[strongSwan] Setup help: No private key found with ios8 and eap-mschapv2
carl leopold
carlbright772 at gmail.com
Wed Dec 10 16:48:59 CET 2014
Hi,
I have a problem with "no private key found" for ios 8 and eap-mschapv2. I
am using strongswan 5.2.1 on ubuntu 14.04.
I am not sure if eap-mschapv2 works with 5.2.1 but its probably something i
am doing wrong. I looked for unit tests and cant find any for IOS with
eap-mschapv2.
I have a previous strongswan/freeradius setup on the same localhost and
with mysql and it works fine with Ikev1 and ios.
I have been reading these strongswan docs about Ikev2 and the supplied ios
mobile config xml sample.
https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile#Authentication-options
https://wiki.strongswan.org/issues/708
These more detailed docs i found google searching and are not on the main
site index.
I also read all the apple developer docs where i found you can also add an
additional dict for the client key to go along with the ca cert but the
thread talks about not needing it. I am not 100% sure that is now the case.
>From what I read in the support thread you can use Ikev2 and eap-mschapv2
together but not with a client key authentication. So it seems the extra
embedded xml dict is not needed.
I deployed my xml mobile config and base64 encoded the cacert correctly
onto the ipad which installs fine.
When the ios client negotiates I see great its matched to conn win7. I
expected next use the eap-mschapv2 to authenticate but instead it says in
the server logs:
Dec 10 09:28:19 vpn2 charon: 12[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 10 09:28:19 vpn2 charon: 12[IKE] no private key found for '
strongholdvpn2.ddns.net'
Full logs are given below. I am also not sure what the
ESP_TFC_PADDING_NOT_SUPPORTED means.
I have tried many combinations with/without this embedded client key dict
and it makes no difference.
Also I have a slightly tweaked (maybe more correct ?) than the win7 sample
ipsec.conf setup that works with the example mobile config eap-mschapv2 xml:
leftid=strongholdvpn2.ddns.net
rightid=*@strongholdvpn2.ddns.net
ike=aes128-sha1-modp2048!
esp=aes128-sha1!
The ike and esp now match to the recommeded xml settings in the sample
config. left and rightid now seems to work together better this way.
Please advise me what i am doing wrong as i have been at this for a while.
#rightsendcert=never does not seem to make any difference. I added in
leftsendcert=always from the advice given in the notes but makes no
difference.
Many Thanks
Carl
Full setup below:
root at vpn2:/etc/ipsec.d/certs# ipsec version
Linux strongSwan U5.2.1/K3.13.0-37-generic
$Iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp
dpt:ipsec-nat-t
ACCEPT esp -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
$ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.13.0-37-generic,
x86_64):
uptime: 5 minutes, since Dec 10 09:38:29 2014
malloc: sbrk 1486848, mmap 0, used 409872, free 1076976
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 0
loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation
constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl
fips-prf gmp xcbc hmac gcm attr kernel-netlink resolve socket-default farp
stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius
eap-tls eap-ttls eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp lookip
error-notify certexpire led addrblock unity
Virtual IP pools (size/online/offline):
10.10.3.0/24: 254/0/0
Listening IP addresses:
178.62.119.121
2a03:b0c0:1:d0::215:4001
10.131.213.244
Connections:
win7: %any...%any IKEv2, dpddelay=300s
win7: local: [strongholdvpn2.ddns.net] uses public key
authentication
win7: cert: "C=CH, O=strongSwan, CN=strongholdvpn2.ddns.net"
win7: remote: [*@strongholdvpn2.ddns.net] uses EAP_MSCHAPV2
authentication with EAP identity '%any'
win7: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
none
My ipsec.config:
conn %default
keyexchange=ikev2
ike=aes128-sha1-modp2048!
esp=aes128-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
conn win7
left=%any
leftsubnet=0.0.0.0/0
leftauth=pubkey
leftcert=vpnHostCert.pem
leftid=strongholdvpn2.ddns.net
leftsendcert=always
right=%any
rightid=*@strongholdvpn2.ddns.net
rightsourceip=10.10.3.0/24
rightauth=eap-mschapv2
eap_identity=%any
#rightsendcert=never
auto=add
Logs:
Dec 10 09:28:09 vpn2 charon: 00[DMN] Starting IKE charon daemon (strongSwan
5.2.1, Linux 3.13.0-37-generic, x86_64)
Dec 10 09:28:09 vpn2 charon: 00[DMN] agent plugin requires CAP_DAC_OVERRIDE
capability
Dec 10 09:28:09 vpn2 charon: 00[LIB] plugin 'agent': failed to load -
agent_plugin_create returned NULL
Dec 10 09:28:09 vpn2 charon: 00[DMN] xauth-pam plugin requires
CAP_AUDIT_WRITE capability
Dec 10 09:28:09 vpn2 charon: 00[LIB] plugin 'xauth-pam': failed to load -
xauth_pam_plugin_create returned NULL
Dec 10 09:28:09 vpn2 charon: 00[CFG] HA config misses local/remote address
Dec 10 09:28:09 vpn2 charon: 00[LIB] plugin 'ha': failed to load -
ha_plugin_create returned NULL
Dec 10 09:28:09 vpn2 charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Dec 10 09:28:09 vpn2 charon: 00[CFG] loaded ca certificate "C=CH,
O=strongSwan, CN=strongSwan Root CA" from
'/etc/ipsec.d/cacerts/strongswanCert.pem'
Dec 10 09:28:09 vpn2 charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Dec 10 09:28:09 vpn2 charon: 00[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'
Dec 10 09:28:09 vpn2 charon: 00[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
Dec 10 09:28:09 vpn2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Dec 10 09:28:09 vpn2 charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Dec 10 09:28:09 vpn2 charon: 00[CFG] expanding file expression
'/var/lib/strongswan/ipsec.secrets.inc' failed
Dec 10 09:28:09 vpn2 charon: 00[CFG] loaded 1 RADIUS server configuration
Dec 10 09:28:09 vpn2 charon: 00[LIB] loaded plugins: charon aes rc2 sha1
sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8
pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc hmac gcm attr
kernel-netlink resolve socket-default farp stroke updown eap-identity
eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc
xauth-generic xauth-eap tnc-tnccs dhcp lookip error-notify certexpire led
addrblock unity
Dec 10 09:28:09 vpn2 charon: 00[LIB] unable to load 5 plugin features (5
due to unmet dependencies)
Dec 10 09:28:09 vpn2 charon: 00[LIB] dropped capabilities, running as uid
0, gid 0
Dec 10 09:28:09 vpn2 charon: 00[JOB] spawning 16 worker threads
Dec 10 09:28:09 vpn2 charon: 08[NET] waiting for data on sockets
Dec 10 09:28:09 vpn2 charon: 05[CFG] received stroke: add connection 'win7'
Dec 10 09:28:09 vpn2 charon: 05[CFG] conn win7
Dec 10 09:28:09 vpn2 charon: 05[CFG] left=%any
Dec 10 09:28:09 vpn2 charon: 05[CFG] leftsubnet=0.0.0.0/0
Dec 10 09:28:09 vpn2 charon: 05[CFG] leftauth=pubkey
Dec 10 09:28:09 vpn2 charon: 05[CFG] leftid=strongholdvpn2.ddns.net
Dec 10 09:28:09 vpn2 charon: 05[CFG] leftcert=vpnHostCert.pem
Dec 10 09:28:09 vpn2 charon: 05[CFG] right=%any
Dec 10 09:28:09 vpn2 charon: 05[CFG] rightsourceip=10.10.3.0/24
Dec 10 09:28:09 vpn2 charon: 05[CFG] rightauth=eap-mschapv2
Dec 10 09:28:09 vpn2 charon: 05[CFG] rightid=*@strongholdvpn2.ddns.net
Dec 10 09:28:09 vpn2 charon: 05[CFG] eap_identity=%any
Dec 10 09:28:09 vpn2 charon: 05[CFG] ike=aes128-sha1-modp2048!
Dec 10 09:28:09 vpn2 charon: 05[CFG] esp=aes128-sha1!
Dec 10 09:28:09 vpn2 charon: 05[CFG] dpddelay=300
Dec 10 09:28:09 vpn2 charon: 05[CFG] dpdtimeout=150
Dec 10 09:28:09 vpn2 charon: 05[CFG] dpdaction=1
Dec 10 09:28:09 vpn2 charon: 05[CFG] mediation=no
Dec 10 09:28:09 vpn2 charon: 05[CFG] keyexchange=ikev2
Dec 10 09:28:09 vpn2 charon: 05[CFG] left nor right host is our side,
assuming left=local
Dec 10 09:28:09 vpn2 charon: 05[CFG] adding virtual IP address pool
10.10.3.0/24
Dec 10 09:28:09 vpn2 charon: 05[CFG] loaded certificate "C=CH,
O=strongSwan, CN=strongholdvpn2.ddns.net" from 'vpnHostCert.pem'
Dec 10 09:28:09 vpn2 charon: 05[CFG] added configuration 'win7'
Dec 10 09:28:18 vpn2 charon: 08[NET] received packet: from
195.102.55.203[500] to 178.62.119.121[500]
Dec 10 09:28:18 vpn2 charon: 08[NET] waiting for data on sockets
Dec 10 09:28:18 vpn2 charon: 11[NET] received packet: from
195.102.55.203[500] to 178.62.119.121[500] (416 bytes)
Dec 10 09:28:18 vpn2 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) ]
Dec 10 09:28:18 vpn2 charon: 11[CFG] looking for an ike config for
178.62.119.121...195.102.55.203
Dec 10 09:28:18 vpn2 charon: 11[CFG] candidate: %any...%any, prio 28
Dec 10 09:28:18 vpn2 charon: 11[CFG] found matching ike config: %any...%any
with prio 28
Dec 10 09:28:18 vpn2 charon: 11[IKE] 195.102.55.203 is initiating an IKE_SA
Dec 10 09:28:18 vpn2 charon: 11[IKE] IKE_SA (unnamed)[1] state change:
CREATED => CONNECTING
Dec 10 09:28:18 vpn2 charon: 11[CFG] selecting proposal:
Dec 10 09:28:18 vpn2 charon: 11[CFG] proposal matches
Dec 10 09:28:18 vpn2 charon: 11[CFG] received proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Dec 10 09:28:18 vpn2 charon: 11[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Dec 10 09:28:18 vpn2 charon: 11[CFG] selected proposal:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Dec 10 09:28:18 vpn2 charon: 11[IKE] remote host is behind NAT
Dec 10 09:28:18 vpn2 charon: 11[IKE] sending cert request for "C=CH,
O=strongSwan, CN=strongSwan Root CA"
Dec 10 09:28:18 vpn2 charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Dec 10 09:28:18 vpn2 charon: 11[NET] sending packet: from
178.62.119.121[500] to 195.102.55.203[500] (465 bytes)
Dec 10 09:28:18 vpn2 charon: 09[NET] sending packet: from
178.62.119.121[500] to 195.102.55.203[500]
Dec 10 09:28:19 vpn2 charon: 08[NET] received packet: from
195.102.55.203[4500] to 178.62.119.121[4500]
Dec 10 09:28:19 vpn2 charon: 08[NET] waiting for data on sockets
Dec 10 09:28:19 vpn2 charon: 12[NET] received packet: from
195.102.55.203[4500] to 178.62.119.121[4500] (364 bytes)
Dec 10 09:28:19 vpn2 charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi
N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6)
N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Dec 10 09:28:19 vpn2 charon: 12[CFG] looking for peer configs matching
178.62.119.121[strongholdvpn2.ddns.net]...195.102.55.203[
client at strongholdvpn2.ddns.net]
Dec 10 09:28:19 vpn2 charon: 12[CFG] candidate "win7", match: 20/19/28
(me/other/ike)
Dec 10 09:28:19 vpn2 charon: 12[CFG] selected peer config 'win7'
Dec 10 09:28:19 vpn2 charon: 12[IKE] initiating EAP_IDENTITY method (id
0x00)
Dec 10 09:28:19 vpn2 charon: 12[IKE] processing INTERNAL_IP4_ADDRESS
attribute
Dec 10 09:28:19 vpn2 charon: 12[IKE] processing INTERNAL_IP4_DHCP attribute
Dec 10 09:28:19 vpn2 charon: 12[IKE] processing INTERNAL_IP4_DNS attribute
Dec 10 09:28:19 vpn2 charon: 12[IKE] processing INTERNAL_IP4_NETMASK
attribute
Dec 10 09:28:19 vpn2 charon: 12[IKE] processing INTERNAL_IP6_ADDRESS
attribute
Dec 10 09:28:19 vpn2 charon: 12[IKE] processing INTERNAL_IP6_DHCP attribute
Dec 10 09:28:19 vpn2 charon: 12[IKE] processing INTERNAL_IP6_DNS attribute
Dec 10 09:28:19 vpn2 charon: 12[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 10 09:28:19 vpn2 charon: 12[IKE] no private key found for '
strongholdvpn2.ddns.net'
Dec 10 09:28:19 vpn2 charon: 12[ENC] generating IKE_AUTH response 1 [
N(AUTH_FAILED) ]
Dec 10 09:28:19 vpn2 charon: 12[NET] sending packet: from
178.62.119.121[4500] to 195.102.55.203[4500] (76 bytes)
Dec 10 09:28:19 vpn2 charon: 09[NET] sending packet: from
178.62.119.121[4500] to 195.102.55.203[4500]
Dec 10 09:28:19 vpn2 charon: 12[IKE] IKE_SA win7[1] state change:
CONNECTING => DESTROYING
Key setup:
cd /etc/ipsec.d/
ipsec pki --gen --type rsa --size 4096 --outform pem >
private/strongswanKey.pem
cat private/strongswanKey.pem
chmod 600 private/strongswanKey.pem
ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type
rsa --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" --outform pem >
cacerts/strongswanCert.pem
cat cacerts/strongswanCert.pem
ipsec pki --print --in cacerts/strongswanCert.pem
ipsec pki --gen --type rsa --size 4096 --outform pem >
private/vpnHostKey.pem
chmod 600 private/vpnHostKey.pem
ipsec pki --pub --in private/vpnHostKey.pem --type rsa | ipsec pki --issue
--lifetime 730 --cacert cacerts/strongswanCert.pem --cakey
private/strongswanKey.pem --dn "C=CH, O=strongSwan, CN=
strongholdvpn2.ddns.net" --sanstrongholdvpn2.ddns.net --flag serverAuth
--flag ikeIntermediate --outform pem > certs/vpnHostCert.pem
ipsec pki --print --in certs/vpnHostCert.pem
ipsec pki --gen --type rsa --size 4096 --outform pem > private/RsaKey.pem
chmod private/RsaKey.pem
chmod 600 private/RsaKey.pem
ipsec pki --pub --in private/RsaKey.pem --type rsa | ipsec pki --issue
--lifetime 730 --cacert cacerts/strongswanCert.pem --cakey
private/strongswanKey.pem --dn "C=CH, O=strongSwan, CN=client at yahoo.com"
--san client at yahoo.com --outform pem > certs/RsaCert.pem
openssl pkcs12 -export -inkey private/RsaKey.pem -in certs/RsaCert.pem
-name "Ecdsa VPN Certificate" -certfile cacerts/strongswanCert.pem -caname
"StrongSwan Root CA" -out RsaUser.p12
Strongswan.conf
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
eap-radius {
class_group = yes
eap_start = yes
servers {
primary {
address = localhost
secret =sharedsec
nas_identifer = ipsec-gateway
sockets = 20
}
}
}
}
}
include strongswan.d/*.conf
Mobile config XML:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "
http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<!-- Set the name to whatever you like, it is used in the profile list
on the device -->
<key>PayloadDisplayName</key>
<string>Strong Hold VPN2</string>
<!-- This is a reverse-DNS style unique identifier used to detect
duplicate profiles -->
<key>PayloadIdentifier</key>
<string>strongholdvpn2</string>
<!-- A globally unique identifier, use uuidgen on Linux/Mac OS X to
generate it -->
<key>PayloadUUID</key>
<string>1f93912b-5fd2-4455-99fd-13b9a47b4582</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadContent</key>
<array>
<!-- It is possible to add multiple VPN payloads with different
identifiers/UUIDs and names -->
<dict>
<!-- This is an extension of the identifier given above -->
<key>PayloadIdentifier</key>
<string>StrongHoldVPN2</string>
<!-- A globally unique identifier for this payload -->
<key>PayloadUUID</key>
<string>82e4456d-3f03-4f15-b26f-4225d89465b7</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadVersion</key>
<integer>1</integer>
<!-- This is the name of the VPN conneciton as seen in the VPN
application later -->
<key>UserDefinedName</key>
<string>StrongHold VPN2</string>
<key>VPNType</key>
<string>IKEv2</string>
<key>IKEv2</key>
<dict>
<!-- Hostname or IP address of the VPN server -->
<key>RemoteAddress</key>
<string>strongholdvpn2.ddns.net</string>
<!-- Remote identity, can be a FQDN, a userFQDN, an IP or
(theoretically) a certificate's subject DN. Can't be empty.
IMPORTANT: DNs are currently not handled correctly,
they are always sent as identities of type FQDN -->
<key>RemoteIdentifier</key>
<string>strongholdvpn2.ddns.net</string>
<!-- Local IKE identity, same restrictions as above. If it
is empty the client's IP address will be used -->
<key>LocalIdentifier</key>
<string>client at strongholdvpn2.ddns.net</string>
<!-- Optional, if it matches the CN of the root CA
certificate (not the full subject DN) a certificate request will be sent
NOTE: If this is not configured make sure to configure
leftsendcert=always on the server, otherwise it won't send its certificate
-->
<key>ServerCertificateIssuerCommonName</key>
<string>Example Root CA</string>
<!-- Optional, the CN or one of the subjectAltNames of the
server certificate to verify it, if not set RemoteIdentifier will be used
-->
<key>ServerCertificateCommonName</key>
<string>RsaCert.pem</string>
<!-- The server is authenticated using a certificate -->
<key>AuthenticationMethod</key>
<string>Certificate</string>
<!-- The client uses EAP to authenticate -->
<key>ExtendedAuthEnabled</key>
<integer>1</integer>
<!-- User name for EAP authentication, must be set as there
is currently no prompt during installation.
IMPORTANT: Because there is no prompt and this value
cannot be changed later on the device a separate profile is required for
every user -->
<key>AuthName</key>
<string>carl</string>
<!-- Optional password for EAP authentication, if it is not
set the user is prompted when the profile is installed
<key>AuthPassword</key>
<string>connect1</string>
-->
<!-- The next two dictionaries are optional (as are the
keys in them), but it is recommended to specify them as the default is to
use 3DES.
IMPORTANT: Because only one proposal is sent (even if
nothing is configured here) it must match the server configuration -->
<key>IKESecurityAssociationParameters</key>
<dict>
<key>EncryptionAlgorithm</key>
<string>AES-128</string>
<key>IntegrityAlgorithm</key>
<string>SHA1-96</string>
<key>DiffieHellmanGroup</key>
<integer>14</integer>
</dict>
<key>ChildSecurityAssociationParameters</key>
<dict>
<key>EncryptionAlgorithm</key>
<string>AES-128</string>
<key>IntegrityAlgorithm</key>
<string>SHA1-96</string>
<key>DiffieHellmanGroup</key>
<integer>14</integer>
</dict>
</dict>
</dict>
<!-- This payload is optional but it provides an easy way to install the CA
certificate together with the configuration -->
<dict>
<key>PayloadIdentifier</key>
<string>StrongHoldVPN2</string>
<key>PayloadUUID</key>
<string>18587b2c-33e0-4adf-a432-6fbcae543408</string>
<key>PayloadType</key>
<string>com.apple.security.root</string>
<key>PayloadVersion</key>
<integer>1</integer>
<!-- This is the Base64 (PEM) encoded CA certificate -->
<key>PayloadContent</key>
<data>
LS0tL (trunkated for this brevity)==
</data>
</dict>
</array>
</dict>
</plist>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20141210/4d610929/attachment-0001.html>
More information about the Users
mailing list