[strongSwan] Issue with establishing VPN connection with strongSwan VPN Client (google app) using IKEv2 EAP (Username/Password)
Chinmaya Dwibedy
ckdwibedy at yahoo.com
Fri Apr 22 11:47:33 CEST 2016
Hi,
I am using the strongSwan VPN Client google app on an Android device (VPN Client) and running strongswan-5.4.0 on a Linux device (VPN Server on a Virtual Machine). I am trying to establish an IKEv2/IPsec tunnel using EAP authentication based on username/password (EAP-MD5), AES encryption with SHA1 data integrity. I find that the Child SA is being established at the VPN server.
But when it sends the IKE_AUTH response to the client, it gives the following error message in the log, i.e. "EAP-only authentication requires a mutual and MSK deriving EAP method, but EAP_MD5 is not", and sends INFORMATIONAL request 5 [ N(AUTH_FAILED) ] to the server. As a result,
1) The VPN Server deletes the IKE_SA/CHILD_SA.
2) The VPN Client fails to establish the VPN with "user authentication failed".
Can anyone please suggest where it goes wrong or if I have missed anything? Here are the charon log and the configuration used at both ends.
Here are the charon logs at the Server end.
00[JOB] spawning 16 worker threads
charon (1559) started after 20 ms
12[CFG] received stroke: add connection 'vpn_server-vpn_client'
12[CFG] adding virtual IP address pool 10.0.2.15/32
12[CFG] 'vpn_server-vpn_client' has both left- and rightsourceip, but IKE can negotiate one virtual IP only, ignoring local virtual IP
12[CFG] added configuration 'vpn_server-vpn_client'
11[NET] received packet: from 192.168.10.59[59887] to 10.0.131.40[500] (1012 bytes)
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
11[IKE] 192.168.10.59 is initiating an IKE_SA
11[IKE] local host is behind NAT, sending keep alives
11[IKE] remote host is behind NAT
11[IKE] DH group MODP_2048 inacceptable, requesting MODP_3072
11[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
11[NET] sending packet: from 10.0.131.40[500] to 192.168.10.59[59887] (38 bytes)
11[NET] received packet: from 192.168.10.59[59888] to 10.0.131.40[500] (1012 bytes)
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
11[IKE] 192.168.10.59 is initiating an IKE_SA
11[IKE] local host is behind NAT, sending keep alives
11[IKE] remote host is behind NAT
11[IKE] DH group MODP_2048 inacceptable, requesting MODP_3072
11[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
11[NET] sending packet: from 10.0.131.40[500] to 192.168.10.59[59888] (38 bytes)
11[NET] received packet: from 192.168.10.59[59888] to 10.0.131.40[500] (1140 bytes)
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
11[IKE] 192.168.10.59 is initiating an IKE_SA
11[IKE] local host is behind NAT, sending keep alives
11[IKE] remote host is behind NAT
11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
11[NET] sending packet: from 10.0.131.40[500] to 192.168.10.59[59888] (584 bytes)
13[NET] received packet: from 192.168.10.59[59892] to 10.0.131.40[4500] (3280 bytes)
13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
13[IKE] received 139 cert requests for an unknown ca
13[CFG] looking for peer configs matching 10.0.131.40[%any]...192.168.10.59[user]
13[CFG] selected peer config 'vpn_server-vpn_client'
13[IKE] initiating EAP_IDENTITY method (id 0x00)
13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
13[IKE] peer supports MOBIKE
13[ENC] generating IKE_AUTH response 1 [ IDr EAP/REQ/ID ]
13[NET] sending packet: from 10.0.131.40[4500] to 192.168.10.59[59892] (96 bytes)
12[NET] received packet: from 192.168.10.59[59892] to 10.0.131.40[4500] (80 bytes)
12[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
12[IKE] received EAP identity 'user'
12[IKE] initiating EAP_MD5 method (id 0x12)
12[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
12[NET] sending packet: from 10.0.131.40[4500] to 192.168.10.59[59892] (96 bytes)
09[NET] received packet: from 192.168.10.59[59892] to 10.0.131.40[4500] (96 bytes)
09[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MD5 ]
09[IKE] EAP method EAP_MD5 succeeded, no MSK established
09[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
09[NET] sending packet: from 10.0.131.40[4500] to 192.168.10.59[59892] (80 bytes)
11[NET] received packet: from 192.168.10.59[59892] to 10.0.131.40[4500] (112 bytes)
11[ENC] parsed IKE_AUTH request 4 [ AUTH ]
11[IKE] authentication of 'user' with EAP successful
11[IKE] authentication of '10.0.131.40' (myself) with EAP
11[IKE] IKE_SA vpn_server-vpn_client[3] established between 10.0.131.40[10.0.131.40]...192.168.10.59[user]
11[IKE] peer requested virtual IP %any
11[CFG] assigning new lease to 'user'
11[IKE] assigning virtual IP 10.0.2.15 to peer 'user'
11[IKE] peer requested virtual IP %any6
11[IKE] no virtual IP found for %any6 requested by 'user'
11[IKE] CHILD_SA vpn_server-vpn_client{1} established with SPIs 1a10e953_i e5c901c2_o and TS 0.0.0.0/0[icmp] === 10.0.2.15/32[icmp]
11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
11[NET] sending packet: from 10.0.131.40[4500] to 192.168.10.59[59892] (240 bytes)
14[NET] received packet: from 192.168.10.59[59892] to 10.0.131.40[4500] (80 bytes)
14[ENC] parsed INFORMATIONAL request 5 [ N(AUTH_FAILED) ]
14[IKE] received DELETE for IKE_SA vpn_server-vpn_client[3]
14[IKE] deleting IKE_SA vpn_server-vpn_client[3] between 10.0.131.40[10.0.131.40]...192.168.10.59[user]
14[IKE] IKE_SA deleted
14[ENC] generating INFORMATIONAL response 5 [ ]
14[NET] sending packet: from 10.0.131.40[4500] to 192.168.10.59[59892] (80 bytes)
Here are the ipsec.conf and ipsec.secrets used at the Server end.
ipsec.conf

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

conn vpn_server-vpn_client
    left=10.0.131.40
    leftfirewall=yes
    leftsubnet=%any
    leftprotoport=1
    rightprotoport=1
    right=%any
    rightauth=eap-md5
    rightsendcert=never
    leftauth=eap-md5
    eap_identity=%any
    leftsubnet=0.0.0.0/0
    rightsourceip=10.0.2.15/32
    type=tunnel
    keyexchange=ikev2
    esp=aes128-sha1
    rekey=no
    reauth=no

ipsec.secrets

user : EAP "strongSwan"
VPN profile used at the Android device

Gateway: 172.19.134.4
Type: IKEv2 EAP (Username/Password)
Username: user
Password: strongSwan
CA certificate: Select automatically (the default)

Regards,
Chinmaya
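As an added example (not part of the original post), the authentication lines of the posted conn next to a corrected version: with leftauth=eap-md5 the gateway authenticates itself with EAP too (the log shows "authentication of '10.0.131.40' (myself) with EAP" and "EAP method EAP_MD5 succeeded, no MSK established"), which forces EAP-only authentication that the client rejects because EAP-MD5 is neither mutual nor MSK-deriving. The certificate file name and leftid are assumptions; only one of the two conn variants goes into ipsec.conf.

```conf
# Added example, not the original poster's configuration.
# Variant 1: the auth settings as posted. The gateway itself authenticates
# with EAP-MD5, so the client must run EAP-only authentication (RFC 5998),
# and charon answers AUTH_FAILED because EAP-MD5 derives no MSK.
conn vpn_server-vpn_client
    leftauth=eap-md5
    rightauth=eap-md5
    rightsendcert=never
    eap_identity=%any

# Variant 2: the gateway proves its identity with a certificate, and EAP-MD5
# is used only for the client. With server-side pubkey authentication an EAP
# method without MSK is fine: the client's AUTH payload is then derived from
# the IKE keys as RFC 7296 section 2.16 describes.
# leftcert and leftid are assumed names; leftid must match a subjectAltName
# of that certificate, and the Android profile has to trust its CA (with
# "Select automatically" the CA must be in the device trust store, otherwise
# choose the CA certificate explicitly in the profile).
conn vpn_server-vpn_client
    leftauth=pubkey
    leftcert=vpnGatewayCert.pem
    leftid=vpn.example.com
    leftsendcert=always
    rightauth=eap-md5
    rightsendcert=never
    eap_identity=%any
```

The remaining options of the conn (subnets, protoports, rightsourceip, esp, lifetimes) stay as posted.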