StrongSwan VPN

I don’t see a strongswan forum so I thought I would ask here. I have a client that is running SLES11 SP2 and wants a VPN. I have installed strongswan. Does anybody here use strongswan and can offer any insights/config?

Hi carnold6,

Does anybody here use strongswan and can offer any insights/config?

That question, even in context, is a bit… generic :wink:

We’re running a strongswan-based VPN since what feels like forever, so maybe I can assist.

strongswan offers many possibilities, both in what remotes to attach, which protocols to use and which way to go concerning configuration/session setup/etc. A good starting point would be to ask the customer which kind of VPN he wants - like site-to-site tunneling, hub/spoke or “road warrior”-type of setups - and what kind of remotes you have to expect to attach.

The next thing would then be the level of security to provide (which is a multi-fold question all in itself: strength/weakness of the VPN protocol, password/key infrastructure, access policies both at a road warrior end and at site access points, …).

Everything else will probably unfold along the way.

Regards,
Jens

PS: We’re running a hub/spoke site-to-site tunneling setup with strongswan at all ends (but not always SuSE-based), some road warriors with strongswan, and started experimenting with non-strongswan mobile clients (and for now excluded the latter :wink: ). It’s IPsec with certificate-based authentication and quite some dynamically adjusted access rules… if your technical questions go beyond that, “I’ll do my very best”.

Yeah, my customer has no idea what type of VPN they want. The requirements are:
They will need access to our NAS and we will need access to their server. They will also have approx. 6 road warriors that will need to connect to strongswan. I have selected site-to-site to meet the requirement that both networks can reach each other, and hope to be able to build the road warriors’ requirement into the strongswan side. I almost have the IKEv2 tunnel built but get these errors on the strongswan side:

strongSwan side:
ipsec up teknerds
initiating IKE_SA teknerds[1] to sonicwall.publi.ip
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.18[500] to sonicwall.publi.ip[500]
received packet: from sonicwall.publi.ip[500] to 192.168.1.18[500]
invalid X509 hash length (0) in certreq
CERTIFICATE_REQUEST payload verification failed
IKE_SA_INIT response with message ID 0 processing failed
retransmit 1 of request with message ID 0

Weird, we are not doing certificates. We are using PSK.

Here is ipsec.conf:
config setup
        plutodebug=all          # very verbose; only meaningful for pluto (IKEv1)
        charonstart=yes         # charon handles the IKEv2 connection below
        plutostart=yes          # pluto (IKEv1) is not needed for an IKEv2-only setup
        nat_traversal=yes       # pluto option; charon always does NAT traversal

conn %default
        ikelifetime=28800s      # IKE_SA lifetime (8h)
        keylife=20m             # CHILD_SA lifetime
        rekeymargin=3m          # start rekeying 3 minutes before expiry
        keyingtries=0           # 0 = retry forever

# Add connections here.

conn teknerds
        type=tunnel
        auto=add                # loaded at start, brought up manually with "ipsec up teknerds"
        auth=esp                # ESP (the default) rather than AH
        pfs=no                  # pluto/IKEv1 keyword; with IKEv2, charon uses PFS only if esp= names a DH group
        authby=secret           # pre-shared key from /etc/ipsec.secrets, matched on leftid/rightid
        left=192.168.1.18       # local address (behind NAT, see the sonicwall log)
        leftid=@domain.com
        leftsubnet=192.168.1.0/24
        #leftnexthop=gateway ip address on roadwarrior side
        right=sonicwall.publi.ip
        rightsubnet=192.168.123.0/24
        rightid=@00xxxxxxx
        # strict ("!") proposals; these match what the sonicwall accepted
        # (3DES, HMAC_SHA1_96, DH group 2), but 3DES and modp1024 are weak by
        # current standards, so prefer AES/SHA-2/modp2048 if the peer supports them
        ike=3des-sha1-modp1024!
        keyexchange=ikev2
        esp=3des-sha1!

Logs from sonicwall:
04/01/2012 20:12:09.768 Info VPN IKE IKEv2 Responder: Send IKE_SA_INIT response sonicwall.publi.ip, 500 strongswan.pub.ip, 500 VPN Policy: ELC VPN;
19 04/01/2012 20:12:09.768 Info VPN IKE IKEv2 NAT device detected between negotiating peers strongswan.pub.ip, 500 sonicwall.publi.ip, 500 VPN Policy: ELC VPN; Peer gateway is behind a NAT device
20 04/01/2012 20:12:09.560 Info VPN IKE IKEv2 Accept IKE SA Proposal strongswan.pub.ip, 500 sonicwall.publi.ip, 500 VPN Policy: ELC VPN; 3DES; HMAC_SHA1_96; DH Group 2; IKEv2 InitSPI: 0x1b1ea10e46bd802b; IKEv2 RespSPI: 0xea5d86507c5bb4de
21 04/01/2012 20:12:09.560 Info VPN IKE IKEv2 Responder: Received IKE_SA_INIT request strongswan.pub.ip, 500 sonicwall.publi.ip, 500
22 04/01/2012 20:12:05.560 Warning VPN IKE IKEv2 Initiator: Negotiations failed. Invalid input state. strongswan.pub.ip, 500 75.177.187.225, 500 VPN Policy: ELC VPN; Unable to find a valid input state
23 04/01/2012 20:12:05.560 Info VPN IKE IKEv2 NAT device detected between negotiating peers strongswan.pub.ip, 500 sonicwall.publi.ip, 500 VPN Policy: ELC VPN; Local and Peer gateway are behind a NAT device

Appreciate any help and could give you access via teamviewer if you need it.

Hi carnold6,

seems the output got a bit garbled… so many asterisks :slight_smile:

IKEv2 between Sonicwall & Strongswan should work, according to what I’ve read on the net. I have not had a chance to play with Sonicwall yet, though.

From the sonicwall messages I get the impression that sonicwall gets a request (msg 21), accepts the parameters sent by strongswan (msg 20) and responds with a set of parameters unknown to us.

But: How do the messages sonicwall/strongswan fit together: The sonicwall log lists two requests from strongswan, the first one not being accepted (#22 - invalid input state). If that correlates to the first set of messages on the strongswan side, then you have the cause of the “payload problem” - some “empty”/non-existent or garbled response from sonicwall.

Then there is the retransmit from the strongswan side, which probably relates to sonicwall msg #21… but the strongswan log is cut off after the retransmit hint… anything that strongswan tells you about the response according to sonicwall #18 (I assume the first message to be #18)?

If you can fetch some syslog output from strongswan, with synchronized clocks, debugging will be easier.

Regards,
Jens

Here is the charon log after a stop/start of ipsec/strongswan:
signal of type SIGINT received. Shutting down
00[IKE] destroying IKE_SA in state CONNECTING without notification
00[KNL] received netlink error: Address family not supported by protocol (97)
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.4.0)
00[KNL] listening on interfaces:
00[KNL] eth0
00[KNL] 192.168.1.18
00[KNL] received netlink error: Address family not supported by protocol (97)
00[KNL] unable to create IPv6 routing table rule
00[NET] unable to create raw socket: Address family not supported by protocol
00[NET] could not open IPv6 receive socket, IPv6 disabled
00[CFG] loading ca certificates from ‘/etc/ipsec.d/cacerts’
00[CFG] loading aa certificates from ‘/etc/ipsec.d/aacerts’
00[CFG] loading ocsp signer certificates from ‘/etc/ipsec.d/ocspcerts’
00[CFG] loading attribute certificates from ‘/etc/ipsec.d/acerts’
00[CFG] loading crls from ‘/etc/ipsec.d/crls’
00[CFG] loading secrets from ‘/etc/ipsec.secrets’
00[CFG] loaded IKE secret for @edenslandcorp.com @0006B131D5A4
00[DMN] loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl gcrypt fips-prf xcbc hmac gmp attr kernel-netlink socket-raw stroke updown resolve
00[JOB] spawning 16 worker threads
06[CFG] received stroke: add connection ‘teknerds’
06[CFG] added configuration ‘teknerds’
07[CFG] received stroke: initiate ‘teknerds’
09[IKE] initiating IKE_SA teknerds[1] to sonicwall.public
09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
09[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
11[NET] received packet: from 75.177.187.225[500] to 192.168.1.18[500]
11[ENC] invalid X509 hash length (0) in certreq
11[ENC] CERTIFICATE_REQUEST payload verification failed
11[IKE] IKE_SA_INIT response with message ID 0 processing failed
12[IKE] retransmit 1 of request with message ID 0
12[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
13[IKE] retransmit 2 of request with message ID 0
13[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
14[IKE] retransmit 3 of request with message ID 0
14[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
15[IKE] retransmit 4 of request with message ID 0
15[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
03[IKE] retransmit 5 of request with message ID 0
03[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
06[IKE] giving up after 5 retransmits
06[IKE] peer not responding, trying again (2/0)

This just repeats for 5 tries and then gives up.

Hi carnold6,

This just repeats for 5 tries and then gives up.

that’s strange… and you’re not seeing new requests at the sonicwall? Maybe it is the NATing router/firewall machine (at the customer network) that is doing the harm, like dropping the packets or mis-matching the replies?

Any chance you could analyze the IP traffic between the outer gateways (preferably at the NAT router end of the “Internet”) and contrast that with what’s coming through on the internal customer net?

If it were a simple negotiation problem, I’d expect to see responses from the sonicwall that are rejected (or handled somehow else & reported) by strongswan. But seeing an initial exchange and then one-way traffic only makes me suspicious. It seems like someone is dropping packets.

Regards,
Jens
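The log correlation Jens describes above, as an added example that is not part of the thread: a small shell script that counts what charon reported for the IKE_SA_INIT exchange and says whether the peer answered at all, answered once and was rejected, or kept answering. The log sample is constructed from the charon lines posted above (redacted hostnames kept); the line patterns are strongSwan 4.x charon output, and the classification rules are my own.

```shell
#!/bin/sh
# Added example, not from the thread: triage a charon log excerpt for a failed
# IKE_SA_INIT. Distinguishes "peer answered and strongSwan rejected the answer"
# from "peer never answered" (path/NAT/firewall problem).
set -eu

LOG="${LOG:-$(mktemp)}"
# Constructed sample, assembled from the charon lines posted in the thread.
cat > "$LOG" <<'EOF'
09[IKE] initiating IKE_SA teknerds[1] to sonicwall.public.ip
09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
09[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
11[NET] received packet: from sonicwall.public.ip[500] to 192.168.1.18[500]
11[ENC] invalid X509 hash length (0) in certreq
11[ENC] CERTIFICATE_REQUEST payload verification failed
11[IKE] IKE_SA_INIT response with message ID 0 processing failed
12[IKE] retransmit 1 of request with message ID 0
12[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
13[IKE] retransmit 2 of request with message ID 0
13[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
14[IKE] retransmit 3 of request with message ID 0
14[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
15[IKE] retransmit 4 of request with message ID 0
15[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
03[IKE] retransmit 5 of request with message ID 0
03[NET] sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
06[IKE] giving up after 5 retransmits
EOF

# grep -c prints 0 on no match but exits 1, which would trip set -e
count() { grep -c "$1" "$2" || true; }

# Prints one line: SENT RECEIVED REJECTED RETRANSMITS LATE_REPLIES VERDICT
triage() {
    sent=$(count 'sending packet' "$1")
    received=$(count 'received packet' "$1")
    rejected=$(count 'processing failed' "$1")
    retransmits=$(count 'retransmit [0-9]* of request' "$1")
    # replies that arrived after the first retransmit went out: a responder
    # that still has state normally re-sends its cached IKE_SA_INIT response
    late=$(sed -n '/retransmit 1 of request/,$p' "$1" | grep -c 'received packet' || true)

    if [ "$received" -eq 0 ]; then
        verdict="no reply at all: check the path (NAT, firewall, UDP 500/4500) before the config"
    elif [ "$rejected" -gt 0 ] && [ "$late" -eq 0 ]; then
        verdict="peer answered once, strongSwan rejected the payload, retransmits unanswered"
    elif [ "$rejected" -gt 0 ]; then
        verdict="peer keeps answering, strongSwan keeps rejecting: negotiation/payload problem"
    else
        verdict="IKE_SA_INIT answered and accepted: look at the later exchanges"
    fi
    printf '%s %s %s %s %s %s\n' "$sent" "$received" "$rejected" "$retransmits" "$late" "$verdict"
}

triage "$LOG"
```

Run it against `/var/log/messages` (or wherever syslog puts charon) filtered to one `ipsec up` attempt; the interesting number is the fifth one, because a responder that answered once and then stays silent on retransmits points at something between the gateways rather than at the proposal.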

I think this is a certificate issue. I got this from the writer of strongswan:
You should create a CA certificate and put it in /etc/ipsec.d/cacerts/.

Then you should create two X.509 end entity certificates with
matching private keys, one for strongSwan and one for sonicwall,
and sign both certificates with the private key of the CA.

The private strongSwan key you put into /etc/ipsec.d/private/ and
the strongSwan certificate into /etc/ipsec.d/certs/.

Then you package the private sonicwall key, sonicwall certificate
and CA certificate into a PKCS#12 file (*.p12) and import it into
your sonicwall box.

The certificate request strongSwan sends should then be for the CA.

RSA keys and certificates can be generated using either openssl-based
tools

What CA management can I use to get this done? Using kde desktop.

Hi carnold6,

I think this is a certificate issue

This then would be a policy issue, IMO: It should technically be possible either with psk or certificates, I believe. If one side (ie sonicwall) does not like psk, that’s no technical reason :wink: But IMO certificates are the way to go anyhow, so I really suggest to follow that advice.

What CA management can I use to get this done? Using kde desktop

SLES11 does have a CA module, so that would run under KDE. But as we’re running our own CA longer than we’re using Linux enterprise versions, we’re used to using the openssl command line interface and/or our own wrappers. A short openssl how-to can be found in the strongswan docs, i.e. http://www.strongswan.org/docs/readme4.htm#section_3. I suppose there are newer docs in the Wiki, but that old one should still apply. When it comes to questions about the YaST CA module, others will have to jump in…

When we tested some commercial VPN terminators, we sometimes had difficulties importing our own certificates into those devices: They expected the DN (“certificate subject”) to be outright simple, i.e. to consist of only a single element. That was against our CA policy, so we dropped those devices. But I trust your sonicwall to be more professional than that.

Regards,
Jens
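The certificate setup the strongSwan author describes (CA, one end-entity certificate per gateway, PKCS#12 for the sonicwall) done with the plain openssl command line that Jens points to, as an added example that is neither strongSwan's own tooling nor anything posted in the thread. Every DN, hostname, path and password in it is an assumption; the file layout at the end follows the author's advice above.

```shell
#!/bin/sh
# Added example, not from the thread: build a CA, issue a certificate for the
# strongSwan gateway and one for the SonicWall, and bundle the SonicWall side
# into a PKCS#12 file. All names, DNs and paths are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-changeit}"                    # assumed; the SonicWall asks for it on import
CA_SUBJ="/C=US/O=Example VPN/CN=Example VPN CA"     # assumed DN
LEFT_FQDN="strongswan.example.com"                  # assumed; matches leftid
RIGHT_FQDN="sonicwall.example.com"                  # assumed; matches rightid

make_ca() {
    # CA key plus a self-signed CA certificate with explicit CA extensions, so the
    # result does not depend on whatever openssl.cnf ships with the distribution.
    openssl genrsa -out "$WORKDIR/caKey.pem" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/caKey.pem" -subj "$CA_SUBJ" -out "$WORKDIR/ca.csr"
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$WORKDIR/ca.ext"
    openssl x509 -req -in "$WORKDIR/ca.csr" -signkey "$WORKDIR/caKey.pem" \
        -days 3650 -extfile "$WORKDIR/ca.ext" -out "$WORKDIR/caCert.pem"
}

# issue_cert NAME FQDN: key, CSR and CA-signed end-entity certificate. The FQDN
# goes into subjectAltName so the IKE identity can be the FQDN or the full DN.
issue_cert() {
    name="$1"; fqdn="$2"
    openssl genrsa -out "$WORKDIR/${name}Key.pem" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/${name}Key.pem" \
        -subj "/C=US/O=Example VPN/CN=$fqdn" -out "$WORKDIR/$name.csr"
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'subjectKeyIdentifier=hash' \
        'authorityKeyIdentifier=keyid,issuer' \
        "subjectAltName=DNS:$fqdn" > "$WORKDIR/$name.ext"
    openssl x509 -req -in "$WORKDIR/$name.csr" -days 730 \
        -CA "$WORKDIR/caCert.pem" -CAkey "$WORKDIR/caKey.pem" -CAcreateserial \
        -extfile "$WORKDIR/$name.ext" -out "$WORKDIR/${name}Cert.pem"
}

# SonicWall side: private key, its certificate and the CA certificate in one .p12
make_p12() {
    openssl pkcs12 -export -name "$RIGHT_FQDN" \
        -inkey "$WORKDIR/sonicwallKey.pem" -in "$WORKDIR/sonicwallCert.pem" \
        -certfile "$WORKDIR/caCert.pem" -passout "pass:$P12_PASS" \
        -out "$WORKDIR/sonicwall.p12"
}

# 0 when NAME's certificate chains to the CA built above
verify_chain() {
    openssl verify -CAfile "$WORKDIR/caCert.pem" "$WORKDIR/${1}Cert.pem" >/dev/null 2>&1
}

# 0 when the bundle opens with the password, i.e. what the import will do
verify_p12() {
    openssl pkcs12 -in "$WORKDIR/sonicwall.p12" -passin "pass:$P12_PASS" -noout 2>/dev/null
}

make_ca
issue_cert strongswan "$LEFT_FQDN"
issue_cert sonicwall "$RIGHT_FQDN"
make_p12

# Where things go (strongSwan 4.x layout, as in the author's advice above):
#   caKey.pem           keep offline, never on the gateway
#   caCert.pem          /etc/ipsec.d/cacerts/
#   strongswanKey.pem   /etc/ipsec.d/private/   (add ": RSA strongswanKey.pem" to ipsec.secrets)
#   strongswanCert.pem  /etc/ipsec.d/certs/     (leftcert= in ipsec.conf)
#   sonicwall.p12       import into the SonicWall, then delete sonicwallKey.pem here
echo "generated in $WORKDIR"
```

With the files in place the connection switches from `authby=secret` to `authby=pubkey` plus `leftcert=strongswanCert.pem`, and `leftid`/`rightid` have to match a subjectAltName or the DN of the respective certificate. Two caveats: older appliances sometimes only accept the old PKCS#12 encryption, in which case add `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1` (or `-legacy` on OpenSSL 3) to the export; and once both ends trust the same CA, the CERTREQ payload in IKE_SA_INIT carries 20-byte SHA-1 hashes of the CA public key (RFC 7296), which is exactly the length that was 0 in the log above, so a capture of the first exchange is a quick way to confirm the sonicwall now has the CA loaded.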