[strongSwan] IKEv2 EAP (username/password) authentication failing with strongswan server
Ravi Kanth Vanapalli
vvnrk.vanapalli at gmail.com
Mon Dec 22 20:12:22 CET 2014
Dear Noel,
I was able to make some progress after setting the leftauth to pubkey.
I generated the certificates using the procedure outlined in the link.
Now I am running into the issue where gateway sends the last IKE_AUTH
message with IP address. Then UE sends back AUTH failed. On looking into
charon.log, there was an error like
Dec 22 14:02:52 12[CFG] constraint check failed: identity '192.168.43.185'
required
Dec 22 14:02:52 12[CFG] selected peer config 'android' inacceptable:
constraint checking failed
Here is the print of daemon log (/var/log/syslog)on the strongswan server
side
---------------------------------------------------------------------------------------------------------------
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[NET] received packet: from
192.168.43.94[54252] to 192.168.43.185[500]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[ENC] parsed IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[IKE] 192.168.43.94 is
initiating an IKE_SA
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[IKE] remote host is behind
NAT
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[ENC] generating
IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[NET] sending packet: from
192.168.43.185[500] to 192.168.43.94[54252]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[NET] received packet: from
192.168.43.94[46301] to 192.168.43.185[4500]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[ENC] parsed IKE_AUTH
request 1 [ IDi N(INIT_CONTACT) CERTREQ CP(ADDR ADDR6 DNS DNS6)
N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR)
N(MULT_AUTH) N(EAP_ONLY) ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] received cert request
for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[CFG] looking for peer
configs matching 192.168.43.185[%any]...192.168.43.94[user1]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[CFG] selected peer config
'ssandroid'
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] initiating
EAP-Identity request
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] peer supports MOBIKE
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] authentication of
'C=CH, O=strongSwan, CN=strongSwan Root CA' (myself) with RSA signature
successful
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] sending end entity
cert "C=CH, O=strongSwan, CN=strongSwan Root CA"
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[ENC] generating IKE_AUTH
response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[NET] sending packet: from
192.168.43.185[4500] to 192.168.43.94[46301]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[NET] received packet: from
192.168.43.94[46301] to 192.168.43.185[4500]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[ENC] parsed IKE_AUTH
request 2 [ EAP/RES/ID ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[IKE] received EAP identity
'user1'
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[IKE] initiating
EAP_MSCHAPV2 method (id 0x87)
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[ENC] generating IKE_AUTH
response 2 [ EAP/REQ/MSCHAPV2 ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[NET] sending packet: from
192.168.43.185[4500] to 192.168.43.94[46301]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 10[NET] received packet: from
192.168.43.94[46301] to 192.168.43.185[4500]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 10[ENC] parsed IKE_AUTH
request 3 [ EAP/RES/MSCHAPV2 ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 10[ENC] generating IKE_AUTH
response 3 [ EAP/REQ/MSCHAPV2 ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 10[NET] sending packet: from
192.168.43.185[4500] to 192.168.43.94[46301]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[NET] received packet: from
192.168.43.94[46301] to 192.168.43.185[4500]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[ENC] parsed IKE_AUTH
request 4 [ EAP/RES/MSCHAPV2 ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[IKE] EAP method
EAP_MSCHAPV2 succeeded, MSK established
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[ENC] generating IKE_AUTH
response 4 [ EAP/SUCC ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[NET] sending packet: from
192.168.43.185[4500] to 192.168.43.94[46301]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[NET] received packet: from
192.168.43.94[46301] to 192.168.43.185[4500]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[ENC] parsed IKE_AUTH
request 5 [ AUTH ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] authentication of
'user1' with EAP successful
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] authentication of
'C=CH, O=strongSwan, CN=strongSwan Root CA' (myself) with EAP
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] IKE_SA ssandroid[2]
established between 192.168.43.185[C=CH, O=strongSwan, CN=strongSwan Root
CA]...192.168.43.94[user1]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] scheduling
reauthentication in 3250s
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] maximum IKE_SA
lifetime 3430s
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] peer requested
virtual IP %any6
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[CFG] assigning new lease
to 'user1'
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] assigning virtual IP
10.0.0.3 to peer 'user1'
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] CHILD_SA ssandroid{1}
established with SPIs c04897ea_i 87a8ff7a_o and TS 192.168.43.185/32 ===
10.0.0.3/32
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[ENC] generating IKE_AUTH
response 5 [ AUTH CP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP)
N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[NET] sending packet: from
192.168.43.185[4500] to 192.168.43.94[46301]
Dec 22 14:02:55 samsung-600B4B-600B5B charon: 01[NET] received packet: from
192.168.43.94[46301] to 192.168.43.185[4500]
Dec 22 14:02:55 samsung-600B4B-600B5B charon: 01[ENC] parsed INFORMATIONAL
request 6 [ N(AUTH_FAILED) ]
Dec 22 14:02:55 samsung-600B4B-600B5B charon: 01[ENC] generating
INFORMATIONAL response 6 [ ]
Dec 22 14:02:55 samsung-600B4B-600B5B charon: 01[NET] sending packet: from
192.168.43.185[4500] to 192.168.43.94[46301]
ipsec.conf file looks like below
-----------------------------------------------
conn ssandroid
left=192.168.43.185
leftfirewall=no
right=%any
rightsourceip = 10.0.0.2/24
rightauth=eap-mschapv2
rightsendcert=never
eap_identity=%any
auto=start
leftcert=ServerCert.pem
leftauth=pubkey
ipsec.secrets file looks like below
------------------------------------
include /var/lib/strongswan/ipsec.secrets.inc
: RSA ServerPrivKey.pem
user1 : EAP "topsecretpassword"
On the charon.log on the Android client side here is the error
----------------------------------------------------------------------------------------
Note:
Dec 22 14:02:52 16[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
Dec 22 14:02:52 16[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Dec 22 14:02:52 16[IKE] authentication of 'user1' (myself) with EAP
Dec 22 14:02:52 16[ENC] generating IKE_AUTH request 5 [ AUTH ]
Dec 22 14:02:52 16[NET] sending packet: from 192.168.43.94[46301] to
192.168.43.185[4500] (92 bytes)
Dec 22 14:02:52 12[NET] received packet: from 192.168.43.185[4500] to
192.168.43.94[46301] (268 bytes)
Dec 22 14:02:52 12[ENC] parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR) SA TSi
TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Dec 22 14:02:52 12[IKE] authentication of 'C=CH, O=strongSwan,
CN=strongSwan Root CA' with EAP successful
Dec 22 14:02:52 12[CFG] constraint check failed: identity '192.168.43.185'
required
Dec 22 14:02:52 12[CFG] selected peer config 'android' inacceptable:
constraint checking failed
Dec 22 14:02:52 12[CFG] no alternative config found
Dec 22 14:02:52 12[ENC] generating INFORMATIONAL request 6 [ N(AUTH_FAILED)
]
Dec 22 14:02:52 12[NET] sending packet: from 192.168.43.94[46301] to
192.168.43.185[4500] (76 bytes)
Please let me know the issue here. Is something wrong with the certificates
created.
I have attached the complete charon.log file to this email.
Thanks,
Ravikanth
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20141222/db999136/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: charon.log
Type: text/x-log
Size: 4729 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20141222/db999136/attachment.bin>
More information about the Users
mailing list