[GUIDE] strongSwan for IPsec on OpenWrt and Homeware

  • 249 Replies
  • 39626 Views


a1pollo
« Reply #240 on: 13 February 2022, 18:43 »
Nothing else comes to mind right now; take a backup of the following files and keep them somewhere safe:
Code:
/etc/config/firewall
/etc/firewall.user
/etc/ipsec.conf
/etc/ipsec.secrets
/etc/strongswan.conf
/etc/strongswan.d/charon/dhcp.conf
/etc/ipsec.d/ (all subdirectories: they hold the server and CA certificates)

LuKePicci (Global Moderator)
« Reply #241 on: 17 February 2022, 09:52 »
There is some problem in the conf file. Again, if the script was run with packages missing I don't expect it to work.

kitt1997
« Reply #242 on: 13 April 2022, 08:34 »
There should be a problem in @FrancYescO's script.
In the ipsec.conf configurations there must be rightca and not rightcert if the caCert.pem certificate is used.

FrancYescO
« Reply #243 on: 13 April 2022, 08:51 »
If someone confirms it I'll change the script; I wouldn't want it to behave differently depending on the IPsec/strongSwan version.

LuKePicci (Global Moderator)
« Reply #244 on: 17 April 2022, 21:22 »
If the goal is to authenticate all certificates issued by a CA, then rightca goes there, not rightcert. If instead you want to authenticate only one specific certificate, then rightcert goes there.

Unrelated to the question, but I'll add, since it came in handy for me recently, that in the rightid field you can put wildcards that match parts of the certificate subject, and by doing so it is possible to steer specific subjects holding certificates from the same CA onto distinct conns.

kitt1997
« Reply #245 on: 17 April 2022, 23:01 »
Exactly, but as it is written now it does a hybrid of the two and, at least for me, it didn't work.

gfucka
« Reply #246 on: 25 December 2022, 23:28 »
Hi everyone, I have a DGA4132 with 2.3.3.
I'm trying to install strongSwan with the script but I get these errors:

Code:
Building certificates for [ mioddns.duckdns.org ] and client [  (aka myVpnClients) ]
generating a new cakey for [ CATechnicolor ]
instantiation of DRBG_HMAC_SHA512 failed
building CRED_PRIVATE_KEY - RSA failed, tried 4 builders
private key generation failed
generating caCert for [ CATechnicolor ]...
  file coded in unknown format, discarded
building CRED_PRIVATE_KEY - ANY failed, tried 2 builders
loading private key failed
unable to load certificate
3065327632:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
Now building CA keys bundle
unable to load private key
3065171984:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
generating server certificates for [ ghomenvr.duckdns.org ]...
instantiation of DRBG_HMAC_SHA512 failed
building CRED_PRIVATE_KEY - RSA failed, tried 4 builders
private key generation failed
  file coded in unknown format, discarded
building CRED_PRIVATE_KEY - ANY failed, tried 2 builders
parsing private key failed
  file coded in unknown format, discarded
building CRED_CERTIFICATE - X509 failed, tried 3 builders
parsing CA certificate failed
generating clientCert for [ myvpnclient1 (aka myVpnClients) ]...
instantiation of DRBG_HMAC_SHA512 failed
building CRED_PRIVATE_KEY - RSA failed, tried 4 builders
private key generation failed
  file coded in unknown format, discarded
building CRED_PRIVATE_KEY - ANY failed, tried 2 builders
parsing private key failed
  file coded in unknown format, discarded
building CRED_CERTIFICATE - X509 failed, tried 3 builders
parsing CA certificate failed
unable to load certificate
3065872400:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
Now building Client keys bundle for [ myvpnclient1 ]
unable to load private key
3065708560:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
unable to load certificate
3065368592:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
generating clientCert for [ myvpnclient2 (aka myVpnClients) ]...
instantiation of DRBG_HMAC_SHA512 failed
building CRED_PRIVATE_KEY - RSA failed, tried 4 builders
private key generation failed
  file coded in unknown format, discarded
building CRED_PRIVATE_KEY - ANY failed, tried 2 builders
parsing private key failed
  file coded in unknown format, discarded
building CRED_CERTIFICATE - X509 failed, tried 3 builders
parsing CA certificate failed
unable to load certificate
3065249808:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
Now building Client keys bundle for [ myvpnclient2 ]
unable to load private key
3065770000:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
unable to load certificate
3065450512:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
generating clientCert for [ myvpnclient3 (aka myVpnClients) ]...
instantiation of DRBG_HMAC_SHA512 failed
building CRED_PRIVATE_KEY - RSA failed, tried 4 builders
private key generation failed
  file coded in unknown format, discarded
building CRED_CERTIFICATE - X509 failed, tried 3 builders
parsing CA certificate failed
  file coded in unknown format, discarded
building CRED_PRIVATE_KEY - ANY failed, tried 2 builders
parsing private key failed
unable to load certificate
3065389072:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
Now building Client keys bundle for [ myvpnclient3 ]
unable to load private key
3065479184:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
unable to load certificate
3065069584:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
generating clientCert for [ myvpnclient4 (aka myVpnClients) ]...
instantiation of DRBG_HMAC_SHA512 failed
building CRED_PRIVATE_KEY - RSA failed, tried 4 builders
private key generation failed
  file coded in unknown format, discarded
building CRED_PRIVATE_KEY - ANY failed, tried 2 builders
parsing private key failed
  file coded in unknown format, discarded
building CRED_CERTIFICATE - X509 failed, tried 3 builders
parsing CA certificate failed
unable to load certificate
3065880592:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
Now building Client keys bundle for [ myvpnclient4 ]
unable to load private key
3065200656:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
unable to load certificate
3065495568:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
mv: can't rename 'ca.p12': No such file or directory
mv: can't rename 'client_*.p12': No such file or directory
mv: can't rename 'clientCert_*.crt': No such file or directory
**** THE END ****


Could you kindly help me understand where the problem is? As far as I understand, it cannot generate the certificates because the files are in the wrong format.

Thanks a lot

racosirif
« Reply #247 on: 20 November 2024, 00:47 »
[quote of gfucka's Reply #246 above]

Hi friend, I've been reading this thread for days and I'm currently testing the procedure on a DGA4131 (with poor results, alas), but from the little I have understood, your problem generating the certificates lies in some dependencies (libcurl, curl and others; the more expert will correct me).
I had the same problem as you initially and solved it by resetting the router, leaving ONLY the feeds of the ANSUEL repos (so no macoers) and running the script by the good @FrancYescO (changing servername and client).
That way the installation finishes, creating the certificates correctly.

Unfortunately, despite this, I can't connect.
If one of the experts could meet us halfway, resurrecting this by now ancient conversation, maybe we'll succeed in our aims.

I'll keep studying it; you never know, with a bit of luck I might find the solution.
2 DGA4132 unlocked fw 2.3.5 + GUI Ansuel

FrancYescO
« Reply #248 on: 20 November 2024, 13:16 »
@racosirif if the script finishes correctly the problem is almost certainly at the network level; we need the logs taken during a client's connection.

racosirif
« Reply #249 on: 20 November 2024, 16:39 »
Quoting FrancYescO (Reply #248): @racosirif if the script finishes correctly the problem is almost certainly at the network level; we need the logs taken during a client's connection.

Thanks FrancYescO, it's probably as you say, the problem will be in the configuration of my network. But I'm also looking at the logs on both the server side and the client side (strongSwan app on Android 14). One thing that jumps out at first glance is that from the DGA4131 log it seems not to recognise the authentication by certificate. On the client I imported the "certificate_client".p12 taken from /etc/ipsec.d/private on the DGA4131.

server log:
Code:
root@FGAP:~# logread -f
Wed Nov 20 15:54:31 2024 daemon.info charon: 05[NET] received packet: from "ipClientAndroid"[34167] to "ipDGA4131"[500] (948 bytes)
Wed Nov 20 15:54:31 2024 daemon.info charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Wed Nov 20 15:54:31 2024 daemon.info charon: 05[IKE] "ipClientAndroid" is initiating an IKE_SA
Wed Nov 20 15:54:31 2024 authpriv.info charon: 05[IKE] "ipClientAndroid" is initiating an IKE_SA
Wed Nov 20 15:54:31 2024 daemon.info charon: 05[IKE] local host is behind NAT, sending keep alives
Wed Nov 20 15:54:31 2024 daemon.info charon: 05[IKE] remote host is behind NAT
Wed Nov 20 15:54:31 2024 daemon.info charon: 05[IKE] DH group ECP_256 inacceptable, requesting MODP_3072
Wed Nov 20 15:54:31 2024 daemon.info charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Wed Nov 20 15:54:31 2024 daemon.info charon: 05[NET] sending packet: from "ipDGA4131"[500] to "ipClientAndroid"[34167] (38 bytes)
Wed Nov 20 15:54:31 2024 daemon.info charon: 15[NET] received packet: from "ipClientAndroid"[34167] to "ipDGA4131"[500] (1268 bytes)
Wed Nov 20 15:54:31 2024 daemon.info charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Wed Nov 20 15:54:31 2024 daemon.info charon: 15[IKE] "ipClientAndroid" is initiating an IKE_SA
Wed Nov 20 15:54:31 2024 authpriv.info charon: 15[IKE] "ipClientAndroid" is initiating an IKE_SA
Wed Nov 20 15:54:31 2024 daemon.info charon: 15[IKE] local host is behind NAT, sending keep alives
Wed Nov 20 15:54:31 2024 daemon.info charon: 15[IKE] remote host is behind NAT
Wed Nov 20 15:54:31 2024 daemon.info charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Wed Nov 20 15:54:31 2024 daemon.info charon: 15[NET] sending packet: from "ipDGA4131"[500] to "ipClientAndroid"[34167] (590 bytes)
Wed Nov 20 15:54:32 2024 daemon.info charon: 12[NET] received packet: from "ipClientAndroid"[34168] to "ipDGA4131"[4500] (1364 bytes)
Wed Nov 20 15:54:32 2024 daemon.info charon: 12[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
Wed Nov 20 15:54:32 2024 daemon.info charon: 12[ENC] received fragment #1 of 4, waiting for complete IKE message
Wed Nov 20 15:54:32 2024 daemon.info charon: 13[NET] received packet: from "ipClientAndroid"[34168] to "ipDGA4131"[4500] (1364 bytes)
Wed Nov 20 15:54:32 2024 daemon.info charon: 13[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
Wed Nov 20 15:54:32 2024 daemon.info charon: 13[ENC] received fragment #2 of 4, waiting for complete IKE message
Wed Nov 20 15:54:32 2024 daemon.info charon: 14[NET] received packet: from "ipClientAndroid"[34168] to "ipDGA4131"[4500] (1364 bytes)
Wed Nov 20 15:54:32 2024 daemon.info charon: 14[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
Wed Nov 20 15:54:32 2024 daemon.info charon: 14[ENC] received fragment #3 of 4, waiting for complete IKE message
Wed Nov 20 15:54:32 2024 daemon.info charon: 11[NET] received packet: from "ipClientAndroid"[34168] to "ipDGA4131"[4500] (644 bytes)
Wed Nov 20 15:54:32 2024 daemon.info charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
Wed Nov 20 15:54:32 2024 daemon.info charon: 11[ENC] received fragment #4 of 4, reassembling fragmented IKE message
Wed Nov 20 15:54:32 2024 daemon.info charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Wed Nov 20 15:54:32 2024 daemon.info charon: 11[IKE] received cert request for "C=US, O=Technicolor, CN=CATechnicolor"
Wed Nov 20 15:54:32 2024 daemon.info charon: 11[IKE] received 145 cert requests for an unknown ca
Wed Nov 20 15:54:32 2024 daemon.info charon: 11[IKE] received end entity cert "C=US, O=Technicolor, CN=clientvpn1"
Wed Nov 20 15:54:32 2024 daemon.info charon: 11[CFG] looking for peer configs matching "ipDGA4131"[%any]..."ipClientAndroid"[C=US, O=Technicolor, CN=clientvpn1]
Wed Nov 20 15:54:32 2024 daemon.info charon: 11[CFG] selected peer config 'rwEAPMSCHAPV2'
Wed Nov 20 15:54:32 2024 daemon.info charon: 11[CFG]   using certificate "C=US, O=Technicolor, CN=clientvpn1"
Wed Nov 20 15:54:32 2024 daemon.info charon: 11[CFG]   using trusted ca certificate "C=US, O=Technicolor, CN=CATechnicolor"
Wed Nov 20 15:54:32 2024 daemon.info charon: 11[CFG] checking certificate status of "C=US, O=Technicolor, CN=clientvpn1"
Wed Nov 20 15:54:32 2024 daemon.info charon: 11[CFG] certificate status is not available
Wed Nov 20 15:54:32 2024 daemon.info charon: 11[CFG]   reached self-signed root ca with a path length of 0
Wed Nov 20 15:54:32 2024 daemon.info charon: 11[IKE] authentication of 'C=US, O=Technicolor, CN=clientvpn1' with RSA_EMSA_PKCS1_SHA2_256 successful
Wed Nov 20 15:54:32 2024 daemon.info charon: 11[CFG] constraint check failed: EAP identity '%any' required
Wed Nov 20 15:54:32 2024 daemon.info charon: 11[CFG] selected peer config 'rwEAPMSCHAPV2' inacceptable: non-matching authentication done
Wed Nov 20 15:54:32 2024 daemon.info charon: 11[CFG] no alternative config found
Wed Nov 20 15:54:32 2024 daemon.info charon: 11[IKE] peer supports MOBIKE
Wed Nov 20 15:54:32 2024 daemon.info charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Wed Nov 20 15:54:32 2024 daemon.info charon: 11[NET] sending packet: from "ipDGA4131"[4500] to "ipClientAndroid"[34168] (80 bytes)

client log:
Code:
Nov 20 15:54:29 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nov 20 15:54:29 00[DMN] Starting IKE service (strongSwan 5.9.14, Android 14 - RMX3311_14.0.0.1100(EX01)/2024-09-05, RMX3311 - realme/RMX3311EEA/realme, Linux 5.4.254-qgki-ga74746b20243, aarch64, org.strongswan.android)
Nov 20 15:54:29 00[LIB] providers loaded by OpenSSL: default legacy
Nov 20 15:54:29 00[LIB] loaded plugins: androidbridge charon android-log socket-default openssl nonce pkcs1 pem x509 xcbc kdf revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
Nov 20 15:54:29 00[JOB] spawning 16 worker threads
Nov 20 15:54:30 07[CFG] loaded user certificate 'C=US, O=Technicolor, CN=clientvpn1' and private key
Nov 20 15:54:30 07[CFG] loaded CA certificate 'C=US, O=Technicolor, CN=CATechnicolor'
Nov 20 15:54:30 07[IKE] initiating IKE_SA android[7] to "ipDGA4131"
Nov 20 15:54:30 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 20 15:54:30 07[NET] sending packet: from "ipClientAndroid"[39687] to "ipDGA4131"[500] (948 bytes)
Nov 20 15:54:30 10[NET] received packet: from "ipDGA4131"[500] to "ipClientAndroid"[39687] (38 bytes)
Nov 20 15:54:30 10[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Nov 20 15:54:30 10[IKE] peer didn't accept DH group ECP_256, it requested MODP_3072
Nov 20 15:54:30 10[IKE] initiating IKE_SA android[7] to "ipDGA4131"
Nov 20 15:54:30 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 20 15:54:30 10[NET] sending packet: from "ipClientAndroid"[39687] to "ipDGA4131"[500] (1268 bytes)
Nov 20 15:54:31 11[NET] received packet: from "ipDGA4131"[500] to "ipClientAndroid"[39687] (590 bytes)
Nov 20 15:54:31 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Nov 20 15:54:31 11[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Nov 20 15:54:31 11[IKE] local host is behind NAT, sending keep alives
Nov 20 15:54:31 11[IKE] remote host is behind NAT
Nov 20 15:54:31 11[IKE] sending cert request for "C=US, O=Certainly, CN=Certainly Root R1"
Nov 20 15:54:31 11[IKE] sending cert request for "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
Nov 20 15:54:31 11[IKE] sending cert request for "C=US, O=Internet Security Research Group, CN=ISRG Root X2"
Nov 20 15:54:31 11[IKE] sending cert request for "C=US, O=IdenTrust, CN=IdenTrust Public Sector Root CA 1"
Nov 20 15:54:31 11[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA"
Nov 20 15:54:31 11[IKE] sending cert request for "OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign"
Nov 20 15:54:31 11[IKE] sending cert request for "C=US, O=DigiCert, Inc., CN=DigiCert TLS ECC P384 Root G5"
.......many other certificates present..........
Nov 20 15:54:31 11[IKE] sending cert request for "C=US, O=Technicolor, CN=CATechnicolor"
Nov 20 15:54:31 11[IKE] authentication of 'C=US, O=Technicolor, CN=clientvpn1' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Nov 20 15:54:31 11[IKE] sending end entity cert "C=US, O=Technicolor, CN=clientvpn1"
Nov 20 15:54:31 11[IKE] establishing CHILD_SA android{4}
Nov 20 15:54:31 11[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Nov 20 15:54:31 11[ENC] splitting IKE message (4528 bytes) into 4 fragments
Nov 20 15:54:31 11[ENC] generating IKE_AUTH request 1 [ EF(1/4) ]
Nov 20 15:54:31 11[ENC] generating IKE_AUTH request 1 [ EF(2/4) ]
Nov 20 15:54:31 11[ENC] generating IKE_AUTH request 1 [ EF(3/4) ]
Nov 20 15:54:31 11[ENC] generating IKE_AUTH request 1 [ EF(4/4) ]
Nov 20 15:54:31 11[NET] sending packet: from "ipClientAndroid"[42422] to "ipDGA4131"[4500] (1364 bytes)
Nov 20 15:54:31 11[NET] sending packet: from "ipClientAndroid"[42422] to "ipDGA4131"[4500] (1364 bytes)
Nov 20 15:54:31 11[NET] sending packet: from "ipClientAndroid"[42422] to "ipDGA4131"[4500] (1364 bytes)
Nov 20 15:54:31 11[NET] sending packet: from "ipClientAndroid"[42422] to "ipDGA4131"[4500] (644 bytes)
Nov 20 15:54:31 12[NET] received packet: from "ipDGA4131"[4500] to "ipClientAndroid"[42422] (80 bytes)
Nov 20 15:54:31 12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 20 15:54:31 12[IKE] received AUTHENTICATION_FAILED notify error

I don't understand whether I'm importing the certificate wrongly.

Update:
I can connect only through the Android strongSwan app (the native client doesn't work), setting IKEv2 EAP-TLS and using the right certificate (the one present in the ipsec.conf file). With the native Win10 client I'm trying pretty much everything.. and finally, after I don't know how many attempts, I connect.. but through username and password.
« Last edit: 25 November 2024, 17:38 by racosirif »
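An added example, not the thread's script nor anyone's posted ipsec.conf: a server-side ipsec.conf fragment putting LuKePicci's rightca / rightcert / rightid advice (Reply #244) beside what the server log in this post shows, where the only conn charon could select was the EAP one. The FQDN, address pools, file names and the "OU=admins" subjects are assumed; only CATechnicolor and clientvpn1 come from the logs above.

```conf
# Added example, not the thread's script. FQDN, pools, file names and the
# "OU=admins" subjects are assumed; CATechnicolor and clientvpn1 are from the logs.
conn %default
    keyexchange=ikev2
    fragmentation=yes
    # server identity: must appear as a SAN in serverCert.pem (/etc/ipsec.d/certs)
    leftid=@mioddns.duckdns.org
    leftcert=serverCert.pem
    leftauth=pubkey
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    rightsourceip=10.10.10.0/24
    rightdns=192.168.1.1
    auto=add

# 1. The only conn the server log shows. The client must do EAP-MSCHAPv2 after
#    the server's certificate authentication; a client that instead presents its
#    own certificate and an RSA AUTH payload matches nothing here, which is the
#    "constraint check failed: EAP identity '%any' required" /
#    "non-matching authentication done" pair in the log.
conn rwEAPMSCHAPV2
    rightauth=eap-mschapv2
    rightid=%any
    eap_identity=%identity
    rightsendcert=never

# 2. Any certificate issued by the CA: rightca, not rightcert. With this conn
#    present, the Android client in the log (CN=clientvpn1, chaining to
#    CATechnicolor) has a pubkey conn to match.
conn rwCert
    rightauth=pubkey
    rightca="C=US, O=Technicolor, CN=CATechnicolor"
    rightid=%any

# 3. Exactly one certificate: rightcert pins the file (in /etc/ipsec.d/certs);
#    other certificates from the same CA are not accepted on this conn.
conn rwPinned
    rightauth=pubkey
    rightcert=clientCert_myvpnclient1.crt
    rightid="C=US, O=Technicolor, CN=clientvpn1"

# 4. Wildcard rightid: certificates from the same CA whose subject matches get
#    a separate conn (here a different pool). charon ranks a more specific id
#    match above %any, so this conn wins over rwCert for those subjects.
conn rwAdmins
    rightauth=pubkey
    rightca="C=US, O=Technicolor, CN=CATechnicolor"
    rightid="C=US, O=Technicolor, OU=admins, CN=*"
    rightsourceip=10.10.20.0/24

# 5. What finally worked from the Android app in the update: EAP-TLS, where the
#    client certificate is verified inside EAP rather than as IKE pubkey auth.
conn rwEAPTLS
    rightauth=eap-tls
    rightid=%any
    eap_identity=%identity
```

After saving, `ipsec reload` followed by `ipsec statusall` shows which conns are loaded, and `logread -f` during a connection attempt shows which one charon selects, as in the server log above.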