[strongSwan] Mac OS 10.10 Client to Linux Strongswan server HASH N(AUTH_FAILED) error
Jude Oliver
judeo at blansys.com
Tue Apr 26 17:10:31 CEST 2016
Still no love here, no private key for my left server? Did I mess up my cert creation?
Apr 26 10:05:14 RH7Standard charon: 11[IKE] faking NAT situation to enforce UDP encapsulation
Apr 26 10:05:14 RH7Standard charon: 11[IKE] sending cert request for "C=US, O=BSI, CN=RH7Standard.blansys.com"
Apr 26 10:05:14 RH7Standard charon: 11[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Apr 26 10:05:14 RH7Standard charon: 11[NET] sending packet: from 10.0.11.200[500] to 10.0.11.160[500] (376 bytes)
Apr 26 10:05:14 RH7Standard strongswan: 10[NET] sending packet: from 10.0.11.200[500] to 10.0.11.160[500] (136 bytes)
Apr 26 10:05:14 RH7Standard charon: 12[NET] received packet: from 10.0.11.160[4500] to 10.0.11.200[4500] (1500 bytes)
Apr 26 10:05:14 RH7Standard charon: 12[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Apr 26 10:05:14 RH7Standard charon: 12[IKE] ignoring certificate request without data
Apr 26 10:05:14 RH7Standard charon: 12[IKE] received end entity cert "C=US, O=BSI, CN=judeo at blansys.com"
Apr 26 10:05:14 RH7Standard charon: 12[CFG] looking for XAuthInitRSA peer configs matching 10.0.11.200...10.0.11.160[C=US, O=BSI, CN=judeo at blansys.com]
Apr 26 10:05:14 RH7Standard charon: 12[CFG] selected peer config "%Mac"
Apr 26 10:05:14 RH7Standard charon: 12[CFG] using certificate "C=US, O=BSI, CN=judeo at blansys.com"
Apr 26 10:05:14 RH7Standard charon: 12[CFG] using trusted ca certificate "C=US, O=BSI, CN=RH7Standard.blansys.com"
Apr 26 10:05:14 RH7Standard charon: 12[CFG] checking certificate status of "C=US, O=BSI, CN=judeo at blansys.com"
Apr 26 10:05:14 RH7Standard charon: 12[CFG] certificate status is not available
Apr 26 10:05:14 RH7Standard charon: 12[CFG] reached self-signed root ca with a path length of 0
Apr 26 10:05:14 RH7Standard charon: 12[IKE] authentication of 'C=US, O=BSI, CN=judeo at blansys.com' with RSA successful
Apr 26 10:05:14 RH7Standard charon: 12[IKE] no RSA private key found for '10.0.11.200'
Apr 26 10:05:14 RH7Standard charon: 12[ENC] generating INFORMATIONAL_V1 request 860305567 [ HASH N(AUTH_FAILED) ]
Apr 26 10:05:14 RH7Standard charon: 12[NET] sending packet: from 10.0.11.200[4500] to 10.0.11.160[4500] (92 bytes)
Please verify I have not made any mistakes in my ipsec.conf file:
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1

conn %Mac
    auto=add
    rightid="C=US, O=BSI, CN=judeo at blansys.com"
    leftauth=pubkey
    rightauth=pubkey
    rightauth2=xauth
And my list of certs.
strongswan listcerts
List of X.509 End Entity Certificates:
altNames: jude at blansys.com, judeo at blansys.com
subject: "C=US, O=BSI, CN=judeo at blansys.com"
issuer: "C=US, O=BSI, CN=RH7Standard.blansys.com"
serial: 25:74:fe:8b:a9:5f:aa:02
validity: not before Apr 08 13:25:55 2016, ok
not after Apr 08 13:25:55 2018, ok
pubkey: RSA 2048 bits
keyid: a0:7a:df:22:55:da:02:f6:9d:3e:ac:ae:7d:e1:31:ee:ea:6e:1e:33
subjkey: 72:88:65:dc:71:f5:20:5d:80:d4:1a:6b:a7:88:c3:f8:b4:1f:cb:6f
authkey: 9a:f2:13:b8:bb:85:97:4a:fc:48:ad:a2:4a:80:82:5a:ee:75:49:39
________________________________________
Jude Oliver
Support
1100 Poydras St. Suite 1230
New Orleans, LA 70163
Main Office: 504-529-8869
Joliver at blansys.com
www.blanchardsystems.com <http://www.blanchardsystems.com/>
On 4/26/16, 8:16 AM, "Tobias Brunner" <tobias at strongswan.org> wrote:
>Hi Jude,
>
>> Apr 25 11:20:44 RH7Standard charon: 09[IKE] found 1 matching config, but
>> none allows XAuthInitRSA authentication using Main Mode
>
>Seems your left|rightauth settings are still wrong. As I wrote before
>you need
>
> leftauth=pubkey
> rightauth=pubkey
> rightauth2=xauth
>
>> I have tried a few variations without success, like
>> authby=xauthrsasig
>> authby=xauthpsk
>
>authby has no effect if you configure left|rightauth.
>
>> I presume this is the configuration example I should be looking at to get
>> this to behave:
>>
>>https://www.strongswan.org/testing/testresults/ikev1/xauth-id-rsa-hybrid/
>
>No, as the name indicates and the description explains this uses XAuth
>in Hybrid Mode (where the client is only authenticated with XAuth not
>PSK or RSA). While the Apple clients support this mode it's not their
>default setting.
>
>Regards,
>Tobias
>
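Added example (editor's note, not part of the original message or of strongSwan's own documentation): the log above shows the client's RSA authentication succeeding and the exchange failing only when charon looks for the responder's own private key, which it selects by the responder's identity. With no leftcert or leftid in conn %Mac that identity defaults to the local address, 10.0.11.200, and nothing in ipsec.secrets supplies a key for it. The listcerts output is consistent with this: it lists only the client certificate, and no entry carries the "has private key" marker that strongSwan prints for a certificate whose key is loaded. The fragments below show how a server certificate and key would be declared for this conn; serverCert.pem, serverKey.pem and the XAuth credentials are placeholders, and the rightid value is copied from the posted log (the list archive renders "@" as " at ").

```ini
# /etc/ipsec.conf  (added example; placeholder file names)
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1

conn %Mac
    auto=add
    # server certificate, looked up in /etc/ipsec.d/certs when the path is relative;
    # with leftcert set, leftid defaults to the certificate's subject DN, so charon
    # searches for the private key by that DN instead of by the address 10.0.11.200
    leftcert=serverCert.pem
    leftauth=pubkey
    rightid="C=US, O=BSI, CN=judeo at blansys.com"
    rightauth=pubkey
    rightauth2=xauth

# /etc/ipsec.secrets  (added example; placeholder file name and credentials)
# private key matching serverCert.pem, looked up in /etc/ipsec.d/private when relative
: RSA serverKey.pem
# XAuth credentials for the Mac user verified in the rightauth2 round
judeo : XAUTH "placeholder-password"
```

After reloading (ipsec rereadall followed by ipsec reload, or a restart), ipsec listcerts should show the server certificate with "has private key" next to its pubkey line; if it does not, the key file was not read and the same "no RSA private key found" line will reappear. The Mac client must also trust the CA that issued serverCert.pem, which in the posted setup is the same "C=US, O=BSI, CN=RH7Standard.blansys.com" CA that signed the client certificate.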