<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Dear all,<br>
<br>
I have a question: i have a setup with a strongswan server (version
5.1) and a Shrewsoft VPN client (2.2.2). Yesterday i was able to
make a connection between the two, but after exporting and importing
(making a copy of the working config) the Shrew configuration it
stopped working. I am using mutual RSA keys.<br>
I hope someone can enlighten me what is going wrong here. It seems
the server's certificate "C=NL, ST=L, L=Panningen, O=Shoetime Retail
BV, CN=host.epsys.nl, <a class="moz-txt-link-abbreviated" href="mailto:E=j.hermans@epsys.nl">E=j.hermans@epsys.nl</a>" is not accepted by
Shrew, but i believe that is included in the p12 certificate
rw-Jeroen.p12<br>
Thank you very much for your help.<br>
Kind regards,<br>
<br>
Jeroen Hermans<br>
<br>
<br>
Strongswan config:<br>
config setup<br>
strictcrlpolicy=no<br>
<br>
conn %default<br>
rekeymargin=3m<br>
keyingtries=1<br>
<br>
conn rw<br>
authby=rsasig<br>
leftrsasigkey=%cert<br>
rightrsasigkey=%cert<br>
leftcert=******.epsys.nl.2048.crt<br>
auto=add<br>
leftsubnet=192.168.0.0/24,10.10.20.0/24,10.10.21.0/24,10.10.22.0/24,10.10.23.0/24,10.10.24.0/24,10.10.25.0/24,10.10.26.0/24,10.10.10.0/24,192.168.51.0/24,10.10.26.64/27,194.1.1.0/24<br>
right=%any<br>
rightsourceip=192.168.2.0/24<br>
rightsubnet=192.168.2.0/24<br>
rightid="C=NL, ST=L, L=Panningen, O=Shoetime Retail BV,
OU=Thuiswerkers, CN=*, E=*"<br>
keyingtries=3<br>
keyexchange=ikev1<br>
ike=aes256-sha2_256-modp2048<br>
esp=aes256-sha2_256-modp2048<br>
<br>
Shrew config:<br>
n:network-ike-port:500<br>
n:client-addr-auto:0<br>
n:network-natt-port:4500<br>
n:network-natt-rate:30<br>
n:network-dpd-enable:1<br>
n:network-frag-enable:1<br>
n:network-frag-size:1300<br>
n:client-banner-enable:0<br>
n:network-notify-enable:1<br>
n:client-wins-used:0<br>
n:client-wins-auto:1<br>
n:client-dns-used:1<br>
n:client-dns-auto:0<br>
n:client-splitdns-used:0<br>
n:client-splitdns-auto:0<br>
n:phase1-dhgroup:14<br>
n:phase1-life-secs:86400<br>
n:phase1-life-kbytes:0<br>
n:phase2-life-secs:3600<br>
n:phase2-life-kbytes:0<br>
n:policy-list-auto:0<br>
n:phase1-keylen:256<br>
n:phase2-keylen:256<br>
s:network-natt-enable:enable<br>
s:phase2-compress:none<br>
s:policy-list-type:include<br>
s:policy-entry-network:192.168.2.0 / 255.255.255.0<br>
n:client-dns-suffix-auto:0<br>
b:auth-server-cert-data:<longcertdata><br>
b:auth-client-cert-data:<long certdata><br>
b:auth-client-key-data:<longcertdata><br>
n:version:4<br>
n:network-mtu-size:1380<br>
n:vendor-chkpt-enable:0<br>
n:policy-nailed:0<br>
s:network-host:xxx.xxx.xxx.xxx<br>
s:client-auto-mode:disabled<br>
s:client-iface:virtual<br>
s:client-ip-addr:192.168.2.5<br>
s:client-ip-mask:255.255.255.0<br>
s:network-natt-mode:enable<br>
s:network-frag-mode:enable<br>
s:client-dns-addr:194.1.1.31<br>
s:client-dns-suffix:domain.nl<br>
s:auth-method:mutual-rsa<br>
s:ident-client-type:asn1dn<br>
s:ident-server-type:asn1dn<br>
s:auth-server-cert-name:rw-Jeroen.p12<br>
s:auth-client-cert-name:rw-Jeroen.p12<br>
s:auth-client-key-name:rw-Jeroen.p12<br>
s:phase1-exchange:main<br>
s:phase1-cipher:aes<br>
s:phase1-hash:sha2-256<br>
s:phase2-transform:esp-aes<br>
s:phase2-hmac:sha2-256<br>
s:ipcomp-transform:disabled<br>
n:phase2-pfsgroup:14<br>
s:policy-level:auto<br>
s:policy-list-include:192.168.0.0 / 255.255.255.0,192.168.51.0 /
255.255.255.0,194.1.1.0 / 255.255.255.0,10.10.20.0 /
255.255.255.0,10.10.21.0 / 255.255.255.0,10.10.22.0 /
255.255.255.0,10.10.23.0 / 255.255.255.0,10.10.24.0 /
255.255.255.0,10.10.25.0 / 255.255.255.0,10.10.26.0 / 255.255.255.0<br>
s:client-saved-username:<br>
<br>
<br>
<br>
Strongswan log:<br>
Nov 30 12:49:33 host charon: 02[IKE] received
draft-ietf-ipsec-nat-t-ike-00 vendor ID<br>
Nov 30 12:49:33 host charon: 02[IKE] received
draft-ietf-ipsec-nat-t-ike-02\n vendor ID<br>
Nov 30 12:49:33 host charon: 02[IKE] received
draft-ietf-ipsec-nat-t-ike-03 vendor ID<br>
Nov 30 12:49:33 host charon: 02[IKE] received NAT-T (RFC 3947)
vendor ID<br>
Nov 30 12:49:33 host charon: 02[IKE] received FRAGMENTATION vendor
ID<br>
Nov 30 12:49:33 host charon: 02[IKE] received DPD vendor ID<br>
Nov 30 12:49:33 host charon: 02[IKE] received Cisco Unity vendor ID<br>
Nov 30 12:49:33 host charon: 02[IKE] xxx.xxx.xxx.xxx is initiating a
Main Mode IKE_SA<br>
Nov 30 12:49:33 host charon: 16[IKE] ignoring certificate request
without data<br>
Nov 30 12:49:33 host charon: 16[IKE] remote host is behind NAT<br>
Nov 30 12:49:33 host charon: 16[IKE] sending cert request for "C=NL,
ST=NB, L=Eindhoven, CN=Epsys 1024b CA, <a class="moz-txt-link-abbreviated" href="mailto:E=j.hermans@epsys.nl">E=j.hermans@epsys.nl</a>"<br>
Nov 30 12:49:33 host charon: 16[IKE] sending cert request for "C=NL,
ST=NB, L=Eindhoven, O=Epsys 2048b CA, CN=Epsys 2048b CA,
<a class="moz-txt-link-abbreviated" href="mailto:E=j.hermans@epsys.nl">E=j.hermans@epsys.nl</a>"<br>
Nov 30 12:49:33 host charon: 08[IKE] received end entity cert "C=NL,
ST=L, L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers,
CN=Jeroen15, <a class="moz-txt-link-abbreviated" href="mailto:E=j.hermans@epsys.nl">E=j.hermans@epsys.nl</a>"<br>
Nov 30 12:49:33 host charon: 08[CFG] looking for RSA signature peer
configs matching yyy.yyy.yyy.yyy...xxx.xxx.xxx.xxx[C=NL, ST=L,
L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, CN=Jeroen15,
<a class="moz-txt-link-abbreviated" href="mailto:E=j.hermans@epsys.nl">E=j.hermans@epsys.nl</a>]<br>
Nov 30 12:49:33 host charon: 08[CFG] selected peer config "rw"<br>
Nov 30 12:49:33 host charon: 08[CFG] using certificate "C=NL,
ST=L, L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers,
CN=Jeroen15, <a class="moz-txt-link-abbreviated" href="mailto:E=j.hermans@epsys.nl">E=j.hermans@epsys.nl</a>"<br>
Nov 30 12:49:33 host charon: 08[CFG] using trusted ca certificate
"C=NL, ST=NB, L=Eindhoven, O=Epsys 2048b CA, CN=Epsys 2048b CA,
<a class="moz-txt-link-abbreviated" href="mailto:E=j.hermans@epsys.nl">E=j.hermans@epsys.nl</a>"<br>
Nov 30 12:49:33 host charon: 08[CFG] checking certificate status of
"C=NL, ST=L, L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers,
CN=Jeroen15, <a class="moz-txt-link-abbreviated" href="mailto:E=j.hermans@epsys.nl">E=j.hermans@epsys.nl</a>"<br>
Nov 30 12:49:33 host charon: 08[CFG] certificate status is not
available<br>
Nov 30 12:49:33 host charon: 08[CFG] reached self-signed root ca
with a path length of 0<br>
Nov 30 12:49:33 host charon: 08[IKE] authentication of 'C=NL, ST=L,
L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers, CN=Jeroen15,
<a class="moz-txt-link-abbreviated" href="mailto:E=j.hermans@epsys.nl">E=j.hermans@epsys.nl</a>' with RSA successful<br>
Nov 30 12:49:33 host charon: 08[IKE] authentication of 'C=NL, ST=L,
L=Panningen, O=Shoetime Retail BV, CN=host.epsys.nl,
<a class="moz-txt-link-abbreviated" href="mailto:E=j.hermans@epsys.nl">E=j.hermans@epsys.nl</a>' (myself) successful<br>
Nov 30 12:49:33 host charon: 08[IKE] deleting duplicate IKE_SA for
peer 'C=NL, ST=L, L=Panningen, O=Shoetime Retail BV,
OU=Thuiswerkers, CN=Jeroen15, <a class="moz-txt-link-abbreviated" href="mailto:E=j.hermans@epsys.nl">E=j.hermans@epsys.nl</a>' due to
uniqueness policy<br>
Nov 30 12:49:33 host charon: 08[IKE] deleting IKE_SA rw[10] between
yyy.yyy.yyy.yyy[C=NL, ST=L, L=Panningen, O=Shoetime Retail BV,
CN=host.epsys.nl, <a class="moz-txt-link-abbreviated" href="mailto:E=j.hermans@epsys.nl">E=j.hermans@epsys.nl</a>]...xxx.xxx.xxx.xxx[C=NL,
ST=L, L=Panningen, O=Shoetime Retail BV, OU=Thuiswerkers,
CN=Jeroen15, <a class="moz-txt-link-abbreviated" href="mailto:E=j.hermans@epsys.nl">E=j.hermans@epsys.nl</a>]<br>
Nov 30 12:49:33 host charon: 08[IKE] sending DELETE for IKE_SA
rw[10]<br>
<b>Nov 30 12:49:33 host charon: 08[IKE] IKE_SA rw[11] established
between yyy.yyy.yyy.yyy[C=NL, ST=L, L=Panningen, O=Shoetime Retail
BV, CN=host.epsys.nl,
<a class="moz-txt-link-abbreviated" href="mailto:E=j.hermans@epsys.nl">E=j.hermans@epsys.nl</a>]...xxx.xxx.xxx.xxx[C=NL, ST=L, L=Panningen,
O=Shoetime Retail BV, OU=Thuiswerkers, CN=Jeroen15,
<a class="moz-txt-link-abbreviated" href="mailto:E=j.hermans@epsys.nl">E=j.hermans@epsys.nl</a>]</b><br>
Nov 30 12:49:33 host charon: 08[IKE] scheduling reauthentication in
10559s<br>
Nov 30 12:49:33 host charon: 08[IKE] maximum IKE_SA lifetime 10739s<br>
Nov 30 12:49:33 host charon: 08[IKE] sending end entity cert "C=NL,
ST=L, L=Panningen, O=Shoetime Retail BV, CN=host.epsys.nl,
<a class="moz-txt-link-abbreviated" href="mailto:E=j.hermans@epsys.nl">E=j.hermans@epsys.nl</a>"<br>
<br>
Shrew log:<br>
13/11/30 12:49:32 ii : ipc client process thread begin ...<br>
13/11/30 12:49:32 <A : peer config add message<br>
13/11/30 12:49:32 <A : proposal config message<br>
13/11/30 12:49:32 <A : proposal config message<br>
13/11/30 12:49:32 <A : client config message<br>
13/11/30 12:49:32 <A : remote certificate data message<br>
13/11/30 12:49:32 !! : libeay : .\crypto\pkcs12\p12_kiss.c:110<br>
13/11/30 12:49:32 !! : error:23076071:PKCS12
routines:PKCS12_parse:mac verify failure<br>
13/11/30 12:49:32 !! : remote certificate read failed, requesting
password<br>
13/11/30 12:49:34 <A : file password<br>
13/11/30 12:49:34 <A : remote certificate data message<br>
13/11/30 12:49:34 ii : remote certificate read complete ( 991 bytes
)<br>
13/11/30 12:49:34 <A : local certificate data message<br>
13/11/30 12:49:34 ii : local certificate read complete ( 1046 bytes
)<br>
13/11/30 12:49:34 <A : local key data message<br>
13/11/30 12:49:34 ii : local key read complete ( 1192 bytes )<br>
13/11/30 12:49:34 <A : remote resource message<br>
13/11/30 12:49:34 <A : remote resource message<br>
13/11/30 12:49:34 <A : remote resource message<br>
13/11/30 12:49:34 <A : remote resource message<br>
13/11/30 12:49:34 <A : remote resource message<br>
13/11/30 12:49:34 <A : remote resource message<br>
13/11/30 12:49:34 <A : remote resource message<br>
13/11/30 12:49:34 <A : remote resource message<br>
13/11/30 12:49:34 <A : remote resource message<br>
13/11/30 12:49:34 <A : remote resource message<br>
13/11/30 12:49:34 <A : peer tunnel enable message<br>
13/11/30 12:49:34 DB : peer ref increment ( ref count = 1, obj count
= 0 )<br>
13/11/30 12:49:34 DB : peer added ( obj count = 1 )<br>
13/11/30 12:49:34 ii : local address 10.1.2.22 selected for peer<br>
13/11/30 12:49:34 DB : peer ref increment ( ref count = 2, obj count
= 1 )<br>
13/11/30 12:49:34 DB : tunnel ref increment ( ref count = 1, obj
count = 0 )<br>
13/11/30 12:49:34 DB : tunnel added ( obj count = 1 )<br>
13/11/30 12:49:34 DB : tunnel ref increment ( ref count = 2, obj
count = 1 )<br>
13/11/30 12:49:34 ii : obtained x509 cert subject ( 154 bytes )<br>
13/11/30 12:49:34 DB : new phase1 ( ISAKMP initiator )<br>
13/11/30 12:49:34 DB : exchange type is identity protect<br>
13/11/30 12:49:34 DB : 10.1.2.22:500 <-> yyy.yyy.yyy.yyy:500<br>
13/11/30 12:49:34 DB : 83210a938f80ad18:0000000000000000<br>
13/11/30 12:49:34 DB : phase1 ref increment ( ref count = 1, obj
count = 0 )<br>
13/11/30 12:49:34 DB : phase1 added ( obj count = 1 )<br>
13/11/30 12:49:34 >> : security association payload<br>
13/11/30 12:49:34 >> : - proposal #1 payload <br>
13/11/30 12:49:34 >> : -- transform #1 payload <br>
13/11/30 12:49:34 >> : vendor id payload<br>
13/11/30 12:49:34 ii : local supports nat-t ( draft v00 )<br>
13/11/30 12:49:34 >> : vendor id payload<br>
13/11/30 12:49:34 ii : local supports nat-t ( draft v01 )<br>
13/11/30 12:49:34 >> : vendor id payload<br>
13/11/30 12:49:34 ii : local supports nat-t ( draft v02 )<br>
13/11/30 12:49:34 >> : vendor id payload<br>
13/11/30 12:49:34 ii : local supports nat-t ( draft v03 )<br>
13/11/30 12:49:34 >> : vendor id payload<br>
13/11/30 12:49:34 ii : local supports nat-t ( rfc )<br>
13/11/30 12:49:34 >> : vendor id payload<br>
13/11/30 12:49:34 ii : local supports FRAGMENTATION<br>
13/11/30 12:49:34 >> : vendor id payload<br>
13/11/30 12:49:34 >> : vendor id payload<br>
13/11/30 12:49:34 ii : local supports DPDv1<br>
13/11/30 12:49:34 >> : vendor id payload<br>
13/11/30 12:49:34 ii : local is SHREW SOFT compatible<br>
13/11/30 12:49:34 >> : vendor id payload<br>
13/11/30 12:49:34 ii : local is NETSCREEN compatible<br>
13/11/30 12:49:34 >> : vendor id payload<br>
13/11/30 12:49:34 ii : local is SIDEWINDER compatible<br>
13/11/30 12:49:34 >> : vendor id payload<br>
13/11/30 12:49:34 ii : local is CISCO UNITY compatible<br>
13/11/30 12:49:34 >= : cookies 83210a938f80ad18:0000000000000000<br>
13/11/30 12:49:34 >= : message 00000000<br>
13/11/30 12:49:34 -> : send IKE packet 10.1.2.22:500 ->
yyy.yyy.yyy.yyy:500 ( 364 bytes )<br>
13/11/30 12:49:34 DB : phase1 resend event scheduled ( ref count = 2
)<br>
13/11/30 12:49:34 DB : phase1 ref decrement ( ref count = 1, obj
count = 1 )<br>
13/11/30 12:49:34 <- : recv IKE packet yyy.yyy.yyy.yyy:500 ->
10.1.2.22:500 ( 140 bytes )<br>
13/11/30 12:49:34 DB : phase1 found<br>
13/11/30 12:49:34 DB : phase1 ref increment ( ref count = 2, obj
count = 1 )<br>
13/11/30 12:49:34 ii : processing phase1 packet ( 140 bytes )<br>
13/11/30 12:49:34 =< : cookies 83210a938f80ad18:0148266b38ba27a2<br>
13/11/30 12:49:34 =< : message 00000000<br>
13/11/30 12:49:34 << : security association payload<br>
13/11/30 12:49:34 << : - propsal #1 payload <br>
13/11/30 12:49:34 << : -- transform #1 payload <br>
13/11/30 12:49:34 ii : matched isakmp proposal #1 transform #1<br>
13/11/30 12:49:34 ii : - transform = ike<br>
13/11/30 12:49:34 ii : - cipher type = aes<br>
13/11/30 12:49:34 ii : - key length = 256 bits<br>
13/11/30 12:49:34 ii : - hash type = sha2-256<br>
13/11/30 12:49:34 ii : - dh group = group14 ( modp-2048 )<br>
13/11/30 12:49:34 ii : - auth type = sig-rsa<br>
13/11/30 12:49:34 ii : - life seconds = 86400<br>
13/11/30 12:49:34 ii : - life kbytes = 0<br>
13/11/30 12:49:34 << : vendor id payload<br>
13/11/30 12:49:34 ii : peer supports XAUTH<br>
13/11/30 12:49:34 << : vendor id payload<br>
13/11/30 12:49:34 ii : peer supports DPDv1<br>
13/11/30 12:49:34 << : vendor id payload<br>
13/11/30 12:49:34 ii : peer supports nat-t ( rfc )<br>
13/11/30 12:49:34 >> : key exchange payload<br>
13/11/30 12:49:34 >> : nonce payload<br>
13/11/30 12:49:34 >> : cert request payload<br>
13/11/30 12:49:34 >> : nat discovery payload<br>
13/11/30 12:49:34 >> : nat discovery payload<br>
13/11/30 12:49:34 >= : cookies 83210a938f80ad18:0148266b38ba27a2<br>
13/11/30 12:49:34 >= : message 00000000<br>
13/11/30 12:49:34 DB : phase1 resend event canceled ( ref count = 1
)<br>
13/11/30 12:49:34 -> : send IKE packet 10.1.2.22:500 ->
yyy.yyy.yyy.yyy:500 ( 417 bytes )<br>
13/11/30 12:49:34 DB : phase1 resend event scheduled ( ref count = 2
)<br>
13/11/30 12:49:34 DB : phase1 ref decrement ( ref count = 1, obj
count = 1 )<br>
13/11/30 12:49:34 <- : recv IKE packet yyy.yyy.yyy.yyy:500 ->
10.1.2.22:500 ( 648 bytes )<br>
13/11/30 12:49:34 DB : phase1 found<br>
13/11/30 12:49:34 DB : phase1 ref increment ( ref count = 2, obj
count = 1 )<br>
13/11/30 12:49:34 ii : processing phase1 packet ( 648 bytes )<br>
13/11/30 12:49:34 =< : cookies 83210a938f80ad18:0148266b38ba27a2<br>
13/11/30 12:49:34 =< : message 00000000<br>
13/11/30 12:49:34 << : key exchange payload<br>
13/11/30 12:49:34 << : nonce payload<br>
13/11/30 12:49:34 << : cert request payload<br>
13/11/30 12:49:34 << : cert request payload<br>
13/11/30 12:49:34 << : nat discovery payload<br>
13/11/30 12:49:34 << : nat discovery payload<br>
13/11/30 12:49:34 ii : nat discovery - local address is translated<br>
13/11/30 12:49:34 ii : switching to src nat-t udp port 4500<br>
13/11/30 12:49:34 ii : switching to dst nat-t udp port 4500<br>
13/11/30 12:49:34 == : DH shared secret ( 256 bytes )<br>
13/11/30 12:49:34 == : SETKEYID ( 32 bytes )<br>
13/11/30 12:49:34 == : SETKEYID_d ( 32 bytes )<br>
13/11/30 12:49:34 == : SETKEYID_a ( 32 bytes )<br>
13/11/30 12:49:34 == : SETKEYID_e ( 32 bytes )<br>
13/11/30 12:49:34 == : cipher key ( 32 bytes )<br>
13/11/30 12:49:34 == : cipher iv ( 16 bytes )<br>
13/11/30 12:49:34 >> : identification payload<br>
13/11/30 12:49:34 >> : certificate payload<br>
13/11/30 12:49:34 == : phase1 hash_i ( computed ) ( 32 bytes )<br>
13/11/30 12:49:34 >> : signature payload<br>
13/11/30 12:49:34 >= : cookies 83210a938f80ad18:0148266b38ba27a2<br>
13/11/30 12:49:34 >= : message 00000000<br>
13/11/30 12:49:34 >= : encrypt iv ( 16 bytes )<br>
13/11/30 12:49:34 == : encrypt packet ( 1501 bytes )<br>
13/11/30 12:49:34 == : stored iv ( 16 bytes )<br>
13/11/30 12:49:34 DB : phase1 resend event canceled ( ref count = 1
)<br>
13/11/30 12:49:34 -> : send NAT-T:IKE packet 10.1.2.22:4500 ->
yyy.yyy.yyy.yyy:4500 ( 1548 bytes )<br>
13/11/30 12:49:34 ii : fragmented packet to 1514 bytes ( MTU 1500
bytes )<br>
13/11/30 12:49:34 ii : fragmented packet to 82 bytes ( MTU 1500
bytes )<br>
13/11/30 12:49:34 DB : phase1 ref decrement ( ref count = 0, obj
count = 1 )<br>
13/11/30 12:49:34 <- : recv NAT-T:IKE packet yyy.yyy.yyy.yyy:4500
-> 10.1.2.22:4500 ( 108 bytes )<br>
13/11/30 12:49:34 DB : phase1 not found<br>
<b>13/11/30 12:49:34 ww : ike packet from yyy.yyy.yyy.yyy ignored,
unknown phase1 sa for peer</b><b><br>
</b>13/11/30 12:49:34 ww : ee1cae58ae62f91e:e1270a88ddd66f06<br>
</body>
</html>