[strongSwan] strongswan without client certificate
Noel Kuntze
noel at familie-kuntze.de
Fri Dec 5 19:19:09 CET 2014
Hello Imran,
Do you have a CA? You need to have your CA installed on all devices.
Try adding the DNS name you're connecting to in an additional SAN field by adding --san DNSNAME to
the ipsec pki command used to generate the server certificate.
Kind regards/Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
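As an added illustration of the advice above (example configuration written for this page, not taken from anyone in the thread), here is a minimal ipsec.conf and ipsec.secrets pair for the setup Imran describes: the gateway authenticates with a certificate whose subjectAltName matches its identity, and the Android client authenticates with EAP-MSCHAPv2 only, with no client certificate. The hostname vpn.example.com, the user name and the password are placeholders; 54.169.64.53 is the gateway address from the client log quoted below, and the file paths are strongSwan's defaults.

```ini
# /etc/ipsec.conf (added example, not from the thread)
#
# The server certificate must carry the identity the client connects to
# (DNS name and/or IP address) as a subjectAltName, and the issuing CA
# must be installed on every client. If either is missing, the client
# reports "no trusted RSA public key found for 'C=CN, O=strongSwan, CN=...'".
# Issue the certificate with both SANs, for example:
#   ipsec pki --pub --in serverKey.pem --type rsa | ipsec pki --issue \
#       --cacert caCert.pem --cakey caKey.pem \
#       --dn "C=CN, O=strongSwan, CN=vpn.example.com" \
#       --san vpn.example.com --san 54.169.64.53 \
#       --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem

config setup
    uniqueids=never

conn android
    keyexchange=ikev2
    # gateway side: certificate authentication (not PSK; the Android
    # client expects the gateway to present a certificate)
    left=%any
    # leftid must match one of the SANs in serverCert.pem
    leftid=@vpn.example.com
    # /etc/ipsec.d/certs/serverCert.pem
    leftcert=serverCert.pem
    leftauth=pubkey
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    # client side: username/password only, single rightauth line,
    # no PSK round before EAP
    right=%any
    rightauth=eap-mschapv2
    rightsendcert=never
    rightsourceip=10.10.10.0/24
    eap_identity=%identity
    auto=add

# /etc/ipsec.secrets
# unencrypted PEM private key for serverCert.pem, in /etc/ipsec.d/private/
: RSA serverKey.pem
# EAP-MSCHAPv2 users, one per line: username : EAP "password"
imran : EAP "replace-with-a-strong-password"
```

After reloading with `ipsec reload` and `ipsec rereadsecrets`, the server log should show "authentication of 'vpn.example.com' (myself) with RSA signature" instead of the pre-shared key line seen in Imran's log.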
On 05.12.2014 at 19:16, Imran Akbar wrote:
> I've gotten past that issue by ensuring I was using the IP when generating the certificates, as in:
> http://endlessroad1991.blogspot.com/2014/04/setup-ipsec-vpn-on-ec2.html
>
> but now the client cannot verify the server with the message "verifying gateway authentication failed"
> and in the client log:
> "no trusted RSA public key found for 'C=CN, O=strongSwan, CN=54.169.64.53'"
>
> How can I verify the server without installing its public key on every client, or using a PSK (which the Android client doesn't support)?
>
> thanks,
> imran
>
> On Fri, Dec 5, 2014 at 9:04 AM, Imran Akbar <skunkwerk at gmail.com> wrote:
>
> When I change the ipsec.conf from:
> rightauth=psk
> righauth2=eap-mschapv2
>
> to:
> rightauth=eap-mschapv2
>
> the server log now contains:
> Dec 5 16:46:34 ip-172-31-26-153 charon: 14[CFG] looking for peer configs matching 172.31.26.153[%any]...172.56.39.247[app]
> Dec 5 16:46:34 ip-172-31-26-153 charon: 14[CFG] selected peer config 'android'
> Dec 5 16:46:34 ip-172-31-26-153 charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
> Dec 5 16:46:34 ip-172-31-26-153 charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Dec 5 16:46:34 ip-172-31-26-153 charon: 14[IKE] peer supports MOBIKE
> Dec 5 16:46:34 ip-172-31-26-153 charon: 14[CFG] no IDr configured, fall back on IP address
> Dec 5 16:46:34 ip-172-31-26-153 charon: 14[IKE] authentication of '172.31.26.153' (myself) with pre-shared key
> Dec 5 16:46:34 ip-172-31-26-153 charon: 14[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
> Dec 5 16:46:34 ip-172-31-26-153 charon: 14[NET] sending packet: from 172.31.26.153[4500] to 172.56.39.247[63277] (124 bytes)
> Dec 5 16:46:34 ip-172-31-26-153 charon: 15[NET] received packet: from 172.56.39.247[63277] to 172.31.26.153[4500] (76 bytes)
> Dec 5 16:46:34 ip-172-31-26-153 charon: 15[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>
> and I get a different error message in the client log:
> no shared key found for 'app'
>
> As I was never prompted for the PSK in the app, I'm guessing the Android client doesn't support it?
> Therefore, the only way to get this working is for the server to authenticate with a certificate, it seems.
> Which isn't working, as it's not parsing my private key properly.
>
> thanks,
> imran
>
> On Fri, Dec 5, 2014 at 8:41 AM, Imran Akbar <skunkwerk at gmail.com> wrote:
>
> Hey Thomas,
>
> Here's my latest attempt to get a setup working without requiring client certificates.
>
> Client is Strongswan Android, server is running Strongswan 5.2.2 on a fresh Ubuntu 14 server on EC2 with UDP ports 500 and 4500 opened.
> Client is connecting via IKEv2 username/password.
>
> Is PSK the same as the "EAP username/password" option in the Strongswan android client? I have a feeling it's not, i.e. this config will not work for EAP-MSCHAPv2: http://www.strongswan.org/uml/testresults/ikev2/rw-psk-ipv4/
>
> But there's no documentation on a version of this one without the gateway authenticating via a RSA key:
> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-mschapv2-id-rsa/
>
> I've tried with the gateway authenticating itself using a certificate, and with PSK - both have the same error:
> *"peer requested EAP, config inacceptable"*
>
> In addition, the gateway seems unable to parse my private server key:
> *building CRED_PRIVATE_KEY - RSA failed*, tried 5 builders
> Dec 5 16:15:13 ip-172-31-26-153 charon: 00[CFG] loading private key from '/etc/ipsec.d/private/serverKey.pem' failed
> even though I see openssl, pkcs1, and pem in my plugins - though I'm not sure which ones weren't loaded, as it doesn't say in the log.
>
> attempt 1 - with gateway using public key:
> ipsec.conf: https://pastee.org/z8234
> ipsec.secrets: https://pastee.org/mva6t
> server log: https://pastee.org/t2ahc
>
> attempt 2 - with gateway using PSK:
> ipsec.conf: https://pastee.org/f4fbp
> ipsec.secrets: https://pastee.org/mva6t
> server log: https://pastee.org/6yd8q
>
> Can someone please help?
>
> thanks,
> imran
>
> On Thu, Dec 4, 2014 at 3:21 AM, Thomas <jk at c.vu> wrote:
>
> Hi,
>
> ok, so I have to change my EAP-MSCHAPv2 configuration.
> I've tested a lot, but can't find any ipsec configuration where the
> client doesn't need the certificate installed locally.
>
> Do you have any ideas based on my posted ipsec.conf ?
>
> Best regards
> Thomas
>
> On 04.12.2014 10:40, Martin Willi wrote:
> > Hi,
> >
> >> Any idea what's the best authentication method for username/password only
> >> on client-side? EAP-MD5?
> >> The client should be able to connect via windows ikev2 native clients,
> >> the strongswan android-app,
> > If you want to use the native Windows IKEv2 Agile VPN client, there is
> > no way around EAP-MSCHAPv2 for username/password authentication. You
> > could wrap that in PEAP/TTLS, but that most likely makes no sense for
> > your setup. The Android App supports EAP-MSCHAPv2 as well. Refer to [1]
> > for configuration details.
> >
> >> and the native clients from osx/ios.
> > OS X does not natively support IKEv2. You'd have to stick to IKEv1 with
> > XAuth, so you need a separate configuration profile. Please note that
> > there are rekeying issues with that client, which usually breaks the
> > tunnel after ~45 minutes if you rely on username/passwords. Refer to [2]
> > for configuration details.
> >
> > iOS supports IKEv2 since version 8, older versions support IKEv1 only.
> > Refer to [3] for details about deploying configuration profiles.
> >
> > Regards
> > Martin
> >
> > [1]https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#C-Authentication-using-EAP-MSCHAP-v2
> > [2]https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
> > [3]https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
> >
> >
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>