strongSwan 4.5.2 with iOS and Mavericks, connection problems

4

I'm having trouble configuring strongSwan 4.5.2 to work with iOS 7 and OS X Mavericks. I followed these two guides, but I'm still running into problems. link link

I suspect the problem is related to the old version of strongSwan; unfortunately, my server is a Raspberry Pi, and I don't think there's an easy way to get strongSwan 5.x on the Pi.

It may be a red herring, but I suspect the following error message in my /var/log/auth.log has something to do with my problem:

message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)

I can't find anything useful online about this error message (at least, nothing in English; I saw a few mentions in German).

Here are the contents of /etc/strongswan.conf

# strongswan.conf - strongSwan configuration file

charon {

    # number of worker threads in charon
    threads = 16

    # send strongswan vendor ID?
    # send_vendor_id = yes

    plugins {

        sql {
            # loglevel to log into sql database
            loglevel = -1

            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        }
        dhcp {
            identity_lease = yes
        }
    }

    # ...
}

pluto {
      dns1 = 192.168.0.1
}

libstrongswan {

    #  set to no, the DH exponent size is optimized
    #  dh_exponent_ansi_x9_42 = no
}

Next, the contents of /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    nat_traversal=yes
    #charonstart=yes
    plutostart=yes

# Add connections here.

conn %default
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=serverCert.pem
        right=%any
        rightsubnet=10.0.0.0/24
        rightsourceip=10.0.0.2
        rightcert=clientCert.pem
        pfs=no
        auto=add
conn rw-eap
    dpdaction=clear
    dpddelay=300s
    leftauth=pubkey
    leftcert=serverCert.pem
    rightauth=eap-mschapv2
    rightsendcert=never

include /var/lib/strongswan/ipsec.conf.inc

And I copied the following files, as directed in the guides:

cp caCert.pem /etc/ipsec.d/cacerts/
cp serverCert.pem /etc/ipsec.d/certs/
cp serverKey.pem /etc/ipsec.d/private/
cp clientCert.pem /etc/ipsec.d/certs/
cp clientKey.pem /etc/ipsec.d/private/

I also edited my /usr/lib/ssl/openssl.cnf file to contain an appropriate subjectAltName before generating these certificates.

Any help would be much appreciated, even just a suggestion for how I could get a newer version of strongSwan on my Pi! Thanks!

Below is some more complete auth.log output, with the dates removed.

Starting the server

sudo:       pi : TTY=pts/1 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/sbin/ipsec start
sudo: pam_unix(sudo:session): session opened for user root by pi(uid=0)
ipsec_starter[22013]: Starting strongSwan 4.5.2 IPsec [starter]...
sudo: pam_unix(sudo:session): session closed for user root
pluto[22027]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID
ipsec_starter[22026]: pluto (22027) started after 20 ms
pluto[22027]: listening on interfaces:
pluto[22027]:   eth0
pluto[22027]:     192.168.1.9
pluto[22027]: received netlink error: Address family not supported by protocol (97)
pluto[22027]: unable to create IPv6 routing table rule
pluto[22027]: loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink 
pluto[22027]:   including NAT-Traversal patch (Version 0.6c)
pluto[22027]: failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
ipsec_starter[22026]: charon (22028) started after 740 ms
pluto[22027]: loading ca certificates from '/etc/ipsec.d/cacerts'
pluto[22027]:   loaded ca certificate from '/etc/ipsec.d/cacerts/caCert.pem'
pluto[22027]: loading aa certificates from '/etc/ipsec.d/aacerts'
pluto[22027]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
pluto[22027]: Changing to directory '/etc/ipsec.d/crls'
pluto[22027]: loading attribute certificates from '/etc/ipsec.d/acerts'
pluto[22027]: spawning 4 worker threads
pluto[22027]: listening for IKE messages
pluto[22027]: adding interface eth0/eth0 192.168.1.9:500
pluto[22027]: adding interface eth0/eth0 192.168.1.9:4500
pluto[22027]: adding interface lo/lo 127.0.0.1:500
pluto[22027]: adding interface lo/lo 127.0.0.1:4500
pluto[22027]: loading secrets from "/etc/ipsec.secrets"
pluto[22027]: no secrets filename matched "/var/lib/strongswan/ipsec.secrets.inc"
pluto[22027]:   loaded private key from 'serverKey.pem'
pluto[22027]:   loaded XAUTH secret for peter.story 
pluto[22027]:   loaded host certificate from '/etc/ipsec.d/certs/serverCert.pem'
pluto[22027]:   id '%any' not confirmed by certificate, defaulting to 'C=CH, O=storyZone, CN=storyzone.us.to'
pluto[22027]:   loaded host certificate from '/etc/ipsec.d/certs/clientCert.pem'
pluto[22027]:   id '%any' not confirmed by certificate, defaulting to 'C=CH, O=storyZone, CN=piclient'
pluto[22027]: added connection description "rw-eap"

Connection attempt from iOS

pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [RFC 3947]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [XAUTH]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [Cisco-Unity]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [Dead Peer Detection]
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: responding to Main Mode from unknown peer 96.237.188.238
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [RFC 3947]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [XAUTH]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [Cisco-Unity]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [Dead Peer Detection]
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: responding to Main Mode from unknown peer 96.237.188.238
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: ignoring informational payload, type INVALID_PAYLOAD_TYPE
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: ignoring informational payload, type INVALID_PAYLOAD_TYPE
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [RFC 3947]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [XAUTH]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [Cisco-Unity]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [Dead Peer Detection]
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: responding to Main Mode from unknown peer 96.237.188.238
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: ignoring informational payload, type INVALID_PAYLOAD_TYPE
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: ignoring informational payload, type INVALID_PAYLOAD_TYPE
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: ignoring informational payload, type INVALID_PAYLOAD_TYPE
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: ignoring informational payload, type INVALID_PAYLOAD_TYPE
    
by Peter Story 24.05.2014 / 17:25

0 answers
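As an added triage helper, not part of the question above and not strongSwan's own tooling, the following Python script parses pluto lines in the auth.log format the post shows, groups them per IKE state (the `#N` counter) and per peer, and reports whether any exchange got past the "unexpected payload type" error. The sample lines are constructed in that format with a documentation-range peer address (203.0.113.5); the "ISAKMP SA established" success string is assumed from pluto's usual Phase 1 log line and is not present in the post's logs.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of strongSwan 4.5.2 pluto lines in auth.log.
# The peer address 203.0.113.5 is a documentation-range placeholder, not a real client.
SAMPLE_LOG = """\
pluto[22027]: packet from 203.0.113.5:500: received Vendor ID payload [RFC 3947]
pluto[22027]: packet from 203.0.113.5:500: ignoring Vendor ID payload [Cisco-Unity]
pluto[22027]: packet from 203.0.113.5:500: received Vendor ID payload [XAUTH]
pluto[22027]: "rw-eap"[1] 203.0.113.5 #1: responding to Main Mode from unknown peer 203.0.113.5
pluto[22027]: "rw-eap"[1] 203.0.113.5 #1: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 203.0.113.5 #1: sending notification INVALID_PAYLOAD_TYPE to 203.0.113.5:500
pluto[22027]: "rw-eap"[1] 203.0.113.5 #2: responding to Main Mode from unknown peer 203.0.113.5
pluto[22027]: "rw-eap"[1] 203.0.113.5 #2: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 203.0.113.5 #2: sending notification INVALID_PAYLOAD_TYPE to 203.0.113.5:500
pluto[22027]: "rw-eap"[1] 203.0.113.5 #1: ignoring informational payload, type INVALID_PAYLOAD_TYPE
sshd[1234]: Accepted publickey for pi from 192.0.2.10 port 50000 ssh2
"""

# One line about a specific IKE state: "<conn>"[<instance>] <peer> #<state>: <message>
STATE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<state>\d+): (?P<msg>.*)$'
)
# Vendor ID lines arrive before a state exists, so they are keyed by peer address only.
VID_RE = re.compile(
    r'pluto\[\d+\]: packet from (?P<peer>[\d.]+):\d+: (?P<action>received|ignoring) '
    r'Vendor ID payload \[(?P<vid>[^\]]+)\]'
)
UNEXPECTED_RE = re.compile(r'unexpected payload type \((?P<ptype>\w+)\)')


def summarize(log_text):
    """Group pluto messages per (peer, state) and report how each exchange ended."""
    vendor_ids = defaultdict(lambda: {"received": [], "ignoring": []})
    states = defaultdict(list)
    for line in log_text.splitlines():
        m = VID_RE.search(line)
        if m:
            vendor_ids[m["peer"]][m["action"]].append(m["vid"])
            continue
        m = STATE_RE.search(line)
        if m:
            states[(m["peer"], int(m["state"]))].append(m["msg"])

    unexpected_types = Counter()
    failed_states = set()
    established = 0
    for key, msgs in states.items():
        for msg in msgs:
            u = UNEXPECTED_RE.search(msg)
            if u:
                unexpected_types[u["ptype"]] += 1
                failed_states.add(key)
            # Assumed success marker: pluto's usual Phase 1 completion line.
            if "ISAKMP SA established" in msg:
                established += 1

    return {
        "vendor_ids": {peer: dict(v) for peer, v in vendor_ids.items()},
        "states_seen": len(states),
        "states_established": established,
        "states_with_unexpected_payload": sorted(failed_states),
        "unexpected_payload_types": dict(unexpected_types),
    }


def verdict(summary):
    """One-line reading of the summary for a triage note."""
    seen = summary["states_seen"]
    failed = len(summary["states_with_unexpected_payload"])
    if seen and failed == seen and summary["states_established"] == 0:
        types = ", ".join(sorted(summary["unexpected_payload_types"]))
        return (f"all {seen} IKE exchange(s) aborted on an unexpected payload ({types}); "
                "no Phase 1 SA was established")
    if failed:
        return f"{failed} of {seen} exchange(s) hit an unexpected payload"
    return "no unexpected-payload errors"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s)
    print(verdict(s))
```

Run it against a real file with `summarize(open("/var/log/auth.log").read())`; the per-state grouping makes it easy to see that every Main Mode exchange in the post dies at the same point rather than at, say, certificate validation, which narrows the search to the proposal handling on the responder side.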