Hello

I am trying to connect to a Cisco VPN Terminator. Unfortunately I do not have 
access to this point.

I have obtained a certificate and key and put them in /etc/ipsec.d/certs, 
/etc/ipsec.d/cacerts and /etc/ipsec.d/private.

But I get an AUTHENTICATION_FAILED notify error.

I don't know where to start.

Some questions:

My strongSwan version is 5.4.0. Too old?

Can I ignore the warning "opening triplet file /etc/ipsec.d/triplets.dat failed: No 
such file or directory"?

What about the warning "cert payload ANY not supported - ignored"?

My ipsec.conf file is simple, especially concerning the right side. Do I need 
rightid, for example?

I am glad for any hints.
Log and configurations below.

René

----------

# ipsec.secrets
: RSA ***mobile.key

----------

# ipsec.conf
config setup
    charondebug="ike 1, mgr 1, lib 1, cfg 1, net 1, enc 1, asn 1, job 1, knl 1, dmn 1"

conn %default
    ikelifetime=86400
    lifetime=1090
    fragmentation=yes
    mobike=yes
    dpddelay=2
    dpdtimeout=10
    rekeymargin=3m
    keyingtries=%forever
    keyexchange=ikev2
    ike=aes128gcm16-sha512-ecp384,aes256-sha512-ecp384
    esp=aes256-sha512-ecp384!

conn one
    left=10.162.225.64
    leftsubnet=10.162.110.96/27
    leftid="C=**, ST=**, L=***, O=***, OU=***, CN=***, E=***"
    leftcert=***mobile.crt
    leftsendcert=always
    right=x.x.x.x
    rightsubnet=10.0.0.0/8
    rightauth=pubkey
    auto=start
----------

# ipsec start
Starting strongSwan 5.4.0 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
# Jan 28 09:43:26 EGVxx_06717537 ipsec_starter[18258]: Starting strongSwan 5.4.0 IPsec [starter]...
Jan 28 09:43:26 ipsec_starter[18258]: no netkey IPsec stack detected
Jan 28 09:43:26 ipsec_starter[18258]: no KLIPS IPsec stack detected
Jan 28 09:43:26 ipsec_starter[18258]: no known IPsec stack detected, ignoring!
Jan 28 09:43:26 charon[18267]: 00[DMN] Starting IKE charon daemon (strongSwan 5.4.0, Linux 4.4.107, armv7l)
Jan 28 09:43:26 charon[18267]: 00[KNL] received netlink error: Address family not supported by protocol (97)
Jan 28 09:43:26 charon[18267]: 00[KNL] unable to create IPv6 routing table rule
Jan 28 09:43:26 charon[18267]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 28 09:43:26 charon[18267]: 00[CFG]   loaded ca certificate "DC=**, DC=***, DC=cert, CN=***" from '/etc/ipsec.d/cacerts/cacert.crt'
Jan 28 09:43:26 charon[18267]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 28 09:43:26 charon[18267]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 28 09:43:26 charon[18267]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 28 09:43:26 charon[18267]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 28 09:43:26 charon[18267]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 28 09:43:27 charon[18267]: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/***mobile.key'
Jan 28 09:43:27 charon[18267]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Jan 28 09:43:27 charon[18267]: 00[CFG] loaded 0 RADIUS server configurations
Jan 28 09:43:27 charon[18267]: 00[LIB] loaded plugins: charon openssl pkcs11 aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic tnc-tnccs tnccs-20 tnccs-11 led
Jan 28 09:43:27 charon[18267]: 00[JOB] spawning 16 worker threads
Jan 28 09:43:27 ipsec_starter[18266]: charon (18267) started after 720 ms
Jan 28 09:43:27 charon[18267]: 05[CFG] received stroke: add connection 'one'
Jan 28 09:43:27 charon[18267]: 05[CFG]   loaded certificate "C=**, ST=**, L=***, O=***, OU=***, CN=***, E=***" from '***mobile.crt'
Jan 28 09:43:27 charon[18267]: 05[CFG] added configuration 'one'
Jan 28 09:43:27 charon[18267]: 07[CFG] received stroke: initiate 'one'
Jan 28 09:43:27 charon[18267]: 07[IKE] initiating IKE_SA one[1] to x.x.x.x
Jan 28 09:43:27 charon[18267]: 07[IKE] initiating IKE_SA one[1] to x.x.x.x
Jan 28 09:43:27 charon[18267]: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 28 09:43:27 charon[18267]: 07[NET] sending packet: from 10.162.225.64[500] to x.x.x.x[500] (1008 bytes)
Jan 28 09:43:28 charon[18267]: 13[NET] received packet: from x.x.x.x[500] to 10.162.225.64[500] (341 bytes)
Jan 28 09:43:28 charon[18267]: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HTTP_CERT_LOOK) ]
Jan 28 09:43:28 charon[18267]: 13[IKE] received Cisco Delete Reason vendor ID
Jan 28 09:43:28 charon[18267]: 13[ENC] received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
Jan 28 09:43:28 charon[18267]: 13[IKE] cert payload ANY not supported - ignored
Jan 28 09:43:28 charon[18267]: 13[IKE] sending cert request for "DC=**, DC=***, DC=***, CN=***-CA"
Jan 28 09:43:28 charon[18267]: 13[IKE] authentication of 'C=**, ST=**, L=***, O=***, OU=***, CN=***, E=***' (myself) with RSA signature successful
Jan 28 09:43:28 charon[18267]: 13[IKE] sending end entity cert "C=**, ST=**, L=***, O=***, OU=***, CN=*** E=***"
Jan 28 09:43:28 charon[18267]: 13[IKE] establishing CHILD_SA one
Jan 28 09:43:28 charon[18267]: 13[IKE] establishing CHILD_SA one
Jan 28 09:43:28 charon[18267]: 13[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
Jan 28 09:43:28 charon[18267]: 13[NET] sending packet: from 10.162.225.64[4500] to x.x.x.x[4500] (2277 bytes)
Jan 28 09:43:32 charon[18267]: 15[IKE] retransmit 1 of request with message ID 1
Jan 28 09:43:32 charon[18267]: 15[NET] sending packet: from 10.162.225.64[4500] to x.x.x.x[4500] (2277 bytes)
Jan 28 09:43:39 charon[18267]: 08[IKE] retransmit 2 of request with message ID 1
Jan 28 09:43:39 charon[18267]: 08[NET] sending packet: from 10.162.225.64[4500] to x.x.x.x[4500] (2277 bytes)
Jan 28 09:43:44 charon[18267]: 05[NET] received packet: from x.x.x.x[4500] to 10.162.225.64[4500] (65 bytes)
Jan 28 09:43:44 charon[18267]: 05[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 28 09:43:44 charon[18267]: 05[IKE] received AUTHENTICATION_FAILED notify error
----------

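As an added example, not part of René's message or of strongSwan itself: a small Python helper that parses charon log lines of the kind quoted above, reconstructs the IKEv2 exchanges (message IDs, payloads sent and received, retransmits), decodes an "unknown vendor ID" to ASCII when its bytes are printable, and reports where the negotiation broke down. The sample input is a subset of the log lines from the message; the `Exchange`, `Summary`, `parse_charon_log` and `diagnose` names are my own and not a strongSwan API.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a subset of the charon log lines quoted in the
# message above (peer address and DNs already masked by the original poster).
SAMPLE_LOG = """\
Jan 28 09:43:27 charon[18267]: 07[IKE] initiating IKE_SA one[1] to x.x.x.x
Jan 28 09:43:27 charon[18267]: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 28 09:43:28 charon[18267]: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HTTP_CERT_LOOK) ]
Jan 28 09:43:28 charon[18267]: 13[ENC] received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
Jan 28 09:43:28 charon[18267]: 13[IKE] cert payload ANY not supported - ignored
Jan 28 09:43:28 charon[18267]: 13[IKE] authentication of 'C=**, ST=**, L=***, O=***, OU=***, CN=***, E=***' (myself) with RSA signature successful
Jan 28 09:43:28 charon[18267]: 13[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
Jan 28 09:43:32 charon[18267]: 15[IKE] retransmit 1 of request with message ID 1
Jan 28 09:43:39 charon[18267]: 08[IKE] retransmit 2 of request with message ID 1
Jan 28 09:43:44 charon[18267]: 05[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 28 09:43:44 charon[18267]: 05[IKE] received AUTHENTICATION_FAILED notify error
"""

# "Jan 28 09:43:27 charon[18267]: 07[IKE] <message>" -> keep only <message>
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d charon\[\d+\]: \d+\[[A-Z]+\] (?P<msg>.*)$")
EXCHANGE_RE = re.compile(
    r"^(generating|parsed) (?P<type>[A-Z_]+) (?P<kind>request|response) (?P<mid>\d+) \[ (?P<payloads>.*) \]$")
RETRANSMIT_RE = re.compile(r"^retransmit (?P<n>\d+) of request with message ID (?P<mid>\d+)$")
NOTIFY_RE = re.compile(r"^received (?P<notify>[A-Z_]+) notify error$")
VENDOR_RE = re.compile(r"^received unknown vendor ID: (?P<hex>[0-9a-f:]+)$")


@dataclass
class Exchange:
    mid: int
    type: str                                      # IKE_SA_INIT, IKE_AUTH, ...
    request: list = field(default_factory=list)    # payload names we sent
    response: list = field(default_factory=list)   # payload names we received
    retransmits: int = 0


@dataclass
class Summary:
    exchanges: dict = field(default_factory=dict)  # message ID -> Exchange
    local_auth_ok: bool = False                    # our own AUTH payload was built
    notify_errors: list = field(default_factory=list)
    vendor_ids: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def decode_vendor_id(hex_bytes):
    """Render a colon-separated hex vendor ID as ASCII if every byte is printable."""
    raw = bytes.fromhex(hex_bytes.replace(":", ""))
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return raw.hex()


def parse_charon_log(text):
    """Build a Summary from charon log text; lines that are not charon output are skipped."""
    s = Summary()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        ex, rt, nt, vid = (EXCHANGE_RE.match(msg), RETRANSMIT_RE.match(msg),
                           NOTIFY_RE.match(msg), VENDOR_RE.match(msg))
        if ex:
            mid = int(ex["mid"])
            e = s.exchanges.setdefault(mid, Exchange(mid, ex["type"]))
            payloads = ex["payloads"].split()
            if ex["kind"] == "request":
                e.request = payloads
            else:
                e.response = payloads
        elif rt:
            mid = int(rt["mid"])
            if mid in s.exchanges:
                s.exchanges[mid].retransmits = int(rt["n"])
        elif nt:
            s.notify_errors.append(nt["notify"])
        elif vid:
            s.vendor_ids.append(decode_vendor_id(vid["hex"]))
        elif msg.endswith("(myself) with RSA signature successful"):
            s.local_auth_ok = True
        elif "not supported - ignored" in msg or " failed: " in msg:
            s.warnings.append(msg)
    return s


def diagnose(s):
    """Turn the parsed summary into the findings a defender would check first."""
    findings = []
    init = next((e for e in s.exchanges.values() if e.type == "IKE_SA_INIT"), None)
    auth = next((e for e in s.exchanges.values() if e.type == "IKE_AUTH"), None)
    if init and "CERTREQ" in init.response:
        findings.append("peer sent CERTREQ in IKE_SA_INIT: our certificate must chain to a CA the peer trusts")
    if auth is None:
        findings.append("no IKE_AUTH exchange: negotiation failed already in IKE_SA_INIT (proposals, DH group)")
        return findings
    if auth.retransmits:
        findings.append("IKE_AUTH request retransmitted %d times before a response arrived" % auth.retransmits)
    if "AUTHENTICATION_FAILED" in s.notify_errors:
        if s.local_auth_ok and "CERT" in auth.request:
            findings.append("peer rejected our IKE_AUTH although our RSA signature and CERT were sent: "
                            "the responder could not validate or match our identity/certificate chain")
        else:
            findings.append("peer rejected our IKE_AUTH before we built our own AUTH payload")
    for v in s.vendor_ids:
        findings.append("unknown vendor ID decodes to %r" % v)
    return findings


if __name__ == "__main__":
    summary = parse_charon_log(SAMPLE_LOG)
    for mid, e in sorted(summary.exchanges.items()):
        print("%s (mid %d): sent %s, got %s, retransmits=%d" % (e.type, mid, e.request, e.response, e.retransmits))
    for finding in diagnose(summary):
        print("-", finding)
```

Run against a full `charondebug` capture, the summary separates the two questions that matter for an AUTHENTICATION_FAILED: whether our side got as far as building its own AUTH payload (it did here, so the rejection is the responder's decision about our identity and chain, which is what `rightid`/`leftid` and the CA files influence), and whether the peer even reached IKE_AUTH. The vendor-ID decoding is plain hex-to-ASCII and only labels the bytes; it does not change how strongSwan treats them.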