Hi,

I'm currently working on a prototype VPN setup which aims to connect a large number of iPads to our company network. My goal is to connect the iPads via the built-in Cisco-compatible IPsec client with authby=rsasig, without XAuth. The main reason for not using XAuth is that the devices are centrally managed by an MDM system which allows us to configure the VPN profile and certificates. We don't want our users to enter a password on every connect, and as far as I know Apple doesn't allow preconfiguring user/pass for XAuth. Using a PSK isn't a solution for us due to the large number of devices.

When I activate XAuth as described in the following wiki article, the connection works:
http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)

But if I change authby to rsasig, it seems as if the client still tries to enforce XAuth:

    12[NET] received packet: from a.b.c.d[4500] to e.f.g.h[4500] (2092 bytes)
    12[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
    12[IKE] ignoring certificate request without data
    12[IKE] received end entity cert "***del*** [email protected]"
    12[CFG] looking for XAuthInitRSA peer configs matching e.f.g.h...a.b.c.d[***del*** [email protected]]
    12[IKE] no peer config found
    12[ENC] generating INFORMATIONAL_V1 request 2873723852 [ HASH N(AUTH_FAILED) ]
    12[NET] sending packet: from e.f.g.h[4500] to a.b.c.d[4500] (92 bytes)

What do I have to do to force both sides to use rsasig only? Do I have to set up something in ipsec.secrets besides the ": RSA server key" entry?

System configuration: CentOS 6.3, strongSwan 5.0.2 with the unity plugin enabled (cisco_unity = yes) for split tunneling:

    ./configure --prefix=/usr --sysconfdir=/etc --enable-curl --enable-ldap --enable-sqlite --enable-sql --enable-eap-radius --enable-xauth-eap --enable-attr-sql --enable-dhcp --enable-openssl --enable-unity --enable-ha --enable-lookip

ipsec.conf:

    config setup

    conn ipads
        keyexchange=ikev1
        authby=rsasig
        left=e.f.g.h
        leftsubnet="10.16.0.0/12, 10.116.0.0/16"
        leftcert=server.pem
        leftca="DC=org, DC=example, CN=myca"
        right=%any
        rightsubnet=10.21.248.0/22
        rightdns="10.17.0.1, 10.17.0.2"
        rightsourceip=10.21.248.0/22
        rightca="DC=org, DC=example, CN=myca"
        auto=add

I have a second issue which is not clear to me. Using authby=xauthrsasig, charon tries to get the CRL from our AD-integrated CA and fails:

    01[CFG] checking certificate status of "***del*** [email protected]"
    01[CFG] fetching crl from 'http://cert.example.org/CertEnroll/myca.crl' ...
    01[CFG] using trusted certificate "DC=org, DC=example, CN=myca"
    01[CFG] crl response verification failed
    01[CFG] fetching crl from 'http://cert.example.org/CertEnroll/myca.crl' ...
    01[CFG] using trusted certificate "DC=org, DC=example, CN=myca"
    01[CFG] crl response verification failed
    01[CFG] fetching crl from 'ldap:///CN=myca,CN=ad-dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=org?certificateRevocationList?base?objectClass=cRLDistributionPoint' ...
    14[MGR] ignoring request with ID 0, already processing
    12[MGR] ignoring request with ID 0, already processing
    13[MGR] ignoring request with ID 0, already processing
    01[LIB] LDAP bind to 'ldap:///CN=myca,CN=ad-dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=org?certificateRevocationList?base?objectClass=cRLDistributionPoint' failed: Can't contact LDAP server
    01[CFG] crl fetching failed
    01[CFG] certificate status is not available

The error on fetching the LDAP CRL might be due to the fact that our AD doesn't allow anonymous binding. But why does the download from the HTTP cert services (MS AD-integrated CA) fail? When using wget on the same box without any credentials, the download works fine. Using tcpdump during the fetch process shows that the HTTP response contains a status code of 200.

Hope you can help me!

Best regards
Daniel

Visit WAREMA at ISH 2013 in Frankfurt, 12.03. - 16.03.2013, Hall 10.3, Stand A79
http://www.warema.de

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
