[GUIDA] xl2tpd/strongSwan per VPN L2TP/IPsec su DGA413x/TG78x

a1pollo · « **Risposta #60 il:** 01 Dicembre 2019, 14:26 »

@LuKePicci, ok a me andrebbe bene solo certificati,
Il client e' strongswan per android.
Attualmente l'ho configurato IKEv2 Certificate + EAP(username/password).
Anche se metto IKEv2 Certificate (sul client) non connette, in questo caso non so che configurazione devo mettere sul server(ne ho provate tante).
Questo con IKEv2 Certificate sul mio android:

Codice: [Seleziona]

Sun Dec  1 14:19:10 2019 daemon.info syslog: 03[NET] received packet: from 37.160.110.212[40636] to mio ip[500] (336 bytes)
Sun Dec  1 14:19:10 2019 daemon.info syslog: 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sun Dec  1 14:19:10 2019 daemon.info syslog: 03[IKE] 37.160.110.212 is initiating an IKE_SA
Sun Dec  1 14:19:10 2019 authpriv.info syslog: 03[IKE] 37.160.110.212 is initiating an IKE_SA
Sun Dec  1 14:19:10 2019 daemon.info syslog: 03[IKE] remote host is behind NAT
Sun Dec  1 14:19:10 2019 daemon.info syslog: 03[IKE] sending cert request for "C=DE, O=xxx, CN=xxxx"
Sun Dec  1 14:19:10 2019 daemon.info syslog: 03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Sun Dec  1 14:19:10 2019 daemon.info syslog: 03[NET] sending packet: from mio ip[500] to 37.160.110.212[40636] (353 bytes)
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[NET] received packet: from 37.160.110.212[40642] to mio ip[4500] (1456 bytes)
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[IKE] received cert request for "C=DE, O=xxx, CN=xxxx"
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[IKE] received end entity cert "C=DE, O=xxx, CN=client"
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[CFG] looking for peer configs matching mio ip[%any]...37.160.110.212[C=DE, O=xxx, CN=client]
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[CFG] selected peer config 'roadwarriorPUBKEY'
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[CFG]   using trusted ca certificate "C=DE, O=xxx, CN=xxxx"
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[CFG] checking certificate status of "C=DE, O=xxx, CN=client"
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[CFG] certificate status is not available
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[CFG]   reached self-signed root ca with a path length of 0
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[CFG]   using trusted certificate "C=DE, O=xxx, CN=client"
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[IKE] authentication of 'C=DE, O=xxx, CN=client' with RSA_EMSA_PKCS1_SHA256 successful
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[IKE] peer supports MOBIKE
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[IKE] authentication of 'xxx.dyndns.org' (myself) with RSA_EMSA_PKCS1_SHA256 successful
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[IKE] IKE_SA roadwarriorPUBKEY[2] established between mio ip[xxx.dyndns.org]...37.160.110.212[C=DE, O=xxx, CN=client]
Sun Dec  1 14:19:11 2019 authpriv.info syslog: 01[IKE] IKE_SA roadwarriorPUBKEY[2] established between mio ip[xxx.dyndns.org]...37.160.110.212[C=DE, O=xxx, CN=client]
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[IKE] scheduling reauthentication in 10003s
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[IKE] maximum IKE_SA lifetime 10543s
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[IKE] sending end entity cert "C=DE, O=xxx, CN=xxx.dyndns.org"
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[IKE] peer requested virtual IP %any
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[CFG] reassigning offline lease to 'C=DE, O=xxx, CN=client'
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[IKE] assigning virtual IP 10.0.1.1 to peer 'C=DE, O=xxx, CN=client'
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[IKE] peer requested virtual IP %any6
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[IKE] no virtual IP found for %any6 requested by 'C=DE, O=xxx, CN=client'
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[IKE] no acceptable proposal found
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[IKE] failed to establish CHILD_SA, keeping IKE_SA
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS NBNS) N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(NO_PROP) ]
Sun Dec  1 14:19:11 2019 daemon.info syslog: 01[NET] sending packet: from mio ip[4500] to 37.160.110.212[40642] (1376 bytes)
Sun Dec  1 14:19:11 2019 daemon.info syslog: 07[NET] received packet: from 37.160.110.212[40642] to mio ip[4500] (80 bytes)
Sun Dec  1 14:19:11 2019 daemon.info syslog: 07[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Sun Dec  1 14:19:11 2019 daemon.info syslog: 07[IKE] received DELETE for IKE_SA roadwarriorPUBKEY[2]
Sun Dec  1 14:19:11 2019 daemon.info syslog: 07[IKE] deleting IKE_SA roadwarriorPUBKEY[2] between mio ip[xxx.dyndns.org]...37.160.110.212[C=DE, O=xxx, CN=client]
Sun Dec  1 14:19:11 2019 authpriv.info syslog: 07[IKE] deleting IKE_SA roadwarriorPUBKEY[2] between mio ip[xxx.dyndns.org]...37.160.110.212[C=DE, O=xxx, CN=client]
Sun Dec  1 14:19:11 2019 daemon.info syslog: 07[IKE] IKE_SA deleted
Sun Dec  1 14:19:11 2019 authpriv.info syslog: 07[IKE] IKE_SA deleted
Sun Dec  1 14:19:11 2019 daemon.info syslog: 07[ENC] generating INFORMATIONAL response 2 [ ]
Sun Dec  1 14:19:11 2019 daemon.info syslog: 07[NET] sending packet: from mio ip[4500] to 37.160.110.212[40642] (80 bytes)
Sun Dec  1 14:19:11 2019 daemon.info syslog: 07[CFG] lease 10.0.1.1 by 'C=DE, O=xxx, CN=client' went offline

LuKePicci · « **Risposta #61 il:** 01 Dicembre 2019, 15:55 »

Si ma non mi hai detto se lo vuoi con pubkey o con eap-tls.

Io non so tu cosa abbia ora nelle configurazioni di strongswan sul router ~~probabilmente ne hai due non distinguibili~~ (edit: no, tra i due esempi hai solo modificato la config del client).

Sicuramente puoi tenere configurate sul router due alternative che propongono rispettivamente pubkey o eap-tls come primo round. Nel momento in cui ne modifichi una per proporre anche un secondo round eap perdi la possibilit� di tenere configurata una alternativa a singolo round pubkey perch� strongswan non � in grado di distinguerle (dato che entrambe le policy matchano con %any). Quindi attieniti per il momento alla guida sulla wiki e tieni solo le due alternative a singolo round.

edit: Nell'esempio di stamattina avevi evidentemente configurato il client con due round di autenticazione (pubkey + eap-mschapv2) di cui non esisteva una corrispondente config sul router. In questo qui sopra invece hai configurato il client con soli certificati e il router � d'accordo, l'autenticazione (primo ed unico round) � completa e il client prosegue col setup della policy ESP ma sei di nuovo al punto che la ciphersuite richiesta dal client non � tra quelle disponibili su sul router. Faccio qualche verifica sulle versioni dei client android che avevo testato e e ti faccio sapere, intanto vedi se sul client riesci a rilassare il requisito crittografico per ESP e vedi se intanto riesce a connettersi.

a1pollo · « **Risposta #62 il:** 01 Dicembre 2019, 16:15 »

Non voglio discostarmi dalla guida quindi pubkey(roadwarriorPUBKEY).

La guida su openwrt l'hai scritta tu?

LuKePicci · « **Risposta #63 il:** 01 Dicembre 2019, 16:25 »

L'ho editata, quella originale ometteva una serie di dettagli fondamentali e soprattutto proponeva per default la config a doppio round che per� funziona solo su android.
Vedi che ho editato sopra, non avevo confrontato correttamente i due log.

edit: dunque, il client android che ho usato per i test e che tutt'ora funziona correttamente � strongswan 2.2.1, configurato come solo certificati (pubkey) selezionato sull'app come "IKEv2 Certificate", e non ho customizzato in alcun modo le ciphersuite (c'� il campo per sceglierle manualmente). Questo � il log che compare quando tutto va come dovrebbe:

Codice: [Seleziona]

root@OpenWrt:~# logread -f | grep "daemon.info syslog:"
Sun Dec  1 16:31:35 2019 daemon.info syslog: 13[NET] received packet: from 37.161.75.19[38672] to 62.x.x.x[500] (716 bytes)
Sun Dec  1 16:31:35 2019 daemon.info syslog: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sun Dec  1 16:31:35 2019 daemon.info syslog: 13[IKE] 37.161.75.19 is initiating an IKE_SA
Sun Dec  1 16:31:35 2019 daemon.info syslog: 13[IKE] remote host is behind NAT
Sun Dec  1 16:31:35 2019 daemon.info syslog: 13[IKE] DH group ECP_256 inacceptable, requesting MODP_2048
Sun Dec  1 16:31:35 2019 daemon.info syslog: 13[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sun Dec  1 16:31:35 2019 daemon.info syslog: 13[NET] sending packet: from 62.x.x.x[500] to 37.161.75.19[38672] (38 bytes)
Sun Dec  1 16:31:36 2019 daemon.info syslog: 16[NET] received packet: from 37.161.75.19[38672] to 62.x.x.x[500] (908 bytes)
Sun Dec  1 16:31:36 2019 daemon.info syslog: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sun Dec  1 16:31:36 2019 daemon.info syslog: 16[IKE] 37.161.75.19 is initiating an IKE_SA
Sun Dec  1 16:31:36 2019 daemon.info syslog: 16[IKE] remote host is behind NAT
Sun Dec  1 16:31:36 2019 daemon.info syslog: 16[IKE] sending cert request for "C=IT, O=LuMa, CN=LuMa Trusted Members CA"
Sun Dec  1 16:31:36 2019 daemon.info syslog: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Sun Dec  1 16:31:36 2019 daemon.info syslog: 16[NET] sending packet: from 62.x.x.x[500] to 37.161.75.19[38672] (481 bytes)
Sun Dec  1 16:31:36 2019 daemon.info syslog: 05[NET] received packet: from 37.161.75.19[38673] to 62.x.x.x[4500] (4716 bytes)
Sun Dec  1 16:31:36 2019 daemon.info syslog: 05[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sun Dec  1 16:31:36 2019 daemon.info syslog: 05[IKE] received cert request for "C=IT, O=LuMa, CN=LuMa Trusted Members CA"
Sun Dec  1 16:31:36 2019 daemon.info syslog: 05[IKE] received 153 cert requests for an unknown ca
Sun Dec  1 16:31:36 2019 daemon.info syslog: 05[IKE] received end entity cert "C=IT, O=LuMa, [email protected]"
Sun Dec  1 16:31:36 2019 daemon.info syslog: 05[CFG] looking for peer configs matching 62.x.x.x[%any]...37.161.75.19[C=IT, O=LuMa, [email protected]]
Sun Dec  1 16:31:36 2019 daemon.info syslog: 05[CFG] selected peer config 'roadwarriorPUBKEY'
Sun Dec  1 16:31:36 2019 daemon.info syslog: 05[CFG]   using certificate "C=IT, O=LuMa, [email protected]"
Sun Dec  1 16:31:36 2019 daemon.info syslog: 05[CFG]   using trusted ca certificate "C=IT, O=LuMa, CN=LuMa Trusted Members CA"
Sun Dec  1 16:31:36 2019 daemon.info syslog: 05[CFG] checking certificate status of "C=IT, O=LuMa, [email protected]"
Sun Dec  1 16:31:36 2019 daemon.info syslog: 05[CFG] certificate status is not available
Sun Dec  1 16:31:36 2019 daemon.info syslog: 05[CFG]   reached self-signed root ca with a path length of 0
Sun Dec  1 16:31:36 2019 daemon.info syslog: 05[IKE] authentication of 'C=IT, O=LuMa, [email protected]' with RSA_EMSA_PKCS1_SHA256 successful
Sun Dec  1 16:31:36 2019 daemon.info syslog: 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sun Dec  1 16:31:36 2019 daemon.info syslog: 05[IKE] peer supports MOBIKE
Sun Dec  1 16:31:36 2019 daemon.info syslog: 05[IKE] authentication of 'myrouter.dyndns.org' (myself) with RSA_EMSA_PKCS1_SHA256 successful
Sun Dec  1 16:31:36 2019 daemon.info syslog: 05[IKE] IKE_SA roadwarriorPUBKEY[9] established between 62.x.x.x[myrouter.dyndns.org]...37.161.75.19[C=IT, O=LuMa, [email protected]]
Sun Dec  1 16:31:36 2019 daemon.info syslog: 05[IKE] scheduling reauthentication in 10163s
Sun Dec  1 16:31:36 2019 daemon.info syslog: 05[IKE] maximum IKE_SA lifetime 10703s
Sun Dec  1 16:31:36 2019 daemon.info syslog: 05[IKE] sending end entity cert "C=IT, O=LuMa, CN=myrouter.dyndns.org"
Sun Dec  1 16:31:36 2019 daemon.info syslog: 05[IKE] peer requested virtual IP %any
Sun Dec  1 16:31:36 2019 daemon.info syslog: 05[CFG] sending DHCP DISCOVER to 192.168.43.255
Sun Dec  1 16:31:37 2019 daemon.info syslog: 05[CFG] sending DHCP DISCOVER to 192.168.43.255
Sun Dec  1 16:31:38 2019 daemon.info syslog: 15[MGR] ignoring request with ID 1, already processing
Sun Dec  1 16:31:39 2019 daemon.info syslog: 05[CFG] sending DHCP DISCOVER to 192.168.43.255
Sun Dec  1 16:31:40 2019 daemon.info syslog: 04[CFG] received DHCP OFFER 192.168.43.187 from 192.168.43.254
Sun Dec  1 16:31:40 2019 daemon.info syslog: 05[CFG] sending DHCP REQUEST for 192.168.43.187 to 192.168.43.254
Sun Dec  1 16:31:40 2019 daemon.info syslog: 05[CFG] sending DHCP REQUEST for 192.168.43.187 to 192.168.43.254
Sun Dec  1 16:31:40 2019 daemon.info syslog: 02[CFG] received DHCP ACK for 192.168.43.187
Sun Dec  1 16:31:40 2019 daemon.info syslog: 05[IKE] assigning virtual IP 192.168.43.187 to peer 'C=IT, O=LuMa, [email protected]'
Sun Dec  1 16:31:40 2019 daemon.info syslog: 05[IKE] peer requested virtual IP %any6
Sun Dec  1 16:31:40 2019 daemon.info syslog: 05[IKE] no virtual IP found for %any6 requested by 'C=IT, O=LuMa, [email protected]'
Sun Dec  1 16:31:40 2019 daemon.info syslog: 05[IKE] CHILD_SA roadwarriorPUBKEY{3} established with SPIs c991e2ff_i 837c457f_o and TS 0.0.0.0/0 ::/0 === 192.168.43.187/32
Sun Dec  1 16:31:40 2019 daemon.info syslog: 05[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS NBNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Sun Dec  1 16:31:40 2019 daemon.info syslog: 05[NET] sending packet: from 62.x.x.x[4500] to 37.161.75.19[38673] (1452 bytes)
Sun Dec  1 16:31:40 2019 daemon.info syslog: 16[NET] received packet: from 37.161.75.19[38673] to 62.x.x.x[4500] (76 bytes)
Sun Dec  1 16:31:40 2019 daemon.info syslog: 16[ENC] parsed INFORMATIONAL request 2 [ N(NO_ADD_ADDR) ]
Sun Dec  1 16:31:40 2019 daemon.info syslog: 16[ENC] generating INFORMATIONAL response 2 [ ]
Sun Dec  1 16:31:40 2019 daemon.info syslog: 16[NET] sending packet: from 62.x.x.x[4500] to 37.161.75.19[38673] (76 bytes)

ora se riesco provo a controllare quale ciphersuite sta usando

a1pollo · « **Risposta #64 il:** 01 Dicembre 2019, 16:50 »

LuKe,nelle due guide su openwrt riguardanti strongswan, nella generazione dei certificati e chiavi ho notato queste differenze:
a1 vs b1 la presenza di \ prima di --san
a2 vs b2 la mancanza di --san=********
Possono dar modo a degli errori?

https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/howto

a1)ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=DE, O=xxx, CN=xxx.dyndns.org" \--san="xxx.dyndns.org" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
a2)ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=DE, O=xxx, CN=client" --outform pem > clientCert.pem

https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/roadwarrior

b1)ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=US, O=yyy, CN=myvpnserver.dyndns.org" --san="myvpnserver.dyndns.org" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
b2)ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=US, O=yyy, CN=myvpnclient" --san="myvpnclient" --outform pem > clientCert.pem

In un forum(uno dei tanti riguardanti l'argomento) leggevo che l'opzione san dava problemi ad android,puo' essere che fosse un bug risolto,pero' magari...

Ps. io oltre no riesco ad andare, ho provato tante configurazioni diverse sia sul server che sul client.

LuKePicci · « **Risposta #65 il:** 01 Dicembre 2019, 17:10 »

La \ che vedi in quella guida serve sulle shell unix a splittare il comando su due righe, � irrilevante. SAN va specificato per requisiti pi� stringenti introdotti in epoca pi� moderna. Quell'altra pagina non l'ho mia guardata, serviva a configurare ipsec con ikev1+xauth su ios quando ancora non esisteva ikev2, andrebbe rinominata tipo "Roadwarrior IPsec IKEv1" e deprecata. Se dovessi mettermi ad aggiornarle tutte uscirei pazzo.

Controlla la versione del kernel sul tuo cellulare, mi sa che � pi� nuovo di quello che ho usato io (linux 3.10.84) e per questo propone solo ciphersuite pi� nuove.

a1pollo · « **Risposta #66 il:** 01 Dicembre 2019, 17:24 »

Xiaomi redmi note 5 Kernel 4.4.153
strongswan 2.2.1, un utente ha scritto sul playstore non funziona,altri ok

Ora con IKEv2 Certificate , senza setting avanzato

Codice: [Seleziona]

Sun Dec  1 17:06:43 2019 daemon.info syslog: 13[NET] received packet: from 37.160.110.212[40712] to ip[500] (716 bytes)
Sun Dec  1 17:06:43 2019 daemon.info syslog: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sun Dec  1 17:06:43 2019 daemon.info syslog: 13[IKE] 37.160.110.212 is initiating an IKE_SA
Sun Dec  1 17:06:43 2019 authpriv.info syslog: 13[IKE] 37.160.110.212 is initiating an IKE_SA
Sun Dec  1 17:06:43 2019 daemon.info syslog: 13[IKE] remote host is behind NAT
Sun Dec  1 17:06:43 2019 daemon.info syslog: 13[IKE] DH group ECP_256 inacceptable, requesting MODP_2048
Sun Dec  1 17:06:43 2019 daemon.info syslog: 13[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sun Dec  1 17:06:43 2019 daemon.info syslog: 13[NET] sending packet: from ip[500] to 37.160.110.212[40712] (38 bytes)
Sun Dec  1 17:06:43 2019 daemon.info syslog: 08[NET] received packet: from 37.160.110.212[40712] to ip[500] (908 bytes)
Sun Dec  1 17:06:43 2019 daemon.info syslog: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sun Dec  1 17:06:43 2019 daemon.info syslog: 08[IKE] 37.160.110.212 is initiating an IKE_SA
Sun Dec  1 17:06:43 2019 authpriv.info syslog: 08[IKE] 37.160.110.212 is initiating an IKE_SA
Sun Dec  1 17:06:44 2019 daemon.info syslog: 08[IKE] remote host is behind NAT
Sun Dec  1 17:06:44 2019 daemon.info syslog: 08[IKE] sending cert request for "C=DE, O=xxx, CN=xxxx"
Sun Dec  1 17:06:44 2019 daemon.info syslog: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Sun Dec  1 17:06:44 2019 daemon.info syslog: 08[NET] sending packet: from ip[500] to 37.160.110.212[40712] (481 bytes)
Sun Dec  1 17:07:14 2019 daemon.info syslog: 02[JOB] deleting half open IKE_SA after timeout

LuKePicci · « **Risposta #67 il:** 01 Dicembre 2019, 17:29 »

S�, � decisamente troppo nuovo. Devi configurarlo in modo da adattarsi a quelle disponibili sul kernel del router. Alcune sono obsolete e insicure ma ce n'� qualcuno ancora adeguata.
Vedi un po' qui: https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#Cipher-Selection ma in generale trovi di sicuro qualcuno su internet che si � imbattuto in questi problemi.

PS che vuol dire senza setting avanzato? Prima cosa avevi selezionato?

PS 2: comunque se intanto provi da un altro dispositivo verifichi che la config sul router sia ok.

PS 3: una possibile scelta per le proposal sul client potrebbe essrere

Codice: [Seleziona]

ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ

a1pollo · « **Risposta #68 il:** 01 Dicembre 2019, 17:42 »

To do that, click Edit on the Profile, and scroll to the bottom to Advanced settings. At the bottom you will find a section called Algorithms.
Under IKEv2 Algorithms, enter: aes256-sha256-modp1024 or whatever IKEv2 Algorithm you are using.
Under IPsec/ESP Algorithms, enter: aes256-sha256 or whatever IPsec/ESP Algorithm you are using.
Save, and then try to connect again.

Potrei provare con ariel (amazon fire4 @root),pero' con hotspot dal mio smartphone.

LuKePicci · « **Risposta #69 il:** 01 Dicembre 2019, 17:51 »

Ah ok, quella parte della guida non l'avevo mai notata, fa parte di quello che c'era in origine. Io non ho applicato nulla del genere sul mio client.

Su IKEv2 Algorithms metti quello che avevi quando ottenevi l'errore sulla proposal CHILD_SA (immagino avessi specificato aes256-sha256-modp1024 visto che lasciandolo vuoto a te tenta di usare ECP_256). In ESP Algorithms invece devi selezionare qualcosa che il router ammetta. prova a lasciarlo vuoto e vediamo cosa dice. (edit: ti confermo che aes256-sha256 per il nostro router � troppo, anche a me d� lo stesso errore se lo specifico in quel modo, se lasciandolo vuoto non riesci mettici al massimo aes256-sha1, o se vuoi vederlo andare pi� veloce aes128-sha1).

a1pollo · « **Risposta #70 il:** 01 Dicembre 2019, 18:11 »

Amazon fire 4 @root ,kernel 3 10 61, con hotspot dal mio telefono,strongswan IKEv2 Certificate:

Codice: [Seleziona]

Sun Dec  1 18:00:57 2019 daemon.info syslog: 06[NET] received packet: from 37.160.110.212[40735] to ip[500] (716 bytes)
Sun Dec  1 18:00:57 2019 daemon.info syslog: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sun Dec  1 18:00:57 2019 daemon.info syslog: 06[IKE] 37.160.110.212 is initiating an IKE_SA
Sun Dec  1 18:00:57 2019 authpriv.info syslog: 06[IKE] 37.160.110.212 is initiating an IKE_SA
Sun Dec  1 18:00:57 2019 daemon.info syslog: 06[IKE] remote host is behind NAT
Sun Dec  1 18:00:57 2019 daemon.info syslog: 06[IKE] DH group ECP_256 inacceptable, requesting MODP_2048
Sun Dec  1 18:00:57 2019 daemon.info syslog: 06[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sun Dec  1 18:00:57 2019 daemon.info syslog: 06[NET] sending packet: from ip[500] to 37.160.110.212[40735] (38 bytes)
Sun Dec  1 18:00:57 2019 daemon.info syslog: 04[NET] received packet: from 37.160.110.212[40735] to ip[500] (908 bytes)
Sun Dec  1 18:00:57 2019 daemon.info syslog: 04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sun Dec  1 18:00:57 2019 daemon.info syslog: 04[IKE] 37.160.110.212 is initiating an IKE_SA
Sun Dec  1 18:00:57 2019 authpriv.info syslog: 04[IKE] 37.160.110.212 is initiating an IKE_SA
Sun Dec  1 18:00:57 2019 daemon.info syslog: 04[IKE] remote host is behind NAT
Sun Dec  1 18:00:57 2019 daemon.info syslog: 04[IKE] sending cert request for "C=DE, O=xxx, CN=xxxx"
Sun Dec  1 18:00:57 2019 daemon.info syslog: 04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Sun Dec  1 18:00:57 2019 daemon.info syslog: 04[NET] sending packet: from ip[500] to 37.160.110.212[40735] (481 bytes)
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[NET] received packet: from 37.160.110.212[40736] to ip[4500] (1548 bytes)
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[IKE] received cert request for "C=DE, O=xxx, CN=xxxx"
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[IKE] received end entity cert "C=DE, O=xxx, CN=client"
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[CFG] looking for peer configs matching ip[%any]...37.160.110.212[C=DE, O=xxx, CN=client]
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[CFG] selected peer config 'roadwarriorPUBKEY'
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[CFG]   using trusted ca certificate "C=DE, O=xxx, CN=xxxx"
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[CFG] checking certificate status of "C=DE, O=xxx, CN=client"
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[CFG] certificate status is not available
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[CFG]   reached self-signed root ca with a path length of 0
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[CFG]   using trusted certificate "C=DE, O=xxx, CN=client"
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[IKE] authentication of 'C=DE, O=xxx, CN=client' with RSA_EMSA_PKCS1_SHA256 successful
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[IKE] peer supports MOBIKE
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[IKE] authentication of 'xxx.dyndns.org' (myself) with RSA_EMSA_PKCS1_SHA256 successful
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[IKE] IKE_SA roadwarriorPUBKEY[23] established between ip[xxx.dyndns.org]...37.160.110.212[C=DE, O=xxx, CN=client]
Sun Dec  1 18:00:58 2019 authpriv.info syslog: 03[IKE] IKE_SA roadwarriorPUBKEY[23] established between ip[xxx.dyndns.org]...37.160.110.212[C=DE, O=xxx, CN=client]
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[IKE] scheduling reauthentication in 9842s
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[IKE] maximum IKE_SA lifetime 10382s
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[IKE] sending end entity cert "C=DE, O=xxx, CN=xxx.dyndns.org"
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[IKE] peer requested virtual IP %any
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[CFG] reassigning offline lease to 'C=DE, O=xxx, CN=client'
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[IKE] assigning virtual IP 10.0.1.1 to peer 'C=DE, O=xxx, CN=client'
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[IKE] peer requested virtual IP %any6
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[IKE] no virtual IP found for %any6 requested by 'C=DE, O=xxx, CN=client'
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[IKE] CHILD_SA roadwarriorPUBKEY{5} established with SPIs c07b9bfd_i 9c3a665a_o and TS 0.0.0.0/0 ::/0 === 10.0.1.1/32
Sun Dec  1 18:00:58 2019 authpriv.info syslog: 03[IKE] CHILD_SA roadwarriorPUBKEY{5} established with SPIs c07b9bfd_i 9c3a665a_o and TS 0.0.0.0/0 ::/0 === 10.0.1.1/32
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS NBNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Sun Dec  1 18:00:58 2019 daemon.info syslog: 03[NET] sending packet: from ip[4500] to 37.160.110.212[40736] (1500 bytes)
Sun Dec  1 18:00:59 2019 user.err syslog: [defaultGW] Ignoring improper event
Sun Dec  1 18:00:59 2019 daemon.info syslog: 13[NET] received packet: from 37.160.110.212[40736] to ip[4500] (76 bytes)
Sun Dec  1 18:00:59 2019 daemon.info syslog: 13[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Sun Dec  1 18:00:59 2019 daemon.info syslog: 13[IKE] received DELETE for IKE_SA roadwarriorPUBKEY[23]
Sun Dec  1 18:00:59 2019 daemon.info syslog: 13[IKE] deleting IKE_SA roadwarriorPUBKEY[23] between ip[xxx.dyndns.org]...37.160.110.212[C=DE, O=xxx, CN=client]
Sun Dec  1 18:00:59 2019 authpriv.info syslog: 13[IKE] deleting IKE_SA roadwarriorPUBKEY[23] between ip[xxx.dyndns.org]...37.160.110.212[C=DE, O=xxx, CN=client]
Sun Dec  1 18:00:59 2019 daemon.info syslog: 13[IKE] IKE_SA deleted
Sun Dec  1 18:00:59 2019 authpriv.info syslog: 13[IKE] IKE_SA deleted
Sun Dec  1 18:00:59 2019 daemon.info syslog: 13[ENC] generating INFORMATIONAL response 2 [ ]
Sun Dec  1 18:00:59 2019 daemon.info syslog: 13[NET] sending packet: from ip[4500] to 37.160.110.212[40736] (76 bytes)
Sun Dec  1 18:00:59 2019 daemon.info syslog: 13[CFG] lease 10.0.1.1 by 'C=DE, O=xxx, CN=client' went offline

larsen64it · « **Risposta #71 il:** 01 Dicembre 2019, 18:13 »

Scusate l'interruzione
@a1pollo
Per la cronaca ho ridato un occhiata allo script di @FrancYescO
https://github.com/FrancYescO/sharing_tg789/blob/strongswan/setup.sh
il pacchetto che non trovavi strongswan-pki � presente nei repo per i dga4132/30 per il kernel 4.x
Per tg788/789 e dga4131 non � presente ed � sostituito da strongswan-utils che � gi� compreso nell'installazione di strongswan-default.
Buon proseguimento

a1pollo · « **Risposta #72 il:** 01 Dicembre 2019, 18:31 »

aes256-sha1, o se vuoi vederlo andare pi� veloce aes128-sha1, la configurazione non vuole accettarli.
Potrebbe essere dovuto dalla generazione dei certificati e chiavi,perche' quelli che uso ora li ho generati con la seconda guida , senza --san.
Potrei sostituirli.

aes128-sha1-modp1024 cosi lo prende:

dal mio smartphone,IKEv2 Certificate aes128-sha1-modp1024:

Codice: [Seleziona]

Sun Dec  1 18:43:14 2019 daemon.info syslog: 02[NET] received packet: from 37.160.110.212[40781] to ip[500] (336 bytes)
Sun Dec  1 18:43:14 2019 daemon.info syslog: 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sun Dec  1 18:43:14 2019 daemon.info syslog: 02[IKE] 37.160.110.212 is initiating an IKE_SA
Sun Dec  1 18:43:14 2019 authpriv.info syslog: 02[IKE] 37.160.110.212 is initiating an IKE_SA
Sun Dec  1 18:43:14 2019 daemon.info syslog: 02[IKE] remote host is behind NAT
Sun Dec  1 18:43:14 2019 daemon.info syslog: 02[IKE] sending cert request for "C=DE, O=xxx, CN=xxxx"
Sun Dec  1 18:43:14 2019 daemon.info syslog: 02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Sun Dec  1 18:43:14 2019 daemon.info syslog: 02[NET] sending packet: from ip[500] to 37.160.110.212[40781] (353 bytes)
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[NET] received packet: from 37.160.110.212[40782] to ip[4500] (1452 bytes)
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[IKE] received cert request for "C=DE, O=xxx, CN=xxxx"
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[IKE] received end entity cert "C=DE, O=xxx, CN=client"
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[CFG] looking for peer configs matching ip[%any]...37.160.110.212[C=DE, O=xxx, CN=client]
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[CFG] selected peer config 'roadwarriorPUBKEY'
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[CFG]   using trusted ca certificate "C=DE, O=xxx, CN=xxxx"
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[CFG] checking certificate status of "C=DE, O=xxx, CN=client"
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[CFG] certificate status is not available
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[CFG]   reached self-signed root ca with a path length of 0
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[CFG]   using trusted certificate "C=DE, O=xxx, CN=client"
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[IKE] authentication of 'C=DE, O=xxx, CN=client' with RSA_EMSA_PKCS1_SHA256 successful
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[IKE] peer supports MOBIKE
Sun Dec  1 18:43:14 2019 user.err syslog: [defaultGW] Ignoring improper event
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[IKE] authentication of 'xxx.dyndns.org' (myself) with RSA_EMSA_PKCS1_SHA256 successful
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[IKE] IKE_SA roadwarriorPUBKEY[34] established between ip[xxx.dyndns.org]...37.160.110.212[C=DE, O=xxx, CN=client]
Sun Dec  1 18:43:14 2019 authpriv.info syslog: 15[IKE] IKE_SA roadwarriorPUBKEY[34] established between ip[xxx.dyndns.org]...37.160.110.212[C=DE, O=xxx, CN=client]
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[IKE] scheduling reauthentication in 9803s
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[IKE] maximum IKE_SA lifetime 10343s
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[IKE] sending end entity cert "C=DE, O=xxx, CN=xxx.dyndns.org"
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[IKE] peer requested virtual IP %any
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[CFG] reassigning offline lease to 'C=DE, O=xxx, CN=client'
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[IKE] assigning virtual IP 10.0.1.1 to peer 'C=DE, O=xxx, CN=client'
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[IKE] peer requested virtual IP %any6
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[IKE] no virtual IP found for %any6 requested by 'C=DE, O=xxx, CN=client'
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[IKE] CHILD_SA roadwarriorPUBKEY{8} established with SPIs cc4df570_i ec9ac3d9_o and TS 0.0.0.0/0 ::/0 === 10.0.1.1/32
Sun Dec  1 18:43:14 2019 authpriv.info syslog: 15[IKE] CHILD_SA roadwarriorPUBKEY{8} established with SPIs cc4df570_i ec9ac3d9_o and TS 0.0.0.0/0 ::/0 === 10.0.1.1/32
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS NBNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Sun Dec  1 18:43:14 2019 daemon.info syslog: 15[NET] sending packet: from ip[4500] to 37.160.110.212[40782] (1500 bytes)
Sun Dec  1 18:43:14 2019 daemon.info syslog: 04[NET] received packet: from 37.160.110.212[40782] to ip[4500] (76 bytes)
Sun Dec  1 18:43:14 2019 daemon.info syslog: 04[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Sun Dec  1 18:43:14 2019 daemon.info syslog: 04[IKE] received DELETE for IKE_SA roadwarriorPUBKEY[34]
Sun Dec  1 18:43:14 2019 daemon.info syslog: 04[IKE] deleting IKE_SA roadwarriorPUBKEY[34] between ip[xxx.dyndns.org]...37.160.110.212[C=DE, O=xxx, CN=client]
Sun Dec  1 18:43:14 2019 authpriv.info syslog: 04[IKE] deleting IKE_SA roadwarriorPUBKEY[34] between ip[xxx.dyndns.org]...37.160.110.212[C=DE, O=xxx, CN=client]
Sun Dec  1 18:43:14 2019 daemon.info syslog: 04[IKE] IKE_SA deleted
Sun Dec  1 18:43:14 2019 authpriv.info syslog: 04[IKE] IKE_SA deleted
Sun Dec  1 18:43:14 2019 daemon.info syslog: 04[ENC] generating INFORMATIONAL response 2 [ ]
Sun Dec  1 18:43:14 2019 daemon.info syslog: 04[NET] sending packet: from ip[4500] to 37.160.110.212[40782] (76 bytes)
Sun Dec  1 18:43:14 2019 daemon.info syslog: 04[CFG] lease 10.0.1.1 by 'C=DE, O=xxx, CN=client' went offline

errore era aes128-sha1-modp1024

LuKePicci · « **Risposta #73 il:** 01 Dicembre 2019, 18:51 »

Sicuramente devi generare i certificati nel modo corretto se vuoi escludere compatibilit� con client pi� recenti. Il fire4 sembra non avere problemi con le proposal crittografiche.
Per il fire4, rigenera i certificati nel modo giusto e riprova.
Per lo xiaomi, sempre con i certificati rigenerati, rilassa la proposta per la parte IKE e lascia vuota quella per ESP

Comunque ho aggiornato la guida sulla wiki per gestire meglio queste situazioni, la versione precedente dava per scontato che se c'� un problema allora la soluzione � impostare quel certo valore, ma cos� non �.

a1pollo · « **Risposta #74 il:** 02 Dicembre 2019, 23:21 »

@LuKePicci, sono dentro ci siamo riusciti!!!!!!!

La colpa era la mia, la prima autenticazione era ok, mettendo sul client ikev2 certificate, aes128-sha1-modp2048(avanzate)
La seconda autenticazione non passava per via dell'opzione "san" sulle chiavi,non riusciva ad autenticarlo con il mio ip pubblico,che appunto utilizza android(confronto indirizzo ip con l'opzione "san" scritta sul certificato del server, se e' diverso non entri), perche' io non lo mettevo!!

Il servizio ddns che avevo io funziona male ma ora non mi serve piu'.
Ho rigenerato le chiavi mettendolo.
Grazie, senza il tuo aiuto non sarei riuscito!

#!/bin/sh
ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "C=US, O=yyy, CN=xxxx" --ca --outform pem > caCert.pem
ipsec pki --gen --outform pem > serverKey.pem
ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=US, O=yyy, CN=ip pubblico o il nome del servizio ddns" --san="ip pubblico o il nome del servizio ddns" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
ipsec pki --gen --outform pem > clientKey.pem
ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=US, O=yyy, CN=myvpnclient" --san="myvpnclient" --outform pem > clientCert.pem
openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "myvpnclient" -certfile caCert.pem -caname "xxxx" -out clientCert.p12

Cit. "guerriero ti abbiamo sconfitto"

Ho parlato troppo presto,sono dentro ma non navigo!

[GUIDA] xl2tpd/strongSwan per VPN L2TP/IPsec su DGA413x/TG78x

a1pollo

Re:[Testing] VPN L2TP/IPSec DGA413x/TG78x

LuKePicci

Re:[Testing] VPN L2TP/IPSec DGA413x/TG78x

a1pollo

Re:[Testing] VPN L2TP/IPSec DGA413x/TG78x

LuKePicci

Re:[Testing] VPN L2TP/IPSec DGA413x/TG78x

a1pollo

Re:[Testing] VPN L2TP/IPSec DGA413x/TG78x

LuKePicci

Re:[Testing] VPN L2TP/IPSec DGA413x/TG78x

a1pollo

Re:[Testing] VPN L2TP/IPSec DGA413x/TG78x

LuKePicci

Re:[Testing] VPN L2TP/IPSec DGA413x/TG78x

a1pollo

Re:[Testing] VPN L2TP/IPSec DGA413x/TG78x

LuKePicci

Re:[Testing] VPN L2TP/IPSec DGA413x/TG78x

a1pollo

Re:[Testing] VPN L2TP/IPSec DGA413x/TG78x

larsen64it

Re:[Testing] VPN L2TP/IPSec DGA413x/TG78x

a1pollo

Re:[Testing] VPN L2TP/IPSec DGA413x/TG78x

LuKePicci

Re:[Testing] VPN L2TP/IPSec DGA413x/TG78x

a1pollo

Re:[Testing] VPN L2TP/IPSec DGA413x/TG78x