[strongSwan] strongswan without client certificate

Imran Akbar skunkwerk at gmail.com
Fri Dec 5 18:04:56 CET 2014


When I change the ipsec.conf from:
rightauth=psk
rightauth2=eap-mschapv2

to:
rightauth=eap-mschapv2

the server log now contains:
Dec  5 16:46:34 ip-172-31-26-153 charon: 14[CFG] looking for peer configs matching 172.31.26.153[%any]...172.56.39.247[app]
Dec  5 16:46:34 ip-172-31-26-153 charon: 14[CFG] selected peer config 'android'
Dec  5 16:46:34 ip-172-31-26-153 charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
Dec  5 16:46:34 ip-172-31-26-153 charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec  5 16:46:34 ip-172-31-26-153 charon: 14[IKE] peer supports MOBIKE
Dec  5 16:46:34 ip-172-31-26-153 charon: 14[CFG] no IDr configured, fall back on IP address
Dec  5 16:46:34 ip-172-31-26-153 charon: 14[IKE] authentication of '172.31.26.153' (myself) with pre-shared key
Dec  5 16:46:34 ip-172-31-26-153 charon: 14[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Dec  5 16:46:34 ip-172-31-26-153 charon: 14[NET] sending packet: from 172.31.26.153[4500] to 172.56.39.247[63277] (124 bytes)
Dec  5 16:46:34 ip-172-31-26-153 charon: 15[NET] received packet: from 172.56.39.247[63277] to 172.31.26.153[4500] (76 bytes)
Dec  5 16:46:34 ip-172-31-26-153 charon: 15[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]

and I get a different error message in the client log:
no shared key found for 'app'

As I was never prompted for the PSK in the app, I'm guessing the Android
client doesn't support it?
Therefore, the only way to get this working is for the server to
authenticate with a certificate, it seems.
Which isn't working, as it's not parsing my private key properly.

thanks,
imran

On Fri, Dec 5, 2014 at 8:41 AM, Imran Akbar <skunkwerk at gmail.com> wrote:

> Hey Thomas,
>
> Here's my latest attempt to get a setup working without requiring client
> certificates.
>
> Client is Strongswan Android, server is running Strongswan 5.2.2 on a
> fresh Ubuntu 14 server on EC2 with UDP ports 500 and 4500 opened.
> Client is connecting via IKEv2 username/password.
>
> Is PSK the same as the "EAP username/password" option in the Strongswan
> android client?  I have a feeling it's not, i.e. this config will not work
> for EAP-MSCHAPv2:
> http://www.strongswan.org/uml/testresults/ikev2/rw-psk-ipv4/
>
> But there's no documentation on a version of this one without the gateway
> authenticating via a RSA key:
> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-mschapv2-id-rsa/
>
> I've tried with the gateway authenticating itself using a certificate, and
> with PSK - both have the same error:
> *"peer requested EAP, config inacceptable"*
>
> In addition, the gateway seems unable to parse my private server key:
> *building CRED_PRIVATE_KEY - RSA failed*, tried 5 builders
> Dec  5 16:15:13 ip-172-31-26-153 charon: 00[CFG]   loading private key from '/etc/ipsec.d/private/serverKey.pem' failed
> even though I see openssl, pkcs1, and pem in my plugins - though I'm not
> sure which ones weren't loaded, as it doesn't say in the log.
>
> attempt 1 - with gateway using public key:
> ipsec.conf: https://pastee.org/z8234
> ipsec.secrets: https://pastee.org/mva6t
> server log: https://pastee.org/t2ahc
>
> attempt 2 - with gateway using PSK:
> ipsec.conf: https://pastee.org/f4fbp
> ipsec.secrets: https://pastee.org/mva6t
> server log: https://pastee.org/6yd8q
>
> Can someone please help?
>
> thanks,
> imran
>
> On Thu, Dec 4, 2014 at 3:21 AM, Thomas <jk at c.vu> wrote:
>
>> Hi,
>>
>> ok, so I have to change my EAP-MSCHAPv2 configuration.
>> I've tested a lot, but haven't found any ipsec configuration where the
>> client doesn't need the certificate installed locally.
>>
>> Do you have any ideas based on my posted ipsec.conf ?
>>
>> Best regards
>> Thomas
>>
>> On 04.12.2014 10:40, Martin Willi wrote:
>> > Hi,
>> >
>> >> Any idea what's the best authentication method for username/password only
>> >> on client-side? EAP-MD5?
>> >> The client should be able to connect via windows ikev2 native clients,
>> >> the strongswan android-app,
>> > If you want to use the native Windows IKEv2 Agile VPN client, there is
>> > no way around EAP-MSCHAPv2 for username/password authentication. You
>> > could wrap that in PEAP/TTLS, but that most likely makes no sense for
>> > your setup. The Android App supports EAP-MSCHAPv2 as well. Refer to [1]
>> > for configuration details.
>> >
>> >> and the native clients from osx/ios.
>> > OS X does not natively support IKEv2. You'd have to stick to IKEv1 with
>> > XAuth, so you need a separate configuration profile. Please note that
>> > there are rekeying issues with that client, which usually breaks the
>> > tunnel after ~45 minutes if you rely on username/passwords. Refer to [2]
>> > for configuration details.
>> >
>> > iOS supports IKEv2 since version 8, older versions support IKEv1 only.
>> > Refer to [3] for details about deploying configuration profiles.
>> >
>> > Regards
>> > Martin
>> >
>> > [1] https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#C-Authentication-using-EAP-MSCHAP-v2
>> > [2] https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
>> > [3] https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
>> >
>> >
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
>
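The setup the thread is after (gateway authenticates with its certificate, client with EAP-MSCHAPv2 only, no client certificate) as an added configuration example; this is not from the thread or from the strongSwan project's own test scenarios. The ipsec.conf keywords are the documented strongSwan 5.x ones; the gateway name vpn.example.org, the file names serverCert.pem and serverKey.pem, the 10.10.10.0/24 client pool, the connection name and the user "app" are placeholders. The commented-out block shows the shape of the thread's second attempt (PSK gateway authentication, then EAP in a second round) for contrast; the strongSwan Android app's EAP profile verifies the gateway by certificate, which is why a PSK AUTH from the gateway ends in AUTH_FAILED.

```ini
# /etc/ipsec.conf  (added example; names and paths are assumptions)
config setup

# --- how attempt 2 was structured: gateway uses PSK, EAP only in round 2 ---
# The Android "IKEv2 EAP (Username/Password)" profile expects the first
# (and only) client authentication round to be EAP and expects a
# certificate-based AUTH from the gateway, so this combination cannot work.
#conn android
#    keyexchange=ikev2
#    leftauth=psk
#    rightauth=psk
#    rightauth2=eap-mschapv2

# --- corrected: gateway proves itself with its certificate, client via EAP ---
conn android
    keyexchange=ikev2
    left=%any
    leftid=@vpn.example.org      # must match a subjectAltName in serverCert.pem;
                                 # the client checks it against the server
                                 # address/identity entered in the profile
    leftcert=serverCert.pem      # looked up in /etc/ipsec.d/certs/
    leftauth=pubkey
    leftsendcert=always          # the client has no copy of the gateway cert
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2       # single EAP round; no rightauth=psk first
    rightsendcert=never          # the client presents no certificate at all
    eap_identity=%identity       # look the secret up by the EAP identity
    rightsourceip=10.10.10.0/24
    auto=add

# /etc/ipsec.secrets  (added example)
# The key file must be an unencrypted PEM RSA private key (PKCS#1
# "BEGIN RSA PRIVATE KEY" or PKCS#8 "BEGIN PRIVATE KEY"); relative paths
# resolve to /etc/ipsec.d/private/. For a passphrase-protected key append
# the passphrase in double quotes after the file name.
: RSA serverKey.pem

# One line per user; the identity must equal what the client sends as its
# EAP identity (the log above shows the peer identifying as "app").
app : EAP "replace-with-a-long-random-password"
```

Two checks worth running before blaming the configuration: `openssl rsa -in /etc/ipsec.d/private/serverKey.pem -check -noout` tells you whether the file is actually a parseable RSA key; when strongSwan reports that all its private-key builders failed on a file, the file is in practice usually not an RSA key in PEM form (a certificate, an ECDSA key, which needs `: ECDSA` instead of `: RSA`, or an encrypted key with no passphrase given in ipsec.secrets). After fixing it, `ipsec rereadsecrets` and `ipsec listcerts` show whether charon now has both the key and the matching certificate loaded. On the client side, the CA that issued serverCert.pem has to be trusted by the Android app (imported into it, or a CA already in the system store), and the server address typed into the profile has to match a subjectAltName in the certificate.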