#1 On 14/11/2016 at 16:04
- kboo
strongSwan server and iOS 10
Hello,
I am trying to set up a gateway between an iPhone running iOS 10 and a server, so as to "forward" the server's internet connection to that phone.
I am using strongSwan and I made Let's Encrypt certificates, but the iPhone does not connect.
Can you help me, I'm going crazy with this!
Here are the logs and the config:
root@myserver:/home/myuser# iptables -F && sleep 30 && /etc/init.d/iptables-rules.sh
Nov 14 11:34:38 myserver charon: 10[NET] received packet: from 37XX.XXX.XX[35512] to 198.XX.XXX.XX[500] (604 bytes)
Nov 14 11:34:38 myserver charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Nov 14 11:34:38 myserver charon: 10[IKE] 37XX.XXX.XX is initiating an IKE_SA
Nov 14 11:34:38 myserver charon: 10[IKE] remote host is behind NAT
Nov 14 11:34:38 myserver charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Nov 14 11:34:38 myserver charon: 10[NET] sending packet: from 198.XX.XXX.XX[500] to 37XX.XXX.XX[35512] (440 bytes)
Nov 14 11:34:38 myserver charon: 11[NET] received packet: from 37XX.XXX.XX[35513] to 198.XX.XXX.XX[4500] (512 bytes)
Nov 14 11:34:38 myserver charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Nov 14 11:34:38 myserver charon: 11[CFG] looking for peer configs matching 198.XX.XXX.XX[myserver.ovh.net]...37XX.XXX.XX[myuser]
Nov 14 11:34:38 myserver charon: 11[CFG] selected peer config 'iosuser'
Nov 14 11:34:38 myserver charon: 11[IKE] initiating EAP_IDENTITY method (id 0x00)
Nov 14 11:34:38 myserver charon: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 14 11:34:38 myserver charon: 11[IKE] peer supports MOBIKE
Nov 14 11:34:38 myserver charon: 11[IKE] authentication of 'myserver.ovh.net' (myself) with RSA signature successful
Nov 14 11:34:38 myserver charon: 11[IKE] sending end entity cert "CN=myserver.ovh.net"
Nov 14 11:34:38 myserver charon: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Nov 14 11:34:38 myserver charon: 11[NET] sending packet: from 198.XX.XXX.XX[4500] to 37XX.XXX.XX[35513] (1664 bytes)
Nov 14 11:34:38 myserver charon: 12[NET] received packet: from 37XX.XXX.XX[35513] to 198.XX.XXX.XX[4500] (80 bytes)
Nov 14 11:34:38 myserver charon: 12[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Nov 14 11:34:38 myserver charon: 12[IKE] received EAP identity 'myuser'
Nov 14 11:34:38 myserver charon: 12[IKE] initiating EAP_MSCHAPV2 method (id 0x98)
Nov 14 11:34:38 myserver charon: 12[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Nov 14 11:34:38 myserver charon: 12[NET] sending packet: from 198.XX.XXX.XX[4500] to 37XX.XXX.XX[35513] (112 bytes)
Nov 14 11:34:38 myserver charon: 13[NET] received packet: from 37XX.XXX.XX[35513] to 198.XX.XXX.XX[4500] (144 bytes)
Nov 14 11:34:38 myserver charon: 13[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Nov 14 11:34:38 myserver charon: 13[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Nov 14 11:34:38 myserver charon: 13[NET] sending packet: from 198.XX.XXX.XX[4500] to 37XX.XXX.XX[35513] (144 bytes)
Nov 14 11:34:38 myserver charon: 14[NET] received packet: from 37XX.XXX.XX[35513] to 198.XX.XXX.XX[4500] (80 bytes)
Nov 14 11:34:38 myserver charon: 14[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Nov 14 11:34:38 myserver charon: 14[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Nov 14 11:34:38 myserver charon: 14[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Nov 14 11:34:38 myserver charon: 14[NET] sending packet: from 198.XX.XXX.XX[4500] to 37XX.XXX.XX[35513] (80 bytes)
Nov 14 11:34:39 myserver charon: 03[NET] received packet: from 37XX.XXX.XX[35513] to 198.XX.XXX.XX[4500] (112 bytes)
Nov 14 11:34:39 myserver charon: 03[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Nov 14 11:34:39 myserver charon: 03[IKE] authentication of 'myuser' with EAP successful
Nov 14 11:34:39 myserver charon: 03[IKE] authentication of 'myserver.ovh.net' (myself) with EAP
Nov 14 11:34:39 myserver charon: 03[IKE] IKE_SA iosuser[1] established between 198.XX.XXX.XX[myserver.ovh.net]...37XX.XXX.XX[myuser]
Nov 14 11:34:39 myserver charon: 03[IKE] scheduling reauthentication in 10141s
Nov 14 11:34:39 myserver charon: 03[IKE] maximum IKE_SA lifetime 10681s
Nov 14 11:34:39 myserver charon: 03[IKE] peer requested virtual IP %any
Nov 14 11:34:39 myserver charon: 03[CFG] assigning new lease to 'myuser'
Nov 14 11:34:39 myserver charon: 03[IKE] assigning virtual IP 10.0.0.1 to peer 'myuser'
Nov 14 11:34:39 myserver charon: 03[IKE] peer requested virtual IP %any6
Nov 14 11:34:39 myserver charon: 03[IKE] no virtual IP found for %any6 requested by 'myuser'
Nov 14 11:34:39 myserver charon: 03[KNL] received netlink error: Protocol not supported (93)
Nov 14 11:34:39 myserver charon: 03[KNL] unable to add SAD entry with SPI c4a5f120
Nov 14 11:34:39 myserver charon: 03[KNL] received netlink error: Protocol not supported (93)
Nov 14 11:34:39 myserver charon: 03[KNL] unable to add SAD entry with SPI 0d802d94
Nov 14 11:34:39 myserver charon: 03[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Nov 14 11:34:39 myserver charon: 03[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 14 11:34:39 myserver charon: 03[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS) N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(NO_PROP) ]
Nov 14 11:34:39 myserver charon: 03[NET] sending packet: from 198.XX.XXX.XX[4500] to 37XX.XXX.XX[35513] (192 bytes)
Nov 14 11:34:39 myserver ipsec[7684]: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 2.6.32-042stab111.12, x86_64)
Nov 14 11:34:39 myserver ipsec[7684]: 00[CFG] HA config misses local/remote address
Nov 14 11:34:39 myserver ipsec[7684]: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Nov 14 11:34:39 myserver ipsec[7684]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 14 11:34:39 myserver ipsec[7684]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 14 11:34:39 myserver ipsec[7684]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 14 11:34:39 myserver ipsec[7684]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 14 11:34:39 myserver ipsec[7684]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 14 11:34:39 myserver ipsec[7684]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 14 11:34:39 myserver ipsec[7684]: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/privkey.pem'
Nov 14 11:34:39 myserver ipsec[7684]: 00[CFG] loaded EAP secret for myuser
Nov 14 11:34:39 myserver ipsec[7684]: 00[CFG] loaded 0 RADIUS server configurations
Nov 14 11:34:39 myserver ipsec[7684]: 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
Nov 14 11:34:39 myserver ipsec[7684]: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
Nov 14 11:34:39 myserver ipsec[7684]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Nov 14 11:34:39 myserver ipsec[7684]: 00[JOB] spawning 16 worker threads
Nov 14 11:34:39 myserver ipsec[7684]: 08[CFG] received stroke: add connection 'iosuser'
Nov 14 11:34:39 myserver ipsec[7684]: 08[CFG] left nor right host is our side, assuming left=local
Nov 14 11:34:39 myserver ipsec[7684]: 08[CFG] adding virtual IP address pool 10.0.0.0/24
Nov 14 11:34:39 myserver ipsec[7684]: 08[CFG] loaded certificate "CN=myserver.ovh.net" from 'fullchain.pem'
Nov 14 11:34:39 myserver ipsec[7684]: 08[CFG] added configuration 'iosuser'
Nov 14 11:34:39 myserver ipsec[7684]: 10[NET] received packet: from 37XX.XXX.XX[35512] to 198.XX.XXX.XX[500] (604 bytes)
Nov 14 11:34:39 myserver ipsec[7684]: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Nov 14 11:34:39 myserver ipsec[7684]: 10[IKE] 37XX.XXX.XX is initiating an IKE_SA
Nov 14 11:34:39 myserver ipsec[7684]: 10[IKE] remote host is behind NAT
Nov 14 11:34:39 myserver ipsec[7684]: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Nov 14 11:34:39 myserver ipsec[7684]: 10[NET] sending packet: from 198.XX.XXX.XX[500] to 37XX.XXX.XX[35512] (440 bytes)
Nov 14 11:34:39 myserver ipsec[7684]: 11[NET] received packet: from 37XX.XXX.XX[35513] to 198.XX.XXX.XX[4500] (512 bytes)
Nov 14 11:34:39 myserver ipsec[7684]: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Nov 14 11:34:39 myserver ipsec[7684]: 11[CFG] looking for peer configs matching 198.XX.XXX.XX[myserver.ovh.net]...37XX.XXX.XX[myuser]
Nov 14 11:34:39 myserver ipsec[7684]: 11[CFG] selected peer config 'iosuser'
Nov 14 11:34:39 myserver ipsec[7684]: 11[IKE] initiating EAP_IDENTITY method (id 0x00)
Nov 14 11:34:39 myserver ipsec[7684]: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 14 11:34:39 myserver ipsec[7684]: 11[IKE] peer supports MOBIKE
Nov 14 11:34:39 myserver ipsec[7684]: 11[IKE] authentication of 'myserver.ovh.net' (myself) with RSA signature successful
Nov 14 11:34:39 myserver ipsec[7684]: 11[IKE] sending end entity cert "CN=myserver.ovh.net"
Nov 14 11:34:39 myserver ipsec[7684]: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Nov 14 11:34:39 myserver ipsec[7684]: 11[NET] sending packet: from 198.XX.XXX.XX[4500] to 37XX.XXX.XX[35513] (1664 bytes)
Nov 14 11:34:39 myserver ipsec[7684]: 12[NET] received packet: from 37XX.XXX.XX[35513] to 198.XX.XXX.XX[4500] (80 bytes)
Nov 14 11:34:39 myserver ipsec[7684]: 12[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Nov 14 11:34:39 myserver ipsec[7684]: 12[IKE] received EAP identity 'myuser'
Nov 14 11:34:39 myserver ipsec[7684]: 12[IKE] initiating EAP_MSCHAPV2 method (id 0x98)
Nov 14 11:34:39 myserver ipsec[7684]: 12[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Nov 14 11:34:39 myserver ipsec[7684]: 12[NET] sending packet: from 198.XX.XXX.XX[4500] to 37XX.XXX.XX[35513] (112 bytes)
Nov 14 11:34:39 myserver ipsec[7684]: 13[NET] received packet: from 37XX.XXX.XX[35513] to 198.XX.XXX.XX[4500] (144 bytes)
Nov 14 11:34:39 myserver ipsec[7684]: 13[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Nov 14 11:34:39 myserver ipsec[7684]: 13[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Nov 14 11:34:39 myserver ipsec[7684]: 13[NET] sending packet: from 198.XX.XXX.XX[4500] to 37XX.XXX.XX[35513] (144 bytes)
Nov 14 11:34:39 myserver ipsec[7684]: 14[NET] received packet: from 37XX.XXX.XX[35513] to 198.XX.XXX.XX[4500] (80 bytes)
Nov 14 11:34:39 myserver ipsec[7684]: 14[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Nov 14 11:34:39 myserver ipsec[7684]: 14[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Nov 14 11:34:39 myserver ipsec[7684]: 14[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Nov 14 11:34:39 myserver ipsec[7684]: 14[NET] sending packet: from 198.XX.XXX.XX[4500] to 37XX.XXX.XX[35513] (80 bytes)
Nov 14 11:34:39 myserver ipsec[7684]: 03[NET] received packet: from 37XX.XXX.XX[35513] to 198.XX.XXX.XX[4500] (112 bytes)
Nov 14 11:34:39 myserver ipsec[7684]: 03[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Nov 14 11:34:39 myserver ipsec[7684]: 03[IKE] authentication of 'myuser' with EAP successful
Nov 14 11:34:39 myserver ipsec[7684]: 03[IKE] authentication of 'myserver.ovh.net' (myself) with EAP
Nov 14 11:34:39 myserver charon: 15[NET] received packet: from 37XX.XXX.XX[35513] to 198.XX.XXX.XX[4500] (80 bytes)
Nov 14 11:34:39 myserver charon: 15[ENC] parsed INFORMATIONAL request 6 [ D ]
Nov 14 11:34:39 myserver charon: 15[IKE] received DELETE for IKE_SA iosuser[1]
Nov 14 11:34:39 myserver charon: 15[IKE] deleting IKE_SA iosuser[1] between 198.XX.XXX.XX[myserver.ovh.net]...37XX.XXX.XX[myuser]
Nov 14 11:34:39 myserver charon: 15[IKE] IKE_SA deleted
Nov 14 11:34:39 myserver charon: 15[ENC] generating INFORMATIONAL response 6 [ ]
Nov 14 11:34:39 myserver charon: 15[NET] sending packet: from 198.XX.XXX.XX[4500] to 37XX.XXX.XX[35513] (80 bytes)
Nov 14 11:34:39 myserver charon: 15[CFG] lease 10.0.0.1 by 'myuser' went offline
Nov 14 11:35:05 myserver systemd[1]: Stopping LSB: pptpd...
Nov 14 11:35:05 myserver systemd[1]: Starting LSB: pptpd...
Nov 14 11:35:05 myserver systemd[1]: Started LSB: pptpd.
root@myserver:/home/myuser#
root@myserver:/home/myuser# vim /etc/ipsec.secrets
root@myserver:/home/myuser# vim /etc/ipsec.conf
root@myserver:/home/myuser# cat /etc/ipsec.conf
config setup

conn %default
    keyexchange=ikev2
    leftid=myserver.ovh.net
    leftcert=fullchain.pem
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=10.0.0.0/24
    rightdns=8.8.8.8
    dpdaction=clear
    #esp=null-sha1!
    esp=aes256-sha256,3des-sha1!

conn iosuser
    leftsendcert=always
    rightauth=eap-mschapv2
    eap_identity=%identity
    auto=add
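As an added diagnostic example (not from the original post and not part of strongSwan): a small Python triage of charon log lines like the ones above. It records the last negotiation milestone reached and any netlink errors, so a failure while installing the IPsec SA in the kernel (as in the log above, where IKE and EAP succeed but the CHILD_SA cannot be installed) is told apart from an authentication problem. The sample log is constructed, modelled on the posted lines.

```python
import re

# Constructed sample, modelled on the charon lines posted above (addresses redacted as in the post).
SAMPLE_LOG = """\
Nov 14 11:34:38 myserver charon: 10[IKE] 37XX.XXX.XX is initiating an IKE_SA
Nov 14 11:34:38 myserver charon: 11[CFG] selected peer config 'iosuser'
Nov 14 11:34:38 myserver charon: 14[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Nov 14 11:34:39 myserver charon: 03[IKE] IKE_SA iosuser[1] established between 198.XX.XXX.XX[myserver.ovh.net]...37XX.XXX.XX[myuser]
Nov 14 11:34:39 myserver charon: 03[KNL] received netlink error: Protocol not supported (93)
Nov 14 11:34:39 myserver charon: 03[KNL] unable to add SAD entry with SPI c4a5f120
Nov 14 11:34:39 myserver charon: 03[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Nov 14 11:34:39 myserver charon: 03[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 14 11:34:39 myserver charon: 15[IKE] received DELETE for IKE_SA iosuser[1]
"""

# Milestones of an IKEv2/EAP responder negotiation, in order; the last one seen is how far the peer got.
MILESTONES = [
    ("ike_sa_init", re.compile(r"is initiating an IKE_SA")),
    ("peer_config", re.compile(r"selected peer config '([^']+)'")),
    ("eap_success", re.compile(r"EAP method \S+ succeeded")),
    ("ike_sa_established", re.compile(r"IKE_SA \S+ established")),
    ("child_sa_installed", re.compile(r"CHILD_SA \S+ established")),
]
KNL_ERROR = re.compile(r"received netlink error: (.+?) \((\d+)\)")  # kernel refused an XFRM/SAD operation
CHILD_FAIL = re.compile(r"failed to establish CHILD_SA")
DELETE = re.compile(r"received DELETE for IKE_SA")                   # client tore the IKE_SA down


def triage(log_text):
    stage, kernel_errors, child_failed, deleted = None, [], False, False
    for line in log_text.splitlines():
        msg = line.split("] ", 1)[-1]  # drop the syslog prefix and the "NN[SUBSYS] " tag
        for name, pat in MILESTONES:
            if pat.search(msg):
                stage = name
        m = KNL_ERROR.search(msg)
        if m:
            kernel_errors.append((m.group(1), int(m.group(2))))
        child_failed |= bool(CHILD_FAIL.search(msg))
        deleted |= bool(DELETE.search(msg))
    if stage == "ike_sa_established" and child_failed and kernel_errors:
        verdict = "IKE and EAP succeeded; kernel refused the IPsec SA: %s (errno %d)" % kernel_errors[0]
    elif stage == "child_sa_installed":
        verdict = "tunnel up"
    elif deleted:
        verdict = "client deleted the IKE_SA after stage %s" % stage
    else:
        verdict = "negotiation stopped at stage %s" % stage
    return {"stage": stage, "kernel_errors": kernel_errors, "deleted": deleted, "verdict": verdict}
```

Run against the posted log, the verdict points at the kernel rejecting the ESP SA rather than at the certificates or the EAP credentials, which is where to look first (kernel IPsec/ESP support on that host).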