Hi,

I'm not experienced in kernel modification. What do I have to do to get IPsec stacks loaded into the kernel?

The server.key has been created including

    extendedKeyUsage = serverAuth
    subjectAltName = DNS:THE FQDN OF THE SERVER
    authorityKeyIdentifier = keyid

Thanks for your help!

Andy

> -----Original Message-----
> From: Andreas Steffen [mailto:[email protected]]
> Sent: Sunday, 19 October 2014 11:23
> To: raceface; [email protected]
> Subject: Re: [strongSwan] Problems connecting to Strongswan with WP8.1
>
> Hi,
>
> It seems that Ubuntu 12.04 is running on an old 2.6.32 kernel
> instead of the standard 3.2 kernel, but most of the IPsec
> features in the kernel should work.
>
> But much worse is that the ipsec starter does not detect
> an IPsec stack in the kernel at all:
>
> > no netkey IPsec stack detected
> > no KLIPS IPsec stack detected
> > no known IPsec stack detected, ignoring!
>
> Thus it is not surprising that no IPsec policies can be installed:
>
> > 00[KNL] unable to set IPSEC_POLICY on socket: Operation not permitted
> > 00[NET] installing IKE bypass policy failed
>
> Thus try to fix your kernel installation, otherwise no IPsec tunnel is
> going to be installed.
>
> On the IKEv2 side, the negotiation stops with the message
>
> > 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> > 11[NET] sending packet: from the real IP[4500] to 80.187.107.73[2869] (908 bytes)
>
> Most probably the Windows 8.1 client does not accept the strongSwan
> VPN gateway certificate. Is the FQDN contained as a subjectAltName
> in the server certificate? And is the "serverAuth" Extended Key Usage
> flag set in the certificate, which is another mandatory requirement?
>
> Best regards
>
> Andreas
>
> On 10/18/2014 10:56 PM, raceface wrote:
> > Hi,
> >
> > I am stuck in getting a connection from a Windows Phone 8.1 to
> > strongswan 5.2.0 on a Ubuntu 12.04.
> >
> > Here's my ipsec.conf
> >
> >     config setup
> >         uniqueids=never
> >         # charondebug="cfg -1, dmn 11, ike -1, net -1"
> >
> >     conn myVPN
> >         left=%any
> >         leftsubnet=0.0.0.0/0
> >         leftid=@took out the FQDN
> >         lefthostaccess=yes
> >         leftfirewall=yes
> >         leftcert=server.crt
> >         ike=aes256-sha1-modp1024!
> >         esp=aes256-sha1!
> >         rekey=no
> >         keyexchange=ikev2
> >         ikelifetime=8h
> >         keylife=1h
> >         right=%any
> >         rightsourceip=192.168.188.50
> >         rightauth=eap-mschapv2
> >         compress=yes
> >         dpdaction=clear
> >         dpddelay=300s
> >         rightsendcert=never
> >         eap_identity=%any
> >         auto=add
> >
> > And this is the nofork output
> >
> >     Starting strongSwan 5.2.0 IPsec [starter]...
> >     no netkey IPsec stack detected
> >     no KLIPS IPsec stack detected
> >     no known IPsec stack detected, ignoring!
> >     00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-042stab092.3, i686)
> >     00[KNL] unable to set IPSEC_POLICY on socket: Operation not permitted
> >     00[NET] installing IKE bypass policy failed
> >     00[KNL] unable to set IPSEC_POLICY on socket: Operation not permitted
> >     00[NET] installing IKE bypass policy failed
> >     00[KNL] unable to set IPSEC_POLICY on socket: Invalid argument
> >     00[NET] installing IKE bypass policy failed
> >     00[KNL] unable to set IPSEC_POLICY on socket: Invalid argument
> >     00[NET] installing IKE bypass policy failed
> >     00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> >     00[CFG] loaded ca certificate "C=DE, ST=Some-State, O=Andreas Seiler, CN=took out the FQDN" from '/etc/ipsec.d/cacerts/ca.crt'
> >     00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> >     00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> >     00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> >     00[CFG] loading crls from '/etc/ipsec.d/crls'
> >     00[CFG] loading secrets from '/etc/ipsec.secrets'
> >     00[CFG] loaded RSA private key from '/etc/ipsec.d/private/server.key'
> >     00[CFG] loaded EAP secret for phone
> >     00[LIB] loaded plugins: charon curl pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2 eap-tls eap-ttls xauth-generic
> >     00[LIB] unable to load 3 plugin features (3 due to unmet dependencies)
> >     00[JOB] spawning 16 worker threads
> >     charon (22973) started after 20 ms
> >     08[CFG] received stroke: add connection 'myVPN'
> >     08[CFG] left nor right host is our side, assuming left=local
> >     08[CFG] adding virtual IP address pool 192.168.188.50
> >     08[CFG] loaded certificate "C=DE, ST=Some-State, O=Andreas Seiler, CN=took out the FQDN" from 'server.crt'
> >     08[CFG] added configuration 'myVPN'
> >     10[NET] received packet: from 80.187.107.73[500] to the real IP[500] (616 bytes)
> >     10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> >     10[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
> >     10[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
> >     10[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
> >     10[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> >     10[IKE] 80.187.107.73 is initiating an IKE_SA
> >     10[IKE] remote host is behind NAT
> >     10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> >     10[NET] sending packet: from the real IP[500] to 80.187.107.73[500] (312 bytes)
> >     11[NET] received packet: from 80.187.107.73[2869] to the real IP[4500] (1324 bytes)
> >     11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
> >     11[IKE] received cert request for "C=DE, ST=Some-State, O=Andreas Seiler, CN=took out the FQDN"
> >     11[IKE] received 48 cert requests for an unknown ca
> >     11[CFG] looking for peer configs matching the real IP[%any]...80.187.107.73[10.69.240.130]
> >     11[CFG] selected peer config 'myVPN'
> >     11[IKE] initiating EAP_IDENTITY method (id 0x00)
> >     11[IKE] peer supports MOBIKE
> >     11[IKE] authentication of 'took out the FQDN' (myself) with RSA signature successful
> >     11[IKE] sending end entity cert "C=DE, ST=Some-State, O=Andreas Seiler, CN=took out the FQDN"
> >     11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> >     11[NET] sending packet: from the real IP[4500] to 80.187.107.73[2869] (908 bytes)
> >     12[NET] received packet: from 80.187.107.73[500] to the real IP[500] (616 bytes)
> >     12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> >     12[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
> >     12[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
> >     12[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
> >     12[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> >     12[IKE] 80.187.107.73 is initiating an IKE_SA
> >     12[IKE] remote host is behind NAT
> >     12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> >     12[NET] sending packet: from the real IP[500] to 80.187.107.73[500] (312 bytes)
> >     13[NET] received packet: from 80.187.107.73[500] to the real IP[500] (616 bytes)
> >     13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> >     13[IKE] received retransmit of request with ID 0, retransmitting response
> >     13[NET] sending packet: from the real IP[500] to 80.187.107.73[500] (312 bytes)
> >     14[NET] received packet: from 80.187.107.73[500] to the real IP[500] (616 bytes)
> >     14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> >     14[IKE] received retransmit of request with ID 0, retransmitting response
> >     14[NET] sending packet: from the real IP[500] to 80.187.107.73[500] (312 bytes)
> >     15[JOB] deleting half open IKE_SA after timeout
> >
> > Does anybody have an idea what might be the problem?
> >
> > _______________________________________________
> > Users mailing list
> > [email protected]
> > https://lists.strongswan.org/mailman/listinfo/users
>
> --
> ======================================================================
> Andreas Steffen                              [email protected]
> strongSwan - the Open Source VPN Solution!        www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
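The two certificate requirements Andreas names for the Windows client (the gateway FQDN as a subjectAltName DNS entry, which is also what strongSwan matches leftid=@FQDN against, and extendedKeyUsage = serverAuth) are easy to get wrong when a certificate is issued from a CSR whose extensions are silently dropped. The script below is an added example, not code from the thread or from the strongSwan project: it builds a throwaway CA with OpenSSL, issues one gateway certificate with the poster's three extension lines and one without any extensions, and checks each for the two properties. The FQDN vpn.example.org, all file names and the CA subject are assumptions for this example; it needs only the openssl command line.

```sh
#!/bin/sh
# Added example (not from the strongSwan list thread): build a test CA and two
# gateway certs, then check a cert for what Windows 8.1 / WP8.1 IKEv2 clients
# require from the VPN gateway certificate:
#   - subjectAltName with a DNS entry equal to the gateway FQDN (== leftid)
#   - extendedKeyUsage containing serverAuth
# vpn.example.org and all paths/names below are assumptions of this example.

make_test_pki() {
    # $1 = output dir, $2 = gateway FQDN. Writes ca.crt, good.crt and bad.crt.
    dir=$1; fqdn=$2
    mkdir -p "$dir"

    # Minimal req config so 'openssl req' runs even without a system openssl.cnf.
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # The gateway extensions: the same three lines the poster used.
    cat > "$dir/gw.ext" <<EOF
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
authorityKeyIdentifier = keyid
EOF

    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$dir/req.cnf" -extensions v3_ca \
        -subj "/O=Example/CN=Example VPN CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    openssl req -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -subj "/O=Example/CN=$fqdn" \
        -keyout "$dir/gw.key" -out "$dir/gw.csr" 2>/dev/null

    # good.crt: signed with the extension file, so SAN and EKU are present.
    openssl x509 -req -days 365 -in "$dir/gw.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/gw.ext" -out "$dir/good.crt" 2>/dev/null

    # bad.crt: same CSR signed without -extfile; CN only, which Windows rejects.
    openssl x509 -req -days 365 -in "$dir/gw.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/bad.crt" 2>/dev/null
}

check_gateway_cert() {
    # $1 = PEM certificate, $2 = FQDN the client connects to (and leftid value).
    # Returns 0 if both requirements hold, 1 if not, 2 if the file is unreadable.
    cert=$1; fqdn=$2; ok=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2

    # SAN: an exact DNS entry for the FQDN (an IP entry or CN alone is not enough).
    if ! printf '%s\n' "$text" | grep -Eq "DNS:$fqdn(,|[[:space:]]|\$)"; then
        echo "$cert: missing subjectAltName DNS:$fqdn"; ok=1
    fi
    # EKU: OpenSSL prints the serverAuth OID as "TLS Web Server Authentication".
    if ! printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
        echo "$cert: missing extendedKeyUsage serverAuth"; ok=1
    fi
    return $ok
}

# Demo on the constructed PKI: good.crt passes, bad.crt reports both problems.
tmp=$(mktemp -d)
make_test_pki "$tmp" vpn.example.org
for c in good bad; do
    if check_gateway_cert "$tmp/$c.crt" vpn.example.org; then
        echo "$c.crt: acceptable for Windows IKEv2 clients"
    fi
done
rm -rf "$tmp"
```

Run the checker against the real gateway certificate with the exact FQDN the phone is configured to connect to (`check_gateway_cert /etc/ipsec.d/certs/server.crt vpn.example.org`); a mismatch between that name, the SAN and leftid is the usual reason the client drops the connection right after the IKE_AUTH response that carries the certificate.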
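The "no netkey IPsec stack detected" lines from the starter and the "unable to set IPSEC_POLICY on socket" errors from charon are the same problem seen from two sides: the running kernel offers no PF_KEY/XFRM IPsec support, so neither the IKE bypass policies nor any tunnel policy can be installed. The script below is an added example, not code from the thread or from strongSwan. Its first function checks a kernel .config offline for the options needed by the native Linux (netkey/XFRM) stack; the option list is an assumption of this example, reduced to what an IPv4 ESP tunnel with aes256-sha1 needs on a 2.6/3.x kernel like the one in the thread (recent kernels build the INET_XFRM_MODE_* modes in unconditionally). The second function probes a live gateway: it loads the modules, looks for /proc/net/pfkey, which is what the starter's netkey detection keys on, and checks that XFRM over netlink works, which is what charon's kernel-netlink plugin uses. The sample .config fragment is constructed for the example.

```sh
#!/bin/sh
# Added example, not part of the strongSwan list thread. Two checks behind the
# "no netkey IPsec stack detected" / "unable to set IPSEC_POLICY" symptom.
# The option list is an assumption of this example (minimum for an IPv4 ESP
# tunnel with aes/sha1 on a 2.6/3.x kernel; newer kernels dropped the
# INET_XFRM_MODE_* symbols because the modes are always built in).

NETKEY_OPTIONS="CONFIG_XFRM CONFIG_XFRM_USER CONFIG_NET_KEY CONFIG_INET_ESP \
CONFIG_INET_XFRM_MODE_TUNNEL CONFIG_INET_XFRM_MODE_TRANSPORT \
CONFIG_CRYPTO_AES CONFIG_CRYPTO_SHA1 CONFIG_CRYPTO_HMAC CONFIG_CRYPTO_CBC"

# 1. Offline: check a kernel config (e.g. /boot/config-$(uname -r)).
#    Prints every required option that is neither =y nor =m; returns 1 if any.
missing_netkey_options() {
    cfg=$1; rc=0
    for opt in $NETKEY_OPTIONS; do
        if ! grep -Eq "^$opt=(y|m)\$" "$cfg"; then
            echo "missing: $opt"
            rc=1
        fi
    done
    return $rc
}

# 2. Live: what 'ipsec starter' and charon need at runtime (needs root).
probe_live_stack() {
    # starter reports the netkey stack when /proc/net/pfkey exists; that file
    # appears once af_key is loaded or built in, so try the modules first.
    for m in af_key xfrm_user esp4 xfrm4_mode_tunnel xfrm4_mode_transport; do
        modprobe -q "$m" 2>/dev/null || echo "modprobe $m failed (built in, absent, or no permission)"
    done
    if [ -e /proc/net/pfkey ]; then
        echo "PF_KEY interface present: starter will detect the netkey stack"
    else
        echo "no /proc/net/pfkey: kernel has no PF_KEY/XFRM support or af_key cannot be loaded"
        return 1
    fi
    # charon's kernel-netlink plugin installs policies over XFRM netlink.
    if ip xfrm policy >/dev/null 2>&1; then
        echo "XFRM netlink works: charon can install IKE bypass and IPsec policies"
    else
        echo "ip xfrm policy failed: charon will not be able to install policies"
        return 1
    fi
}

# Constructed sample .config fragment: two of the required options are unset.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_XFRM=y
CONFIG_XFRM_USER=m
# CONFIG_NET_KEY is not set
CONFIG_INET_ESP=m
# CONFIG_INET_XFRM_MODE_TUNNEL is not set
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_CBC=y
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
missing_netkey_options "$sample" \
    || echo "fix the kernel before expecting any IPsec policy to install"
rm -f "$sample"

# Run with --live on the gateway itself to probe the running kernel.
if [ "${1:-}" = "--live" ]; then
    probe_live_stack
fi
```

On the poster's box the useful first step is `missing_netkey_options /boot/config-$(uname -r)` (if the vendor kernel ships its config) followed by `--live` as root; if af_key and xfrm_user cannot be loaded because the kernel simply lacks them, no ipsec.conf or certificate change will help and the kernel has to be replaced with one that has the XFRM stack.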
