Hello,

I am using the DHCP plugin to supply an address to my Android (4.1)
strongSwan VPN Client that connects to a strongSwan (4.5.2) server with
IKEv2. I want the DHCP server to statically assign IP addresses based on
the client's FQDN. The FQDN is used as the CN in the client's certificate and
as the subjectAltName. When identity_lease=yes is specified in the
strongswan.conf file, the DHCP Request's Client Identifier field is set to
the DER ASN.1 DN identifier of the client. I expected to see the FQDN in
this field so that it could be used for pre-configured static assignment in
the DHCP server's configuration file. The DHCP server delivers an address,
but not the statically assigned one for the client, since the file can't be
indexed by the DER ASN.1 DN.

My preferred connection configuration in the server's ipsec.conf has
rightid=%any and is similar to that in the dhcp-static-client-id test. I
have also tried multiple alternate configurations of rightid, thinking this
might be why the identifier was defaulting to the DER ASN.1 DN. The result
was that the SA could not be established. Charon appears to be using the DER
ASN.1 DN from the client's packet and comparing it to whatever rightid is
configured as for the connection in ipsec.conf. If rightid is anything but
%any or the fully specified DER ASN.1 DN, the SA fails. (Using email as the
subjectAltName and the rightid also failed.)

I would appreciate any help in identifying the error in my certificate or
connection configuration that prevents the FQDN from being used as the
client identifier in the DHCP request. Is it possible to generate a client
certificate and configure the connection in a way that forces use of the
subjectAltName in the DHCP Request when rightid=%any? My configuration,
log, and DHCP Request capture are in the attached rightid_any file.

I also attached rightid_dns showing the failure of the SA establishment if
rightid is set to the DNS name of the client. Since it is another case of the
DER ASN.1 DN being used as the peer identifier instead of the subjectAltName,
it seems possible this problem is related.

Thank you for any help provided.

-gs

# strongswan.conf - strongSwan configuration file
charon {
        # number of worker threads in charon
        threads = 16

        plugins {
                dhcp {
                        server = 10.49.2.1
                        identity_lease = yes
                }
        }
}
-------------------------------------------------------------------
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        nat_traversal=yes
        charonstart=yes
        charondebug="default 4, ike 4, cfg 4, mgr 4, chd 4, net 4, asn 4, tls 4, enc 4, lib 4"
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no

ca sample
   cacert=sampleCAshortcert.pem
   auto=add
  

# Add connections here.
conn %default
        type=tunnel
        keyexchange=ikev2
        reauth=no
        rekey=no
        authby=rsa
        pfs=no
        keyingtries=3
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftcert=sampleservershortCert.pem
        leftid=sampleservershortKey.der
        leftfirewall=yes
        right=%any
        rightsourceip=%dhcp

conn rw
        #[email protected]                  # SA fails
        #rightid="C=US,O=Sample,CN=rw1.sample.org"      # SA succeeds
        rightid=%any                                    # SA succeeds
        auto=add
------------------------------------------------------------------------------
# ipsec.secrets

: RSA sampleservershortKey.der "xxxxxxxxxx"             
-------------------------------------------------------------------------------
>> ipsec statusall

Security Associations:
          rw[1]: ESTABLISHED 2 minutes ago, 192.168.55.141[C=US, O=Sample, CN=servershort.sample.org, [email protected]]...192.168.55.136[C=US, O=Sample, CN=rw1.sample.org]
          rw{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c0f5c282_i 2cf6250b_o
          rw{1}:   0.0.0.0/0 === 10.49.2.20/32
Status of IKEv2 charon daemon (strongSwan 4.5.2):
  uptime: 3 minutes, since Feb 13 01:10:27 2013
  malloc: sbrk 282624, mmap 0, used 220288, free 62336
  worker threads: 6 idle of 16, job queue load: 0, scheduled events: 0
  loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc nm dhcp led addrblock
Listening IP addresses:
  192.168.55.141
Connections:
          rw:  192.168.55.141...%any
          rw:   local:  [C=US, O=Sample, CN=servershort.sample.org, [email protected]] uses public key authentication
          rw:    cert:  "C=US, O=Sample, CN=servershort.sample.org, [email protected]"
          rw:   remote: [%any] uses any authentication
          rw:   child:  0.0.0.0/0 === dynamic
------------------------------------------------------------------------------
>> ipsec status

Security Associations:
          rw[1]: ESTABLISHED 3 minutes ago, 192.168.55.141[C=US, O=Sample, CN=servershort.sample.org, [email protected]]...192.168.55.136[C=US, O=Sample, CN=rw1.sample.org]
          rw[1]: IKE SPIs: 5c8c30014a4cf504_i 3fcc51dc8813b4d4_r*, rekeying disabled
          rw[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
          rw{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c0f5c282_i 2cf6250b_o
          rw{1}:  AES_CBC_128/HMAC_SHA1_96, 48 bytes_i (201s ago), 48 bytes_o (201s ago), rekeying disabled
          rw{1}:   0.0.0.0/0 === 10.49.2.20/32
--------------------------------------------------------------------------------
>> ipsec listcerts
List of X.509 End Entity Certificates:

  altNames:  rw1.sample.org
  subject:  "C=US, O=Sample, CN=rw1.sample.org"
  issuer:   "C=US, O=Sample, OU=Sample CA, CN=ca.sample.org, [email protected]"
  serial:    10:1c
  validity:  not before Feb 12 21:01:43 2013, ok
             not after  Feb 12 21:01:43 2015, ok
  pubkey:    RSA 1024 bits
  keyid:     ...
  subjkey:   ...
  authkey:   ...

  altNames:  192.168.55.141
  subject:  "C=US, O=Sample, CN=servershort.sample.org, [email protected]"
  issuer:   "C=US, O=Sample, OU=Sample CA, CN=ca.sample.org, [email protected]"
  serial:    10:19
  validity:  not before Feb 12 16:35:17 2013, ok
             not after  Feb 12 16:35:17 2015, ok
  pubkey:    RSA 1024 bits, has private key
  keyid:     ...
  subjkey:   ...
  authkey:   ...
-------------------------------------------------------------------------------
auth.log
Feb 13 01:10:27 eMAC ipsec_starter[8399]: Starting strongSwan 4.5.2 IPsec [starter]...
Feb 13 01:10:27 eMAC sudo: pam_unix(sudo:session): session closed for user root
Feb 13 01:10:27 eMAC ipsec_starter[8425]: charon (8426) started after 100 ms
Feb 13 01:10:40 eMAC charon: 13[IKE] 192.168.55.136 is initiating an IKE_SA
Feb 13 01:10:41 eMAC charon: 14[IKE] IKE_SA rw[1] established between 192.168.55.141[C=US, O=Sample, CN=servershort.sample.org, [email protected]]...192.168.55.136[C=US, O=Sample, CN=rw1.sample.org]
Feb 13 01:10:42 eMAC charon: 14[IKE] CHILD_SA rw{1} established with SPIs c0f5c282_i 2cf6250b_o and TS 0.0.0.0/0 === 10.49.2.20/32
-------------------------------------------------------------------------------
syslog

Feb 13 01:10:27 eMAC charon: 00[CFG] loading ca certificates from 
'/etc/ipsec.d/cacerts'
Feb 13 01:10:27 eMAC charon: 00[CFG]   loaded ca certificate "C=US, O=Sample, OU=Sample CA, CN=ca.sample.org, [email protected]" from '/etc/ipsec.d/cacerts/sampleCAshortcert.pem'
Feb 13 01:10:27 eMAC charon: 00[CFG] loading aa certificates from 
'/etc/ipsec.d/aacerts'
Feb 13 01:10:27 eMAC charon: 00[CFG] loading ocsp signer certificates from 
'/etc/ipsec.d/ocspcerts'
Feb 13 01:10:27 eMAC charon: 00[CFG] loading attribute certificates from 
'/etc/ipsec.d/acerts'
Feb 13 01:10:27 eMAC charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 13 01:10:27 eMAC charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 13 01:10:27 eMAC charon: 00[CFG]   loaded RSA private key from 
'/etc/ipsec.d/private/sampleservershortKey.der'
Feb 13 01:10:27 eMAC charon: 00[CFG] sql plugin: database URI not set
Feb 13 01:10:27 eMAC charon: 00[LIB] plugin 'sql': failed to load - 
sql_plugin_create returned NULL
Feb 13 01:10:27 eMAC charon: 00[CFG] loaded 0 RADIUS server configurations
Feb 13 01:10:27 eMAC charon: 00[LIB] plugin 'medsrv' failed to load: /usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object file: No such file or directory
Feb 13 01:10:27 eMAC charon: 00[CFG] mediation client database URI not defined, 
skipped
Feb 13 01:10:27 eMAC charon: 00[LIB] plugin 'medcli': failed to load - 
medcli_plugin_create returned NULL
Feb 13 01:10:27 eMAC NetworkManager[983]: <info> VPN service 'strongswan' 
appeared; activating connections
Feb 13 01:10:27 eMAC charon: 00[CFG] HA config misses local/remote address
Feb 13 01:10:27 eMAC charon: 00[LIB] plugin 'ha': failed to load - 
ha_plugin_create returned NULL
Feb 13 01:10:27 eMAC charon: 00[DMN] loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc nm dhcp led addrblock
Feb 13 01:10:27 eMAC charon: 00[JOB] spawning 16 worker threads
Feb 13 01:10:27 eMAC charon: 09[CFG] received stroke: add ca 'sample'
Feb 13 01:10:27 eMAC charon: 09[CFG] added ca 'sample'
Feb 13 01:10:27 eMAC charon: 04[CFG] received stroke: add connection 'rw'
Feb 13 01:10:27 eMAC charon: 04[CFG]   loaded certificate "C=US, O=Sample, CN=servershort.sample.org, [email protected]" from 'sampleservershortCert.pem'
Feb 13 01:10:27 eMAC charon: 04[CFG]   id 'sampleservershortKey.der' not confirmed by certificate, defaulting to 'C=US, O=Sample, CN=servershort.sample.org, [email protected]'
Feb 13 01:10:27 eMAC charon: 04[CFG] added configuration 'rw'
Feb 13 01:10:40 eMAC charon: 13[NET] received packet: from 
192.168.55.136[51161] to 192.168.55.141[500]
Feb 13 01:10:40 eMAC charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No 
N(NATD_S_IP) N(NATD_D_IP) ]
Feb 13 01:10:40 eMAC charon: 13[IKE] 192.168.55.136 is initiating an IKE_SA
Feb 13 01:10:41 eMAC charon: 13[IKE] remote host is behind NAT
Feb 13 01:10:41 eMAC charon: 13[IKE] sending cert request for "C=US, O=Sample, 
OU=Sample CA, CN=ca.sample.org, [email protected]"
Feb 13 01:10:41 eMAC charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE 
No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Feb 13 01:10:41 eMAC charon: 13[NET] sending packet: from 192.168.55.141[500] 
to 192.168.55.136[51161]
Feb 13 01:10:41 eMAC charon: 14[NET] received packet: from 
192.168.55.136[43483] to 192.168.55.141[4500]
Feb 13 01:10:41 eMAC charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Feb 13 01:10:41 eMAC charon: 14[IKE] received cert request for "C=US, O=Sample, 
OU=Sample CA, CN=ca.sample.org, [email protected]"
Feb 13 01:10:41 eMAC charon: 14[IKE] received 1 cert requests for an unknown ca
Feb 13 01:10:41 eMAC charon: 14[IKE] received end entity cert "C=US, O=Sample, 
CN=rw1.sample.org"
Feb 13 01:10:41 eMAC charon: 14[CFG] looking for peer configs matching 
192.168.55.141[%any]...192.168.55.136[C=US, O=Sample, CN=rw1.sample.org]
Feb 13 01:10:41 eMAC charon: 14[CFG] selected peer config 'rw'
Feb 13 01:10:41 eMAC charon: 14[CFG]   using certificate "C=US, O=Sample, 
CN=rw1.sample.org"
Feb 13 01:10:41 eMAC charon: 14[CFG]   using trusted ca certificate "C=US, 
O=Sample, OU=Sample CA, CN=ca.sample.org, [email protected]"
Feb 13 01:10:41 eMAC charon: 14[CFG] checking certificate status of "C=US, 
O=Sample, CN=rw1.sample.org"
Feb 13 01:10:41 eMAC charon: 14[CFG] certificate status is not available
Feb 13 01:10:41 eMAC charon: 14[CFG]   reached self-signed root ca with a path 
length of 0
Feb 13 01:10:41 eMAC charon: 14[IKE] authentication of 'C=US, O=Sample, 
CN=rw1.sample.org' with RSA signature successful
Feb 13 01:10:41 eMAC charon: 14[IKE] peer supports MOBIKE
Feb 13 01:10:41 eMAC charon: 14[IKE] authentication of 'C=US, O=Sample, CN=servershort.sample.org, [email protected]' (myself) with RSA signature successful
Feb 13 01:10:41 eMAC charon: 14[IKE] IKE_SA rw[1] established between 192.168.55.141[C=US, O=Sample, CN=servershort.sample.org, [email protected]]...192.168.55.136[C=US, O=Sample, CN=rw1.sample.org]
Feb 13 01:10:41 eMAC charon: 14[IKE] sending end entity cert "C=US, O=Sample, 
CN=servershort.sample.org, [email protected]"
Feb 13 01:10:41 eMAC charon: 14[IKE] peer requested virtual IP %any
Feb 13 01:10:41 eMAC charon: 14[CFG] sending DHCP DISCOVER to 10.49.2.1
Feb 13 01:10:42 eMAC charon: 14[CFG] sending DHCP DISCOVER to 10.49.2.1
Feb 13 01:10:42 eMAC charon: 06[CFG] received DHCP OFFER 10.49.2.20 from 
10.49.2.1
Feb 13 01:10:42 eMAC charon: 14[CFG] sending DHCP REQUEST for 10.49.2.20 to 
10.49.2.1
Feb 13 01:10:42 eMAC charon: 06[CFG] received DHCP ACK for 10.49.2.20
Feb 13 01:10:42 eMAC charon: 14[IKE] assigning virtual IP 10.49.2.20 to peer 
'C=US, O=Sample, CN=rw1.sample.org'
Feb 13 01:10:42 eMAC charon: 14[IKE] CHILD_SA rw{1} established with SPIs 
c0f5c282_i 2cf6250b_o and TS 0.0.0.0/0 === 10.49.2.20/32 
Feb 13 01:10:42 eMAC vpn: + C=US, O=Sample, CN=rw1.sample.org 10.49.2.20/32 == 
192.168.55.136 -- 192.168.55.141 == 0.0.0.0/0
Feb 13 01:10:42 eMAC charon: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT 
AUTH CP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Feb 13 01:10:42 eMAC charon: 14[NET] sending packet: from 192.168.55.141[4500] to 192.168.55.136[43483]

---------------------------------------------------------------------------------------
DHCP Packet Trace

No. Time Source Destination Protocol Length Info
1 0.000000000 10.49.2.2 10.49.2.1 DHCP 406 DHCP Discover - Transaction
Frame 1: 406 bytes on wire (3248 bits), 406 bytes captured (3248 bits) on interface 0
Ethernet II, Src: Advantec_4b:07:c7 (00:0b:ab:4b:07:c7), Dst: Dell_57:1f:3a (00:12:3f:57:1f:3a)
Internet Protocol Version 4, Src: 10.49.2.2 (10.49.2.2), Dst: 10.49.2.1 (10.49.2.1)
User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
Bootstrap Protocol
Message type: Boot Request (1)
Hardware type: Ethernet
Hardware address length: 6
Hops: 0
Transaction ID: 0xa75ec47a
Seconds elapsed: 0
Bootp flags: 0x0000 (Unicast)
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 0.0.0.0 (0.0.0.0)
Next server IP address: 0.0.0.0 (0.0.0.0)
Relay agent IP address: 10.49.2.2 (10.49.2.2)
Client MAC address: 7a:a7:ba:7f:91:a5 (7a:a7:ba:7f:91:a5)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (53) DHCP Message Type
Length: 1
DHCP: Discover (1)
Option: (61) Client identifier
Length: 57   ===================================================at line 214
Option: (55) Parameter Request List
Length: 2
Parameter Request List Item: (6) Domain Name Server
Parameter Request List Item: (44) NetBIOS over TCP/IP Name Server
Option: (255) End
Option End: 255
Padding
0000 00 12 3f 57 1f 3a 00 0b ab 4b 07 c7 08 00 45 00 ..?W.:...K....E.
0010 01 88 00 00 40 00 40 11 21 01 0a 31 02 02 0a 31 ....@.@.!..1...1
0020 02 01 00 44 00 43 01 74 ab c7 01 01 06 00 a7 5e ...D.C.t.......^
0030 c4 7a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .z..............
0040 00 00 0a 31 02 02 7a a7 ba 7f 91 a5 00 00 00 00 ...1..z.........
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0110 00 00 00 00 00 00 63 82 53 63 35 01 01 3d 39 30 ......c.Sc5..=90
0120 37 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 0f 71.0...U....US1.
0130 30 0d 06 03 55 04 0a 0c 06 53 61 6d 70 6c 65 31 0...U....Sample1
0140 17 30 15 06 03 55 04 03 0c 0e 72 77 31 2e 73 61 .0...U....rw1.sa
0150 6d 70 6c 65 2e 6f 72 67 37 02 06 2c ff 00 00 00 mple.org7..,....
0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0190 00 00 00 00 00 00 ......

-------------------------------------------------------------

Log from Client (taken on a different run of the same configuration)

Feb 13 02:30:42 00[DMN] Starting IKE charon daemon (strongSwan 5.0.2dr4, Linux 
3.0.31-381038, armv7l)
Feb 13 02:30:42 00[DMN] loaded plugins: androidbridge charon android-log 
openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-default 
eap-identity eap-mschapv2 eap-md5 eap-gtc
Feb 13 02:30:42 00[JOB] spawning 16 worker threads
Feb 13 02:30:42 11[CFG] loaded user certificate 'C=US, O=Sample, 
CN=rw1.sample.org' and private key
Feb 13 02:30:42 11[CFG] loaded CA certificate 'C=US, O=Sample, OU=Sample CA, 
CN=ca.sample.org, [email protected]'
Feb 13 02:30:42 11[IKE] initiating IKE_SA android[124] to 192.168.55.141
Feb 13 02:30:42 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No 
N(NATD_S_IP) N(NATD_D_IP) ]
Feb 13 02:30:42 11[NET] sending packet: from 192.168.55.136[60306] to 
192.168.55.141[500]
Feb 13 02:30:43 09[NET] received packet: from 192.168.55.141[500] to 
192.168.55.136[60306]
Feb 13 02:30:43 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) 
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Feb 13 02:30:43 09[IKE] faking NAT situation to enforce UDP encapsulation
Feb 13 02:30:43 09[IKE] received cert request for "C=US, O=Sample, OU=Sample 
CA, CN=ca.sample.org, [email protected]"
Feb 13 02:30:43 09[IKE] sending cert request for "C=US, O=Sample, OU=Sample CA, 
CN=ca.sample.org, [email protected]"
Feb 13 02:30:43 09[IKE] sending cert request for "C=US, O=Sample, OU=Sample CA, 
CN=ca.sample.org, [email protected]"
Feb 13 02:30:43 09[IKE] authentication of 'C=US, O=Sample, CN=rw1.sample.org' 
(myself) with RSA signature successful
Feb 13 02:30:43 09[IKE] sending end entity cert "C=US, O=Sample, 
CN=rw1.sample.org"
Feb 13 02:30:43 09[IKE] establishing CHILD_SA android
Feb 13 02:30:43 09[ENC] generating IKE_AUTH request 1 [ IDi CERT 
N(INIT_CONTACT) CERTREQ AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) 
N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Feb 13 02:30:43 09[NET] sending packet: from 192.168.55.136[52589] to 
192.168.55.141[4500]
Feb 13 02:30:44 13[NET] received packet: from 192.168.55.141[4500] to 
192.168.55.136[52589]
Feb 13 02:30:44 13[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR) SA 
TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Feb 13 02:30:44 13[IKE] received end entity cert "C=US, O=Sample, 
CN=servershort.sample.org, [email protected]"
Feb 13 02:30:44 13[CFG]   using certificate "C=US, O=Sample, 
CN=servershort.sample.org, [email protected]"
Feb 13 02:30:44 13[CFG]   using trusted ca certificate "C=US, O=Sample, 
OU=Sample CA, CN=ca.sample.org, [email protected]"
Feb 13 02:30:44 13[CFG]   reached self-signed root ca with a path length of 0
Feb 13 02:30:44 13[IKE] authentication of 'C=US, O=Sample, 
CN=servershort.sample.org, [email protected]' with RSA signature successful
Feb 13 02:30:44 13[IKE] IKE_SA android[124] established between 
192.168.55.136[C=US, O=Sample, CN=rw1.sample.org]...192.168.55.141[C=US, 
O=Sample, CN=servershort.sample.org, [email protected]]
Feb 13 02:30:44 13[IKE] scheduling rekeying in 35525s
Feb 13 02:30:44 13[IKE] maximum IKE_SA lifetime 36125s
Feb 13 02:30:44 13[IKE] installing new virtual IP 10.49.2.20
Feb 13 02:30:44 13[IKE] CHILD_SA android{108} established with SPIs 7f6bb189_i 
cb6e5413_o and TS 10.49.2.20/32 === 0.0.0.0/0 
Feb 13 02:30:44 13[DMN] setting up TUN device for CHILD_SA android{108}
Feb 13 02:30:44 13[DMN] successfully created TUN device
Feb 13 02:30:44 13[IKE] peer supports MOBIKE

# strongswan.conf - strongSwan configuration file
charon {
        # number of worker threads in charon
        threads = 16

        plugins {
                dhcp {
                        server = 10.49.2.1
                        identity_lease = yes
                }
        }
}
-------------------------------------------------------------------
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        nat_traversal=yes
        charonstart=yes
        charondebug="default 4, ike 4, cfg 4, mgr 4, chd 4, net 4, asn 4, tls 4, enc 4, lib 4"
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no

ca sample
   cacert=sampleCAshortcert.pem
   auto=add
  

# Add connections here.
conn %default
        type=tunnel
        keyexchange=ikev2
        reauth=no
        rekey=no
        authby=rsa
        pfs=no
        keyingtries=3
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftcert=sampleservershortCert.pem
        leftid=sampleservershortKey.der
        leftfirewall=yes
        right=%any
        rightsourceip=%dhcp

conn rw
        [email protected]                   # SA fails
        #rightid="C=US,O=Sample,CN=rw1.sample.org"      # SA succeeds
        #rightid=%any                                   # SA succeeds
        auto=add
------------------------------------------------------------------------------
# ipsec.secrets

: RSA sampleservershortKey.der "xxxxxxxxxx"             
-------------------------------------------------------------------------------
>> ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.2):
  uptime: 3 minutes, since Feb 13 02:06:57 2013
  malloc: sbrk 282624, mmap 0, used 231576, free 51048
  worker threads: 6 idle of 16, job queue load: 0, scheduled events: 0
  loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc nm dhcp led addrblock
Listening IP addresses:
  192.168.55.141
Connections:
          rw:  192.168.55.141...%any
          rw:   local:  [C=US, O=Sample, CN=servershort.sample.org, [email protected]] uses public key authentication
          rw:    cert:  "C=US, O=Sample, CN=servershort.sample.org, [email protected]"
          rw:   remote: [rw1.sample.org] uses any authentication
          rw:   child:  0.0.0.0/0 === dynamic
Security Associations:
  none
-------------------------------------------------------------------------------
>> ipsec listcerts
List of X.509 End Entity Certificates:

  altNames:  192.168.55.141
  subject:  "C=US, O=Sample, CN=servershort.sample.org, [email protected]"
  issuer:   "C=US, O=Sample, OU=Sample CA, CN=ca.sample.org, [email protected]"
  serial:    10:19
  validity:  not before Feb 12 16:35:17 2013, ok
             not after  Feb 12 16:35:17 2015, ok 
  pubkey:    RSA 1024 bits, has private key
  keyid:     ...
  subjkey:   ...
  authkey:   ...
-------------------------------------------------------------------------------
auth.log
Feb 13 02:06:57 eMAC ipsec_starter[8525]: Starting strongSwan 4.5.2 IPsec [starter]...
Feb 13 02:06:57 eMAC sudo: pam_unix(sudo:session): session closed for user root
Feb 13 02:06:57 eMAC ipsec_starter[8562]: charon (8563) started after 80 ms
Feb 13 02:07:09 eMAC charon: 13[IKE] 192.168.55.136 is initiating an IKE_SA
Feb 13 02:07:59 eMAC charon: 10[IKE] 192.168.55.136 is initiating an IKE_SA
Feb 13
-------------------------------------------------------------------------------
syslog
Feb 13 02:06:57 eMAC charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 
4.5.2)
Feb 13 02:06:57 eMAC charon: 00[LIB] Padlock not found, CPU is GenuineIntel
Feb 13 02:06:57 eMAC charon: 00[LIB] plugin 'padlock': failed to load - 
padlock_plugin_create returned NULL
Feb 13 02:06:57 eMAC charon: 00[KNL] listening on interfaces:
Feb 13 02:06:57 eMAC charon: 00[KNL]   eth2
Feb 13 02:06:57 eMAC charon: 00[KNL]     192.168.55.141
Feb 13 02:06:57 eMAC charon: 00[KNL]     fe80::20b:abff:fe4b:7c4
Feb 13 02:06:57 eMAC charon: 00[CFG] loading ca certificates from 
'/etc/ipsec.d/cacerts'
Feb 13 02:06:57 eMAC charon: 00[CFG]   loaded ca certificate "C=US, O=Sample, 
OU=Sample CA, CN=ca.sample.org, [email protected]" from 
'/etc/ipsec.d/cacerts/sampleCAshortcert.pem'
Feb 13 02:06:57 eMAC charon: 00[CFG] loading aa certificates from 
'/etc/ipsec.d/aacerts'
Feb 13 02:06:57 eMAC charon: 00[CFG] loading ocsp signer certificates from 
'/etc/ipsec.d/ocspcerts'
Feb 13 02:06:57 eMAC charon: 00[CFG] loading attribute certificates from 
'/etc/ipsec.d/acerts'
Feb 13 02:06:57 eMAC charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 13 02:06:57 eMAC charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 13 02:06:57 eMAC charon: 00[CFG]   loaded RSA private key from 
'/etc/ipsec.d/private/sampleservershortKey.der'
Feb 13 02:06:57 eMAC charon: 00[CFG] sql plugin: database URI not set
Feb 13 02:06:57 eMAC charon: 00[LIB] plugin 'sql': failed to load - 
sql_plugin_create returned NULL
Feb 13 02:06:57 eMAC charon: 00[CFG] loaded 0 RADIUS server configurations
Feb 13 02:06:57 eMAC charon: 00[LIB] plugin 'medsrv' failed to load: 
/usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object file: 
No such file or directory
Feb 13 02:06:57 eMAC charon: 00[CFG] mediation client database URI not defined, 
skipped
Feb 13 02:06:57 eMAC charon: 00[LIB] plugin 'medcli': failed to load - 
medcli_plugin_create returned NULL
Feb 13 02:06:57 eMAC NetworkManager[983]: <info> VPN service 'strongswan' 
appeared; activating connections
Feb 13 02:06:57 eMAC charon: 00[CFG] HA config misses local/remote address
Feb 13 02:06:57 eMAC charon: 00[LIB] plugin 'ha': failed to load - 
ha_plugin_create returned NULL
Feb 13 02:06:57 eMAC charon: 00[DMN] loaded plugins: test-vectors curl ldap aes 
des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem 
openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink 
resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc 
eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc nm dhcp led addrblock 
Feb 13 02:06:57 eMAC charon: 00[JOB] spawning 16 worker threads
Feb 13 02:06:57 eMAC charon: 04[CFG] received stroke: add ca 'sample'
Feb 13 02:06:57 eMAC charon: 04[CFG] added ca 'sample'
Feb 13 02:06:57 eMAC charon: 09[CFG] received stroke: add connection 'rw'
Feb 13 02:06:57 eMAC charon: 09[CFG]   loaded certificate "C=US, O=Sample, 
CN=servershort.sample.org, [email protected]" from 
'sampleservershortCert.pem'
Feb 13 02:06:57 eMAC charon: 09[CFG]   id 'sampleservershortKey.der' not 
confirmed by certificate, defaulting to 'C=US, O=Sample, 
CN=servershort.sample.org, [email protected]'
Feb 13 02:06:57 eMAC charon: 09[CFG] added configuration 'rw'
Feb 13 02:07:09 eMAC charon: 13[NET] received packet: from 
192.168.55.136[44033] to 192.168.55.141[4500]
Feb 13 02:07:09 eMAC charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No 
N(NATD_S_IP) N(NATD_D_IP) ]
Feb 13 02:07:09 eMAC charon: 13[IKE] 192.168.55.136 is initiating an IKE_SA
Feb 13 02:07:10 eMAC charon: 13[IKE] remote host is behind NAT
Feb 13 02:07:10 eMAC charon: 13[IKE] sending cert request for "C=US, O=Sample, 
OU=Sample CA, CN=ca.sample.org, [email protected]"
Feb 13 02:07:10 eMAC charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE 
No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Feb 13 02:07:10 eMAC charon: 13[NET] sending packet: from 192.168.55.141[4500] 
to 192.168.55.136[44033]
Feb 13 02:07:10 eMAC charon: 14[NET] received packet: from 
192.168.55.136[44033] to 192.168.55.141[4500]
Feb 13 02:07:10 eMAC charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERT 
N(INIT_CONTACT) CERTREQ AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) 
N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Feb 13 02:07:10 eMAC charon: 14[IKE] received cert request for "C=US, O=Sample, 
OU=Sample CA, CN=ca.sample.org, [email protected]"
Feb 13 02:07:10 eMAC charon: 14[IKE] received 1 cert requests for an unknown ca
Feb 13 02:07:10 eMAC charon: 14[IKE] received end entity cert "C=US, O=Sample, 
CN=rw1.sample.org"
Feb 13 02:07:10 eMAC charon: 14[CFG] looking for peer configs matching 
192.168.55.141[%any]...192.168.55.136[C=US, O=Sample, CN=rw1.sample.org]
Feb 13 02:07:10 eMAC charon: 14[CFG] no matching peer config found
Feb 13 02:07:10 eMAC charon: 14[IKE] peer supports MOBIKE
Feb 13 02:07:10 eMAC charon: 14[ENC] generating IKE_AUTH response 1 [ 
N(AUTH_FAILED) ]
Feb 13 02:07:10 eMAC charon: 14[NET] sending packet: from 192.168.55.141[4500] 
to 192.168.55.136[44033]
Feb 13 02:07:59 eMAC charon: 10[NET] received packet: from 
192.168.55.136[57874] to 192.168.55.141[500]
Feb 13 02:07:59 eMAC charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No 
N(NATD_S_IP) N(NATD_D_IP) ]
Feb 13 02:07:59 eMAC charon: 10[IKE] 192.168.55.136 is initiating an IKE_SA
Feb 13 02:07:59 eMAC charon: 10[IKE] remote host is behind NAT
Feb 13 02:07:59 eMAC charon: 10[IKE] sending cert request for "C=US, O=Sample, 
OU=Sample CA, CN=ca.sample.org, [email protected]"
Feb 13 02:07:59 eMAC charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE 
No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Feb 13 02:07:59 eMAC charon: 10[NET] sending packet: from 192.168.55.141[500] 
to 192.168.55.136[57874]
Feb 13 02:08:00 eMAC charon: 04[NET] received packet: from 
192.168.55.136[49909] to 192.168.55.141[4500]
Feb 13 02:08:00 eMAC charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi CERT 
N(INIT_CONTACT) CERTREQ AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) 
N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Feb 13 02:08:00 eMAC charon: 04[IKE] received cert request for "C=US, O=Sample, 
OU=Sample CA, CN=ca.sample.org, [email protected]"
Feb 13 02:08:00 eMAC charon: 04[IKE] received 1 cert requests for an unknown ca
Feb 13 02:08:00 eMAC charon: 04[IKE] received end entity cert "C=US, O=Sample, 
CN=rw1.sample.org"
Feb 13 02:08:00 eMAC charon: 04[CFG] looking for peer configs matching 
192.168.55.141[%any]...192.168.55.136[C=US, O=Sample, CN=rw1.sample.org]
Feb 13 02:08:00 eMAC charon: 04[CFG] no matching peer config found
Feb 13 02:08:00 eMAC charon: 04[IKE] peer supports MOBIKE
Feb 13 02:08:00 eMAC charon: 04[ENC] generating IKE_AUTH response 1 [ 
N(AUTH_FAILED) ]
Feb 13 02:08:00 eMAC charon: 04[NET] sending packet: from 192.168.55.141[4500] 
to 192.168.55.136[49909]
----------------------------------------------------------------------------

log from strongswan vpn client
Feb 13 04:11:11 00[DMN] Starting IKE charon daemon (strongSwan 5.0.2dr4, Linux 
3.0.31-381038, armv7l)
Feb 13 04:11:11 00[DMN] loaded plugins: androidbridge charon android-log 
openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-default 
eap-identity eap-mschapv2 eap-md5 eap-gtc
Feb 13 04:11:11 00[JOB] spawning 16 worker threads
Feb 13 04:11:11 09[CFG] loaded user certificate 'C=US, O=Sample, 
CN=rw1.sample.org' and private key
Feb 13 04:11:11 09[CFG] loaded CA certificate 'C=US, O=Sample, OU=Sample CA, 
CN=ca.sample.org, [email protected]'
Feb 13 04:11:11 09[IKE] initiating IKE_SA android[125] to 192.168.55.141
Feb 13 04:11:11 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No 
N(NATD_S_IP) N(NATD_D_IP) ]
Feb 13 04:11:11 09[NET] sending packet: from 192.168.55.136[41834] to 
192.168.55.141[500]
Feb 13 04:11:12 12[NET] received packet: from 192.168.55.141[500] to 
192.168.55.136[41834]
Feb 13 04:11:12 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) 
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Feb 13 04:11:12 12[IKE] faking NAT situation to enforce UDP encapsulation
Feb 13 04:11:12 12[IKE] received cert request for "C=US, O=Sample, OU=Sample 
CA, CN=ca.sample.org, [email protected]"
Feb 13 04:11:12 12[IKE] sending cert request for "C=US, O=Sample, OU=Sample CA, 
CN=ca.sample.org, [email protected]"
Feb 13 04:11:12 12[IKE] sending cert request for "C=US, O=Sample, OU=Sample CA, 
CN=ca.sample.org, [email protected]"
Feb 13 04:11:12 12[IKE] authentication of 'C=US, O=Sample, CN=rw1.sample.org' 
(myself) with RSA signature successful
Feb 13 04:11:12 12[IKE] sending end entity cert "C=US, O=Sample, 
CN=rw1.sample.org"
Feb 13 04:11:12 12[IKE] establishing CHILD_SA android
Feb 13 04:11:12 12[ENC] generating IKE_AUTH request 1 [ IDi CERT 
N(INIT_CONTACT) CERTREQ AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) 
N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Feb 13 04:11:12 12[NET] sending packet: from 192.168.55.136[58769] to 
192.168.55.141[4500]
Feb 13 04:11:12 13[NET] received packet: from 192.168.55.141[4500] to 
192.168.55.136[58769]
Feb 13 04:11:12 13[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Feb 13 04:11:12 13[IKE] received AUTHENTICATION_FAILED notify error
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
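Added example (my own Python, not strongSwan code and not part of the original post): it rebuilds the captured DHCP Discover from the hex dump above, extracts option 61 and decodes the DER Distinguished Name it carries, so you can see exactly which identity the DHCP server was asked to match. The "kind" labels and the colon-separated hex rendering are my own conventions; the hardware-address and plain-text branches cover the other Client Identifier forms a DHCP server commonly sees.

```python
"""Decode DHCP option 61 (Client Identifier) from the captured DHCP Discover."""
import struct

# Bytes copied from the Wireshark hex dump in the post; the all-zero sname/file
# fields and the Ethernet padding are generated rather than typed out.
_DER_DN_HEX = (
    "3037"                                   # SEQUENCE, 55 bytes of RDNs
    "310b3009060355040613025553"             # C=US     (PrintableString)
    "310f300d060355040a0c0653616d706c65"     # O=Sample (UTF8String)
    "3117301506035504030c0e7277312e73616d706c652e6f7267"  # CN=rw1.sample.org
)
CAPTURE = (
    bytes.fromhex("00123f571f3a000bab4b07c70800")                      # Ethernet II
    + bytes.fromhex("450001880000400040112101" "0a310202" "0a310201")  # IPv4
    + bytes.fromhex("004400430174abc7")                                # UDP 68 -> 67
    + bytes.fromhex("01010600a75ec47a00000000")                        # op .. flags
    + bytes(12) + bytes.fromhex("0a310202")                            # ciaddr .. giaddr
    + bytes.fromhex("7aa7ba7f91a5") + bytes(10)                        # chaddr
    + bytes(64) + bytes(128)                                           # sname, file
    + bytes.fromhex("63825363" "350101" "3d39") + bytes.fromhex(_DER_DN_HEX)
    + bytes.fromhex("3702062c" "ff")                                   # opt 55, End
)
CAPTURE += bytes(406 - len(CAPTURE))   # pad to the 406 bytes Wireshark captured

_OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
              "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "E"}


def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid_to_str(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                  # base-128 sub-identifiers
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_der_name(der):
    """Render an X.501 Name the way strongSwan prints it: 'C=US, O=Sample, CN=...'."""
    tag, seq, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = _tlv(seq, pos)                   # each RDN is a SET
        _, atv, _ = _tlv(rdn, 0)                       # one AttributeTypeAndValue per RDN
        _, oid, p = _tlv(atv, 0)
        _, value, _ = _tlv(atv, p)                     # Printable/IA5/UTF8String decode as UTF-8
        name = _OID_NAMES.get(_oid_to_str(oid), _oid_to_str(oid))
        parts.append(f"{name}={value.decode()}")
    return ", ".join(parts)


def parse_bootp(payload):
    """Split a BOOTP/DHCP message into a few fixed fields and a {code: bytes} option map."""
    if len(payload) < 240 or payload[236:240] != b"\x63\x82\x53\x63":
        raise ValueError("missing DHCP magic cookie")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    fields = {"op": op, "xid": xid,
              "giaddr": ".".join(str(b) for b in payload[24:28]),
              "chaddr": ":".join(f"{b:02x}" for b in payload[28:28 + hlen])}
    options, pos = {}, 240
    while pos < len(payload) and payload[pos] != 255:   # 255 = End
        if payload[pos] == 0:                            # 0 = Pad
            pos += 1
            continue
        code, length = payload[pos], payload[pos + 1]
        options[code] = payload[pos + 2:pos + 2 + length]
        pos += 2 + length
    return fields, options


def describe_client_id(raw):
    """Classify option 61 and render it both decoded and as the raw bytes a server sees."""
    colon_hex = ":".join(f"{b:02x}" for b in raw)
    if raw and raw[0] == 0x30:                           # DER SEQUENCE: an ASN.1 DN
        return {"kind": "der-dn", "text": decode_der_name(raw), "hex": colon_hex}
    if len(raw) == 7 and raw[0] == 0x01:                 # htype 1 + MAC (RFC 2132 default)
        return {"kind": "hardware", "text": colon_hex[3:], "hex": colon_hex}
    if raw and raw.isascii() and raw.decode().isprintable():   # plain FQDN / e-mail
        return {"kind": "text", "text": raw.decode(), "hex": colon_hex}
    return {"kind": "opaque", "text": None, "hex": colon_hex}


def analyze_frame(frame):
    """Strip Ethernet/IPv4/UDP headers and report which identity the DHCP request carried."""
    ihl = (frame[14] & 0x0F) * 4
    udp_len = struct.unpack("!H", frame[14 + ihl + 4:14 + ihl + 6])[0]
    start = 14 + ihl + 8
    fields, options = parse_bootp(frame[start:start + udp_len - 8])
    report = dict(fields, message_type=options.get(53, b"")[:1])
    report["client_id"] = describe_client_id(options.get(61, b""))
    return report


if __name__ == "__main__":
    print(analyze_frame(CAPTURE))
```

Run it and the client_id entry reads kind "der-dn", text "C=US, O=Sample, CN=rw1.sample.org": the 57-byte option is the DER subject DN, not the FQDN, which is why a lease file keyed on "rw1.sample.org" never matches.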