[strongSwan] Road warrior eap_identity mismatch

Gustavo Schroeder gutosch at gmail.com
Thu Jan 28 21:04:58 CET 2016


Hi,

I implemented the VPN gateway using strongSwan 5.3.2 (CentOS 7 rpm).
Here is my use case scenario:

- 4 road warriors
- enforce a single /32 IP for each road warrior, which is best for
firewall control

I'm using pubkey auth + eap-mschapv2 and eap_identity flags in
ipsec.conf. Very similar to the rw-eap-peap-mschapv2 test scenario.

I'm able to connect to the VPN gateway; authentication works, with a
small glitch. I enter the password, auth starts on the gateway, and on
the client a window pops up requesting the password confirmation once
again. I confirm the password and get authenticated normally.

I have 4 conn entries in ipsec.conf.

---ipsec.conf
config setup
charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"

conn %default
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2

conn rw-gustavo
left=vpn.example.com
leftcert=vpnHostCert.der
leftauth=pubkey
leftsubnet=10.9.16.0/22
right=%any
rightauth=eap-mschapv2
rightsourceip=192.168.55.95/32
rightdns=10.9.15.2,10.9.15.3
eap_identity=gustavo
auto=add

conn rw-fabricio
left=vpn.example.com
leftcert=vpnHostCert.der
leftauth=pubkey
leftsubnet=10.9.16.0/22
right=%any
rightauth=eap-mschapv2
rightsourceip=192.168.55.66/32
rightdns=10.9.15.2,10.9.15.3
eap_identity=fabricio
auto=add

<more warriors suppressed>....

---ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA vpnHostKey.der

gustavo : EAP "123456"
fabiano : EAP "123456"
fabricio : EAP "654321"
jackson : EAP "123456"

---ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.2, Linux
3.10.0-327.4.5.el7.x86_64, x86_64):
  uptime: 10 minutes, since Jan 28 17:10:10 2016
  malloc: sbrk 2854912, mmap 0, used 582976, free 2271936
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 3
  loaded plugins: charon attr ccm cmac constraints ctr curl des dhcp
dnskey eap-gtc eap-identity eap-md5 eap-mschapv2 eap-peap eap-tls
eap-ttls farp fips-prf md4 md5 openssl pem pgp pkcs1 pkcs12 pkcs8
pubkey rc2 resolve revocation sshkey vici x509 xauth-eap xauth-generic
xauth-noauth xauth-pam xcbc aes sha1 sha2 gmp random nonce hmac stroke
kernel-netlink socket-default updown
Virtual IP pools (size/online/offline):
  192.168.55.95/32: 1/1/0
  192.168.55.66/32: 1/0/0
  192.168.55.181/32: 1/0/0
  192.168.55.32/32: 1/0/0
Listening IP addresses:
  10.9.15.190
Connections:
  rw-gustavo:  vpn.example.com...%any  IKEv2, dpddelay=300s
  rw-gustavo:   local:  [vpn.example.com] uses public key authentication
  rw-gustavo:    cert:  "CN=vpn.example.com"
  rw-gustavo:   remote: uses EAP_MSCHAPV2 authentication with EAP
identity 'gustavo'
  rw-gustavo:   child:  10.9.16.0/22 === dynamic TUNNEL, dpdaction=clear
 rw-fabricio:  vpn.example.com...%any  IKEv2, dpddelay=300s
 rw-fabricio:   local:  [vpn.example.com] uses public key authentication
 rw-fabricio:    cert:  "CN=vpn.example.com"
 rw-fabricio:   remote: uses EAP_MSCHAPV2 authentication with EAP
identity 'fabricio'
 rw-fabricio:   child:  10.9.16.0/22 === dynamic TUNNEL, dpdaction=clear
  rw-jackson:  vpn.example.com...%any  IKEv2, dpddelay=300s
  rw-jackson:   local:  [vpn.example.com] uses public key authentication
  rw-jackson:    cert:  "CN=vpn.example.com"
  rw-jackson:   remote: uses EAP_MSCHAPV2 authentication with EAP
identity 'jackson'
  rw-jackson:   child:  10.9.16.0/22 === dynamic TUNNEL, dpdaction=clear
  rw-fabiano:  vpn.example.com...%any  IKEv2, dpddelay=300s
  rw-fabiano:   local:  [vpn.example.com] uses public key authentication
  rw-fabiano:    cert:  "CN=vpn.example.com"
  rw-fabiano:   remote: uses EAP_MSCHAPV2 authentication with EAP
identity 'fabiano'
  rw-fabiano:   child:  10.9.16.0/22 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
  rw-gustavo[2]: ESTABLISHED 24 seconds ago,
10.9.15.190[vpn.example.com]...192.168.201.111[192.168.201.111]
  rw-gustavo[2]: Remote EAP identity: gustavo
  rw-gustavo[2]: IKEv2 SPIs: 9a056fa3ddbba174_i eacd0e744f30aeb7_r*,
rekeying disabled
  rw-gustavo[2]: IKE proposal:
AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
  rw-gustavo{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0e676a5_i 0289798c_o
  rw-gustavo{2}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
rekeying disabled
  rw-gustavo{2}:   10.9.16.0/22 === 192.168.55.95/32

For the connection above I used user 'fabricio', but regardless of
the user I'm using to connect, it always matches the first conn entry
for rw-gustavo and assigns the wrong IP for user fabricio.

For sure I might have overlooked something or messed up the config.

Any clue what I'm missing?

-Schröeder
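The behaviour described in the post follows from when a responder picks a conn: when the IKE_AUTH request arrives, the only identities it can evaluate are the IKE ones (left/leftid, right/rightid and the auth methods). The EAP identity is exchanged afterwards, and when the gateway side sets eap_identity to a literal value rather than %identity, strongSwan uses that literal as the peer's EAP identity instead of asking the client. Conn entries that differ only in eap_identity and rightsourceip are therefore indistinguishable at selection time and the first one loaded matches. The checker below is an added example, not code from the post or from strongSwan: it parses an ipsec.conf (a constructed, shortened copy of the posted one is embedded as sample input), groups conns whose responder-visible selectors are identical, and flags EAP conns with a pinned eap_identity. The selector key list and the parser are simplifications of the real config matching, not strongSwan's own logic.

```python
"""Lint an ipsec.conf for road-warrior conn entries a responder cannot tell
apart before EAP runs.  Added example, not strongSwan code."""
import re
from collections import defaultdict

# Keys a responder can evaluate from the first IKE_AUTH request.  The EAP
# identity is learned later (or not requested at all), so it is left out.
SELECTOR_KEYS = ("keyexchange", "left", "leftid", "leftauth",
                 "right", "rightid", "rightauth")

# Constructed sample: a shortened copy of the config from the post.
SAMPLE_CONF = """\
config setup
    charondebug="ike 2, cfg 2"

conn %default
    keyexchange=ikev2
    rekey=no

conn rw-gustavo
    left=vpn.example.com
    leftcert=vpnHostCert.der
    leftauth=pubkey
    leftsubnet=10.9.16.0/22
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=192.168.55.95/32
    eap_identity=gustavo
    auto=add

conn rw-fabricio
    left=vpn.example.com
    leftcert=vpnHostCert.der
    leftauth=pubkey
    leftsubnet=10.9.16.0/22
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=192.168.55.66/32
    eap_identity=fabricio
    auto=add
"""


def parse_ipsec_conf(text):
    """Return {"setup": {...}, "conns": {name: {key: value}}}; settings from
    conn %default are merged into every conn, as ipsec.conf semantics require."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^(conn|config)\s+(\S+)\s*$", line)
        if m:
            current = sections.setdefault((m.group(1), m.group(2)), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')
    default = sections.get(("conn", "%default"), {})
    conns = {}
    for (kind, name), opts in sections.items():
        if kind == "conn" and name != "%default":
            merged = dict(default)
            merged.update(opts)
            conns[name] = merged
    return {"setup": sections.get(("config", "setup"), {}), "conns": conns}


def selector(opts):
    """Responder-visible selector of a conn.  An unset leftid/rightid falls
    back to the address, which is what the identity defaults to."""
    sel = {k: opts.get(k, "") for k in SELECTOR_KEYS}
    sel["leftid"] = sel["leftid"] or sel["left"]
    sel["rightid"] = sel["rightid"] or sel["right"]
    return tuple(sorted(sel.items()))


def find_indistinguishable_conns(conns):
    """Groups of loaded conns with identical selectors: ambiguous before EAP,
    so whichever was loaded first wins.  auto=ignore conns are skipped."""
    groups = defaultdict(list)
    for name, opts in conns.items():
        if opts.get("auto", "ignore") == "ignore":
            continue
        groups[selector(opts)].append(name)
    return [names for names in groups.values() if len(names) > 1]


def find_fixed_eap_identities(conns):
    """Conns authenticating the peer with EAP while pinning eap_identity to a
    literal: the gateway then uses that literal as the peer's EAP identity
    rather than asking the client (only %identity triggers the exchange)."""
    hits = []
    for name, opts in conns.items():
        eap_id = opts.get("eap_identity")
        if opts.get("rightauth", "").startswith("eap") and eap_id and eap_id != "%identity":
            hits.append((name, eap_id))
    return hits


def lint(text):
    """Human-readable findings for one ipsec.conf text."""
    conns = parse_ipsec_conf(text)["conns"]
    report = []
    for names in find_indistinguishable_conns(conns):
        report.append("indistinguishable before EAP: " + ", ".join(names))
    for name, eap_id in find_fixed_eap_identities(conns):
        report.append("%s pins eap_identity=%s on the gateway side" % (name, eap_id))
    return report


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONF)) or "no findings")
```

Run it against a real file with `lint(open("/etc/ipsec.conf").read())`. Giving each conn a distinct rightid (an IKE identity the client actually sends) makes the selectors differ and the ambiguity finding disappears; the second finding goes away once the gateway uses eap_identity=%identity so that the client is asked for its EAP identity.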
