Oh strange, I received this mail privately but not via the mailing list.

On Monday, 18 March 2013, 12:16:22 you wrote:
> Hi Michael,
>
> Your conn section is not loaded by the daemon.
>
> The reason is the comment here (also applies to the second comment in
> your config):
>
> > conn ios
> >         keyexchange=ikev1
> > #        authby=xauthrsasig
> > ...
>
> Comments in ipsec.conf have to be indented the same way as the options.
> That is, the above should look something like this:
>
> > conn ios
> >         keyexchange=ikev1
> >         # authby=xauthrsasig

Thank you, I tried that:
conn ios
        keyexchange=ikev1
        # authby=xauthrsasig
        xauth=server
        left=212.69.162.156
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=serverCert.pem
        leftauth=pubkey
        leftauth2=xauth
        right=%any
        rightsubnet=10.0.0.0/24
        rightsourceip=10.0.0.2
        rightcert=zmiPadCert.pem
        rightid="C=AT, O=Proteger, CN=*"
        compress=no
        auto=add
        # pfs=no

Still no sign that it gets loaded...

Mar 19 11:26:59 sharepoint1 charon: 00[DMN] Starting IKE charon daemon 
(strongSwan 5.0.2, Linux 3.8.2-zmi, x86_64)
Mar 19 11:26:59 sharepoint1 charon: 00[LIB] no RDRAND support on AuthenticAMD 
CPU, disabled
Mar 19 11:26:59 sharepoint1 charon: 00[CFG] HA config misses local/remote 
address
Mar 19 11:26:59 sharepoint1 charon: 00[LIB] plugin 'ha': failed to load - 
ha_plugin_create returned NULL
Mar 19 11:26:59 sharepoint1 charon: 00[CFG] loading ca certificates from 
'/usr/etc/ipsec.d/cacerts'
Mar 19 11:26:59 sharepoint1 charon: 00[CFG] loading aa certificates from 
'/usr/etc/ipsec.d/aacerts'
Mar 19 11:26:59 sharepoint1 charon: 00[CFG] loading ocsp signer certificates 
from '/usr/etc/ipsec.d/ocspcerts'
Mar 19 11:26:59 sharepoint1 charon: 00[CFG] loading attribute certificates from 
'/usr/etc/ipsec.d/acerts'
Mar 19 11:26:59 sharepoint1 charon: 00[CFG] loading crls from 
'/usr/etc/ipsec.d/crls'
Mar 19 11:26:59 sharepoint1 charon: 00[CFG] loading secrets from 
'/usr/etc/ipsec.secrets'
Mar 19 11:26:59 sharepoint1 charon: 00[CFG]   loaded RSA private key from 
'/usr/etc/ipsec.d/private/myKey.der'
Mar 19 11:26:59 sharepoint1 charon: 00[DMN] loaded plugins: charon aes des 
blowfish sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints 
pubkey pkcs1 pkcs8 pgp dnskey pem openssl af-alg fips-prf gmp xcbc cmac hmac 
attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default stroke smp 
updown eap-md5 eap-mschapv2 eap-tls xauth-generic xauth-eap xauth-pam whitelist
lookip certexpire unity
Mar 19 11:26:59 sharepoint1 charon: 00[JOB] spawning 16 worker threads
Mar 19 11:26:59 sharepoint1 ipsec_starter[8838]: charon (8841) started after 
120 ms

Oh, I just see that sysconfdir is /usr/etc, fixing that...
Looks good now, but still doesn't work:

Mar 19 11:38:19 sharepoint1 charon: 04[ENC] parsed ID_PROT request 0 [ SA V V V 
V V V V V V V V V V V ]
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received NAT-T (RFC 3947) vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike 
vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received 
draft-ietf-ipsec-nat-t-ike-08 vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received 
draft-ietf-ipsec-nat-t-ike-07 vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received 
draft-ietf-ipsec-nat-t-ike-06 vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received 
draft-ietf-ipsec-nat-t-ike-05 vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received 
draft-ietf-ipsec-nat-t-ike-04 vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received 
draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received 
draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received 
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received XAuth vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received Cisco Unity vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received FRAGMENTATION vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] received DPD vendor ID
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] 81.217.108.227 is initiating a Main 
Mode IKE_SA
Mar 19 11:38:19 sharepoint1 charon: 04[IKE] 81.217.108.227 is initiating a Main 
Mode IKE_SA
Mar 19 11:38:19 sharepoint1 charon: 04[ENC] generating ID_PROT response 0 [ SA 
V V V ]
Mar 19 11:38:19 sharepoint1 charon: 04[NET] sending packet: from 
212.69.162.156[500] to 81.217.108.227[500] (136 bytes)
Mar 19 11:38:20 sharepoint1 charon: 03[NET] received packet: from 
81.217.108.227[500] to 212.69.162.156[500] (292 bytes)
Mar 19 11:38:20 sharepoint1 charon: 03[ENC] parsed ID_PROT request 0 [ KE No 
NAT-D NAT-D ]
Mar 19 11:38:20 sharepoint1 charon: 03[IKE] remote host is behind NAT
Mar 19 11:38:20 sharepoint1 charon: 03[IKE] sending cert request for "C=AT, 
O=Proteger, CN=Proteger"
Mar 19 11:38:20 sharepoint1 charon: 03[ENC] generating ID_PROT response 0 [ KE 
No CERTREQ NAT-D NAT-D ]
Mar 19 11:38:20 sharepoint1 charon: 03[NET] sending packet: from 
212.69.162.156[500] to 81.217.108.227[500] (366 bytes)
Mar 19 11:38:21 sharepoint1 charon: 02[NET] received packet: from 
81.217.108.227[4500] to 212.69.162.156[4500] (1180 bytes)
Mar 19 11:38:21 sharepoint1 charon: 02[ENC] parsed ID_PROT request 0 [ ID CERT 
SIG CERTREQ N(INITIAL_CONTACT) ]
Mar 19 11:38:21 sharepoint1 charon: 02[IKE] ignoring certificate request 
without data
Mar 19 11:38:21 sharepoint1 charon: 02[IKE] received end entity cert "C=AT, 
O=Proteger, CN=iPad_ZMI"
Mar 19 11:38:21 sharepoint1 charon: 02[CFG] looking for XAuthInitRSA peer 
configs matching 212.69.162.156...81.217.108.227[C=AT, O=Proteger, CN=iPad_ZMI]
Mar 19 11:38:21 sharepoint1 charon: 02[IKE] no peer config found
Mar 19 11:38:21 sharepoint1 charon: 02[ENC] generating INFORMATIONAL_V1 request 
3956128409 [ HASH N(AUTH_FAILED) ]
Mar 19 11:38:21 sharepoint1 charon: 02[NET] sending packet: from 
212.69.162.156[4500] to 81.217.108.227[4500] (92 bytes)

Trying to go back to what the wiki says:
conn ios
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=serverCert.pem
        leftauth=pubkey
        leftauth2=xauth
        right=%any
        rightsubnet=10.0.0.0/24
        rightsourceip=10.0.0.2
        rightcert=zmiPadCert.pem
        #rightid="C=AT, O=Proteger, CN=*"
        #compress=no
        auto=add
        # pfs=no

and now I am on kernel 3.8.4, it makes this:

Apr  7 15:35:52 sharepoint1 ipsec_starter[6740]: Starting strongSwan 5.0.2 
IPsec [starter]...
Apr  7 15:35:52 sharepoint1 ipsec_starter[6740]: # deprecated keyword 
'nat_traversal' in config setup
Apr  7 15:35:52 sharepoint1 ipsec_starter[6740]: # deprecated keyword 
'charonstart' in config setup
Apr  7 15:35:52 sharepoint1 ipsec_starter[6740]: ### 2 parsing errors (0 fatal) 
###
Apr  7 15:35:52 sharepoint1 kernel: NET: Registered protocol family 15
Apr  7 15:35:52 sharepoint1 kernel: Initializing XFRM netlink socket
Apr  7 15:35:52 sharepoint1 charon: 00[DMN] Starting IKE charon daemon 
(strongSwan 5.0.2, Linux 3.8.4-zmi, x86_64)
Apr  7 15:35:52 sharepoint1 charon: 00[LIB] no RDRAND support on AuthenticAMD 
CPU, disabled
Apr  7 15:35:52 sharepoint1 kernel: NET: Registered protocol family 38
Apr  7 15:35:52 sharepoint1 kernel: sha1_ssse3: Neither AVX nor SSSE3 is 
available/usable.
Apr  7 15:35:52 sharepoint1 kernel: AVX instructions are not detected.
Apr  7 15:35:52 sharepoint1 kernel: AVX instructions are not detected.
Apr  7 15:35:52 sharepoint1 kernel: AVX instructions are not detected.
Apr  7 15:35:52 sharepoint1 charon: 00[CFG] HA config misses local/remote 
address
Apr  7 15:35:52 sharepoint1 charon: 00[LIB] plugin 'ha': failed to load - 
ha_plugin_create returned NULL
Apr  7 15:35:53 sharepoint1 charon: 00[CFG] loading ca certificates from 
'/etc/ipsec.d/cacerts'
Apr  7 15:35:53 sharepoint1 charon: 00[CFG]   loaded ca certificate "C=AT, 
O=Proteger, CN=Proteger" from '/etc/ipsec.d/cacerts/caCert.pem'
Apr  7 15:35:53 sharepoint1 charon: 00[CFG] loading aa certificates from 
'/etc/ipsec.d/aacerts'
Apr  7 15:35:53 sharepoint1 charon: 00[CFG] loading ocsp signer certificates 
from '/etc/ipsec.d/ocspcerts'
Apr  7 15:35:53 sharepoint1 charon: 00[CFG] loading attribute certificates from 
'/etc/ipsec.d/acerts'
Apr  7 15:35:53 sharepoint1 charon: 00[CFG] loading crls from 
'/etc/ipsec.d/crls'
Apr  7 15:35:53 sharepoint1 charon: 00[CFG] loading secrets from 
'/etc/ipsec.secrets'
Apr  7 15:35:53 sharepoint1 charon: 00[CFG]   loaded RSA private key from 
'/etc/ipsec.d/private/serverKey.pem'
Apr  7 15:35:53 sharepoint1 charon: 00[CFG]   loaded EAP secret for zmi
Apr  7 15:35:53 sharepoint1 charon: 00[DMN] loaded plugins: charon aes des 
blowfish sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints 
pubkey pkcs1 pkcs8 pgp dnskey pem openssl af-alg fips-prf gmp xcbc cmac hmac 
attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default stroke smp
updown eap-md5 eap-mschapv2 eap-tls xauth-generic xauth-eap xauth-pam whitelist
lookip certexpire unity
Apr  7 15:35:53 sharepoint1 charon: 00[JOB] spawning 16 worker threads
Apr  7 15:35:53 sharepoint1 ipsec_starter[6751]: charon (6752) started after 
420 ms
Apr  7 15:35:53 sharepoint1 charon: 15[CFG] received stroke: add connection 
'ios'
Apr  7 15:35:53 sharepoint1 charon: 15[CFG] left nor right host is our side, 
assuming left=local
Apr  7 15:35:53 sharepoint1 charon: 15[CFG] adding virtual IP address pool 
10.0.0.2
Apr  7 15:35:53 sharepoint1 charon: 15[CFG]   loaded certificate "C=AT, 
O=Proteger, CN=sharepoint1.zmi.at" from 'serverCert.pem'
Apr  7 15:35:53 sharepoint1 charon: 15[CFG]   id '%any' not confirmed by 
certificate, defaulting to 'C=AT, O=Proteger, CN=sharepoint1.zmi.at'
Apr  7 15:35:53 sharepoint1 charon: 15[CFG]   loaded certificate "C=AT, 
O=Proteger, CN=iPad_ZMI" from 'zmiPadCert.pem'
Apr  7 15:35:53 sharepoint1 charon: 15[CFG]   id '%any' not confirmed by 
certificate, defaulting to 'C=AT, O=Proteger, CN=iPad_ZMI'
Apr  7 15:35:53 sharepoint1 charon: 15[CFG] added configuration 'ios'
Apr  7 15:37:43 sharepoint1 charon: 16[NET] received packet: from 
81.217.108.227[500] to 212.69.162.156[500] (668 bytes)
Apr  7 15:37:43 sharepoint1 charon: 16[ENC] parsed ID_PROT request 0 [ SA V V V 
V V V V V V V V V V V ]
Apr  7 15:37:43 sharepoint1 charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
Apr  7 15:37:43 sharepoint1 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike 
vendor ID
Apr  7 15:37:43 sharepoint1 charon: 16[IKE] received 
draft-ietf-ipsec-nat-t-ike-08 vendor ID
Apr  7 15:37:43 sharepoint1 charon: 16[IKE] received 
draft-ietf-ipsec-nat-t-ike-07 vendor ID
Apr  7 15:37:43 sharepoint1 charon: 16[IKE] received 
draft-ietf-ipsec-nat-t-ike-06 vendor ID
Apr  7 15:37:43 sharepoint1 charon: 16[IKE] received 
draft-ietf-ipsec-nat-t-ike-05 vendor ID
Apr  7 15:37:43 sharepoint1 charon: 16[IKE] received 
draft-ietf-ipsec-nat-t-ike-04 vendor ID
Apr  7 15:37:43 sharepoint1 charon: 16[IKE] received 
draft-ietf-ipsec-nat-t-ike-03 vendor ID
Apr  7 15:37:43 sharepoint1 charon: 16[IKE] received 
draft-ietf-ipsec-nat-t-ike-02 vendor ID
Apr  7 15:37:43 sharepoint1 charon: 16[IKE] received 
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr  7 15:37:43 sharepoint1 charon: 16[IKE] received XAuth vendor ID
Apr  7 15:37:43 sharepoint1 charon: 16[IKE] received Cisco Unity vendor ID
Apr  7 15:37:43 sharepoint1 charon: 16[IKE] received FRAGMENTATION vendor ID
Apr  7 15:37:43 sharepoint1 charon: 16[IKE] received DPD vendor ID
Apr  7 15:37:43 sharepoint1 charon: 16[IKE] 81.217.108.227 is initiating a Main 
Mode IKE_SA
Apr  7 15:37:43 sharepoint1 charon: 16[IKE] 81.217.108.227 is initiating a Main 
Mode IKE_SA
Apr  7 15:37:43 sharepoint1 charon: 16[ENC] generating ID_PROT response 0 [ SA 
V V V ]
Apr  7 15:37:43 sharepoint1 charon: 16[NET] sending packet: from 
212.69.162.156[500] to 81.217.108.227[500] (136 bytes)
Apr  7 15:37:43 sharepoint1 charon: 03[NET] received packet: from 
81.217.108.227[500] to 212.69.162.156[500] (292 bytes)
Apr  7 15:37:43 sharepoint1 charon: 03[ENC] parsed ID_PROT request 0 [ KE No 
NAT-D NAT-D ]
Apr  7 15:37:43 sharepoint1 charon: 03[IKE] remote host is behind NAT
Apr  7 15:37:43 sharepoint1 charon: 03[IKE] sending cert request for "C=AT, 
O=Proteger, CN=Proteger"
Apr  7 15:37:43 sharepoint1 charon: 03[ENC] generating ID_PROT response 0 [ KE 
No CERTREQ NAT-D NAT-D ]
Apr  7 15:37:43 sharepoint1 charon: 03[NET] sending packet: from 
212.69.162.156[500] to 81.217.108.227[500] (366 bytes)
Apr  7 15:37:44 sharepoint1 charon: 02[NET] received packet: from 
81.217.108.227[4500] to 212.69.162.156[4500] (1180 bytes)
Apr  7 15:37:44 sharepoint1 charon: 02[ENC] parsed ID_PROT request 0 [ ID CERT 
SIG CERTREQ N(INITIAL_CONTACT) ]
Apr  7 15:37:44 sharepoint1 charon: 02[IKE] ignoring certificate request 
without data
Apr  7 15:37:44 sharepoint1 charon: 02[IKE] received end entity cert "C=AT, 
O=Proteger, CN=iPad_ZMI"
Apr  7 15:37:44 sharepoint1 charon: 02[CFG] looking for XAuthInitRSA peer 
configs matching 212.69.162.156...81.217.108.227[C=AT, O=Proteger, CN=iPad_ZMI]
Apr  7 15:37:44 sharepoint1 charon: 02[IKE] no peer config found
Apr  7 15:37:44 sharepoint1 charon: 02[ENC] generating INFORMATIONAL_V1 request 
1267733536 [ HASH N(AUTH_FAILED) ]
Apr  7 15:37:44 sharepoint1 charon: 02[NET] sending packet: from 
212.69.162.156[4500] to 81.217.108.227[4500] (92 bytes)

What is the problem now?

--
Best regards,
Michael Monnerie, Ing. BSc | Tel: +43 660 415 6531

XING: https://www.xing.com/profile/Michael_Monnerie
Facebook: https://www.facebook.com/michael.monnerie
Twitter: @MichaelMonnerie https://twitter.com/MichaelMonnerie
LinkedIn: http://lnkd.in/uGx6ug
Google+: https://plus.google.com/u/0/100598203632716687928/

Protéger.at Internet Services Austria [pronounced: Prot-e-schee]
http://protéger.at | http://proteger.at
Facebook: https://www.facebook.com/protegerat
Member of the it-management network http://it-management.at
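
Added example, not part of the original mail and not strongSwan code: a small pre-flight check for the rule stated in the quoted reply, that a comment inside a conn section of ipsec.conf must be indented like the options. The function name, the constructed sample config and the choice to flag a column-0 comment only when an indented option follows it are assumptions of this example.

```python
import re

# Section headers start in column 0: "conn <name>", "ca <name>", "config setup".
HEADER = re.compile(r"^(conn|ca|config)\s+(\S+)\s*$")
OPTION = re.compile(r"^[A-Za-z0-9_]+\s*=")

def lint_ipsec_conf(text):
    """Return (line_no, section, message) findings for an ipsec.conf text."""
    findings = []
    section = None   # section currently open, e.g. "conn ios"
    pending = None   # line number of a column-0 comment seen inside it
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = HEADER.match(line)
        if m:
            section, pending = f"{m.group(1)} {m.group(2)}", None
        elif line[0] == "#":
            # Harmless between sections; suspicious if options follow it.
            if section and pending is None:
                pending = no
        elif line[0] in " \t":
            body = line.strip()
            if section is None or body.startswith("#"):
                continue  # indented comment, or stray line outside a section
            if pending is not None:
                findings.append((pending, section,
                                 f"unindented comment before option on line {no}"))
                pending = None
            if not OPTION.match(body):
                findings.append((no, section, f"not key=value: {body!r}"))
        else:
            section, pending = None, None  # e.g. an "include" line
    return findings

# Constructed sample modelled on the config in this thread.
BAD = """\
config setup

conn ios
        keyexchange=ikev1
#        authby=xauthrsasig
        xauth=server
        right=%any
#        pfs=no
        auto=add
"""
GOOD = BAD.replace("\n#        ", "\n        # ")

if __name__ == "__main__":
    for finding in lint_ipsec_conf(BAD):
        print(finding)
```
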
