<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hi there,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I have a testing scenario where the VPN gateway moon uses a certificate/private key to authenticate itself to the client. I have installed the server’s certificate at
<span style="background:yellow;mso-highlight:yellow">/usr/local/etc/ipsec.d/certs/moonCert.pem</span> and the server’s private key file at
<span style="background:yellow;mso-highlight:yellow">/usr/local/etc/ipsec.d/private/moonKey.pem</span>. These two files are the original ones taken from the strongswan-5.0.0 release.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The client is an Android phone behind a WiFi router (10.41.72.35). When the client comes in, I am seeing moon (10.46.212.196) complain about a certificate-related problem, and then the authentication fails:<o:p></o:p></p>
<p class="MsoNormal">Sep 15 18:52:51 as3-iwf118 charon: 13[NET] received packet: from 10.41.72.35[34745] to 10.46.212.196[500]
<br>
Sep 15 18:52:51 as3-iwf118 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
<br>
Sep 15 18:52:51 as3-iwf118 charon: 13[IKE] 10.41.72.35 is initiating an IKE_SA <br>
Sep 15 18:52:51 as3-iwf118 charon: 13[IKE] remote host is behind NAT <br>
Sep 15 18:52:51 as3-iwf118 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
<br>
Sep 15 18:52:51 as3-iwf118 charon: 13[NET] sending packet: from 10.46.212.196[500] to 10.41.72.35[34745]
<br>
Sep 15 18:52:53 as3-iwf118 charon: 08[NET] received packet: from 10.41.72.35[44399] to 10.46.212.196[4500]
<br>
Sep 15 18:52:53 as3-iwf118 charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT)
<span style="background:yellow;mso-highlight:yellow">CERTREQ</span> IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
<br>
Sep 15 18:52:53 as3-iwf118 charon: 08[IKE] <span style="color:red">received 118 cert requests for an unknown ca
</span><br>
Sep 15 18:52:53 as3-iwf118 charon: 08[CFG] looking for peer configs matching <span style="background:yellow;mso-highlight:yellow">
10.46.212.196</span>[<span style="color:red">10.46.212.196</span>]...<span style="background:yellow;mso-highlight:yellow">10.41.72.35[octopus@qualcomm.com]</span>
<br>
Sep 15 18:52:53 as3-iwf118 charon: 08[CFG] <span style="color:red">no matching peer config found
</span><br>
Sep 15 18:52:53 as3-iwf118 charon: 08[IKE] peer supports MOBIKE <br>
Sep 15 18:52:53 as3-iwf118 charon: 08[ENC] generating IKE_AUTH response 1 [ N(<span style="color:red">AUTH_FAILED</span>) ]
<br>
Sep 15 18:52:53 as3-iwf118 charon: 08[NET] sending packet: from 10.46.212.196[4500] to 10.41.72.35[44399]<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">I have included moon’s ipsec.conf, ipsec.secrets, and strongswan.conf at the end of this email, but I guess I may not fully understand how this certificate/private key authentication works,
so I am asking some questions here and would very much appreciate it if someone could shed some light:<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p>1): Is it allowed to have moon use a pre-configured certificate/private key, such as<span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">
</span><span style="background:yellow;mso-highlight:yellow">moonCert.pem</span>/<span style="background:yellow;mso-highlight:yellow">moonKey.pem</span>, to authenticate itself to the client, and to have the client use
<span style="background:yellow;mso-highlight:yellow">moonCert.pem</span>? Or does it have to go through some kind of certificate authority (CA)?<span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal">2): <span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Is “<span style="color:red">received 118 cert requests for an unknown ca</span>” really the error which caused the AUTH_FAILED or is “</span><span style="color:red">no
matching peer config found</span><span style="color:black">” </span><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">the real error?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">3</span>): <span style="font-size:12.0pt;font-family:"Times New Roman","serif";background:yellow;mso-highlight:yellow">Is the</span><span style="color:black">
</span><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">“<span style="color:red">received 118 cert requests for an unknown ca</span>” harmless? Or should we configure the client not to include the
<span style="background:yellow;mso-highlight:yellow">CERTREQ</span> in its IKE_AUTH request?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">4): How can I make the client accept</span><span style="color:red">
</span><span style="background:yellow;mso-highlight:yellow">moonCert.pem</span>? <span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
Should I manually install it on the client as well? Or can the client receive it in the IKEv2 message and start using it from there?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">I also tried another client, strongswan-5.0.0 running on a separate Linux box (</span>10.41.73.234),
<span style="font-size:12.0pt;font-family:"Times New Roman","serif"">and got the server authentication working with the same server configuration:<o:p></o:p></span></p>
<p class="MsoNormal">Sep 16 21:57:14 as3-iwf118 charon: 09[NET] received packet: from 10.41.73.234[4500] to 10.46.212.196[4500]
<o:p></o:p></p>
<p class="MsoNormal">Sep 16 21:57:14 as3-iwf118 charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
<o:p></o:p></p>
<p class="MsoNormal">Sep 16 21:57:14 as3-iwf118 charon: 09[CFG] looking for peer configs matching
<span style="background:yellow;mso-highlight:yellow">10.46.212.196[moon.strongswan.org]...10.41.73.234[octopus@qualcomm.com]</span>
<o:p></o:p></p>
<p class="MsoNormal">Sep 16 21:57:14 as3-iwf118 charon: 09[CFG] selected peer config
<span style="background:yellow;mso-highlight:yellow">'client_1'</span> <o:p></o:p></p>
<p class="MsoNormal">Sep 16 21:57:14 as3-iwf118 charon: 09[CFG] sending RADIUS Access-Request to server '127.0.0.1'
<o:p></o:p></p>
<p class="MsoNormal">Sep 16 21:57:14 as3-iwf118 charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
<o:p></o:p></p>
<p class="MsoNormal">Sep 16 21:57:14 as3-iwf118 charon: 07[NET] sending packet: from 2002:c023:9c17:21b::a2e:d4c4[500] to 2002:c023:9c17:21c:21b:78ff:fee0:dbfc[500]
<o:p></o:p></p>
<p class="MsoNormal">Sep 16 21:57:14 as3-iwf118 charon: 09[CFG] received RADIUS Access-Challenge from server '127.0.0.1'
<o:p></o:p></p>
<p class="MsoNormal">Sep 16 21:57:14 as3-iwf118 charon: 09[IKE] initiating EAP_RADIUS method (id 0x01)
<o:p></o:p></p>
<p class="MsoNormal">Sep 16 21:57:14 as3-iwf118 charon: 09[IKE] peer supports MOBIKE
<o:p></o:p></p>
<p class="MsoNormal">Sep 16 21:57:14 as3-iwf118 charon: 09[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful
<o:p></o:p></p>
<p class="MsoNormal">Sep 16 21:57:14 as3-iwf118 charon: 09[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/MD5 ]
<o:p></o:p></p>
<p class="MsoNormal">Sep 16 21:57:14 as3-iwf118 charon: 09[NET] sending packet: from 10.46.212.196[4500] to 10.41.73.234[4500]
<o:p></o:p></p>
<p class="MsoNormal">Sep 16 21:57:14 as3-iwf118 charon: 10[NET] received packet: from 10.41.73.234[4500] to 10.46.212.196[4500]
<o:p></o:p></p>
<p class="MsoNormal">Sep 16 21:57:14 as3-iwf118 charon: 10[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MD5 ]
<o:p></o:p></p>
<p class="MsoNormal">Sep 16 21:57:14 as3-iwf118 charon: 10[CFG] sending RADIUS Access-Request to server '127.0.0.1'
<o:p></o:p></p>
<p class="MsoNormal">Sep 16 21:57:14 as3-iwf118 charon: 10[CFG] received RADIUS Access-Accept from server '127.0.0.1'
<o:p></o:p></p>
<p class="MsoNormal">Sep 16 21:57:14 as3-iwf118 charon: 10[IKE] RADIUS authentication of 'octopus@qualcomm.com' successful
<o:p></o:p></p>
<p class="MsoNormal">Sep 16 21:57:14 as3-iwf118 charon: 10[IKE] EAP method EAP_MD5 succeeded, no MSK established
<o:p></o:p></p>
<p class="MsoNormal">Sep 16 21:57:14 as3-iwf118 charon: 10[ENC] generating IKE_AUTH response 2 [ EAP/SUCC ]
<o:p></o:p></p>
<p class="MsoNormal">Sep 16 21:57:14 as3-iwf118 charon: 10[NET] sending packet: from 10.46.212.196[4500] to 10.41.73.234[4500]<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">In this log, I noticed that the
</span>matching of <span style="background:yellow;mso-highlight:yellow">10.46.212.196[moon.strongswan.org]...10.41.73.234[octopus@qualcomm.com]</span> found
<span style="background:yellow;mso-highlight:yellow">'client_1'</span>.<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">However, between the two log messages below (the first is the failed case, and the second is the successful case), the only difference is that the first one did</span>
<span style="font-size:12.0pt;font-family:"Times New Roman","serif"">not show</span>
<span style="color:red">moon.strongswan.org</span><span style="color:black">; </span>
<span style="font-size:12.0pt;font-family:"Times New Roman","serif"">it had</span><span style="color:black">
</span><span style="color:red">10.46.212.196 </span><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">instead, and it failed:</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="background:yellow;mso-highlight:yellow">Sep 15</span> 18:52:53 as3-iwf118 charon: 08[CFG] looking for peer configs matching 10.46.212.196[<span style="color:red">10.46.212.196</span>]...10.41.72.35[octopus@qualcomm.com]
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="background:yellow;mso-highlight:yellow">Sep 16</span> 21:57:14 as3-iwf118 charon: 09[CFG] looking for peer configs matching 10.46.212.196[<span style="color:red">moon.strongswan.org</span>]...10.41.73.234[octopus@qualcomm.com]
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">So, could this be the reason for “<span style="color:red">no matching peer config found</span>” in the failure case? How can I make it work in the failure case?<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Thanks a lot!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Zhiheng<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">=======================================================<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""># ipsec.conf - strongSwan IPsec configuration file of the VPN gateway<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">#<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">config setup<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">conn %default<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> ikelifetime=60m<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> keylife=20m<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> rekeymargin=3m<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> keyingtries=1<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> keyexchange=ikev2<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">conn client_1<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> left=%defaultroute<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> leftsubnet=10.46.212.192/27,10.9.8.0/24<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> leftid=@moon.strongswan.org<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> leftcert=moonCert.pem<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> leftauth=pubkey<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> leftfirewall=yes<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> rightid=octopus@qualcomm.com<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> rightauth=eap-radius<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> rightsendcert=never<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> right=%any<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> rightsourceip=10.9.8.1<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> auto=add<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">=======================================================<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""># ipsec.secrets - strongSwan IPsec secrets file of the VPN gateway<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">#<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">: RSA moonKey.pem<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""># client's secret is stored in the freeradius server's configuration file<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""># for example: /usr/etc/raddb/users<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">=======================================================<o:p></o:p></span></p>
<p class="MsoNormal"># strongswan.conf - strongSwan configuration file<o:p></o:p></p>
<p class="MsoNormal">#<o:p></o:p></p>
<p class="MsoNormal">charon {<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> # number of worker threads in charon<o:p></o:p></p>
<p class="MsoNormal"> threads = 16<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> # send strongswan vendor ID?<o:p></o:p></p>
<p class="MsoNormal"> # send_vendor_id = yes<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> plugins {<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> sql {<o:p></o:p></p>
<p class="MsoNormal"> # loglevel to log into sql database<o:p></o:p></p>
<p class="MsoNormal"> loglevel = -1<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> # URI to the database<o:p></o:p></p>
<p class="MsoNormal"> # database = sqlite:///path/to/file.db<o:p></o:p></p>
<p class="MsoNormal"> # database = mysql://user:password@localhost/database<o:p></o:p></p>
<p class="MsoNormal"> }<o:p></o:p></p>
<p class="MsoNormal"> eap-radius {<o:p></o:p></p>
<p class="MsoNormal"> server = 127.0.0.1<o:p></o:p></p>
<p class="MsoNormal"> secret = testing123<o:p></o:p></p>
<p class="MsoNormal"> }<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> }<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> # ...<o:p></o:p></p>
<p class="MsoNormal">}<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">pluto {<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">}<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">libstrongswan {<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> # set to no, the DH exponent size is optimized<o:p></o:p></p>
<p class="MsoNormal"> # dh_exponent_ansi_x9_42 = no<o:p></o:p></p>
<p class="MsoNormal">}<o:p></o:p></p>
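<p class="MsoNormal">Editor's added example (not part of the e-mail above and not strongSwan project code): a small Python triage script that parses the two charon "[CFG] looking for peer configs matching" lines quoted in the message and compares the IDr/IDi they carry against the leftid/rightid of the posted conn client_1. The log lines and the ipsec.conf excerpt are copied from the e-mail; the matching model is a deliberate simplification (exact identity comparison after stripping a leading '@', with %any as a wildcard, and the address as fallback when no id is configured). strongSwan's real peer-config selection considers more than this, so the script only makes the identity difference between the two cases visible, it does not reproduce charon's logic.</p>

```python
"""
Triage helper for charon "[CFG] looking for peer configs matching ..." lines.

Added example, not taken from the original e-mail or from the strongSwan
project. It applies a simplified matching model (assumption: exact identity
comparison, '@' prefix stripped, '%any' as wildcard) to show why the two
log lines quoted in the e-mail are treated differently.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Log lines copied from the e-mail (failed Android case, successful Linux case).
LOG_FAILED = ("Sep 15 18:52:53 as3-iwf118 charon: 08[CFG] looking for peer configs matching "
              "10.46.212.196[10.46.212.196]...10.41.72.35[octopus@qualcomm.com]")
LOG_SUCCESS = ("Sep 16 21:57:14 as3-iwf118 charon: 09[CFG] looking for peer configs matching "
               "10.46.212.196[moon.strongswan.org]...10.41.73.234[octopus@qualcomm.com]")

# The identity-relevant part of moon's ipsec.conf as posted in the e-mail.
IPSEC_CONF = """
conn %default
    keyexchange=ikev2

conn client_1
    left=%defaultroute
    leftid=@moon.strongswan.org
    leftcert=moonCert.pem
    leftauth=pubkey
    rightid=octopus@qualcomm.com
    rightauth=eap-radius
    right=%any
    auto=add
"""

# local_addr[local_id]...remote_addr[remote_id]; the bracketed parts are IDr and IDi.
LOOKUP_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<local_addr>\S+?)\[(?P<local_id>[^\]]*)\]\.\.\."
    r"(?P<remote_addr>\S+?)\[(?P<remote_id>[^\]]*)\]"
)


@dataclass
class PeerLookup:
    local_addr: str
    local_id: str    # IDr: the identity the initiator expects the gateway to have
    remote_addr: str
    remote_id: str   # IDi: the identity the initiator claims for itself


def parse_peer_lookup(line: str) -> Optional[PeerLookup]:
    """Extract addresses and identities from a CFG lookup line, or None if it is not one."""
    m = LOOKUP_RE.search(line)
    return PeerLookup(**m.groupdict()) if m else None


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} with 'conn %default' folded into every conn."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace() and line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}


def _norm(identity: str) -> str:
    # '@' marks an FQDN identity that is not resolved via DNS; drop it for comparison.
    return identity[1:] if identity.startswith("@") else identity


def _id_matches(configured: Optional[str], seen: str, fallback_addr: str) -> bool:
    # Simplified model (assumption): no id configured -> the address stands in for it.
    if configured is None:
        configured = fallback_addr
    if configured == "%any":
        return True
    return _norm(configured) == seen


def explain_mismatch(lookup: PeerLookup, conn: Dict[str, str]) -> List[str]:
    """List the identity checks a conn fails against one lookup line (empty list = match)."""
    problems = []
    if not _id_matches(conn.get("leftid"), lookup.local_id, lookup.local_addr):
        problems.append(f"leftid {conn.get('leftid')!r} != IDr {lookup.local_id!r}")
    if not _id_matches(conn.get("rightid"), lookup.remote_id, lookup.remote_addr):
        problems.append(f"rightid {conn.get('rightid')!r} != IDi {lookup.remote_id!r}")
    return problems


def triage(line: str, conf_text: str = IPSEC_CONF) -> Dict[str, List[str]]:
    """Map every conn in the config to its list of identity mismatches for this lookup line."""
    lookup = parse_peer_lookup(line)
    if lookup is None:
        raise ValueError("not a peer-config lookup line")
    return {name: explain_mismatch(lookup, conn) for name, conn in parse_ipsec_conf(conf_text).items()}


if __name__ == "__main__":
    for label, line in (("failed", LOG_FAILED), ("success", LOG_SUCCESS)):
        for conn, problems in triage(line).items():
            print(f"{label}: conn {conn}: {'match' if not problems else '; '.join(problems)}")
```

<p class="MsoNormal">Run stand-alone, the script reports a match for the Sep 16 line and, for the Sep 15 line, that the configured leftid @moon.strongswan.org does not equal the IDr 10.46.212.196 the Android client asked for. It says nothing about the CERTREQ question, which the script does not model.</p>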
</div>
</body>
</html>