<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div><div>On Sep 16, 2014, at 7:48 PM, Paul Wouters <<a href="mailto:paul@nohats.ca">paul@nohats.ca</a>> wrote:</div><div><br></div><div>Hmmm, still no go...</div><div><br><br><blockquote type="cite">On Tue, 16 Sep 2014, Enrico Brunetta wrote:<br><br><blockquote type="cite">You say leftcert should be the vpn server cert and not my own cert, so I went ahead and created a cert for the server.<br><br>Now is the server cert the one I need to export and then import on my Mac system keychain to then use on the Cisco VPN connection setting, or should that be my own cert (enrico) ?<br></blockquote><br>No you should import your enrico cert on the mac. Remember to both<br>import the p12 file and the cacert.pem separately - OSX/iOS is stupid<br>like that.<br><br></blockquote><div><br></div>OK, I imported both separately:</div><div><img apple-inline="yes" id="15FB44E5-0240-47C2-8515-3124996C67AC" height="749" width="501" apple-width="yes" apple-height="yes" src="cid:91FD0C09-5F45-4F1D-878B-E2F084CD862E"></div><div><img apple-inline="yes" id="523993D1-3514-4649-8031-97F217575136" height="870" width="550" apple-width="yes" apple-height="yes" src="cid:07D04B60-0412-4B54-BBC0-FB55A1BC6DF5"></div><div><br></div><div>VPN connection is using it:</div><div><img apple-inline="yes" id="2E91DFB7-AAA2-4DF2-BC2C-7F90277BE63B" height="715" width="1026" apple-width="yes" apple-height="yes" src="cid:18C97369-6DF8-4E4D-9689-12A83EC0A31B"></div><div><br></div><div><br></div><div><blockquote type="cite"><blockquote type="cite"><br>leftid=<a href="http://vpn.bitproductions.com">vpn.bitproductions.com</a><br></blockquote><br>you most likely mean <a href="mailto:leftid=@vpn.bitproductions.com">leftid=@vpn.bitproductions.com</a><br><br></blockquote><div><br></div>Yes, fixed this.</div><div><br><blockquote type="cite"><br>You are missing modecfgpull=yes. See<br><a href="https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH">https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH</a><br><br></blockquote><div>OK, added modecfgpull=yes</div><div><br></div><div><br></div><div>/etc/ipsec.secrets:</div><div>: RSA enrico</div><div><br></div><div><br></div><blockquote type="cite">Did your connection load? run ipsec auto --add xauth-rsa<br></blockquote><div>002 "xauth-rsa": deleting connection<br>002 added connection description "xauth-rsa”</div><div><br></div><br><blockquote type="cite">Did your certificates load? run ipsec auto --listall and look for the<br>CAcert and the <a href="http://vpn.bitproductions.com">vpn.bitproductions.com</a> cert.<br></blockquote><div><br></div>root@ip-172-31-48-104:~# ipsec auto --listall<br>000 <br>000 List of RSA Public Keys:<br>000 <br>000 Sep 17 01:24:23 2014, 1024 RSA Key AwEAAdS9l (no private key), until Sep 16 22:04:08 2024 ok<br>000 ID_FQDN '@<a href="http://vpn.bitproductions.com">vpn.bitproductions.com</a>'<br>000 Issuer 'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=bitProductions VPN Certification Authority'<br>000 Sep 17 01:24:23 2014, 1024 RSA Key AwEAAdS9l (no private key), until Sep 16 22:04:08 2024 ok<br>000 ID_DER_ASN1_DN 'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=VPN Server'<br>000 Issuer 'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=bitProductions VPN Certification Authority'<br>000 List of Pre-shared secrets (from /etc/ipsec.secrets)<br>000 1: RSA (none) (none)<br>000 <br>000 List of X.509 End Certificates:<br>000 Sep 17 01:24:23 2014, count: 1<br>000 subject: 'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=VPN Server'<br>000 issuer: 'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=bitProductions VPN Certification Authority'<br>000 serial: 00:a0:66:bd:bf<br>000 pubkey: 1024 RSA Key AwEAAdS9l<br>000 validity: not before Sep 16 22:04:08 2014 ok<br>000 not after Sep 16 22:04:08 2024 ok<br>000 <br>000 List of X.509 CA Certificates:<br>000 Sep 17 01:17:27 2014, count: 1<br>000 subject: 'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=bitProductions VPN Certification Authority'<br>000 issuer: 'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=bitProductions VPN Certification Authority'<br>000 serial: 00:a0:66:bd:a5<br>000 pubkey: 1024 RSA Key AwEAAco/Y<br>000 validity: not before Sep 16 22:03:58 2014 ok<br>000 not after Sep 16 22:03:58 2024 ok<br>000 <br>000 List of X.509 CRLs:</div><div><br></div><div><br>/etc/ipsec.conf is now:</div></div><div>version 2.0<br><br>config setup<br> dumpdir=/var/run/pluto/<br> nat_traversal=yes<br> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.31.48.129/25<br> oe=off<br> protostack=netkey<br> nhelpers=0<br> interfaces=%defaultroute</div><div><br></div><div>conn xauth-rsa<br> connaddrfamily=ipv4<br> auto=add<br> authby=rsasig<br> pfs=no<br> rekey=no<br> leftxauthserver=yes<br> rightxauthclient=yes<br> modecfgpull=yes<br> left=172.31.28.183<br> leftcert=<a href="http://vpn.bitproductions.com">vpn.bitproductions.com</a><br> <a href="mailto:leftid=@vpn.bitproductions.com">leftid=@vpn.bitproductions.com</a><br> leftsendcert=always<br># leftnexthop=%defaultroute<br> leftsubnet=0.0.0.0/0<br> right=%any<br> rightid=%fromcert<br> rightrsasigkey=%cert<br> rightaddresspool=172.31.48.130-172.31.48.254<br> forceencaps=yes<br> #xauthfail=soft<br> #xauthby=alwaysok<br> xauthby=file<br> ike_frag=yes<br> dpddelay=30<br> dpdtimeout=120<br> dpdaction=clear</div><div><br></div><div>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: secrets file: /etc/ipsec.secrets<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: leak-detective disabled<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: SAref support [disabled]: Protocol not available<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: SAbind support [disabled]: Protocol not available<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: NSS crypto [enabled]<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: XAUTH PAM support [enabled]<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: NAT-Traversal support [enabled]<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok (ret=0)<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: no crypto helpers will be started; all cryptographic operations will be done inline<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: Using Linux XFRM/NETKEY IPsec interface code on 3.13.0-29-generic<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: Warning: failed to register algo_aes_ccm_8 for IKE<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_enc(): Activating aes_ccm_12: Ok (ret=0)<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: Warning: failed to register algo_aes_ccm_12 for IKE<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_enc(): Activating aes_ccm_16: Ok (ret=0)<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: Warning: failed to register algo_aes_ccm_16 for IKE<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_enc(): Activating aes_gcm_8: Ok (ret=0)<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: Warning: failed to register algo_aes_gcm_8 for IKE<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_enc(): Activating aes_gcm_12: Ok (ret=0)<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: Warning: failed to register algo_aes_gcm_12 for IKE<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: ike_alg_register_enc(): Activating aes_gcm_16: Ok (ret=0)<br>Sep 17 01:17:27 ip-172-31-48-104 pluto[5416]: Warning: failed to register algo_aes_gcm_16 for IKE<br>Sep 17 01:17:28 ip-172-31-48-104 pluto[5416]: added connection description "xauth-rsa"<br>Sep 17 01:17:28 ip-172-31-48-104 pluto[5416]: listening for IKE messages<br>Sep 17 01:17:28 ip-172-31-48-104 pluto[5416]: adding interface eth0/eth0 172.31.48.104:500<br>Sep 17 01:17:28 ip-172-31-48-104 pluto[5416]: adding interface eth0/eth0 172.31.48.104:4500<br>Sep 17 01:17:28 ip-172-31-48-104 pluto[5416]: adding interface lo/lo 127.0.0.1:500<br>Sep 17 01:17:28 ip-172-31-48-104 pluto[5416]: adding interface lo/lo 127.0.0.1:4500<br>Sep 17 01:17:28 ip-172-31-48-104 pluto[5416]: loading secrets from "/etc/ipsec.secrets"<br>Sep 17 01:17:28 ip-172-31-48-104 pluto[5416]: loaded private key for keyid: PPK_RSA:AwEAAbjhb<br>Sep 17 01:24:23 ip-172-31-48-104 pluto[5416]: "xauth-rsa": deleting connection</div><div>Sep 17 01:24:23 ip-172-31-48-104 pluto[5416]: added connection description "xauth-rsa"<br>Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: received Vendor ID payload [RFC 3947]<br>Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]<br>Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08]<br>Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07]<br>Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06]<br>Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05]<br>Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04]<br>Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]<br>Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]<br>Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]<br>Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: received Vendor ID payload [XAUTH]<br>Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: received Vendor ID payload [Cisco-Unity]<br>Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: received Vendor ID payload [FRAGMENTATION 80000000]<br>Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: received Vendor ID payload [Dead Peer Detection]<br>Sep 17 01:31:29 ip-172-31-48-104 pluto[5416]: packet from 70.117.100.63:500: initial Main Mode message received on 172.31.48.104:500 but no connection has been authorized with policy=RSASIG+XAUTH</div><div><br></div><div><br></div><div>Thanks again for any additional help...I promise to write a nice how to when all of this is in place to help newbies like me.</div><div><br></div><div>Enrico.</div></body></html>