[strongSwan] strongswan without client certificate

Imran Akbar skunkwerk at gmail.com
Fri Dec 5 19:16:02 CET 2014


I've gotten past that issue by ensuring I was using the IP when generating
the certificates, as in:
http://endlessroad1991.blogspot.com/2014/04/setup-ipsec-vpn-on-ec2.html

but now the client cannot verify the server with the message "verifying
gateway authentication failed"
and in the client log:
"no trusted RSA public key found for 'C=CN, O=strongSwan, CN=54.169.64.53'"

How can I verify the server without installing its public key on every
client, or using a PSK (which the Android client doesn't support)?

thanks,
imran

On Fri, Dec 5, 2014 at 9:04 AM, Imran Akbar <skunkwerk at gmail.com> wrote:

> When I change the ipsec.conf from:
> rightauth=psk
> righauth2=eap-mschapv2
>
> to:
> rightauth=eap-mschapv2
>
> the server log now contains:
> Dec  5 16:46:34 ip-172-31-26-153 charon: 14[CFG] looking for peer configs
> matching 172.31.26.153[%any]...172.56.39.247[app]
> Dec  5 16:46:34 ip-172-31-26-153 charon: 14[CFG] selected peer config
> 'android'
> Dec  5 16:46:34 ip-172-31-26-153 charon: 14[IKE] initiating EAP_IDENTITY
> method (id 0x00)
> Dec  5 16:46:34 ip-172-31-26-153 charon: 14[IKE] received
> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Dec  5 16:46:34 ip-172-31-26-153 charon: 14[IKE] peer supports MOBIKE
> Dec  5 16:46:34 ip-172-31-26-153 charon: 14[CFG] no IDr configured, fall
> back on IP address
> Dec  5 16:46:34 ip-172-31-26-153 charon: 14[IKE] authentication of
> '172.31.26.153' (myself) with pre-shared key
> Dec  5 16:46:34 ip-172-31-26-153 charon: 14[ENC] generating IKE_AUTH
> response 1 [ IDr AUTH EAP/REQ/ID ]
> Dec  5 16:46:34 ip-172-31-26-153 charon: 14[NET] sending packet: from
> 172.31.26.153[4500] to 172.56.39.247[63277] (124 bytes)
> Dec  5 16:46:34 ip-172-31-26-153 charon: 15[NET] received packet: from
> 172.56.39.247[63277] to 172.31.26.153[4500] (76 bytes)
> Dec  5 16:46:34 ip-172-31-26-153 charon: 15[ENC] parsed INFORMATIONAL
> request 2 [ N(AUTH_FAILED) ]
>
> and I get a different error message in the client log:
> no shared key found for 'app'
>
> As I was never prompted for the PSK in the app, I'm guessing the Android
> client doesn't support it?
> Therefore, the only way to get this working is for the server to
> authenticate with a certificate, it seems.
> Which isn't working, as it's not parsing my private key properly.
>
> thanks,
> imran
>
> On Fri, Dec 5, 2014 at 8:41 AM, Imran Akbar <skunkwerk at gmail.com> wrote:
>
>> Hey Thomas,
>>
>> Here's my latest attempt to get a setup working without requiring client
>> certificates.
>>
>> Client is Strongswan Android, server is running Strongswan 5.2.2 on a
>> fresh Ubuntu 14 server on EC2 with UDP ports 500 and 4500 opened.
>> Client is connecting via IKEv2 username/password.
>>
>> Is PSK the same as the "EAP username/password" option in the Strongswan
>> android client?  I have a feeling it's not, ie this config will not work
>> for EAP-MSCHAPv2:
>> http://www.strongswan.org/uml/testresults/ikev2/rw-psk-ipv4/
>>
>> But there's no documentation on a version of this one without the gateway
>> authenticating via a RSA key:
>> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-mschapv2-id-rsa/
>>
>> I've tried with the gateway authenticating itself using a certificate,
>> and with PSK - both have the same error:
>> *"peer requested EAP, config inacceptable"*
>>
>> In addition, the gateway seems unable to parse my private server key:
>> *building CRED_PRIVATE_KEY - RSA failed*, tried 5 builders
>> Dec  5 16:15:13 ip-172-31-26-153 charon: 00[CFG]   loading private key
>> from '/etc/ipsec.d/private/serverKey.pem' failed
>> even though I see openssl, pkcs1, and pem in my plugins - though I'm not
>> sure which ones weren't loaded, as it doesn't say in the log.
>>
>> attempt 1 - with gateway using public key:
>> ipsec.conf: https://pastee.org/z8234
>> ipsec.secrets: https://pastee.org/mva6t
>> server log: https://pastee.org/t2ahc
>>
>> attempt 2 - with gateway using PSK:
>> ipsec.conf: https://pastee.org/f4fbp
>> ipsec.secrets: https://pastee.org/mva6t
>> server log: https://pastee.org/6yd8q
>>
>> Can someone please help?
>>
>> thanks,
>> imran
>>
>> On Thu, Dec 4, 2014 at 3:21 AM, Thomas <jk at c.vu> wrote:
>>
>>> Hi,
>>>
>>> ok, so I have to change my EAP-MSCHAPv2 configuration.
>>> I've tested a lot, but don't find any ipsec-configuration where the
>>> client don't need the certificate installed local.
>>>
>>> Do you have any ideas based on my posted ipsec.conf ?
>>>
>>> Best regards
>>> Thomas
>>>
>>> Am 04.12.2014 10:40, schrieb Martin Willi:
>>> > Hi,
>>> >
>>> >> Any idea whats the best authentication method for username/password only
>>> >> on client-side? EAP-MD5?
>>> >> The client should be able to connect via windows ikev2 native clients,
>>> >> the strongswan android-app,
>>> > If you want to use the native Windows IKEv2 Agile VPN client, there is
>>> > no way around EAP-MSCHAPv2 for username/password authentication. You
>>> > could wrap that in PEAP/TTLS, but that most likely makes no sense for
>>> > your setup. The Android App supports EAP-MSCHAPv2 as well. Refer to [1]
>>> > for configuration details.
>>> >
>>> >> and the native clients from osx/ios.
>>> > OS X does not natively support IKEv2. You'd have to stick to IKEv1 with
>>> > XAuth, so you need a separate configuration profile. Please note that
>>> > there are rekeying issues with that client, which usually breaks the
>>> > tunnel after ~45 minutes if you rely on username/passwords. Refer to [2]
>>> > for configuration details.
>>> >
>>> > iOS supports IKEv2 since version 8, older versions support IKEv1 only.
>>> > Refer to [3] for details about deploying configuration profiles.
>>> >
>>> > Regards
>>> > Martin
>>> >
>>> > [1] https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#C-Authentication-using-EAP-MSCHAP-v2
>>> > [2] https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
>>> > [3] https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
>>> >
>>> >
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>>
>>
>>
>
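The setup the thread is circling around (gateway authenticates with its certificate, client authenticates with EAP-MSCHAPv2 only, no client certificate) looks like the following; this is an added example for strongSwan 5.2.x, not the configuration from the thread's pastes. The client still has to trust the CA that issued the gateway certificate, either because that CA is already in the Android system store or because the CA certificate is imported once; the file names serverCert.pem, the virtual IP pool and the EAP password are assumptions, and the "no trusted RSA public key" error goes away only when the identity in leftid matches a subjectAltName of the presented certificate.

```ini
# /etc/ipsec.conf (added example, assumed file names)
config setup

conn android
    keyexchange=ikev2
    # gateway side: authenticate with the server certificate
    left=%any
    # must equal a subjectAltName in the server certificate
    leftid=54.169.64.53
    # assumed name of the certificate in /etc/ipsec.d/certs
    leftcert=serverCert.pem
    # the client has no local copy, so always send the chain
    leftsendcert=always
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    # client side: username/password only, no client certificate
    right=%any
    rightauth=eap-mschapv2
    rightsendcert=never
    # assumed virtual IP pool handed out to clients
    rightsourceip=10.10.10.0/24
    # look up the EAP secret by the identity sent in EAP-Identity
    eap_identity=%identity
    auto=add

# /etc/ipsec.secrets (added example)
# private key is an unencrypted PEM in /etc/ipsec.d/private;
# an encrypted key needs its passphrase: : RSA serverKey.pem "passphrase"
: RSA serverKey.pem
# 'app' is the EAP identity visible in the thread's log; password assumed
app : EAP "assumed-password"
```

After editing, `ipsec rereadsecrets` and `ipsec listcerts` show whether the private key was parsed and matched to the certificate, which is the check for the "building CRED_PRIVATE_KEY - RSA failed" error above.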