[strongSwan] Error with EAP-PEAP connection
Andreas Steffen
andreas.steffen at strongswan.org
Tue May 13 06:37:26 CEST 2014
Hi Ygor,
your CA certificate defines a certificate policy which is not present
in the end entity certificate. As a workaround you must omit the
constraints plugin from an explicit load list in strongswan.conf or
compile strongSwan with the option
./configure --disable-constraints
Best regards
Andreas
On 05/13/2014 01:51 AM, Ygor Amadeo Sartori Regados wrote:
> Hi,
>
>
> I am trying to setup a IKEv2 server with EAP-PEAP authentication, but
> the connection doesn't go beyond phase1. The log reports no TLS public
> keys being found. Using an StartCom-issued certificate on the server.
> What's wrong with my setup?
>
> Client setup:
>> conn rw-ikev2-eap
>> keyexchange=ikev2
>> compress=yes
>> rightid=%fromcert
>> right=vpn.zanardo.com.br
>> rightsubnet=0.0.0.0/0
>> rightauth=eap-peap
>> rightsourceip=%config
>> left=%defaultroute
>> leftauth=eap-peap
>> leftid=ygor
>> leftsendcert=never
>> auto=add
>
> ipsec statusall:
>> Status of IKE charon daemon (strongSwan 5.1.1, Linux 3.11.10-7-desktop, x86_64):
>> uptime: 2 minutes, since May 12 20:39:47 2014
>> malloc: sbrk 2985984, mmap 0, used 611424, free 2374560
>> worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>> loaded plugins: charon curl soup ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp certexpire led duplicheck radattr addrblock unity
>> Listening IP addresses:
>> 192.168.1.10
>> 2001:1291:23b:0:22cf:30ff:fef0:fad1
>> Connections:
>> rw-ikev2-eap: %any...vpn.zanardo.com.br IKEv2
>> rw-ikev2-eap: local: [ygor] uses EAP_PEAP authentication
>> rw-ikev2-eap: remote: [fromcert] uses EAP_PEAP authentication
>> rw-ikev2-eap: child: dynamic === 0.0.0.0/0 TUNNEL
>> Security Associations (0 up, 0 connecting):
>> none
>
> Log:
>> initiating IKE_SA rw-ikev2-eap[1] to 200.178.219.170
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> sending packet: from 192.168.1.10[500] to 200.178.219.170[500] (1212 bytes)
>> received packet: from 200.178.219.170[500] to 192.168.1.10[500] (440 bytes)
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>> local host is behind NAT, sending keep alives
>> sending cert request for "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA"
>> sending cert request for "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
>> establishing CHILD_SA rw-ikev2-eap
>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ N(IPCOMP_SUP) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>> sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (428 bytes)
>> received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (204 bytes)
>> parsed IKE_AUTH response 1 [ IDr EAP/REQ/PEAP ]
>> server requested EAP_PEAP authentication (id 0x80)
>> EAP_PEAP version is v0
>> allow mutual EAP-only authentication
>> generating IKE_AUTH request 2 [ EAP/RES/PEAP ]
>> sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (236 bytes)
>> received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (1100 bytes)
>> parsed IKE_AUTH response 2 [ EAP/REQ/PEAP ]
>> generating IKE_AUTH request 3 [ EAP/RES/PEAP ]
>> sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (76 bytes)
>> received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (1100 bytes)
>> parsed IKE_AUTH response 3 [ EAP/REQ/PEAP ]
>> generating IKE_AUTH request 4 [ EAP/RES/PEAP ]
>> sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (76 bytes)
>> received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (1100 bytes)
>> parsed IKE_AUTH response 4 [ EAP/REQ/PEAP ]
>> generating IKE_AUTH request 5 [ EAP/RES/PEAP ]
>> sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (76 bytes)
>> received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (1100 bytes)
>> parsed IKE_AUTH response 5 [ EAP/REQ/PEAP ]
>> generating IKE_AUTH request 6 [ EAP/RES/PEAP ]
>> sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (76 bytes)
>> received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (396 bytes)
>> parsed IKE_AUTH response 6 [ EAP/REQ/PEAP ]
>> negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>> received TLS server certificate 'D=0FKpeSCSnLtP7r7P, C=BR, CN=vpn.zanardo.com.br, E=webmaster at zanardo.com.br'
>> received TLS intermediate certificate 'C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA'
>> using certificate "D=0FKpeSCSnLtP7r7P, C=BR, CN=vpn.zanardo.com.br, E=webmaster at zanardo.com.br"
>> using trusted intermediate ca certificate "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA"
>> checking certificate status of "D=0FKpeSCSnLtP7r7P, C=BR, CN=vpn.zanardo.com.br, E=webmaster at zanardo.com.br"
>> requesting ocsp status from 'http://ocsp.startssl.com/sub/class1/server/ca' ...
>> using certificate "C=IL, O=StartCom Ltd. (Start Commercial Limited), CN=StartCom Class 1 Server OCSP Signer"
>> using trusted intermediate ca certificate "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA"
>> using trusted ca certificate "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
>> reached self-signed root ca with a path length of 1
>> ocsp response correctly signed by "C=IL, O=StartCom Ltd. (Start Commercial Limited), CN=StartCom Class 1 Server OCSP Signer"
>> ocsp response is valid: until May 14 20:40:05 2014
>> certificate status is good
>> policy 2.23.140.1.2.1 missing in issuing certificate 'C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA'
>> no TLS public key found for server 'D=0FKpeSCSnLtP7r7P, C=BR, CN=vpn.zanardo.com.br, E=webmaster at zanardo.com.br'
>> sending fatal TLS alert 'certificate unknown'
>> generating IKE_AUTH request 7 [ EAP/RES/PEAP ]
>> sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (92 bytes)
>> received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (76 bytes)
>> parsed IKE_AUTH response 7 [ EAP/FAIL ]
>> received EAP_FAILURE, EAP authentication failed
>> generating INFORMATIONAL request 8 [ N(AUTH_FAILED) ]
>> sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (76 bytes)
>> establishing connection 'rw-ikev2-eap' failed
>
> Thanks,
> Ygor
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4255 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140513/51ad0cf3/attachment.bin>
More information about the Users
mailing list