[strongSwan] Win7 and Window10Mobile: IKE authentication credentials are unacceptable
Arne Schmid
arne.j.schmid at outlook.com
Mon May 2 16:24:59 CEST 2016
Hi Tobias,
I'm getting closer. Then there is still an error saying
TLS record MAC verification failed
sending fatal TLS alert 'bad record mac'
Did a lot of searching to no avail. I'm on OpenSSL 1.0.1e 11 Feb 2013 if that helps.
May 2 15:11:49 12[CFG] <1> candidate "winCert", match: 1/1/5 (me/other/ike)
May 2 15:11:49 12[CFG] <winCert|1> selected peer config 'winCert'
May 2 15:11:49 12[IKE] <winCert|1> initiating EAP-Identity request
May 2 15:11:49 12[IKE] <winCert|1> processing INTERNAL_IP4_ADDRESS attribute
May 2 15:11:49 12[IKE] <winCert|1> processing INTERNAL_IP4_DNS attribute
May 2 15:11:49 12[IKE] <winCert|1> processing INTERNAL_IP4_NBNS attribute
May 2 15:11:49 12[IKE] <winCert|1> processing INTERNAL_IP4_SERVER attribute
May 2 15:11:49 12[IKE] <winCert|1> processing INTERNAL_IP6_ADDRESS attribute
May 2 15:11:49 12[IKE] <winCert|1> processing INTERNAL_IP6_DNS attribute
May 2 15:11:49 12[IKE] <winCert|1> processing INTERNAL_IP6_SERVER attribute
May 2 15:11:49 12[IKE] <winCert|1> peer supports MOBIKE
May 2 15:11:49 12[IKE] <winCert|1> authentication of 'C=CN, O=EXAMPLE, CN=vpn.EXAMPLE.de' (myself) with RSA signature successful
May 2 15:11:49 12[IKE] <winCert|1> sending end entity cert "C=CN, O=EXAMPLE, CN=vpn.EXAMPLE.de"
May 2 15:11:49 13[IKE] <winCert|1> received EAP identity 'client at vpn.EXAMPLE.de'
May 2 15:11:49 13[TLS] <winCert|1> 33 supported TLS cipher suites:
May 2 15:11:49 13[TLS] <winCert|1> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
May 2 15:11:49 13[TLS] <winCert|1> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
May 2 15:11:49 13[TLS] <winCert|1> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
May 2 15:11:49 13[TLS] <winCert|1> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
May 2 15:11:49 13[TLS] <winCert|1> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
May 2 15:11:49 13[TLS] <winCert|1> TLS_DHE_RSA_WITH_AES_256_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
May 2 15:11:49 13[TLS] <winCert|1> TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1> TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
May 2 15:11:49 13[TLS] <winCert|1> TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1> TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
May 2 15:11:49 13[TLS] <winCert|1> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1> TLS_RSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1> TLS_RSA_WITH_AES_128_CBC_SHA256
May 2 15:11:49 13[TLS] <winCert|1> TLS_RSA_WITH_AES_256_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1> TLS_RSA_WITH_AES_256_CBC_SHA256
May 2 15:11:49 13[TLS] <winCert|1> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
May 2 15:11:49 13[TLS] <winCert|1> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
May 2 15:11:49 13[TLS] <winCert|1> TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1> TLS_RSA_WITH_3DES_EDE_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1> TLS_ECDHE_ECDSA_WITH_NULL_SHA
May 2 15:11:49 13[TLS] <winCert|1> TLS_ECDHE_RSA_WITH_NULL_SHA
May 2 15:11:49 13[TLS] <winCert|1> TLS_RSA_WITH_NULL_SHA
May 2 15:11:49 13[TLS] <winCert|1> TLS_RSA_WITH_NULL_SHA256
May 2 15:11:49 13[TLS] <winCert|1> TLS_RSA_WITH_NULL_MD5
May 2 15:11:49 13[TLS] <winCert|1> sending EAP_TLS start packet (6 bytes)
May 2 15:11:49 13[IKE] <winCert|1> initiating EAP_TLS method (id 0x3A)
May 2 15:11:49 14[TLS] <winCert|1> processing TLS Handshake record (169 bytes)
May 2 15:11:49 14[TLS] <winCert|1> received TLS ClientHello handshake (165 bytes)
May 2 15:11:49 14[TLS] <winCert|1> received TLS 'status request' extension
May 2 15:11:49 14[TLS] <winCert|1> received TLS 'elliptic curves' extension
May 2 15:11:49 14[TLS] <winCert|1> received TLS 'ec point formats' extension
May 2 15:11:49 14[TLS] <winCert|1> received TLS 'signature algorithms' extension
May 2 15:11:49 14[TLS] <winCert|1> received TLS '(35)' extension
May 2 15:11:49 14[TLS] <winCert|1> received TLS '(23)' extension
May 2 15:11:49 14[TLS] <winCert|1> received TLS 'renegotiation info' extension
May 2 15:11:49 14[TLS] <winCert|1> received 30 TLS cipher suites:
May 2 15:11:49 14[TLS] <winCert|1> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
May 2 15:11:49 14[TLS] <winCert|1> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
May 2 15:11:49 14[TLS] <winCert|1> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
May 2 15:11:49 14[TLS] <winCert|1> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
May 2 15:11:49 14[TLS] <winCert|1> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
May 2 15:11:49 14[TLS] <winCert|1> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
May 2 15:11:49 14[TLS] <winCert|1> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
May 2 15:11:49 14[TLS] <winCert|1> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
May 2 15:11:49 14[TLS] <winCert|1> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
May 2 15:11:49 14[TLS] <winCert|1> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
May 2 15:11:49 14[TLS] <winCert|1> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1> TLS_DHE_RSA_WITH_AES_256_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1> TLS_RSA_WITH_AES_256_GCM_SHA384
May 2 15:11:49 14[TLS] <winCert|1> TLS_RSA_WITH_AES_128_GCM_SHA256
May 2 15:11:49 14[TLS] <winCert|1> TLS_RSA_WITH_AES_256_CBC_SHA256
May 2 15:11:49 14[TLS] <winCert|1> TLS_RSA_WITH_AES_128_CBC_SHA256
May 2 15:11:49 14[TLS] <winCert|1> TLS_RSA_WITH_AES_256_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1> TLS_RSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1> TLS_RSA_WITH_3DES_EDE_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
May 2 15:11:49 14[TLS] <winCert|1> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
May 2 15:11:49 14[TLS] <winCert|1> TLS_DHE_DSS_WITH_AES_256_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1> TLS_DHE_DSS_WITH_AES_128_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1> TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1> TLS_RSA_WITH_RC4_128_SHA
May 2 15:11:49 14[TLS] <winCert|1> TLS_RSA_WITH_RC4_128_MD5
May 2 15:11:49 14[TLS] <winCert|1> negotiated TLS version TLS 1.2 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1> sending TLS ServerHello handshake (38 bytes)
May 2 15:11:49 14[TLS] <winCert|1> sending TLS server certificate 'C=CN, O=EXAMPLE, CN=vpn.EXAMPLE.de'
May 2 15:11:49 14[TLS] <winCert|1> sending TLS Certificate handshake (853 bytes)
May 2 15:11:49 14[TLS] <winCert|1> selected ECDH group SECP256R1
May 2 15:11:49 14[TLS] <winCert|1> created signature with SHA256/RSA
May 2 15:11:49 14[TLS] <winCert|1> sending TLS ServerKeyExchange handshake (329 bytes)
May 2 15:11:49 14[TLS] <winCert|1> sending TLS cert request for 'C=CN, O=EXAMPLE, CN=EXAMPLE ca'
May 2 15:11:49 14[TLS] <winCert|1> sending TLS CertificateRequest handshake (87 bytes)
May 2 15:11:49 14[TLS] <winCert|1> sending TLS ServerHelloDone handshake (0 bytes)
May 2 15:11:49 14[TLS] <winCert|1> sending TLS Handshake record (1327 bytes)
May 2 15:11:49 14[TLS] <winCert|1> sending EAP_TLS first fragment (512 bytes)
May 2 15:11:49 15[TLS] <winCert|1> received EAP_TLS acknowledgement packet
May 2 15:11:49 15[TLS] <winCert|1> sending EAP_TLS further fragment (512 bytes)
May 2 15:11:49 16[TLS] <winCert|1> received EAP_TLS acknowledgement packet
May 2 15:11:49 16[TLS] <winCert|1> sending EAP_TLS final fragment (330 bytes)
May 2 15:11:50 09[TLS] <winCert|1> processing TLS Handshake record (1206 bytes)
May 2 15:11:50 09[TLS] <winCert|1> received TLS Certificate handshake (868 bytes)
May 2 15:11:50 09[TLS] <winCert|1> received TLS peer certificate 'C=CN, O=EXAMPLE, CN=client at vpn.EXAMPLE.de'
May 2 15:11:50 09[TLS] <winCert|1> received TLS ClientKeyExchange handshake (66 bytes)
May 2 15:11:50 09[TLS] <winCert|1> received TLS CertificateVerify handshake (260 bytes)
May 2 15:11:50 09[CFG] <winCert|1> using certificate "C=CN, O=EXAMPLE, CN=client at vpn.EXAMPLE.de"
May 2 15:11:50 09[CFG] <winCert|1> certificate "C=CN, O=EXAMPLE, CN=client at vpn.EXAMPLE.de" key: 2048 bit RSA
May 2 15:11:50 09[CFG] <winCert|1> using trusted ca certificate "C=CN, O=EXAMPLE, CN=EXAMPLE ca"
May 2 15:11:50 09[CFG] <winCert|1> checking certificate status of "C=CN, O=EXAMPLE, CN=client at vpn.EXAMPLE.de"
May 2 15:11:50 09[CFG] <winCert|1> ocsp check skipped, no ocsp found
May 2 15:11:50 09[CFG] <winCert|1> certificate status is not available
May 2 15:11:50 09[CFG] <winCert|1> certificate "C=CN, O=EXAMPLE, CN=EXAMPLE ca" key: 2048 bit RSA
May 2 15:11:50 09[CFG] <winCert|1> reached self-signed root ca with a path length of 0
May 2 15:11:50 09[TLS] <winCert|1> verified signature with SHA1/RSA
May 2 15:11:50 09[TLS] <winCert|1> processing TLS ChangeCipherSpec record (1 bytes)
May 2 15:11:50 09[TLS] <winCert|1> processing TLS Handshake record (64 bytes)
May 2 15:11:50 09[TLS] <winCert|1> TLS record MAC verification failed
May 2 15:11:50 09[TLS] <winCert|1> sending fatal TLS alert 'bad record mac'
May 2 15:11:50 09[TLS] <winCert|1> sending TLS Alert record (2 bytes)
May 2 15:11:50 09[TLS] <winCert|1> sending EAP_TLS packet (17 bytes)
May 2 15:11:50 05[TLS] <winCert|1> received EAP_TLS acknowledgement packet
May 2 15:11:50 05[IKE] <winCert|1> EAP method EAP_TLS failed for peer 10.145.250.86
May 2 15:11:50 05[IKE] <winCert|1> IKE_SA winCert[1] state change: CONNECTING => DESTROYING
Thanks,
Arne
sent from my Windows 8 Tablet
> Subject: Re: [strongSwan] Win7 and Window10Mobile: IKE authentication credentials are unacceptable
> To: arne.j.schmid at outlook.com; users at lists.strongswan.org
> From: tobias at strongswan.org
> Date: Mon, 2 May 2016 10:22:29 +0200
>
> Hi Arne,
>
> > I'm now as far as the connection establishes until there is a "no
> > trusted certificate found for 'client at vpn.EXAMPLE.de' to verify TLS peer"
>
> Your client certificate contains an incorrect subjectAltName extension.
> It should be client at vpn.EXAMPLE.de instead of vpn.EXAMPLE.de.
>
> Regards,
> Tobias
>
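
Added example (not part of the original message and not strongSwan code): a Python sketch that recovers individual charon log entries even when an archive has run them together, and reports in which TLS phase the first fatal alert was sent. The function names and the phase labels are assumptions made for this illustration.

```python
import re

# Entry header as charon writes it to syslog, e.g. "May 2 15:11:50 09[TLS]".
HEAD = r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{2}\[[A-Z]{3}\]"
# A message runs until the next header, so entries are recovered even when
# an archive has stripped or moved the newlines between them.
ENTRY = re.compile(rf"({HEAD}) (?:<[^>]*> )?(.*?)(?={HEAD}|\Z)", re.S)

# Constructed sample: eight entries taken from the log in this message,
# run together (and wrapped once) the way a list archive may show them.
SAMPLE = (
    "May 2 15:11:49 13[IKE] <winCert|1> received EAP identity 'client at vpn.EXAMPLE.de'"
    "May 2 15:11:49 14[TLS] <winCert|1> negotiated TLS version TLS 1.2 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
    "May 2 15:11:50 09[TLS] <winCert|1> received TLS peer certificate 'C=CN, O=EXAMPLE, CN=client at vpn.EXAMPLE.de'"
    "May 2 15:11:50 09[TLS] <winCert|1> verified signature with SHA1/RSA"
    "May 2 15:11:50 09[TLS] <winCert|1> processing TLS ChangeCipherSpec record (1 bytes)"
    "May 2 15:11:50 09[TLS] <winCert|1> \nprocessing TLS Handshake record (64 bytes)"
    "May 2 15:11:50 09[TLS] <winCert|1> TLS record MAC verification failed"
    "May 2 15:11:50 09[TLS] <winCert|1> sending fatal TLS alert 'bad record mac'"
)

def parse_entries(text):
    """Return (header, subsystem, message) for every entry in text."""
    return [(h, h[-4:-1], " ".join(m.split())) for h, m in ENTRY.findall(text)]

def triage(text):
    """Summarise an EAP-TLS attempt and the phase of the first fatal alert."""
    r = {"eap_identity": None, "peer_cert": None, "suite": None,
         "peer_sig_verified": False, "alert": None, "phase": None}
    seen_ccs = False
    for _, _, msg in parse_entries(text):
        if m := re.match(r"received EAP identity '(.+)'", msg):
            r["eap_identity"] = m[1]
        elif m := re.match(r"received TLS peer certificate '(.+)'", msg):
            r["peer_cert"] = m[1]
        elif m := re.match(r"negotiated TLS version .+ with suite (\S+)", msg):
            r["suite"] = m[1]
        elif msg.startswith("verified signature"):
            r["peer_sig_verified"] = True
        elif msg.startswith("processing TLS ChangeCipherSpec"):
            seen_ccs = True
        elif (m := re.match(r"sending fatal TLS alert '(.+)'", msg)) and not r["alert"]:
            r["alert"] = m[1]
            # After ChangeCipherSpec every record is protected with the new
            # keys; the first such record is the client's Finished message.
            r["phase"] = "post-ChangeCipherSpec" if seen_ccs else "handshake"
    return r

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

For CBC suites such as the one negotiated in this log, TLS 1.2 reports padding and MAC failures with the same 'bad record mac' alert, so the alert alone does not tell the two apart.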