List:       strongswan-users
Subject:    Re: [strongSwan] FW: ikev2 vpn using PKI auth with a Blackberry Z10
From:       "G. B." <gawd0wns () hotmail ! com>
Date:       2013-09-21 17:12:48
Message-ID: BAY175-W1EC3AD1B0FC915187BA2180230 () phx ! gbl


Does anyone have any other suggestions to try?


From: gawd0wns@hotmail.com
To: users@lists.strongswan.org
Subject: RE: [strongSwan] FW: ikev2 vpn using PKI auth with a Blackberry Z10
Date: Wed, 18 Sep 2013 21:13:39 -0200




> > z10{1}:   0.0.0.0/24 === 10.10.10.1/32
> 
> Doesn't look like a valid subnet for your local side. What is your
> leftsubnet configuration?

During this connection attempt, I had leftsubnet set to 0.0.0.0/0.  I have been trying different settings to see if it would have an effect.  When I set the subnet to my actual LAN subnet, (leftsubnet=192.168.16.0/24), it doesn't work either.  Here is the ipsec statusall output when it is set to my actual subnet:

Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips):
  uptime: 3 minutes, since Sep 18 19:13:10 2013
  malloc: sbrk 221184, mmap 0, used 189456, free 31728
  worker threads: 3 of 16 idle, 12/1/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/1/0
Listening IP addresses:
  99.234.220.200
  192.168.16.50
Connections:
         z10:  myip.com...%any  IKEv2
         z10:   local:  [C=CA, O=none, CN=server] uses public key authentication
         z10:    cert:  "C=CA, O=none, CN=server"
         z10:   remote: [C=CA, O=none, CN=z10] uses public key authentication
         z10:   child:  192.168.16.0/24 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
         z10[1]: ESTABLISHED 3 minutes ago, 99.234.220.200[C=CA, O=none, CN=server]...24.114.94.100[C=CA, O=none, CN=z10]
         z10[1]: IKEv2 SPIs: b44384ec9af2275b_i 9c09709370559f7d_r*, public key reauthentication in 52 minutes
         z10[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
         z10{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c5ab637d_i 633e50d9_o
         z10{1}:  AES_CBC_256/HMAC_SHA2_256_128, 384 bytes_i, 0 bytes_o, rekeying in 11 minutes
         z10{1}:   192.168.16.0/24 === 10.10.10.1/32

Some additional output:
root:/opt/etc# ip route list table 220
10.10.10.1 via 99.234.220.1 dev vlan2  proto static  src 192.168.16.50

My output from iptables -L doesn't look right, I have fewer rules than the configuration example on the strongswan website for gateway moon in a similar configuration (rw-cert):  http://www.strongswan.org/uml/testresults/ikev2/rw-cert/moon.iptables

I have fewer FORWARD rules, and I don't see anything to allow esp (that I can tell).

root:/opt/etc# iptables -L
root@unknown:/opt/etc# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:4500
ACCEPT     udp  --  anywhere             anywhere            udp dpt:500
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
shlimit    tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  10.10.10.1           192.168.16.0/24      policy match dir in pol ipsec reqid 1 proto ipv6-crypt
ACCEPT     all  --  192.168.16.0/24      10.10.10.1           policy match dir out pol ipsec reqid 1 proto ipv6-crypt
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere            state INVALID
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
wanin      all  --  anywhere             anywhere
wanout     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain shlimit (1 references)
target     prot opt source               destination
           all  --  anywhere             anywhere            recent: SET name: shlimit side: source
DROP       all  --  anywhere             anywhere            recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source

Chain wanin (1 references)
target     prot opt source               destination

Chain wanout (1 references)
target     prot opt source               destination



How could I add those additional rules manually?


> Subject: Re: [strongSwan] FW: ikev2 vpn using PKI auth with a Blackberry Z10
> From: martin@strongswan.org
> To: gawd0wns@hotmail.com
> CC: users@lists.strongswan.org
> Date: Wed, 18 Sep 2013 14:34:11 +0200
> 
> 
> > z10{1}:   0.0.0.0/24 === 10.10.10.1/32
> 
> Doesn't look like a valid subnet for your local side. What is your
> leftsubnet configuration?
> 
> Possible that the updown script and/or iptables mess up with that.
> 
> Regards
> Martin
> 

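The rule set the post compares against (the rw-cert "moon" gateway: IKE, NAT-T and ESP on the WAN side, plus FORWARD rules that only pass pool/LAN traffic carrying an IPsec policy), written out as an added example that is not from the original post or from strongSwan. LAN and pool addresses are the ones in the statusall output above; WAN_IF=vlan2 is an assumption read off the table 220 route. The second function checks an `iptables -S` listing for the two pieces the post says are missing.

```shell
#!/bin/sh
# Added example, not from the original post or from strongSwan.
LAN_NET="192.168.16.0/24"   # leftsubnet, from the statusall output in the post
POOL_NET="10.10.10.0/24"    # virtual IP pool, from the statusall output
WAN_IF="vlan2"              # ASSUMPTION: WAN interface, taken from the table 220 route

# Print the rules without applying them; run the output as root to apply
# (e.g. ipsec_gw_rules | sh). The two "policy match ... reqid 1" FORWARD
# rules already in the post's listing are what strongSwan's updown script
# typically inserts per CHILD_SA; the ones below are the static equivalent.
ipsec_gw_rules() {
    cat <<EOF
# IKE and NAT-T (UDP-encapsulated ESP arrives on 4500)
iptables -A INPUT  -i $WAN_IF -p udp --dport 500  -j ACCEPT
iptables -A INPUT  -i $WAN_IF -p udp --dport 4500 -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p udp --sport 500  -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p udp --sport 4500 -j ACCEPT
# plain ESP, used only when a peer is not behind NAT
iptables -A INPUT  -i $WAN_IF -p esp -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p esp -j ACCEPT
# forward pool<->LAN traffic only if it was actually protected by IPsec
iptables -A FORWARD -s $POOL_NET -d $LAN_NET -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
iptables -A FORWARD -s $LAN_NET -d $POOL_NET -m policy --dir out --pol ipsec --proto esp -j ACCEPT
EOF
}

# Read an "iptables -S" listing on stdin and return 0 only when it contains
# both an ESP accept rule and an ipsec policy-match FORWARD rule.
# Usage: iptables -S | rules_present && echo ok
rules_present() {
    listing=$(cat)
    printf '%s\n' "$listing" | grep -q -e '-p esp .*-j ACCEPT' &&
    printf '%s\n' "$listing" | grep -q -e '-A FORWARD .*-m policy .*--pol ipsec'
}
```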




_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
