[strongSwan] strongSwan 5.0.1 CentOS server - Mac OS X client certificate issue

Martin Lambev fsh3mve at gmail.com
Sat Oct 27 13:11:48 CEST 2012


Hello StrongSwan guys,

I'm trying to build a strongSwan 5.0.1 VPN server, compiled from source on CentOS 6.3, based on certificate+XAuth, as my goal is to connect various Apple devices and different Mac OS X versions.
I followed this guide very closely: http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29. I'm jumping directly to the results so far:
Test topology:
Server's IP 192.168.17.118 (certificates are generated with CN: 192.168.17.118 and altsubj: 192.168.17.118)
For all devices I used the same certificates for testing, and made the root certificate trusted on Lion and Mountain Lion. In all configurations below I used the built-in VPN client (Cisco IPSec) with a client certificate and XAuth username and password.
I tested it with an iPhone 3G, iOS 4.2.1 - it connects fine.
Snow Leopard, IP 192.168.17.137 in the log - connects just fine.
Lion v10.7.4 - can't connect; I guess it does not connect for the same reason as Mountain Lion.
Mountain Lion v10.8.2, IP 192.168.17.250 in the log - can't connect.

Here is my ipsec.conf:
config setup
        charondebug="dmn 1, mgr 1, ike 1, chd 1, job 1, cfg 1, knl 1, net 1, asn 1, enc 1, lib 1, esp 1, tls 1"

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

conn xarsa
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=serverCert.pem
        right=%any
        rightsubnet=10.0.0.0/24
        rightsourceip=10.0.0.2
        rightcert=clientCert.pem
        auto=add

ipsec.secrets:
#include /etc/ipsec.d/*.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA serverKey.pem
mve : XAUTH "12345"

/var/log/messages:
Oct 27 03:29:54 ir1 charon: 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Oct 27 03:29:54 ir1 charon: 00[JOB] spawning 16 worker threads
Oct 27 03:29:54 ir1 charon: 11[CFG] received stroke: add connection 'xarsa'
Oct 27 03:29:54 ir1 charon: 11[CFG] left nor right host is our side, assuming left=local
Oct 27 03:29:54 ir1 charon: 11[CFG] adding virtual IP address pool 10.0.0.2
Oct 27 03:29:54 ir1 charon: 11[CFG]   loaded certificate "C=BG, O=MYVPN, CN=192.168.17.118" from 'serverCert.pem'
Oct 27 03:29:54 ir1 charon: 11[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=BG, O=MYVPN, CN=192.168.17.118'
Oct 27 03:29:54 ir1 charon: 11[CFG]   loaded certificate "C=BG, O=MYVPN, CN=ML" from 'clientCert.pem'
Oct 27 03:29:54 ir1 charon: 11[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=BG, O=MYVPN, CN=ML'
Oct 27 03:29:54 ir1 charon: 11[CFG] added configuration 'xarsa'
Oct 27 03:31:00 ir1 charon: 12[NET] received packet: from 192.168.17.137[500] to 192.168.17.118[500]
Oct 27 03:31:00 ir1 charon: 12[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V ]
Oct 27 03:31:00 ir1 charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received XAuth vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received Cisco Unity vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received DPD vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] 192.168.17.137 is initiating a Main Mode IKE_SA
Oct 27 03:31:00 ir1 charon: 12[ENC] generating ID_PROT response 0 [ SA V V V ]
Oct 27 03:31:00 ir1 charon: 12[NET] sending packet: from 192.168.17.118[500] to 192.168.17.137[500]
Oct 27 03:31:00 ir1 charon: 13[NET] received packet: from 192.168.17.137[500] to 192.168.17.118[500]
Oct 27 03:31:00 ir1 charon: 13[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Oct 27 03:31:00 ir1 charon: 13[IKE] sending cert request for "C=BG, O=MYVPN, CN=MYVPN CA"
Oct 27 03:31:00 ir1 charon: 13[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Oct 27 03:31:00 ir1 charon: 13[NET] sending packet: from 192.168.17.118[500] to 192.168.17.137[500]
Oct 27 03:31:00 ir1 charon: 14[NET] received packet: from 192.168.17.137[500] to 192.168.17.118[500]
Oct 27 03:31:00 ir1 charon: 14[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Oct 27 03:31:00 ir1 charon: 14[IKE] ignoring certificate request without data
Oct 27 03:31:00 ir1 charon: 14[IKE] received end entity cert "C=BG, O=MYVPN, CN=ML"
Oct 27 03:31:00 ir1 charon: 14[CFG] looking for XAuthInitRSA peer configs matching 192.168.17.118...192.168.17.137[C=BG, O=MYVPN, CN=ML]
Oct 27 03:31:00 ir1 charon: 14[CFG] selected peer config "xarsa"
Oct 27 03:31:00 ir1 charon: 14[CFG]   using trusted ca certificate "C=BG, O=MYVPN, CN=MYVPN CA"
Oct 27 03:31:00 ir1 charon: 14[CFG] checking certificate status of "C=BG, O=MYVPN, CN=ML"
Oct 27 03:31:00 ir1 charon: 14[CFG] certificate status is not available
Oct 27 03:31:00 ir1 charon: 14[CFG]   reached self-signed root ca with a path length of 0
Oct 27 03:31:00 ir1 charon: 14[CFG]   using trusted certificate "C=BG, O=MYVPN, CN=ML"
Oct 27 03:31:00 ir1 charon: 14[IKE] authentication of 'C=BG, O=MYVPN, CN=ML' with RSA successful
Oct 27 03:31:00 ir1 charon: 14[IKE] authentication of 'C=BG, O=MYVPN, CN=192.168.17.118' (myself) successful
Oct 27 03:31:00 ir1 charon: 14[IKE] sending end entity cert "C=BG, O=MYVPN, CN=192.168.17.118"
Oct 27 03:31:00 ir1 charon: 14[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Oct 27 03:31:00 ir1 charon: 14[NET] sending packet: from 192.168.17.118[500] to 192.168.17.137[500]
Oct 27 03:31:00 ir1 charon: 14[ENC] generating TRANSACTION request 1934430434 [ HASH CP ]
Oct 27 03:31:00 ir1 charon: 14[NET] sending packet: from 192.168.17.118[500] to 192.168.17.137[500]
Oct 27 03:31:04 ir1 charon: 15[NET] received packet: from 192.168.17.137[500] to 192.168.17.118[500]
Oct 27 03:31:04 ir1 charon: 15[ENC] parsed TRANSACTION response 1934430434 [ HASH CP ]
Oct 27 03:31:04 ir1 charon: 15[IKE] XAuth authentication of 'mve' successful
Oct 27 03:31:04 ir1 charon: 15[ENC] generating TRANSACTION request 3053698936 [ HASH CP ]
Oct 27 03:31:04 ir1 charon: 15[NET] sending packet: from 192.168.17.118[500] to 192.168.17.137[500]
Oct 27 03:31:04 ir1 charon: 16[NET] received packet: from 192.168.17.137[500] to 192.168.17.118[500]
Oct 27 03:31:04 ir1 charon: 16[ENC] parsed TRANSACTION response 3053698936 [ HASH CP ]
Oct 27 03:31:04 ir1 charon: 16[IKE] IKE_SA xarsa[1] established between 192.168.17.118[C=BG, O=MYVPN, CN=192.168.17.118]...192.168.17.137[C=BG, O=MYVPN, CN=ML]
Oct 27 03:31:04 ir1 charon: 16[IKE] scheduling reauthentication in 3258s
Oct 27 03:31:04 ir1 charon: 16[IKE] maximum IKE_SA lifetime 3438s
Oct 27 03:31:04 ir1 charon: 01[NET] received packet: from 192.168.17.137[500] to 192.168.17.118[500]
Oct 27 03:31:04 ir1 charon: 01[ENC] unknown attribute type (28683)
Oct 27 03:31:04 ir1 charon: 01[ENC] parsed TRANSACTION request 2515032727 [ HASH CP ]
Oct 27 03:31:04 ir1 charon: 01[IKE] peer requested virtual IP %any
Oct 27 03:31:04 ir1 charon: 01[CFG] assigning new lease to 'mve'
Oct 27 03:31:04 ir1 charon: 01[IKE] assigning virtual IP 10.0.0.2 to peer 'mve'
Oct 27 03:31:04 ir1 charon: 01[ENC] generating TRANSACTION response 2515032727 [ HASH CP ]
Oct 27 03:31:04 ir1 charon: 01[NET] sending packet: from 192.168.17.118[500] to 192.168.17.137[500]
Oct 27 03:31:04 ir1 charon: 03[NET] received packet: from 192.168.17.137[500] to 192.168.17.118[500]
Oct 27 03:31:04 ir1 charon: 03[ENC] parsed QUICK_MODE request 3999596799 [ HASH SA No ID ID ]
Oct 27 03:31:04 ir1 charon: 03[IKE] received 3600s lifetime, configured 1200s
Oct 27 03:31:04 ir1 charon: 03[ENC] generating QUICK_MODE response 3999596799 [ HASH SA No ID ID ]
Oct 27 03:31:04 ir1 charon: 03[NET] sending packet: from 192.168.17.118[500] to 192.168.17.137[500]
Oct 27 03:31:04 ir1 charon: 11[NET] received packet: from 192.168.17.137[500] to 192.168.17.118[500]
Oct 27 03:31:04 ir1 charon: 11[ENC] parsed QUICK_MODE request 3999596799 [ HASH ]
Oct 27 03:31:04 ir1 kernel: alg: No test for __aes-aesni (__driver-aes-aesni)
Oct 27 03:31:04 ir1 kernel: alg: No test for __ecb-aes-aesni (__driver-ecb-aes-aesni)
Oct 27 03:31:04 ir1 kernel: alg: No test for __cbc-aes-aesni (__driver-cbc-aes-aesni)
Oct 27 03:31:04 ir1 kernel: alg: No test for __ecb-aes-aesni (cryptd(__driver-ecb-aes-aesni))
Oct 27 03:31:04 ir1 kernel: padlock: VIA PadLock not detected.
Oct 27 03:31:04 ir1 charon: 11[IKE] CHILD_SA xarsa{1} established with SPIs ce0a9192_i 09fb746f_o and TS 0.0.0.0/0 === 10.0.0.2/32 
Oct 27 03:31:04 ir1 kernel: alg: No test for __cbc-aes-aesni (cryptd(__driver-cbc-aes-aesni))
Oct 27 03:31:04 ir1 kernel: alg: No test for authenc(hmac(sha1),cbc(aes)) (authenc(hmac(sha1-generic),cbc-aes-aesni))
Oct 27 03:31:04 ir1 vpn: + C=BG, O=MYVPN, CN=ML 10.0.0.2/32 == 192.168.17.137 -- 192.168.17.118 == %any/0
Oct 27 03:31:44 ir1 charon: 16[NET] received packet: from 192.168.17.137[500] to 192.168.17.118[500]
Oct 27 03:31:44 ir1 charon: 16[ENC] parsed INFORMATIONAL_V1 request 2484179066 [ HASH D ]
Oct 27 03:31:44 ir1 charon: 16[IKE] received DELETE for ESP CHILD_SA with SPI 09fb746f
Oct 27 03:31:44 ir1 charon: 16[IKE] closing CHILD_SA xarsa{1} with SPIs ce0a9192_i (0 bytes) 09fb746f_o (0 bytes) and TS 0.0.0.0/0 === 10.0.0.2/32 
Oct 27 03:31:44 ir1 vpn: - C=BG, O=MYVPN, CN=ML 10.0.0.2/32 == 192.168.17.137 -- 192.168.17.118 == %any/0
Oct 27 03:31:44 ir1 charon: 02[NET] received packet: from 192.168.17.137[500] to 192.168.17.118[500]
Oct 27 03:31:44 ir1 charon: 02[ENC] parsed INFORMATIONAL_V1 request 2470569940 [ HASH D ]
Oct 27 03:31:44 ir1 charon: 02[IKE] received DELETE for IKE_SA xarsa[1]
Oct 27 03:31:44 ir1 charon: 02[IKE] deleting IKE_SA xarsa[1] between 192.168.17.118[C=BG, O=MYVPN, CN=192.168.17.118]...192.168.17.137[C=BG, O=MYVPN, CN=ML]
Oct 27 03:31:44 ir1 charon: 02[CFG] lease 10.0.0.2 by 'mve' went offline
Oct 27 03:31:58 ir1 charon: 01[NET] received packet: from 192.168.17.250[500] to 192.168.17.118[500]
Oct 27 03:31:58 ir1 charon: 01[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Oct 27 03:31:58 ir1 charon: 01[IKE] received NAT-T (RFC 3947) vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] received XAuth vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] received Cisco Unity vendor ID
Oct 27 03:31:58 ir1 charon: 01[ENC] received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
Oct 27 03:31:58 ir1 charon: 01[IKE] received DPD vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] 192.168.17.250 is initiating a Main Mode IKE_SA
Oct 27 03:31:58 ir1 charon: 01[ENC] generating ID_PROT response 0 [ SA V V V ]
Oct 27 03:31:58 ir1 charon: 01[NET] sending packet: from 192.168.17.118[500] to 192.168.17.250[500]
Oct 27 03:31:58 ir1 charon: 03[NET] received packet: from 192.168.17.250[500] to 192.168.17.118[500]
Oct 27 03:31:58 ir1 charon: 03[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Oct 27 03:31:58 ir1 charon: 03[IKE] sending cert request for "C=BG, O=MYVPN, CN=MYVPN CA"
Oct 27 03:31:58 ir1 charon: 03[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Oct 27 03:31:58 ir1 charon: 03[NET] sending packet: from 192.168.17.118[500] to 192.168.17.250[500]
Oct 27 03:31:58 ir1 charon: 11[NET] received packet: from 192.168.17.250[500] to 192.168.17.118[500]
Oct 27 03:31:58 ir1 charon: 11[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Oct 27 03:31:58 ir1 charon: 11[IKE] ignoring certificate request without data
Oct 27 03:31:58 ir1 charon: 11[IKE] received end entity cert "C=BG, O=MYVPN, CN=ML"
Oct 27 03:31:58 ir1 charon: 11[CFG] looking for XAuthInitRSA peer configs matching 192.168.17.118...192.168.17.250[ML]
Oct 27 03:31:58 ir1 charon: 11[IKE] no peer config found
Oct 27 03:31:58 ir1 charon: 11[ENC] generating INFORMATIONAL_V1 request 3832895531 [ HASH N(AUTH_FAILED) ]
Oct 27 03:31:58 ir1 charon: 11[NET] sending packet: from 192.168.17.118[500] to 192.168.17.250[500]

I searched the mailing list and found that strongSwan 5.x is supposed to work with Lion and ML. I do know that my config is not matching Lion and ML clients? On other forums I found some suggestions; I also tried to make the certificate a smaller size according to some info in Apple forums, but that did not help either.

What I can see from the log is that Snow Leopard sends this:
14[CFG] looking for XAuthInitRSA peer configs matching 192.168.17.118...192.168.17.137[C=BG, O=MYVPN, CN=ML]
14[CFG] selected peer config "xarsa" ...
But the breaking point is that Mountain Lion does not send that same message:
11[CFG] looking for XAuthInitRSA peer configs matching 192.168.17.118...192.168.17.250[ML]
11[IKE] no peer config found

According to Apple documentation, matching needs to be done based on the client certificate name / group name? But I guess this is only for the new Mac OS X versions Lion and ML and iOS 6, because in Snow Leopard this is working fine...
"When using certificate-based authentication, make sure the server is set up to identify the user’s group based on fields in the client certificate."

I'm asking if someone can give me a hint: is it possible to match users that use Lion and ML in my ipsec.conf based on the client certificate Common Name [ML]?
I know this is not a mature question, but how can I assign multiple private IP addresses dynamically from one range, let's say 10.0.0.0/24, to each client that connects? I can see the guide in the wiki is only for a single client; when I connect a second user the first one is disconnected...

Kind regards,

Martin
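As an added diagnostic, not part of Martin's post or of strongSwan itself, the script below correlates the three charon log lines that matter here (the received end entity cert, the peer config lookup with the peer's IKE identity, and its outcome) per worker thread, and reports how the identity the client sent relates to its certificate subject. The sample log lines are constructed by condensing the two Main Mode exchanges quoted above.

```python
import re

# Constructed sample, condensed from the two exchanges in the post:
# Snow Leopard (192.168.17.137) succeeds, Mountain Lion (192.168.17.250) fails.
SAMPLE_LOG = """\
Oct 27 03:31:00 ir1 charon: 14[IKE] received end entity cert "C=BG, O=MYVPN, CN=ML"
Oct 27 03:31:00 ir1 charon: 14[CFG] looking for XAuthInitRSA peer configs matching 192.168.17.118...192.168.17.137[C=BG, O=MYVPN, CN=ML]
Oct 27 03:31:00 ir1 charon: 14[CFG] selected peer config "xarsa"
Oct 27 03:31:58 ir1 charon: 11[IKE] received end entity cert "C=BG, O=MYVPN, CN=ML"
Oct 27 03:31:58 ir1 charon: 11[CFG] looking for XAuthInitRSA peer configs matching 192.168.17.118...192.168.17.250[ML]
Oct 27 03:31:58 ir1 charon: 11[IKE] no peer config found
"""

# charon prefixes each line with "<thread>[<group>]"; the thread number ties the
# cert, the peer-config lookup and the outcome of one exchange together.
CERT_RE = re.compile(r' (\d+)\[IKE\] received end entity cert "([^"]+)"')
LOOKUP_RE = re.compile(r' (\d+)\[CFG\] looking for \S+ peer configs matching '
                       r'\S+?\.\.\.(\d+\.\d+\.\d+\.\d+)\[([^\]]*)\]')
OUTCOME_RE = re.compile(r' (\d+)\[(?:CFG|IKE)\] (selected peer config|no peer config found)')

def classify_id(cert_dn, peer_id):
    """Explain how the peer's IKE identity relates to its certificate subject."""
    if peer_id == cert_dn:
        return "id is full subject DN"
    cn = re.search(r'CN=([^,]+)', cert_dn)
    if cn and peer_id == cn.group(1).strip():
        return "id is bare CN, not the full subject DN"
    return "id unrelated to certificate subject"

def analyse(log):
    """Return one record per completed exchange: peer, cert_dn, peer_id, outcome, diagnosis."""
    pending, results = {}, []
    for line in log.splitlines():
        if m := CERT_RE.search(line):
            pending[m.group(1)] = {"cert_dn": m.group(2)}
        elif m := LOOKUP_RE.search(line):
            ctx = pending.setdefault(m.group(1), {})
            ctx["peer"], ctx["peer_id"] = m.group(2), m.group(3)
        elif m := OUTCOME_RE.search(line):
            ctx = pending.pop(m.group(1), None)
            if ctx and "cert_dn" in ctx and "peer_id" in ctx:
                ctx["outcome"] = m.group(2)
                ctx["diagnosis"] = classify_id(ctx["cert_dn"], ctx["peer_id"])
                results.append(ctx)
    return results

if __name__ == "__main__":
    for r in analyse(SAMPLE_LOG):
        print(f'{r["peer"]}: {r["outcome"]} ({r["diagnosis"]})')
```

Run against a real /var/log/messages the same way; a record whose diagnosis is not "id is full subject DN" is a client whose identity will not match a connection whose rightid was derived from rightcert.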

