18 01 01 00 08  ................
12[IKE]  288: 03 00 00 24 01 01 00 00 80 0B 00 01 80 0C 70 80  ...$..........p.
12[IKE]  304: 80 01 00 07 80 0E 01 00 80 03 FD ED 80 02 00 02  ................
12[IKE]  320: 80 04 00 02 03 00 00 24 02 01 00 00 80 0B 00 01  .......$........
12[IKE]  336: 80 0C 70 80 80 01 00 07 80 0E 01 00 80 03 FD ED  ..p.............
12[IKE]  352: 80 02 00 01 80 04 00 02 03 00 00 24 03 01 00 00  ...........$....
12[IKE]  368: 80 0B 00 01 80 0C 70 80 80 01 00 07 80 0E 00 80  ......p.........
12[IKE]  384: 80 03 FD ED 80 02 00 02 80 04 00 02 03 00 00 24  ...............$
12[IKE]  400: 04 01 00 00 80 0B 00 01 80 0C 70 80 80 01 00 07  ..........p.....
12[IKE]  416: 80 0E 00 80 80 03 FD ED 80 02 00 01 80 04 00 02  ................
12[IKE]  432: 03 00 00 20 05 01 00 00 80 0B 00 01 80 0C 70 80  ... ..........p.
12[IKE]  448: 80 01 00 05 80 03 FD ED 80 02 00 02 80 04 00 02  ................
12[IKE]  464: 03 00 00 20 06 01 00 00 80 0B 00 01 80 0C 70 80  ... ..........p.
12[IKE]  480: 80 01 00 05 80 03 FD ED 80 02 00 01 80 04 00 02  ................
12[IKE]  496: 03 00 00 20 07 01 00 00 80 0B 00 01 80 0C 70 80  ... ..........p.
12[IKE]  512: 80 01 00 01 80 03 FD ED 80 02 00 02 80 04 00 02  ................
12[IKE]  528: 00 00 00 20 08 01 00 00 80 0B 00 01 80 0C 70 80  ... ..........p.
12[IKE]  544: 80 01 00 01 80 03 FD ED 80 02 00 01 80 04 00 02  ................
12[IKE]  560: 09 00 00 00 30 31 31 0B 30 09 06 03 55 04 06 13  ....011.0...U...
12[IKE]  576: 02 55 53 31 11 30 0F 06 03 55 04 0A 13 08 73 6E  .US1.0...U....sn
12[IKE]  592: 6F 77 6D 61 6E 65 31 0F 30 0D 06 03 55 04 03 13  owmane1.0...U...
12[IKE]  608: 06 63 6C 69 65 6E 74  .client
12[IKE] HASH_I => 20 bytes @ 0x7fa7640009f0
12[IKE]    0: C5 DF A1 3A AB 84 C1 67 72 61 A9 9A 17 40 38 62  ...:...gra...@8b
12[IKE]   16: 56 B3 45 2D  V.E-
12[CFG]   using trusted ca certificate "C=US, O=snowmane, CN=snowmane CA"
12[CFG] checking certificate status of "C=US, O=snowmane, CN=client"
12[CFG] certificate status is not available
12[CFG]   reached self-signed root ca with a path length of 0
12[CFG]   using trusted certificate "C=US, O=snowmane, CN=client"
12[IKE] authentication of 'C=US, O=snowmane, CN=client' with RSA successful
12[IKE] HASH_R data => 590 bytes @ 0x7fa764003ce0
12[IKE]    0: 20 09 80 78 B1 B1 0D F0 1D 56 B0 01 68 31 2C 84  ..x.....V..h1,.
12[IKE]   16: E1 44 A4 BD 56 90 8C 6E 79 55 99 CA 6E D7 CD 01  .D..V..nyU..n...
12[IKE]   32: 40 B7 94 0C 28 52 E0 07 0A 18 2F D7 EC A7 F5 9F  @...(R..../.....
12[IKE]   48: F6 31 3F FA 2F FC 19 7F 64 B5 BD 41 9F FC F2 9F  .1?./...d..A....
12[IKE]   64: 91 63 E9 21 09 AF 72 46 9E 67 CB FB D5 E3 65 52  .c.!..rF.g....eR
12[IKE]   80: EE 4A F1 E6 E2 4D A3 CD 4A D1 2A 91 98 A3 C8 CE  .J...M..J.*.....
12[IKE]   96: CB B7 CD 7B B4 85 FA 49 68 68 E6 AF 14 85 32 AE  ...{...Ihh....2.
12[IKE]  112: 6B 11 05 C6 B2 5B F0 10 E5 F7 B5 87 A8 11 D5 3C  k....[.........<
12[IKE]  128: 85 DD 3D EB BF 44 D5 6B F4 DB CD 2F 96 75 63 CA  ..=..D.k.../.uc.
12[IKE]  144: E3 C8 6C EB 33 A4 98 4B D4 91 9A 0B ED 3C 96 EC  ..l.3..K.....<..
12[IKE]  160: 1A D5 99 0B FF E3 FC B1 94 54 80 75 DC FE 01 E5  .........T.u....
12[IKE]  176: 8E 0A A5 77 A9 A4 43 6A F2 5D AB A6 50 06 76 51  ...w..Cj.]..P.vQ
12[IKE]  192: 79 8B 53 4A B1 6E 02 B0 82 57 23 89 FA 7F C1 23  y.SJ.n...W#....#
12[IKE]  208: 91 5A EC 6B BC 28 16 D2 A2 52 00 AC 5B 99 77 39  .Z.k.(...R..[.w9
12[IKE]  224: 7C FE 3C 3F 5B 5D 17 BF 1F 15 09 B1 3F 6F B0 EF  |.<?[]......?o..
12[IKE]  240: 3D E3 34 A3 6C 39 BE E9 A7 06 5D 4C F5 4E 6B 19  =.4.l9....]L.Nk.
12[IKE]  256: B5 C7 24 76 F8 2C AD 6E EE D3 83 8C AA 1B A5 C3  ..$v.,.n........
12[IKE]  272: 00 00 00 01 00 00 00 01 00 00 01 18 01 01 00 08  ................
12[IKE]  288: 03 00 00 24 01 01 00 00 80 0B 00 01 80 0C 70 80  ...$..........p.
12[IKE]  304: 80 01 00 07 80 0E 01 00 80 03 FD ED 80 02 00 02  ................
12[IKE]  320: 80 04 00 02 03 00 00 24 02 01 00 00 80 0B 00 01  .......$........
12[IKE]  336: 80 0C 70 80 80 01 00 07 80 0E 01 00 80 03 FD ED  ..p.............
12[IKE]  352: 80 02 00 01 80 04 00 02 03 00 00 24 03 01 00 00  ...........$....
12[IKE]  368: 80 0B 00 01 80 0C 70 80 80 01 00 07 80 0E 00 80  ......p.........
12[IKE]  384: 80 03 FD ED 80 02 00 02 80 04 00 02 03 00 00 24  ...............$
12[IKE]  400: 04 01 00 00 80 0B 00 01 80 0C 70 80 80 01 00 07  ..........p.....
12[IKE]  416: 80 0E 00 80 80 03 FD ED 80 02 00 01 80 04 00 02  ................
12[IKE]  432: 03 00 00 20 05 01 00 00 80 0B 00 01 80 0C 70 80  ... ..........p.
12[IKE]  448: 80 01 00 05 80 03 FD ED 80 02 00 02 80 04 00 02  ................
12[IKE]  464: 03 00 00 20 06 01 00 00 80 0B 00 01 80 0C 70 80  ... ..........p.
12[IKE]  480: 80 01 00 05 80 03 FD ED 80 02 00 01 80 04 00 02  ................
12[IKE]  496: 03 00 00 20 07 01 00 00 80 0B 00 01 80 0C 70 80  ... ..........p.
12[IKE]  512: 80 01 00 01 80 03 FD ED 80 02 00 02 80 04 00 02  ................
12[IKE]  528: 00 00 00 20 08 01 00 00 80 0B 00 01 80 0C 70 80  ... ..........p.
12[IKE]  544: 80 01 00 01 80 03 FD ED 80 02 00 01 80 04 00 02  ................
12[IKE]  560: 02 00 00 00 73 6E 6F 77 6D 61 6E 65 2E 00 00 00  ....snowmane.
12[IKE]  576: 00 00 00 00 00 00 00 00 00 00 00 00 00 00  mydomain .edu
12[IKE] HASH_R => 20 bytes @ 0x7fa7640028a0
12[IKE]    0: 28 D4 0C A0 E4 62 90 46 64 98 76 E5 10 A4 45 F2  (....b.Fd.v...E.
12[IKE]   16: 7C EF AD B0  |...
12[IKE] authentication of 'snowmane.mydomain.edu' (myself) successful
12[IKE] queueing XAUTH task
12[ENC] generating ID_PROT response 0 [ ID SIG ]
12[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
12[IKE] activating new tasks
12[IKE]   activating XAUTH task
12[IKE] Hash => 20 bytes @ 0x7fa7640064b0
12[IKE]    0: 14 5E CA D8 33 AD 53 76 0F A4 90 6A 82 F7 54 E1  .^..3.Sv...j..T.
12[IKE]   16: 49 8D AD 86  I...
12[ENC] generating TRANSACTION request 3975168956 [ HASH CP ]
12[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
15[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
15[IKE] received retransmit of request with ID 0, retransmitting response
15[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
02[IKE] sending retransmit 1 of request message ID 3975168956, seq 1
02[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
16[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
16[IKE] received retransmit of request with ID 0, retransmitting response
16[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
09[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
09[IKE] received retransmit of request with ID 0, retransmitting response
09[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
08[IKE] sending retransmit 2 of request message ID 3975168956, seq 1
08[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
11[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
11[IKE] received retransmit of request with ID 0, retransmitting response
11[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
10[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
10[IKE] received retransmit of request with ID 0, retransmitting response
10[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
13[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
13[IKE] received retransmit of request with ID 0, retransmitting response
13[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
12[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
12[IKE] received retransmit of request with ID 0, retransmitting response
12[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
15[NET] received packet: from ccc.ccc.7.68[500] to sss.sss.4.186[500]
15[IKE] received retransmit of request with ID 0, retransmitting response
15[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
02[IKE] sending retransmit 3 of request message ID 3975168956, seq 1
02[NET] sending packet: from sss.sss.4.186[500] to ccc.ccc.7.68[500]
16[JOB] deleting half open IKE_SA after timeout
16[IKE] IKE_SA rw[1] state change: CONNECTING => DESTROYING

> Hello
>
> My configuration for 5.0.0rc1 is as follows:
>
> conn mobilephones
>     keyexchange=ikev1
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=3
>     left=my-public-ip
>     leftsubnet=0.0.0.0/0
>     leftcert=my-vpn-server.crt
>     leftid=@server-cert-subject-cn
>     leftauth=pubkey
>     leftfirewall=no
>     right=%any
>     rightauth=pubkey
>     rightauth2=xauth-eap
>     rightsourceip=192.168.100.0/24
>     auto=add
>
> and strongswan.conf has:
>
>
> charon {
>     plugins {
>         eap-radius {
>             secret = secret-for-radius
>             server = 192.168.200.10
>         }
>         attr {
>             dns = 192.168.200.11
>         }
>     }
> }
>
>
> So, I'm using RADIUS to authenticate users (IKEv1+XAuth using
> certificates). I have created my own CA, server certificates and
> client certificates.
>
> Without RADIUS, you could store credentials in ipsec.secrets, or you
> might be able (don't know) to use some other EAP method to use local
> credentials from the server.
>
> Regards,
> Kimmo
>
> 2012/6/28 Ashwin Rao <[email protected]>:
>> Hi,
>>
>> I am using strongSwan 5.0.0rc1 to set up a VPN tunnel between my mobile
>> devices and a server that has a public IPv4 address. I would like these
>> mobile devices to access the Internet via my machine. I am seeing the
>> messages (present at the end of the mail) while running my ipsec
>> daemon. To summarise, my client is not able to connect with the VPN
>> server, and I get the messages
>> * id 'snowmane' not confirmed by certificate, defaulting to 'C=US,
>> O=snowmane, CN=snowmane.mydomain.edu'
>> * no peer config found
>> I get the same errors while connecting my iPod touch and Android
>> phone (v4.0) to the VPN server.
>>
>> I compiled strongSwan using the following config params.
>> ./configure --sysconfdir=/home/arao/etc --prefix=/home/arao/usr/
>> --libexecdir=/home/arao/usr/lib --enable-openssl --enable-agent
>> --enable-xauth-generic --enable-gcrypt --enable-integrity-test
>> --enable-openssl --enable-eap-gtc --enable-eap-md5
>> --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2
>> --enable-eap-identity --enable-attr-sql --enable-md4
>>
>> My ipsec.conf file is as follows
>>
>> #ipsec.conf
>> config setup
>>
>> # Sample VPN connections
>> conn rw
>>     auto=add
>>     authby=xauthrsasig
>>     keyexchange=ikev1
>>     xauth=server
>>     left=%defaultroute
>>     right=%any
>>     leftcert=serverCert.pem
>>     rightcert=clientCert.pem
>>     leftid=snowmane
>>     rightid=client
>>     leftfirewall=yes
>>     rightfirewall=no
>>
>> I have tried removing leftid and rightid as well, but it did not work.
>>
>> My strongswan.conf is as follows
>> # for strongSwan 5.0.0+
>> charon {
>>     filelog {
>>         /var/log/charon.log {
>>             time_format = %b %e %T
>>             append = no
>>             default = 1
>>             flush_line = yes
>>         }
>>         stderr {
>>             ike = 2
>>             knl = 3
>>             ike_name = yes
>>         }
>>     }
>>     syslog {
>>         identifier = charon-custom
>>         daemon {
>>         }
>>         auth {
>>             default = -1
>>             ike = 0
>>         }
>>     }
>> }
>>
>> --- logs on running ipsec start --nofork --debug-all
>> 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0rc1)
>> 00[CFG] attr-sql plugin: database URI not set
>> 00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
>> 00[KNL] listening on interfaces:
>> 00[KNL]   eth1
>> 00[KNL]     <snowmane.mydomain.edu-ip-address>
>> 00[KNL]     <ipv6-address>
>> 00[CFG] loading ca certificates from '/mypath/etc/ipsec.d/cacerts'
>> 00[CFG]   loaded ca certificate "C=US, O=snowmane, CN=snowmane CA" from '/mypath/etc/ipsec.d/cacerts/caCert.pem'
>> 00[CFG] loading aa certificates from '/mypath/etc/ipsec.d/aacerts'
>> 00[CFG] loading ocsp signer certificates from '/mypath/etc/ipsec.d/ocspcerts'
>> 00[CFG] loading attribute certificates from '/mypath/etc/ipsec.d/acerts'
>> 00[CFG] loading crls from '/mypath/etc/ipsec.d/crls'
>> 00[CFG] loading secrets from '/mypath/etc/ipsec.secrets'
>> 00[CFG]   loaded RSA private key from '/mypath/etc/ipsec.d/private/serverKey.pem'
>> 00[CFG]   loaded EAP secret for test
>> 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 xauth-generic
>> 00[JOB] spawning 16 worker threads
>> charon (12264) started after 40 ms
>> 11[CFG] received stroke: add connection 'rw'
>> 11[KNL] getting interface name for %any
>> 11[KNL] %any is not a local address
>> 11[KNL] getting interface name for %any
>> 11[KNL] %any is not a local address
>> 11[CFG] left nor right host is our side, assuming left=local
>> 11[CFG]   loaded certificate "C=US, O=snowmane, CN=snowmane.mydomain.edu" from 'serverCert.pem'
>> 11[CFG]   id 'snowmane' not confirmed by certificate, defaulting to 'C=US, O=snowmane, CN=snowmane.mydomain.edu'
>> 11[CFG]   loaded certificate "C=US, O=snowmane, CN=client" from 'clientCert.pem'
>> 11[CFG]   id 'client' not confirmed by certificate, defaulting to 'C=US, O=snowmane, CN=client'
>> 11[CFG] added configuration 'rw'
>> 12[NET] <1> received packet: from <clients-ipv4-address>[500] to <snowmane.mydomain.edu-ip-address>[500]
>> 12[ENC] <1> parsed ID_PROT request 0 [ SA V V V V V V V V ]
>> 12[IKE] <1> received NAT-T (RFC 3947) vendor ID
>> 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
>> 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>> 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
>> 12[IKE] <1> received XAuth vendor ID
>> 12[IKE] <1> received Cisco Unity vendor ID
>> 12[ENC] <1> received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
>> 12[IKE] <1> received DPD vendor ID
>> 12[IKE] <1> <clients-ipv4-address> is initiating a Main Mode IKE_SA
>> 12[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
>> 12[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
>> 12[NET] <1> sending packet: from <snowmane.mydomain.edu-ip-address>[500] to <clients-ipv4-address>[500]
>> 13[NET] <1> received packet: from <clients-ipv4-address>[500] to <snowmane.mydomain.edu-ip-address>[500]
>> 13[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
>> 13[IKE] <1> sending cert request for "C=US, O=snowmane, CN=snowmane CA"
>> 13[ENC] <1> generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
>> 13[NET] <1> sending packet: from <snowmane.mydomain.edu-ip-address>[500] to <clients-ipv4-address>[500]
>> 02[NET] <1> received packet: from <clients-ipv4-address>[500] to <snowmane.mydomain.edu-ip-address>[500]
>> 02[ENC] <1> parsed ID_PROT request 0 [ ID CERT SIG ]
>> 02[IKE] <1> received end entity cert "C=US, O=strongSwan, CN=client"
>> 02[CFG] <1> looking for XAuthInitRSA peer configs matching <snowmane.mydomain.edu-ip-address>...<clients-ipv4-address>[C=US, O=strongSwan, CN=client]
>> 02[IKE] <1> no peer config found
>> 02[IKE] <1> queueing INFORMATIONAL task
>> 02[IKE] <1> activating new tasks
>> 02[IKE] <1>   activating INFORMATIONAL task
>> 02[ENC] <1> generating INFORMATIONAL_V1 request 3114230574 [ HASH N(AUTH_FAILED) ]
>> 02[NET] <1> sending packet: from <snowmane.mydomain.edu-ip-address>[500] to <clients-ipv4-address>[500]
>> 02[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
>>
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> https://lists.strongswan.org/mailman/listinfo/users
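A small triage script for charon logs of the kind quoted in this thread. It is an added example, not strongSwan code and not anything the posters wrote: it parses the `NN[GRP] message` lines charon prints under `ipsec start --nofork --debug-all` (tolerating the `>>` mail quoting and the `<1>` IKE_SA tags seen above), tracks IKE_SA state changes and retransmit counters, and turns the four messages this thread hinges on (id not confirmed by certificate, no peer config found, certificate status is not available, half-open IKE_SA timeout) into operator-facing findings. Both sample logs are constructed from lines quoted above, trimmed, with the posters' redacted placeholders (`sss.sss.4.186`, `<server-ip>`) left in place; the finding texts are this editor's reading of those messages, not charon output.

```python
import re
from collections import Counter

# Constructed sample (not a verbatim copy): the later charon run posted above,
# trimmed to the lines that matter, with the poster's redacted addresses.
LOG_RETRANSMIT_LOOP = """\
11[IKE] ccc.ccc.7.68 is initiating a Main Mode IKE_SA
11[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
13[IKE] received retransmit of request with ID 0, retransmitting response
12[IKE] received end entity cert "C=US, O=snowmane, CN=client"
12[CFG] looking for XAuthInitRSA peer configs matching sss.sss.4.186...ccc.ccc.7.68[C=US, O=snowmane, CN=client]
12[CFG] selected peer config "rw"
12[CFG] certificate status is not available
12[IKE] authentication of 'C=US, O=snowmane, CN=client' with RSA successful
12[ENC] generating TRANSACTION request 3975168956 [ HASH CP ]
15[IKE] received retransmit of request with ID 0, retransmitting response
02[IKE] sending retransmit 1 of request message ID 3975168956, seq 1
16[IKE] received retransmit of request with ID 0, retransmitting response
08[IKE] sending retransmit 2 of request message ID 3975168956, seq 1
02[IKE] sending retransmit 3 of request message ID 3975168956, seq 1
16[JOB] deleting half open IKE_SA after timeout
16[IKE] IKE_SA rw[1] state change: CONNECTING => DESTROYING
"""

# Constructed sample: the earlier run from the original post, still ">>"-quoted.
LOG_NO_PEER_CONFIG = """\
>> 11[CFG]   id 'snowmane' not confirmed by certificate, defaulting to 'C=US, O=snowmane, CN=snowmane.mydomain.edu'
>> 11[CFG]   id 'client' not confirmed by certificate, defaulting to 'C=US, O=snowmane, CN=client'
>> 12[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
>> 02[IKE] <1> received end entity cert "C=US, O=strongSwan, CN=client"
>> 02[CFG] <1> looking for XAuthInitRSA peer configs matching <server-ip>...<client-ip>[C=US, O=strongSwan, CN=client]
>> 02[IKE] <1> no peer config found
>> 02[ENC] <1> generating INFORMATIONAL_V1 request 3114230574 [ HASH N(AUTH_FAILED) ]
>> 02[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
"""

# charon line shape: "NN[GRP] [<sa-id>] message"; mail quoting (">", ">>") is skipped.
LINE = re.compile(r"^(?:>+\s*)*(\d\d)\[([A-Z]{3})\]\s*(?:<\d+>\s*)?(.*)$")
STATE = re.compile(r"IKE_SA (\S+)\[\d+\] state change: (\w+) => (\w+)")
RETX_IN = re.compile(r"received retransmit of request with ID (\d+)")
RETX_OUT = re.compile(r"sending retransmit (\d+) of request message ID (\d+)")
LOOKUP = re.compile(r"looking for (\w+) peer configs matching \S+\.\.\.\S+\[(.*)\]$")
SELECTED = re.compile(r'selected peer config "([^"]*)"')
NOT_CONFIRMED = re.compile(r"id '([^']*)' not confirmed by certificate, defaulting to '([^']*)'")
AUTH_OK = re.compile(r"authentication of '([^']*)' with RSA successful")


def triage(log: str) -> dict:
    """Summarise one charon run: final IKE_SA state, retransmit counters, the peer
    identity charon searched a conn for, and findings an operator can act on."""
    out = {"final_state": None, "peer_identity": None, "selected_config": None,
           "authenticated": [], "peer_retransmits": Counter(), "our_retransmits": {},
           "findings": []}
    timed_out = False
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group(3)
        if r := STATE.search(msg):
            out["final_state"] = r.group(3)
        elif r := RETX_IN.search(msg):
            out["peer_retransmits"][int(r.group(1))] += 1      # peer re-sent its request
        elif r := RETX_OUT.search(msg):
            out["our_retransmits"][int(r.group(2))] = int(r.group(1))  # highest attempt seen
        elif r := LOOKUP.search(msg):
            out["peer_identity"] = r.group(2)
        elif r := SELECTED.search(msg):
            out["selected_config"] = r.group(1)
        elif r := AUTH_OK.search(msg):
            out["authenticated"].append(r.group(1))
        elif r := NOT_CONFIRMED.search(msg):
            out["findings"].append(
                f"id {r.group(1)!r} is neither the subject DN nor a subjectAltName of the loaded "
                f"certificate, so charon uses {r.group(2)!r}; set leftid/rightid to that DN or to "
                f"a SAN the certificate actually carries")
        elif "no peer config found" in msg:
            out["findings"].append(
                f"peer identity {out['peer_identity']!r} matched no conn: compare it with rightid "
                f"(or the DN of rightcert) in ipsec.conf")
        elif "certificate status is not available" in msg:
            out["findings"].append(
                "no CRL or OCSP response was available for the peer certificate (nothing in "
                "ipsec.d/crls, no reachable OCSP responder); informational unless strictcrlpolicy=yes")
        elif "deleting half open IKE_SA after timeout" in msg:
            timed_out = True
    if timed_out:
        peer = sum(out["peer_retransmits"].values())
        ours = ", ".join(f"message ID {i} x{n}" for i, n in out["our_retransmits"].items())
        out["findings"].append(
            f"half-open IKE_SA timed out: the peer re-sent its last request {peer} times and our "
            f"own request ({ours or 'none'}) was never answered, so the peer never acknowledged "
            f"our last Main Mode response; read the client-side log (its check of the server "
            f"certificate and identity) and confirm UDP 500/4500 replies reach the client")
    return out


if __name__ == "__main__":
    for name, log in (("retransmit loop", LOG_RETRANSMIT_LOOP), ("no peer config", LOG_NO_PEER_CONFIG)):
        summary = triage(log)
        print(f"== {name}: final state {summary['final_state']}")
        for finding in summary["findings"]:
            print(" -", finding)
```

Run it on a real charon log with `triage(open(path).read())`; the two constructed samples reproduce the two outcomes in this thread: the first run dies with `no peer config found` because the client certificate's DN (`O=strongSwan`) differs from the DN that `rightid=client` fell back to (`O=snowmane`), and the second run authenticates the client but the peer keeps retransmitting its last Main Mode message until the half-open SA is reaped.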
