[strongSwan] Mac OS 10.10 Client to Linux Strongswan server HASH N(AUTH_FAILED) error

Jude Oliver judeo at blansys.com
Mon Apr 18 17:00:43 CEST 2016


I am attempting to set up a RHEL 7 based strongSwan server with Macintosh-based clients, using IPsec (the built-in OS X Cisco client), and I am unable to get this to behave so far.

It appears to be an issue with the certs? I have regenerated them on both sides several times and that does not seem to be resolving my issue here.

Any insights into what I am missing in my setup? My hope is that this is just some simple newbie mistake I am making.


My ipsec.conf file:

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    leftid=10.0.11.200
    rightid=10.0.11.160

conn rw-carol
    also=rw
    right=10.0.11.0/24
    auto=add

conn rw-dave
    also=rw
    right=10.0.11.0/24
    auto=add

conn rw
    left=10.0.11.200
    leftsubnet=10.11.0.0/16
    leftfirewall=yes

This is my ipsec.secrets file:

: RSA RH7Standard.vpnHostPrivateKey.der
: PSK "Password"
judeo %any : EAP "Password"
judeo %any : XAUTH "Password"
judeo %any : PSK "Password"


This is the error I am seeing in the logs:

Apr 18 09:45:41 RH7Standard charon: 10[IKE] 10.0.11.160 is initiating a Main Mode IKE_SA
Apr 18 09:45:41 RH7Standard charon: 10[ENC] generating ID_PROT response 0 [ SA V V V ]
Apr 18 09:45:41 RH7Standard charon: 10[NET] sending packet: from 10.0.11.200[500] to 10.0.11.160[500] (136 bytes)
Apr 18 09:45:41 RH7Standard strongswan: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, Linux 3.10.0-327.4.5.el7.x86_64, x86_64)
Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] openssl FIPS mode(2) - enabled
Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] created TUN device: ipsec0
Apr 18 09:45:41 RH7Standard strongswan: 00[NET] could not open socket: Address family not supported by protocol
Apr 18 09:45:41 RH7Standard strongswan: 00[NET] could not open IPv6 socket, IPv6 disabled
Apr 18 09:45:41 RH7Standard strongswan: 00[KNL] received netlink error: Address family not supported by protocol (97)
Apr 18 09:45:41 RH7Standard strongswan: 00[KNL] unable to create IPv6 routing table rule
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG]   loaded ca certificate "C=US, O=BSI, CN=RH7Standard.blansys.com" from '/etc/strongswan/ipsec.d/cacerts/RH7Standard.SelfSigned.CA.cert.strongswanCert.der'
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG]   loaded ca certificate "C=US, O=BSI, CN=RH7Standard.blansys.com" from '/etc/strongswan/ipsec.d/cacerts/RH7Standard.Converted.SelfSigned.CA.cert.pem'
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] opening directory '/etc/strongswan/ipsec.d/aacerts' failed: No such file or directory
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG]   reading directory failed
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] opening directory '/etc/strongswan/ipsec.d/ocspcerts' failed: No such file or directory
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG]   reading directory failed
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] opening directory '/etc/strongswan/ipsec.d/acerts' failed: No such file or directory
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG]   reading directory failed
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] opening directory '/etc/strongswan/ipsec.d/crls' failed: No such file or directory
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG]   reading directory failed
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG]   loaded RSA private key from '/etc/strongswan/ipsec.d/private/RH7Standard.vpnHostPrivateKey.der'
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG]   loaded IKE secret for %any
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG]   loaded EAP secret for judeo %any
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG]   loaded EAP secret for judeo %any
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG]   loaded IKE secret for judeo %any
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded 0 RADIUS server configurations
Apr 18 09:45:41 RH7Standard strongswan: 00[TNC] MAP server certificate not defined
Apr 18 09:45:41 RH7Standard strongswan: 00[TNC] TNC recommendation policy is 'default'
Apr 18 09:45:41 RH7Standard strongswan: 00[TNC] loading IMVs from '/etc/tnc_config'
Apr 18 09:45:41 RH7Standard strongswan: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] missing PDP server name, PDP disabled
Apr 18 09:45:41 RH7Standard strongswan: 00[TNC] loading IMCs from '/etc/tnc_config'
Apr 18 09:45:41 RH7Standard strongswan: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac ctr ccm curl sqlite attr kernel-libipsec kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp
Apr 18 09:45:41 RH7Standard strongswan: 00[JOB] spawning 16 worker threads
Apr 18 09:45:41 RH7Standard strongswan: 11[CFG] received stroke: add connection 'rw-carol'
Apr 18 09:45:41 RH7Standard strongswan: 11[CFG] added configuration 'rw-carol'
Apr 18 09:45:41 RH7Standard strongswan: 13[CFG] received stroke: add connection 'rw-dave'
Apr 18 09:45:41 RH7Standard strongswan: 13[CFG] added child to existing configuration 'rw-carol'
Apr 18 09:45:41 RH7Standard strongswan: 10[NET] received packet: from 10.0.11.160[500] to 10.0.11.200[500] (668 bytes)
Apr 18 09:45:41 RH7Standard strongswan: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received NAT-T (RFC 3947) vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received XAuth vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received Cisco Unity vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received FRAGMENTATION vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received DPD vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] 10.0.11.160 is initiating a Main Mode IKE_SA
Apr 18 09:45:41 RH7Standard strongswan: 10[ENC] generating ID_PROT response 0 [ SA V V V ]
Apr 18 09:45:41 RH7Standard charon: 11[NET] received packet: from 10.0.11.160[500] to 10.0.11.200[500] (292 bytes)
Apr 18 09:45:41 RH7Standard charon: 11[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 18 09:45:41 RH7Standard charon: 11[IKE] faking NAT situation to enforce UDP encapsulation
Apr 18 09:45:41 RH7Standard charon: 11[IKE] sending cert request for "C=US, O=BSI, CN=RH7Standard.blansys.com"
Apr 18 09:45:41 RH7Standard charon: 11[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Apr 18 09:45:41 RH7Standard charon: 11[NET] sending packet: from 10.0.11.200[500] to 10.0.11.160[500] (376 bytes)
Apr 18 09:45:42 RH7Standard charon: 12[NET] received packet: from 10.0.11.160[4500] to 10.0.11.200[4500] (1500 bytes)
Apr 18 09:45:42 RH7Standard charon: 12[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Apr 18 09:45:42 RH7Standard charon: 12[IKE] ignoring certificate request without data
Apr 18 09:45:42 RH7Standard charon: 12[IKE] received end entity cert "C=US, O=BSI, CN=judeo at blansys.com"
Apr 18 09:45:42 RH7Standard charon: 12[CFG] looking for XAuthInitRSA peer configs matching 10.0.11.200...10.0.11.160[C=US, O=BSI, CN=judeo at blansys.com]
Apr 18 09:45:42 RH7Standard charon: 12[IKE] no peer config found
Apr 18 09:45:42 RH7Standard charon: 12[ENC] generating INFORMATIONAL_V1 request 2365044413 [ HASH N(AUTH_FAILED) ]
Apr 18 09:45:42 RH7Standard charon: 12[NET] sending packet: from 10.0.11.200[4500] to 10.0.11.160[4500] (92 bytes)



________________________________

Jude Oliver
Support
1100 Poydras St. Suite 1230
New Orleans, LA 70163
Main Office: 504-529-8869
Joliver at blansys.com
www.blanchardsystems.com
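The decisive lines in the log above are "looking for XAuthInitRSA peer configs matching ..." followed by "no peer config found": charon reports which IKEv1 authentication class the client proposed (here certificate plus XAuth), and that no conn in ipsec.conf accepts that class for that peer. The following is an added triage script, not part of the post or of strongSwan, that parses a subset of ipsec.conf and the charon lines and names every conn whose rightauth/rightauth2 (or legacy authby) expects a different class; the table mapping config keywords to charon's class names is this example's own reading of strongSwan's output, and the sample config and log lines are constructed from the post.

```python
import re

# Constructed sample input: the relevant part of the poster's ipsec.conf and
# the two charon lines that decide the outcome, as they appear in the post.
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev1
    authby=secret
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
conn rw
    left=10.0.11.200
    leftsubnet=10.11.0.0/16
"""
SAMPLE_LOG = [
    "Apr 18 09:45:42 RH7Standard charon: 12[CFG] looking for XAuthInitRSA peer "
    "configs matching 10.0.11.200...10.0.11.160[C=US, O=BSI, CN=judeo at blansys.com]",
    "Apr 18 09:45:42 RH7Standard charon: 12[IKE] no peer config found",
]
LOOKUP_RE = re.compile(r"looking for (\S+) peer configs matching (\S+)\.\.\.(\S+)\[(.*)\]")

def parse_conf(text):
    """Return {conn: {key: value}} with the %default section merged into each conn."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            sections[cur] = {}
        elif "=" in line and cur is not None and not line.startswith("#"):
            key, val = line.split("=", 1)
            sections[cur][key.strip()] = val.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **kv} for name, kv in sections.items()}

def expected_auth_class(conn):
    """Map rightauth/rightauth2 (or legacy authby) to the IKEv1 auth class name
    charon prints; this name table is the example's own reading of strongSwan's output."""
    legacy = {"secret": "psk", "rsasig": "pubkey", "pubkey": "pubkey"}
    method = conn.get("rightauth") or legacy.get(conn.get("authby", ""), "")
    base = {"psk": "PSK", "pubkey": "RSA"}.get(method)
    if base is None:
        return None
    if conn.get("rightauth2") == "xauth":
        return "XAuthInit" + base  # client authenticates with base method, then XAuth
    return "pre-shared key" if base == "PSK" else "RSA signature"

def diagnose(conf_text, log_lines):
    """Explain a 'no peer config found' by comparing the class the client proposed
    with the class each configured conn would accept from the peer."""
    conns = parse_conf(conf_text)
    result = {"client_auth": None, "peer_id": None, "failed": False, "mismatch": {}}
    for line in log_lines:
        m = LOOKUP_RE.search(line)
        if m:
            result["client_auth"], _, _, result["peer_id"] = m.groups()
        elif "no peer config found" in line:
            result["failed"] = True
    for name, conn in conns.items():
        want = expected_auth_class(conn)
        if result["client_auth"] and want != result["client_auth"]:
            result["mismatch"][name] = want
    return result
```

Run on the post's data, `diagnose(SAMPLE_CONF, SAMPLE_LOG)` reports the client proposing XAuthInitRSA while conn rw would only accept XAuthInitPSK, which is the mismatch behind the HASH N(AUTH_FAILED) reply.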
