Hi,

iOS 8 VPN connection: Could not validate the server certificate.
Windows connected properly.

####################-------------------Error Messages----------------------#######################

LOG
Jul 21 10:07:28 localhost charon: 04[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Jul 21 10:07:28 localhost charon: 04[CFG] looking for an ike config for 112.91.xx.209...112.96.173.55
Jul 21 10:07:28 localhost charon: 04[CFG] candidate: %any...%any, prio 28
Jul 21 10:07:28 localhost charon: 04[CFG] candidate: %any...%any, prio 28
Jul 21 10:07:28 localhost charon: 04[CFG] found matching ike config: %any...%any with prio 28
Jul 21 10:07:28 localhost charon: 04[IKE] received NAT-T (RFC 3947) vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received XAuth vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received Cisco Unity vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received FRAGMENTATION vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received DPD vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] 112.96.173.55 is initiating a Main Mode IKE_SA
Jul 21 10:07:28 localhost charon: 04[IKE] IKE_SA (unnamed)[11] state change: CREATED => CONNECTING
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG] proposal matches
Jul 21 10:07:28 localhost charon: 04[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Jul 21 10:07:28 localhost charon: 04[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
Jul 21 10:07:28 localhost charon: 04[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Jul 21 10:07:28 localhost charon: 04[IKE] sending XAuth vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] sending DPD vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] sending FRAGMENTATION vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] sending NAT-T (RFC 3947) vendor ID
Jul 21 10:07:28 localhost charon: 04[ENC] generating ID_PROT response 0 [ SA V V V V ]
Jul 21 10:07:28 localhost strongswan: 07[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
Jul 21 10:07:28 localhost strongswan: 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Jul 21 10:07:28 localhost strongswan: 07[IKE] sending XAuth vendor ID
Jul 21 10:07:28 localhost strongswan: 07[IKE] sending DPD vendor ID
Jul 21 10:07:28 localhost strongswan: 07[IKE] sending FRAGMENTATION vendor ID
Jul 21 10:07:28 localhost strongswan: 07[IKE] sending NAT-T (RFC 3947) vendor ID
Jul 21 10:07:28 localhost strongswan: 07[ENC] generating ID_PROT response 0 [ SA V V V V ]
Jul 21 10:07:28 localhost strongswan: 01[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 21 10:07:28 localhost strongswan: 01[IKE] remote host is behind NAT
Jul 21 10:07:28 localhost strongswan: 01[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Jul 21 10:07:28 localhost strongswan: 01[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Jul 21 10:07:28 localhost strongswan: 03[ENC] parsed ID_PROT request 0 [ FRAG ]
Jul 21 10:07:28 localhost strongswan: 03[IKE] received fragment #1, waiting for complete IKE message
Jul 21 10:07:28 localhost strongswan: 11[ENC] parsed ID_PROT request 0 [ FRAG ]
Jul 21 10:07:28 localhost strongswan: 11[IKE] received fragment #2, reassembling fragmented IKE message
Jul 21 10:07:28 localhost strongswan: 11[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Jul 21 10:07:28 localhost strongswan: 11[IKE] ignoring certificate request without data
Jul 21 10:07:28 localhost strongswan: 11[IKE] received end entity cert "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:28 localhost strongswan: 11[CFG] looking for XAuthInitRSA peer configs matching 112.91.xx.209...112.96.173.55[C=CH, O=strongSwan, CN=112.91.xx.209]
Jul 21 10:07:28 localhost strongswan: 11[CFG] candidate "CiscoIPSec", match: 1/1/28 (me/other/ike)
Jul 21 10:07:28 localhost strongswan: 11[CFG] candidate "XauthPsk", match: 1/1/28 (me/other/ike)
Jul 21 10:07:28 localhost strongswan: 11[CFG] selected peer config "CiscoIPSec"
Jul 21 10:07:28 localhost strongswan: 11[CFG] certificate "C=CH, O=strongSwan, CN=112.91.xx.209" key: 2048 bit RSA
Jul 21 10:07:28 localhost strongswan: 11[CFG] using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan CA"
Jul 21 10:07:28 localhost strongswan: 11[CFG] checking certificate status of "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:28 localhost strongswan: 11[CFG] ocsp check skipped, no ocsp found
Jul 21 10:07:28 localhost strongswan: 11[CFG] certificate status is not available
Jul 21 10:07:28 localhost strongswan: 11[CFG] certificate "C=CH, O=strongSwan, CN=strongSwan CA" key: 4096 bit RSA
Jul 21 10:07:28 localhost strongswan: 11[CFG] reached self-signed root ca with a path length of 0
Jul 21 10:07:28 localhost strongswan: 11[CFG] using trusted certificate "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:28 localhost strongswan: 11[IKE] signature validation failed, looking for another key
Jul 21 10:07:28 localhost strongswan: 11[CFG] using certificate "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:28 localhost strongswan: 11[CFG] certificate "C=CH, O=strongSwan, CN=112.91.xx.209" key: 2048 bit RSA
Jul 21 10:07:28 localhost strongswan: 11[CFG] using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan CA"
Jul 21 10:07:28 localhost strongswan: 11[CFG] checking certificate status of "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:28 localhost strongswan: 11[CFG] ocsp check skipped, no ocsp found
Jul 21 10:07:28 localhost strongswan: 11[CFG] certificate status is not available
Jul 21 10:07:28 localhost strongswan: 11[CFG] certificate "C=CH, O=strongSwan, CN=strongSwan CA" key: 4096 bit RSA
Jul 21 10:07:28 localhost strongswan: 11[CFG] reached self-signed root ca with a path length of 0
Jul 21 10:07:28 localhost strongswan: 11[IKE] authentication of 'C=CH, O=strongSwan, CN=112.91.xx.209' with RSA successful
Jul 21 10:07:28 localhost strongswan: 11[IKE] authentication of 'C=CH, O=strongSwan, CN=112.91.xx.209' (myself) successful
Jul 21 10:07:28 localhost strongswan: 11[IKE] queueing XAUTH task
Jul 21 10:07:28 localhost strongswan: 11[IKE] sending end entity cert "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:28 localhost strongswan: 11[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Jul 21 10:07:28 localhost strongswan: 11[IKE] sending IKE message with length of 1468 bytes in 3 fragments
Jul 21 10:07:28 localhost strongswan: 11[ENC] generating ID_PROT response 0 [ FRAG ]
Jul 21 10:07:28 localhost strongswan: 11[ENC] generating ID_PROT response 0 [ FRAG ]
Jul 21 10:07:28 localhost strongswan: 11[ENC] generating ID_PROT response 0 [ FRAG ]
Jul 21 10:07:28 localhost strongswan: 11[IKE] activating new tasks
Jul 21 10:07:28 localhost strongswan: 11[IKE] activating XAUTH task
Jul 21 10:07:28 localhost strongswan: 11[ENC] generating TRANSACTION request 2341071175 [ HASH CPRQ(X_USER X_PWD) ]
Jul 21 10:07:28 localhost strongswan: 16[ENC] invalid HASH_V1 payload length, decryption failed?
Jul 21 10:07:28 localhost strongswan: 16[ENC] could not decrypt payloads
Jul 21 10:07:28 localhost strongswan: 16[IKE] message parsing failed
Jul 21 10:07:28 localhost strongswan: 16[IKE] ignore malformed INFORMATIONAL request
Jul 21 10:07:28 localhost strongswan: 16[IKE] INFORMATIONAL_V1 request with message ID 1611570210 processing failed
Jul 21 10:07:28 localhost strongswan: 14[IKE] sending retransmit 1 of request message ID 2341071175, seq 1
Jul 21 10:07:28 localhost strongswan: 05[IKE] sending retransmit 2 of request message ID 2341071175, seq 1
Jul 21 10:07:28 localhost strongswan: 04[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Jul 21 10:07:28 localhost strongswan: 04[CFG] looking for an ike config for 112.91.xx.209...112.96.173.55
Jul 21 10:07:28 localhost strongswan: 04[CFG] candidate: %any...%any, prio 28
Jul 21 10:07:28 localhost strongswan: 04[CFG] candidate: %any...%any, prio 28
Jul 21 10:07:28 localhost strongswan: 04[CFG] found matching ike config: %any...%any with prio 28
Jul 21 10:07:28 localhost strongswan: 04[IKE] received NAT-T (RFC 3947) vendor ID
Jul 21 10:07:28 localhost strongswan: 04[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Jul 21 10:07:28 localhost strongswan: 04[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Jul 21 10:07:28 localhost strongswan: 04[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Jul 21 10:07:28 localhost strongswan: 04[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Jul 21 10:07:28 localhost strongswan: 04[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Jul 21 10:07:29 localhost charon: 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 21 10:07:29 localhost charon: 09[IKE] remote host is behind NAT
Jul 21 10:07:29 localhost charon: 09[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Jul 21 10:07:29 localhost charon: 09[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Jul 21 10:07:29 localhost strongswan: 04[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Jul 21 10:07:29 localhost strongswan: 04[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jul 21 10:07:29 localhost strongswan: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jul 21 10:07:29 localhost strongswan: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 21 10:07:29 localhost strongswan: 04[IKE] received XAuth vendor ID
Jul 21 10:07:29 localhost strongswan: 04[IKE] received Cisco Unity vendor ID
Jul 21 10:07:29 localhost strongswan: 04[IKE] received FRAGMENTATION vendor ID
Jul 21 10:07:29 localhost strongswan: 04[IKE] received DPD vendor ID
Jul 21 10:07:29 localhost strongswan: 04[IKE] 112.96.173.55 is initiating a Main Mode IKE_SA
Jul 21 10:07:29 localhost strongswan: 04[IKE] IKE_SA (unnamed)[11] state change: CREATED => CONNECTING
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:29 localhost strongswan: 04[CFG] selecting proposal:
Jul 21 10:07:29 localhost strongswan: 04[CFG] proposal matches
Jul 21 10:07:29 localhost strongswan: 04[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Jul 21 10:07:29 localhost strongswan: 04[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
Jul 21 10:07:29 localhost strongswan: 04[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Jul 21 10:07:29 localhost strongswan: 04[IKE] sending XAuth vendor ID
Jul 21 10:07:29 localhost strongswan: 04[IKE] sending DPD vendor ID
Jul 21 10:07:29 localhost strongswan: 04[IKE] sending FRAGMENTATION vendor ID
Jul 21 10:07:29 localhost strongswan: 04[IKE] sending NAT-T (RFC 3947) vendor ID
Jul 21 10:07:29 localhost strongswan: 04[ENC] generating ID_PROT response 0 [ SA V V V V ]
Jul 21 10:07:29 localhost strongswan: 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 21 10:07:29 localhost strongswan: 09[IKE] remote host is behind NAT
Jul 21 10:07:29 localhost charon: 01[ENC] parsed ID_PROT request 0 [ FRAG ]
Jul 21 10:07:29 localhost charon: 01[IKE] received fragment #1, waiting for complete IKE message
Jul 21 10:07:29 localhost charon: 03[ENC] parsed ID_PROT request 0 [ FRAG ]
Jul 21 10:07:29 localhost charon: 03[IKE] received fragment #2, reassembling fragmented IKE message
Jul 21 10:07:29 localhost charon: 03[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Jul 21 10:07:29 localhost charon: 03[IKE] ignoring certificate request without data
Jul 21 10:07:29 localhost charon: 03[IKE] received end entity cert "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:29 localhost charon: 03[CFG] looking for XAuthInitRSA peer configs matching 112.91.xx.209...112.96.173.55[C=CH, O=strongSwan, CN=112.91.xx.209]
Jul 21 10:07:29 localhost charon: 03[CFG] candidate "CiscoIPSec", match: 1/1/28 (me/other/ike)
Jul 21 10:07:29 localhost charon: 03[CFG] candidate "XauthPsk", match: 1/1/28 (me/other/ike)
Jul 21 10:07:29 localhost charon: 03[CFG] selected peer config "CiscoIPSec"
Jul 21 10:07:29 localhost charon: 03[CFG] certificate "C=CH, O=strongSwan, CN=112.91.xx.209" key: 2048 bit RSA
Jul 21 10:07:29 localhost charon: 03[CFG] using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan CA"
Jul 21 10:07:29 localhost charon: 03[CFG] checking certificate status of "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:29 localhost charon: 03[CFG] ocsp check skipped, no ocsp found
Jul 21 10:07:29 localhost charon: 03[CFG] certificate status is not available
Jul 21 10:07:29 localhost charon: 03[CFG] certificate "C=CH, O=strongSwan, CN=strongSwan CA" key: 4096 bit RSA
Jul 21 10:07:29 localhost charon: 03[CFG] reached self-signed root ca with a path length of 0
Jul 21 10:07:29 localhost charon: 03[CFG] using trusted certificate "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:29 localhost charon: 03[IKE] signature validation failed, looking for another key
Jul 21 10:07:29 localhost charon: 03[CFG] using certificate "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:29 localhost charon: 03[CFG] certificate "C=CH, O=strongSwan, CN=112.91.xx.209" key: 2048 bit RSA
Jul 21 10:07:29 localhost charon: 03[CFG] using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan CA"
Jul 21 10:07:29 localhost charon: 03[CFG] checking certificate status of "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:29 localhost charon: 03[CFG] ocsp check skipped, no ocsp found
Jul 21 10:07:29 localhost charon: 03[CFG] certificate status is not available
Jul 21 10:07:29 localhost charon: 03[CFG] certificate "C=CH, O=strongSwan, CN=strongSwan CA" key: 4096 bit RSA
Jul 21 10:07:29 localhost charon: 03[CFG] reached self-signed root ca with a path length of 0
Jul 21 10:07:29 localhost charon: 03[IKE] authentication of 'C=CH, O=strongSwan, CN=112.91.xx.209' with RSA successful
Jul 21 10:07:29 localhost charon: 03[IKE] authentication of 'C=CH, O=strongSwan, CN=112.91.xx.209' (myself) successful
Jul 21 10:07:29 localhost charon: 03[IKE] queueing XAUTH task
Jul 21 10:07:29 localhost charon: 03[IKE] sending end entity cert "C=CH, O=strongSwan, CN=112.91.xx.209"
Jul 21 10:07:29 localhost charon: 03[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Jul 21 10:07:29 localhost charon: 03[IKE] sending IKE message with length of 1468 bytes in 3 fragments
Jul 21 10:07:29 localhost charon: 03[ENC] generating ID_PROT response 0 [ FRAG ]
Jul 21 10:07:29 localhost charon: 03[ENC] generating ID_PROT response 0 [ FRAG ]
Jul 21 10:07:29 localhost charon: 03[ENC] generating ID_PROT response 0 [ FRAG ]
Jul 21 10:07:29 localhost charon: 03[IKE] activating new tasks
Jul 21 10:07:29 localhost charon: 03[IKE] activating XAUTH task
Jul 21 10:07:29 localhost charon: 03[ENC] generating TRANSACTION request 1278118635 [ HASH CPRQ(X_USER X_PWD) ]
Jul 21 10:07:29 localhost charon: 14[ENC] invalid HASH_V1 payload length, decryption failed?
Jul 21 10:07:29 localhost charon: 14[ENC] could not decrypt payloads
Jul 21 10:07:29 localhost charon: 14[IKE] message parsing failed
Jul 21 10:07:29 localhost charon: 14[IKE] ignore malformed INFORMATIONAL request
Jul 21 10:07:29 localhost charon: 14[IKE] INFORMATIONAL_V1 request with message ID 3171526170 processing failed

####################-------------------Configuration----------------------#####################

#INSTALL
yum -y install strongswan

#CA
cd /etc/strongswan/ipsec.d
strongswan pki --gen --type rsa --size 4096 --outform pem > ca-key.pem
chmod 600 ca-key.pem
strongswan pki --self --ca --lifetime 730 --in ca-key.pem --type rsa --dn "C=CH, O=strongSwan, CN=strongSwan CA" --outform pem > ca-cert.pem

#Server
strongswan pki --gen --type rsa --size 2048 --outform pem > server-key.pem
chmod 600 server-key.pem
strongswan pki --pub --in server-key.pem --type rsa | strongswan pki --issue --lifetime 730 --cacert ca-cert.pem --cakey ca-key.pem --dn "C=CH, O=strongSwan, CN=x.x.x.x" --san "x.x.x.x" --flag serverAuth --flag ikeIntermediate --outform pem > server-cert.pem

#Client
strongswan pki --gen --type rsa --size 2048 --outform pem > client-key.pem
chmod 600 client-key.pem
strongswan pki --pub --in client-key.pem --type rsa | strongswan pki --issue --lifetime 730 --cacert ca-cert.pem --cakey ca-key.pem --dn "C=CH, O=strongSwan, CN=john" --san "[email protected]" --outform pem > client-cert.pem
openssl pkcs12 -export -inkey client-key.pem -in client-cert.pem -name "John's VPN Certificate" -certfile ca-cert.pem -caname "strongSwan CA" -out john.p12 -password "pass:123"

#copy
\cp ca-key.pem /etc/strongswan/ipsec.d/private/ca.key
\cp ca-cert.pem /etc/strongswan/ipsec.d/cacerts/ca.crt
\cp server-key.pem /etc/strongswan/ipsec.d/private/server.key
\cp server-cert.pem /etc/strongswan/ipsec.d/certs/server.crt
\cp client-key.pem /etc/strongswan/ipsec.d/private/client.key
\cp client-cert.pem /etc/strongswan/ipsec.d/certs/client.crt
\cp john.p12 /usr/local/nginx/html/docs/
cd ~

#--->ipsec.conf<---#
cat >/etc/strongswan/ipsec.conf<<EOF
# ipsec.conf - strongSwan IPsec configuration file

config setup
    uniqueids=never
    charondebug="cfg 2, dmn 2, ike 2, net 0"

conn %default
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=server.crt
    right=%any
    rightsourceip=10.11.0.5/24

conn CiscoIPSec
    keyexchange=ikev1
    fragmentation=yes
    rightauth=pubkey
    rightauth2=xauth
    leftsendcert=always
    rekey=no
    auto=add

conn XauthPsk
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    auto=add

conn IpsecIKEv2
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey
    leftsendcert=always
    auto=add

conn IpsecIKEv2-EAP
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    leftauth=pubkey
    leftsendcert=always
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=add
EOF

#--->strongswan.conf<---#
cat >/etc/strongswan/strongswan.conf<<EOF
charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
EOF

#--->ipsec.secrets<---#
cat >/etc/strongswan/ipsec.secrets<<EOF
: RSA server.key
: PSK "123"
john %any : EAP "password"
john %any : XAUTH "password"
EOF

systemctl enable strongswan.service
systemctl start strongswan.service
iptables -I INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT

Isn't it a wrong certificate configuration?

Thanks, cheers
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
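As an added example (not from the original post or from strongSwan), a small Python parser that reads charon syslog lines like the ones quoted above and reduces one IKEv1 Main Mode attempt to the events worth an operator's attention: the negotiated proposal, the certificate the peer presented, the signature retry, and the undecryptable reply that follows the XAuth request. The sample lines are constructed from entries in the post; the LEGACY_ALGS set is this example's own assumption about which algorithms fall below current guidance.

```python
# Summarise one strongSwan IKEv1 Main Mode attempt from charon syslog lines.
# Added example, not part of the original post or of strongSwan.
import re

# syslog prefix followed by charon's "<thread>[<group>] <message>" layout
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<daemon>\w+): "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
# assumption: single/triple DES, MD5 and DH groups shorter than 2048 bits
LEGACY_ALGS = {"DES_CBC", "3DES_CBC", "HMAC_MD5_96", "PRF_HMAC_MD5", "MODP_1024", "MODP_1536"}
# messages whose capture group becomes a field of the summary
FIELD_PATTERNS = [
    ("initiator", re.compile(r"(\S+) is initiating a Main Mode IKE_SA$")),
    ("selected_proposal", re.compile(r"selected proposal: (\S+)$")),
    ("peer_config", re.compile(r'selected peer config "([^"]+)"$')),
    ("peer_cert_dn", re.compile(r'received end entity cert "([^"]+)"$')),
    ("my_cert_dn", re.compile(r"authentication of '([^']+)' \(myself\) successful$")),
    ("peer_auth_dn", re.compile(r"authentication of '([^']+)' with RSA successful$")),
]
# messages that are simply counted
COUNTED = {
    "signature validation failed, looking for another key": "signature_retries",
    "could not decrypt payloads": "decrypt_failures",
}
SAMPLE_LOG = [  # constructed from the post's second attempt (10:07:29)
    "Jul 21 10:07:29 localhost charon: 04[IKE] 112.96.173.55 is initiating a Main Mode IKE_SA",
    "Jul 21 10:07:29 localhost charon: 04[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536",
    'Jul 21 10:07:29 localhost charon: 03[IKE] received end entity cert "C=CH, O=strongSwan, CN=112.91.xx.209"',
    'Jul 21 10:07:29 localhost charon: 03[CFG] selected peer config "CiscoIPSec"',
    "Jul 21 10:07:29 localhost charon: 03[IKE] signature validation failed, looking for another key",
    "Jul 21 10:07:29 localhost charon: 03[IKE] authentication of 'C=CH, O=strongSwan, CN=112.91.xx.209' with RSA successful",
    "Jul 21 10:07:29 localhost charon: 03[IKE] authentication of 'C=CH, O=strongSwan, CN=112.91.xx.209' (myself) successful",
    "Jul 21 10:07:29 localhost charon: 03[ENC] generating TRANSACTION request 1278118635 [ HASH CPRQ(X_USER X_PWD) ]",
    "Jul 21 10:07:29 localhost charon: 14[ENC] invalid HASH_V1 payload length, decryption failed?",
    "Jul 21 10:07:29 localhost charon: 14[ENC] could not decrypt payloads",
    "Jul 21 10:07:29 localhost charon: 14[IKE] INFORMATIONAL_V1 request with message ID 3171526170 processing failed",
    "not a charon line at all",  # noise, to show the parser skipping it
]

def parse_line(line):
    """Split one syslog line into its fields, or return None if it is not charon output."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Reduce log lines to the facts that decide how the attempt went."""
    s = {key: None for key, _ in FIELD_PATTERNS}
    s.update({name: 0 for name in COUNTED.values()}, xauth_requested=False)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        for key, pattern in FIELD_PATTERNS:
            m = pattern.match(msg)
            if m:
                s[key] = m.group(1)
                break
        if msg in COUNTED:
            s[COUNTED[msg]] += 1
        if "CPRQ(X_USER X_PWD)" in msg:  # XAuth username/password request went out
            s["xauth_requested"] = True
    return s

def findings(s):
    """Turn the summary into observations an operator would want to see."""
    out = []
    if s["selected_proposal"]:
        algs = set(s["selected_proposal"].split(":", 1)[1].split("/"))
        legacy = sorted(algs & LEGACY_ALGS)
        if legacy:
            out.append("selected IKE proposal uses legacy algorithms: " + ", ".join(legacy))
    if s["signature_retries"]:
        out.append(f"peer signature did not verify against the first candidate key ({s['signature_retries']} retry)")
    if s["peer_cert_dn"] and s["peer_cert_dn"] == s["my_cert_dn"]:
        out.append("peer certificate DN equals the gateway's own certificate DN: " + s["peer_cert_dn"])
    if s["xauth_requested"] and s["decrypt_failures"]:
        out.append(f"XAuth credential request sent, but {s['decrypt_failures']} later message(s) could not be decrypted")
    return out

def analyse(lines=None):
    """Summarise the given lines (default: SAMPLE_LOG); returns (summary, findings)."""
    s = summarize(SAMPLE_LOG if lines is None else lines)
    return s, findings(s)

if __name__ == "__main__":
    for note in analyse()[1]:
        print("-", note)
```

Feed it `journalctl -u strongswan` output or the syslog file instead of SAMPLE_LOG to get the same summary for a live attempt.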
