[vpn-help] Shrew - Strongswan connection not completed

Jeroen J.A.W. Hermans j.hermans at epsys.nl
Wed Dec 4 04:08:42 CST 2013


Hi all,

I still have not figured this out. Can anybody please have a look at the 
logs below. It would be nice to be able to use Shrew to dial into my VPN.
Thank you very much in advance.
Kind regards,

Jeroen Hermans

On 30-11-2013 13:01, Jeroen J.A.W. Hermans wrote:
> Dear all,
>
> I have a question: I have a setup with a strongswan server (version 
> 5.1) and a Shrewsoft VPN client (2.2.2). Yesterday I was able to make 
> a connection between the two, but after exporting and importing 
> (making a copy of the working config) the Shrew configuration it 
> stopped working. I am using mutual RSA keys.
> I hope someone can enlighten me as to what is going wrong here. It seems the 
> server's certificate "C=NL, ST=L, L=Panningen, O=Shoetime Retail BV, 
> CN=host.epsys.nl, E=j.hermans at epsys.nl" is not accepted by Shrew, but 
> I believe that is included in the p12 certificate rw-Jeroen.p12.
> Thank you very much for your help.
> Kind regards,
>
> Jeroen Hermans
>
>
> Strongswan config:
> config setup
>     strictcrlpolicy=no
>
> conn %default
>         rekeymargin=3m
>         keyingtries=1
>
> conn rw
>         authby=rsasig
>         leftrsasigkey=%cert
>         rightrsasigkey=%cert
>         leftcert=******.epsys.nl.2048.crt
>         auto=add
>         leftsubnet=192.168.0.0/24,10.10.20.0/24,10.10.21.0/24,10.10.22.0/24,10.10.23.0/24,10.10.24.0/24,10.10.25.0/24,10.10.26.0/24,10.10.10.0/24,192.168.51.0/24,10.10.26.64/27,194.1.1.0/24
>         right=%any
>         rightsourceip=192.168.2.0/24
>         rightsubnet=192.168.2.0/24
>         rightid="C=NL, ST=L, L=Panningen, O=Shoetime Retail BV, 
> OU=Thuiswerkers, CN=*, E=*"
>         keyingtries=3
>         keyexchange=ikev1
>         ike=aes256-sha2_256-modp2048
>         esp=aes256-sha2_256-modp2048
>
> Shrew config:
> n:network-ike-port:500
> n:client-addr-auto:0
> n:network-natt-port:4500
> n:network-natt-rate:30
> n:network-dpd-enable:1
> n:network-frag-enable:1
> n:network-frag-size:1300
> n:client-banner-enable:0
> n:network-notify-enable:1
> n:client-wins-used:0
> n:client-wins-auto:1
> n:client-dns-used:1
> n:client-dns-auto:0
> n:client-splitdns-used:0
> n:client-splitdns-auto:0
> n:phase1-dhgroup:14
> n:phase1-life-secs:86400
> n:phase1-life-kbytes:0
> n:phase2-life-secs:3600
> n:phase2-life-kbytes:0
> n:policy-list-auto:0
> n:phase1-keylen:256
> n:phase2-keylen:256
> s:network-natt-enable:enable
> s:phase2-compress:none
> s:policy-list-type:include
> s:policy-entry-network:192.168.2.0 / 255.255.255.0
> n:client-dns-suffix-auto:0
> b:auth-server-cert-data:<longcertdata>
> b:auth-client-cert-data:<long certdata>
> b:auth-client-key-data:<longcertdata>
> n:version:4
> n:network-mtu-size:1380
> n:vendor-chkpt-enable:0
> n:policy-nailed:0
> s:network-host:xxx.xxx.xxx.xxx
> s:client-auto-mode:disabled
> s:client-iface:virtual
> s:client-ip-addr:192.168.2.5
> s:client-ip-mask:255.255.255.0
> s:network-natt-mode:enable
> s:network-frag-mode:enable
> s:client-dns-addr:194.1.1.31
> s:client-dns-suffix:domain.nl
> s:auth-method:mutual-rsa
> s:ident-client-type:asn1dn
> s:ident-server-type:asn1dn
> s:auth-server-cert-name:rw-Jeroen.p12
> s:auth-client-cert-name:rw-Jeroen.p12
> s:auth-client-key-name:rw-Jeroen.p12
> s:phase1-exchange:main
> s:phase1-cipher:aes
> s:phase1-hash:sha2-256
> s:phase2-transform:esp-aes
> s:phase2-hmac:sha2-256
> s:ipcomp-transform:disabled
> n:phase2-pfsgroup:14
> s:policy-level:auto
> s:policy-list-include:192.168.0.0 / 255.255.255.0,192.168.51.0 / 
> 255.255.255.0,194.1.1.0 / 255.255.255.0,10.10.20.0 / 
> 255.255.255.0,10.10.21.0 / 255.255.255.0,10.10.22.0 / 
> 255.255.255.0,10.10.23.0 / 255.255.255.0,10.10.24.0 / 
> 255.255.255.0,10.10.25.0 / 255.255.255.0,10.10.26.0 / 255.255.255.0
> s:client-saved-username:
>
>
>
> Strongswan log:
> Nov 30 12:49:33 host charon: 02[IKE] received 
> draft-ietf-ipsec-nat-t-ike-00 vendor ID
> Nov 30 12:49:33 host charon: 02[IKE] received 
> draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> Nov 30 12:49:33 host charon: 02[IKE] received 
> draft-ietf-ipsec-nat-t-ike-03 vendor ID
> Nov 30 12:49:33 host charon: 02[IKE] received NAT-T (RFC 3947) vendor ID
> Nov 30 12:49:33 host charon: 02[IKE] received FRAGMENTATION vendor ID
> Nov 30 12:49:33 host charon: 02[IKE] received DPD vendor ID
> Nov 30 12:49:33 host charon: 02[IKE] received Cisco Unity vendor ID
> Nov 30 12:49:33 host charon: 02[IKE] xxx.xxx.xxx.xxx is initiating a 
> Main Mode IKE_SA
> Nov 30 12:49:33 host charon: 16[IKE] ignoring certificate request 
> without data
> Nov 30 12:49:33 host charon: 16[IKE] remote host is behind NAT
> Nov 30 12:49:33 host charon: 16[IKE] sending cert request for "C=NL, 
> ST=NB, L=Eindhoven, CN=Epsys 1024b CA, E=j.hermans at epsys.nl"
> Nov 30 12:49:33 host charon: 16[IKE] sending cert request for "C=NL, 
> ST=NB, L=Eindhoven, O=Epsys 2048b CA, CN=Epsys 2048b CA, 
> E=j.hermans at epsys.nl"
> Nov 30 12:49:33 host charon: 08[IKE] received end entity cert "C=NL, 
> ST=L, L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, CN=Jeroen15, 
> E=j.hermans at epsys.nl"
> Nov 30 12:49:33 host charon: 08[CFG] looking for RSA signature peer 
> configs matching yyy.yyy.yyy.yyy...xxx.xxx.xxx.xxx[C=NL, ST=L, 
> L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, CN=Jeroen15, 
> E=j.hermans at epsys.nl]
> Nov 30 12:49:33 host charon: 08[CFG] selected peer config "rw"
> Nov 30 12:49:33 host charon: 08[CFG]   using certificate "C=NL, ST=L, 
> L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, CN=Jeroen15, 
> E=j.hermans at epsys.nl"
> Nov 30 12:49:33 host charon: 08[CFG]   using trusted ca certificate 
> "C=NL, ST=NB, L=Eindhoven, O=Epsys 2048b CA, CN=Epsys 2048b CA, 
> E=j.hermans at epsys.nl"
> Nov 30 12:49:33 host charon: 08[CFG] checking certificate status of 
> "C=NL, ST=L, L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, 
> CN=Jeroen15, E=j.hermans at epsys.nl"
> Nov 30 12:49:33 host charon: 08[CFG] certificate status is not available
> Nov 30 12:49:33 host charon: 08[CFG]   reached self-signed root ca 
> with a path length of 0
> Nov 30 12:49:33 host charon: 08[IKE] authentication of 'C=NL, ST=L, 
> L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, CN=Jeroen15, 
> E=j.hermans at epsys.nl' with RSA successful
> Nov 30 12:49:33 host charon: 08[IKE] authentication of 'C=NL, ST=L, 
> L=Panningen, O=Shoetime Retail BV, CN=host.epsys.nl, 
> E=j.hermans at epsys.nl' (myself) successful
> Nov 30 12:49:33 host charon: 08[IKE] deleting duplicate IKE_SA for 
> peer 'C=NL, ST=L, L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, 
> CN=Jeroen15, E=j.hermans at epsys.nl' due to uniqueness policy
> Nov 30 12:49:33 host charon: 08[IKE] deleting IKE_SA rw[10] between 
> yyy.yyy.yyy.yyy[C=NL, ST=L, L=Panningen, O=Shoetime Retail BV, 
> CN=host.epsys.nl, E=j.hermans at epsys.nl]...xxx.xxx.xxx.xxx[C=NL, ST=L, 
> L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, CN=Jeroen15, 
> E=j.hermans at epsys.nl]
> Nov 30 12:49:33 host charon: 08[IKE] sending DELETE for IKE_SA rw[10]
> *Nov 30 12:49:33 host charon: 08[IKE] IKE_SA rw[11] established 
> between yyy.yyy.yyy.yyy[C=NL, ST=L, L=Panningen, O=Shoetime Retail BV, 
> CN=host.epsys.nl, E=j.hermans at epsys.nl]...xxx.xxx.xxx.xxx[C=NL, ST=L, 
> L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, CN=Jeroen15, 
> E=j.hermans at epsys.nl]*
> Nov 30 12:49:33 host charon: 08[IKE] scheduling reauthentication in 10559s
> Nov 30 12:49:33 host charon: 08[IKE] maximum IKE_SA lifetime 10739s
> Nov 30 12:49:33 host charon: 08[IKE] sending end entity cert "C=NL, 
> ST=L, L=Panningen, O=Shoetime Retail BV, CN=host.epsys.nl, 
> E=j.hermans at epsys.nl"
>
> Shrew log:
> 13/11/30 12:49:32 ii : ipc client process thread begin ...
> 13/11/30 12:49:32 <A : peer config add message
> 13/11/30 12:49:32 <A : proposal config message
> 13/11/30 12:49:32 <A : proposal config message
> 13/11/30 12:49:32 <A : client config message
> 13/11/30 12:49:32 <A : remote certificate data message
> 13/11/30 12:49:32 !! : libeay : .\crypto\pkcs12\p12_kiss.c:110
> 13/11/30 12:49:32 !! : error:23076071:PKCS12 routines:PKCS12_parse:mac 
> verify failure
> 13/11/30 12:49:32 !! : remote certificate read failed, requesting password
> 13/11/30 12:49:34 <A : file password
> 13/11/30 12:49:34 <A : remote certificate data message
> 13/11/30 12:49:34 ii : remote certificate read complete ( 991 bytes )
> 13/11/30 12:49:34 <A : local certificate data message
> 13/11/30 12:49:34 ii : local certificate read complete ( 1046 bytes )
> 13/11/30 12:49:34 <A : local key data message
> 13/11/30 12:49:34 ii : local key read complete ( 1192 bytes )
> 13/11/30 12:49:34 <A : remote resource message
> 13/11/30 12:49:34 <A : remote resource message
> 13/11/30 12:49:34 <A : remote resource message
> 13/11/30 12:49:34 <A : remote resource message
> 13/11/30 12:49:34 <A : remote resource message
> 13/11/30 12:49:34 <A : remote resource message
> 13/11/30 12:49:34 <A : remote resource message
> 13/11/30 12:49:34 <A : remote resource message
> 13/11/30 12:49:34 <A : remote resource message
> 13/11/30 12:49:34 <A : remote resource message
> 13/11/30 12:49:34 <A : peer tunnel enable message
> 13/11/30 12:49:34 DB : peer ref increment ( ref count = 1, obj count = 0 )
> 13/11/30 12:49:34 DB : peer added ( obj count = 1 )
> 13/11/30 12:49:34 ii : local address 10.1.2.22 selected for peer
> 13/11/30 12:49:34 DB : peer ref increment ( ref count = 2, obj count = 1 )
> 13/11/30 12:49:34 DB : tunnel ref increment ( ref count = 1, obj count 
> = 0 )
> 13/11/30 12:49:34 DB : tunnel added ( obj count = 1 )
> 13/11/30 12:49:34 DB : tunnel ref increment ( ref count = 2, obj count 
> = 1 )
> 13/11/30 12:49:34 ii : obtained x509 cert subject ( 154 bytes )
> 13/11/30 12:49:34 DB : new phase1 ( ISAKMP initiator )
> 13/11/30 12:49:34 DB : exchange type is identity protect
> 13/11/30 12:49:34 DB : 10.1.2.22:500 <-> yyy.yyy.yyy.yyy:500
> 13/11/30 12:49:34 DB : 83210a938f80ad18:0000000000000000
> 13/11/30 12:49:34 DB : phase1 ref increment ( ref count = 1, obj count 
> = 0 )
> 13/11/30 12:49:34 DB : phase1 added ( obj count = 1 )
> 13/11/30 12:49:34 >> : security association payload
> 13/11/30 12:49:34 >> : - proposal #1 payload
> 13/11/30 12:49:34 >> : -- transform #1 payload
> 13/11/30 12:49:34 >> : vendor id payload
> 13/11/30 12:49:34 ii : local supports nat-t ( draft v00 )
> 13/11/30 12:49:34 >> : vendor id payload
> 13/11/30 12:49:34 ii : local supports nat-t ( draft v01 )
> 13/11/30 12:49:34 >> : vendor id payload
> 13/11/30 12:49:34 ii : local supports nat-t ( draft v02 )
> 13/11/30 12:49:34 >> : vendor id payload
> 13/11/30 12:49:34 ii : local supports nat-t ( draft v03 )
> 13/11/30 12:49:34 >> : vendor id payload
> 13/11/30 12:49:34 ii : local supports nat-t ( rfc )
> 13/11/30 12:49:34 >> : vendor id payload
> 13/11/30 12:49:34 ii : local supports FRAGMENTATION
> 13/11/30 12:49:34 >> : vendor id payload
> 13/11/30 12:49:34 >> : vendor id payload
> 13/11/30 12:49:34 ii : local supports DPDv1
> 13/11/30 12:49:34 >> : vendor id payload
> 13/11/30 12:49:34 ii : local is SHREW SOFT compatible
> 13/11/30 12:49:34 >> : vendor id payload
> 13/11/30 12:49:34 ii : local is NETSCREEN compatible
> 13/11/30 12:49:34 >> : vendor id payload
> 13/11/30 12:49:34 ii : local is SIDEWINDER compatible
> 13/11/30 12:49:34 >> : vendor id payload
> 13/11/30 12:49:34 ii : local is CISCO UNITY compatible
> 13/11/30 12:49:34 >= : cookies 83210a938f80ad18:0000000000000000
> 13/11/30 12:49:34 >= : message 00000000
> 13/11/30 12:49:34 -> : send IKE packet 10.1.2.22:500 -> 
> yyy.yyy.yyy.yyy:500 ( 364 bytes )
> 13/11/30 12:49:34 DB : phase1 resend event scheduled ( ref count = 2 )
> 13/11/30 12:49:34 DB : phase1 ref decrement ( ref count = 1, obj count 
> = 1 )
> 13/11/30 12:49:34 <- : recv IKE packet yyy.yyy.yyy.yyy:500 -> 
> 10.1.2.22:500 ( 140 bytes )
> 13/11/30 12:49:34 DB : phase1 found
> 13/11/30 12:49:34 DB : phase1 ref increment ( ref count = 2, obj count 
> = 1 )
> 13/11/30 12:49:34 ii : processing phase1 packet ( 140 bytes )
> 13/11/30 12:49:34 =< : cookies 83210a938f80ad18:0148266b38ba27a2
> 13/11/30 12:49:34 =< : message 00000000
> 13/11/30 12:49:34 << : security association payload
> 13/11/30 12:49:34 << : - propsal #1 payload
> 13/11/30 12:49:34 << : -- transform #1 payload
> 13/11/30 12:49:34 ii : matched isakmp proposal #1 transform #1
> 13/11/30 12:49:34 ii : - transform    = ike
> 13/11/30 12:49:34 ii : - cipher type  = aes
> 13/11/30 12:49:34 ii : - key length   = 256 bits
> 13/11/30 12:49:34 ii : - hash type    = sha2-256
> 13/11/30 12:49:34 ii : - dh group     = group14 ( modp-2048 )
> 13/11/30 12:49:34 ii : - auth type    = sig-rsa
> 13/11/30 12:49:34 ii : - life seconds = 86400
> 13/11/30 12:49:34 ii : - life kbytes  = 0
> 13/11/30 12:49:34 << : vendor id payload
> 13/11/30 12:49:34 ii : peer supports XAUTH
> 13/11/30 12:49:34 << : vendor id payload
> 13/11/30 12:49:34 ii : peer supports DPDv1
> 13/11/30 12:49:34 << : vendor id payload
> 13/11/30 12:49:34 ii : peer supports nat-t ( rfc )
> 13/11/30 12:49:34 >> : key exchange payload
> 13/11/30 12:49:34 >> : nonce payload
> 13/11/30 12:49:34 >> : cert request payload
> 13/11/30 12:49:34 >> : nat discovery payload
> 13/11/30 12:49:34 >> : nat discovery payload
> 13/11/30 12:49:34 >= : cookies 83210a938f80ad18:0148266b38ba27a2
> 13/11/30 12:49:34 >= : message 00000000
> 13/11/30 12:49:34 DB : phase1 resend event canceled ( ref count = 1 )
> 13/11/30 12:49:34 -> : send IKE packet 10.1.2.22:500 -> 
> yyy.yyy.yyy.yyy:500 ( 417 bytes )
> 13/11/30 12:49:34 DB : phase1 resend event scheduled ( ref count = 2 )
> 13/11/30 12:49:34 DB : phase1 ref decrement ( ref count = 1, obj count 
> = 1 )
> 13/11/30 12:49:34 <- : recv IKE packet yyy.yyy.yyy.yyy:500 -> 
> 10.1.2.22:500 ( 648 bytes )
> 13/11/30 12:49:34 DB : phase1 found
> 13/11/30 12:49:34 DB : phase1 ref increment ( ref count = 2, obj count 
> = 1 )
> 13/11/30 12:49:34 ii : processing phase1 packet ( 648 bytes )
> 13/11/30 12:49:34 =< : cookies 83210a938f80ad18:0148266b38ba27a2
> 13/11/30 12:49:34 =< : message 00000000
> 13/11/30 12:49:34 << : key exchange payload
> 13/11/30 12:49:34 << : nonce payload
> 13/11/30 12:49:34 << : cert request payload
> 13/11/30 12:49:34 << : cert request payload
> 13/11/30 12:49:34 << : nat discovery payload
> 13/11/30 12:49:34 << : nat discovery payload
> 13/11/30 12:49:34 ii : nat discovery - local address is translated
> 13/11/30 12:49:34 ii : switching to src nat-t udp port 4500
> 13/11/30 12:49:34 ii : switching to dst nat-t udp port 4500
> 13/11/30 12:49:34 == : DH shared secret ( 256 bytes )
> 13/11/30 12:49:34 == : SETKEYID ( 32 bytes )
> 13/11/30 12:49:34 == : SETKEYID_d ( 32 bytes )
> 13/11/30 12:49:34 == : SETKEYID_a ( 32 bytes )
> 13/11/30 12:49:34 == : SETKEYID_e ( 32 bytes )
> 13/11/30 12:49:34 == : cipher key ( 32 bytes )
> 13/11/30 12:49:34 == : cipher iv ( 16 bytes )
> 13/11/30 12:49:34 >> : identification payload
> 13/11/30 12:49:34 >> : certificate payload
> 13/11/30 12:49:34 == : phase1 hash_i ( computed ) ( 32 bytes )
> 13/11/30 12:49:34 >> : signature payload
> 13/11/30 12:49:34 >= : cookies 83210a938f80ad18:0148266b38ba27a2
> 13/11/30 12:49:34 >= : message 00000000
> 13/11/30 12:49:34 >= : encrypt iv ( 16 bytes )
> 13/11/30 12:49:34 == : encrypt packet ( 1501 bytes )
> 13/11/30 12:49:34 == : stored iv ( 16 bytes )
> 13/11/30 12:49:34 DB : phase1 resend event canceled ( ref count = 1 )
> 13/11/30 12:49:34 -> : send NAT-T:IKE packet 10.1.2.22:4500 -> 
> yyy.yyy.yyy.yyy:4500 ( 1548 bytes )
> 13/11/30 12:49:34 ii : fragmented packet to 1514 bytes ( MTU 1500 bytes )
> 13/11/30 12:49:34 ii : fragmented packet to 82 bytes ( MTU 1500 bytes )
> 13/11/30 12:49:34 DB : phase1 ref decrement ( ref count = 0, obj count 
> = 1 )
> 13/11/30 12:49:34 <- : recv NAT-T:IKE packet yyy.yyy.yyy.yyy:4500 -> 
> 10.1.2.22:4500 ( 108 bytes )
> 13/11/30 12:49:34 DB : phase1 not found
> *13/11/30 12:49:34 ww : ike packet from yyy.yyy.yyy.yyy ignored, 
> unknown phase1 sa for peer*
> *13/11/30 12:49:34 ww : ee1cae58ae62f91e:e1270a88ddd66f06*
>
>
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> https://lists.shrew.net/mailman/listinfo/vpn-help
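The Shrew log quoted above ends with the client discarding an incoming packet because its ISAKMP cookie pair does not belong to the phase1 SA it is tracking, after an earlier PKCS#12 MAC failure on the certificate file. As an added diagnostic (not code from the original post or from the Shrew Soft project), here is a stdlib-only Python parser that runs over constructed log lines modelled on those above, records the cookie pairs of the client's own SA, reports PKCS12_parse errors, and classifies each ignored cookie pair as belonging to the client's SA or to a foreign SA; the `classify` categories and the sample cookie values are assumptions for illustration.

```python
import re

# Constructed sample modelled on the Shrew Soft client log quoted above; the
# cookie values and timestamps are illustrative, not taken from a real capture.
SAMPLE_LOG = """\
13/11/30 12:49:32 !! : error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
13/11/30 12:49:32 !! : remote certificate read failed, requesting password
13/11/30 12:49:34 >= : cookies 83210a938f80ad18:0000000000000000
13/11/30 12:49:34 =< : cookies 83210a938f80ad18:0148266b38ba27a2
13/11/30 12:49:34 >= : cookies 83210a938f80ad18:0148266b38ba27a2
13/11/30 12:49:34 DB : phase1 not found
13/11/30 12:49:34 ww : ike packet from yyy.yyy.yyy.yyy ignored, unknown phase1 sa for peer
13/11/30 12:49:34 ww : ee1cae58ae62f91e:e1270a88ddd66f06
"""

COOKIES = re.compile(r"^\S+ \S+ (?:>=|=<) : cookies ([0-9a-f]{16}):([0-9a-f]{16})$")
IGNORED = re.compile(r"^\S+ \S+ ww : ike packet from \S+ ignored, unknown phase1 sa")
BARE_PAIR = re.compile(r"^\S+ \S+ ww : ([0-9a-f]{16}):([0-9a-f]{16})$")
P12_ERR = re.compile(r"PKCS12_parse:(.*)$")

def classify(pair, known):
    if pair in known:
        return "known"                   # client tracks this SA; should not be ignored
    if any(k[0] == pair[0] for k in known):
        return "same-initiator-cookie"   # our initiator cookie, responder cookie changed
    return "foreign-sa"                  # neither cookie is ours: message about another SA

def analyse(log):
    known, pending = set(), False
    result = {"p12_errors": [], "ignored": [], "known_sas": known}
    for line in log.splitlines():
        m = COOKIES.match(line)
        if m:
            if m.group(2) != "0" * 16:   # responder cookie is zero in the first message
                known.add((m.group(1), m.group(2)))
            continue
        if IGNORED.match(line):          # the following 'ww' line carries the cookie pair
            pending = True
            continue
        m = BARE_PAIR.match(line)
        if m and pending:
            pending = False
            pair = (m.group(1), m.group(2))
            result["ignored"].append((*pair, classify(pair, known)))
            continue
        m = P12_ERR.search(line)
        if m:                            # PKCS#12 MAC check failed (e.g. wrong/empty password)
            result["p12_errors"].append(m.group(1).strip())
    return result
```

A "foreign-sa" result means the packet was not a reply to the client's own exchange; reading it next to the server log, which shows a DELETE being sent for the earlier IKE_SA rw[10], is the natural next step.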
