[strongSwan] Strongswan Android client could not log in (VPN otherwise working for Win7)

Karl Denninger karl at denninger.net
Sun Sep 22 03:21:42 CEST 2013


Do this:

[karl at NewFS ~] $ ipsec listcerts

List of X.509 End Entity Certificates:

  altNames:  genesis.denninger.net
  subject:  "C=US, ST=Florida, O=Cuda Systems LLC,
CN=genesis.denninger.net, E=karl at denninger.net"
  issuer:   "C=US, ST=Florida, L=Niceville, O=Cuda Systems LLC, CN=Cuda
Systems LLC CA, E=customer-service at cudasystems.net"
  serial:    00
  validity:  not before Apr 26 13:58:18 2013, ok
             not after  Apr 24 13:58:18 2023, ok
  pubkey:    RSA 2048 bits*, has private key*
  keyid:     a2:d6:7e:56:84:02:2b:35:20:84:33:0c:5e:64:33:a3:68:c7:84:da
  subjkey:   a6:eb:7d:3b:91:a9:69:59:a0:7a:aa:6b:9e:cc:18:f8:57:6e:72:e9
  authkey:   5d:d4:de:1a:41:66:ae:34:1c:1e:55:33:b0:78:e3:f8:26:5e:22:34

The gateway in question on which I ran this is "genesis.denninger.net".

If the bold part of that is missing (it is not bolded in the display)
then the private key for your machine certificate (authenticating the
server) is not available to StrongSwan on the gateway.  Either the key
is in the wrong place or it is locked (has a password) and the password
was not provided when ipsec was started.

StrongSwan has to be able to read the private key for the server's
certificate or it will not authenticate the connection.

On 9/21/2013 6:42 PM, Lawrence Chiu wrote:
> Focusing on this error near the end of syslog:
> Sep 21 18:26:16 vmware-u003 charon: 04[CFG] selected peer config 'win7'
> Sep 21 18:26:16 vmware-u003 charon: 04[IKE] no trusted RSA public key 
> found for 'C=CH, O=strongSwan, CN=win7.mycompany.local'
> Sep 21 18:26:16 vmware-u003 charon: 04[IKE] received 
> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Sep 21 18:26:16 vmware-u003 charon: 04[IKE] peer supports MOBIKE
> Sep 21 18:26:16 vmware-u003 charon: 04[ENC] generating IKE_AUTH response 
> 1 [ N(AUTH_FAILED) ]
> Sep 21 18:26:16 vmware-u003 charon: 04[NET] sending packet: from 
> 192.168.0.180[4500] to 166.147.64.91[50881]
>
> The error "no trusted RSA public key found for 'C=CH, O=strongSwan, 
> CN=win7.mycompany.local'" looked interesting, so...
> I added a line to ipsec.conf:
>      rightcert=win7.cert
>
> and then placed the win7.cert file (the client public certificate) in 
> /etc/ipsec.d/certs/
>
> Now, the errors have changed:
> Sep 21 18:27:17 barney charon: 04[CFG] selected peer config 'win7'
> Sep 21 18:27:17 barney charon: 04[CFG]   using trusted ca certificate 
> "C=CH, O=strongSwan, CN=pkiCA"
> Sep 21 18:27:17 barney charon: 04[CFG] checking certificate status of 
> "C=CH, O=strongSwan, CN=win7.mycompany.local"
> Sep 21 18:27:17 barney charon: 04[CFG] certificate status is not available
> Sep 21 18:27:17 barney charon: 04[CFG]   reached self-signed root ca 
> with a path length of 0
> Sep 21 18:27:17 barney charon: 04[CFG]   using trusted certificate 
> "C=CH, O=strongSwan, CN=win7.mycompany.local"
> Sep 21 18:27:17 barney charon: 04[IKE] authentication of 'C=CH, 
> O=strongSwan, CN=win7.mycompany.local' with RSA signature successful
> Sep 21 18:27:17 barney charon: 04[CFG] constraint requires EAP 
> authentication, but public key was used
> Sep 21 18:27:17 barney charon: 04[CFG] selected peer config 'win7' 
> inacceptable
> Sep 21 18:27:17 barney charon: 04[CFG] no alternative config found
> Sep 21 18:27:17 barney charon: 04[IKE] received 
> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Sep 21 18:27:17 barney charon: 04[IKE] peer supports MOBIKE
> Sep 21 18:27:17 barney charon: 04[ENC] generating IKE_AUTH response 1 [ 
> N(AUTH_FAILED) ]
> Sep 21 18:27:17 barney charon: 04[NET] sending packet: from 
> 192.168.0.50[4500] to 166.147.64.91[54346]
>
>
> So it looks like the error is now: "constraint requires EAP 
> authentication, but public key was used" since immediately after that, 
> it says: "selected peer config 'win7' inacceptable"

-- 
Karl Denninger
karl at denninger.net
/Cuda Systems LLC/
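The two checks discussed in this thread, the "has private key" marker in `ipsec listcerts` output and the IKE_AUTH failure reasons charon logs, can be scripted. The following is an added example written for this page; it is not code from the strongSwan project or from either poster. It parses constructed `ipsec listcerts` output (modelled on the output above, with invented names under `example.test`) to flag server certificates for which charon has no private key, and classifies constructed charon log lines by the two failure causes seen in the thread (untrusted peer certificate; EAP expected but a certificate was offered).

```python
"""Added example, not part of the strongSwan thread or project: check
`ipsec listcerts` output for certificates without a loaded private key,
and classify charon IKE_AUTH failure lines. All sample text is constructed."""
import re

# Constructed `ipsec listcerts` output: first cert has its key loaded,
# second does not (the situation Karl describes for the gateway).
LISTCERTS_SAMPLE = """\
List of X.509 End Entity Certificates:

  altNames:  vpn.example.test
  subject:  "C=XX, O=Example, CN=vpn.example.test"
  issuer:   "C=XX, O=Example, CN=Example CA"
  serial:    00
  validity:  not before Apr 26 13:58:18 2013, ok
             not after  Apr 24 13:58:18 2023, ok
  pubkey:    RSA 2048 bits, has private key
  keyid:     00:11:22:33

  altNames:  other.example.test
  subject:  "C=XX, O=Example, CN=other.example.test"
  issuer:   "C=XX, O=Example, CN=Example CA"
  serial:    01
  validity:  not before Apr 26 13:58:18 2013, ok
             not after  Apr 24 13:58:18 2023, ok
  pubkey:    RSA 2048 bits
  keyid:     44:55:66:77
"""


def parse_listcerts(text):
    """Split listcerts output into per-certificate records (blank-line
    separated) and record whether the pubkey line says 'has private key'."""
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = re.match(r"\s*(\w+):\s+(.*)$", line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if "subject" not in fields:
            continue  # the "List of ..." header block, not a certificate
        cn = re.search(r"CN=([^,\"]+)", fields["subject"])
        pubkey = fields.get("pubkey", "")
        certs.append({
            "cn": cn.group(1) if cn else fields["subject"],
            "pubkey": pubkey,
            "has_private_key": "has private key" in pubkey,
        })
    return certs


def certs_without_key(text):
    """CNs of certificates charon cannot use for server authentication."""
    return [c["cn"] for c in parse_listcerts(text) if not c["has_private_key"]]


# Constructed charon lines modelled on the two failures quoted in the thread
# (hostname shortened to 'gw'; peer identity copied from the thread).
CHARON_SAMPLE = """\
Sep 21 18:26:16 gw charon: 04[CFG] selected peer config 'win7'
Sep 21 18:26:16 gw charon: 04[IKE] no trusted RSA public key found for 'C=CH, O=strongSwan, CN=win7.mycompany.local'
Sep 21 18:26:16 gw charon: 04[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 21 18:27:17 gw charon: 04[IKE] authentication of 'C=CH, O=strongSwan, CN=win7.mycompany.local' with RSA signature successful
Sep 21 18:27:17 gw charon: 04[CFG] constraint requires EAP authentication, but public key was used
Sep 21 18:27:17 gw charon: 04[CFG] selected peer config 'win7' inacceptable
Sep 21 18:27:17 gw charon: 04[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# Cause labels are this example's own names, not strongSwan terminology.
FAILURE_PATTERNS = [
    # peer certificate not in /etc/ipsec.d/certs and not issued by a trusted CA
    (re.compile(r"no trusted RSA public key found for '([^']*)'"),
     "peer-cert-untrusted"),
    # the peer config (rightauth) expects EAP but the client used a certificate
    (re.compile(r"constraint requires EAP authentication, but public key was used"),
     "auth-method-mismatch"),
]


def classify_auth_failures(log_text):
    """Return (cause, peer identity or None, raw line) for every charon line
    matching a known IKE_AUTH failure reason; other lines are ignored."""
    findings = []
    for line in log_text.splitlines():
        for pattern, cause in FAILURE_PATTERNS:
            m = pattern.search(line)
            if m:
                identity = m.group(1) if m.groups() else None
                findings.append((cause, identity, line))
    return findings


if __name__ == "__main__":
    for cn in certs_without_key(LISTCERTS_SAMPLE):
        print("no private key loaded for server certificate:", cn)
    for cause, identity, _ in classify_auth_failures(CHARON_SAMPLE):
        print(cause, identity or "")
```

On a real gateway, feed `ipsec listcerts` output into `certs_without_key` and the charon syslog into `classify_auth_failures`; a `peer-cert-untrusted` finding points at the client certificate or its CA not being installed, while `auth-method-mismatch` means the selected peer config's authentication constraint does not match what the client offered.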