Hi Tobias,

I really appreciate your help. Below is the syslog I got by setting cfg=2 in /etc/ipsec.conf. Nevertheless, by removing `eap_identity` I got the same result.

Basically, I wanted to use strongSwan as simply as possible, without a CA and certificates. Does that mean that in any case you have to set up a CA in order to use strongSwan? Even with an IKEv2 VPN using a pre-shared key?

Also, my config was based on https://www.strongswan.org/testing/testresults/ikev2/rw-eap-md5-rsa/ where I replaced eap-md5-rsa with eap-mschapv2.

Regards,
Christian

[Network diagram, flattened in extraction. Recoverable content: NAT Gateway with private address 192.168.1.254/24 and public address 78.229.20.105 (ckl.freeboxos.fr); Home Network 192.168.1.0/24; VPN Pi at 192.168.1.29; Roadwarrior Mobile BB10 at 80.xx.xx.xx reaching the gateway over the INTERNET; VPN Network Tunnel Address 10.0.0.0/16.]

Jul 19 12:04:08 raspberrypi charon: 00[DMN] signal of type SIGINT received. Shutting down
Jul 19 12:04:10 raspberrypi charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.0, Linux 4.4.13+, armv6l)
Jul 19 12:04:10 raspberrypi charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 19 12:04:10 raspberrypi charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 19 12:04:10 raspberrypi charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 19 12:04:10 raspberrypi charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 19 12:04:10 raspberrypi charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 19 12:04:10 raspberrypi charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 19 12:04:10 raspberrypi charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Jul 19 12:04:10 raspberrypi charon: 00[CFG] loaded IKE secret for %any
Jul 19 12:04:10 raspberrypi charon: 00[CFG] loaded EAP secret for alice
Jul 19 12:04:10 raspberrypi charon: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic xauth-generic dhcp
Jul 19 12:04:10 raspberrypi charon: 00[JOB] spawning 16 worker threads
Jul 19 12:04:10 raspberrypi charon: 05[CFG] received stroke: add connection 'BB10'
Jul 19 12:04:10 raspberrypi charon: 05[CFG] conn BB10
Jul 19 12:04:10 raspberrypi charon: 05[CFG] left=%any
Jul 19 12:04:10 raspberrypi charon: 05[CFG] leftsubnet=192.168.1.0/24
Jul 19 12:04:10 raspberrypi charon: 05[CFG] [email protected]
Jul 19 12:04:10 raspberrypi charon: 05[CFG] leftupdown=ipsec _updown iptables
Jul 19 12:04:10 raspberrypi charon: 05[CFG] right=%any
Jul 19 12:04:10 raspberrypi charon: 05[CFG] rightsourceip=10.0.0.0/16
Jul 19 12:04:10 raspberrypi charon: 05[CFG] rightdns=192.168.1.254
Jul 19 12:04:10 raspberrypi charon: 05[CFG] rightauth=eap-mschapv2
Jul 19 12:04:10 raspberrypi charon: 05[CFG] ike=aes128-sha256-modp3072
Jul 19 12:04:10 raspberrypi charon: 05[CFG] esp=aes128-sha256
Jul 19 12:04:10 raspberrypi charon: 05[CFG] dpddelay=30
Jul 19 12:04:10 raspberrypi charon: 05[CFG] dpdtimeout=150
Jul 19 12:04:10 raspberrypi charon: 05[CFG] mediation=no
Jul 19 12:04:10 raspberrypi charon: 05[CFG] keyexchange=ikev2
Jul 19 12:04:10 raspberrypi charon: 05[CFG] adding virtual IP address pool 10.0.0.0/16
Jul 19 12:04:10 raspberrypi charon: 05[CFG] added configuration 'BB10'
Jul 19 12:04:35 raspberrypi charon: 06[NET] received packet: from 80.12.59.253[1011] to 192.168.1.29[500] (400 bytes)
Jul 19 12:04:35 raspberrypi charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 19 12:04:35 raspberrypi charon: 06[CFG] looking for an ike config for 192.168.1.29...80.12.59.253
Jul 19 12:04:35 raspberrypi charon: 06[CFG] candidate: %any...%any, prio 28
Jul 19 12:04:35 raspberrypi charon: 06[CFG] found matching ike config: %any...%any with prio 28
Jul 19 12:04:35 raspberrypi charon: 06[IKE] 80.12.59.253 is initiating an IKE_SA
Jul 19 12:04:35 raspberrypi charon: 06[CFG] selecting proposal:
Jul 19 12:04:35 raspberrypi charon: 06[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Jul 19 12:04:35 raspberrypi charon: 06[CFG] selecting proposal:
Jul 19 12:04:35 raspberrypi charon: 06[CFG] proposal matches
Jul 19 12:04:35 raspberrypi charon: 06[CFG] received proposals: IKE:AES_CBC_256/AES_CBC_192/AES_CBC_128/3DES_CBC/DES_CBC/HMAC_SHA1_96/HMAC_MD5_96/PRF_HMAC_SHA1/PRF_HMAC_MD5/MODP_1024/MODP_768
Jul 19 12:04:35 raspberrypi charon: 06[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
Jul 19 12:04:35 raspberrypi charon: 06[CFG] selected proposal: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Jul 19 12:04:35 raspberrypi charon: 06[IKE] local host is behind NAT, sending keep alives
Jul 19 12:04:35 raspberrypi charon: 06[IKE] remote host is behind NAT
Jul 19 12:04:35 raspberrypi charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul 19 12:04:35 raspberrypi charon: 06[NET] sending packet: from 192.168.1.29[500] to 80.12.59.253[1011] (312 bytes)
Jul 19 12:04:36 raspberrypi charon: 16[NET] received packet: from 80.12.59.253[64916] to 192.168.1.29[4500] (284 bytes)
Jul 19 12:04:36 raspberrypi charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi CPRQ(ADDR MASK DNS DNS NBNS NBNS VER) N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jul 19 12:04:36 raspberrypi charon: 16[CFG] looking for peer configs matching 192.168.1.29[%any]...80.12.59.253[alice]
Jul 19 12:04:36 raspberrypi charon: 16[CFG] candidate "BB10", match: 1/1/28 (me/other/ike)
Jul 19 12:04:36 raspberrypi charon: 16[CFG] selected peer config 'BB10'
Jul 19 12:04:36 raspberrypi charon: 16[IKE] initiating EAP_MSCHAPV2 method (id 0x8C)
Jul 19 12:04:36 raspberrypi charon: 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 19 12:04:36 raspberrypi charon: 16[IKE] no private key found for 'ckl.freeboxos.fr'
Jul 19 12:04:36 raspberrypi charon: 16[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 19 12:04:36 raspberrypi charon: 16[NET] sending packet: from 192.168.1.29[4500] to 80.12.59.253[64916] (76 bytes)

2016-07-19 12:10 GMT+02:00 Tobias Brunner <[email protected]>:
> Hi Christian,
>
>> Below the result I got by activating the loglevel "cfg 2"
>
> You set it via stroke, which is a bit late as some of the interesting
> bits would have been the messages after "received stroke: add connection
> 'BB10'", which list the settings of the loaded config. Either set the
> log level via `charondebug` or strongswan.conf (see [1]).
>
> But since you added `eap_identity` the immediate problem is now a
> different one anyway:
>
>> Jul 18 16:05:17 raspberrypi charon: 09[IKE] no private key found for
>> 'ckl.freeboxos.fr'
>> Jul 18 16:05:17 raspberrypi charon: 09[ENC] generating IKE_AUTH
>> response 1 [ N(AUTH_FAILED) ]
>
> Which makes sense as there is no certificate or private key loaded
> during startup:
>
>> Jul 18 16:04:49 raspberrypi charon: 00[CFG] loading secrets from
>> '/etc/ipsec.secrets'
>> Jul 18 16:04:49 raspberrypi charon: 00[CFG] expanding file expression
>> '/var/lib/strongswan/ipsec.secrets.inc' failed
>> Jul 18 16:04:49 raspberrypi charon: 00[CFG] loaded IKE secret for %any
>> Jul 18 16:04:49 raspberrypi charon: 00[CFG] loaded EAP secret for alice
>> ...
>> Jul 18 16:04:49 raspberrypi charon: 09[CFG] received stroke: add
>> connection 'BB10'
>> Jul 18 16:04:49 raspberrypi charon: 09[CFG] adding virtual IP address
>> pool 10.0.0.0/16
>> Jul 18 16:04:49 raspberrypi charon: 09[CFG] added configuration 'BB10'
>
> Refer to [2] for an example using a similar setup (with configs and logs
> etc. to compare to, but please read [3]). The how-to at [4] describes a
> simple way to create keys and certificates, if you haven't done so yet.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
> [2] https://www.strongswan.org/testing/testresults/ikev2/rw-eap-md5-rsa/
> [3] https://wiki.strongswan.org/projects/strongswan/wiki/ConfigurationExamplesNotes
> [4] https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
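The log above shows the pattern Tobias points at: `rightauth=eap-mschapv2` is loaded, only an IKE secret and an EAP secret are loaded from ipsec.secrets, and IKE_AUTH then fails with "no private key found" because IKEv2 requires the responder to authenticate itself with a certificate whenever the client authenticates with EAP (leftauth defaults to pubkey). The following is an added triage script, not part of this thread and not strongSwan code: it parses charon log lines of the shape `charon: NN[GROUP] message`, collects the loaded secrets, per-conn settings and key lookups, and reports the mismatch. The sample log is a constructed excerpt modelled on the one quoted above; the "loaded RSA private key from" pattern is the message charon emits when ipsec.secrets does carry a key.

```python
"""Triage charon (strongSwan) logs for the 'no private key found' failure."""
import re
from dataclasses import dataclass, field

# Constructed sample input, modelled on the charon output quoted in this thread
# (an excerpt, not a verbatim copy).
SAMPLE_LOG = """\
Jul 19 12:04:10 raspberrypi charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 19 12:04:10 raspberrypi charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Jul 19 12:04:10 raspberrypi charon: 00[CFG] loaded IKE secret for %any
Jul 19 12:04:10 raspberrypi charon: 00[CFG] loaded EAP secret for alice
Jul 19 12:04:10 raspberrypi charon: 05[CFG] received stroke: add connection 'BB10'
Jul 19 12:04:10 raspberrypi charon: 05[CFG] conn BB10
Jul 19 12:04:10 raspberrypi charon: 05[CFG] left=%any
Jul 19 12:04:10 raspberrypi charon: 05[CFG] rightauth=eap-mschapv2
Jul 19 12:04:10 raspberrypi charon: 05[CFG] keyexchange=ikev2
Jul 19 12:04:10 raspberrypi charon: 05[CFG] added configuration 'BB10'
Jul 19 12:04:36 raspberrypi charon: 16[IKE] initiating EAP_MSCHAPV2 method (id 0x8C)
Jul 19 12:04:36 raspberrypi charon: 16[IKE] no private key found for 'ckl.freeboxos.fr'
Jul 19 12:04:36 raspberrypi charon: 16[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# Every charon line looks like "charon: <thread>[<log group>] <message>".
LINE_RE = re.compile(r"charon: \d+\[(\w+)\] (.*)$")
SECRET_RE = re.compile(r"loaded (\w+) secret for (.+)$")          # IKE / EAP / XAUTH secrets
PRIVKEY_RE = re.compile(r"loaded (\w+) private key from '(.+)'$")  # e.g. "loaded RSA private key from '...'"
CONN_RE = re.compile(r"^conn (\S+)$")
SETTING_RE = re.compile(r"^(\w+)=(.*)$")
MISSING_KEY_RE = re.compile(r"no private key found for '(.+)'$")


@dataclass
class CharonFacts:
    secrets: dict = field(default_factory=dict)       # secret type -> list of identities
    private_keys: list = field(default_factory=list)  # files a private key was loaded from
    conns: dict = field(default_factory=dict)         # conn name -> {setting: value}
    missing_keys: list = field(default_factory=list)  # identities charon found no key for
    include_failures: list = field(default_factory=list)
    auth_failed: bool = False


def parse_charon(text: str) -> CharonFacts:
    """Extract the facts needed for the diagnosis from raw charon log lines."""
    facts = CharonFacts()
    current_conn = None  # set while inside a "conn X" ... "added configuration" block
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        _group, msg = m.groups()
        if (s := SECRET_RE.match(msg)):
            facts.secrets.setdefault(s.group(1), []).append(s.group(2))
        elif (k := PRIVKEY_RE.match(msg)):
            facts.private_keys.append(k.group(2))
        elif msg.startswith("expanding file expression"):
            facts.include_failures.append(msg)
        elif (c := CONN_RE.match(msg)):
            current_conn = c.group(1)
            facts.conns.setdefault(current_conn, {})
        elif msg.startswith("added configuration"):
            current_conn = None
        elif current_conn and (st := SETTING_RE.match(msg)):
            facts.conns[current_conn][st.group(1)] = st.group(2)
        elif (mk := MISSING_KEY_RE.search(msg)):
            facts.missing_keys.append(mk.group(1))
        elif "N(AUTH_FAILED)" in msg:
            facts.auth_failed = True
    return facts


def diagnose(facts: CharonFacts) -> list:
    """Return human-readable findings; empty list means nothing recognised."""
    findings = []
    for name, cfg in facts.conns.items():
        rightauth = cfg.get("rightauth", "pubkey")
        leftauth = cfg.get("leftauth", "pubkey")  # strongSwan default when leftauth is unset
        if rightauth.startswith("eap") and leftauth == "pubkey" and not facts.private_keys:
            findings.append(
                f"conn {name}: rightauth={rightauth} requires the responder to authenticate "
                "with a certificate (leftauth defaults to pubkey), but no private key was "
                "loaded from ipsec.secrets; an IKE/EAP secret alone does not cover this")
    for ident in facts.missing_keys:
        findings.append(
            f"no private key for '{ident}': add ': RSA <keyfile>' to ipsec.secrets plus the "
            "matching leftcert, or use leftauth=psk/rightauth=psk on both peers for a "
            "certificate-free IKEv2 setup")
    for msg in facts.include_failures:
        findings.append(f"informational: {msg} (harmless if that include file does not exist)")
    if facts.auth_failed and not findings:
        findings.append("AUTH_FAILED sent but no known cause matched; raise charondebug to cfg 2")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_charon(SAMPLE_LOG)):
        print("-", finding)
```

Feed it `journalctl -u strongswan` or the syslog excerpt instead of `SAMPLE_LOG` to check a live box; the per-conn settings are only present when the log level for `cfg` is at least 2 at daemon start, which is why the script reads them from the `conn X` block rather than from ipsec.conf.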
