[strongSwan] certificate only vpn connection with mac

Cindy Moore ctmoore at cs.ucsd.edu
Fri Dec 12 23:19:01 CET 2014


I'm really at a loss over this one.  I can get the connections going
with other clients; for example, Network Manager on an Ubuntu 14.04 has
no difficulties connecting with my strongswan server.

This seems to be a possible clue:
Dec 11 12:47:54 vpn charon: 10[IKE] found 1 matching config, but none
allows RSA signature authentication using Main Mode

But I'm not sure how to interpret it, or begin to address it.

I'm also unsure about how the Mac's VPN connection should be
configured (I haven't found an equivalent to
https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager
under the HOWTOs for a Mac VPN setup), so I don't know if it's some
kind of problem that I can't select the VPN host certificate from the
VPN setup dialog even though it shows up just fine in the system
keychain.  Any thoughts?

On Thu, Dec 11, 2014 at 1:20 PM, Cindy Moore <ctmoore at cs.ucsd.edu> wrote:
> I'm trying to get a basic connection going with a Mac OS X client to
> strongswan (latest) installed on Ubuntu (14.04 LTS).  I'm not entirely
> certain what is going on.  It seems like the client isn't sending the
> desired certificate.  In the log file, vpnHostCert doesn't seem to
> play a part at all, which I find unexpected.
>
> When I set up the Mac I sent the p12 packages over to the Mac and added
> the three of them (root, vpnHost, cindy) to the system keychain.
> What's weird, though, is that I can only seem to select, for both User
> Authentication certificate & Machine Authentication certificate, the
> one identified with ctmoore@example.com (I had expected to select that
> for User Auth, and the vpn.example.com for Machine Auth) -- all three
> (root, vpn, cindy) certificates are visible in the system keychain,
> but only the cindy one appears in the list of options when selecting
> User/Machine Auth in setting up a VPN connection on the Mac.  I set
> the strongswan root up as a trusted cert, and authorized the use of
> all three in any kind of setting.
>
>
> Overview of setup (syslog copy at end)
>
>
> Created the certificates.  Sorry, my email program is eating tabs.
>
> ========
> "root":
> ipsec pki --gen --type rsa --size 4096 \
> --outform pem > private/strongswanKey.pem
> chmod 600 private/strongswanKey.pem
> ipsec pki --self --ca --lifetime 3650 \
> --in private/strongswanKey.pem --type rsa \
> --dn "C=US, O=ThatsUs, CN=strongSwan Root CA" \
> --outform pem > cacerts/strongswanCert.pem
>
> ========
> host:
> ipsec pki --gen --type rsa --size 2048 \
> --outform pem > private/vpnHostKey.pem
> chmod 600 private/vpnHostKey.pem
> ipsec pki --pub --in private/vpnHostKey.pem --type rsa | \
> ipsec pki --issue --lifetime 730 \
> --cacert cacerts/strongswanCert.pem \
> --cakey private/strongswanKey.pem \
> --dn "C=US, O=ThatsUs, CN=vpn.example.com" \
> --san vpn.example.com \
> --flag serverAuth --flag ikeIntermediate \
> --outform pem > certs/vpnHostCert.pem
>
> ipsec pki --print looks okay for both
>
> ========
> created p12 packages
> # openssl pkcs12 -export -in certs/vpnHostCert.pem -nokeys -nodes \
> -out exports/vpnHost.p12
> Enter Export Password:
> Verifying - Enter Export Password:
>
> # openssl pkcs12 -export -in cacerts/strongswanCert.pem -nokeys -nodes \
> -out exports/strongSwan.p12
> Enter Export Password:
> Verifying - Enter Export Password:
>
> ========
> client certificate
> ipsec pki --gen --type rsa --size 2048 \
> --outform pem > private/cindyKey.pem
> chmod 600 private/cindyKey.pem
> ipsec pki --pub --in private/cindyKey.pem --type rsa | \
> ipsec pki --issue --lifetime 730 \
> --cacert cacerts/strongswanCert.pem \
> --cakey private/strongswanKey.pem \
> --dn "C=US, O=ThatsUs, CN=ctmoore@example.com" \
> --san ctmoore@example.com \
> --outform pem > certs/cindyCert.pem
>
> (plus p12 packaging)
>
> ========
> ipsec.secrets
> : RSA vpnHostKey.pem
>
> =========
> ipsec.conf
>
> conn %default
>         ikelifetime=60m
>         keylife=60m
>         rekeymargin=3m
>         keyingtries=1
>         #vpn server
>         left=[vpn ip]
>         leftcert=vpnHostCert.pem
>         # certificate based ID
>         leftid="C=US, O=strongSwan, CN=vpn.example.com"
>         #allow full tunneling
>         leftsubnet=0.0.0.0/0
>         #assign ip addr from this pool
>         rightsourceip=[...]
>         # assign dns servers once connected
>         rightdns=[...]
>
> ca %default
>         cacert=strongswanCert.pem
>
> # certificate only
> conn roadwarrior-ikev2
>         keyexchange=ikev2
>         leftauth=pubkey
>         right=%any
>         rightid=%any
>         rightauth=pubkey
>         auto=add
>
> # certificate only, fakeout on xauth (for eg Mac/iOS that must do
> # xauth. and ikev1 for that matter)
> conn roadwarrior-ikev1
>         keyexchange=ikev1
>         leftauth=pubkey
>         right=%any
>         rightid=%any
>         rightauth=pubkey
>         rightauth2=xauth-noauth
>         auto=add
>
>
> ========
>
>
> Using the same ctmoore cert for User/Machine auth in the Mac VPN and
> connecting anyway, I get the following in the syslog.
>
> I find the
> Dec 11 12:47:54 vpn charon: 10[IKE] found 1 matching config, but none
> allows RSA signature authentication using Main Mode
> entry interesting, but I don't know if that's the issue, and if it is,
> what I can do about it.
>
>
> /var/log/syslog
> ========
> Dec 11 12:47:54 vpn charon: 02[NET] received packet: from [client
> ip][500] to [vpn ip][500]
> Dec 11 12:47:54 vpn charon: 02[NET] waiting for data on sockets
> Dec 11 12:47:54 vpn charon: 04[NET] received packet: from [client
> ip][500] to [vpn ip][500] (300 bytes)
> Dec 11 12:47:54 vpn charon: 04[ENC] parsed ID_PROT request 0 [ SA V V
> V V V V V V V V V ]
> Dec 11 12:47:54 vpn charon: 04[CFG] looking for an ike config for [vpn
> ip]...[client ip]
> Dec 11 12:47:54 vpn charon: 04[CFG]   candidate: [vpn ip]...%any, prio 1052
> Dec 11 12:47:54 vpn charon: 04[CFG] found matching ike config: [vpn
> ip]...%any with prio 1052
> Dec 11 12:47:54 vpn charon: 04[IKE] received NAT-T (RFC 3947) vendor ID
> Dec 11 12:47:54 vpn charon: 04[IKE] received
> draft-ietf-ipsec-nat-t-ike vendor ID
> Dec 11 12:47:54 vpn charon: 04[IKE] received
> draft-ietf-ipsec-nat-t-ike-08 vendor ID
> Dec 11 12:47:54 vpn charon: 04[IKE] received
> draft-ietf-ipsec-nat-t-ike-07 vendor ID
> Dec 11 12:47:54 vpn charon: 04[IKE] received
> draft-ietf-ipsec-nat-t-ike-06 vendor ID
> Dec 11 12:47:54 vpn charon: 04[IKE] received
> draft-ietf-ipsec-nat-t-ike-05 vendor ID
> Dec 11 12:47:54 vpn charon: 04[IKE] received
> draft-ietf-ipsec-nat-t-ike-04 vendor ID
> Dec 11 12:47:54 vpn charon: 04[IKE] received
> draft-ietf-ipsec-nat-t-ike-03 vendor ID
> Dec 11 12:47:54 vpn charon: 04[IKE] received
> draft-ietf-ipsec-nat-t-ike-02 vendor ID
> Dec 11 12:47:54 vpn charon: 04[IKE] received
> draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> Dec 11 12:47:54 vpn charon: 04[IKE] received DPD vendor ID
> Dec 11 12:47:54 vpn charon: 04[IKE] [client ip] is initiating a Main Mode IKE_SA
> Dec 11 12:47:54 vpn charon: 04[IKE] IKE_SA (unnamed)[3] state change:
> CREATED => CONNECTING
> Dec 11 12:47:54 vpn charon: 04[CFG] selecting proposal:
> Dec 11 12:47:54 vpn charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
> Dec 11 12:47:54 vpn charon: 04[CFG] selecting proposal:
> Dec 11 12:47:54 vpn charon: 04[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
> Dec 11 12:47:54 vpn charon: 04[CFG] selecting proposal:
> Dec 11 12:47:54 vpn charon: 04[CFG]   proposal matches
> Dec 11 12:47:54 vpn charon: 04[CFG] received proposals:
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> Dec 11 12:47:54 vpn charon: 04[CFG] configured proposals:
> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
> Dec 11 12:47:54 vpn charon: 04[CFG] selected proposal:
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> Dec 11 12:47:54 vpn charon: 04[IKE] sending XAuth vendor ID
> Dec 11 12:47:54 vpn charon: 04[IKE] sending DPD vendor ID
> Dec 11 12:47:54 vpn charon: 04[IKE] sending NAT-T (RFC 3947) vendor ID
> Dec 11 12:47:54 vpn charon: 04[ENC] generating ID_PROT response 0 [ SA V V V ]
> Dec 11 12:47:54 vpn charon: 04[NET] sending packet: from [vpn ip][500]
> to [client ip][500] (132 bytes)
> Dec 11 12:47:54 vpn charon: 03[NET] sending packet: from [vpn ip][500]
> to [client ip][500]
> Dec 11 12:47:54 vpn charon: 02[NET] received packet: from [client
> ip][500] to [vpn ip][500]
> Dec 11 12:47:54 vpn charon: 02[NET] waiting for data on sockets
> Dec 11 12:47:54 vpn charon: 09[NET] received packet: from [client
> ip][500] to [vpn ip][500] (228 bytes)
> Dec 11 12:47:54 vpn charon: 09[ENC] parsed ID_PROT request 0 [ KE No
> NAT-D NAT-D ]
> Dec 11 12:47:54 vpn charon: 09[IKE] sending cert request for "C=US,
> O=ThatsUs, CN=strongSwan Root CA"
> Dec 11 12:47:54 vpn charon: 09[ENC] generating ID_PROT response 0 [ KE
> No CERTREQ NAT-D NAT-D ]
> Dec 11 12:47:54 vpn charon: 09[NET] sending packet: from [vpn ip][500]
> to [client ip][500] (310 bytes)
> Dec 11 12:47:54 vpn charon: 03[NET] sending packet: from [vpn ip][500]
> to [client ip][500]
> Dec 11 12:47:54 vpn charon: 02[NET] received packet: from [client
> ip][500] to [vpn ip][500]
> Dec 11 12:47:54 vpn charon: 02[NET] waiting for data on sockets
> Dec 11 12:47:54 vpn charon: 10[NET] received packet: from [client
> ip][500] to [vpn ip][500] (1492 bytes)
> Dec 11 12:47:54 vpn charon: 10[ENC] parsed ID_PROT request 0 [ ID CERT
> SIG CERTREQ N(INITIAL_CONTACT) ]
> Dec 11 12:47:54 vpn charon: 10[IKE] ignoring certificate request without data
> Dec 11 12:47:54 vpn charon: 10[IKE] received end entity cert "C=US,
> O=ThatsUs, CN=ctmoore@example.com"
> Dec 11 12:47:54 vpn charon: 10[CFG] looking for RSA signature peer
> configs matching [vpn ip]...[client ip][C=US, O=ThatsUs,
> CN=ctmoore@example.com]
> Dec 11 12:47:54 vpn charon: 10[CFG]   candidate "roadwarrior-ikev1",
> match: 1/1/1052 (me/other/ike)
> Dec 11 12:47:54 vpn charon: 10[IKE] found 1 matching config, but none
> allows RSA signature authentication using Main Mode
> Dec 11 12:47:54 vpn charon: 10[IKE] queueing INFORMATIONAL task
> Dec 11 12:47:54 vpn charon: 10[IKE] activating new tasks
> Dec 11 12:47:54 vpn charon: 10[IKE]   activating INFORMATIONAL task
> Dec 11 12:47:54 vpn charon: 10[ENC] generating INFORMATIONAL_V1
> request 2651689082 [ HASH N(AUTH_FAILED) ]
> Dec 11 12:47:54 vpn charon: 10[NET] sending packet: from [vpn ip][500]
> to [client ip][500] (84 bytes)
> Dec 11 12:47:54 vpn charon: 10[IKE] IKE_SA (unnamed)[3] state change:
> CONNECTING => DESTROYING
> Dec 11 12:47:54 vpn charon: 03[NET] sending packet: from [vpn ip][500]
> to [client ip][500]
> Dec 11 12:47:57 vpn charon: 02[NET] received packet: from [client
> ip][500] to [vpn ip][500]
> Dec 11 12:47:57 vpn charon: 02[NET] waiting for data on sockets
> Dec 11 12:48:00 vpn charon: 02[NET] received packet: from [client
> ip][500] to [vpn ip][500]
> Dec 11 12:48:00 vpn charon: 02[NET] waiting for data on sockets
> Dec 11 12:48:03 vpn charon: 02[NET] received packet: from [client
> ip][500] to [vpn ip][500]
> Dec 11 12:48:03 vpn charon: 02[NET] waiting for data on sockets
> Dec 11 12:48:06 vpn charon: 02[NET] received packet: from [client
> ip][500] to [vpn ip][500]
> Dec 11 12:48:06 vpn charon: 02[NET] waiting for data on sockets
> Dec 11 12:48:09 vpn charon: 02[NET] received packet: from [client
> ip][500] to [vpn ip][500]
> Dec 11 12:48:09 vpn charon: 02[NET] waiting for data on sockets
> Dec 11 12:48:16 vpn charon: 02[NET] received packet: from [client
> ip][500] to [vpn ip][500]
> Dec 11 12:48:16 vpn charon: 02[NET] waiting for data on sockets
> Dec 11 12:48:19 vpn charon: 02[NET] received packet: from [client
> ip][500] to [vpn ip][500]
> Dec 11 12:48:19 vpn charon: 02[NET] waiting for data on sockets
> Dec 11 12:48:22 vpn charon: 02[NET] received packet: from [client
> ip][500] to [vpn ip][500]
> Dec 11 12:48:22 vpn charon: 02[NET] waiting for data on sockets
> Dec 11 12:48:24 vpn charon: 02[NET] received packet: from [client
> ip][500] to [vpn ip][500]
> Dec 11 12:48:24 vpn charon: 02[NET] waiting for data on sockets
> Dec 11 12:48:24 vpn charon: 04[NET] received packet: from [client
> ip][500] to [vpn ip][500] (300 bytes)
> Dec 11 12:48:24 vpn charon: 04[ENC] parsed ID_PROT request 0 [ SA V V
> V V V V V V V V V ]
> Dec 11 12:48:24 vpn charon: 04[CFG] looking for an ike config for [vpn
> ip]...[client ip]
> Dec 11 12:48:24 vpn charon: 04[CFG]   candidate: [vpn ip]...%any, prio 1052
> Dec 11 12:48:24 vpn charon: 04[CFG] found matching ike config: [vpn
> ip]...%any with prio 1052
> Dec 11 12:48:24 vpn charon: 04[IKE] received NAT-T (RFC 3947) vendor ID
> Dec 11 12:48:24 vpn charon: 04[IKE] received
> draft-ietf-ipsec-nat-t-ike vendor ID
> Dec 11 12:48:24 vpn charon: 04[IKE] received
> draft-ietf-ipsec-nat-t-ike-08 vendor ID
> Dec 11 12:48:24 vpn charon: 04[IKE] received
> draft-ietf-ipsec-nat-t-ike-07 vendor ID
> Dec 11 12:48:24 vpn charon: 04[IKE] received
> draft-ietf-ipsec-nat-t-ike-06 vendor ID
> Dec 11 12:48:24 vpn charon: 04[IKE] received
> draft-ietf-ipsec-nat-t-ike-05 vendor ID
> Dec 11 12:48:24 vpn charon: 04[IKE] received
> draft-ietf-ipsec-nat-t-ike-04 vendor ID
> Dec 11 12:48:24 vpn charon: 04[IKE] received
> draft-ietf-ipsec-nat-t-ike-03 vendor ID
> Dec 11 12:48:24 vpn charon: 04[IKE] received
> draft-ietf-ipsec-nat-t-ike-02 vendor ID
> Dec 11 12:48:24 vpn charon: 04[IKE] received
> draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> Dec 11 12:48:24 vpn charon: 04[IKE] received DPD vendor ID
> Dec 11 12:48:24 vpn charon: 04[IKE] [client ip] is initiating a Main Mode IKE_SA
> Dec 11 12:48:24 vpn charon: 04[IKE] IKE_SA (unnamed)[4] state change:
> CREATED => CONNECTING
> Dec 11 12:48:24 vpn charon: 04[CFG] selecting proposal:
> Dec 11 12:48:24 vpn charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
> Dec 11 12:48:24 vpn charon: 04[CFG] selecting proposal:
> Dec 11 12:48:24 vpn charon: 04[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
> Dec 11 12:48:24 vpn charon: 04[CFG] selecting proposal:
> Dec 11 12:48:24 vpn charon: 04[CFG]   proposal matches
> Dec 11 12:48:24 vpn charon: 04[CFG] received proposals:
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> Dec 11 12:48:24 vpn charon: 04[CFG] configured proposals:
> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
> Dec 11 12:48:24 vpn charon: 04[CFG] selected proposal:
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> Dec 11 12:48:24 vpn charon: 04[IKE] sending XAuth vendor ID
> Dec 11 12:48:24 vpn charon: 04[IKE] sending DPD vendor ID
> Dec 11 12:48:24 vpn charon: 04[IKE] sending NAT-T (RFC 3947) vendor ID
> Dec 11 12:48:24 vpn charon: 04[ENC] generating ID_PROT response 0 [ SA V V V ]
> Dec 11 12:48:24 vpn charon: 04[NET] sending packet: from [vpn ip][500]
> to [client ip][500] (132 bytes)
> Dec 11 12:48:24 vpn charon: 03[NET] sending packet: from [vpn ip][500]
> to [client ip][500]
> Dec 11 12:48:24 vpn charon: 02[NET] received packet: from [client
> ip][500] to [vpn ip][500]
> Dec 11 12:48:24 vpn charon: 02[NET] waiting for data on sockets
> Dec 11 12:48:24 vpn charon: 09[NET] received packet: from [client
> ip][500] to [vpn ip][500] (228 bytes)
> Dec 11 12:48:24 vpn charon: 09[ENC] parsed ID_PROT request 0 [ KE No
> NAT-D NAT-D ]
> Dec 11 12:48:24 vpn charon: 09[IKE] sending cert request for "C=US,
> O=ThatsUs, CN=strongSwan Root CA"
> Dec 11 12:48:24 vpn charon: 09[ENC] generating ID_PROT response 0 [ KE
> No CERTREQ NAT-D NAT-D ]
> Dec 11 12:48:24 vpn charon: 09[NET] sending packet: from [vpn ip][500]
> to [client ip][500] (310 bytes)
> Dec 11 12:48:24 vpn charon: 03[NET] sending packet: from [vpn ip][500]
> to [client ip][500]
> Dec 11 12:48:54 vpn charon: 10[JOB] deleting half open IKE_SA after timeout
> Dec 11 12:48:54 vpn charon: 10[IKE] IKE_SA (unnamed)[4] state change:
> CONNECTING => DESTROYING
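
An added illustration of the log entry quoted above, not part of the original message and not strongSwan code: it reads the IKEv1 conn from the posted ipsec.conf and compares the authentication method that conn accepts with the method named in the log line. The mapping in `ikev1_method` (pubkey on both sides plus `rightauth2=xauth*` means XAuthInitRSA, pubkey alone means RSA signature) is an assumption about how charon's IKEv1 responder classifies a conn, and all function names are hypothetical.

```python
import re

# Conn sections and log entry from the post (unrelated keys dropped, line wrap undone).
IPSEC_CONF = """\
conn %default
        keyingtries=1
conn roadwarrior-ikev2
        keyexchange=ikev2
conn roadwarrior-ikev1
        keyexchange=ikev1
        leftauth=pubkey
        rightauth=pubkey
        rightauth2=xauth-noauth
"""
LOG_LINE = ("Dec 11 12:47:54 vpn charon: 10[IKE] found 1 matching config, but none "
            "allows RSA signature authentication using Main Mode")

def parse_conns(text):
    """Return {conn: {key: value}} with 'conn %default' merged into each conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # section header: conn / ca / config
            m = re.match(r"conn\s+(\S+)$", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    default = conns.pop("%default", {})
    return {name: {**default, **opts} for name, opts in conns.items()}

def ikev1_method(conn):
    """Phase 1 method a responder conn accepts (assumed mapping, see lead-in)."""
    first = (conn.get("leftauth", "pubkey"), conn.get("rightauth", "pubkey"))
    xauth = conn.get("rightauth2", "").startswith("xauth")
    if first == ("pubkey", "pubkey"):
        return "XAuthInitRSA" if xauth else "RSA signature"
    if first == ("psk", "psk"):
        return "XAuthInitPSK" if xauth else "pre-shared key"
    return "other"

def explain(conf_text, log_line):
    """Compare the method named in the log entry with each IKEv1 conn."""
    method, mode = re.search(
        r"none allows (.+) authentication using (.+)$", log_line).groups()
    verdict = {name: (ikev1_method(c), ikev1_method(c) == method)
               for name, c in parse_conns(conf_text).items()
               if c.get("keyexchange") == "ikev1"}
    return method, mode, verdict
```
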

