<div dir="ltr">I've gotten past that issue by ensuring I was using the IP when generating the certificates, as in:<div><a href="http://endlessroad1991.blogspot.com/2014/04/setup-ipsec-vpn-on-ec2.html">http://endlessroad1991.blogspot.com/2014/04/setup-ipsec-vpn-on-ec2.html</a><br></div><div><br></div><div>but now the client cannot verify the server with the message "verifying gateway authentication failed"</div><div>and in the client log:</div><div>"no trusted RSA public key found for 'C=CN, O=strongSwan, CN=54.169.64.53'"</div><div><br></div><div>How can I verify the server without installing its public key on every client, or using a PSK (which the Android client doesn't support)?</div><div><br></div><div>thanks,</div><div>imran</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Dec 5, 2014 at 9:04 AM, Imran Akbar <span dir="ltr"><<a href="mailto:skunkwerk@gmail.com" target="_blank">skunkwerk@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">When I change the ipsec.conf from:<div>rightauth=psk</div><div>righauth2=eap-mschapv2</div><div><br></div><div>to:</div><div>rightauth=eap-mschapv2</div><div><br></div><div>the server log now contains:</div><div><div>Dec 5 16:46:34 ip-172-31-26-153 charon: 14[CFG] looking for peer configs matching 172.31.26.153[%any]...172.56.39.247[app]</div><div>Dec 5 16:46:34 ip-172-31-26-153 charon: 14[CFG] selected peer config 'android'</div><div>Dec 5 16:46:34 ip-172-31-26-153 charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)</div><div>Dec 5 16:46:34 ip-172-31-26-153 charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding</div><div>Dec 5 16:46:34 ip-172-31-26-153 charon: 14[IKE] peer supports MOBIKE</div><div>Dec 5 16:46:34 ip-172-31-26-153 charon: 14[CFG] no IDr configured, fall back on IP address</div><div>Dec 5 16:46:34 ip-172-31-26-153 charon: 14[IKE] authentication of 
'172.31.26.153' (myself) with pre-shared key</div><div>Dec 5 16:46:34 ip-172-31-26-153 charon: 14[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]</div><div>Dec 5 16:46:34 ip-172-31-26-153 charon: 14[NET] sending packet: from 172.31.26.153[4500] to 172.56.39.247[63277] (124 bytes)</div><div>Dec 5 16:46:34 ip-172-31-26-153 charon: 15[NET] received packet: from 172.56.39.247[63277] to 172.31.26.153[4500] (76 bytes)</div><div>Dec 5 16:46:34 ip-172-31-26-153 charon: 15[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]</div></div><div><br></div><div>and I get a different error message in the client log:</div><div>no shared key found for 'app'</div><div><br></div><div>As I was never prompted for the PSK in the app, I'm guessing the Android client doesn't support it?</div><div>Therefore, the only way to get this working is for the server to authenticate with a certificate, it seems.</div><div>Which isn't working, as it's not parsing my private key properly.</div><div><br></div><div>thanks,</div><div>imran</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Dec 5, 2014 at 8:41 AM, Imran Akbar <span dir="ltr"><<a href="mailto:skunkwerk@gmail.com" target="_blank">skunkwerk@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hey Thomas,<div><br></div><div>Here's my latest attempt to get a setup working without requiring client certificates.</div><div><br></div><div>Client is Strongswan Android, server is running Strongswan 5.2.2 on a fresh Ubuntu 14 server on EC2 with UDP ports 500 and 4500 opened.</div><div>Client is connecting via IKEv2 username/password.</div><div><br></div><div>Is PSK the same as the "EAP username/password" option in the Strongswan android client? 
I have a feeling it's not, i.e. this config will not work for EAP-MSCHAPv2: <a href="http://www.strongswan.org/uml/testresults/ikev2/rw-psk-ipv4/" target="_blank">http://www.strongswan.org/uml/testresults/ikev2/rw-psk-ipv4/</a></div><div><br></div><div>But there's no documentation on a version of this one without the gateway authenticating via an RSA key:</div><div><a href="http://www.strongswan.org/uml/testresults/ikev2/rw-eap-mschapv2-id-rsa/" target="_blank">http://www.strongswan.org/uml/testresults/ikev2/rw-eap-mschapv2-id-rsa/</a><br></div><div><br></div><div>I've tried with the gateway authenticating itself using a certificate, and with PSK - both have the same error:</div><div><b>"peer requested EAP, config inacceptable"</b></div><div><br></div><div>In addition, the gateway seems unable to parse my private server key:</div><div><div><b>building CRED_PRIVATE_KEY - RSA failed</b>, tried 5 builders</div><div>Dec 5 16:15:13 ip-172-31-26-153 charon: 00[CFG] loading private key from '/etc/ipsec.d/private/serverKey.pem' failed</div></div><div>even though I see openssl, pkcs1, and pem in my plugins - though I'm not sure which ones weren't loaded, as it doesn't say in the log.</div><div><br></div><div>attempt 1 - with gateway using public key:</div><div>ipsec.conf: <a href="https://pastee.org/z8234" target="_blank">https://pastee.org/z8234</a></div><div>ipsec.secrets: <a href="https://pastee.org/mva6t" target="_blank">https://pastee.org/mva6t</a></div><div>server log: <a href="https://pastee.org/t2ahc" target="_blank">https://pastee.org/t2ahc</a></div><div><br></div><div>attempt 2 - with gateway using PSK:</div><div><div>ipsec.conf: <a href="https://pastee.org/f4fbp" target="_blank">https://pastee.org/f4fbp</a></div><div>ipsec.secrets: <a href="https://pastee.org/mva6t" target="_blank">https://pastee.org/mva6t</a></div><div>server log: <a href="https://pastee.org/6yd8q" target="_blank">https://pastee.org/6yd8q</a></div></div><div><br></div><div>Can someone please 
help?</div><div><br></div><div>thanks,</div><div>imran</div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Dec 4, 2014 at 3:21 AM, Thomas <span dir="ltr"><<a href="mailto:jk@c.vu" target="_blank">jk@c.vu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
ok, so I have to change my EAP-MSCHAPv2 configuration.<br>
I've tested a lot, but haven't found any ipsec configuration where the<br>
client doesn't need the certificate installed locally.<br>
<br>
Do you have any ideas based on my posted ipsec.conf ?<br>
<br>
Best regards<br>
Thomas<br>
<br>
On 04.12.2014 10:40, Martin Willi wrote:<br>
<div><div>> Hi,<br>
><br>
>> Any idea what's the best authentication method for username/password only<br>
>> on client-side? EAP-MD5?<br>
>> The client should be able to connect via windows ikev2 native clients,<br>
>> the strongswan android-app,<br>
> If you want to use the native Windows IKEv2 Agile VPN client, there is<br>
> no way around EAP-MSCHAPv2 for username/password authentication. You<br>
> could wrap that in PEAP/TTLS, but that most likely makes no sense for<br>
> your setup. The Android App supports EAP-MSCHAPv2 as well. Refer to [1]<br>
> for configuration details.<br>
><br>
>> and the native clients from osx/ios.<br>
> OS X does not natively support IKEv2. You'd have to stick to IKEv1 with<br>
> XAuth, so you need a separate configuration profile. Please note that<br>
> there are rekeying issues with that client, which usually breaks the<br>
> tunnel after ~45 minutes if you rely on username/passwords. Refer to [2]<br>
> for configuration details.<br>
><br>
> iOS supports IKEv2 since version 8, older versions support IKEv1 only.<br>
> Refer to [3] for details about deploying configuration profiles.<br>
><br>
> Regards<br>
> Martin<br>
><br>
> [1]<a href="https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#C-Authentication-using-EAP-MSCHAP-v2" target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#C-Authentication-using-EAP-MSCHAP-v2</a><br>
> [2]<a href="https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)" target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)</a><br>
> [3]<a href="https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile" target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile</a><br>
><br>
><br>
<br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a><br>
<a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
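Editor's added example, not part of the thread above and not strongSwan project code. The client-side error "no trusted RSA public key found for 'C=CN, O=strongSwan, CN=54.169.64.53'" is the client saying it has no CA that vouches for the gateway certificate, and the cure for "without installing its public key on every client" is the one the rw-eap-mschapv2-id-rsa test uses: issue the gateway certificate from a CA, and give clients only the CA certificate (one file, the same for every client, never the gateway's private key). A certificate from a CA that is already in the client's trust store removes even that import. The script builds such a CA and gateway certificate with openssl and then repeats the checks an IKEv2 client performs; the CA name, the 10-year/5-year lifetimes and the use of openssl rather than strongSwan's own `ipsec pki` tool are this example's assumptions, and the only value taken from the thread is the gateway's public address 54.169.64.53.

```shell
#!/bin/sh
# Added example (not from the thread): build a private CA plus a gateway
# certificate whose subjectAltName carries the public IP the client dials,
# then check the chain the way an IKEv2 client does. Requires openssl.
set -eu

WORK="${WORK:-$(mktemp -d)}"       # scratch directory for keys and certificates
GW_IP="${GW_IP:-54.169.64.53}"     # gateway's public address (from the thread)

# A self-contained openssl config so the example does not depend on the
# system openssl.cnf; the DN section is overridden by -subj below.
write_cnf() {
    cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_gw ]
subjectAltName = IP:$GW_IP
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
EOF
}

# The CA certificate is the single file every client imports; any gateway
# certificate it signs is then trusted without further per-client setup.
make_ca() {
    write_cnf
    openssl req -config "$WORK/openssl.cnf" -x509 -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -subj "/C=CN/O=strongSwan/CN=strongSwan Root CA" \
        -keyout "$WORK/caKey.pem" -out "$WORK/caCert.pem" >/dev/null 2>&1
}

# Gateway certificate. The CN alone is not enough: the client matches the
# address it connected to against subjectAltName, and the Windows client
# wants serverAuth in the EKU (1.3.6.1.5.5.8.2.2 is the IKE intermediate EKU).
make_gw_cert() {
    openssl req -config "$WORK/openssl.cnf" -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=CN/O=strongSwan/CN=$GW_IP" \
        -keyout "$WORK/serverKey.pem" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -days 1825 -sha256 \
        -CA "$WORK/caCert.pem" -CAkey "$WORK/caKey.pem" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions v3_gw \
        -out "$WORK/serverCert.pem" >/dev/null 2>&1
}

# Reproduce the client-side checks behind "no trusted RSA public key found":
# the certificate must chain to a CA the client holds, and its SAN must
# contain the address that was dialled. Returns 0 on success, 1 otherwise.
verify_gw_cert() {
    openssl verify -CAfile "$WORK/caCert.pem" "$WORK/serverCert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/serverCert.pem" -noout -text 2>/dev/null \
        | grep -q "IP Address:$GW_IP" || return 1
    # The key charon loads via ': RSA serverKey.pem' must parse as a plain,
    # unencrypted private key (compare "building CRED_PRIVATE_KEY - RSA failed").
    openssl pkey -in "$WORK/serverKey.pem" -noout 2>/dev/null || return 1
}
```

On the gateway, serverCert.pem goes to /etc/ipsec.d/certs, serverKey.pem to /etc/ipsec.d/private with `: RSA serverKey.pem` in ipsec.secrets alongside the EAP users (`user : EAP "password"`), and caCert.pem to /etc/ipsec.d/cacerts. The connection then uses `leftauth=pubkey`, `leftcert=serverCert.pem`, `leftsendcert=always`, `rightauth=eap-mschapv2`, `rightsendcert=never` and `eap_identity=%identity`, as in the rw-eap-mschapv2-id-rsa test linked in the thread. Because an EC2 instance only sees its private address (172.31.26.153 in the logs), set `leftid=54.169.64.53` explicitly; otherwise charon falls back to the IP it is bound to ("no IDr configured, fall back on IP address"), which the client will not find in the certificate. Clients import caCert.pem once (the strongSwan Android app takes it as a user CA certificate) and never need the gateway's key.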