Discussion:
Question on IKEv2
Chris Arnold
2012-04-02 20:34:33 UTC
Permalink
I have been trying to get a tunnel between strongSwan 4.4.x and a SonicWall TZ180W to no avail. I have tried every combination known on the SonicWall and every combination I know on the strongSwan side. My last try was IKEv2, and I think this might be the problem. I found this on a strongSwan thread: http://download.strongswan.org/CHANGES42.txt

strongswan-4.0.0
----------------

- initial support of the IKEv2 protocol. Connections in
ipsec.conf designated by keyexchange=ikev2 are negotiated
by the new IKEv2 charon keying daemon whereas those marked
by keyexchange=ikev1 or the default keyexchange=ike are
handled by the IKEv1 pluto keying daemon. Currently only
a limited subset of functions is available with IKEv2
(Default AES encryption, authentication based on locally
imported X.509 certificates, unencrypted private RSA keys
in PKCS#1 file format, limited functionality of the ipsec
status command).

AES encryption, authentication based on locally imported X.509 certificates, unencrypted private RSA keys in PKCS#1 file format, limited functionality of the ipsec status command: is this an AND/OR list? Do you have to have certs to use IKEv2, or can you use one of the other auth methods in the list?
Andreas Steffen
2012-04-02 21:47:10 UTC
Permalink
Hi Chris,

why do you go six years back in time?

strongSwan is currently one of the most complete IKEv2 implementations
that exist and already 4.4 supports all major authentication methods
including PSKs, X.509 certificates and EAP. Just have a look at our
configuration examples:

http://wiki.strongswan.org/projects/strongswan/wiki/IKEv2Examples

Regards

Andreas
======================================================================
Andreas Steffen andreas.steffen-***@public.gmane.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
Chris Arnold
2012-04-02 22:24:41 UTC
Permalink
Post by Andreas Steffen
Hi Chris,
why do you go six years back in time?
Are you saying strongSwan 4.0 (the link I posted) is 6 yrs old?

Just have a look at our
Chris Arnold
2012-04-02 22:32:29 UTC
Permalink
Sorry I accidentally hit send... Cont'd below.
Post by Andreas Steffen
Hi Chris,
why do you go six years back in time?
--Are you saying strongSwan 4.0 (the link I posted) is 6 yrs old?
Just have a look at our
I have looked at those and adapted the site-to-site with PSK example for our needs. The problem is, some of those examples show the wrong stuff. For example, the ipsec.conf link in the examples shows the load line uncommented. That did not work, and I commented that load line back out. So, are you saying that the IKEv2 config I have should work (no certs)?
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
Chris Arnold
2012-04-03 03:11:25 UTC
Permalink
I uninstalled strongSwan and started over again with strongSwan. This time I followed this:
http://www.strongswan.org/uml/testre...psk/index.html
under the sun heading. This time I try to ping the remote network from the subnet behind the SonicWall; I get a whole different set of logs:
3 04/02/2012 22:17:06.096 Warning VPN IKE IKEv2 Received notify error payload strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; Invalid Syntax
4 04/02/2012 22:17:06.096 Info VPN IKE IKEv2 Initiator: Received IKE_AUTH response strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN;
5 04/02/2012 22:17:06.080 Info VPN IKE IKEv2 Initiator: Send IKE_AUTH request strongswan.public.ip, 4500 sonicwall.public.ip, 4500 VPN Policy: ELC VPN;
6 04/02/2012 22:17:06.064 Info VPN IKE IKEv2 NAT device detected between negotiating peers strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; Peer gateway is behind a NAT device
7 04/02/2012 22:17:05.912 Info VPN IKE IKEv2 Accept IKE SA Proposal strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN; 3DES; HMAC_SHA1_96; DH Group 2; IKEv2 InitSPI: 0x78c7c9e9e8ee7c4d; IKEv2 RespSPI: 0x358c22dd808e74fa
8 04/02/2012 22:17:05.912 Info VPN IKE IKEv2 Initiator: Received IKE_SA_INT response strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN;
9 04/02/2012 22:17:05.880 Info VPN IKE IKEv2 Initiator: Send IKE_SA_INIT request strongswan.public.ip, 500 sonicwall.public.ip, 500 VPN Policy: ELC VPN;

According to log entry "3", it looks like strongSwan is sending something with an "invalid syntax". Any ideas?

On the strongswan side:
added configuration 'teknerds'
03[NET] received packet: from sonicwall.public.ip[500] to 192.168.1.18[500]
03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
03[ENC] received unknown vendor id: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96 :6f:00:01
03[IKE] sonicwall.public.ip is initiating an IKE_SA
03[IKE] local host is behind NAT, sending keep alives
03[IKE] sending cert request for "C=US, ST=North Carolina, L=Durham, O=Edens Land Corp, CN=Jarrod, E=user-***@public.gmane.org"
03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
03[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
06[NET] received packet: from sonicwall.public.ip[4500] to 192.168.1.18[4500]
06[ENC] invalid X509 hash length (0) in certreq
06[ENC] CERTIFICATE_REQUEST verification failed
06[ENC] encrypted payload could not be decrypted and parsed
06[ENC] could not decrypt payloads
06[IKE] message parsing failed
06[ENC] generating IKE_AUTH response 1 [ N(INVAL_SYN) ]
06[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
06[IKE] IKE_AUTH request with message ID 1 processing failed

When it says this:
03[IKE] sending cert request for "C=US, ST=North Carolina, L=Durham, O=Edens Land Corp, CN=Jarrod, E=user-***@public.gmane.org"
Should I import the cert on the strongSwan side into the SonicWall, or do I need to generate a cert on the SonicWall?

At this point I would like to know if you have to use certs with IKEv2 and strongSwan?



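The strongSwan lines "invalid X509 hash length (0) in certreq" followed by "generating IKE_AUTH response 1 [ N(INVAL_SYN) ]" point at the Certificate Request payload the SonicWall sent. As an added example (not code from the thread, strongSwan or SonicWall), the following parser decodes an IKEv2 CERTREQ payload (RFC 7296 section 3.7: generic header, one Cert Encoding byte, then a concatenation of SHA-1 hashes of each trust anchor's SubjectPublicKeyInfo) and applies the same sanity rule strongSwan logs, so the responder's INVALID_SYNTAX can be reproduced from the bytes on the wire. The CA SubjectPublicKeyInfo below is a constructed placeholder, not a real key.

```python
"""Parse and validate an IKEv2 CERTREQ payload (RFC 7296, section 3.7).

Added example, not code from the thread or from strongSwan. It reproduces
the sanity check behind strongSwan's log line
    invalid X509 hash length (0) in certreq
so a responder log like the one in the thread can be explained from the payload bytes.
"""
import hashlib
import struct

CERTREQ_PAYLOAD_TYPE = 38   # IKEv2 payload type number for Certificate Request
ENC_X509_SIGNATURE = 4      # Cert Encoding value "X.509 Certificate - Signature"
SHA1_LEN = 20               # each trust anchor is named by SHA-1 of its SubjectPublicKeyInfo


def build_certreq(ca_spkis, next_payload=0):
    """Encode a CERTREQ: generic payload header (Next Payload, flags, Length),
    the encoding byte, then one SHA-1 hash per CA SubjectPublicKeyInfo (DER)."""
    body = bytes([ENC_X509_SIGNATURE])
    body += b"".join(hashlib.sha1(spki).digest() for spki in ca_spkis)
    length = 4 + len(body)
    return struct.pack("!BBH", next_payload, 0, length) + body


def parse_certreq(payload):
    """Decode a CERTREQ payload and return (encoding, [ca_hash, ...]).
    Raises ValueError (with strongSwan-style wording) on malformed input."""
    if len(payload) < 5:
        raise ValueError("certreq payload too short")
    _next_payload, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError(f"payload length {length} does not match {len(payload)} bytes")
    encoding = payload[4]
    data = payload[5:]
    if encoding == ENC_X509_SIGNATURE:
        # For X.509 signature encoding the CA data must be a non-empty multiple
        # of 20 bytes; a zero-length list (no CA configured on the peer) fails here,
        # and because the payload sits inside the encrypted IKE_AUTH message the
        # responder rejects the whole message with N(INVALID_SYNTAX).
        if len(data) < SHA1_LEN or len(data) % SHA1_LEN:
            raise ValueError(f"invalid X509 hash length ({len(data)}) in certreq")
    hashes = [data[i:i + SHA1_LEN] for i in range(0, len(data), SHA1_LEN)]
    return encoding, hashes


def certreq_matches_ca(payload, ca_spki):
    """True if the peer's CERTREQ names the CA whose DER SubjectPublicKeyInfo is
    ca_spki, i.e. a certificate issued by that CA would satisfy the request."""
    _encoding, hashes = parse_certreq(payload)
    return hashlib.sha1(ca_spki).digest() in hashes


def diagnose(payload):
    """Map a CERTREQ to what a strongSwan responder would do with it:
    'ok', or the INVAL_SYN notify the SonicWall reported as 'Invalid Syntax'."""
    try:
        parse_certreq(payload)
        return "ok"
    except ValueError as err:
        return f"N(INVAL_SYN): {err}"


# Constructed placeholder for a CA's DER SubjectPublicKeyInfo (not a real key).
CONSTRUCTED_CA_SPKI = bytes.fromhex("300d06092a864886f70d0101010500") + b"\x00" * 32

# What a peer with a CA certificate installed sends: encoding 4 plus one CA hash.
GOOD_CERTREQ = build_certreq([CONSTRUCTED_CA_SPKI])

# What a gateway with no CA configured sends: encoding 4 and no hashes at all.
EMPTY_CERTREQ = build_certreq([])

if __name__ == "__main__":
    print("good certreq :", diagnose(GOOD_CERTREQ))
    print("empty certreq:", diagnose(EMPTY_CERTREQ))
    print("names our CA :", certreq_matches_ca(GOOD_CERTREQ, CONSTRUCTED_CA_SPKI))
```

Once a CA certificate is installed on both ends, the peer's CERTREQ should carry the SHA-1 of that CA's public key, which is what `certreq_matches_ca` checks.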
Andreas Steffen
2012-04-03 06:35:20 UTC
Permalink
Hello Chris,

I think you misconfigured your certificates:

You should create a CA certificate and put it in /etc/ipsec.d/cacerts/.

Then you should create two X.509 end entity certificates with
matching private keys, one for strongSwan and one for sonicwall,
and sign both certificates with the private key of the CA.

The private strongSwan key you put into /etc/ipsec.d/private/ and
the strongSwan certificate into /etc/ipsec.d/certs/.

Then you package the private sonicwall key, sonicwall certificate
and CA certificate into a PKCS#12 file (*.p12) and import it into
your sonicwall box.

The certificate request strongSwan sends should then be for the CA.

RSA keys and certificates can be generated using either openssl-based
tools

http://wiki.strongswan.org/projects/strongswan/wiki/CAmanagementGUIs

or the ipsec pki command

http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA

Regards

Andreas
Chris Arnold
2012-04-04 00:02:44 UTC
Permalink
Can you do this with the IPSec pki command line?

Sent from my iPhone
Chris Arnold
2012-04-04 14:40:38 UTC
Permalink
Is this possible with the IPSec pki tool?

Sent from my iPhone
Chris Arnold
2012-04-04 22:25:31 UTC
Permalink
Thank you all for not calling me an id10t!! I read, completely, the email Andreas sent and saw where you can use the pki tool....
So, I followed the instructions, and on the import of caCert.der into the SonicWall I get the error "invalid format. Please use der or pem." The other 2 files import fine into the SonicWall, and they too are DER format.

Sent from my iPhone
03[IKE] sonicwall.public.ip is initiating an IKE_SA
03[IKE] local host is behind NAT, sending keep alives
03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
03[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
06[NET] received packet: from sonicwall.public.ip[4500] to 192.168.1.18[4500]
06[ENC] invalid X509 hash length (0) in certreq
06[ENC] CERTIFICATE_REQUEST verification failed
06[ENC] encrypted payload could not be decrypted and parsed
06[ENC] could not decrypt payloads
06[IKE] message parsing failed
06[ENC] generating IKE_AUTH response 1 [ N(INVAL_SYN) ]
06[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
06[IKE] IKE_AUTH request with message ID 1 processing failed
should i import the cert on the strongswan side into the sonicwall or do i need to generate a cert on the sonicwall?
At this point i would like to know if you have to use certs with ikev2 and strongswan?
----- Original Message -----
Sent: Monday, April 2, 2012 6:24:41 PM
Subject: Re: [strongSwan] Question on IKEv2
Post by Andreas Steffen
Hi Chris,
why do you go six years back in time?
Are you saying strongSwan 4.0 (the link I posted) is 6 yrs old?
Just have a look at our
Post by Andreas Steffen
Post by Chris Arnold
I have been trying to get a tunnel between strongSwan 4.4.x and a
sonicwall TZ180W to no avail. I have tried every combination known on
the sonicwall and every combination i know on the strongSwan side. My
last try was ikev2 and i think this might be the problem. This was
found this on a StrongSong thread found
http://download.strongswan.org/CHANGES42.txt
strongswan-4.0.0 ----------------
- initial support of the IKEv2 protocol. Connections in ipsec.conf
designated by keyexchange=ikev2 are negotiated by the new IKEv2
charon keying daemon whereas those marked by keyexchange=ikev1 or the
default keyexchange=ike are handled thy the IKEv1 pluto keying
daemon. Currently only a limited subset of functions are available
with IKEv2 (Default AES encryption, authentication based on locally
imported X.509 certificates, unencrypted private RSA keys in PKCS#1
file format, limited functionality of the ipsec status command).
AES encryption, authentication based on locally imported X.509
certificates, unencrypted private RSA keys in PKCS#1 file format,
limited functionality of the ipsec status command, is this a AND/OR
list? Do you have to have certs to use ikev2 or can you do 1 of the
other auth in the list?
Andreas Steffen
2012-04-05 07:57:10 UTC
Permalink
Hi Chris,

can you send me your caCert.der certificate?

Andreas
Post by Chris Arnold
Thank you all for not calling me an id10t!! I read, completely, the
email Andreas sent and saw where you can use the pki tool.... So, I
followed the instructions and on the import of caCert.der into the
sonicwall, I get the error, invalid format. Please use der or pem.
The other 2 files import fine into the sonicwall and they too are der
format.
======================================================================
Andreas Steffen andreas.steffen-***@public.gmane.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
Chris Arnold
2012-04-05 17:47:24 UTC
Permalink
OK, i have gotten a little further. When i run ipsec up <conn-name>, i get this:
initiating IKE_SA teknerds[1] to sonicwall.public.ip
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
received packet: from sonicwall.public.ip[500] to 192.168.1.18[500]
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_1024
initiating IKE_SA teknerds[1] to 75.177.187.225
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
received packet: from sonicwall.public.ip[500] to 192.168.1.18[500]
parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) V ]
local host is behind NAT, sending keep alives
received cert request for "C=CH, O=ELC, CN=Edens Land Corp CA"
received cert request for unknown ca with keyid <removed>
sending cert request for "C=US, ST=North Carolina, L=Durham, O=Edens Land Corp, CN=Jarrod, E=***@address"
sending cert request for "C=CH, O=ELC, CN=Edens Land Corp CA"
authentication of 'edenslandcorp.com' (myself) with pre-shared key
establishing CHILD_SA teknerds
generating IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from 192.168.1.18[4500] to sonicwall.public.ip[4500]
received packet: from sonicwall.public.ip[4500] to 192.168.1.18[4500]
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(INIT_CONTACT) ]
authentication of 'sonicwall id' with pre-shared key successful
constraint check failed: identity 'sonicwall id' required
selected peer config 'teknerds' inacceptable
no alternative config found

The sonicwall shows an active tunnel. Unable to ping from either network to the other side.
Ipsec statusall shows:
Status of IKEv2 charon daemon (strongSwan 4.4.0):
uptime: 8 minutes, since Apr 05 13:09:48 2012
worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl gcrypt fips-prf xcbc hmac gmp attr kernel-netlink socket-raw stroke updown resolve
Listening IP addresses:
192.168.1.18
Connections:
teknerds: 192.168.1.18...sonicwall.public.ip
teknerds: local: [edenslandcorp.com] uses pre-shared key authentication
teknerds: remote: [sonicwall id] uses any authentication
teknerds: child: 192.168.1.0/24 === 192.168.123.0/24
Security Associations:
none

Here is the ipsec.conf:
config setup
# plutodebug=all
# crlcheckinterval=600
# strictcrlpolicy=yes
# cachecrls=yes
# nat_traversal=yes
# charonstart=no
plutostart=no

# Add connections here.

conn %default
ikelifetime=28800s
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev2
mobike=no

conn teknerds
left=192.168.1.18
leftsubnet=192.168.1.0/24
leftid=@strongswan.id
#leftfirewall=yes
right=sonicwall.public.ip
rightsubnet=192.168.123.0/24
rightid=@sonicwall.id
auto=add

The sonicwall proposals are:
phase 1 - ikev2. group 2, 3des-sha1
phase 2 - esp, 3des, sha1 no pfs

----- Original Message -----
From: "Andreas Steffen" <andreas.steffen-***@public.gmane.org>
To: "Chris Arnold" <carnold-lmTtMILVy1gHLEsm+***@public.gmane.org>
Cc: users-3+4lAyCyj6DkhV4RL1hkzWD2FQJk+8+***@public.gmane.org
Sent: Thursday, April 5, 2012 3:57:10 AM
Subject: Re: [strongSwan] Question on IKEv2

Hi Chris,

can you send me your caCert.der certificate?

Andreas
Post by Chris Arnold
Thank you all for not calling me an id10t!! I read, completely, the
email Andreas sent and saw where you can use the pki tool.... So, I
followed the instructions and on the import of caCert.der into the
sonicwall, I get the error, invalid format. Please use der or pem.
The other 2 files import fine into the sonicwall and they too are der
format.
Kimmo Koivisto
2012-04-06 10:47:50 UTC
Permalink
Hello
Post by Chris Arnold
authentication of 'sonicwall id' with pre-shared key successful
constraint check failed: identity 'sonicwall id' required
selected peer config 'teknerds' inacceptable
no alternative config found
Sonicwall sends something (DN, IP address, FQDN, email) as its ID and
you need to configure that ID in your ipsec.conf.

I'm guessing that Sonicwall sends its IP address but you have
configured something else, such as rightid=@sonicwall.yourdomain.xx,
which is an FQDN.
In this case, you should configure the IP address as ID.

rightid=sonicwall.ip.address

Default rightid is the IP address from parameter right, so you can
also omit the rightid and it should work.

Regards,
Kimmo
Chris Arnold
2012-04-06 14:55:20 UTC
Permalink
Post by Chris Arnold
Hello
Hi Kimmo. Thanks for the reply!!
Post by Chris Arnold
authentication of 'sonicwall id' with pre-shared key successful
constraint check failed: identity 'sonicwall id' required
selected peer config 'teknerds' inacceptable
no alternative config found
Sonicwall sends something (DN, IP address, FQDN, email) as its ID and
you need to configure that ID in your ipsec.conf.
Sonicwall sends its Unique ID, which by default is the device serial number. That can be changed, but in our case it is the serial number. I have that ID set in the VPN policy on the sonicwall. I also have that set in the strongswan ipsec.conf (verified many times to be correct) and the ipsecsecrets.conf file (also verified many times).
Post by Chris Arnold
I'm guessing that Sonicwall sends it's IP address but you have
which is FQDN.
In this case, you should configure the IP address as ID.
I changed it to the sonicwall ip address in the vpn policy on the sonicwall and the ipsec.conf and ipsecsecrets.conf. Stop/start ipsec and receive the same output as before. Also, the sonicwall sees the tunnel as up but ipsec statusall does not. I googled this and found this:
https://lists.strongswan.org/pipermail/users/2012-January/007048.html
In this he states he misconfigured the certs to show fqdn and not email address. I used pki tool to generate the certs and keys. How do i tell what my certs are configured for?
Kimmo Koivisto
2012-04-06 16:05:39 UTC
Permalink
Hello Chris

Are you using two configurations to test, one configured to use psk
(password) and one to use certificates?

You have this in your ipsec.conf:

authby=secret

which means that you are using a pre-shared key (password) and not certificates.

Use authby=rsasig when using ikev1 and leftauth=pubkey when using ikev2

See ipsec.conf man page, look at authby and leftauth parameters.


Regards,
Kimmo
Post by Chris Arnold
Post by Chris Arnold
Hello
Hi Kimmo. Thanks for the reply!!
Post by Chris Arnold
authentication of 'sonicwall id' with pre-shared key successful
constraint check failed: identity 'sonicwall id' required
selected peer config 'teknerds' inacceptable
no alternative config found
Sonicwall sends something (DN, IP address, FQDN, email) as its ID and
you need to configure that ID in your ipsec.conf.
Sonicwall sends its Unique ID, which by default is the device serial number. That can be changed, but in our case it is the serial number. I have that ID set in the VPN policy on the sonicwall. I also have that set in the strongswan ipsec.conf (verified many times to be correct) and the ipsecsecrets.conf file (also verified many times).
Post by Chris Arnold
I'm guessing that Sonicwall sends it's IP address but you have
which is FQDN.
In this case, you should configure the IP address as ID.
https://lists.strongswan.org/pipermail/users/2012-January/007048.html
In this he states he misconfigured the certs to show fqdn and not email address. I used pki tool to generate the certs and keys. How do i tell what my certs are configured for?
Chris Arnold
2012-04-06 14:29:29 UTC
Permalink
I got the 3 certs into the sonicwall and the tunnel appears to be up and stay up, but I cannot pass any traffic from either network. Ipsec statusall does not show any SAs:
ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.4.0):
uptime: 17 minutes, since Apr 06 09:41:57 2012
worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl gcrypt fips-prf xcbc hmac gmp attr kernel-netlink socket-raw stroke updown resolve
Listening IP addresses:
192.168.1.18
Connections:
teknerds: 192.168.1.18...sonicwall.public.ip
teknerds: local: [strongswan.id] uses pre-shared key authentication
teknerds: remote: [sonicwall.id] uses any authentication
teknerds: child: 192.168.1.0/24 === 192.168.123.0/24
Security Associations:
none

I get the same output from ipsec up <conn> as when i did not have all 3 certs installed on the sonicwall:
initiating IKE_SA teknerds[1] to sonicwall.public.ip
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
received packet: from sonicwall.public.ip[500] to 192.168.1.18[500]
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_1024
initiating IKE_SA teknerds[1] to sonicwall.public.ip
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
received packet: from sonicwall.public.ip[500] to 192.168.1.18[500]
parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) V ]
local host is behind NAT, sending keep alives
received cert request for "C=CH, O=ELC, CN=Edens Land Corp CA"
sending cert request for "C=CH, O=ELC, CN=Edens Land Corp CA"
authentication of 'strongswan.id' (myself) with pre-shared key
establishing CHILD_SA teknerds
generating IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from 192.168.1.18[4500] to sonicwall.public.ip[4500]
received packet: from sonicwall.public.ip[4500] to 192.168.1.18[4500]
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(INIT_CONTACT) ]
authentication of 'sonicwall.id' with pre-shared key successful
constraint check failed: identity 'sonicwall.id' required
selected peer config 'teknerds' inacceptable
no alternative config found

----- Original Message -----
From: "Andreas Steffen" <andreas.steffen-***@public.gmane.org>
To: "Chris Arnold" <carnold-lmTtMILVy1gHLEsm+***@public.gmane.org>
Sent: Friday, April 6, 2012 5:02:24 AM
Subject: Re: [strongSwan] Question on IKEv2

Hello Chris,

I know what the problem is. The openssl pkcs12 command does not
accept keys and certificates in binary DER format. Therefore
if you generate keys and certificates with ipsec pki,
use the option --outform pem (the default being der).

Alternatively, if you want to convert existing binary DER files you
can use:

openssl rsa -inform der -in peerKey.der -out peerKey.pem

openssl x509 -inform der -in peerCert.der -out peerCert.pem

Regards

Andreas
Andreas, It is actually the peerKey.der that will not import.
Attached are the peerCert.der, peerKey.der and caCert.der. I trust
you will destroy these for security purposes. Thank you for your
help. I tried to package the 3 files together using: openssl pkcs12
-export -out sonicwall.p12 -inkey peerKey.der -in peerCert.der
-certfile caCert.der
and get unable to load private key. I wonder if something is wrong
with the peerKey.der file..
----- Original Message ----- From: "Andreas
Sent: Thursday, April 5, 2012 3:57:10 AM Subject: Re: [strongSwan]
Question on IKEv2
Hi Chris,
can you send me your caCert.der certificate?
Andreas
Post by Chris Arnold
Thank you all for not calling me an id10t!! I read, completely,
the email Andreas sent and saw where you can use the pki tool....
So, I followed the instructions and on the import of caCert.der
into the sonicwall, I get the error, invalid format. Please use der
or pem. The other 2 files import fine into the sonicwall and they
too are der format.
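A small triage script for the charon symptoms this thread walks through (the INVAL_KE retry from MODP_2048 down to MODP_1024, the pre-shared-key authentication Kimmo traced to authby=secret, and the "constraint check failed: identity ... required" line), written as an added example for this page and not code from strongSwan or from anyone in the thread. It assumes only the flat ipsec.conf dialect posted above, and the conn, identities and log lines it embeds are the thread's own placeholders.

```python
"""Triage of the charon log lines and ipsec.conf quoted in this thread.
Constructed example for this page, not strongSwan code; the sample conn and
log excerpt below are copied from the thread with its placeholder names."""
import re

DH_RE = re.compile(r"peer didn't accept DH group (\w+), it requested (\w+)")
SELF_AUTH_RE = re.compile(r"authentication of '[^']+' \(myself\) with (.+)")
PEER_AUTH_RE = re.compile(r"authentication of '([^']+)' with .+ successful")
REQ_ID_RE = re.compile(r"constraint check failed: identity '([^']+)' required")


def parse_ipsec_conf(text):
    """{section: {key: value}} for the flat ipsec.conf dialect in the thread:
    'config setup' / 'conn <name>' headers, key=value lines, '#' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(("conn ", "config ")):
            current = line.split(None, 1)[1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections


def triage(log_lines, conf, conn):
    """Map the symptoms seen in the thread to configuration findings.
    Returns [(code, detail), ...] in the order the symptoms appear."""
    settings = dict(conf.get("%default", {}))  # a conn inherits %default
    settings.update(conf.get(conn, {}))
    findings, peer_id = [], None
    for line in log_lines:
        if m := DH_RE.search(line):
            findings.append(("dh_group_mismatch", f"local ike= proposal offers "
                f"{m[1]} but the peer only accepts {m[2]}; align both ends"))
        elif (m := SELF_AUTH_RE.search(line)) and "pre-shared key" in m[1]:
            if settings.get("authby") == "secret":
                findings.append(("psk_selected", "authby=secret selects PSK; for "
                    "certificates with keyexchange=ikev2 set leftauth=pubkey"))
        elif m := PEER_AUTH_RE.search(line):
            peer_id = m[1]  # identity the peer actually presented
        elif m := REQ_ID_RE.search(line):
            # Same printed string on both sides still fails when the ID
            # types differ (e.g. FQDN via '@' vs. the type the peer sends).
            findings.append(("identity_constraint", f"peer authenticated as "
                f"'{peer_id}' but rightid={settings.get('rightid', '<right>')} "
                f"requires '{m[1]}'; value and ID type must both match"))
    return findings


# Constructed sample input: the conn and log excerpt quoted in the thread.
IPSEC_CONF = """\
conn %default
    authby=secret
    keyexchange=ikev2
conn teknerds
    right=sonicwall.public.ip
    rightid=@sonicwall.id
"""
CHARON_LOG = [
    "peer didn't accept DH group MODP_2048, it requested MODP_1024",
    "authentication of 'strongswan.id' (myself) with pre-shared key",
    "authentication of 'sonicwall.id' with pre-shared key successful",
    "constraint check failed: identity 'sonicwall.id' required",
]
```

Running `triage(CHARON_LOG, parse_ipsec_conf(IPSEC_CONF), "teknerds")` yields one finding per symptom, in log order.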