[Openswan Users] need help with ipsec tunnel to iphone

Richard Pagotto richard at vspec.net
Wed May 25 11:34:11 EDT 2011




-----Original Message-----
From: Richard Pagotto
Sent: Thu 5/26/2011 1:27 AM
To: Richard Pagotto; Paul Wouters; users at openswan.org
Subject: RE: [Openswan Users] need help with ipsec tunnel to iphone
 



-----Original Message-----
From: Richard Pagotto
Sent: Thu 5/26/2011 1:14 AM
To: Paul Wouters
Subject: RE: [Openswan Users] need help with ipsec tunnel to iphone
 



-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Thu 5/26/2011 12:21 AM
To: Richard Pagotto
Cc: users at openswan.org
Subject: RE: [Openswan Users] need help with ipsec tunnel to iphone
 
On Wed, 25 May 2011, Richard Pagotto wrote:

> I have reread the conf and secrets man pages and figured out what username and password I should be using.
> Despite your help and a total rewrite of my ipsec.conf it still doesn't work, but it does get to the XAUTH phase.
>
> I'm also not using L2TP at all, I'm going for a pure IPsec tunnel.

There might be proprietary xauth/cisco extensions involved with that, so you're in dangerous unknown waters.

> I'm pretty sure I've done the certificates correctly, and put them in the correct location; they've been signed, converted
> to p12, installed on the phone with the password and are being used in the configuration.

May 25 19:40:22 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: end certificate with identical subject and
issuer not accepted

You generated the CA with the same CN= as one of your host certs. This is rejected because that host could
pretend to be a CA to other hosts. My advice is to always add "CA" to the CN= for a CA, and never to add
it for a host.

Paul

Paul,

I have remade and signed the certs, I'll tell you how I go :)

Rich


Paul,

Any help with this, I really appreciate your assistance.

openssl req -x509 -days 3650 -newkey rsa:2048 -keyout private/OpenswanKey.pem -out cacerts/OpenswanCert.pem
# CN=CA (subject entered at the req prompt)
cp cacerts/OpenswanCert.pem certs/
# change openssl.conf
openssl req -newkey rsa:2048 -keyout private/hostKey.pem -out reqs/hostReq.pem
# CN=richard (subject entered at the req prompt)
openssl ca -in reqs/hostReq.pem -days 730 -out certs/hostCert.pem -notext
openssl pkcs12 -export -inkey private/hostKey.pem -in certs/hostCert.pem -name "newhost" -certfile cacerts/OpenswanCert.pem -caname "Openwan Root CA" -out host.p12

May 26 00:18:02 linuxserver pluto[10620]: shutting down
May 26 00:18:02 linuxserver pluto[10620]: forgetting secrets
May 26 00:18:02 linuxserver pluto[10620]: "iphone": deleting connection
May 26 00:18:02 linuxserver pluto[10620]: shutting down interface lo/lo ::1:500
May 26 00:18:02 linuxserver pluto[10620]: shutting down interface lo/lo 127.0.0.1:4500
May 26 00:18:02 linuxserver pluto[10620]: shutting down interface lo/lo 127.0.0.1:500
May 26 00:18:02 linuxserver pluto[10620]: shutting down interface eth0/eth0 192.168.0.2:4500
May 26 00:18:02 linuxserver pluto[10620]: shutting down interface eth0/eth0 192.168.0.2:500
May 26 00:18:03 linuxserver pluto[10624]: pluto_crypto_helper: helper (0) is  normal exiting
May 26 00:18:10 linuxserver ipsec__plutorun: Starting Pluto subsystem...
May 26 00:18:10 linuxserver pluto[11641]: Starting Pluto (Openswan Version 2.6.33; Vendor ID OEghI_w\134ALFy) pid:11641
May 26 00:18:10 linuxserver pluto[11641]: LEAK_DETECTIVE support [disabled]
May 26 00:18:10 linuxserver pluto[11641]: OCF support for IKE [disabled]
May 26 00:18:10 linuxserver pluto[11641]: SAref support [disabled]: Protocol not available
May 26 00:18:10 linuxserver pluto[11641]: SAbind support [disabled]: Protocol not available
May 26 00:18:10 linuxserver pluto[11641]: NSS support [disabled]
May 26 00:18:10 linuxserver pluto[11641]: HAVE_STATSD notification support not compiled in
May 26 00:18:10 linuxserver pluto[11641]: Setting NAT-Traversal port-4500 floating to on
May 26 00:18:10 linuxserver pluto[11641]:    port floating activation criteria nat_t=1/port_float=1
May 26 00:18:10 linuxserver pluto[11641]:    NAT-Traversal support  [enabled]
May 26 00:18:10 linuxserver pluto[11641]: using /dev/urandom as source of random entropy
May 26 00:18:10 linuxserver pluto[11641]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
May 26 00:18:10 linuxserver pluto[11641]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
May 26 00:18:10 linuxserver pluto[11641]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
May 26 00:18:10 linuxserver pluto[11641]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
May 26 00:18:10 linuxserver pluto[11641]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
May 26 00:18:10 linuxserver pluto[11641]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
May 26 00:18:10 linuxserver pluto[11641]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
May 26 00:18:10 linuxserver pluto[11641]: starting up 1 cryptographic helpers
May 26 00:18:10 linuxserver pluto[11645]: using /dev/urandom as source of random entropy
May 26 00:18:10 linuxserver pluto[11641]: started helper pid=11645 (fd:7)
May 26 00:18:10 linuxserver pluto[11641]: Using Linux 2.6 IPsec interface code on 2.6.21.5-smp (experimental code)
May 26 00:18:12 linuxserver pluto[11641]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
May 26 00:18:12 linuxserver pluto[11641]: ike_alg_add(): ERROR: Algorithm already exists
May 26 00:18:12 linuxserver pluto[11641]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
May 26 00:18:12 linuxserver pluto[11641]: ike_alg_add(): ERROR: Algorithm already exists
May 26 00:18:12 linuxserver pluto[11641]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
May 26 00:18:12 linuxserver pluto[11641]: ike_alg_add(): ERROR: Algorithm already exists
May 26 00:18:12 linuxserver pluto[11641]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
May 26 00:18:12 linuxserver pluto[11641]: ike_alg_add(): ERROR: Algorithm already exists
May 26 00:18:12 linuxserver pluto[11641]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
May 26 00:18:12 linuxserver pluto[11641]: ike_alg_add(): ERROR: Algorithm already exists
May 26 00:18:12 linuxserver pluto[11641]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
May 26 00:18:12 linuxserver pluto[11641]: Changed path to directory '/etc/ipsec.d/cacerts'
May 26 00:18:13 linuxserver pluto[11641]:   loaded CA cert file 'OpenswanCert.pem' (1330 bytes)
May 26 00:18:13 linuxserver pluto[11641]: Changed path to directory '/etc/ipsec.d/aacerts'
May 26 00:18:13 linuxserver pluto[11641]: Changed path to directory '/etc/ipsec.d/ocspcerts'
May 26 00:18:13 linuxserver pluto[11641]: Changing to directory '/etc/ipsec.d/crls'
May 26 00:18:13 linuxserver pluto[11641]:   Warning: empty directory
May 26 00:18:13 linuxserver pluto[11641]: loading certificate from /etc/ipsec.d/certs/OpenswanCert.pem
May 26 00:18:13 linuxserver pluto[11641]:   loaded host cert file '/etc/ipsec.d/certs/OpenswanCert.pem' (1330 bytes)
May 26 00:18:13 linuxserver pluto[11641]: added connection description "iphone"
May 26 00:18:13 linuxserver pluto[11641]: listening for IKE messages
May 26 00:18:13 linuxserver pluto[11641]: adding interface eth0/eth0 192.168.0.2:500
May 26 00:18:13 linuxserver pluto[11641]: adding interface eth0/eth0 192.168.0.2:4500
May 26 00:18:13 linuxserver pluto[11641]: adding interface lo/lo 127.0.0.1:500
May 26 00:18:13 linuxserver pluto[11641]: adding interface lo/lo 127.0.0.1:4500
May 26 00:18:13 linuxserver pluto[11641]: adding interface lo/lo ::1:500
May 26 00:18:13 linuxserver pluto[11641]: loading secrets from "/etc/ipsec.secrets"
May 26 00:18:13 linuxserver pluto[11641]:   loaded private key file '/etc/ipsec.d/private/hostKey.pem' (1743 bytes)
May 26 00:18:13 linuxserver pluto[11641]: loaded private key for keyid: PPK_RSA:AwEAAb3qE
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: received Vendor ID payload [RFC 3947] method set to=109
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: received Vendor ID payload [XAUTH]
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: received Vendor ID payload [Cisco-Unity]
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: received Vendor ID payload [Dead Peer Detection]
May 26 00:18:44 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: responding to Main Mode from unknown peer 203.20.35.28
May 26 00:18:44 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 26 00:18:44 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: STATE_MAIN_R1: sent MR1, expecting MI2
May 26 00:18:45 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
May 26 00:18:45 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 26 00:18:45 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: STATE_MAIN_R2: sent MR2, expecting MI3
May 26 00:18:47 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May 26 00:18:47 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'
May 26 00:18:47 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no crl from issuer "C=AU, ST=Victoria, O=vspec.net, CN=CA" found (strict=no)
May 26 00:18:47 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'
May 26 00:18:47 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:12596
May 26 00:18:50 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May 26 00:18:50 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'
May 26 00:18:50 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no crl from issuer "C=AU, ST=Victoria, O=vspec.net, CN=CA" found (strict=no)
May 26 00:18:50 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'
May 26 00:18:50 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:12596
May 26 00:18:52 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May 26 00:18:52 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'
May 26 00:18:52 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no crl from issuer "C=AU, ST=Victoria, O=vspec.net, CN=CA" found (strict=no)
May 26 00:18:52 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'
May 26 00:18:52 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:12596
May 26 00:18:56 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May 26 00:18:56 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'
May 26 00:18:56 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no crl from issuer "C=AU, ST=Victoria, O=vspec.net, CN=CA" found (strict=no)
May 26 00:18:56 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'
May 26 00:18:56 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:12596
May 26 00:18:57 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May 26 00:18:57 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'
May 26 00:18:57 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no crl from issuer "C=AU, ST=Victoria, O=vspec.net, CN=CA" found (strict=no)
May 26 00:18:57 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'
May 26 00:18:57 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:12596
May 26 00:19:09 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May 26 00:19:09 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'
May 26 00:19:09 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no crl from issuer "C=AU, ST=Victoria, O=vspec.net, CN=CA" found (strict=no)
May 26 00:19:09 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'
May 26 00:19:09 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:12596
May 26 00:19:55 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: max number of retransmissions (2) reached STATE_MAIN_R2
May 26 00:19:55 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28: deleting connection "iphone" instance with peer 203.20.35.28 {isakmp=#0/ipsec=#0}

I have also tried adding rightid="@#0x70736b" to ipsec.conf, did ipsec setup reload, exactly the same error.

Rich
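Paul's point above (a CA and a host certificate must not share a CN, or the end certificate's subject equals its issuer and pluto rejects it as self-signed) as an added shell example; this is not code from the thread or from Openswan, it assumes the openssl CLI is on PATH, and the DN values (example.test, richard) and file names are constructed. It issues one host cert the wrong way and one the right way, then applies the same subject-vs-issuer check pluto does.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: reproduce the "identical
# subject and issuer" rejection, then the corrected naming (CA keeps "CA" in
# its CN, the host gets its own CN). Assumes the openssl CLI is on PATH.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_SUBJ="/C=AU/ST=Victoria/O=example.test/CN=CA"   # constructed DN

# Self-signed root: subject == issuer is expected for a CA, not for an end cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "$CA_SUBJ" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# issue_cert NAME SUBJECT: key + CSR for NAME, signed by the CA above.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 730 -out "$WORK/$1.pem" 2>/dev/null
}

# The mistake in the thread: the host DN is identical to the CA DN.
issue_cert badhost "$CA_SUBJ"
# The fix: a distinct CN for the host, "CA" reserved for the CA.
issue_cert goodhost "/C=AU/ST=Victoria/O=example.test/CN=richard"

# end_cert_ok CERT: the check pluto applies to an end certificate;
# returns 0 only if subject and issuer differ.
end_cert_ok() {
    subj="$(openssl x509 -noout -subject -in "$1")"
    iss="$(openssl x509 -noout -issuer -in "$1")"
    [ "${subj#subject=}" != "${iss#issuer=}" ]
}

# chain_ok CERT: returns 0 if CERT verifies against our CA.
chain_ok() { openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; }

BADHOST="$WORK/badhost.pem"
GOODHOST="$WORK/goodhost.pem"
for c in "$BADHOST" "$GOODHOST"; do
    if end_cert_ok "$c"; then echo "accepted: $c"; else echo "rejected: $c"; fi
done
```

Separately, the log above shows pluto loading /etc/ipsec.d/certs/OpenswanCert.pem (the CA copied into certs/) as the host certificate while the private key loaded is hostKey.pem, so leftcert= should point at hostCert.pem rather than at the CA.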
