Discussion:
How to configure Strongswan4.6.4/5.x with "IPSec Hybrid authentication with RSA" support
TrippyBoy.com
2012-06-19 06:06:24 UTC
Hello,

I would like to know how to configure Strongswan with "IPSec Hybrid
authentication with RSA" support.

# My Strongswan has XAUTH+RSA and XAUTH+PSK support and they work fine.

I believe Strongswan supports "Hybrid authentication", as it is
mentioned in the following link.

----------------------------------------
CharonPlutoIKEv1 - strongSwan - strongSwan - IKEv2/IPsec VPN for
Linux, Android, FreeBSD, Mac OS X
http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1

"To configure the new Hybrid Mode, define leftauth=xauth and rightauth=pubkey."
----------------------------------------

I configured my Strongswan, ver5.0.0dr1, and installed it with the
options below.

./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ \
    --with-random-device=/dev/urandom --enable-cisco-quirks \
    --enable-xauth-generic --enable-xauth-eap
make && make install

I set up /etc/ipsec.d/hybrd-rsa.conf and restarted Strongswan.
After that, I executed "ipsec statusall" to see how my connections are
recognised.
Then I tried to connect to my VPN server with Hybrid+RSA auth.
I checked /var/log/charon.log.

The log says
--
Jun 19 14:11:58 13[CFG] looking for HybridInitRSA peer configs
matching 192.168.246.210...192.168.248.101[192.168.248.101]
Jun 19 14:11:58 13[IKE] no peer config found
--

My questions are
1: Does Strongswan support Hybrid Authentication?
2: Does Strongswan support Hybrid Authentication with RSA?
3: What kind of configuration does Strongswan look for when the client
asks for "HybridInitRSA"?

If the 1st or 2nd of the questions above returns "YES", I would like to
know the way to do so.


==== My Strongswan's profile ====

+ /etc/ipsec.conf
config setup
       plutodebug=all
       plutostderrlog=/var/log/pluto.log
       nat_traversal=yes
       virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

include /etc/ipsec.d/*.conf

+/etc/ipsec.d/hybrid-rsa.conf
conn hybridrsasig
       keyexchange=ikev2
       left=linux.hogehoge.jp
       leftcert=serverCert.pem
       leftauth=xauth
       right=%any
       rightsourceip=192.168.246.230/24
       rightcert=clientCert.pem
       rightauth=pubkey
       pfs=no
       auto=add

+/etc/ipsec.d/xauth-psk.conf
conn xauthpsk
       keyexchange=ikev1
       xauth=server
       authby=xauthpsk
       left=linux.fj-ngmt.jp
       leftsubnet=0.0.0.0/0
       right=%any
       #rightauth=eap
       rightsourceip=192.168.246.210/24
       pfs=no
       auto=add

+/etc/ipsec.d/xauth-rsa.conf
conn xauthrsasig
       keyexchange=ikev1
       xauth=server
       authby=xauthrsasig
       left=linux.fj-ngmt.jp
       leftcert=serverCert.pem
       right=%any
       rightsourceip=192.168.246.220/24
       rightcert=clientCert.pem
       pfs=no
       auto=add


+/var/log/charon.log
Jun 19 14:11:58 11[NET] received packet: from 192.168.248.101[500] to
192.168.246.210[500]
Jun 19 14:11:58 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Jun 19 14:11:58 11[IKE] received NAT-T (RFC 3947) vendor ID
Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jun 19 14:11:58 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Jun 19 14:11:58 11[IKE] received XAuth vendor ID
Jun 19 14:11:58 11[IKE] received Cisco Unity vendor ID
Jun 19 14:11:58 11[ENC] received unknown vendor ID:
40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
Jun 19 14:11:58 11[IKE] received DPD vendor ID
Jun 19 14:11:58 11[IKE] 192.168.248.101 is initiating a Main Mode IKE_SA
Jun 19 14:11:58 11[ENC] generating ID_PROT response 0 [ SA V V V ]
Jun 19 14:11:58 11[NET] sending packet: from 192.168.246.210[500] to
192.168.248.101[500]
Jun 19 14:11:58 12[NET] received packet: from 192.168.248.101[500] to
192.168.246.210[500]
Jun 19 14:11:58 12[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 19 14:11:58 12[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jun 19 14:11:58 12[NET] sending packet: from 192.168.246.210[500] to
192.168.248.101[500]
Jun 19 14:11:58 13[NET] received packet: from 192.168.248.101[500] to
192.168.246.210[500]
Jun 19 14:11:58 13[ENC] parsed ID_PROT request 0 [ ID HASH ]
Jun 19 14:11:58 13[CFG] looking for HybridInitRSA peer configs
matching 192.168.246.210...192.168.248.101[192.168.248.101]
Jun 19 14:11:58 13[IKE] no peer config found
Jun 19 14:11:58 13[ENC] generating INFORMATIONAL_V1 request 4275396946
[ HASH N(AUTH_FAILED) ]
Jun 19 14:11:58 13[NET] sending packet: from 192.168.246.210[500] to
192.168.248.101[500]


Thank you for your time in advance.

Regards,

Yukihisa kitagawa
--
TrippyBoy.com http://trippyboy.com/
Martin Willi
2012-06-19 08:21:20 UTC
Hi,
Post by TrippyBoy.com
1: Does Strongswan support Hybrid Authentication?
2: Does Strongswan support Hybrid Authentication with RSA?
Yes, we support Hybrid Mode in our experimental 5.0 pre-release.
Post by TrippyBoy.com
3: What kind of configuration does Strongswan look for when the client
asks for "HybridInitRSA"?
left=linux.hogehoge.jp
leftcert=serverCert.pem
leftauth=xauth
right=%any
rightsourceip=192.168.246.230/24
rightcert=clientCert.pem
rightauth=pubkey
Left seems to be your responder. In Hybrid mode, the responder
authenticates with a public key, the initiator with XAuth only. Try it
the other way round:

leftauth=pubkey
rightauth=xauth

Regards
Martin
TrippyBoy.com
2012-06-19 09:25:12 UTC
Hello Martin,

Thank you for your quick response.
Post by Martin Willi
Post by TrippyBoy.com
1: Does Strongswan support Hybrid Authentication?
2: Does Strongswan support Hybrid Authentication with RSA?
Yes, we support Hybrid Mode in our experimental 5.0 pre-release.
Thank you for this information.
Now I know I was right to stop trying to install hybrid on Strongswan 4.6.4.
Post by Martin Willi
Post by TrippyBoy.com
3: What kind of configuration does Strongswan look for when the client
asks for "HybridInitRSA"?
       left=linux.hogehoge.jp
       leftcert=serverCert.pem
       leftauth=xauth
       right=%any
       rightsourceip=192.168.246.230/24
       rightcert=clientCert.pem
       rightauth=pubkey
Left seems to be your responder. In Hybrid mode, the responder
authenticates with a public key, the initiator with XAuth only. Try it
  leftauth=pubkey
  rightauth=xauth
Yes, left is my responder which is my server. I say left for "Local".

I put "leftauth=pubkey" to let left authenticate with a public key,
thank you for your suggestion. And I put "rightauth=xauth" to allow
right peer to use xauth to authenticate with my VPN server.

I gave it a try.. I'm afraid I see no success :(

-- my new config

conn hybridrsasig
       keyexchange=ikev2
       left=linux.fj-ngmt.jp
       leftcert=serverCert.pem
       leftauth=pubkey
       right=%any
       rightsourceip=192.168.246.230/24
       rightcert=clientCert.pem
       rightauth=xauth
       pfs=no
       auto=add

-- start and stop strongswan, we call it restart.
[***@linux ipsec.d]# ipsec stop
Stopping strongSwan IPsec...
[***@linux ipsec.d]#
[***@linux ipsec.d]# ipsec start
Starting strongSwan 5.0.0dr1 IPsec [starter]...
[***@linux ipsec.d]#

-- ipsec statusall
[***@linux ipsec.d]# ipsec statusall | grep hybrid
hybridrsasig: 255/0/0
hybridrsasig: linux.fj-ngmt.jp...%any IKEv2
hybridrsasig: local: [C=JP, O=Strongswan, CN=linux.hogehoge.jp]
uses public key authentication
hybridrsasig: cert: "C=JP, O=Strongswan, CN=linux.hogehoge.jp"
hybridrsasig: remote: [C=JP, O=Strongswan, CN=client] uses XAuth
authentication: any
hybridrsasig: cert: "C=JP, O=Strongswan, CN=client"
hybridrsasig: child: dynamic === dynamic TUNNEL
[***@linux ipsec.d]#


I still get "no peer config found".

Jun 19 17:58:35 11[NET] received packet: from 192.168.248.101[500] to
192.168.246.210[500]
Jun 19 17:58:35 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Jun 19 17:58:35 11[IKE] received NAT-T (RFC 3947) vendor ID
Jun 19 17:58:35 11[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jun 19 17:58:35 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jun 19 17:58:35 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Jun 19 17:58:35 11[IKE] received XAuth vendor ID
Jun 19 17:58:35 11[IKE] received Cisco Unity vendor ID
Jun 19 17:58:35 11[ENC] received unknown vendor ID:
40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
Jun 19 17:58:35 11[IKE] received DPD vendor ID
Jun 19 17:58:35 11[IKE] 192.168.248.101 is initiating a Main Mode IKE_SA
Jun 19 17:58:35 11[ENC] generating ID_PROT response 0 [ SA V V V ]
Jun 19 17:58:35 11[NET] sending packet: from 192.168.246.210[500] to
192.168.248.101[500]
Jun 19 17:58:35 12[NET] received packet: from 192.168.248.101[500] to
192.168.246.210[500]
Jun 19 17:58:35 12[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 19 17:58:35 12[IKE] faking NAT situation to enforce UDP encapsulation
Jun 19 17:58:35 12[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jun 19 17:58:35 12[NET] sending packet: from 192.168.246.210[500] to
192.168.248.101[500]
Jun 19 17:58:35 13[NET] received packet: from 192.168.248.101[4500] to
192.168.246.210[4500]
Jun 19 17:58:35 13[ENC] parsed ID_PROT request 0 [ ID HASH ]
Jun 19 17:58:35 13[CFG] looking for HybridInitRSA peer configs
matching 192.168.246.210...192.168.248.101[192.168.248.101]
Jun 19 17:58:35 13[IKE] no peer config found
Jun 19 17:58:35 13[ENC] generating INFORMATIONAL_V1 request 1053667702
[ HASH N(AUTH_FAILED) ]
Jun 19 17:58:35 13[NET] sending packet: from 192.168.246.210[4500] to
192.168.248.101[4500]

I will give it a try with a client that used "Hybrid" authentication
without RSA and see if this works.

Also I will give it some tries if I can create "HybridInitRSA"
connection adding some left/rightauth2 field.

I would love to have more suggestions and support. :)
Post by Martin Willi
Regards
Martin
Regards
Yukihisa Kitagawa
--
TrippyBoy.com http://trippyboy.com/
Martin Willi
2012-06-19 09:37:23 UTC
Post by TrippyBoy.com
rightcert=clientCert.pem
rightauth=xauth
No need for a right cert, in Hybrid mode the client authenticates with
XAuth only.
Post by TrippyBoy.com
hybridrsasig: remote: [C=JP, O=Strongswan, CN=client] uses XAuth authentication: any
Your configuration requires a remote identity "C=JP, O=Strongswan,
CN=client", read from the certificate.
Post by TrippyBoy.com
Jun 19 17:58:35 13[CFG] looking for HybridInitRSA peer configs
matching 192.168.246.210...192.168.248.101[192.168.248.101]
But your client sends "192.168.248.101" as IKE identity. If you remove
the rightcert option, you can define a rightid=192.168.248.101, or even
rightid=%any.
Post by TrippyBoy.com
I will give it a try with a client that used "Hybrid" authentication
without RSA and see if this works.
Hybrid mode is only defined with DSS or RSA as responder authentication
in [1]. We don't support DSS signatures, and no responder public key
authentication at all would be very insecure.

Regards
Martin

[1]http://tools.ietf.org/html/draft-ietf-ipsec-isakmp-hybrid-auth-05
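
The checks from the two replies above, written out as an added example (not code from this thread or from strongSwan): a small linter that pairs a failed `looking for HybridInitRSA peer configs` lookup in charon.log with an ipsec.conf `conn` section and lists the reasons given in this thread for a mismatch. The function names, the sample config and the sample log are constructed for illustration, and the rules are a simplification of the advice here, not strongSwan's real matching logic.

```python
import re

# Constructed sample inputs, modelled on the config and log lines quoted in this thread.
BROKEN_CONF = """\
config setup

conn hybridrsasig
    keyexchange=ikev2
    leftcert=serverCert.pem
    leftauth=xauth
    right=%any
    rightcert=clientCert.pem
    rightauth=pubkey
    auto=add
"""

FIXED_CONF = """\
conn %default
    keyexchange=ikev1

conn hybridrsasig
    leftcert=serverCert.pem
    leftauth=pubkey
    right=%any
    rightid=%any
    rightauth=xauth
    auto=add
"""

SAMPLE_LOG = """\
Jun 19 14:11:58 13[ENC] parsed ID_PROT request 0 [ ID HASH ]
Jun 19 14:11:58 13[CFG] looking for HybridInitRSA peer configs matching 192.168.246.210...192.168.248.101[192.168.248.101]
Jun 19 14:11:58 13[IKE] no peer config found
"""

LOOKUP_RE = re.compile(
    r"\[CFG\] looking for (\S+) peer configs matching (\S+?)\.\.\.(\S+?)\[(.*?)\]"
)


def parse_conns(text):
    """Return {conn_name: {option: value}}, merging 'conn %default' into each conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("config "):
            current = None                      # 'config setup' options are not conn options
        elif line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}


def failed_lookups(log_text):
    """Return every peer-config lookup that was followed by 'no peer config found'."""
    failures, pending = [], None
    for line in log_text.splitlines():
        match = LOOKUP_RE.search(line)
        if match:
            pending = dict(zip(("auth", "local", "remote", "peer_id"), match.groups()))
        elif "selected peer config" in line:
            pending = None
        elif "no peer config found" in line and pending:
            failures.append(pending)
            pending = None
    return failures


def lint_hybrid(opts, lookup):
    """List the reasons (per this thread) why a responder conn would not serve the lookup."""
    if lookup["auth"] != "HybridInitRSA":
        return []                               # only the Hybrid + RSA case is modelled
    findings = []
    if opts.get("keyexchange") == "ikev2":
        findings.append("keyexchange: Hybrid mode is an IKEv1 exchange, conn is pinned to ikev2")
    if opts.get("leftauth") != "pubkey":
        findings.append("leftauth: the responder must authenticate with a public key")
    if opts.get("rightauth") != "xauth":
        findings.append("rightauth: the initiator authenticates with XAuth only")
    if "rightcert" in opts and "rightid" not in opts:
        findings.append("rightcert: remote identity is read from the certificate, "
                        "but the client sent %r" % lookup["peer_id"])
    else:
        rightid = opts.get("rightid", opts.get("right", "%any"))
        if rightid not in ("%any", lookup["peer_id"]):
            findings.append("rightid: %r does not match %r" % (rightid, lookup["peer_id"]))
    return findings


def diagnose(conf_text, log_text):
    """Map each conn name to its findings for the failed lookups in the log."""
    conns = parse_conns(conf_text)
    report = {}
    for lookup in failed_lookups(log_text):
        for name, opts in conns.items():
            report[name] = lint_hybrid(opts, lookup)
    return report


if __name__ == "__main__":
    for name, findings in diagnose(BROKEN_CONF, SAMPLE_LOG).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```
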
TrippyBoy.com
2012-06-20 05:29:40 UTC
Hello Martin,

Thank you very much for your help with the configuration.

I have successfully made my Strongswan support "Hybrid + RSA". Thank
you for that.
The configuration I used for my Hybrid authentication is as below.

---- config start ----

config setup

conn %default
       keyexchange=ikev1
       forceencaps=yes
       left=192.168.246.210
       rightsourceip=192.168.246.230/24
       # added from "http://www2.strongswan.org/uml/testresults5rc/ikev1/xauth-id-rsa-hybrid/moon.ipsec.conf"
       ikelifetime=60m
       keylife=20m
       rekeymargin=3m
       keyingtries=1

conn hybridrsasig
       forceencaps=no
       leftcert=serverCert.pem
       leftid="C=JP, O=Strongswan, CN=linux.hoge.jp"
       leftauth=pubkey
       right=%any
       rightauth=xauth
       auto=add

----- config end -----

Now I have a different problem. I put part of charon.log below.

Actually I'm trying to connect to my VPN with Android Ice Cream
Sandwich (ICS) 4.0.3, a future phone.
The log looks like Android ICS is not receiving the right packet from my
VPN server and Android is asking
the VPN server to resend the packet: "received retransmit of request
with ID 0, retransmitting response".

----- log start -----

Jun 20 14:04:50 10[CFG] looking for HybridInitRSA peer configs
matching 192.168.246.210...192.168.248.101[192.168.248.101]
Jun 20 14:04:50 10[CFG] selected peer config "hybridrsasig"
Jun 20 14:04:50 10[IKE] authentication of 'C=JP, O=Strongswan,
CN=linux.fj-ngmt.jp' (myself) successful
Jun 20 14:04:50 10[ENC] generating ID_PROT response 0 [ ID SIG ]
Jun 20 14:04:50 10[NET] sending packet: from 192.168.246.210[4500] to
192.168.248.101[4500]
Jun 20 14:04:50 10[ENC] generating TRANSACTION request 107931129 [ HASH CP ]
Jun 20 14:04:50 10[NET] sending packet: from 192.168.246.210[4500] to
192.168.248.101[4500]
Jun 20 14:04:53 11[NET] received packet: from 192.168.248.101[4500] to
192.168.246.210[4500]
Jun 20 14:04:53 11[IKE] received retransmit of request with ID 0,
retransmitting response
Jun 20 14:04:53 11[NET] sending packet: from 192.168.246.210[4500] to
192.168.248.101[4500]
Jun 20 14:04:54 12[IKE] sending retransmit 1 of request message ID
107931129, seq 1
Jun 20 14:04:54 12[NET] sending packet: from 192.168.246.210[4500] to
192.168.248.101[4500]
Jun 20 14:05:01 13[IKE] sending retransmit 2 of request message ID
107931129, seq 1
Jun 20 14:05:01 13[NET] sending packet: from 192.168.246.210[4500] to
192.168.248.101[4500]
Jun 20 14:05:02 14[NET] received packet: from 192.168.248.101[4500] to
192.168.246.210[4500]
Jun 20 14:05:02 14[IKE] received retransmit of request with ID 0,
retransmitting response
Jun 20 14:05:02 14[NET] sending packet: from 192.168.246.210[4500] to
192.168.248.101[4500]
Jun 20 14:05:11 07[NET] received packet: from 192.168.248.101[4500] to
192.168.246.210[4500]
Jun 20 14:05:11 07[IKE] received retransmit of request with ID 0,
retransmitting response
Jun 20 14:05:11 07[NET] sending packet: from 192.168.246.210[4500] to
192.168.248.101[4500]
Jun 20 14:05:14 06[NET] received packet: from 192.168.248.101[4500] to
192.168.246.210[4500]
Jun 20 14:05:14 06[IKE] received retransmit of request with ID 0,
retransmitting response
Jun 20 14:05:14 06[NET] sending packet: from 192.168.246.210[4500] to
192.168.248.101[4500]
Jun 20 14:05:14 08[IKE] sending retransmit 3 of request message ID
107931129, seq 1
Jun 20 14:05:14 08[NET] sending packet: from 192.168.246.210[4500] to
192.168.248.101[4500]
Jun 20 14:05:17 09[NET] received packet: from 192.168.248.101[4500] to
192.168.246.210[4500]
Jun 20 14:05:17 09[IKE] received retransmit of request with ID 0,
retransmitting response
Jun 20 14:05:17 09[NET] sending packet: from 192.168.246.210[4500] to
192.168.248.101[4500]
Jun 20 14:05:20 10[JOB] deleting half open IKE_SA after timeout

----- log end -----

I captured the packets that come and go through ports 500 and 4500 from
the client 192.168.246.101.

---- tcpdump start ----

# tcpdump -v port 500 or port 4500 and host 192.168.248.101
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
65535 bytes

14:04:50.245977 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto
UDP (17), length 504)
192.168.248.101.isakmp > linux.hoge.jp.isakmp: isakmp 1.0 msgid
00000000: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=8
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
value=7080)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fadd)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #2 id=ike (type=lifetype value=sec)(type=lifeduration
value=7080)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fadd)(type=hash value=md5)(type=group desc value=modp1024))
(t: #3 id=ike (type=lifetype value=sec)(type=lifeduration
value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth
value=fadd)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #4 id=ike (type=lifetype value=sec)(type=lifeduration
value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth
value=fadd)(type=hash value=md5)(type=group desc value=modp1024))
(t: #5 id=ike (type=lifetype value=sec)(type=lifeduration
value=7080)(type=enc value=3des)(type=auth value=fadd)(type=hash
value=sha1)(type=group desc value=modp1024))
(t: #6 id=ike (type=lifetype value=sec)(type=lifeduration
value=7080)(type=enc value=3des)(type=auth value=fadd)(type=hash
value=md5)(type=group desc value=modp1024))
(t: #7 id=ike (type=lifetype value=sec)(type=lifeduration
value=7080)(type=enc value=1des)(type=auth value=fadd)(type=hash
value=sha1)(type=group desc value=modp1024))
(t: #8 id=ike (type=lifetype value=sec)(type=lifeduration
value=7080)(type=enc value=1des)(type=auth value=fadd)(type=hash
value=md5)(type=group desc value=modp1024))))
(vid: len=16)
(vid: len=16)
(vid: len=16)
(vid: len=16)
(vid: len=8)
(vid: len=16)
(vid: len=20)
(vid: len=16)
14:04:50.249779 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
UDP (17), length 164)
linux.hoge.jp.isakmp > 192.168.248.101.isakmp: isakmp 1.0 msgid
00000000: phase 1 R ident:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=1
(t: #1 id=ike (type=enc value=aes)(type=keylen
value=0100)(type=hash value=sha1)(type=group desc
value=modp1024)(type=auth value=fadd)(type=lifetype
value=sec)(type=lifeduration value=7080))))
(vid: len=8)
(vid: len=16)
(vid: len=16)
14:04:50.286274 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto
UDP (17), length 256)
192.168.248.101.isakmp > linux.hoge.jp.isakmp: isakmp 1.0 msgid
00000000: phase 1 I ident:
(ke: key len=128)
(nonce: n len=16)
(pay20)
(pay20)
14:04:50.293756 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
UDP (17), length 272)
linux.hoge.jp.isakmp > 192.168.248.101.isakmp: isakmp 1.0 msgid
00000000: phase 1 R ident:
(ke: key len=128)
(nonce: n len=32)
(pay20)
(pay20)
14:04:50.325885 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto
UDP (17), length 124)
192.168.248.101.ipsec-nat-t > linux.hoge.jp.ipsec-nat-t:
NONESP-encap: isakmp 1.0 msgid 00000000: phase 1 I ident[E]:
[encrypted id]
14:04:50.330134 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
UDP (17), length 396)
linux.hoge.jp.ipsec-nat-t > 192.168.248.101.ipsec-nat-t:
NONESP-encap: isakmp 1.0 msgid 00000000: phase 1 R ident[E]:
[encrypted id]
14:04:50.330339 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
UDP (17), length 108)
linux.hoge.jp.ipsec-nat-t > 192.168.248.101.ipsec-nat-t:
NONESP-encap: isakmp 1.0 msgid 066ee5f9: phase 2/others R #6[E]:
[encrypted hash]
14:04:53.339226 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto
UDP (17), length 124)
192.168.248.101.ipsec-nat-t > linux.hoge.jp.ipsec-nat-t:
NONESP-encap: isakmp 1.0 msgid 00000000: phase 1 I ident[E]:
[encrypted id]
14:04:53.340049 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
UDP (17), length 396)
linux.hoge.jp.ipsec-nat-t > 192.168.248.101.ipsec-nat-t:
NONESP-encap: isakmp 1.0 msgid 00000000: phase 1 R ident[E]:
[encrypted id]
14:04:54.331725 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
UDP (17), length 108)
linux.hoge.jp.ipsec-nat-t > 192.168.248.101.ipsec-nat-t:
NONESP-encap: isakmp 1.0 msgid 066ee5f9: phase 2/others R #6[E]:
[encrypted hash]
14:05:01.534131 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
UDP (17), length 108)
linux.hoge.jp.ipsec-nat-t > 192.168.248.101.ipsec-nat-t:
NONESP-encap: isakmp 1.0 msgid 066ee5f9: phase 2/others R #6[E]:
[encrypted hash]
14:05:02.357470 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto
UDP (17), length 124)
192.168.248.101.ipsec-nat-t > linux.hoge.jp.ipsec-nat-t:
NONESP-encap: isakmp 1.0 msgid 00000000: phase 1 I ident[E]:
[encrypted id]
14:05:02.358219 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
UDP (17), length 396)
linux.hoge.jp.ipsec-nat-t > 192.168.248.101.ipsec-nat-t:
NONESP-encap: isakmp 1.0 msgid 00000000: phase 1 R ident[E]:
[encrypted id]
14:05:07.262699 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto
UDP (17), length 29)
192.168.248.101.ipsec-nat-t > linux.hoge.jp.ipsec-nat-t:
isakmp-nat-keep-alive
14:05:11.360989 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto
UDP (17), length 124)
192.168.248.101.ipsec-nat-t > linux.hoge.jp.ipsec-nat-t:
NONESP-encap: isakmp 1.0 msgid 00000000: phase 1 I ident[E]:
[encrypted id]
14:05:11.361964 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
UDP (17), length 396)
linux.hoge.jp.ipsec-nat-t > 192.168.248.101.ipsec-nat-t:
NONESP-encap: isakmp 1.0 msgid 00000000: phase 1 R ident[E]:
[encrypted id]
14:05:14.364938 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto
UDP (17), length 124)
192.168.248.101.ipsec-nat-t > linux.hoge.jp.ipsec-nat-t:
NONESP-encap: isakmp 1.0 msgid 00000000: phase 1 I ident[E]:
[encrypted id]
14:05:14.365655 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
UDP (17), length 396)
linux.hoge.jp.ipsec-nat-t > 192.168.248.101.ipsec-nat-t:
NONESP-encap: isakmp 1.0 msgid 00000000: phase 1 R ident[E]:
[encrypted id]
14:05:14.496160 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
UDP (17), length 108)
linux.hoge.jp.ipsec-nat-t > 192.168.248.101.ipsec-nat-t:
NONESP-encap: isakmp 1.0 msgid 066ee5f9: phase 2/others R #6[E]:
[encrypted hash]
14:05:17.373363 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto
UDP (17), length 124)
192.168.248.101.ipsec-nat-t > linux.hoge.jp.ipsec-nat-t:
NONESP-encap: isakmp 1.0 msgid 00000000: phase 1 I ident[E]:
[encrypted id]
14:05:17.374016 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
UDP (17), length 396)
linux.hoge.jp.ipsec-nat-t > 192.168.248.101.ipsec-nat-t:
NONESP-encap: isakmp 1.0 msgid 00000000: phase 1 R ident[E]:
[encrypted id]
^C
21 packets captured
21 packets received by filter
0 packets dropped by kernel
#

----- tcpdump end -----

The same client, which is Android ICS 4.0.3, can connect to the same VPN
server with XAUTH+RSA and XAUTH+PSK, so I am not sure if this is being
caused by my VPN server or not. Probably the future phone needs to be
checked, like whether it receives packets from my VPN server or not.

Regards
Yuki
--
TrippyBoy.com http://trippyboy.com/
Andreas Steffen
2012-06-19 09:08:42 UTC
Hello,

strongswan-5.0.0rc1 which was released today comes with an IKEv1 Hybrid
Mode example scenario:

www.strongswan.org/uml/testresults5rc/ikev1/xauth-id-rsa-hybrid/

Regards

Andreas
======================================================================
Andreas Steffen andreas.steffen-***@public.gmane.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
北川 敬寿
2012-06-19 09:39:45 UTC
Hello Andreas,

Thank you for this information!
I will give it a try! :)

Regards,
Yukihisa Kitagawa