Hi, I'm currently banging my head against the wall in trying to get a Nokia E71 (Nokia VPN Client 3.1) to connect to strongswan 4.2.9. It fails with the following error on the Symbian VPN Client Log:

Error: Failed to activate VPN access point 'VPN nokia', reason code -15

As far as I can see, the tunnel is built just fine, it's just the Nokia that's freaking out. Sooo... maybe someone from the Nokia front here who can give me a tip in the right direction?

Btw, the whole thing with the exact same certificates is working perfectly with the Strongswan NetworkManager Plugin.

Have a nice weekend,
Robert

This is the serverside config I'm using:

/etc/ipsec.conf:
<snip>
config setup
        # charondebug="ike 2, cfg 2, knl 2, dmn 2"
        plutostart=no

ca strongswan
        cacert=/etc/ssl/test.com/cacerts/cacert.pem
        crluri=file://localhost/etc/ssl/test.com/crls/crl.pem
        auto=add

conn roadwarrior
        left=%any
        leftsubnet=192.168.0.0/24
        leftcert=/etc/ssl/test.com/certs/vpn_cert.pem
        left...@sun.test.com
        right=%any
        rightsourceip=10.38.241.0/24
        keyexchange=ikev2
</snip>

The phone settings were done using the rather nice (German) tutorial from [1]. The actual settings in the "Nokia Mobile VPN Client Tool" were:

<snip>
Policy name: Home intern
VPN gateway address: sun.dyndns.org
IKE mode: IKEv2
Authentication method: RSA_SIGNATURES
Identity type:
Remote ID type:
Certificate:
Private key:
Subject DN suffix:
RFC822NAME (FQDN):
Key length: 1024
Format: BIN
Data: [cacert.pem]
PKCS file: [nokia.p12]
VPC file:
</snip>

[1] http://mopoinfo.vpn.uni-freiburg.de/node/80

And below is the relevant output of /var/log/daemon.log (all IP addresses and domains are purely fictional) - for better readability please see http://paste.debian.net/54362/:

<snip>
Dec 18 12:10:16 sun charon: 01[JOB] spawning 16 worker threads
Dec 18 12:10:16 sun charon: 03[CFG] received stroke: add ca 'strongswan'
Dec 18 12:10:16 sun charon: 03[LIB] loaded certificate file '/etc/ssl/test.com/cacerts/cacert.pem'
Dec 18 12:10:16 sun charon: 03[CFG] added ca 'strongswan'
Dec 18 12:10:16 sun charon: 03[CFG] received stroke: add connection 'roadwarrior'
Dec 18 12:10:16 sun charon: 03[CFG] left nor right host is our side, assuming left=local
Dec 18 12:10:16 sun charon: 03[LIB] loaded certificate file '/etc/ssl/test.com/certs/vpn_cert.pem'
Dec 18 12:10:16 sun charon: 03[CFG] peerid sun.test.com not confirmed by certificate, defaulting to subject DN
Dec 18 12:10:16 sun charon: 03[CFG] added configuration 'roadwarrior': %any[C=DE, ST=AB, L=Test, O=Test, OU=IT Department, CN=vpn.test.com]...%any[%any]
Dec 18 12:10:16 sun charon: 03[CFG] adding virtual IP address pool 'roadwarrior': 10.38.241.0/24
#### now the fun begins ####
Dec 18 12:11:30 sun charon: 12[NET] received packet: from 80.xxx.xxx.xxx[13054] to 192.168.0.1[500]
Dec 18 12:11:30 sun charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Dec 18 12:11:30 sun charon: 12[IKE] 80.xxx.xxx.xxx is initiating an IKE_SA
Dec 18 12:11:30 sun charon: 12[IKE] local host is behind NAT, sending keep alives
Dec 18 12:11:30 sun charon: 12[IKE] remote host is behind NAT
Dec 18 12:11:30 sun charon: 12[IKE] sending cert request for "C=DE, ST=AB, L=Test, O=Test, OU=IT Department, CN=ca.test.com"
Dec 18 12:11:30 sun charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Dec 18 12:11:30 sun charon: 12[NET] sending packet: from 192.168.0.1[500] to 80.xxx.xxx.xxx[13054]
Dec 18 12:11:31 sun charon: 13[NET] received packet: from 80.xxx.xxx.xxx[41035] to 192.168.0.1[4500]
Dec 18 12:11:31 sun charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CP SA TSi TSr ]
Dec 18 12:11:31 sun charon: 13[IKE] received cert request for "C=DE, ST=AB, L=Test, O=Test, OU=IT Department, CN=vpn.test.com"
Dec 18 12:11:31 sun charon: 13[IKE] received end entity cert "C=DE, ST=AB, L=Test, O=Test, OU=IT Department, cn=no...@test.com"
Dec 18 12:11:31 sun charon: 13[CFG] using certificate "C=DE, ST=AB, L=Test, O=Test, OU=IT Department, cn=no...@test.com"
Dec 18 12:11:31 sun charon: 13[CFG] using trusted ca certificate "C=DE, ST=AB, L=Test, O=Test, OU=IT Department, CN=ca.test.com"
Dec 18 12:11:31 sun charon: 13[CFG] checking certificate status of "C=DE, ST=AB, L=Test, O=Test, OU=IT Department, cn=no...@test.com"
Dec 18 12:11:31 sun charon: 13[CFG] fetching crl from 'file://localhost/etc/ssl/test.com/crls/crl.pem' ...
Dec 18 12:11:31 sun charon: 13[LIB] L0 - certificateList: ASN1 tag 0x30 expected, but is 0x2d
Dec 18 12:11:31 sun charon: 13[LIB] failed to create a builder for credential type CRED_CERTIFICATE, subtype (2)
Dec 18 12:11:31 sun charon: 13[CFG] crl fetched successfully but parsing failed
Dec 18 12:11:31 sun charon: 13[CFG] certificate status is not available
Dec 18 12:11:31 sun charon: 13[IKE] authentication of 'C=DE, ST=AB, L=Test, O=Test, OU=IT Department, cn=no...@test.com' with RSA signature successful
Dec 18 12:11:31 sun charon: 13[CFG] found matching peer config "roadwarrior": C=DE, ST=AB, L=Test, O=Test, OU=IT Department, CN=vpn.test.com...%any with prio 2.2
Dec 18 12:11:31 sun charon: 13[IKE] authentication of 'C=DE, ST=AB, L=Test, O=Test, OU=IT Department, CN=vpn.test.com' (myself) with RSA signature successful
Dec 18 12:11:31 sun charon: 13[IKE] scheduling reauthentication in 10217s
Dec 18 12:11:31 sun charon: 13[IKE] maximum IKE_SA lifetime 10757s
Dec 18 12:11:31 sun charon: 13[IKE] IKE_SA roadwarrior[1] established between 192.168.0.1[C=DE, ST=AB, L=Test, O=Test, OU=IT Department, CN=vpn.test.com]...80.xxx.xxx.xxx[C=DE, ST=AB, L=Test, O=Test, OU=IT Department, cn=no...@test.com]
Dec 18 12:11:31 sun charon: 13[IKE] peer requested virtual IP %any
Dec 18 12:11:31 sun charon: 13[IKE] assigning virtual IP 10.38.241.1 to peer
Dec 18 12:11:31 sun charon: 13[IKE] CHILD_SA roadwarrior{1} established with SPIs c7347aae_i 27c296e8_o and TS 192.168.0.0/24 === 10.38.241.1/32
Dec 18 12:11:31 sun charon: 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH CP SA TSi TSr N(AUTH_LFT) ]
Dec 18 12:11:31 sun charon: 13[NET] sending packet: from 192.168.0.1[4500] to 80.xxx.xxx.xxx[41035]
Dec 18 12:11:51 sun charon: 15[IKE] sending keep alive
Dec 18 12:11:51 sun charon: 15[NET] sending packet: from 192.168.0.1[4500] to 80.xxx.xxx.xxx[41035]
Dec 18 12:12:11 sun charon: 17[IKE] sending keep alive
Dec 18 12:12:11 sun charon: 17[NET] sending packet: from 192.168.0.1[4500] to 80.xxx.xxx.xxx[41035]
Dec 18 12:12:31 sun charon: 08[IKE] sending keep alive
Dec 18 12:12:31 sun charon: 08[NET] sending packet: from 192.168.0.1[4500] to 80.xxx.xxx.xxx[41035]
Dec 18 12:12:51 sun charon: 09[IKE] sending keep alive
Dec 18 12:12:51 sun charon: 09[NET] sending packet: from 192.168.0.1[4500] to 80.xxx.xxx.xxx[41035]
Dec 18 12:13:11 sun charon: 10[IKE] sending keep alive
Dec 18 12:13:11 sun charon: 10[NET] sending packet: from 192.168.0.1[4500] to 80.xxx.xxx.xxx[41035]
Dec 18 12:13:31 sun charon: 11[IKE] sending keep alive
Dec 18 12:13:31 sun charon: 11[NET] sending packet: from 192.168.0.1[4500] to 80.xxx.xxx.xxx[41035]
Dec 18 12:13:51 sun charon: 12[IKE] sending keep alive
Dec 18 12:13:51 sun charon: 12[NET] sending packet: from 192.168.0.1[4500] to 80.xxx.xxx.xxx[41035]
</snip>
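
The CRL lines in the log above, worked through as an added example (not part of the original post and not strongSwan code): the 0x2d that charon reports where it expected 0x30 is an ASCII '-', the first byte of PEM armor, and the CHILD_SA is still established after the certificate status comes back as unavailable. The function names are illustrative and the log lines are copied from the post; the log does not show whether this is related to the phone-side error.

```python
import base64
import re

# Lines copied from the daemon.log excerpt in the post above.
LOG = """\
Dec 18 12:11:31 sun charon: 13[CFG] fetching crl from 'file://localhost/etc/ssl/test.com/crls/crl.pem' ...
Dec 18 12:11:31 sun charon: 13[LIB] L0 - certificateList: ASN1 tag 0x30 expected, but is 0x2d
Dec 18 12:11:31 sun charon: 13[CFG] crl fetched successfully but parsing failed
Dec 18 12:11:31 sun charon: 13[CFG] certificate status is not available
Dec 18 12:11:31 sun charon: 13[IKE] CHILD_SA roadwarrior{1} established with SPIs c7347aae_i 27c296e8_o and TS 192.168.0.0/24 === 10.38.241.1/32
"""

TAG_RE = re.compile(r"certificateList: ASN1 tag 0x30 expected, but is 0x([0-9a-f]{2})")
FETCH_RE = re.compile(r"fetching crl from '([^']+)'")
SA_RE = re.compile(r"\b(?:IKE|CHILD)_SA \S+ established")

def triage(log):
    """Summarise CRL handling in a charon log excerpt (illustrative helper)."""
    f = {"crl_uri": None, "first_byte": None, "pem_suspected": False,
         "status_unavailable": False, "sa_after_unavailable": False}
    for line in log.splitlines():
        m = FETCH_RE.search(line)
        if m:
            f["crl_uri"] = m.group(1)
        m = TAG_RE.search(line)
        if m:
            # 0x30 is an ASN.1 SEQUENCE (DER); 0x2d is '-' as in "-----BEGIN X509 CRL-----"
            f["first_byte"] = int(m.group(1), 16)
            f["pem_suspected"] = f["first_byte"] == ord("-")
        if "certificate status is not available" in line:
            f["status_unavailable"] = True
        if f["status_unavailable"] and SA_RE.search(line):
            f["sa_after_unavailable"] = True  # tunnel came up without a revocation check
    return f

def crl_to_der(data: bytes) -> bytes:
    """Return DER bytes for a CRL supplied as either DER or PEM."""
    if data[:1] == b"\x30":
        return data
    m = re.search(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", data, re.S)
    if not m:
        raise ValueError("input is neither a DER nor a PEM-armored CRL")
    der = base64.b64decode(m.group(1))
    if der[:1] != b"\x30":
        raise ValueError("PEM body does not start with an ASN.1 SEQUENCE")
    return der

if __name__ == "__main__":
    print(triage(LOG))
```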