[vpn-help] Shrew - Strongswan connection not completed

Jeroen J.A.W. Hermans j.hermans at epsys.nl
Sat Nov 30 06:01:50 CST 2013 

Dear all,

I have a question: i have a setup with a strongswan server (version 5.1) 
and a Shrewsoft VPN client (2.2.2). Yesterday i was able to make a 
connection between the two, but after exporting and importing (making a 
copy of the working config) the Shrew configuration it stopped working. 
I am using mutual RSA keys.
I hope someone can enlighten me what is going wrong here. It seems the 
server's certificate "C=NL, ST=L, L=Panningen, O=Shoetime Retail BV, 
CN=host.epsys.nl, E=j.hermans at epsys.nl" is not accepted by Shrew, but i 
believe that is included in the p12 certificate rw-Jeroen.p12
Thank you very much for your help.
Kind regards,

Jeroen Hermans


Strongswan config:
config setup
     strictcrlpolicy=no

conn %default
         rekeymargin=3m
         keyingtries=1

conn rw
         authby=rsasig
         leftrsasigkey=%cert
         rightrsasigkey=%cert
         leftcert=******.epsys.nl.2048.crt
         auto=add
leftsubnet=192.168.0.0/24,10.10.20.0/24,10.10.21.0/24,10.10.22.0/24,10.10.23.0/24,10.10.24.0/24,10.10.25.0/24,10.10.26.0/24,10.10.10.0/24,192.168.51.0/24,10.10.26.64/27,194.1.1.0/24
         right=%any
         rightsourceip=192.168.2.0/24
         rightsubnet=192.168.2.0/24
         rightid="C=NL, ST=L, L=Panningen, O=Shoetime Retail BV, 
OU=Thuiswerkers, CN=*, E=*"
         keyingtries=3
         keyexchange=ikev1
         ike=aes256-sha2_256-modp2048
         esp=aes256-sha2_256-modp2048

Shrew config:
n:network-ike-port:500
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:30
n:network-dpd-enable:1
n:network-frag-enable:1
n:network-frag-size:1300
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:1
n:client-dns-used:1
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:14
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-list-auto:0
n:phase1-keylen:256
n:phase2-keylen:256
s:network-natt-enable:enable
s:phase2-compress:none
s:policy-list-type:include
s:policy-entry-network:192.168.2.0 / 255.255.255.0
n:client-dns-suffix-auto:0
b:auth-server-cert-data:<longcertdata>
b:auth-client-cert-data:<long certdata>
b:auth-client-key-data:<longcertdata>
n:version:4
n:network-mtu-size:1380
n:vendor-chkpt-enable:0
n:policy-nailed:0
s:network-host:xxx.xxx.xxx.xxx
s:client-auto-mode:disabled
s:client-iface:virtual
s:client-ip-addr:192.168.2.5
s:client-ip-mask:255.255.255.0
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-dns-addr:194.1.1.31
s:client-dns-suffix:domain.nl
s:auth-method:mutual-rsa
s:ident-client-type:asn1dn
s:ident-server-type:asn1dn
s:auth-server-cert-name:rw-Jeroen.p12
s:auth-client-cert-name:rw-Jeroen.p12
s:auth-client-key-name:rw-Jeroen.p12
s:phase1-exchange:main
s:phase1-cipher:aes
s:phase1-hash:sha2-256
s:phase2-transform:esp-aes
s:phase2-hmac:sha2-256
s:ipcomp-transform:disabled
n:phase2-pfsgroup:14
s:policy-level:auto
s:policy-list-include:192.168.0.0 / 255.255.255.0,192.168.51.0 / 
255.255.255.0,194.1.1.0 / 255.255.255.0,10.10.20.0 / 
255.255.255.0,10.10.21.0 / 255.255.255.0,10.10.22.0 / 
255.255.255.0,10.10.23.0 / 255.255.255.0,10.10.24.0 / 
255.255.255.0,10.10.25.0 / 255.255.255.0,10.10.26.0 / 255.255.255.0
s:client-saved-username:



Strongswan log:
Nov 30 12:49:33 host charon: 02[IKE] received 
draft-ietf-ipsec-nat-t-ike-00 vendor ID
Nov 30 12:49:33 host charon: 02[IKE] received 
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Nov 30 12:49:33 host charon: 02[IKE] received 
draft-ietf-ipsec-nat-t-ike-03 vendor ID
Nov 30 12:49:33 host charon: 02[IKE] received NAT-T (RFC 3947) vendor ID
Nov 30 12:49:33 host charon: 02[IKE] received FRAGMENTATION vendor ID
Nov 30 12:49:33 host charon: 02[IKE] received DPD vendor ID
Nov 30 12:49:33 host charon: 02[IKE] received Cisco Unity vendor ID
Nov 30 12:49:33 host charon: 02[IKE] xxx.xxx.xxx.xxx is initiating a 
Main Mode IKE_SA
Nov 30 12:49:33 host charon: 16[IKE] ignoring certificate request 
without data
Nov 30 12:49:33 host charon: 16[IKE] remote host is behind NAT
Nov 30 12:49:33 host charon: 16[IKE] sending cert request for "C=NL, 
ST=NB, L=Eindhoven, CN=Epsys 1024b CA, E=j.hermans at epsys.nl"
Nov 30 12:49:33 host charon: 16[IKE] sending cert request for "C=NL, 
ST=NB, L=Eindhoven, O=Epsys 2048b CA, CN=Epsys 2048b CA, 
E=j.hermans at epsys.nl"
Nov 30 12:49:33 host charon: 08[IKE] received end entity cert "C=NL, 
ST=L, L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, CN=Jeroen15, 
E=j.hermans at epsys.nl"
Nov 30 12:49:33 host charon: 08[CFG] looking for RSA signature peer 
configs matching yyy.yyy.yyy.yyy...xxx.xxx.xxx.xxx[C=NL, ST=L, 
L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, CN=Jeroen15, 
E=j.hermans at epsys.nl]
Nov 30 12:49:33 host charon: 08[CFG] selected peer config "rw"
Nov 30 12:49:33 host charon: 08[CFG]   using certificate "C=NL, ST=L, 
L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, CN=Jeroen15, 
E=j.hermans at epsys.nl"
Nov 30 12:49:33 host charon: 08[CFG]   using trusted ca certificate 
"C=NL, ST=NB, L=Eindhoven, O=Epsys 2048b CA, CN=Epsys 2048b CA, 
E=j.hermans at epsys.nl"
Nov 30 12:49:33 host charon: 08[CFG] checking certificate status of 
"C=NL, ST=L, L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, 
CN=Jeroen15, E=j.hermans at epsys.nl"
Nov 30 12:49:33 host charon: 08[CFG] certificate status is not available
Nov 30 12:49:33 host charon: 08[CFG]   reached self-signed root ca with 
a path length of 0
Nov 30 12:49:33 host charon: 08[IKE] authentication of 'C=NL, ST=L, 
L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, CN=Jeroen15, 
E=j.hermans at epsys.nl' with RSA successful
Nov 30 12:49:33 host charon: 08[IKE] authentication of 'C=NL, ST=L, 
L=Panningen, O=Shoetime Retail BV, CN=host.epsys.nl, 
E=j.hermans at epsys.nl' (myself) successful
Nov 30 12:49:33 host charon: 08[IKE] deleting duplicate IKE_SA for peer 
'C=NL, ST=L, L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, 
CN=Jeroen15, E=j.hermans at epsys.nl' due to uniqueness policy
Nov 30 12:49:33 host charon: 08[IKE] deleting IKE_SA rw[10] between 
yyy.yyy.yyy.yyy[C=NL, ST=L, L=Panningen, O=Shoetime Retail BV, 
CN=host.epsys.nl, E=j.hermans at epsys.nl]...xxx.xxx.xxx.xxx[C=NL, ST=L, 
L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, CN=Jeroen15, 
E=j.hermans at epsys.nl]
Nov 30 12:49:33 host charon: 08[IKE] sending DELETE for IKE_SA rw[10]
*Nov 30 12:49:33 host charon: 08[IKE] IKE_SA rw[11] established between 
yyy.yyy.yyy.yyy[C=NL, ST=L, L=Panningen, O=Shoetime Retail BV, 
CN=host.epsys.nl, E=j.hermans at epsys.nl]...xxx.xxx.xxx.xxx[C=NL, ST=L, 
L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, CN=Jeroen15, 
E=j.hermans at epsys.nl]*
Nov 30 12:49:33 host charon: 08[IKE] scheduling reauthentication in 10559s
Nov 30 12:49:33 host charon: 08[IKE] maximum IKE_SA lifetime 10739s
Nov 30 12:49:33 host charon: 08[IKE] sending end entity cert "C=NL, 
ST=L, L=Panningen, O=Shoetime Retail BV, CN=host.epsys.nl, 
E=j.hermans at epsys.nl"

Shrew log:
13/11/30 12:49:32 ii : ipc client process thread begin ...
13/11/30 12:49:32 <A : peer config add message
13/11/30 12:49:32 <A : proposal config message
13/11/30 12:49:32 <A : proposal config message
13/11/30 12:49:32 <A : client config message
13/11/30 12:49:32 <A : remote certificate data message
13/11/30 12:49:32 !! : libeay : .\crypto\pkcs12\p12_kiss.c:110
13/11/30 12:49:32 !! : error:23076071:PKCS12 routines:PKCS12_parse:mac 
verify failure
13/11/30 12:49:32 !! : remote certificate read failed, requesting password
13/11/30 12:49:34 <A : file password
13/11/30 12:49:34 <A : remote certificate data message
13/11/30 12:49:34 ii : remote certificate read complete ( 991 bytes )
13/11/30 12:49:34 <A : local certificate data message
13/11/30 12:49:34 ii : local certificate read complete ( 1046 bytes )
13/11/30 12:49:34 <A : local key data message
13/11/30 12:49:34 ii : local key read complete ( 1192 bytes )
13/11/30 12:49:34 <A : remote resource message
13/11/30 12:49:34 <A : remote resource message
13/11/30 12:49:34 <A : remote resource message
13/11/30 12:49:34 <A : remote resource message
13/11/30 12:49:34 <A : remote resource message
13/11/30 12:49:34 <A : remote resource message
13/11/30 12:49:34 <A : remote resource message
13/11/30 12:49:34 <A : remote resource message
13/11/30 12:49:34 <A : remote resource message
13/11/30 12:49:34 <A : remote resource message
13/11/30 12:49:34 <A : peer tunnel enable message
13/11/30 12:49:34 DB : peer ref increment ( ref count = 1, obj count = 0 )
13/11/30 12:49:34 DB : peer added ( obj count = 1 )
13/11/30 12:49:34 ii : local address 10.1.2.22 selected for peer
13/11/30 12:49:34 DB : peer ref increment ( ref count = 2, obj count = 1 )
13/11/30 12:49:34 DB : tunnel ref increment ( ref count = 1, obj count = 0 )
13/11/30 12:49:34 DB : tunnel added ( obj count = 1 )
13/11/30 12:49:34 DB : tunnel ref increment ( ref count = 2, obj count = 1 )
13/11/30 12:49:34 ii : obtained x509 cert subject ( 154 bytes )
13/11/30 12:49:34 DB : new phase1 ( ISAKMP initiator )
13/11/30 12:49:34 DB : exchange type is identity protect
13/11/30 12:49:34 DB : 10.1.2.22:500 <-> yyy.yyy.yyy.yyy:500
13/11/30 12:49:34 DB : 83210a938f80ad18:0000000000000000
13/11/30 12:49:34 DB : phase1 ref increment ( ref count = 1, obj count = 0 )
13/11/30 12:49:34 DB : phase1 added ( obj count = 1 )
13/11/30 12:49:34 >> : security association payload
13/11/30 12:49:34 >> : - proposal #1 payload
13/11/30 12:49:34 >> : -- transform #1 payload
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 ii : local supports nat-t ( draft v00 )
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 ii : local supports nat-t ( draft v01 )
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 ii : local supports nat-t ( draft v02 )
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 ii : local supports nat-t ( draft v03 )
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 ii : local supports nat-t ( rfc )
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 ii : local supports FRAGMENTATION
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 ii : local supports DPDv1
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 ii : local is SHREW SOFT compatible
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 ii : local is NETSCREEN compatible
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 ii : local is SIDEWINDER compatible
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 ii : local is CISCO UNITY compatible
13/11/30 12:49:34 >= : cookies 83210a938f80ad18:0000000000000000
13/11/30 12:49:34 >= : message 00000000
13/11/30 12:49:34 -> : send IKE packet 10.1.2.22:500 -> 
yyy.yyy.yyy.yyy:500 ( 364 bytes )
13/11/30 12:49:34 DB : phase1 resend event scheduled ( ref count = 2 )
13/11/30 12:49:34 DB : phase1 ref decrement ( ref count = 1, obj count = 1 )
13/11/30 12:49:34 <- : recv IKE packet yyy.yyy.yyy.yyy:500 -> 
10.1.2.22:500 ( 140 bytes )
13/11/30 12:49:34 DB : phase1 found
13/11/30 12:49:34 DB : phase1 ref increment ( ref count = 2, obj count = 1 )
13/11/30 12:49:34 ii : processing phase1 packet ( 140 bytes )
13/11/30 12:49:34 =< : cookies 83210a938f80ad18:0148266b38ba27a2
13/11/30 12:49:34 =< : message 00000000
13/11/30 12:49:34 << : security association payload
13/11/30 12:49:34 << : - propsal #1 payload
13/11/30 12:49:34 << : -- transform #1 payload
13/11/30 12:49:34 ii : matched isakmp proposal #1 transform #1
13/11/30 12:49:34 ii : - transform    = ike
13/11/30 12:49:34 ii : - cipher type  = aes
13/11/30 12:49:34 ii : - key length   = 256 bits
13/11/30 12:49:34 ii : - hash type    = sha2-256
13/11/30 12:49:34 ii : - dh group     = group14 ( modp-2048 )
13/11/30 12:49:34 ii : - auth type    = sig-rsa
13/11/30 12:49:34 ii : - life seconds = 86400
13/11/30 12:49:34 ii : - life kbytes  = 0
13/11/30 12:49:34 << : vendor id payload
13/11/30 12:49:34 ii : peer supports XAUTH
13/11/30 12:49:34 << : vendor id payload
13/11/30 12:49:34 ii : peer supports DPDv1
13/11/30 12:49:34 << : vendor id payload
13/11/30 12:49:34 ii : peer supports nat-t ( rfc )
13/11/30 12:49:34 >> : key exchange payload
13/11/30 12:49:34 >> : nonce payload
13/11/30 12:49:34 >> : cert request payload
13/11/30 12:49:34 >> : nat discovery payload
13/11/30 12:49:34 >> : nat discovery payload
13/11/30 12:49:34 >= : cookies 83210a938f80ad18:0148266b38ba27a2
13/11/30 12:49:34 >= : message 00000000
13/11/30 12:49:34 DB : phase1 resend event canceled ( ref count = 1 )
13/11/30 12:49:34 -> : send IKE packet 10.1.2.22:500 -> 
yyy.yyy.yyy.yyy:500 ( 417 bytes )
13/11/30 12:49:34 DB : phase1 resend event scheduled ( ref count = 2 )
13/11/30 12:49:34 DB : phase1 ref decrement ( ref count = 1, obj count = 1 )
13/11/30 12:49:34 <- : recv IKE packet yyy.yyy.yyy.yyy:500 -> 
10.1.2.22:500 ( 648 bytes )
13/11/30 12:49:34 DB : phase1 found
13/11/30 12:49:34 DB : phase1 ref increment ( ref count = 2, obj count = 1 )
13/11/30 12:49:34 ii : processing phase1 packet ( 648 bytes )
13/11/30 12:49:34 =< : cookies 83210a938f80ad18:0148266b38ba27a2
13/11/30 12:49:34 =< : message 00000000
13/11/30 12:49:34 << : key exchange payload
13/11/30 12:49:34 << : nonce payload
13/11/30 12:49:34 << : cert request payload
13/11/30 12:49:34 << : cert request payload
13/11/30 12:49:34 << : nat discovery payload
13/11/30 12:49:34 << : nat discovery payload
13/11/30 12:49:34 ii : nat discovery - local address is translated
13/11/30 12:49:34 ii : switching to src nat-t udp port 4500
13/11/30 12:49:34 ii : switching to dst nat-t udp port 4500
13/11/30 12:49:34 == : DH shared secret ( 256 bytes )
13/11/30 12:49:34 == : SETKEYID ( 32 bytes )
13/11/30 12:49:34 == : SETKEYID_d ( 32 bytes )
13/11/30 12:49:34 == : SETKEYID_a ( 32 bytes )
13/11/30 12:49:34 == : SETKEYID_e ( 32 bytes )
13/11/30 12:49:34 == : cipher key ( 32 bytes )
13/11/30 12:49:34 == : cipher iv ( 16 bytes )
13/11/30 12:49:34 >> : identification payload
13/11/30 12:49:34 >> : certificate payload
13/11/30 12:49:34 == : phase1 hash_i ( computed ) ( 32 bytes )
13/11/30 12:49:34 >> : signature payload
13/11/30 12:49:34 >= : cookies 83210a938f80ad18:0148266b38ba27a2
13/11/30 12:49:34 >= : message 00000000
13/11/30 12:49:34 >= : encrypt iv ( 16 bytes )
13/11/30 12:49:34 == : encrypt packet ( 1501 bytes )
13/11/30 12:49:34 == : stored iv ( 16 bytes )
13/11/30 12:49:34 DB : phase1 resend event canceled ( ref count = 1 )
13/11/30 12:49:34 -> : send NAT-T:IKE packet 10.1.2.22:4500 -> 
yyy.yyy.yyy.yyy:4500 ( 1548 bytes )
13/11/30 12:49:34 ii : fragmented packet to 1514 bytes ( MTU 1500 bytes )
13/11/30 12:49:34 ii : fragmented packet to 82 bytes ( MTU 1500 bytes )
13/11/30 12:49:34 DB : phase1 ref decrement ( ref count = 0, obj count = 1 )
13/11/30 12:49:34 <- : recv NAT-T:IKE packet yyy.yyy.yyy.yyy:4500 -> 
10.1.2.22:4500 ( 108 bytes )
13/11/30 12:49:34 DB : phase1 not found
*13/11/30 12:49:34 ww : ike packet from yyy.yyy.yyy.yyy ignored, unknown 
phase1 sa for peer**
*13/11/30 12:49:34 ww : ee1cae58ae62f91e:e1270a88ddd66f06
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20131130/26452823/attachment-0001.html>

More information about the vpn-help mailing list