[strongSwan] strongswan without client certificate

Imran Akbar skunkwerk at gmail.com
Fri Dec 5 19:53:06 CET 2014


Hey Noel,

thanks for your continued help.
I generated a self-signed CA on my server and put it into the correct
directories.

While I can install (and have previously installed) the CA certificate myself on
the Android client, I don't want the other users who aren't as tech-savvy
to have to do this step.  It also requires them to set up a PIN code for
their phone's home screen, which not everyone wants to have to do.

If I used a paid, non-self-signed CA certificate that's tied back to one of
the root certificates already installed on Android, would that solve this
issue?

regards,
imran





On Fri, Dec 5, 2014 at 10:19 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:

>
> Hello Imran,
>
> Do you have a CA? You need to have your CA installed on all devices.
>
> Try adding the DNS name you're connecting to in an additional SAN field by
> adding --san DNSNAME to
> the ipsec pki command used to generate the server certificate.
>
> Kind regards/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 05.12.2014 at 19:16, Imran Akbar wrote:
> > I've gotten past that issue by ensuring I was using the IP when generating the certificates, as in:
> > http://endlessroad1991.blogspot.com/2014/04/setup-ipsec-vpn-on-ec2.html
> >
> > but now the client cannot verify the server with the message "verifying gateway authentication failed"
> > and in the client log:
> > "no trusted RSA public key found for 'C=CN, O=strongSwan, CN=54.169.64.53'"
> >
> > How can I verify the server without installing its public key on every client, or using a PSK (which the Android client doesn't support)?
> >
> > thanks,
> > imran
> >
> > On Fri, Dec 5, 2014 at 9:04 AM, Imran Akbar <skunkwerk at gmail.com> wrote:
> >
> >     When I change the ipsec.conf from:
> >     rightauth=psk
> >     righauth2=eap-mschapv2
> >
> >     to:
> >     rightauth=eap-mschapv2
> >
> >     the server log now contains:
> >     Dec  5 16:46:34 ip-172-31-26-153 charon: 14[CFG] looking for peer configs matching 172.31.26.153[%any]...172.56.39.247[app]
> >     Dec  5 16:46:34 ip-172-31-26-153 charon: 14[CFG] selected peer config 'android'
> >     Dec  5 16:46:34 ip-172-31-26-153 charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
> >     Dec  5 16:46:34 ip-172-31-26-153 charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> >     Dec  5 16:46:34 ip-172-31-26-153 charon: 14[IKE] peer supports MOBIKE
> >     Dec  5 16:46:34 ip-172-31-26-153 charon: 14[CFG] no IDr configured, fall back on IP address
> >     Dec  5 16:46:34 ip-172-31-26-153 charon: 14[IKE] authentication of '172.31.26.153' (myself) with pre-shared key
> >     Dec  5 16:46:34 ip-172-31-26-153 charon: 14[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
> >     Dec  5 16:46:34 ip-172-31-26-153 charon: 14[NET] sending packet: from 172.31.26.153[4500] to 172.56.39.247[63277] (124 bytes)
> >     Dec  5 16:46:34 ip-172-31-26-153 charon: 15[NET] received packet: from 172.56.39.247[63277] to 172.31.26.153[4500] (76 bytes)
> >     Dec  5 16:46:34 ip-172-31-26-153 charon: 15[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
> >
> >     and I get a different error message in the client log:
> >     no shared key found for 'app'
> >
> >     As I was never prompted for the PSK in the app, I'm guessing the Android client doesn't support it?
> >     Therefore, the only way to get this working is for the server to authenticate with a certificate, it seems.
> >     Which isn't working, as it's not parsing my private key properly.
> >
> >     thanks,
> >     imran
> >
> >     On Fri, Dec 5, 2014 at 8:41 AM, Imran Akbar <skunkwerk at gmail.com> wrote:
> >
> >         Hey Thomas,
> >
> >         Here's my latest attempt to get a setup working without requiring client certificates.
> >
> >         Client is Strongswan Android, server is running Strongswan 5.2.2 on a fresh Ubuntu 14 server on EC2 with UDP ports 500 and 4500 opened.
> >         Client is connecting via IKEv2 username/password.
> >
> >         Is PSK the same as the "EAP username/password" option in the Strongswan android client?  I have a feeling it's not, i.e. this config will not work for EAP-MSCHAPv2:
> >         http://www.strongswan.org/uml/testresults/ikev2/rw-psk-ipv4/
> >
> >         But there's no documentation on a version of this one without the gateway authenticating via an RSA key:
> >         http://www.strongswan.org/uml/testresults/ikev2/rw-eap-mschapv2-id-rsa/
> >
> >         I've tried with the gateway authenticating itself using a certificate, and with PSK - both have the same error:
> >         *"peer requested EAP, config inacceptable"*
> >
> >         In addition, the gateway seems unable to parse my private server key:
> >         *building CRED_PRIVATE_KEY - RSA failed*, tried 5 builders
> >         Dec  5 16:15:13 ip-172-31-26-153 charon: 00[CFG]   loading private key from '/etc/ipsec.d/private/serverKey.pem' failed
> >         even though I see openssl, pkcs1, and pem in my plugins - though I'm not sure which ones weren't loaded, as it doesn't say in the log.
> >
> >         attempt 1 - with gateway using public key:
> >         ipsec.conf: https://pastee.org/z8234
> >         ipsec.secrets: https://pastee.org/mva6t
> >         server log: https://pastee.org/t2ahc
> >
> >         attempt 2 - with gateway using PSK:
> >         ipsec.conf: https://pastee.org/f4fbp
> >         ipsec.secrets: https://pastee.org/mva6t
> >         server log: https://pastee.org/6yd8q
> >
> >         Can someone please help?
> >
> >         thanks,
> >         imran
> >
> >         On Thu, Dec 4, 2014 at 3:21 AM, Thomas <jk at c.vu> wrote:
> >
> >             Hi,
> >
> >             OK, so I have to change my EAP-MSCHAPv2 configuration.
> >             I've tested a lot, but don't find any ipsec configuration where the
> >             client doesn't need the certificate installed locally.
> >
> >             Do you have any ideas based on my posted ipsec.conf?
> >
> >             Best regards
> >             Thomas
> >
> >             On 04.12.2014 10:40, Martin Willi wrote:
> >             > Hi,
> >             >
> >             >> Any idea what's the best authentication method for username/password only
> >             >> on client-side? EAP-MD5?
> >             >> The client should be able to connect via windows ikev2 native clients,
> >             >> the strongswan android-app,
> >             > If you want to use the native Windows IKEv2 Agile VPN client, there is
> >             > no way around EAP-MSCHAPv2 for username/password authentication. You
> >             > could wrap that in PEAP/TTLS, but that most likely makes no sense for
> >             > your setup. The Android App supports EAP-MSCHAPv2 as well. Refer to [1]
> >             > for configuration details.
> >             >
> >             >> and the native clients from osx/ios.
> >             > OS X does not natively support IKEv2. You'd have to stick to IKEv1 with
> >             > XAuth, so you need a separate configuration profile. Please note that
> >             > there are rekeying issues with that client, which usually breaks the
> >             > tunnel after ~45 minutes if you rely on username/passwords. Refer to [2]
> >             > for configuration details.
> >             >
> >             > iOS supports IKEv2 since version 8, older versions support IKEv1 only.
> >             > Refer to [3] for details about deploying configuration profiles.
> >             >
> >             > Regards
> >             > Martin
> >             >
> >             > [1] https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#C-Authentication-using-EAP-MSCHAP-v2
> >             > [2] https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
> >             > [3] https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
> >             >
> >             >
> >             >
> >             >
> >
> >             _______________________________________________
> >             Users mailing list
> >             Users at lists.strongswan.org
> >             https://lists.strongswan.org/mailman/listinfo/users
> >
>
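The thread above converges on the setup strongSwan calls rw-eap-mschapv2-id-rsa: the gateway authenticates with an RSA certificate whose CA the client must trust, and the client authenticates with EAP-MSCHAPv2 username/password, while Noel's advice is to put the DNS name the clients connect to into a SAN with `--san` when issuing the gateway certificate. The script below is an added example written for this page; it is not code from the thread or from the strongSwan project. It uses the documented `ipsec pki` options (including `--san`) and ipsec.conf keywords, and treats the host name `vpn.example.com`, the address `198.51.100.10`, the DN prefix, the user `alice`, her password and the target directories as placeholders to be replaced. The `check_config` function is the editor's own sanity check for the three mistakes visible in the thread (a `rightauth=psk` responder facing a client that only does EAP, a gateway that does not use `leftauth=pubkey`/`leftcert`, and the misspelled keyword `righauth`); the CA certificate it writes to `cacerts/caCert.pem` is still the file that has to be trusted on every client.

```shell
#!/bin/sh
# Added example, not code from the thread or from the strongSwan project:
# gateway-side setup for the scenario discussed above (gateway authenticates
# with an RSA certificate, Android client with EAP-MSCHAPv2 username/password).
# Host name, address, DN, user name, password and directories are placeholders.
set -eu

VPN_HOST="${VPN_HOST:-vpn.example.com}"   # placeholder: DNS name the clients connect to
VPN_IP="${VPN_IP:-198.51.100.10}"          # placeholder: public address of the gateway
DN_BASE="${DN_BASE:-C=CH, O=Example VPN}"  # placeholder: subject DN prefix

# Create a private CA and a gateway certificate with ipsec pki. The DNS name
# and the IP both go into subjectAltName, so the client's identity check
# succeeds whether it was pointed at the name or at the address. The CA
# certificate (cacerts/caCert.pem) is what has to be trusted on each client.
gen_pki() {
    dir="$1"                        # strongSwan credential directory, e.g. /etc/ipsec.d
    umask 077
    ipsec pki --gen --type rsa --size 4096 --outform pem > "$dir/private/caKey.pem"
    ipsec pki --self --ca --lifetime 3650 --type rsa --in "$dir/private/caKey.pem" \
        --dn "$DN_BASE, CN=Example VPN Root CA" --outform pem > "$dir/cacerts/caCert.pem"
    ipsec pki --gen --type rsa --size 4096 --outform pem > "$dir/private/serverKey.pem"
    ipsec pki --pub --in "$dir/private/serverKey.pem" --type rsa \
      | ipsec pki --issue --lifetime 1825 \
            --cacert "$dir/cacerts/caCert.pem" --cakey "$dir/private/caKey.pem" \
            --dn "$DN_BASE, CN=$VPN_HOST" --san "$VPN_HOST" --san "$VPN_IP" \
            --flag serverAuth --flag ikeIntermediate --outform pem > "$dir/certs/serverCert.pem"
}

# Write ipsec.conf and ipsec.secrets for the EAP-MSCHAPv2 road-warrior setup.
# The gateway side (left) uses pubkey with its certificate; the client side
# (right) uses EAP only, with no PSK and no client certificate requested.
write_strongswan_config() {
    dir="$1"                        # configuration directory, e.g. /etc
    cat > "$dir/ipsec.conf" <<EOF
config setup

conn android
    keyexchange=ikev2
    left=%any
    leftid=@$VPN_HOST
    leftcert=serverCert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    right=%any
    rightsourceip=10.10.10.0/24
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%identity
    auto=add
EOF
    # The RSA line points at the gateway key; each EAP line is one user.
    cat > "$dir/ipsec.secrets" <<EOF
: RSA serverKey.pem
alice : EAP "change-me"
EOF
    chmod 600 "$dir/ipsec.secrets"
}

# Check a written ipsec.conf for the mistakes that produced the errors quoted
# in the thread: a PSK responder facing an EAP-only client, a gateway that does
# not authenticate with a certificate, and a misspelled rightauth keyword.
# Prints "ok" on success, or the first problem found.
check_config() {
    conf="$1/ipsec.conf"
    if grep -q '^[[:space:]]*righauth' "$conf"; then
        echo "misspelled keyword 'righauth' (should be rightauth)"; return 1
    fi
    if grep -q '^[[:space:]]*rightauth=psk' "$conf"; then
        echo "rightauth=psk cannot serve a client that requests EAP"; return 1
    fi
    grep -q '^[[:space:]]*rightauth=eap-' "$conf" || { echo "rightauth must be an EAP method"; return 1; }
    grep -q '^[[:space:]]*leftauth=pubkey' "$conf" || { echo "gateway must use leftauth=pubkey"; return 1; }
    grep -q '^[[:space:]]*leftcert=' "$conf" || { echo "leftcert is missing"; return 1; }
    echo ok
}

case "${1-}" in
    setup)  gen_pki "${2:-/etc/ipsec.d}"; write_strongswan_config "${3:-/etc}"; check_config "${3:-/etc}" ;;
    *)      echo "usage: $0 setup [ipsec.d dir] [config dir]" >&2 ;;
esac
```

Run as `sh gateway-setup.sh setup /etc/ipsec.d /etc` on the gateway, then `ipsec reload`; the Android client is pointed at `vpn.example.com`, given the CA certificate and the EAP credentials, and needs no client certificate. Running `check_config` against a config like the one in the thread, where `rightauth=psk` is combined with a misspelled `righauth2=eap-mschapv2`, reports the typo and the PSK/EAP mismatch instead of "ok".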