[strongSwan] FW: Win7 machine certificate connection failing
Gregg Hughes
ghughes at iscinternational.com
Thu Jul 18 21:02:27 CEST 2013
I wanted to update the information here with results from some config
changes.
I added/reconfigured the ipsec.conf to have an EAP-MSCHAPV2 connection
available, then changed the information on the Windows client side to use
EAP when making the connection. Here's the syslog output:
--------------Clip from syslog------------------
Jul 17 13:41:40 strongswan1 charon: 16[CFG] received stroke: delete
connection 'net-net'
Jul 17 13:41:40 strongswan1 charon: 16[CFG] deleted connection 'net-net'
Jul 17 13:41:40 strongswan1 charon: 04[CFG] received stroke: delete
connection 'rw'
Jul 17 13:41:40 strongswan1 charon: 04[CFG] deleted connection 'rw'
Jul 17 13:41:40 strongswan1 charon: 07[CFG] received stroke: delete
connection 'rw2'
Jul 17 13:41:40 strongswan1 charon: 07[CFG] deleted connection 'rw2'
Jul 17 13:41:40 strongswan1 charon: 05[CFG] received stroke: delete
connection 'rw-eap'
Jul 17 13:41:40 strongswan1 charon: 05[CFG] deleted connection 'rw-eap'
Jul 17 13:41:40 strongswan1 charon: 16[CFG] received stroke: add connection
'net-net'
Jul 17 13:41:40 strongswan1 charon: 16[CFG] added configuration 'net-net'
Jul 17 13:41:40 strongswan1 charon: 16[CFG] received stroke: add connection
'rw'
Jul 17 13:41:40 strongswan1 charon: 16[CFG] added configuration 'rw'
Jul 17 13:41:40 strongswan1 charon: 16[CFG] received stroke: add connection
'rw2'
Jul 17 13:41:40 strongswan1 charon: 16[CFG] loaded certificate "C=US,
ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1" from 'cacert.pem'
Jul 17 13:41:40 strongswan1 charon: 16[CFG] id '192.168.91.163' not
confirmed by certificate, defaulting to 'C=US, ST=Wisconsin, O=ISC
International, Ltd., CN=strongswan1'
Jul 17 13:41:40 strongswan1 charon: 16[CFG] added configuration 'rw2'
Jul 17 13:41:40 strongswan1 charon: 07[CFG] received stroke: add connection
'rw-eap'
Jul 17 13:41:40 strongswan1 charon: 07[CFG] loaded certificate "C=US,
ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1" from 'cacert.pem'
Jul 17 13:41:40 strongswan1 charon: 07[CFG] id '192.168.91.163' not
confirmed by certificate, defaulting to 'C=US, ST=Wisconsin, O=ISC
International, Ltd., CN=strongswan1'
Jul 17 13:41:40 strongswan1 charon: 07[CFG] added configuration 'rw-eap'
Jul 17 13:42:46 strongswan1 charon: 11[NET] received packet: from
192.168.91.166[500] to 192.168.91.163[500]
Jul 17 13:42:46 strongswan1 charon: 11[ENC] parsed IKE_SA_INIT request 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 17 13:42:46 strongswan1 charon: 11[IKE] 192.168.91.166 is initiating an
IKE_SA
Jul 17 13:42:46 strongswan1 charon: 11[IKE] sending cert request for "C=US,
ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1"
Jul 17 13:42:46 strongswan1 charon: 11[ENC] generating IKE_SA_INIT response
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 17 13:42:46 strongswan1 charon: 11[NET] sending packet: from
192.168.91.163[500] to 192.168.91.166[500]
Jul 17 13:42:46 strongswan1 charon: 14[NET] received packet: from
192.168.91.166[4500] to 192.168.91.163[4500]
Jul 17 13:42:46 strongswan1 charon: 14[ENC] unknown attribute type
INTERNAL_IP4_SERVER
Jul 17 13:42:46 strongswan1 charon: 14[ENC] unknown attribute type
INTERNAL_IP6_SERVER
Jul 17 13:42:46 strongswan1 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi
CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Jul 17 13:42:46 strongswan1 charon: 14[IKE] received cert request for "C=US,
ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1"
Jul 17 13:42:46 strongswan1 charon: 14[IKE] received 8 cert requests for an
unknown ca
Jul 17 13:42:46 strongswan1 charon: 14[CFG] looking for peer configs
matching 192.168.91.163[%any]...192.168.91.166[192.168.91.166]
Jul 17 13:42:46 strongswan1 charon: 14[CFG] selected peer config 'rw'
Jul 17 13:42:46 strongswan1 charon: 14[IKE] peer requested EAP, config
inacceptable
Jul 17 13:42:46 strongswan1 charon: 14[CFG] switching to peer config 'rw2'
Jul 17 13:42:46 strongswan1 charon: 14[IKE] peer requested EAP, config
inacceptable
Jul 17 13:42:46 strongswan1 charon: 14[CFG] switching to peer config
'rw-eap'
Jul 17 13:42:46 strongswan1 charon: 14[IKE] using configured EAP-Identity
gregg
Jul 17 13:42:46 strongswan1 charon: 14[IKE] initiating EAP_MSCHAPV2 method
(id 0x77)
Jul 17 13:42:46 strongswan1 charon: 14[IKE] peer supports MOBIKE
Jul 17 13:42:46 strongswan1 charon: 14[IKE] no private key found for 'C=US,
ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1'
Jul 17 13:42:46 strongswan1 charon: 14[ENC] generating IKE_AUTH response 1 [
N(AUTH_FAILED) ]
Jul 17 13:42:46 strongswan1 charon: 14[NET] sending packet: from
192.168.91.163[4500] to 192.168.91.166[4500]
Jul 17 13:43:35 strongswan1 dhclient: DHCPREQUEST of 192.168.91.163 on eth0
to 192.168.91.254 port 67
Jul 17 13:43:35 strongswan1 dhclient: DHCPACK of 192.168.91.163 from
192.168.91.254
Jul 17 13:43:35 strongswan1 dhclient: bound to 192.168.91.163 -- renewal in
692 seconds.
On the client side, I get the dreaded "Error 13801 IKE authentication
credentials are unacceptable." and the connection halts. It looks like the
EAP is clearing but the cacert isn't clearing the Windows client. I've used
seven different methods to create and re-create the self-signed CA and
certificate - openssl, the ipsec pki tool, the OpenVPN tools and probably a
couple others I tried. I edited the openssl.cnf each time to try and add
the extended key usage and the gateway name in the CN and/or the
subjectAltName - with no luck. I did find that removing the leftid didn't
help, nor did specifying the EAP user.
It really appears that the connection is hanging on the server certificate.
I'm *this close* to getting this connection down - and I'm pretty sure it's
a certificate problem. If anyone has some suggestions on where to look
next, I'd really appreciate it!
Config files:
---------ipsec.conf-------------
# ipsec.conf - strongSwan1 IPsec configuration file
# basic configuration
config setup
# plutodebug=all
# crlcheckinterval=180
# strictcrlpolicy=no
# cachecrls=yes
# nat_traversal=yes
charonstart=yes
plutostart=no
# Add connections here.
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
# authby=secret
keyexchange=ikev2
# mobike=no
conn net-net
left=192.168.91.163
leftsubnet=10.1.0.0/16
leftid=@strongswan1
leftfirewall=yes
right=192.168.91.160
rightsubnet=10.2.0.0/16
rightid=@strongswan2
auto=add
conn rw
left=192.168.91.163
leftsubnet=10.1.0.0/16
leftfirewall=yes
authby=secret
right=%any
auto=add
conn rw2
left=192.168.91.163
leftsubnet=10.1.0.0/16
# leftid=@strongswan1
leftcert=cacert.pem
leftfirewall=yes
right=%any
keyexchange=ikev2
auto=add
conn rw-eap
left=192.168.91.163
leftsubnet=10.1.0.0/16
# leftid=@strongswan1
leftcert=cacert.pem
leftauth=pubkey
leftfirewall=yes
right=%any
rightauth=eap-mschapv2
rightsendcert=never
eap_identity=gregg
auto=add
include /var/lib/strongswan/ipsec.conf.inc
---------ipsec.secrets---------
: RSA cakey.pem "newcapassword"
192.168.91.165 : PSK 1234567890
192.168.91.154 : PSK 1234567890
gregg : EAP "1234567890"
include /var/lib/strongswan/ipsec.secrets.inc
Thanks to all!
---------------------------------------------------------------
-----Original Message-----
From: Gregg Hughes [mailto:ghughes at iscinternational.com]
Sent: Wednesday, July 10, 2013 4:41 PM
To: 'Paton, Andy'
Cc: 'users at lists.strongswan.org'
Subject: RE: [strongSwan] Win7 machine certificate connection failing
Hi, Andy!
Thanks for the quick response - it's good to know there's help out there for
new folks.....
The CA key was generated like so:
openssl genrsa -des3 -out private/cakey.pem 4096 I added a password
for the key. Not much of one, but a password.
Created CA Root Certificate
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days
3650 -set_serial 0 Asked some questions:
Country Name US
State or Porvince Name Wisconsin
Locality Name Milwaukee
Organization Name ISC International, Ltd.
Organizational Unit .
Common name strongswan1
Email Address ghughes [at]
iscinternational.com
....and I got my cert.
I added the requirements to the openssl.cnf file for extendedKeyUsage and
for a subjectAltName, following a document here:
http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq
Oddly enough, when I do an "ipsec listcerts" I get nothing, even though
syslog shows the certificates being loaded correctly.
Let me know other information you might need (and where to look for it) - I
probably haven't completely fulfilled your request.
Thanks!
Gregg
-----Original Message-----
From: Paton, Andy [mailto:andy.paton at hp.com]
Sent: Wednesday, July 10, 2013 4:13 PM
To: Gregg Hughes
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Win7 machine certificate connection failing
Can you post details of your certificates. Both the machine cert for the
gateway and the device cert?
--
Andrew Paton
On 10 Jul 2013, at 21:55, "Gregg Hughes"
<ghughes at iscinternational.com<mailto:ghughes at iscinternational.com>> wrote:
Good afternoon, all!
I've been working on getting a Strongswan installation running on a VMware
Workstation test platform. The server is Ubuntu Server 12.04 with
Strongswan 4.5.2 from the Ubuntu repository.
I've been able to get a net-net test config to work, but have had trouble
with a roadwarrior config. I think it's a problem with certificates because
I get "Error 13801: IKE authentication credentials are unacceptable", so I
know the client is reaching the server and trying to get in.
I followed the examples listed here, working on an X.509 machine certificate
to start: http://wiki.strongswan.org/projects/strongswan/wiki/Windows7 I
used the multiple client configs and the instructions on importing
certificates into Win7.
All certs were generated and signed on the strongswan server and are in the
proper directories under /etc/ipsec.d. Content of ipsec.conf and greps from
auth.log and syslog also.
I confess to being at a loss as to why I am still getting the Error 13801
after several hours troubleshooting.
Thanks in advance!
Gregg
# ipsec.conf - strongSwan1 IPsec configuration file
# basic configuration
config setup
# plutodebug=all
# crlcheckinterval=180
# strictcrlpolicy=no
# cachecrls=yes
# nat_traversal=yes
charonstart=yes
plutostart=no
# Add connections here.
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
# authby=secret
keyexchange=ikev2
# mobike=no
conn net-net
left=192.168.91.163
leftsubnet=10.1.0.0/16
leftid=@strongswan1
leftfirewall=yes
right=192.168.91.160
rightsubnet=10.2.0.0/16
rightid=@strongswan2
auto=add
conn Win7
left=%defaultroute
# leftcert=cacert.pem
leftsubnet=10.1.0.0/16
leftid=strongswan1
right=%any
rightsourceip=192.168.93.0/24
# rightauth=eap-mschapv2
# rightsendcert=never
# eap_identity=%any
# rightcert=client1cert.pem
# keyexchange=ikev2
auto=add
include /var/lib/strongswan/ipsec.conf.inc
----------------------------------------
auth.log cuts
Jul 10 15:20:28 strongswan1 charon: 03[IKE] 192.168.91.166 is initiating an
IKE_SA Jul 10 15:21:51 strongswan1 ipsec_starter[1606]: charon stopped after
200 ms Jul 10 15:21:54 strongswan1 ipsec_starter[1641]: charon (1667)
started after 60 ms Jul 10 15:23:02 strongswan1 ipsec_starter[1641]: charon
stopped after 200 ms Jul 10 15:23:25 strongswan1 ipsec_starter[931]: charon
(939) started after 1120 ms Jul 10 15:32:19 strongswan1 ipsec_starter[999]:
charon (1003) started after 1060 ms Jul 10 15:32:43 strongswan1 charon:
13[IKE] 192.168.91.166 is initiating an IKE_SA
--------------------------------------------
syslog cuts
Jul 10 15:32:20 strongswan1 charon: 00[DMN] Starting IKEv2 charon daemon
(strongSwan 4.5.2) Jul 10 15:32:19 strongswan1 charon: 00[KNL] listening on
interfaces:
Jul 10 15:32:19 strongswan1 charon: 00[KNL] eth0
Jul 10 15:32:19 strongswan1 charon: 00[KNL] 192.168.91.163
Jul 10 15:32:19 strongswan1 charon: 00[KNL] fe80::20c:29ff:fecd:2c6b
Jul 10 15:32:19 strongswan1 charon: 00[KNL] eth1
Jul 10 15:32:19 strongswan1 charon: 00[KNL] 10.1.0.1
Jul 10 15:32:19 strongswan1 charon: 00[KNL] fe80::20c:29ff:fecd:2c75
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loaded ca certificate "C=US,
ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1,
E=ghughes at iscinternational.com<http://iscinternational.com>" from
'/etc/ipsec.d/cacerts/cacert.pem'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading ocsp signer certificates
from '/etc/ipsec.d/ocspcerts'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading attribute certificates
from '/etc/ipsec.d/acerts'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading crls from
'/etc/ipsec.d/crls'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loaded RSA private key from
'/etc/ipsec.d/private/cakey.pem'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] expanding file expression
'/var/lib/strongswan/ipsec.secrets.inc' failed Jul 10 15:32:19 strongswan1
charon: 00[CFG] sql plugin: database URI not set Jul 10 15:32:19 strongswan1
charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned
NULL Jul 10 15:32:19 strongswan1 charon: 00[CFG] loaded 0 RADIUS server
configurations Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'medsrv'
failed to load: /usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open
shared object file: No such file or directory Jul 10 15:32:19 strongswan1
charon: 00[CFG] mediation client database URI not defined, skipped Jul 10
15:32:19 strongswan1 charon: 00[LIB] plugin 'medcli': failed to load -
medcli_plugin_create returned NULL Jul 10 15:32:19 strongswan1 charon:
00[LIB] plugin 'nm' failed to load:
/usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object file:
No such file or directory Jul 10 15:32:19 strongswan1 charon: 00[CFG] HA
config misses local/remote address Jul 10 15:32:19 strongswan1 charon:
00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL Jul 10
15:32:19 strongswan1 charon: 00[DMN] loaded plugins: test-vectors curl ldap
aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp
pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr
kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka
eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led
addrblock Jul 10 15:32:19 strongswan1 charon: 00[JOB] spawning 16 worker
threads Jul 10 15:32:19 strongswan1 charon: 05[CFG] received stroke: add
connection 'net-net'
Jul 10 15:32:19 strongswan1 charon: 05[CFG] added configuration 'net-net'
Jul 10 15:32:19 strongswan1 charon: 10[CFG] received stroke: add connection
'Win7'
Jul 10 15:32:19 strongswan1 charon: 10[CFG] added configuration 'Win7'
Jul 10 15:32:19 strongswan1 charon: 10[CFG] adding virtual IP address pool
'Win7': 192.168.93.0/24 Jul 10 15:32:43 strongswan1 charon: 13[NET] received
packet: from 192.168.91.166[500] to 192.168.91.163[500] Jul 10 15:32:43
strongswan1 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) ] Jul 10 15:32:43 strongswan1 charon: 13[IKE]
192.168.91.166 is initiating an IKE_SA Jul 10 15:32:43 strongswan1 charon:
13[IKE] sending cert request for "C=US, ST=Wisconsin, L=Milwaukee, O=ISC
International, Ltd., CN=strongswan1, E=ghughes at
iscinternational.com<http://iscinternational.com>"
Jul 10 15:32:43 strongswan1 charon: 13[ENC] generating IKE_SA_INIT response
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] Jul 10
15:32:43 strongswan1 charon: 13[NET] sending packet: from
192.168.91.163[500] to 192.168.91.166[500] Jul 10 15:32:43 strongswan1
charon: 14[NET] received packet: from 192.168.91.166[4500] to
192.168.91.163[4500] Jul 10 15:32:43 strongswan1 charon: 14[ENC] unknown
attribute type INTERNAL_IP4_SERVER Jul 10 15:32:43 strongswan1 charon:
14[ENC] unknown attribute type INTERNAL_IP6_SERVER Jul 10 15:32:43
strongswan1 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ
AUTH N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ] Jul 10
15:32:43 strongswan1 charon: 14[IKE] received cert request for "C=US,
ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1,
E=ghughes at iscinternational.com<http://iscinternational.com>"
Jul 10 15:32:43 strongswan1 charon: 14[IKE] received 8 cert requests for an
unknown ca Jul 10 15:32:43 strongswan1 charon: 14[IKE] received end entity
cert "C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1,
E=ghughes at iscinternational.com<http://iscinternational.com>"
Jul 10 15:32:43 strongswan1 charon: 14[CFG] looking for peer configs
matching 192.168.91.163[%any]...192.168.91.166[C=US, ST=Wisconsin, O=ISC
International, Ltd., CN=strongswan1, E=ghughes at
iscinternational.com<http://iscinternational.com>]
Jul 10 15:32:43 strongswan1 charon: 14[CFG] selected peer config 'Win7'
Jul 10 15:32:43 strongswan1 charon: 14[CFG] using certificate "C=US,
ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at
iscinternational.com<http://iscinternational.com>"
Jul 10 15:32:43 strongswan1 charon: 14[CFG] using trusted ca certificate
"C=US, ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1,
E=ghughes at iscinternational.com<http://iscinternational.com>"
Jul 10 15:32:43 strongswan1 charon: 14[CFG] checking certificate status of
"C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at
iscinternational.com<http://iscinternational.com>"
Jul 10 15:32:43 strongswan1 charon: 14[CFG] certificate status is not
available
Jul 10 15:32:43 strongswan1 charon: 14[CFG] reached self-signed root ca
with a path length of 0
Jul 10 15:32:43 strongswan1 charon: 14[IKE] authentication of 'C=US,
ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at
iscinternational.com<http://iscinternational.com>' with RSA signature
successful Jul 10 15:32:43 strongswan1 charon: 14[IKE] peer supports MOBIKE
Jul 10 15:32:43 strongswan1 charon: 14[IKE] no private key found for
'strongswan1'
Jul 10 15:32:43 strongswan1 charon: 14[ENC] generating IKE_AUTH response 1 [
N(AUTH_FAILED) ] Jul 10 15:32:43 strongswan1 charon: 14[NET] sending packet:
from 192.168.91.163[4500] to 192.168.91.166[4500]
Gregg Hughes
IT Administrator
www.iscinternational.com<http://www.iscinternational.com>
414.721.0301 phone
262.313.3106 fax
_______________________________________________
Users mailing list
Users at lists.strongswan.org<mailto:Users at lists.strongswan.org>
https://lists.strongswan.org/mailman/listinfo/users
More information about the Users
mailing list