[strongSwan] iOS (iPad) connections without xauth

Fiederling, Daniel daniel.fiederling at warema.de
Tue Feb 26 23:38:12 CET 2013


Hi,

I'm currently working on a prototype VPN setup which aims to connect a large number of iPads to our company network. My goal is to connect the iPads via the built-in Cisco-compatible IPsec client with authby=rsasig, without xauth.
The main reason for not using xauth is that the devices are centrally managed by an MDM system which allows us to configure the VPN profile and certificates. We don't want our users to enter a password upon every connect, and as far as I know Apple doesn't allow preconfiguring user/pass for xauth. Using PSK isn't a solution for us due to the large number of devices.

When I activate xauth as described in the following wiki article, http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple), the connection works. But if I change authby to rsasig, it seems as if the client still tries to enforce xauth:

12[NET] received packet: from a.b.c.d[4500] to e.f.g.h[4500] (2092 bytes)
12[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
12[IKE] ignoring certificate request without data
12[IKE] received end entity cert "***del*** E=daniel.fiederling at warema.de"
12[CFG] looking for XAuthInitRSA peer configs matching e.f.g.h...a.b.c.d[***del*** E=daniel.fiederling at warema.de]
12[IKE] no peer config found
12[ENC] generating INFORMATIONAL_V1 request 2873723852 [ HASH N(AUTH_FAILED) ]
12[NET] sending packet: from e.f.g.h[4500] to a.b.c.d[4500] (92 bytes)

What do I have to do to force both sides to use rsasig only?
Do I have to set up something in ipsec.secrets apart from the ': RSA server key' line?

System configuration:
CentOS 6.3
strongSwan 5.0.2 with the unity plugin enabled (cisco_unity = yes) for split tunneling
(./configure --prefix=/usr --sysconfdir=/etc --enable-curl --enable-ldap --enable-sqlite --enable-sql --enable-eap-radius --enable-xauth-eap --enable-attr-sql --enable-dhcp --enable-openssl --enable-unity --enable-ha --enable-lookip)

ipsec.conf:

config setup

conn ipads
        keyexchange=ikev1
        authby=rsasig
        left=e.f.g.h
        leftsubnet="10.16.0.0/12, 10.116.0.0/16"
        leftcert=server.pem
        leftca="DC=org, DC=example, CN=myca"
        right=%any
        rightsubnet=10.21.248.0/22
        rightdns="10.17.0.1, 10.17.0.2"
        rightsourceip=10.21.248.0/22
        rightca="DC=org, DC=example, CN=myca"
        auto=add


I have a second issue which is not clear to me. Using authby=xauthrsasig, charon tries to fetch the CRL from our AD-integrated CA and fails:

01[CFG] checking certificate status of "***del*** E=daniel.fiederling at warema.de"
01[CFG]   fetching crl from 'http://cert.example.org/CertEnroll/myca.crl' ...
01[CFG]   using trusted certificate "DC=org, DC=example, CN=myca"
01[CFG] crl response verification failed
01[CFG]   fetching crl from 'http://cert.example.org/CertEnroll/myca.crl' ...
01[CFG]   using trusted certificate "DC=org, DC=example, CN=myca"
01[CFG] crl response verification failed
01[CFG]   fetching crl from 'ldap:///CN=myca,CN=ad-dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=org?certificateRevocationList?base?objectClass=cRLDistributionPoint' ...
14[MGR] ignoring request with ID 0, already processing
12[MGR] ignoring request with ID 0, already processing
13[MGR] ignoring request with ID 0, already processing
01[LIB] LDAP bind to 'ldap:///CN=myca,CN=ad-dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=org?certificateRevocationList?base?objectClass=cRLDistributionPoint' failed: Can't contact LDAP server
01[CFG] crl fetching failed
01[CFG] certificate status is not available

The error on fetching the LDAP CRL might be due to the fact that our AD doesn't allow anonymous binding. But why does the download fail from the HTTP cert services (MS AD-integrated CA)? When using wget on the same box without any credentials, the download works fine. Using tcpdump during the fetch process shows that the HTTP response contains a status code of 200.

Hope you can help me!

Best regards
Daniel
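An added example, not part of Daniel's post and not strongSwan code: a small Python parser for charon log lines of the kind quoted above. It pulls out the IKEv1 authentication method token in the "looking for ... peer configs" line (here XAuthInitRSA), whether a peer config matched it, and how each CRL fetch attempt ended, so that both problems described in the post can be read off a log automatically instead of by eye. The sample log is constructed from the quoted lines with the same placeholder addresses and an abridged LDAP URL; that the token names the method the client proposed in its ISAKMP proposal is my reading of the log, and the "selected peer config" string is assumed to be charon's success message for the lookup.

```python
import re

# Constructed sample: charon log lines of the kind quoted in the post
# (placeholder addresses e.f.g.h / a.b.c.d, LDAP URL abridged).
SAMPLE_LOG = """\
12[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
12[CFG] looking for XAuthInitRSA peer configs matching e.f.g.h...a.b.c.d[***del*** E=daniel.fiederling at warema.de]
12[IKE] no peer config found
12[ENC] generating INFORMATIONAL_V1 request 2873723852 [ HASH N(AUTH_FAILED) ]
01[CFG] checking certificate status of "***del*** E=daniel.fiederling at warema.de"
01[CFG]   fetching crl from 'http://cert.example.org/CertEnroll/myca.crl' ...
01[CFG]   using trusted certificate "DC=org, DC=example, CN=myca"
01[CFG] crl response verification failed
01[CFG]   fetching crl from 'ldap:///CN=myca,CN=ad-dc1,CN=CDP,DC=example,DC=org?certificateRevocationList?base?objectClass=cRLDistributionPoint' ...
01[LIB] LDAP bind to 'ldap:///CN=myca,CN=ad-dc1,CN=CDP,DC=example,DC=org?certificateRevocationList?base?objectClass=cRLDistributionPoint' failed: Can't contact LDAP server
01[CFG] crl fetching failed
01[CFG] certificate status is not available
"""

# "looking for <method> peer configs matching <local>...<remote>[<id>]"
PEER_LOOKUP = re.compile(r"looking for (\S+) peer configs matching (\S+)\.\.\.(\S+?)\[")
CRL_FETCH = re.compile(r"fetching crl from '([^']+)'")
LDAP_FAIL = re.compile(r"LDAP bind to '[^']+' failed: (.*)$")


def analyze(log_text):
    """Walk the log in order and collect the facts to check first: which IKEv1
    auth method the client proposed, whether a conn matched it, and the
    outcome of every CRL fetch attempt (result stays 'pending' until a
    failure line for that attempt is seen)."""
    report = {
        "proposed_auth": None, "local": None, "remote": None,
        "peer_config_found": None, "auth_failed": False,
        "crl_attempts": [], "crl_status_available": None,
    }
    for line in log_text.splitlines():
        m = PEER_LOOKUP.search(line)
        if m:
            report["proposed_auth"], report["local"], report["remote"] = m.groups()
            continue
        if "no peer config found" in line:
            report["peer_config_found"] = False
        elif "selected peer config" in line:      # assumed success message
            report["peer_config_found"] = True
        elif "N(AUTH_FAILED)" in line:
            report["auth_failed"] = True
        m = CRL_FETCH.search(line)
        if m:
            report["crl_attempts"].append({"url": m.group(1), "result": "pending"})
            continue
        attempts = report["crl_attempts"]
        if attempts and attempts[-1]["result"] == "pending":
            if "crl response verification failed" in line:
                attempts[-1]["result"] = "response verification failed"
            else:
                m = LDAP_FAIL.search(line)
                if m:
                    attempts[-1]["result"] = "bind failed: " + m.group(1)
        if "certificate status is not available" in line:
            report["crl_status_available"] = False
    return report


def findings(report):
    """Turn the parsed facts into short findings without guessing at a fix."""
    out = []
    if report["proposed_auth"]:
        out.append(f"client {report['remote']} proposed IKEv1 auth method "
                   f"{report['proposed_auth']} to {report['local']}")
    if report["peer_config_found"] is False:
        out.append("no conn matched that auth method: compare it with authby= in ipsec.conf")
    if report["auth_failed"]:
        out.append("charon answered with AUTH_FAILED")
    for a in report["crl_attempts"]:
        out.append(f"CRL fetch {a['url'].split('?')[0]}: {a['result']}")
    if report["crl_status_available"] is False:
        out.append("revocation status unknown; strictcrlpolicy decides whether the peer is still accepted")
    return out


if __name__ == "__main__":
    for f in findings(analyze(SAMPLE_LOG)):
        print("-", f)
```

Run it against a real charon log by replacing SAMPLE_LOG with the file contents; the first finding shows the auth method the client actually proposed, which is what the conn's authby= has to match before any certificate checking starts.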
