[Openswan Users] need help with ipsec tunnel to iphone

Richard Pagotto richard at vspec.net
Wed May 25 07:15:41 EDT 2011


Hello Paul,
 
Thank you for looking over my errors and configuration, I very much appreciate your help.
 
I have reread the conf and secrets man pages and figured out what username and password I should be using.
Despite your help and a total rewrite of my ipsec.conf it still doesn't work, but it does get to the XAUTH phase.
 
I'm also not using L2TP at all, I'm going for a pure IPsec tunnel.
 
I'm pretty sure I've done the certificates correctly and put them in the correct location; they've been signed, converted to p12, installed on the phone with the password, and are being used in the configuration.
 
If you want scrapes of my certs I can happily supply them.
 
Config is below.
 
May 25 19:39:49 linuxserver ipsec_setup: Starting Openswan IPsec U2.6.33/K2.6.21.5-smp...
May 25 19:39:49 linuxserver ipsec_setup: Using NETKEY(XFRM) stack
May 25 19:39:55 linuxserver ipsec_setup: ...Openswan IPsec started
May 25 19:39:55 linuxserver pluto: adjusting ipsec.d to /etc/ipsec.d
May 25 19:39:55 linuxserver ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
May 25 19:39:57 linuxserver ipsec__plutorun: 002 loading certificate from /etc/ipsec.d/certs/strongswanCert.pem
May 25 19:39:57 linuxserver ipsec__plutorun: 002   loaded host cert file '/etc/ipsec.d/certs/strongswanCert.pem' (1330 bytes)
May 25 19:39:57 linuxserver ipsec__plutorun: 002 added connection description "iphone"
+ _________________________ plog
+ sed -n '5039482,$p' /var/log/secure
+ egrep -i pluto
+ case "$1" in
+ cat
May 25 19:39:55 linuxserver ipsec__plutorun: Starting Pluto subsystem...
May 25 19:39:55 linuxserver pluto[10620]: Starting Pluto (Openswan Version 2.6.33; Vendor ID OEghI_w\134ALFy) pid:10620
May 25 19:39:55 linuxserver pluto[10620]: LEAK_DETECTIVE support [disabled]
May 25 19:39:55 linuxserver pluto[10620]: OCF support for IKE [disabled]
May 25 19:39:55 linuxserver pluto[10620]: SAref support [disabled]: Protocol not available
May 25 19:39:55 linuxserver pluto[10620]: SAbind support [disabled]: Protocol not available
May 25 19:39:55 linuxserver pluto[10620]: NSS support [disabled]
May 25 19:39:55 linuxserver pluto[10620]: HAVE_STATSD notification support not compiled in
May 25 19:39:55 linuxserver pluto[10620]: Setting NAT-Traversal port-4500 floating to on
May 25 19:39:55 linuxserver pluto[10620]:    port floating activation criteria nat_t=1/port_float=1
May 25 19:39:55 linuxserver pluto[10620]:    NAT-Traversal support  [enabled]
May 25 19:39:55 linuxserver pluto[10620]: using /dev/urandom as source of random entropy
May 25 19:39:55 linuxserver pluto[10620]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
May 25 19:39:55 linuxserver pluto[10620]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
May 25 19:39:55 linuxserver pluto[10620]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
May 25 19:39:55 linuxserver pluto[10620]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
May 25 19:39:55 linuxserver pluto[10620]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
May 25 19:39:55 linuxserver pluto[10620]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
May 25 19:39:55 linuxserver pluto[10620]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
May 25 19:39:55 linuxserver pluto[10620]: starting up 1 cryptographic helpers
May 25 19:39:55 linuxserver pluto[10624]: using /dev/urandom as source of random entropy
May 25 19:39:55 linuxserver pluto[10620]: started helper pid=10624 (fd:7)
May 25 19:39:55 linuxserver pluto[10620]: Using Linux 2.6 IPsec interface code on 2.6.21.5-smp (experimental code)
May 25 19:39:56 linuxserver pluto[10620]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
May 25 19:39:56 linuxserver pluto[10620]: ike_alg_add(): ERROR: Algorithm already exists
May 25 19:39:56 linuxserver pluto[10620]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
May 25 19:39:56 linuxserver pluto[10620]: ike_alg_add(): ERROR: Algorithm already exists
May 25 19:39:56 linuxserver pluto[10620]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
May 25 19:39:56 linuxserver pluto[10620]: ike_alg_add(): ERROR: Algorithm already exists
May 25 19:39:56 linuxserver pluto[10620]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
May 25 19:39:56 linuxserver pluto[10620]: ike_alg_add(): ERROR: Algorithm already exists
May 25 19:39:56 linuxserver pluto[10620]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
May 25 19:39:56 linuxserver pluto[10620]: ike_alg_add(): ERROR: Algorithm already exists
May 25 19:39:56 linuxserver pluto[10620]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
May 25 19:39:57 linuxserver pluto[10620]: Changed path to directory '/etc/ipsec.d/cacerts'
May 25 19:39:57 linuxserver pluto[10620]:   loaded CA cert file 'strongswanCert.pem' (1330 bytes)
May 25 19:39:57 linuxserver pluto[10620]: Changed path to directory '/etc/ipsec.d/aacerts'
May 25 19:39:57 linuxserver pluto[10620]: Changed path to directory '/etc/ipsec.d/ocspcerts'
May 25 19:39:57 linuxserver pluto[10620]: Changing to directory '/etc/ipsec.d/crls'
May 25 19:39:57 linuxserver pluto[10620]:   loaded crl file 'crl.pem' (434 bytes)
May 25 19:39:57 linuxserver pluto[10620]: loading certificate from /etc/ipsec.d/certs/strongswanCert.pem
May 25 19:39:57 linuxserver pluto[10620]:   loaded host cert file '/etc/ipsec.d/certs/strongswanCert.pem' (1330 bytes)
May 25 19:39:57 linuxserver pluto[10620]: added connection description "iphone"
May 25 19:39:57 linuxserver pluto[10620]: listening for IKE messages
May 25 19:39:57 linuxserver pluto[10620]: adding interface eth0/eth0 192.168.0.2:500
May 25 19:39:57 linuxserver pluto[10620]: adding interface eth0/eth0 192.168.0.2:4500
May 25 19:39:57 linuxserver pluto[10620]: adding interface lo/lo 127.0.0.1:500
May 25 19:39:57 linuxserver pluto[10620]: adding interface lo/lo 127.0.0.1:4500
May 25 19:39:57 linuxserver pluto[10620]: adding interface lo/lo ::1:500
May 25 19:39:57 linuxserver pluto[10620]: loading secrets from "/etc/ipsec.secrets"
May 25 19:39:57 linuxserver pluto[10620]:   loaded private key file '/etc/ipsec.d/private/hostKey.pem' (963 bytes)
May 25 19:39:57 linuxserver pluto[10620]: loaded private key for keyid: PPK_RSA:XXXXX
May 25 19:40:20 linuxserver pluto[10620]: packet from 203.20.35.28:42884: received Vendor ID payload [RFC 3947] method set to=109
May 25 19:40:20 linuxserver pluto[10620]: packet from 203.20.35.28:42884: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
May 25 19:40:20 linuxserver pluto[10620]: packet from 203.20.35.28:42884: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
May 25 19:40:20 linuxserver pluto[10620]: packet from 203.20.35.28:42884: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
May 25 19:40:20 linuxserver pluto[10620]: packet from 203.20.35.28:42884: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
May 25 19:40:20 linuxserver pluto[10620]: packet from 203.20.35.28:42884: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
May 25 19:40:20 linuxserver pluto[10620]: packet from 203.20.35.28:42884: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
May 25 19:40:20 linuxserver pluto[10620]: packet from 203.20.35.28:42884: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
May 25 19:40:20 linuxserver pluto[10620]: packet from 203.20.35.28:42884: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
May 25 19:40:20 linuxserver pluto[10620]: packet from 203.20.35.28:42884: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
May 25 19:40:20 linuxserver pluto[10620]: packet from 203.20.35.28:42884: received Vendor ID payload [XAUTH]
May 25 19:40:20 linuxserver pluto[10620]: packet from 203.20.35.28:42884: received Vendor ID payload [Cisco-Unity]
May 25 19:40:20 linuxserver pluto[10620]: packet from 203.20.35.28:42884: received Vendor ID payload [Dead Peer Detection]
May 25 19:40:20 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: responding to Main Mode from unknown peer 203.20.35.28
May 25 19:40:20 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 25 19:40:20 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: STATE_MAIN_R1: sent MR1, expecting MI2
May 25 19:40:21 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
May 25 19:40:21 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 25 19:40:21 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: STATE_MAIN_R2: sent MR2, expecting MI3
May 25 19:40:22 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May 25 19:40:22 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'
May 25 19:40:22 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: end certificate with identical subject and issuer not accepted
May 25 19:40:22 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: X.509 certificate rejected
May 25 19:40:22 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'
May 25 19:40:22 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:42884
May 25 19:40:27 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May 25 19:40:27 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'
May 25 19:40:27 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: end certificate with identical subject and issuer not accepted
May 25 19:40:27 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: X.509 certificate rejected
May 25 19:40:27 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'
May 25 19:40:27 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:42884
May 25 19:40:28 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May 25 19:40:28 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'
May 25 19:40:28 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: end certificate with identical subject and issuer not accepted
May 25 19:40:28 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: X.509 certificate rejected
May 25 19:40:28 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'
May 25 19:40:28 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:42884
May 25 19:40:31 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May 25 19:40:31 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'
May 25 19:40:31 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: end certificate with identical subject and issuer not accepted
May 25 19:40:31 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: X.509 certificate rejected
May 25 19:40:31 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'
May 25 19:40:31 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:42884
May 25 19:40:32 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May 25 19:40:32 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'
May 25 19:40:32 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: end certificate with identical subject and issuer not accepted
May 25 19:40:32 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: X.509 certificate rejected
May 25 19:40:32 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'
May 25 19:40:32 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:42884
May 25 19:40:43 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May 25 19:40:43 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'
May 25 19:40:43 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: end certificate with identical subject and issuer not accepted
May 25 19:40:43 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: X.509 certificate rejected
May 25 19:40:43 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'
May 25 19:40:43 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:42884
May 25 19:41:31 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: max number of retransmissions (2) reached STATE_MAIN_R2
May 25 19:41:31 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28: deleting connection "iphone" instance with peer 203.20.35.28 {isakmp=#0/ipsec=#0}
+ _________________________ date
+ date
Wed May 25 19:41:45 EST 2011

ipsec.conf
 
config setup
        plutoopts="--perpeerlog"
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25/8
        oe=off
        protostack=netkey
 
conn iphone
        auto=add
        dpdaction=clear
        dpdtimeout=15
        dpddelay=10
        pfs=no
        leftcert=/etc/ipsec.d/certs/strongswanCert.pem
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftxauthserver=yes
        leftmodecfgserver=yes
        leftrsasigkey=%cert
        right=%any
        rightmodecfgclient=yes
        rightsubnet=vhost:%priv,%no
        modecfgpull=yes

/etc/ipsec.secrets

: RSA /etc/ipsec.d/private/hostKey.pem "warez"
@username : XAUTH "password"

Thanks
Rich
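The repeated log line "end certificate with identical subject and issuer not accepted" is pluto refusing a self-signed certificate where it expects a CA-issued host certificate, which is why the exchange never reaches XAUTH. The following Go example is added here and is not from this thread or from Openswan; it reproduces that check against a constructed CA/host certificate pair, with "demo CA" and "linuxserver" as placeholder names.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// EndCertProblem applies the rule behind pluto's "end certificate with identical subject
// and issuer not accepted": a host (end) cert must be CA-issued. "" means acceptable.
func EndCertProblem(c *x509.Certificate) string {
	if bytes.Equal(c.RawSubject, c.RawIssuer) {
		return "identical subject and issuer: self-signed certificate used as host cert"
	}
	if c.IsCA {
		return "CA certificate (basicConstraints CA=TRUE) used as host cert"
	}
	return ""
}

// issue signs tmpl with the signer's key; passing tmpl as its own parent yields a self-signed cert.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER was just produced above, so it parses
	return c
}

func template(serial int64, cn string, isCA bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: isCA}
}

// DemoCerts builds a constructed, throwaway CA cert and a host cert signed by it (the cacerts/ vs certs/ pair).
func DemoCerts() (ca, host *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	hostKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caT := template(1, "demo CA", true)
	ca = issue(caT, caT, &caKey.PublicKey, caKey) // self-signed root: subject == issuer
	host = issue(template(2, "linuxserver", false), ca, &hostKey.PublicKey, caKey)
	return ca, host
}
```

Running EndCertProblem over the certificate actually loaded as leftcert (or installed on the phone) tells you whether it is the CA certificate rather than a host certificate signed by it.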
 
________________________________

From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Wed 25/05/2011 6:08 AM
To: Richard Pagotto
Cc: users at openswan.org
Subject: Re: [Openswan Users] need help with ipsec tunnel to iphone



On Tue, 24 May 2011, Richard Pagotto wrote:

> I have created certificates and emailed myself, installed fine on iPhone
>
> Not sure which account name and password to set on the phone, I had to put in the password I used for the cert to
> install it

The one you put in /etc/ppp/chap-secrets on the L2TP server (or, if you use LDAP/RADIUS, those).

That assumes you are using L2TP. If using XAUTH, then the user/pass comes from the /etc/ipsec.d/htpasswd
file or if compiled with system pam, from your system password.

>         dpddelay=10
>         authby=rsasig
>         pfs=no
>         leftcert=/etc/ipsec.d/certs/strongswanCert.pem
>         left=192.168.0.1
>         leftsubnet=0.0.0.0/0
>         leftxauthserver=yes
>         leftmodecfgclient=yes
>         right=%any
>         rightsourceip=192.168.0.2

Remove the rightsourceip= as the remote is not using Openswan.

>         rightcert=/etc/ipsec.d/certs/hostCert.pem
>         rightnexthop=%defaultroute

Same for rightnexthop=.
>         rightxauthserver=yes
>         rightmodecfgclient=yes

Add: rightsubnet=vhost:%priv,%no

> May 24 21:28:52 linuxserver pluto[3517]: packet from 203.20.35.28:33009: initial Main Mode message received on
> 192.168.0.2:500 but no connection has been authorized with policy=RSASIG

It fails to match your connection. You're not even getting to the XAUTH phase yet.

Paul


