[strongSwan] IKEv2 EAP (username/password) authentication failing with strongswan server

Ravi Kanth Vanapalli vvnrk.vanapalli at gmail.com
Mon Dec 22 21:42:22 CET 2014


Dear Noel,
  I have made progress with this issue.
  Issue was the Assigned Name in the certificate. I have set it to the
gateway IP, generated the certificates and re-installed the certificates on
the UE and server side.

  I referred to the following link to solve this issue:
http://marc.info/?t=134837490100004&r=1&w=2

  Now my strongswan Android App is connected to my gateway.

Thanks much for your quick support.

Regards,
Ravikanth



On Mon, Dec 22, 2014 at 2:12 PM, Ravi Kanth Vanapalli <
vvnrk.vanapalli at gmail.com> wrote:

> Dear Noel,
>  I was able to make some progress after setting the leftauth to pubkey.
>
>  I generated the certificates using the procedure outlined in the link.
>  Now I am running into the issue where gateway sends the last IKE_AUTH
> message with IP address. Then UE sends back AUTH failed. On looking into
> charon.log, there was an error like
>
> Dec 22 14:02:52 12[CFG] constraint check failed: identity '192.168.43.185'
> required
> Dec 22 14:02:52 12[CFG] selected peer config 'android' inacceptable:
> constraint checking failed
>
> Here is the print of daemon log (/var/log/syslog)on the strongswan server
> side
>
> ---------------------------------------------------------------------------------------------------------------
>
>
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[NET] received packet:
> from 192.168.43.94[54252] to 192.168.43.185[500]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[ENC] parsed IKE_SA_INIT
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) ]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[IKE] 192.168.43.94 is
> initiating an IKE_SA
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[IKE] remote host is
> behind NAT
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[ENC] generating
> IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[NET] sending packet: from
> 192.168.43.185[500] to 192.168.43.94[54252]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[NET] received packet:
> from 192.168.43.94[46301] to 192.168.43.185[4500]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[ENC] parsed IKE_AUTH
> request 1 [ IDi N(INIT_CONTACT) CERTREQ CP(ADDR ADDR6 DNS DNS6)
> N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR)
> N(MULT_AUTH) N(EAP_ONLY) ]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] received cert
> request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[CFG] looking for peer
> configs matching 192.168.43.185[%any]...192.168.43.94[user1]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[CFG] selected peer config
> 'ssandroid'
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] initiating
> EAP-Identity request
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] received
> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] peer supports MOBIKE
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] authentication of
> 'C=CH, O=strongSwan, CN=strongSwan Root CA' (myself) with RSA signature
> successful
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] sending end entity
> cert "C=CH, O=strongSwan, CN=strongSwan Root CA"
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[ENC] generating IKE_AUTH
> response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[NET] sending packet: from
> 192.168.43.185[4500] to 192.168.43.94[46301]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[NET] received packet:
> from 192.168.43.94[46301] to 192.168.43.185[4500]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[ENC] parsed IKE_AUTH
> request 2 [ EAP/RES/ID ]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[IKE] received EAP
> identity 'user1'
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[IKE] initiating
> EAP_MSCHAPV2 method (id 0x87)
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[ENC] generating IKE_AUTH
> response 2 [ EAP/REQ/MSCHAPV2 ]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[NET] sending packet: from
> 192.168.43.185[4500] to 192.168.43.94[46301]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 10[NET] received packet:
> from 192.168.43.94[46301] to 192.168.43.185[4500]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 10[ENC] parsed IKE_AUTH
> request 3 [ EAP/RES/MSCHAPV2 ]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 10[ENC] generating IKE_AUTH
> response 3 [ EAP/REQ/MSCHAPV2 ]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 10[NET] sending packet: from
> 192.168.43.185[4500] to 192.168.43.94[46301]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[NET] received packet:
> from 192.168.43.94[46301] to 192.168.43.185[4500]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[ENC] parsed IKE_AUTH
> request 4 [ EAP/RES/MSCHAPV2 ]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[IKE] EAP method
> EAP_MSCHAPV2 succeeded, MSK established
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[ENC] generating IKE_AUTH
> response 4 [ EAP/SUCC ]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[NET] sending packet: from
> 192.168.43.185[4500] to 192.168.43.94[46301]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[NET] received packet:
> from 192.168.43.94[46301] to 192.168.43.185[4500]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[ENC] parsed IKE_AUTH
> request 5 [ AUTH ]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] authentication of
> 'user1' with EAP successful
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] authentication of
> 'C=CH, O=strongSwan, CN=strongSwan Root CA' (myself) with EAP
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] IKE_SA ssandroid[2]
> established between 192.168.43.185[C=CH, O=strongSwan, CN=strongSwan Root
> CA]...192.168.43.94[user1]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] scheduling
> reauthentication in 3250s
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] maximum IKE_SA
> lifetime 3430s
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] peer requested
> virtual IP %any6
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[CFG] assigning new lease
> to 'user1'
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] assigning virtual IP
> 10.0.0.3 to peer 'user1'
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] CHILD_SA
> ssandroid{1} established with SPIs c04897ea_i 87a8ff7a_o and TS
> 192.168.43.185/32 === 10.0.0.3/32
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[ENC] generating IKE_AUTH
> response 5 [ AUTH CP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP)
> N(ADD_6_ADDR) N(ADD_6_ADDR) ]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[NET] sending packet: from
> 192.168.43.185[4500] to 192.168.43.94[46301]
> Dec 22 14:02:55 samsung-600B4B-600B5B charon: 01[NET] received packet:
> from 192.168.43.94[46301] to 192.168.43.185[4500]
> Dec 22 14:02:55 samsung-600B4B-600B5B charon: 01[ENC] parsed INFORMATIONAL
> request 6 [ N(AUTH_FAILED) ]
> Dec 22 14:02:55 samsung-600B4B-600B5B charon: 01[ENC] generating
> INFORMATIONAL response 6 [ ]
> Dec 22 14:02:55 samsung-600B4B-600B5B charon: 01[NET] sending packet: from
> 192.168.43.185[4500] to 192.168.43.94[46301]
>
>
> ipsec.conf file looks like below
> -----------------------------------------------
> conn ssandroid
>         left=192.168.43.185
>         leftfirewall=no
>         right=%any
>         rightsourceip = 10.0.0.2/24
>         rightauth=eap-mschapv2
>         rightsendcert=never
>         eap_identity=%any
>         auto=start
>         leftcert=ServerCert.pem
>         leftauth=pubkey
>
> ipsec.secrets file looks like below
> ------------------------------------
> include /var/lib/strongswan/ipsec.secrets.inc
>
> : RSA ServerPrivKey.pem
>
> user1 : EAP "topsecretpassword"
>
> On the charon.log on the Android client side here is the error
>
> ----------------------------------------------------------------------------------------
>
> Note:
>
> Dec 22 14:02:52 16[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
> Dec 22 14:02:52 16[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
> Dec 22 14:02:52 16[IKE] authentication of 'user1' (myself) with EAP
> Dec 22 14:02:52 16[ENC] generating IKE_AUTH request 5 [ AUTH ]
> Dec 22 14:02:52 16[NET] sending packet: from 192.168.43.94[46301] to
> 192.168.43.185[4500] (92 bytes)
> Dec 22 14:02:52 12[NET] received packet: from 192.168.43.185[4500] to
> 192.168.43.94[46301] (268 bytes)
> Dec 22 14:02:52 12[ENC] parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR) SA
> TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
> Dec 22 14:02:52 12[IKE] authentication of 'C=CH, O=strongSwan,
> CN=strongSwan Root CA' with EAP successful
> Dec 22 14:02:52 12[CFG] constraint check failed: identity '192.168.43.185'
> required
> Dec 22 14:02:52 12[CFG] selected peer config 'android' inacceptable:
> constraint checking failed
> Dec 22 14:02:52 12[CFG] no alternative config found
> Dec 22 14:02:52 12[ENC] generating INFORMATIONAL request 6 [
> N(AUTH_FAILED) ]
> Dec 22 14:02:52 12[NET] sending packet: from 192.168.43.94[46301] to
> 192.168.43.185[4500] (76 bytes)
>
>
> Please let me know the issue here. Is something wrong with the
> certificates created?
> I have attached the complete charon.log file to this email.
>
> Thanks,
> Ravikanth
>
>
>


-- 
Regards,

RaviKanth VN Vanapalli
Ph: (469) 999 7567
Email: vvnrk.vanapalli at gmail.com
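Added example (Go, standard library only; not code from the thread or from the strongSwan project) modelling the constraint check that failed on the client above: the Android app was configured to require the gateway identity 192.168.43.185, and a certificate whose only identity is its subject DN cannot satisfy an IP identity, while one carrying that address in subjectAltName can. The self-signed certificates, key, subject and addresses are constructed for the demonstration; strongSwan performs the equivalent check inside charon.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// buildGatewayCert issues a self-signed test certificate for the gateway with the
// given IP subjectAltName entries; nil reproduces the thread's SAN-less certificate.
func buildGatewayCert(ipSANs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Country: []string{"CH"}, Organization: []string{"strongSwan"}, CommonName: "vpn-gateway"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	for _, s := range ipSANs { // constructed test identities
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(s))
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// identitySatisfied reports whether the identity the client requires of the gateway
// (the address it dials) is carried by the certificate's SANs; a subject DN alone never
// satisfies an IP identity, which is exactly what the client's constraint check rejected.
func identitySatisfied(cert *x509.Certificate, requiredID string) bool {
	return cert.VerifyHostname(requiredID) == nil
}
func main() {
	for _, sans := range [][]string{nil, {"192.168.43.185"}} {
		cert, err := buildGatewayCert(sans)
		if err != nil {
			panic(err)
		}
		fmt.Printf("SAN=%v identity 192.168.43.185 satisfied: %v\n", sans, identitySatisfied(cert, "192.168.43.185"))
	}
}
```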

