[strongSwan] Mac OS X 10.9 Mavericks - StrongSwan Native Application - constraint checking failed

Fred Kilbourn fred at fredk.com
Thu Oct 31 21:03:12 CET 2013


Hello,

I run a Windows 2008 R2 VPN server, which I am able to connect to fine with
the Android strongSwan app and a Linux install of strongSwan.  I am trying to
get the Mac OS X native application to connect to it (tested 5.1.0-4 and
5.1.1-1) using strongSwan installed via Homebrew.  OS X version is 10.9
Mavericks.

I have the CA certificate and vpn host certificate installed and trusted in
the system and user keychain.

Connection is almost successful, but fails with identity check of the
gateway.  Any feedback on what might be wrong or what to try next?  Posted
below is sanitized content from my daemon.log.  As best as I can tell, it is
reading the host certificate from the keychain, but I can't tell what else
is wrong and can't figure out how to elevate the debug level using the
native application.

Thanks,
Fred Kilbourn

Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 00[LIB] created TUN device: utun0
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 00[CFG] loaded 211 certificates from /System/Library/Keychains/SystemRootCertificates.keychain
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 00[CFG] loaded 5 certificates from /Library/Keychains/System.keychain
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 00[DMN] Starting charon-xpc IKE daemon (strongSwan 5.1.0-4, Darwin 13.0.0, x86_64)
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 00[JOB] spawning 16 worker threads
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 11[KNL] interface utun1 appeared
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 00[LIB] created TUN device: utun1
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 12[IKE] initiating IKE_SA VPN_CONNECTION_CONFIG[1] to 127.0.0.999
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 14[KNL] interface utun1 deactivated
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 12[NET] sending packet: from 127.0.0.1[51632] to 127.0.0.999[4500] (884 bytes)
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 15[NET] received packet: from 127.0.0.999[4500] to 127.0.0.1[51632] (38 bytes)
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 15[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 15[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 15[IKE] initiating IKE_SA VPN_CONNECTION_CONFIG[1] to 127.0.0.999
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 15[NET] sending packet: from 127.0.0.1[51632] to 127.0.0.999[4500] (756 bytes)
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 16[NET] received packet: from 127.0.0.999[4500] to 127.0.0.1[51632] (316 bytes)
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 16[IKE] faking NAT situation to enforce UDP encapsulation
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 16[IKE] establishing CHILD_SA VPN_CONNECTION_CONFIG
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 16[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CP(ADDR DNS) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 16[NET] sending packet: from 127.0.0.1[55981] to 127.0.0.999[4500] (412 bytes)
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[NET] received packet: from 127.0.0.999[4500] to 127.0.0.1[51632] (2908 bytes)
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[IKE] received end entity cert "CN=vpn-host.subdomain.domain.com"
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[CFG]   using trusted ca certificate "DC=com, DC=domain, DC=subdomain, CN=ca-name"
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[CFG]   reached self-signed root ca with a path length of 0
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[CFG]   using trusted certificate "CN=vpn-host.subdomain.domain.com"
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[IKE] authentication of 'CN=vpn-host.subdomain.domain.com' with RSA signature successful
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[IKE] server requested EAP_IDENTITY (id 0x00), sending 'username'
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[NET] sending packet: from 127.0.0.1[55981] to 127.0.0.999[4500] (76 bytes)
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 11[NET] received packet: from 127.0.0.999[4500] to 127.0.0.1[51632] (92 bytes)
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 11[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 11[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 11[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 11[NET] sending packet: from 127.0.0.1[55981] to 127.0.0.999[4500] (132 bytes)
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 11[NET] received packet: from 127.0.0.999[4500] to 127.0.0.1[51632] (116 bytes)
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 11[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 11[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 11[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 11[NET] sending packet: from 127.0.0.1[55981] to 127.0.0.999[4500] (68 bytes)
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 12[NET] received packet: from 127.0.0.999[4500] to 127.0.0.1[51632] (68 bytes)
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 12[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 12[IKE] authentication of 'username' (myself) with EAP
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 12[ENC] generating IKE_AUTH request 5 [ AUTH ]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 12[NET] sending packet: from 127.0.0.1[55981] to 127.0.0.999[4500] (84 bytes)
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 13[NET] received packet: from 127.0.0.999[4500] to 127.0.0.1[51632] (212 bytes)
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 13[ENC] parsed IKE_AUTH response 5 [ AUTH N(MOBIKE_SUP) CP(ADDR DNS) SA TSi TSr ]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 13[IKE] authentication of 'CN=vpn-host.subdomain.domain.com' with EAP successful
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 13[CFG] constraint check failed: identity 'vpn-host.subdomain.domain.com' required
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 13[CFG] selected peer config 'VPN_CONNECTION_CONFIG' inacceptable: constraint checking failed
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 13[CFG] no alternative config found
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 13[ENC] generating INFORMATIONAL request 6 [ N(AUTH_FAILED) ]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 13[NET] sending packet: from 127.0.0.1[55981] to 127.0.0.999[4500] (68 bytes)
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[DMN] thread 19 received 4
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]  dumping 15 stack frame addresses:
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]  /usr/lib/system/libsystem_platform.dylib @ 0x7fff8e180000 (_sigtramp+0x1a) [0x7fff8e1835aa]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]     -> _sigtramp (in libsystem_platform.dylib) + 26
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]     1   ??? 0x0000000000000000 0x0 + 0
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]  /usr/lib/system/libxpc.dylib @ 0x7fff870aa000 (_xpc_connection_last_xref_cancel+0x39) [0x7fff870b522d]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]     -> _xpc_connection_last_xref_cancel (in libxpc.dylib) + 57
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]  /usr/lib/system/libxpc.dylib @ 0x7fff870aa000 (-[OS_xpc_connection _xref_dispose]+0x11) [0x7fff870b51ce]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]     -> -[OS_xpc_connection _xref_dispose] (in libxpc.dylib) + 17
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]  /Library/PrivilegedHelperTools/org.strongswan.charon-xpc @ 0x10ecc3000 (start+0xd75) [0x10ed4fcb1]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]     -> 0x000000010008ccb1 (in org.strongswan.charon-xpc) + 59
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]  /usr/lib/system/libdispatch.dylib @ 0x7fff8ab47000 (_dispatch_call_block_and_release+0xc) [0x7fff8ab4b1d7]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]     -> _dispatch_call_block_and_release (in libdispatch.dylib) + 12
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]  /usr/lib/system/libdispatch.dylib @ 0x7fff8ab47000 (_dispatch_client_callout+0x8) [0x7fff8ab482ad]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]     -> _dispatch_client_callout (in libdispatch.dylib) + 8
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]  /usr/lib/system/libdispatch.dylib @ 0x7fff8ab47000 (_dispatch_mach_barrier_invoke+0x50) [0x7fff8ab4ba89]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]     -> _dispatch_mach_barrier_invoke (in libdispatch.dylib) + 80
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]  /usr/lib/system/libdispatch.dylib @ 0x7fff8ab47000 (_dispatch_client_callout+0x8) [0x7fff8ab482ad]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]     -> _dispatch_client_callout (in libdispatch.dylib) + 8
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]  /usr/lib/system/libdispatch.dylib @ 0x7fff8ab47000 (_dispatch_queue_drain+0x1c3) [0x7fff8ab4a68f]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]     -> _dispatch_queue_drain (in libdispatch.dylib) + 451
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]  /usr/lib/system/libdispatch.dylib @ 0x7fff8ab47000 (_dispatch_mach_invoke+0x9a) [0x7fff8ab4b69e]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]     -> _dispatch_mach_invoke (in libdispatch.dylib) + 154
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]  /usr/lib/system/libdispatch.dylib @ 0x7fff8ab47000 (_dispatch_root_queue_drain+0x4b) [0x7fff8ab49fa3]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]     -> _dispatch_root_queue_drain (in libdispatch.dylib) + 75
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]  /usr/lib/system/libdispatch.dylib @ 0x7fff8ab47000 (_dispatch_worker_thread2+0x28) [0x7fff8ab4b193]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]     -> _dispatch_worker_thread2 (in libdispatch.dylib) + 40
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]  /usr/lib/system/libsystem_pthread.dylib @ 0x7fff8afc2000 (_pthread_wqthread+0x13a) [0x7fff8afc4ef8]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]     -> _pthread_wqthread (in libsystem_pthread.dylib) + 314
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]  /usr/lib/system/libsystem_pthread.dylib @ 0x7fff8afc2000 (start_wqthread+0xd) [0x7fff8afc7fb9]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB]     -> start_wqthread (in libsystem_pthread.dylib) + 13
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[DMN] killing ourself, received critical signal
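A log-triage script for the failure in the post above, added here as an example and not part of the original message or of strongSwan: it parses a constructed subset of the charon-xpc lines quoted above, pulls out the identity the gateway was authenticated as and the identity the peer config requires, and labels each by IKEv2 ID type so a DN-versus-FQDN mismatch is visible at a glance. The function names and the type labels are my own.

```python
import re

# Constructed sample: a few charon-xpc lines quoted in the post above, rejoined
# onto single lines. Layout: "<date> <process>[pid]: <thread>[<group>] <message>"
SAMPLE_LOG = """\
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[IKE] received end entity cert "CN=vpn-host.subdomain.domain.com"
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[IKE] authentication of 'CN=vpn-host.subdomain.domain.com' with RSA signature successful
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 12[IKE] authentication of 'username' (myself) with EAP
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 13[IKE] authentication of 'CN=vpn-host.subdomain.domain.com' with EAP successful
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 13[CFG] constraint check failed: identity 'vpn-host.subdomain.domain.com' required
"""

LINE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+: (?P<thread>\d+)\[(?P<group>\w+)\] (?P<msg>.*)$")
AUTH = re.compile(r"authentication of '(?P<id>[^']+)' with .+ successful$")
REQUIRED = re.compile(r"constraint check failed: identity '(?P<id>[^']+)' required")
CERT = re.compile(r'received end entity cert "(?P<subject>[^"]+)"')

def identity_type(ident):
    """Classify an identity string by the IKEv2 ID payload type it would carry."""
    if re.match(r"^\d+\.\d+\.\d+\.\d+$", ident):
        return "IPV4_ADDR"
    if "@" in ident:
        return "RFC822_ADDR"
    if re.match(r"^[A-Za-z]+=", ident):  # 'CN=...' or 'DC=com, ...' is an X.509 DN
        return "DER_ASN1_DN"
    return "FQDN"

def diagnose(log_text):
    """Compare the gateway identity charon authenticated with the one the config requires."""
    result = {"cert_subject": None, "authenticated": None, "required": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue
        msg = m.group("msg")
        if c := CERT.search(msg):
            result["cert_subject"] = c.group("subject")
        elif (a := AUTH.search(msg)) and "(myself)" not in msg:
            result["authenticated"] = a.group("id")  # IDr the gateway sent and proved
        elif r := REQUIRED.search(msg):
            result["required"] = r.group("id")  # remote identity the peer config demands
    auth, req = result["authenticated"], result["required"]
    result["authenticated_type"] = identity_type(auth) if auth else None
    result["required_type"] = identity_type(req) if req else None
    result["constraint_ok"] = req is None or auth == req
    # The cert's CN value can equal the required FQDN while the DN as a whole does not
    cn = re.search(r"CN=([^,]+)", result["cert_subject"] or "")
    result["required_equals_cert_cn"] = bool(cn and req and cn.group(1) == req)
    return result
```

On the sample this reports an authenticated DER_ASN1_DN identity against a required FQDN, with constraint_ok false even though the certificate's CN value equals the required name.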