[strongSwan] Constrain checking fails while testing with IKEv2 certificate with EAP on an android device

Chinmaya Dwibedy ckdwibedy at yahoo.com
Thu Apr 28 13:25:20 CEST 2016


Hi All,



I am using the strongSwan VPN Client app on an Android device (VPN client) and running strongswan-5.4.0 on a Linux device (VPN server on a virtual machine). I am trying to establish an IKEv2/IPsec tunnel using certificate with EAP authentication, based on username/password on the client and pubkey on the server. On the server end, constraint checking fails with the following error message. Can anyone please have a look into the below and suggest to me where I am wrong? Thank you in advance for your support and time.


Charon log at server end:

12[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(AUTH_FOLLOWS) ]
12[IKE] received cert request for "C=NL, O=Example Company, CN=strongSwan Root CA"
12[IKE] received end entity cert "C=NL, O=Example Company, CN=vpn.example.org"
12[CFG] looking for peer configs matching 10.0.131.40[%any]...192.168.10.59[C=NL, O=Example Company, CN=vpn.example.org]
12[CFG] selected peer config 'vpn_server-vpn_client'
12[CFG]   using trusted ca certificate "C=NL, O=Example Company, CN=strongSwan Root CA"
12[CFG] checking certificate status of "C=NL, O=Example Company, CN=vpn.example.org"
12[CFG] certificate status is not available
12[CFG]   reached self-signed root ca with a path length of 0
12[CFG]   using trusted certificate "C=NL, O=Example Company, CN=vpn.example.org"
12[IKE] authentication of 'C=NL, O=Example Company, CN=vpn.example.org' with RSA_EMSA_PKCS1_SHA384 successful
12[CFG] constraint requires EAP_MD5, but EAP_NAK was used
12[CFG] selected peer config 'vpn_server-vpn_client' inacceptable: non-matching authentication done
12[CFG] no alternative config found
12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
12[IKE] peer supports MOBIKE
12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
12[NET] sending packet: from 10.0.131.40[4500] to 192.168.10.59[63644] (80 bytes)


 
I have disabled the constraints plugin (via the ./configure --disable-constraints option). The eap-dynamic plugin handles EAP-Nak payloads returned by clients and uses these to select a different EAP method supported/requested by the client. Hence I have configured the below in the plugins section of strongswan.conf:


 
eap-dynamic {
        prefer_user=yes
        preferred=eap-md5,eap-mschapv2
}


Here goes the configuration.


ipsec.conf

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

conn vpn_server-vpn_client
        left=10.0.131.40
        leftfirewall=yes
        leftprotoport=1
        rightprotoport=1
        right=%any
        rightsendcert=always
        leftcert=vpnHostCert.pem
        leftauth=pubkey
        rightauth=eap-md5
        #eap_identity=%any
        leftsubnet=0.0.0.0/0
        rightsourceip=10.0.3.15/32
        type=tunnel
        keyexchange=ikev2
        esp=aes128-sha1
        rekey=no
        reauth=no
        mobike=yes
        auto=add
        leftid=%any
        rightid=%any


 
ipsec.secrets


: RSA /etc/ipsec.d/private/vpnHostKey.pem

user : EAP "strongSwan"


 
Here are the commands used for certificate generation:

ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem

ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=NL, O=Example Company, CN=strongSwan Root CA" --outform pem > cacerts/strongswanCert.pem

ipsec pki --gen --type rsa --size 4096 --outform pem > private/vpnHostKey.pem

ipsec pki --pub --in private/vpnHostKey.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=NL, O=Example Company, CN=vpn.example.org" --san vpn.example.com --san vpn.example.net --san 172.19.134.4 --san @172.19.134.4 --flag serverAuth --flag ikeIntermediate --outform pem > certs/vpnHostCert.pem

openssl pkcs12 -in certs/vpnHostCert.pem -inkey private/vpnHostKey.pem -certfile cacerts/strongswanCert.pem -export -out peer.p12


 
Note that IKEv2 certificate authentication without EAP works fine. I imported all certificates to the Android virtual device and installed them, then selected that specific CA certificate and the user certificate that was imported.


 
Regards,

Chinmaya
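The following is an added configuration example, not part of the original post, showing how the eap-dynamic plugin section the post describes fits together with the server-side rightauth setting. With rightauth=eap-md5 the peer config pins that one EAP method, so a client that answers the EAP-MD5 request with an EAP-Nak fails the constraint check seen in the log above; rightauth=eap-dynamic hands method selection to the eap-dynamic plugin instead. The addresses, identities, secret and file names are taken from the post; everything else assumes a generic strongSwan 5.x setup in which the eap-md5, eap-mschapv2 and eap-dynamic plugins are loaded, and has not been verified against the poster's environment.

```ini
# /etc/ipsec.conf (server side). Values from the post are kept as they are.
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

conn vpn_server-vpn_client
        left=10.0.131.40
        leftcert=vpnHostCert.pem
        leftid=%any
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftprotoport=1
        leftauth=pubkey
        right=%any
        rightid=%any
        rightprotoport=1
        rightsendcert=always
        rightsourceip=10.0.3.15/32
        # Pinned form from the post, which rejects any other method:
        #   rightauth=eap-md5
        # Let the eap-dynamic plugin pick the method, so an EAP-Nak from
        # the client selects another method from the preferred list.
        rightauth=eap-dynamic
        # Look up the EAP secret by the identity the client sends in the
        # EAP exchange (the "user" line in ipsec.secrets).
        eap_identity=%identity
        keyexchange=ikev2
        type=tunnel
        esp=aes128-sha1
        rekey=no
        reauth=no
        mobike=yes
        auto=add

# /etc/ipsec.secrets (as in the post; the user name and password are the
# constructed sample values the post already uses)
#   : RSA /etc/ipsec.d/private/vpnHostKey.pem
#   user : EAP "strongSwan"

# /etc/strongswan.conf: plugin settings are nested under charon.plugins,
# not placed at the top level.
charon {
        plugins {
                eap-dynamic {
                        # honour the method the client requests in its Nak
                        # when that method is in the preferred list
                        prefer_user = yes
                        # order in which the server offers EAP methods
                        preferred = eap-md5,eap-mschapv2
                }
        }
}
```

The preferred list only matters for methods whose plugins are actually loaded (check the "loaded plugins" line charon prints at startup); a method that is listed but not loaded is skipped, and if the client Naks every offered method the IKE_AUTH still ends with AUTH_FAILED, now with a log line naming the eap-dynamic plugin rather than a constraint mismatch.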
