<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Try the following for "remote":</p>
<p><i><font face="Courier New, Courier, monospace">
remote {<br>
auth = eap-tls<br>
eap_id = %any<br>
}</font></i></p>
<p>--Jafar</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 4/24/21 10:33 PM, pLAN9
Administrator wrote:<br>
</div>
<blockquote type="cite"
cite="mid:485175ff-9dd0-6cb5-f62e-3ef96c64cb17@pLAN9.co">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<p>I am trying to set up Strongswan to act as a remote access
server for an iPhone using IKEv2 certificate auth. It is a major
headache!<br>
</p>
<p>I have made sure to set the SAN in both the server and phone
certificate. Here is the the server SAN:</p>
<p><i><font face="Courier New, Courier, monospace"> X509v3
extensions:<br>
X509v3 Subject Alternative Name: <br>
DNS:echo.pLAN9.co<br>
X509v3 Extended Key Usage: <br>
TLS Web Server Authentication, TLS Web
Client Authentication</font></i><br>
<br>
</p>
<p>Here is the phone SAN:</p>
<p><i><font face="Courier New, Courier, monospace"> X509v3
extensions:<br>
X509v3 Subject Alternative Name: <br>
DNS:pLAN9-iPhone.pLAN9.co<br>
X509v3 Extended Key Usage: <br>
TLS Web Server Authentication, TLS Web
Client Authentication</font></i><br>
</p>
<p>Here is /etc/swanctl/swanctl.conf</p>
<p><i><font face="Courier New, Courier, monospace">connections {<br>
RA {<br>
local_addrs = %any<br>
local {<br>
auth = pubkey<br>
certs = ECHO.crt<br>
id = @echo.pLAN9.co<br>
}<br>
remote {<br>
auth = pubkey<br>
id = %any<br>
}<br>
children {<br>
net {<br>
local_ts = 0.0.0.0/0<br>
esp_proposals = aes256-sha256<br>
}<br>
}<br>
version = 2<br>
proposals = aes256-sha256-modp2048<br>
send_certreq = no<br>
pools = pool<br>
}<br>
}<br>
pools {<br>
pool {<br>
addrs = 172.16.16.64/29<br>
dns = 172.16.16.1<br>
}<br>
}</font></i><br>
</p>
<p><br>
</p>
<p>Here is the output of a connection:</p>
<p><br>
</p>
<p><font face="Courier New, Courier, monospace"><i>01[NET]
received packet: from IPHONE_IP[9975] to STRONGSWAN_IP[500]
(604 bytes)</i><i><br>
</i><i>01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]</i><i><br>
</i><i>01[IKE] IPHONE_IP is initiating an IKE_SA</i><i><br>
</i><i>01[CFG] selected proposal:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048</i><i><br>
</i><i>01[IKE] remote host is behind NAT</i><i><br>
</i><i>01[ENC] generating IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP)
N(MULT_AUTH) ]</i><i><br>
</i><i>01[NET] sending packet: from STRONGSWAN_IP[500] to
IPHONE_IP[9975] (456 bytes)</i><i><br>
</i><i>10[NET] received packet: from IPHONE_IP[9959] to
STRONGSWAN_IP[4500] (532 bytes)</i><i><br>
</i><i>10[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]</i><i><br>
</i><i>13[NET] received packet: from IPHONE_IP[9959] to
STRONGSWAN_IP[4500] (532 bytes)</i><i><br>
</i><i>10[ENC] received fragment #1 of 4, waiting for complete
IKE message</i><i><br>
</i><i>13[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]</i><i><br>
</i><i>13[ENC] received fragment #2 of 4, waiting for complete
IKE message</i><i><br>
</i><i>14[NET] received packet: from IPHONE_IP[9959] to
STRONGSWAN_IP[4500] (532 bytes)</i><i><br>
</i><i>14[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]</i><i><br>
</i><i>01[NET] received packet: from IPHONE_IP[9959] to
STRONGSWAN_IP[4500] (180 bytes)</i><i><br>
</i><i>14[ENC] received fragment #3 of 4, waiting for complete
IKE message</i><i><br>
</i><i>01[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]</i><i><br>
</i><i>01[ENC] received fragment #4 of 4, reassembled
fragmented IKE message (1552 bytes)</i><i><br>
</i><i>01[ENC] unknown attribute type INTERNAL_DNS_DOMAIN</i><i><br>
</i><i>01[ENC] parsed IKE_AUTH request 1 [ IDi CERT
N(INIT_CONTACT) IDr AUTH CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6
DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr
N(MOBIKE_SUP) ]</i><i><br>
</i><i>01[IKE] received end entity cert "CN=pLAN9-iPhone"</i><i><br>
</i><i>01[CFG] looking for peer configs matching
STRONGSWAN_IP[echo.plan9.co]...IPHONE_IP[pLAn9-iPhone.pLAN9.co]</i><i><br>
</i><i>01[CFG] selected peer config 'RA'</i><i><br>
</i><i>01[CFG] using certificate "CN=pLAN9-iPhone"</i><i><br>
</i><i>01[CFG] using trusted ca certificate "CN=pLAN9 CA
2019-2021"</i><i><br>
</i><i>01[CFG] checking certificate status of
"CN=pLAN9-iPhone"</i><i><br>
</i><i>01[CFG] certificate status is not available</i><i><br>
</i><i>01[CFG] reached self-signed root ca with a path
length of 0</i><i><br>
</i><i>01[IKE] authentication of 'pLAn9-iPhone.pLAN9.co' with
RSA signature successful</i><i><br>
</i><i>01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not
using ESPv3 TFC padding</i><i><br>
</i><i>01[IKE] peer supports MOBIKE</i><i><br>
</i><i>01[IKE] authentication of 'echo.plan9.co' (myself) with
RSA signature successful</i><i><br>
</i><i>01[IKE] IKE_SA RA[2] established between
STRONGSWAN_IP[echo.plan9.co]...IPHONE_IP[pLAn9-iPhone.pLAN9.co]</i><i><br>
</i><i>01[IKE] scheduling rekeying in 13941s</i><i><br>
</i><i>01[IKE] maximum IKE_SA lifetime 15381s</i><i><br>
</i><i>01[IKE] peer requested virtual IP %any</i><i><br>
</i><i>01[CFG] assigning new lease to 'pLAn9-iPhone.pLAN9.co'</i><i><br>
</i><i>01[IKE] assigning virtual IP 172.16.16.65 to peer
'pLAn9-iPhone.pLAN9.co'</i><i><br>
</i><i>01[IKE] peer requested virtual IP %any6</i><i><br>
</i><i>01[IKE] no virtual IP found for %any6 requested by
'pLAn9-iPhone.pLAN9.co'</i><i><br>
</i><i>01[CFG] selected proposal:
ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ</i><i><br>
</i><i>01[IKE] CHILD_SA net{4} established with SPIs
cc4e7aea_i 0358690a_o and TS 0.0.0.0/0 === 172.16.16.65/32</i><i><br>
</i><i>01[ENC] generating IKE_AUTH response 1 [ IDr AUTH
CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR)
N(ADD_6_ADDR) N(ADD_6_ADDR) ]</i><i><br>
</i><i>01[NET] sending packet: from STRONGSWAN_IP[4500] to
IPHONE_IP[9959] (544 bytes)</i></font></p>
<p><font face="Courier New, Courier, monospace"><i><br>
</i></font></p>
<p>Strongswan looks like it is connecting fine, but the phone
reports the error "User Authentication Failed" and doesn't
connect. The phone is using the same certificate to connect to a
number of other routers (not Strongswan based) that all have
certificates signed by the same CA, and those are all working
fine.</p>
<p><br>
</p>
<p>What am I doing wrong here?<br>
</p>
</blockquote>
</body>
</html>