
List:       strongswan-users
Subject:    [strongSwan] mobileconfig configuration
From:       Alex Sharaz <alex.sharaz () york ! ac ! uk>
Date:       2017-08-25 13:09:23
Message-ID: CAMp5yPmpzinmkLWx0kE6noWeXV9LZXLPec_prQqtV2vRhnRTsA () mail ! gmail ! com

Hi,
quick question about incorporating the CA chain in a .mobileconfig file

I've used the apple configurator to create a .mobileconfig file for use
against our SSwan 5.5.3 VPN service.

Initially we used a locally generated server cert from our internal CA so
I included the intermediate and root CAs in the .mobileconfig payload.
We've since moved to a public CA cert and again, I've got a mobile config
file that "just works" which has the public root and intermediate certs in
the .mobileconfig file.

I've been asked to remove the root CA from the config file, working on the
basis that as it's a generally available cert it should be on the client
machine anyway and therefore we don't need to install it.

The problem is that if I remove either the root or root + intermediate CAs
the VPN fails to connect.
I'm using an x509 cert to identify the server to the client and eap-peap via
the eap-radius module to authenticate the user.

For the case without the CAs inserted I see :-

Aug 25 13:17:42 07[NET] <1> received packet: from
2001:630:61:2000:6838:887b:6bfc:70[500] to 2001:630:61:180::1:c7[500] (432
bytes)
Aug 25 13:17:42 07[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No
N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Aug 25 13:17:42 07[IKE] <1> 2001:630:61:2000:6838:887b:6bfc:70 is
initiating an IKE_SA
Aug 25 13:17:42 07[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Aug 25 13:17:42 07[NET] <1> sending packet: from 2001:630:61:180::1:c7[500]
to 2001:630:61:2000:6838:887b:6bfc:70[500] (448 bytes)
Aug 25 13:17:47 15[NET] <2> received packet: from
2001:630:61:2000:6838:887b:6bfc:70[500] to 2001:630:61:180::1:c7[500] (432
bytes)
Aug 25 13:17:47 15[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No
N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Aug 25 13:17:47 15[IKE] <2> 2001:630:61:2000:6838:887b:6bfc:70 is
initiating an IKE_SA
Aug 25 13:17:47 15[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Aug 25 13:17:47 15[NET] <2> sending packet: from 2001:630:61:180::1:c7[500]
to 2001:630:61:2000:6838:887b:6bfc:70[500] (448 bytes)
Aug 25 13:17:47 06[NET] <2> received packet: from
2001:630:61:2000:6838:887b:6bfc:70[4500] to 2001:630:61:180::1:c7[4500]
(380 bytes)
Aug 25 13:17:47 06[ENC] <2> unknown attribute type (25)
Aug 25 13:17:47 06[ENC] <2> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT)
N(MOBIKE_SUP) IDr CPRQ(ADDR SUBNET DHCP DNS MASK ADDR6 SUBNET6 DHCP6 DNS6
(25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Aug 25 13:17:47 06[CFG] <2> looking for peer configs matching
2001:630:61:180::1:c7[vpn.york.ac.uk]...2001:630:61:2000:6838:887b:6bfc:70[UoY
VPN User]
Aug 25 13:17:47 06[CFG] <it-services-ikev2|2> selected peer config
'it-services-ikev2'
Aug 25 13:17:47 06[IKE] <it-services-ikev2|2> initiating EAP_IDENTITY
method (id 0x00)
Aug 25 13:17:47 06[IKE] <it-services-ikev2|2> received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Aug 25 13:17:47 06[IKE] <it-services-ikev2|2> peer supports MOBIKE
Aug 25 13:17:47 06[IKE] <it-services-ikev2|2> authentication of '
vpn.york.ac.uk' (myself) with RSA signature successful
Aug 25 13:17:47 06[IKE] <it-services-ikev2|2> sending end entity cert
"C=GB, ST=City of York, L=YORK, O=University of York, OU=IT Services, CN=
vpn.york.ac.uk"
Aug 25 13:17:47 06[IKE] <it-services-ikev2|2> sending issuer cert "C=BM,
O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
Aug 25 13:17:47 06[ENC] <it-services-ikev2|2> generating IKE_AUTH response
1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Aug 25 13:17:47 06[ENC] <it-services-ikev2|2> splitting IKE message with
length of 4044 bytes into 4 fragments
Aug 25 13:17:47 06[ENC] <it-services-ikev2|2> generating IKE_AUTH response
1 [ EF(1/4) ]
Aug 25 13:17:47 06[ENC] <it-services-ikev2|2> generating IKE_AUTH response
1 [ EF(2/4) ]
Aug 25 13:17:47 06[ENC] <it-services-ikev2|2> generating IKE_AUTH response
1 [ EF(3/4) ]
Aug 25 13:17:47 06[ENC] <it-services-ikev2|2> generating IKE_AUTH response
1 [ EF(4/4) ]
Aug 25 13:17:47 06[NET] <it-services-ikev2|2> sending packet: from
2001:630:61:180::1:c7[4500] to 2001:630:61:2000:6838:887b:6bfc:70[4500]
(1216 bytes)
Aug 25 13:17:47 06[NET] <it-services-ikev2|2> sending packet: from
2001:630:61:180::1:c7[4500] to 2001:630:61:2000:6838:887b:6bfc:70[4500]
(1216 bytes)
Aug 25 13:17:47 06[NET] <it-services-ikev2|2> sending packet: from
2001:630:61:180::1:c7[4500] to 2001:630:61:2000:6838:887b:6bfc:70[4500]
(1216 bytes)
Aug 25 13:17:47 06[NET] <it-services-ikev2|2> sending packet: from
2001:630:61:180::1:c7[4500] to 2001:630:61:2000:6838:887b:6bfc:70[4500]
(592 bytes)
Aug 25 13:18:12 05[JOB] <1> deleting half open IKE_SA with
2001:630:61:2000:6838:887b:6bfc:70 after timeout
Aug 25 13:18:17 06[JOB] <it-services-ikev2|2> deleting half open IKE_SA
with 2001:630:61:2000:6838:887b:6bfc:70 after timeout


With the CAs installed I get

Aug 25 13:12:10 07[NET] <1> received packet: from
2001:630:61:2000:31f3:614f:10ed:bf93[500] to 2001:630:61:180::1:c7[500]
(432 bytes)
Aug 25 13:12:10 07[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No
N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Aug 25 13:12:10 07[IKE] <1> 2001:630:61:2000:31f3:614f:10ed:bf93 is
initiating an IKE_SA
Aug 25 13:12:10 07[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Aug 25 13:12:10 07[NET] <1> sending packet: from 2001:630:61:180::1:c7[500]
to 2001:630:61:2000:31f3:614f:10ed:bf93[500] (448 bytes)
Aug 25 13:12:10 08[NET] <1> received packet: from
2001:630:61:2000:31f3:614f:10ed:bf93[4500] to 2001:630:61:180::1:c7[4500]
(412 bytes)
Aug 25 13:12:10 08[ENC] <1> unknown attribute type (25)
Aug 25 13:12:10 08[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT)
N(MOBIKE_SUP) IDr CERTREQ CPRQ(ADDR SUBNET DHCP DNS MASK ADDR6 SUBNET6
DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Aug 25 13:12:10 08[IKE] <1> received cert request for "C=BM, O=QuoVadis
Limited, CN=QuoVadis Root CA 2 G3"
Aug 25 13:12:10 08[CFG] <1> looking for peer configs matching
2001:630:61:180::1:c7[vpn.york.ac.uk]...2001:630:61:2000:31f3:614f:10ed:bf93[UoY
VPN User]
Aug 25 13:12:11 08[CFG] <it-services-ikev2|1> selected peer config
'it-services-ikev2'
Aug 25 13:12:11 08[IKE] <it-services-ikev2|1> initiating EAP_IDENTITY
method (id 0x00)
Aug 25 13:12:11 08[IKE] <it-services-ikev2|1> received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Aug 25 13:12:11 08[IKE] <it-services-ikev2|1> peer supports MOBIKE
Aug 25 13:12:11 08[IKE] <it-services-ikev2|1> authentication of '
vpn.york.ac.uk' (myself) with RSA signature successful
Aug 25 13:12:11 08[IKE] <it-services-ikev2|1> sending end entity cert
"C=GB, ST=City of York, L=YORK, O=University of York, OU=IT Services, CN=
vpn.york.ac.uk"
Aug 25 13:12:11 08[IKE] <it-services-ikev2|1> sending issuer cert "C=BM,
O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
Aug 25 13:12:11 08[ENC] <it-services-ikev2|1> generating IKE_AUTH response
1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Aug 25 13:12:11 08[ENC] <it-services-ikev2|1> splitting IKE message with
length of 4044 bytes into 4 fragments
Aug 25 13:12:11 08[ENC] <it-services-ikev2|1> generating IKE_AUTH response
1 [ EF(1/4) ]
Aug 25 13:12:11 08[ENC] <it-services-ikev2|1> generating IKE_AUTH response
1 [ EF(2/4) ]
Aug 25 13:12:11 08[ENC] <it-services-ikev2|1> generating IKE_AUTH response
1 [ EF(3/4) ]
Aug 25 13:12:11 08[ENC] <it-services-ikev2|1> generating IKE_AUTH response
1 [ EF(4/4) ]

Aug 25 13:12:11 08[NET] <it-services-ikev2|1> sending packet: from
2001:630:61:180::1:c7[4500] to 2001:630:61:2000:31f3:614f:10ed:bf93[4500]
(1216 bytes)
Aug 25 13:12:11 08[NET] <it-services-ikev2|1> sending packet: from
2001:630:61:180::1:c7[4500] to 2001:630:61:2000:31f3:614f:10ed:bf93[4500]
(1216 bytes)
Aug 25 13:12:11 08[NET] <it-services-ikev2|1> sending packet: from
2001:630:61:180::1:c7[4500] to 2001:630:61:2000:31f3:614f:10ed:bf93[4500]
(1216 bytes)
Aug 25 13:12:11 08[NET] <it-services-ikev2|1> sending packet: from
2001:630:61:180::1:c7[4500] to 2001:630:61:2000:31f3:614f:10ed:bf93[4500]
(592 bytes)
Aug 25 13:12:11 10[NET] <it-services-ikev2|1> received packet: from
2001:630:61:2000:31f3:614f:10ed:bf93[4500] to 2001:630:61:180::1:c7[4500]
(92 bytes)
Aug 25 13:12:11 10[ENC] <it-services-ikev2|1> parsed IKE_AUTH request 2 [
EAP/RES/ID ]
Aug 25 13:12:11 10[IKE] <it-services-ikev2|1> received EAP identity '
as1558@york.ac.uk'
Aug 25 13:12:11 10[CFG] <it-services-ikev2|1> sending RADIUS Access-Request
to server 'primary'
Aug 25 13:12:11 10[CFG] <it-services-ikev2|1> received RADIUS
Access-Challenge from server 'primary'
Aug 25 13:12:11 10[IKE] <it-services-ikev2|1> initiating EAP_PEAP method
(id 0x01)
Aug 25 13:12:11 10[ENC] <it-services-ikev2|1> generating IKE_AUTH response
2 [ EAP/REQ/PEAP ]
Aug 25 13:12:11 10[NET] <it-services-ikev2|1> sending packet: from
2001:630:61:180::1:c7[4500] to 2001:630:61:2000:31f3:614f:10ed:bf93[4500]
(76 bytes)
Aug 25 13:12:11 09[NET] <it-services-ikev2|1> received packet: from
2001:630:61:2000:31f3:614f:10ed:bf93[4500] to 2001:630:61:180::1:c7[4500]
(76 bytes)
Aug 25 13:12:11 09[ENC] <it-services-ikev2|1> parsed IKE_AUTH request 3 [
EAP/RES/NAK ]
Aug 25 13:12:11 09[CFG] <it-services-ikev2|1> sending RADIUS Access-Request
to server 'primary'
Aug 25 13:12:11 09[CFG] <it-services-ikev2|1> received RADIUS
Access-Challenge from server 'primary'
Aug 25 13:12:11 09[ENC] <it-services-ikev2|1> generating IKE_AUTH response
3 [ EAP/REQ/MSCHAPV2 ]
Aug 25 13:12:11 09[NET] <it-services-ikev2|1> sending packet: from
2001:630:61:180::1:c7[4500] to 2001:630:61:2000:31f3:614f:10ed:bf93[4500]
(108 bytes)
Aug 25 13:12:11 11[NET] <it-services-ikev2|1> received packet: from
2001:630:61:2000:31f3:614f:10ed:bf93[4500] to 2001:630:61:180::1:c7[4500]
(156 bytes)
Aug 25 13:12:11 11[ENC] <it-services-ikev2|1> parsed IKE_AUTH request 4 [
EAP/RES/MSCHAPV2 ]
....

and I've a successful VPN connection.

Configwise on the server I've got

conn it-services-ikev2
  left=%any
  leftauth=pubkey
  leftcert=vpn.york.ac.uk.pem
  leftid=@vpn.york.ac.uk
  leftsendcert=always
  leftsubnet=0.0.0.0/0,::/0
  leftfirewall=yes
  right=%any
  rightauth=eap-radius
  rightsendcert=never
  rightgroups="Cserv"
  eap_identity=%any
  keyexchange=ikev2
  rightsourceip=%itservices
  fragmentation=yes
  auto=add

Rgds
Alex
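A small triage script, added here as an example (it is not from the post above and not part of strongSwan): it parses charon log lines like the two exchanges quoted above and reports, per IKE_SA, whether the client's first IKE_AUTH request carried a CERTREQ, which trust anchor that request named, which issuer cert the server sent back, how far the exchange got, and whether the SA was dropped as half-open on timeout. The sample lines are the post's own, with the mail wrapping undone and the repeated packet/fragment lines trimmed; the verdict strings returned by `diagnose()` are this example's heuristic labels, not strongSwan output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the failing exchange from the post (no CA
# payloads in the profile), unwrapped and trimmed to the relevant lines.
FAILED_EXCHANGE = """\
Aug 25 13:17:47 15[IKE] <2> 2001:630:61:2000:6838:887b:6bfc:70 is initiating an IKE_SA
Aug 25 13:17:47 06[ENC] <2> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR SUBNET DHCP DNS MASK ADDR6 SUBNET6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Aug 25 13:17:47 06[CFG] <it-services-ikev2|2> selected peer config 'it-services-ikev2'
Aug 25 13:17:47 06[IKE] <it-services-ikev2|2> authentication of 'vpn.york.ac.uk' (myself) with RSA signature successful
Aug 25 13:17:47 06[IKE] <it-services-ikev2|2> sending end entity cert "C=GB, ST=City of York, L=YORK, O=University of York, OU=IT Services, CN=vpn.york.ac.uk"
Aug 25 13:17:47 06[IKE] <it-services-ikev2|2> sending issuer cert "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
Aug 25 13:17:47 06[ENC] <it-services-ikev2|2> generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Aug 25 13:18:17 06[JOB] <it-services-ikev2|2> deleting half open IKE_SA with 2001:630:61:2000:6838:887b:6bfc:70 after timeout
"""

# Constructed sample input: the working exchange (CA payloads present).
WORKING_EXCHANGE = """\
Aug 25 13:12:10 07[IKE] <1> 2001:630:61:2000:31f3:614f:10ed:bf93 is initiating an IKE_SA
Aug 25 13:12:10 08[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CERTREQ CPRQ(ADDR SUBNET DHCP DNS MASK ADDR6 SUBNET6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Aug 25 13:12:10 08[IKE] <1> received cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
Aug 25 13:12:11 08[CFG] <it-services-ikev2|1> selected peer config 'it-services-ikev2'
Aug 25 13:12:11 08[IKE] <it-services-ikev2|1> sending issuer cert "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
Aug 25 13:12:11 08[ENC] <it-services-ikev2|1> generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Aug 25 13:12:11 10[ENC] <it-services-ikev2|1> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Aug 25 13:12:11 09[ENC] <it-services-ikev2|1> parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
Aug 25 13:12:11 09[ENC] <it-services-ikev2|1> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
"""

# charon line layout: "<timestamp> <thread>[<group>] <[conn|]sa_id> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<thread>\d+)\[(?P<group>\w+)\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$"
)
INIT_RE = re.compile(r"^(?P<peer>\S+) is initiating an IKE_SA$")
PAYLOADS_RE = re.compile(r"parsed IKE_AUTH request (?P<mid>\d+) \[ (?P<payloads>.*) \]")
CERTREQ_RE = re.compile(r'received cert request for "(?P<dn>[^"]+)"')
ISSUER_RE = re.compile(r'sending issuer cert "(?P<dn>[^"]+)"')
TIMEOUT_RE = re.compile(r"deleting half open IKE_SA with \S+ after timeout")


@dataclass
class IkeSa:
    sa_id: str
    peer: str = ""
    conn: str = ""
    certreq_sent: bool = False          # client's IKE_AUTH request 1 carried CERTREQ
    trust_anchors: list = field(default_factory=list)   # DNs the client asked for
    issuer_certs_sent: list = field(default_factory=list)  # intermediates we sent
    last_request: int = 0               # highest IKE_AUTH request message id seen
    timed_out: bool = False             # dropped as half-open


def parse_charon_log(text):
    """Group charon log lines by IKE_SA id and extract the cert/EAP milestones."""
    sas = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sa = sas.setdefault(m["sa"], IkeSa(m["sa"]))
        if m["conn"]:
            sa.conn = m["conn"]
        msg = m["msg"]
        if (p := INIT_RE.match(msg)):
            sa.peer = p["peer"]
        elif (p := PAYLOADS_RE.search(msg)):
            mid = int(p["mid"])
            sa.last_request = max(sa.last_request, mid)
            # Payload names are space separated; CERTREQ is its own token.
            if mid == 1 and "CERTREQ" in p["payloads"].split():
                sa.certreq_sent = True
        elif (p := CERTREQ_RE.search(msg)):
            sa.trust_anchors.append(p["dn"])
        elif (p := ISSUER_RE.search(msg)):
            sa.issuer_certs_sent.append(p["dn"])
        elif TIMEOUT_RE.search(msg):
            sa.timed_out = True
    return sas


def diagnose(sa):
    """Heuristic verdict (this example's own labels, not strongSwan messages)."""
    if sa.last_request >= 2:
        return "ok"  # client accepted our AUTH/CERT and moved on into EAP
    if sa.timed_out and sa.last_request == 1:
        if not sa.certreq_sent:
            return "no-certreq-and-no-answer"
        return "answer-missing-after-certreq"
    return "incomplete"


def report(sas):
    """One summary line per IKE_SA, returned as a list so callers can assert on it."""
    return [
        f"IKE_SA {sa.sa_id} peer={sa.peer or '?'} conn={sa.conn or '?'} "
        f"certreq={'yes' if sa.certreq_sent else 'no'} "
        f"trust_anchors={sa.trust_anchors or '-'} issuer_sent={sa.issuer_certs_sent or '-'} "
        f"last_request={sa.last_request} timed_out={sa.timed_out} verdict={diagnose(sa)}"
        for sa in sas.values()
    ]


if __name__ == "__main__":
    for line in report(parse_charon_log(FAILED_EXCHANGE + WORKING_EXCHANGE)):
        print(line)
```

On the failing trace the script flags the pattern worth noticing: the client's IKE_AUTH request 1 carries no CERTREQ, the responder still authenticates itself and sends the end-entity plus issuer cert, and then nothing comes back until the half-open SA is reaped. The working trace differs only in that the client asks for "QuoVadis Root CA 2 G3" up front and then continues into EAP. Whatever the cause on the client side, that contrast is the first thing to check in charon's log before touching the server config.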



