[strongSwan] Verbose log : need info about algorithm negotiation

2015-07-14 Thread Giulio Ambrogi
Dear community,

is there any way to find out what strongSwan really does when negotiating
encryption and authentication algorithms (e.g. using the conn field
esp=encr-auth-[dh])? Especially, I would like to know which algorithms
are chosen as a result of the negotiation.
The log printed on the terminal when using "ipsec up"
doesn't show that information.
Is there any way to make this log more verbose? Or is there any useful log
file?
Thanks ,


Giulio
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Examples of connecting 2 raspberry

2015-07-14 Thread Noel Kuntze

Hello,

Just look at the wiki[1] and work from there.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 14.07.2015 at 16:36, User Qmail wrote:
> I wish to have a working example to connect two Raspberry Pi machines via PSK.
> The Raspberry Pis are behind Netgear and Asus routers on which I have
> forwarded the ports.
> I compiled strongSwan from sources and it is on a Debian Jessie OS.
> Can anyone give me a hand?
>
> Thanks



[strongSwan] Examples of connecting 2 raspberry

2015-07-14 Thread User Qmail
I wish to have a working example to connect two Raspberry Pi machines via PSK.
The Raspberry Pis are behind Netgear and Asus routers on which I have
forwarded the ports.
I compiled strongSwan from sources and it is on a Debian Jessie OS.
Can anyone give me a hand?

Thanks
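A minimal host-to-host PSK setup for two strongSwan peers that both sit behind NAT, added here as an illustration; it is not taken from the wiki page linked in the reply nor from the original poster. The peer names pi-a/pi-b, the DNS names and the private addresses are assumptions, and each router must forward UDP 500 and 4500 to its Pi.

```ini
# /etc/ipsec.conf on pi-a; on pi-b swap the left*/right* values and use
# auto=add there so only one side initiates
config setup

conn %default
    keyexchange=ikev2
    # explicit, strict proposals: the trailing "!" tells charon to accept
    # nothing weaker than this from the peer; the DH group in esp= gives PFS
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    dpdaction=restart
    dpddelay=30s

conn pi-a-to-pi-b
    left=%defaultroute
    # identities are names, not addresses: both peers are behind NAT, so the
    # source address the other side sees is the router's, not the Pi's
    leftid=@pi-a
    leftsubnet=192.168.1.10/32
    # public DNS name of the remote router (assumption); NAT traversal
    # (UDP encapsulation on port 4500) is negotiated automatically
    right=pi-b.example.net
    rightid=@pi-b
    rightsubnet=192.168.2.10/32
    authby=psk
    auto=start

# /etc/ipsec.secrets, identical on both machines (generate the PSK with
# e.g. "openssl rand -base64 32" and keep the file mode 0600)
@pi-a @pi-b : PSK "replace-with-a-long-random-secret"
```

Because the identities are names rather than IP addresses, the PSK lookup in ipsec.secrets keys on the IDs and does not break when a router's public address changes.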


Re: [strongSwan] [strongSwan-dev] Verbose log : need info about algorithm negotiation

2015-07-14 Thread Andreas Steffen
If you want to know which crypto algorithms are proposed
and supported then either increase the debug level
in ipsec.conf

   charondebug="cfg 2"

or change the log level dynamically during runtime with

  sudo ipsec stroke loglevel cfg 2

Best regards

Andreas

On 07/14/2015 12:36 PM, Giulio Ambrogi wrote:
> Dear community,
> 
> is there any way to find out what strongSwan really does when
> negotiating encryption and authentication algorithms (e.g. using the
> conn field esp=encr-auth-[dh])? Especially, I would like to know
> which algorithms are chosen as a result of the negotiation.
> The log printed on the terminal when using "ipsec up"
> doesn't show that information.
> Is there any way to make this log more verbose? Or is there any useful
> log file?
> Thanks ,
> 
> 
> Giulio
> 
> 
> ___
> Dev mailing list
> d...@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/dev
> 

-- 
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==



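Once the CFG log level is raised, the interesting lines are the ones labelled "received proposals", "configured proposals" and "selected proposal". The script below is an added example, not strongSwan code and not from the reply above: it pulls those lines out of a charon log and checks the negotiated algorithms against a small policy. The log lines are constructed for the demo; they imitate charon's message wording and its IKE:/ESP: algorithm notation, and the WEAK set is an assumption to adjust to your own policy.

```python
"""Pull the negotiated IKE/ESP proposals out of a charon log and check them
against a simple algorithm policy (added example, not strongSwan code)."""
import re

# Constructed sample of a charon log with charondebug="cfg 2": the peer
# offers a legacy IKE proposal as well, the gateway picks the strong one.
SAMPLE_LOG = """\
Jul 14 12:40:01 gw charon: 05[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Jul 14 12:40:01 gw charon: 05[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 14 12:40:01 gw charon: 05[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 14 12:40:02 gw charon: 07[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Jul 14 12:40:02 gw charon: 07[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Jul 14 12:40:02 gw charon: 07[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
"""

# Constructed log of a gateway whose esp= line still allows legacy crypto.
WEAK_LOG = """\
Jul 14 12:41:10 gw charon: 09[CFG] received proposals: ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Jul 14 12:41:10 gw charon: 09[CFG] selected proposal: ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
"""

PROPOSAL_RE = re.compile(
    r"\[CFG\] (received|configured|selected) proposals?: (.+?)\s*$")

# Algorithms this demo policy refuses (assumption: tune to your own policy).
WEAK = {"DES_CBC", "3DES_CBC", "NULL", "HMAC_MD5_96", "PRF_HMAC_MD5",
        "MODP_768", "MODP_1024"}


def parse_proposal(text):
    """'ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ' -> ('ESP', ['AES_CBC_128', ...])."""
    proto, _, algs = text.partition(":")
    return proto, algs.split("/")


def extract_proposals(log):
    """Group every proposal found in the log by how charon labelled it."""
    out = {"received": [], "configured": [], "selected": []}
    for line in log.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            for item in m.group(2).split(", "):
                out[m.group(1)].append(parse_proposal(item))
    return out


def audit(log):
    """Report weak algorithms that were actually negotiated, and those the
    peer merely offered (what it would fall back to if our configured
    proposal list were looser)."""
    props = extract_proposals(log)
    selected_weak = [(proto, a) for proto, algs in props["selected"]
                     for a in algs if a in WEAK]
    offered_weak = [(proto, a) for proto, algs in props["received"]
                    for a in algs if a in WEAK]
    return {"selected_weak": selected_weak, "offered_weak": offered_weak}


if __name__ == "__main__":
    for name, log in (("SAMPLE_LOG", SAMPLE_LOG), ("WEAK_LOG", WEAK_LOG)):
        for proto, algs in extract_proposals(log)["selected"]:
            print("%s negotiated %s: %s" % (name, proto, "/".join(algs)))
        print("%s audit: %s" % (name, audit(log)))
```

Run it against a real daemon.log after raising the CFG level; the "selected proposal" line is the authoritative answer to "which algorithms were chosen", and the "received proposals" line tells you what the peer was willing to accept. For SAs that are already up, strongSwan's `ipsec statusall` also lists the algorithms in use.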

Re: [strongSwan] payload of type AUTH more than 1 times (2) occurred in current message

2015-07-14 Thread Andreas Steffen
Hi Alexis,

it looks as if the 3rd party VPN client sends two AUTH payloads in its
IKE_AUTH request. This does not conform with the IKEv2 RFC. Could you
send me a strongSwan log file with the log level set to

  charondebug="ike 3"

in ipsec.conf.

Best regards

Andreas

On 07/13/2015 09:23 PM, Alexis Salinas wrote:
> Hello All,
> I'm testing strongSwan as a VPN gateway for a 3rd party VPN client.  PSK and
> certificate authentication work fine, but when testing EAP-TLS I get
> this error message on the strongSwan side, after the EAP authentication
> succeeds.
> 
> Jul 10 16:42:11 debian-vm1-alexis charon: 14[ENC] payload of type AUTH more than 1 times (2) occurred in current message
> Jul 10 16:42:11 debian-vm1-alexis charon: 14[IKE] message verification failed
> 
> See attachment for full  logs.
> 
> Here is my strongSwan configuration:
> 
> # ipsec.conf - strongSwan IPsec configuration file
> 
> config setup
>   # strictcrlpolicy=yes
>   # uniqueids = no
> 
> conn %default
>   ikelifetime=60m
>   keylife=20m
>   rekeymargin=3m
>   keyingtries=1
>   keyexchange=ikev2
> 
> conn rw-eap-tls
>   left=10.1.65.147
>   leftid=o...@test.org
>   leftsubnet=10.99.0.0/24
>   leftcert=ocmCert.pem
>   leftauth=pubkey
>   leftfirewall=yes
>   rightsourceip=172.22.0.0/24
>   rightauth=eap-radius
>   rightsendcert=never
>   right=%any
>   auto=add
>   eap_identity=%identity
> 
> Does any of you know what this is about? 
> 
> What is strongSwan expecting at this point? Looking at the RFC [1], there
> should be a message type AUTH (message 7).
> 
> I can enable more logging if needed.
> 
> Thanks.
> Alexis.
> 
> 
> 
> [1] : https://tools.ietf.org/html/rfc7296#section-2.16
> 
> 
> 
> 
> 

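The "payload of type AUTH more than 1 times (2) occurred" line comes from charon's per-exchange payload rules: it walks the chain of generic payload headers and counts each type before the message is accepted. The following is an added example, not strongSwan code, of a simplified version of that check. The header layout (Next Payload, critical bit, Payload Length) is from RFC 7296 section 3.2; the message contents are constructed placeholders, and the AT_MOST_ONCE set is an assumption covering only the payloads relevant here. A real IKE_AUTH request carries these payloads inside the Encrypted (SK) payload, so what is modelled is the inner chain after decryption and integrity check.

```python
"""Walk an IKEv2 payload chain and reject a message that repeats a payload
the exchange allows only once (added example, not strongSwan code)."""
import struct

# Payload type numbers from RFC 7296 section 3.2
SA, KE, IDi, IDr, CERT, CERTREQ, AUTH, NONCE, N, TSi, TSr, CP = (
    33, 34, 35, 36, 37, 38, 39, 40, 41, 44, 45, 47)
NO_NEXT_PAYLOAD = 0
# Types this demo understands, named the way charon prints them
NAMES = {SA: "SA", KE: "KE", IDi: "IDi", IDr: "IDr", CERT: "CERT",
         CERTREQ: "CERTREQ", AUTH: "AUTH", NONCE: "No", N: "N",
         TSi: "TSi", TSr: "TSr", CP: "CP"}

# Payloads an IKE_AUTH request may carry at most once (assumption: a subset
# of the per-exchange rules charon enforces).
AT_MOST_ONCE = {IDi, IDr, AUTH, SA, TSi, TSr}


def build_chain(payloads):
    """Encode [(type, body), ...] as a chained payload list.

    Returns (first_payload_type, bytes); the first type is what the IKE
    header's (or the SK payload's) Next Payload field would carry.
    """
    out = bytearray()
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT_PAYLOAD
        out += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else NO_NEXT_PAYLOAD
    return first, bytes(out)


def parse_chain(first_type, data):
    """Decode a chain into [(type, body), ...].

    Raises ValueError on a truncated or inconsistent length, and on an
    unknown payload whose critical bit is set (RFC 7296 section 2.5: such a
    message must be rejected, not skipped).
    """
    result, ptype, off = [], first_type, 0
    while ptype != NO_NEXT_PAYLOAD:
        if off + 4 > len(data):
            raise ValueError("truncated payload header at offset %d" % off)
        nxt, flags, length = struct.unpack("!BBH", data[off:off + 4])
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length %d at offset %d" % (length, off))
        if ptype not in NAMES and flags & 0x80:
            raise ValueError("unsupported critical payload type %d" % ptype)
        result.append((ptype, data[off + 4:off + length]))
        ptype, off = nxt, off + length
    if off != len(data):
        raise ValueError("%d trailing bytes after last payload" % (len(data) - off))
    return result


def verify_payload_counts(payloads):
    """Return charon-style error strings for payloads that occur too often."""
    counts = {}
    for ptype, _ in payloads:
        counts[ptype] = counts.get(ptype, 0) + 1
    return ["payload of type %s more than 1 times (%d) occurred in current message"
            % (NAMES.get(t, t), n)
            for t, n in counts.items() if t in AT_MOST_ONCE and n > 1]


# Constructed inner payloads of an IKE_AUTH request (bodies are placeholders,
# not valid SA/TS encodings).
GOOD_REQUEST = [(IDi, b"\x02\x00\x00\x00client@example.org"),
                (AUTH, b"\x02\x00\x00\x00" + b"\xaa" * 32),
                (SA, b"\x00" * 8), (TSi, b"\x00" * 8), (TSr, b"\x00" * 8)]
# The misbehaving client from the thread: two AUTH payloads in one message.
DOUBLE_AUTH_REQUEST = (GOOD_REQUEST[:2]
                       + [(AUTH, b"\x02\x00\x00\x00" + b"\xbb" * 32)]
                       + GOOD_REQUEST[2:])


def check_message(payloads):
    """Round-trip the payloads through encoder and parser, then verify counts."""
    first, data = build_chain(payloads)
    return verify_payload_counts(parse_chain(first, data))


if __name__ == "__main__":
    print("good request:", check_message(GOOD_REQUEST) or "message verified")
    print("double AUTH:", check_message(DOUBLE_AUTH_REQUEST))
```

The length and critical-bit checks matter as much as the count: a parser that trusts Payload Length without bounding it against the buffer is the classic way an IKE daemon gets an out-of-bounds read, which is why charon drops the whole message ("message verification failed") rather than trying to make sense of an unexpected second AUTH.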

[strongSwan] payload of type AUTH more than 1 times (2) occurred in current message

2015-07-14 Thread Alexis Salinas
Hello All,
I'm testing strongSwan as a VPN gateway for a 3rd party VPN client. PSK and
certificate authentication work fine, but when testing EAP-TLS I get this
error message on the strongSwan side, after the EAP authentication succeeds.

Jul 10 16:42:11 debian-vm1-alexis charon: 14[ENC] payload of type AUTH more than 1 times (2) occurred in current message
Jul 10 16:42:11 debian-vm1-alexis charon: 14[IKE] message verification failed

See attachment for full  logs.

Here is my strongSwan configuration:

# ipsec.conf - strongSwan IPsec configuration file

config setup
  # strictcrlpolicy=yes
  # uniqueids = no

conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev2

conn rw-eap-tls
  left=10.1.65.147
  leftid=o...@test.org
  leftsubnet=10.99.0.0/24
  leftcert=ocmCert.pem
  leftauth=pubkey
  leftfirewall=yes
  rightsourceip=172.22.0.0/24
  rightauth=eap-radius
  rightsendcert=never
  right=%any
  auto=add
  eap_identity=%identity

Does any of you know what this is about? 

What is strongSwan expecting at this point? Looking at the RFC [1], there should
be a message type AUTH (message 7).

I can enable more logging if needed.

Thanks.
Alexis.



[1] : https://tools.ietf.org/html/rfc7296#section-2.16


~# tail -f /var/log/daemon.log
Jul 10 16:42:10 debian-vm1-alexis charon: 09[NET] received packet: from 10.1.65.126[49300] to 10.1.65.147[500]
Jul 10 16:42:10 debian-vm1-alexis charon: 09[NET] waiting for data on sockets
Jul 10 16:42:10 debian-vm1-alexis charon: 03[NET] received packet: from 10.1.65.126[49300] to 10.1.65.147[500] (460 bytes)
Jul 10 16:42:10 debian-vm1-alexis charon: 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_D_IP) N(NATD_S_IP) V V V V ]
Jul 10 16:42:10 debian-vm1-alexis charon: 03[ENC] received unknown vendor ID: eb:4c:1b:78:8a:fd:4a:9c:b7:73:0a:68:d5:6d:08:8b
Jul 10 16:42:10 debian-vm1-alexis charon: 03[ENC] received unknown vendor ID: c6:1b:ac:a1:f1:a6:0c:c1:08:00:00:00:00:00:00:00
Jul 10 16:42:10 debian-vm1-alexis charon: 03[ENC] received unknown vendor ID: cb:e7:94:44:a0:87:0d:e4:22:4a:2c:15:1f:bf:e0:99
Jul 10 16:42:10 debian-vm1-alexis charon: 03[ENC] received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:c0:00:00:00
Jul 10 16:42:10 debian-vm1-alexis charon: 03[IKE] 10.1.65.126 is initiating an IKE_SA
Jul 10 16:42:10 debian-vm1-alexis charon: 03[IKE] IKE_SA (unnamed)[20] state change: CREATED => CONNECTING
Jul 10 16:42:10 debian-vm1-alexis charon: 03[IKE] remote host is behind NAT
Jul 10 16:42:10 debian-vm1-alexis charon: 03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul 10 16:42:10 debian-vm1-alexis charon: 03[NET] sending packet: from 10.1.65.147[500] to 10.1.65.126[49300] (376 bytes)
Jul 10 16:42:10 debian-vm1-alexis charon: 10[NET] sending packet: from 10.1.65.147[500] to 10.1.65.126[49300]
Jul 10 16:42:10 debian-vm1-alexis charon: 09[NET] received packet: from 10.1.65.126[49300] to 10.1.65.147[4500]
Jul 10 16:42:10 debian-vm1-alexis charon: 09[NET] waiting for data on sockets
Jul 10 16:42:10 debian-vm1-alexis charon: 12[NET] received packet: from 10.1.65.126[49300] to 10.1.65.147[4500] (1264 bytes)
Jul 10 16:42:10 debian-vm1-alexis charon: 12[ENC] unknown attribute type (20002)
Jul 10 16:42:10 debian-vm1-alexis charon: 12[ENC] unknown attribute type (20006)
Jul 10 16:42:10 debian-vm1-alexis charon: 12[ENC] unknown attribute type (20007)
Jul 10 16:42:10 debian-vm1-alexis charon: 12[ENC] unknown attribute type (20003)
Jul 10 16:42:10 debian-vm1-alexis charon: 12[ENC] unknown attribute type (20004)
Jul 10 16:42:10 debian-vm1-alexis charon: 12[ENC] unknown attribute type (20005)
Jul 10 16:42:10 debian-vm1-alexis charon: 12[ENC] parsed IKE_AUTH request 1 [ V IDi CERT N(INIT_CONTACT) N(HTTP_CERT_LOOK) CERTREQ CPRQ(ADDR MASK DNS NBNS (20002) VER U_BANNER U_SAVEPWD U_DEFDOM (20006) (20007) U_SPLITDNS U_SPLITINC U_NATTPORT U_LOCALLAN U_PFS U_FWTYPE U_BKPSRV (20003) (20004) U_DDNSHOST (20005) U_DDNSHOST) SA No TSi TSr V N(MOBIKE_SUP) ]
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] received end entity cert "C=CA, O=Test, CN=Client"
Jul 10 16:42:10 debian-vm1-alexis charon: 12[CFG] looking for peer configs matching 10.1.65.147[%any]...10.1.65.126[172.22.0.101]
Jul 10 16:42:10 debian-vm1-alexis charon: 12[CFG] selected peer config 'rw-eap-tls'
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] initiating EAP_IDENTITY method (id 0x00)
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing INTERNAL_IP4_NETMASK attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing INTERNAL_IP4_DNS attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing INTERNAL_IP4_NBNS attribute
Jul 10 16:42:10 debian-vm1-alexis char