[vpn-help] Shrew - Strongswan connection not completed
Jeroen J.A.W. Hermans
j.hermans at epsys.nl
Sat Nov 30 06:01:50 CST 2013
Dear all,

I have a question: I have a setup with a strongswan server (version 5.1)
and a Shrewsoft VPN client (2.2.2). Yesterday I was able to make a
connection between the two, but after exporting and importing (making a
copy of the working config) the Shrew configuration, it stopped working.
I am using mutual RSA keys.

I hope someone can enlighten me as to what is going wrong here. It seems the
server's certificate "C=NL, ST=L, L=Panningen, O=Shoetime Retail BV,
CN=host.epsys.nl, E=j.hermans at epsys.nl" is not accepted by Shrew, but I
believe that is included in the p12 certificate rw-Jeroen.p12.

Thank you very much for your help.

Kind regards,
Jeroen Hermans
Strongswan config:
config setup
    strictcrlpolicy=no

conn %default
    rekeymargin=3m
    keyingtries=1

conn rw
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftcert=******.epsys.nl.2048.crt
    auto=add
    leftsubnet=192.168.0.0/24,10.10.20.0/24,10.10.21.0/24,10.10.22.0/24,10.10.23.0/24,10.10.24.0/24,10.10.25.0/24,10.10.26.0/24,10.10.10.0/24,192.168.51.0/24,10.10.26.64/27,194.1.1.0/24
    right=%any
    rightsourceip=192.168.2.0/24
    rightsubnet=192.168.2.0/24
    rightid="C=NL, ST=L, L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, CN=*, E=*"
    keyingtries=3
    keyexchange=ikev1
    ike=aes256-sha2_256-modp2048
    esp=aes256-sha2_256-modp2048

Shrew config:
n:network-ike-port:500
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:30
n:network-dpd-enable:1
n:network-frag-enable:1
n:network-frag-size:1300
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:1
n:client-dns-used:1
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:14
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-list-auto:0
n:phase1-keylen:256
n:phase2-keylen:256
s:network-natt-enable:enable
s:phase2-compress:none
s:policy-list-type:include
s:policy-entry-network:192.168.2.0 / 255.255.255.0
n:client-dns-suffix-auto:0
b:auth-server-cert-data:<longcertdata>
b:auth-client-cert-data:<long certdata>
b:auth-client-key-data:<longcertdata>
n:version:4
n:network-mtu-size:1380
n:vendor-chkpt-enable:0
n:policy-nailed:0
s:network-host:xxx.xxx.xxx.xxx
s:client-auto-mode:disabled
s:client-iface:virtual
s:client-ip-addr:192.168.2.5
s:client-ip-mask:255.255.255.0
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-dns-addr:194.1.1.31
s:client-dns-suffix:domain.nl
s:auth-method:mutual-rsa
s:ident-client-type:asn1dn
s:ident-server-type:asn1dn
s:auth-server-cert-name:rw-Jeroen.p12
s:auth-client-cert-name:rw-Jeroen.p12
s:auth-client-key-name:rw-Jeroen.p12
s:phase1-exchange:main
s:phase1-cipher:aes
s:phase1-hash:sha2-256
s:phase2-transform:esp-aes
s:phase2-hmac:sha2-256
s:ipcomp-transform:disabled
n:phase2-pfsgroup:14
s:policy-level:auto
s:policy-list-include:192.168.0.0 / 255.255.255.0,192.168.51.0 / 255.255.255.0,194.1.1.0 / 255.255.255.0,10.10.20.0 / 255.255.255.0,10.10.21.0 / 255.255.255.0,10.10.22.0 / 255.255.255.0,10.10.23.0 / 255.255.255.0,10.10.24.0 / 255.255.255.0,10.10.25.0 / 255.255.255.0,10.10.26.0 / 255.255.255.0
s:client-saved-username:
Strongswan log:
Nov 30 12:49:33 host charon: 02[IKE] received
draft-ietf-ipsec-nat-t-ike-00 vendor ID
Nov 30 12:49:33 host charon: 02[IKE] received
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Nov 30 12:49:33 host charon: 02[IKE] received
draft-ietf-ipsec-nat-t-ike-03 vendor ID
Nov 30 12:49:33 host charon: 02[IKE] received NAT-T (RFC 3947) vendor ID
Nov 30 12:49:33 host charon: 02[IKE] received FRAGMENTATION vendor ID
Nov 30 12:49:33 host charon: 02[IKE] received DPD vendor ID
Nov 30 12:49:33 host charon: 02[IKE] received Cisco Unity vendor ID
Nov 30 12:49:33 host charon: 02[IKE] xxx.xxx.xxx.xxx is initiating a
Main Mode IKE_SA
Nov 30 12:49:33 host charon: 16[IKE] ignoring certificate request
without data
Nov 30 12:49:33 host charon: 16[IKE] remote host is behind NAT
Nov 30 12:49:33 host charon: 16[IKE] sending cert request for "C=NL,
ST=NB, L=Eindhoven, CN=Epsys 1024b CA, E=j.hermans at epsys.nl"
Nov 30 12:49:33 host charon: 16[IKE] sending cert request for "C=NL,
ST=NB, L=Eindhoven, O=Epsys 2048b CA, CN=Epsys 2048b CA,
E=j.hermans at epsys.nl"
Nov 30 12:49:33 host charon: 08[IKE] received end entity cert "C=NL,
ST=L, L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, CN=Jeroen15,
E=j.hermans at epsys.nl"
Nov 30 12:49:33 host charon: 08[CFG] looking for RSA signature peer
configs matching yyy.yyy.yyy.yyy...xxx.xxx.xxx.xxx[C=NL, ST=L,
L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, CN=Jeroen15,
E=j.hermans at epsys.nl]
Nov 30 12:49:33 host charon: 08[CFG] selected peer config "rw"
Nov 30 12:49:33 host charon: 08[CFG] using certificate "C=NL, ST=L,
L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, CN=Jeroen15,
E=j.hermans at epsys.nl"
Nov 30 12:49:33 host charon: 08[CFG] using trusted ca certificate
"C=NL, ST=NB, L=Eindhoven, O=Epsys 2048b CA, CN=Epsys 2048b CA,
E=j.hermans at epsys.nl"
Nov 30 12:49:33 host charon: 08[CFG] checking certificate status of
"C=NL, ST=L, L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers,
CN=Jeroen15, E=j.hermans at epsys.nl"
Nov 30 12:49:33 host charon: 08[CFG] certificate status is not available
Nov 30 12:49:33 host charon: 08[CFG] reached self-signed root ca with
a path length of 0
Nov 30 12:49:33 host charon: 08[IKE] authentication of 'C=NL, ST=L,
L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, CN=Jeroen15,
E=j.hermans at epsys.nl' with RSA successful
Nov 30 12:49:33 host charon: 08[IKE] authentication of 'C=NL, ST=L,
L=Panningen, O=Shoetime Retail BV, CN=host.epsys.nl,
E=j.hermans at epsys.nl' (myself) successful
Nov 30 12:49:33 host charon: 08[IKE] deleting duplicate IKE_SA for peer
'C=NL, ST=L, L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers,
CN=Jeroen15, E=j.hermans at epsys.nl' due to uniqueness policy
Nov 30 12:49:33 host charon: 08[IKE] deleting IKE_SA rw[10] between
yyy.yyy.yyy.yyy[C=NL, ST=L, L=Panningen, O=Shoetime Retail BV,
CN=host.epsys.nl, E=j.hermans at epsys.nl]...xxx.xxx.xxx.xxx[C=NL, ST=L,
L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, CN=Jeroen15,
E=j.hermans at epsys.nl]
Nov 30 12:49:33 host charon: 08[IKE] sending DELETE for IKE_SA rw[10]
*Nov 30 12:49:33 host charon: 08[IKE] IKE_SA rw[11] established between
yyy.yyy.yyy.yyy[C=NL, ST=L, L=Panningen, O=Shoetime Retail BV,
CN=host.epsys.nl, E=j.hermans at epsys.nl]...xxx.xxx.xxx.xxx[C=NL, ST=L,
L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, CN=Jeroen15,
E=j.hermans at epsys.nl]*
Nov 30 12:49:33 host charon: 08[IKE] scheduling reauthentication in 10559s
Nov 30 12:49:33 host charon: 08[IKE] maximum IKE_SA lifetime 10739s
Nov 30 12:49:33 host charon: 08[IKE] sending end entity cert "C=NL,
ST=L, L=Panningen, O=Shoetime Retail BV, CN=host.epsys.nl,
E=j.hermans at epsys.nl"
Shrew log:
13/11/30 12:49:32 ii : ipc client process thread begin ...
13/11/30 12:49:32 <A : peer config add message
13/11/30 12:49:32 <A : proposal config message
13/11/30 12:49:32 <A : proposal config message
13/11/30 12:49:32 <A : client config message
13/11/30 12:49:32 <A : remote certificate data message
13/11/30 12:49:32 !! : libeay : .\crypto\pkcs12\p12_kiss.c:110
13/11/30 12:49:32 !! : error:23076071:PKCS12 routines:PKCS12_parse:mac
verify failure
13/11/30 12:49:32 !! : remote certificate read failed, requesting password
13/11/30 12:49:34 <A : file password
13/11/30 12:49:34 <A : remote certificate data message
13/11/30 12:49:34 ii : remote certificate read complete ( 991 bytes )
13/11/30 12:49:34 <A : local certificate data message
13/11/30 12:49:34 ii : local certificate read complete ( 1046 bytes )
13/11/30 12:49:34 <A : local key data message
13/11/30 12:49:34 ii : local key read complete ( 1192 bytes )
13/11/30 12:49:34 <A : remote resource message
13/11/30 12:49:34 <A : remote resource message
13/11/30 12:49:34 <A : remote resource message
13/11/30 12:49:34 <A : remote resource message
13/11/30 12:49:34 <A : remote resource message
13/11/30 12:49:34 <A : remote resource message
13/11/30 12:49:34 <A : remote resource message
13/11/30 12:49:34 <A : remote resource message
13/11/30 12:49:34 <A : remote resource message
13/11/30 12:49:34 <A : remote resource message
13/11/30 12:49:34 <A : peer tunnel enable message
13/11/30 12:49:34 DB : peer ref increment ( ref count = 1, obj count = 0 )
13/11/30 12:49:34 DB : peer added ( obj count = 1 )
13/11/30 12:49:34 ii : local address 10.1.2.22 selected for peer
13/11/30 12:49:34 DB : peer ref increment ( ref count = 2, obj count = 1 )
13/11/30 12:49:34 DB : tunnel ref increment ( ref count = 1, obj count = 0 )
13/11/30 12:49:34 DB : tunnel added ( obj count = 1 )
13/11/30 12:49:34 DB : tunnel ref increment ( ref count = 2, obj count = 1 )
13/11/30 12:49:34 ii : obtained x509 cert subject ( 154 bytes )
13/11/30 12:49:34 DB : new phase1 ( ISAKMP initiator )
13/11/30 12:49:34 DB : exchange type is identity protect
13/11/30 12:49:34 DB : 10.1.2.22:500 <-> yyy.yyy.yyy.yyy:500
13/11/30 12:49:34 DB : 83210a938f80ad18:0000000000000000
13/11/30 12:49:34 DB : phase1 ref increment ( ref count = 1, obj count = 0 )
13/11/30 12:49:34 DB : phase1 added ( obj count = 1 )
13/11/30 12:49:34 >> : security association payload
13/11/30 12:49:34 >> : - proposal #1 payload
13/11/30 12:49:34 >> : -- transform #1 payload
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 ii : local supports nat-t ( draft v00 )
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 ii : local supports nat-t ( draft v01 )
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 ii : local supports nat-t ( draft v02 )
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 ii : local supports nat-t ( draft v03 )
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 ii : local supports nat-t ( rfc )
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 ii : local supports FRAGMENTATION
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 ii : local supports DPDv1
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 ii : local is SHREW SOFT compatible
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 ii : local is NETSCREEN compatible
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 ii : local is SIDEWINDER compatible
13/11/30 12:49:34 >> : vendor id payload
13/11/30 12:49:34 ii : local is CISCO UNITY compatible
13/11/30 12:49:34 >= : cookies 83210a938f80ad18:0000000000000000
13/11/30 12:49:34 >= : message 00000000
13/11/30 12:49:34 -> : send IKE packet 10.1.2.22:500 ->
yyy.yyy.yyy.yyy:500 ( 364 bytes )
13/11/30 12:49:34 DB : phase1 resend event scheduled ( ref count = 2 )
13/11/30 12:49:34 DB : phase1 ref decrement ( ref count = 1, obj count = 1 )
13/11/30 12:49:34 <- : recv IKE packet yyy.yyy.yyy.yyy:500 ->
10.1.2.22:500 ( 140 bytes )
13/11/30 12:49:34 DB : phase1 found
13/11/30 12:49:34 DB : phase1 ref increment ( ref count = 2, obj count = 1 )
13/11/30 12:49:34 ii : processing phase1 packet ( 140 bytes )
13/11/30 12:49:34 =< : cookies 83210a938f80ad18:0148266b38ba27a2
13/11/30 12:49:34 =< : message 00000000
13/11/30 12:49:34 << : security association payload
13/11/30 12:49:34 << : - propsal #1 payload
13/11/30 12:49:34 << : -- transform #1 payload
13/11/30 12:49:34 ii : matched isakmp proposal #1 transform #1
13/11/30 12:49:34 ii : - transform = ike
13/11/30 12:49:34 ii : - cipher type = aes
13/11/30 12:49:34 ii : - key length = 256 bits
13/11/30 12:49:34 ii : - hash type = sha2-256
13/11/30 12:49:34 ii : - dh group = group14 ( modp-2048 )
13/11/30 12:49:34 ii : - auth type = sig-rsa
13/11/30 12:49:34 ii : - life seconds = 86400
13/11/30 12:49:34 ii : - life kbytes = 0
13/11/30 12:49:34 << : vendor id payload
13/11/30 12:49:34 ii : peer supports XAUTH
13/11/30 12:49:34 << : vendor id payload
13/11/30 12:49:34 ii : peer supports DPDv1
13/11/30 12:49:34 << : vendor id payload
13/11/30 12:49:34 ii : peer supports nat-t ( rfc )
13/11/30 12:49:34 >> : key exchange payload
13/11/30 12:49:34 >> : nonce payload
13/11/30 12:49:34 >> : cert request payload
13/11/30 12:49:34 >> : nat discovery payload
13/11/30 12:49:34 >> : nat discovery payload
13/11/30 12:49:34 >= : cookies 83210a938f80ad18:0148266b38ba27a2
13/11/30 12:49:34 >= : message 00000000
13/11/30 12:49:34 DB : phase1 resend event canceled ( ref count = 1 )
13/11/30 12:49:34 -> : send IKE packet 10.1.2.22:500 ->
yyy.yyy.yyy.yyy:500 ( 417 bytes )
13/11/30 12:49:34 DB : phase1 resend event scheduled ( ref count = 2 )
13/11/30 12:49:34 DB : phase1 ref decrement ( ref count = 1, obj count = 1 )
13/11/30 12:49:34 <- : recv IKE packet yyy.yyy.yyy.yyy:500 ->
10.1.2.22:500 ( 648 bytes )
13/11/30 12:49:34 DB : phase1 found
13/11/30 12:49:34 DB : phase1 ref increment ( ref count = 2, obj count = 1 )
13/11/30 12:49:34 ii : processing phase1 packet ( 648 bytes )
13/11/30 12:49:34 =< : cookies 83210a938f80ad18:0148266b38ba27a2
13/11/30 12:49:34 =< : message 00000000
13/11/30 12:49:34 << : key exchange payload
13/11/30 12:49:34 << : nonce payload
13/11/30 12:49:34 << : cert request payload
13/11/30 12:49:34 << : cert request payload
13/11/30 12:49:34 << : nat discovery payload
13/11/30 12:49:34 << : nat discovery payload
13/11/30 12:49:34 ii : nat discovery - local address is translated
13/11/30 12:49:34 ii : switching to src nat-t udp port 4500
13/11/30 12:49:34 ii : switching to dst nat-t udp port 4500
13/11/30 12:49:34 == : DH shared secret ( 256 bytes )
13/11/30 12:49:34 == : SETKEYID ( 32 bytes )
13/11/30 12:49:34 == : SETKEYID_d ( 32 bytes )
13/11/30 12:49:34 == : SETKEYID_a ( 32 bytes )
13/11/30 12:49:34 == : SETKEYID_e ( 32 bytes )
13/11/30 12:49:34 == : cipher key ( 32 bytes )
13/11/30 12:49:34 == : cipher iv ( 16 bytes )
13/11/30 12:49:34 >> : identification payload
13/11/30 12:49:34 >> : certificate payload
13/11/30 12:49:34 == : phase1 hash_i ( computed ) ( 32 bytes )
13/11/30 12:49:34 >> : signature payload
13/11/30 12:49:34 >= : cookies 83210a938f80ad18:0148266b38ba27a2
13/11/30 12:49:34 >= : message 00000000
13/11/30 12:49:34 >= : encrypt iv ( 16 bytes )
13/11/30 12:49:34 == : encrypt packet ( 1501 bytes )
13/11/30 12:49:34 == : stored iv ( 16 bytes )
13/11/30 12:49:34 DB : phase1 resend event canceled ( ref count = 1 )
13/11/30 12:49:34 -> : send NAT-T:IKE packet 10.1.2.22:4500 ->
yyy.yyy.yyy.yyy:4500 ( 1548 bytes )
13/11/30 12:49:34 ii : fragmented packet to 1514 bytes ( MTU 1500 bytes )
13/11/30 12:49:34 ii : fragmented packet to 82 bytes ( MTU 1500 bytes )
13/11/30 12:49:34 DB : phase1 ref decrement ( ref count = 0, obj count = 1 )
13/11/30 12:49:34 <- : recv NAT-T:IKE packet yyy.yyy.yyy.yyy:4500 ->
10.1.2.22:4500 ( 108 bytes )
13/11/30 12:49:34 DB : phase1 not found
*13/11/30 12:49:34 ww : ike packet from yyy.yyy.yyy.yyy ignored, unknown
phase1 sa for peer**
*13/11/30 12:49:34 ww : ee1cae58ae62f91e:e1270a88ddd66f06
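
The Shrew log above ends with a packet ignored for an unknown phase1 SA. As an added example (not part of the original post, and not Shrew or strongSwan code), this Python script rejoins the mail-wrapped log records and checks whether the ignored packet's cookies belong to any phase1 exchange the client logged. The function names are hypothetical; the sample is an excerpt of the log lines above.

```python
import re

# Excerpt of the Shrew log above, including the mail wrapping and "*" emphasis.
SAMPLE_LOG = """\
13/11/30 12:49:34 >= : cookies 83210a938f80ad18:0000000000000000
13/11/30 12:49:34 =< : cookies 83210a938f80ad18:0148266b38ba27a2
13/11/30 12:49:34 >= : cookies 83210a938f80ad18:0148266b38ba27a2
13/11/30 12:49:34 <- : recv NAT-T:IKE packet yyy.yyy.yyy.yyy:4500 ->
10.1.2.22:4500 ( 108 bytes )
13/11/30 12:49:34 DB : phase1 not found
*13/11/30 12:49:34 ww : ike packet from yyy.yyy.yyy.yyy ignored, unknown
phase1 sa for peer**
*13/11/30 12:49:34 ww : ee1cae58ae62f91e:e1270a88ddd66f06
"""

# timestamp, two-character record tag, message text
TS = re.compile(r"^\*?(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\S\S) : (.*)$")
# IKEv1 cookie pair: initiator:responder, 8 bytes each in hex
COOKIES = re.compile(r"\b([0-9a-f]{16}):([0-9a-f]{16})\b")

def unwrap(text):
    """Rejoin records that the mail client wrapped onto a second line."""
    records = []
    for line in text.splitlines():
        line = line.rstrip("*").rstrip()
        m = TS.match(line)
        if m:
            records.append(list(m.groups()))
        elif records and line.strip():
            records[-1][2] += " " + line.strip()   # continuation of previous record
    return records

def orphan_packets(text):
    """Return (timestamp, cookies, initiator_known) for each ignored packet."""
    known = set()    # cookie pairs of exchanges the client sent or accepted
    pending = None   # timestamp of a warning still waiting for its cookie line
    findings = []
    for ts, tag, msg in unwrap(text):
        m = COOKIES.search(msg)
        if tag in (">=", "=<") and msg.startswith("cookies") and m:
            known.add(m.groups())
        elif tag == "ww" and "unknown phase1 sa" in msg:
            pending = ts
        elif tag == "ww" and pending and m:
            initiator_known = any(m.group(1) == i for i, _ in known)
            findings.append((pending, ":".join(m.groups()), initiator_known))
            pending = None
    return findings

if __name__ == "__main__":
    for finding in orphan_packets(SAMPLE_LOG):
        print(finding)
```

On the excerpt it reports ee1cae58ae62f91e:e1270a88ddd66f06 with an initiator cookie that appears in none of the logged exchanges, so the ignored packet belongs to a different IKE_SA than the 83210a938f80ad18 exchange in progress.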