Hello Ilan,

Then I don't know what it could be. Maybe strongSwan uses a defective cert? That might be worth checking.

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 11.02.2015 at 19:47, Ilan Caspi wrote:
> Thanks Noel, but still no joy. I'm pretty sure that the rest of the l2tp is
> fine because it works with a shared secret, but the certificates for some
> reason are still off. The current ipsec.conf looks like this:
>
>     keyexchange=ikev1
>     authby=rsasig
>     rekey=yes
>     keyingtries=2
>     leftsubnet=0.0.0.0/0
>     leftca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
>     leftcert=server.pem
>     leftprotoport="17/1701"
>     right=%any
>     rightid=%any
>     rightprotoport="17/1701"
>     type="transport"
>     auto=add
>
> The connection fails with this message:
>
>     IKE_SA chromebook[1] state change: CONNECTING => ESTABLISHED
>     09[IKE] scheduling reauthentication in 13531s
>     09[IKE] maximum IKE_SA lifetime 14071s
>     09[IKE] sending end entity cert "CN=do-c6176704.san-francisco-1.pertinoipsec.dev.pertino.com, OU=DEV, O=pertino.com, C=US"
>     09[IKE] sending issuer cert "CN=Pertino Dev Issuing CA G1, O=Pertino, C=US"
>     09[IKE] sending issuer cert "CN=Pertino Dev Intermediate CA G1, O=Pertino, C=US"
>     09[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]
>     09[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500] (2092 bytes)
>     03[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]
>     02[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
>     02[NET] waiting for data on sockets
>     11[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (68 bytes)
>     11[ENC] invalid HASH_V1 payload length, decryption failed?
>     11[ENC] could not decrypt payloads
>     11[IKE] message parsing failed
>     11[IKE] ignore malformed INFORMATIONAL request
>     11[IKE] INFORMATIONAL_V1 request with message ID 2808853053 processing failed
>     02[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
>     02[NET] waiting for data on sockets
>     12[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (1092 bytes)
>     12[IKE] received retransmit of request with ID 0, retransmitting response
>     12[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500] (2092 bytes)
>     03[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]
>     02[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
>     02[NET] waiting for data on sockets
>     13[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (68 bytes)
>     13[ENC] invalid HASH_V1 payload length, decryption failed?
>     13[ENC] could not decrypt payloads
>     13[IKE] message parsing failed
>     13[IKE] ignore malformed INFORMATIONAL request
>
> On Wed Feb 11 2015 at 10:29:31 AM Noel Kuntze <[email protected]> wrote:
> > Hello Ilan,
> >
> > You are looking at a L2TP/IPsec configuration with certificate authentication
> > and transport mode.
> > The following config will be compatible:
> >
> >     conn chromiumos
> >         ike="3des-sha1-modp1024"
> >         esp="aes128-sha1,3des-sha1,aes128-md5,3des-md5"
> >         keyexchange="ikev1"
> >         rekey=yes
> >         left="%defaultroute"
> >         leftprotoport="17/1701"
> >         rightca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
> >         leftca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
> >         rightid="%any"
> >         right=%any
> >         rightprotoport="17/1701"
> >         type="transport"
> >         auto="add"
> >
> > You will need to adjust the leftca section or define the certificate manually
> > using leftcert.
> > You also need to run an l2tp daemon, like xl2tpd, as traffic will be tunneled
> > using l2tp.
> >
> > Kind regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> > On 11.02.2015 at 18:49, Ilan Caspi wrote:
> > > Maybe this will shed some light on the subject. The chromebook is using the
> > > following configuration:
> > >
> > > ipsec.conf
> > >
> > >     ike="3des-sha1-modp1024"
> > >     esp="aes128-sha1,3des-sha1,aes128-md5,3des-md5"
> > >     keyexchange="ikev1"
> > >     rekey=yes
> > >     left="%defaultroute"
> > >     leftcert="%smartcard1@crypto_module:719D7F5687E27E8DAD5E37FD84CFFA1027B29878"
> > >     leftprotoport="17/1701"
> > >     leftupdown="/usr/libexec/l2tpipsec_vpn/pluto_updown"
> > >     right="162.243.137.92"
> > >     rightca="CN=Pertino Dev Root CA G1, O=Pertino, C=US"
> > >     rightid="%any"
> > >     rightprotoport="17/1701"
> > >     type="transport"
> > >     auto="start"
> > >
> > > strongswan.conf
> > >
> > >     libstrongswan {
> > >         plugins {
> > >             pkcs11 {
> > >                 modules {
> > >                     crypto_module {
> > >                         path = /usr/lib/libchaps.so
> > >                     }
> > >                 }
> > >             }
> > >         }
> > >     }
> > >     charon {
> > >         accept_unencrypted_mainmode_messages = yes
> > >         ignore_routing_tables = 0
> > >         install_routes = no
> > >         routing_table = 0
> > >     }
> > >
> > > ipsec.secrets
> > >
> > >     10.0.1.135 162.243.137.92 : PIN %smartcard1@crypto_module:719D7F5687E27E8DAD5E37FD84CFFA1027B29878 "111111"
> > >
> > > I'm trying to dig into the chromium code and understand if this is the only
> > > config chromeos will generate, but assuming that is the case, how can I set
> > > the strongswan server to answer that client config?
> > >
> > > Thanks again for all the help
> > >
> > > Ilan
> > >
> > > On Thu Feb 05 2015 at 3:32:52 PM Ilan Caspi <[email protected]> wrote:
> > > > Hi Noel,
> > > >
> > > > Unfortunately that wasn't the ticket
> > > >
> > > >     14[CFG] candidate "chromebook", match: 1/19/28 (me/other/ike)
> > > >     14[IKE] no peer config found
> > > >     14[IKE] queueing INFORMATIONAL task
> > > >     14[IKE] activating new tasks
> > > >     14[IKE] activating INFORMATIONAL task
> > > >     14[ENC] generating INFORMATIONAL_V1 request 1417043180 [ HASH N(AUTH_FAILED) ]
> > > >
> > > > ipsec.conf
> > > >
> > > >     conn chromebook
> > > >         keyexchange=ikev1
> > > >         authby=rsasig
> > > >         rekey=no
> > > >         keyingtries=2
> > > >         left=%defaultroute
> > > >         leftsubnet=0.0.0.0/0
> > > >         leftprotoport=udp/l2tp
> > > >         leftcert=server.pem
> > > >         right=%any
> > > >         rightprotoport=udp/%any
> > > >         rightrsasigkey=%cert
> > > >         rightid="CN=*, OU=1957, O=mydomain.com, C=US"
> > > >         auto=add
> > > >         aggressive=yes
> > > >
> > > > On Thu Feb 05 2015 at 1:27:22 PM Noel Kuntze <[email protected]> wrote:
> > > > > Hello Ilan,
> > > > >
> > > > > That could be the client trying to use aggressive mode.
> > > > > Enable it in the conn section and see if it works with it.
> > > > >
> > > > > Kind regards,
> > > > > Noel Kuntze
> > > > >
> > > > > GPG Key ID: 0x63EC6658
> > > > > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> > > > >
> > > > > On 05.02.2015 at 19:17, Ilan Caspi wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I'm trying to connect a chromebook to Linux strongSwan
> > > > > > U5.1.2/K3.13.0-43-generic with not much luck.
> > > > > >
> > > > > > Using a secret the connection is just fine, but when moving the
> > > > > > authentication to using a CA things are going wrong. The certs should be ok
> > > > > > because they work with a different connection.
> > > > > >
> > > > > > From reading the logs the authentication is going well, but things are
> > > > > > starting to go wrong here:
> > > > > >
> > > > > >     15[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]
> > > > > >     15[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500] (2092 bytes)
> > > > > >     04[NET] sending packet: from 162.243.137.92[4500] to 50.204.245.210[4500]
> > > > > >     03[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500]
> > > > > >     03[NET] waiting for data on sockets
> > > > > >     06[NET] received packet: from 50.204.245.210[4500] to 162.243.137.92[4500] (68 bytes)
> > > > > >     06[ENC] invalid HASH_V1 payload length, decryption failed?
> > > > > >     06[ENC] could not decrypt payloads
> > > > > >     06[IKE] message parsing failed
> > > > > >     06[IKE] ignore malformed INFORMATIONAL request
> > > > > >
> > > > > > ipsec.conf
> > > > > >
> > > > > >     config setup
> > > > > >         charondebug="cfg 2, dmn 2, ike 2, net 2"
> > > > > >         uniqueids=never
> > > > > >
> > > > > >     conn %default
> > > > > >         authby=rsasig
> > > > > >         leftrsasigkey=%cert
> > > > > >         rightrsasigkey=%cert
> > > > > >         keyingtries=1
> > > > > >         keylife=60m
> > > > > >         ikelifetime=240m
> > > > > >         rightdns=8.8.8.8
> > > > > >
> > > > > >     conn ios
> > > > > >         keyexchange=ikev1
> > > > > >         xauth=server
> > > > > >         left=%defaultroute
> > > > > >         leftsubnet=0.0.0.0/0
> > > > > >         leftcert=server.pem
> > > > > >         right=%any
> > > > > >         rightid="CN=*, OU=1957, O=secretdomain.com, C=US"
> > > > > >         rightsourceip=172.27.0.0/16
> > > > > >         rightsubnet=172.27.0.0/16
> > > > > >         rightauth2=xauth-noauth
> > > > > >         ike=aes128-sha1-modp2048,3des-sha1-modp1536
> > > > > >         esp=aes128-sha1-modp2048,3des-sha1-modp1536
> > > > > >         rekey=no
> > > > > >         reauth=no
> > > > > >         dpddelay=10
> > > > > >         dpdtimeout=30
> > > > > >         dpdaction=clear
> > > > > >         auto=add
> > > > > >         fragmentation=yes
> > > > > >
> > > > > >     conn chromebook
> > > > > >         keyexchange=ikev1
> > > > > >         authby=rsasig
> > > > > >         rekey=no
> > > > > >         keyingtries=2
> > > > > >         left=%defaultroute
> > > > > >         leftsubnet=0.0.0.0/0
> > > > > >         leftprotoport=udp/l2tp
> > > > > >         leftcert=server.pem
> > > > > >         right=%any
> > > > > >         rightprotoport=udp/%any
> > > > > >         rightrsasigkey=%cert
> > > > > >         rightid="CN=*, OU=1957, O= secretdomain.com, C=US"
> > > > > >         auto=add
> > > > > >
> > > > > > ipsec.secrets
> > > > > >
> > > > > >     : RSA /etc/ipsec.d/private/newserverkey.pem
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
