[strongSwan] MacOS 10.12 Sierra IKEv2 user/password auth

Pete Ashdown pashdown at xmission.com
Sun Oct 9 18:57:58 CEST 2016


On 10/9/16 10:42 AM, Noel Kuntze wrote:
> On 09.10.2016 18:37, Pete Ashdown wrote:
>> On 10/9/16 10:29 AM, Noel Kuntze wrote:
>>>> On 09.10.2016 18:23, Pete Ashdown wrote:
>>>>>> Has anyone actually gotten this to work?  I've tried both the Mac's gui
>>>>>> and Configurator program and a number of iterations of Strongswan
>>>>>> configs and I always end up with this error in the logs:
>>>>>>
>>>>>>     charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>>>>>>
>>>>>> I have no idea where to go from here.  A little help please?
>>>> You start reading the log lines above that message.
>>>>
>> Thanks for your helpful response, but there is nothing there that sticks
>> out as to why the auth fails.  The prior auth entry looks like this:
>>
>> charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT)
>> N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6)
>> N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>>
>> If you'd like me to paste the whole thing, I can do that, but I'm not
>> seeing any smoking guns.
>>
> Then please provide a full log and your configuration.
>
Some IP addresses have been obfuscated.

Config:

# ipsec.conf - strongSwan IPsec configuration file

config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"

conn win7
     leftcert=vpnHostCert.der
     leftsendcert=always
     leftauth=pubkey
     leftsubnet=0.0.0.0/0
     right=%any
     rightauth=eap-gtc
     rightsourceip=10.10.10.16/2
     rightsendcert=never
     eap_identity=%any
     keyexchange=ikev2
     auto=add

Log:

Oct  9 10:52:47 vpn charon: 00[DMN] Starting IKE charon daemon
(strongSwan 5.3.5, Linux 4.4.0-38-generic, x86_64)
Oct  9 10:52:47 vpn charon: 00[LIB] created TUN device: ipsec0
Oct  9 10:52:47 vpn charon: 00[KNL] known interfaces and IP addresses:
Oct  9 10:52:47 vpn charon: 00[KNL]   lo
Oct  9 10:52:47 vpn charon: 00[KNL]     127.0.0.1
Oct  9 10:52:47 vpn charon: 00[KNL]     ::1
Oct  9 10:52:47 vpn charon: 00[KNL]   eth0
Oct  9 10:52:47 vpn charon: 00[KNL]   br0
Oct  9 10:52:47 vpn charon: 00[KNL]     10.10.10.1
Oct  9 10:52:47 vpn charon: 00[KNL]     2600:f000:0:a::f01
Oct  9 10:52:47 vpn charon: 00[KNL]     fe80::225:90ff:fe33:afa4
Oct  9 10:52:47 vpn charon: 00[KNL]   tap1
Oct  9 10:52:47 vpn charon: 00[KNL]     fe80::1c73:77ff:fee0:6535
Oct  9 10:52:47 vpn charon: 00[KNL]   tap0
Oct  9 10:52:47 vpn charon: 00[KNL]     fe80::1490:25ff:fed2:5663
Oct  9 10:52:47 vpn charon: 00[KNL]   ipsec0
Oct  9 10:52:47 vpn charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Oct  9 10:52:47 vpn charon: 00[CFG]   loaded ca certificate "C=US, O=XMission, CN=vpn.xmission.com" from '/etc/ipsec.d/cacerts/strongswanCert.der'
Oct  9 10:52:47 vpn charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Oct  9 10:52:47 vpn charon: 00[CFG] loading ocsp signer certificates
from '/etc/ipsec.d/ocspcerts'
Oct  9 10:52:47 vpn charon: 00[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
Oct  9 10:52:47 vpn charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct  9 10:52:47 vpn charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Oct  9 10:52:47 vpn charon: 00[CFG]   loaded RSA private key from
'/etc/ipsec.d/private/vpnHostKey.der'
Oct  9 10:52:47 vpn charon: 00[CFG] opening triplet file
/etc/ipsec.d/triplets.dat failed: No such file or directory
Oct  9 10:52:47 vpn charon: 00[CFG] loaded 0 RADIUS server configurations
Oct  9 10:52:47 vpn charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac ccm gcm attr kernel-libipsec kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
Oct  9 10:52:47 vpn charon: 00[LIB] dropped capabilities, running as uid
0, gid 0
Oct  9 10:52:47 vpn charon: 00[JOB] spawning 16 worker threads
Oct  9 10:52:47 vpn charon: 02[NET] waiting for data on sockets
Oct  9 10:52:47 vpn charon: 11[CFG] received stroke: add connection 'win7'
Oct  9 10:52:47 vpn charon: 11[CFG] conn win7
Oct  9 10:52:47 vpn charon: 11[CFG]   left=%any
Oct  9 10:52:47 vpn charon: 11[CFG]   leftsubnet=0.0.0.0/0
Oct  9 10:52:47 vpn charon: 11[CFG]   leftauth=pubkey
Oct  9 10:52:47 vpn charon: 11[CFG]   leftcert=vpnHostCert.der
Oct  9 10:52:47 vpn charon: 11[CFG]   right=%any
Oct  9 10:52:47 vpn charon: 11[CFG]   rightsourceip=10.10.10.16/2
Oct  9 10:52:47 vpn charon: 11[CFG]   rightauth=eap-gtc
Oct  9 10:52:47 vpn charon: 11[CFG]   eap_identity=%any
Oct  9 10:52:47 vpn charon: 11[CFG]   ike=aes128-sha1-modp2048,3des-sha1-modp1536
Oct  9 10:52:47 vpn charon: 11[CFG]   esp=aes128-sha1,3des-sha1
Oct  9 10:52:47 vpn charon: 11[CFG]   dpddelay=30
Oct  9 10:52:47 vpn charon: 11[CFG]   dpdtimeout=150
Oct  9 10:52:47 vpn charon: 11[CFG]   mediation=no
Oct  9 10:52:47 vpn charon: 11[CFG]   keyexchange=ikev2
Oct  9 10:52:47 vpn charon: 11[CFG] adding virtual IP address pool
10.10.10.16/2
Oct  9 10:52:47 vpn charon: 11[CFG]   loaded certificate "C=US,
O=XMission, CN=vpn.xmission.com" from 'vpnHostCert.der'
Oct  9 10:52:47 vpn charon: 11[CFG]   id '%any' not confirmed by
certificate, defaulting to 'C=US, O=XMission, CN=vpn.xmission.com'
Oct  9 10:52:47 vpn charon: 11[CFG] added configuration 'win7'
Oct  9 10:52:51 vpn charon: 02[NET] received packet: from
177.77.77.62[500] to 10.10.10.1[500]
Oct  9 10:52:51 vpn charon: 02[NET] waiting for data on sockets
Oct  9 10:52:51 vpn charon: 10[MGR] checkout IKE_SA by message
Oct  9 10:52:51 vpn charon: 10[MGR] created IKE_SA (unnamed)[1]
Oct  9 10:52:51 vpn charon: 10[NET] received packet: from
177.77.77.62[500] to 10.10.10.1[500] (604 bytes)
Oct  9 10:52:51 vpn charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE
No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct  9 10:52:51 vpn charon: 10[CFG] looking for an ike config for
10.10.10.1...177.77.77.62
Oct  9 10:52:51 vpn charon: 10[CFG]   candidate: %any...%any, prio 28
Oct  9 10:52:51 vpn charon: 10[CFG] found matching ike config:
%any...%any with prio 28
Oct  9 10:52:51 vpn charon: 10[IKE] 177.77.77.62 is initiating an IKE_SA
Oct  9 10:52:51 vpn charon: 10[IKE] 177.77.77.62 is initiating an IKE_SA
Oct  9 10:52:51 vpn charon: 10[IKE] IKE_SA (unnamed)[1] state change:
CREATED => CONNECTING
Oct  9 10:52:51 vpn charon: 10[CFG] selecting proposal:
Oct  9 10:52:51 vpn charon: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM
found
Oct  9 10:52:51 vpn charon: 10[CFG] selecting proposal:
Oct  9 10:52:51 vpn charon: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM
found
Oct  9 10:52:51 vpn charon: 10[CFG] selecting proposal:
Oct  9 10:52:51 vpn charon: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM
found
Oct  9 10:52:51 vpn charon: 10[CFG] selecting proposal:
Oct  9 10:52:51 vpn charon: 10[CFG]   no acceptable DIFFIE_HELLMAN_GROUP
found
Oct  9 10:52:51 vpn charon: 10[CFG] selecting proposal:
Oct  9 10:52:51 vpn charon: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM
found
Oct  9 10:52:51 vpn charon: 10[CFG] selecting proposal:
Oct  9 10:52:51 vpn charon: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM
found
Oct  9 10:52:51 vpn charon: 10[CFG] selecting proposal:
Oct  9 10:52:51 vpn charon: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM
found
Oct  9 10:52:51 vpn charon: 10[CFG] selecting proposal:
Oct  9 10:52:51 vpn charon: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM
found
Oct  9 10:52:51 vpn charon: 10[CFG] selecting proposal:
Oct  9 10:52:51 vpn charon: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM
found
Oct  9 10:52:51 vpn charon: 10[CFG] selecting proposal:
Oct  9 10:52:51 vpn charon: 10[CFG]   no acceptable DIFFIE_HELLMAN_GROUP
found
Oct  9 10:52:51 vpn charon: 10[CFG] selecting proposal:
Oct  9 10:52:51 vpn charon: 10[CFG]   proposal matches
Oct  9 10:52:51 vpn charon: 10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct  9 10:52:51 vpn charon: 10[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP,
IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
Oct  9 10:52:51 vpn charon: 10[CFG] selected proposal:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct  9 10:52:51 vpn charon: 10[IKE] remote host is behind NAT
Oct  9 10:52:51 vpn charon: 10[ENC] generating IKE_SA_INIT response 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Oct  9 10:52:51 vpn charon: 10[NET] sending packet: from 10.10.10.1[500]
to 177.77.77.62[500] (440 bytes)
Oct  9 10:52:51 vpn charon: 03[NET] sending packet: from 10.10.10.1[500]
to 177.77.77.62[500]
Oct  9 10:52:51 vpn charon: 10[MGR] checkin IKE_SA (unnamed)[1]
Oct  9 10:52:51 vpn charon: 10[MGR] check-in of IKE_SA successful.
Oct  9 10:52:51 vpn charon: 02[NET] received packet: from
177.77.77.62[4500] to 10.10.10.1[4500]
Oct  9 10:52:51 vpn charon: 02[NET] waiting for data on sockets
Oct  9 10:52:51 vpn charon: 13[MGR] checkout IKE_SA by message
Oct  9 10:52:51 vpn charon: 13[MGR] IKE_SA (unnamed)[1] successfully
checked out
Oct  9 10:52:51 vpn charon: 13[NET] received packet: from
177.77.77.62[4500] to 10.10.10.1[4500] (512 bytes)
Oct  9 10:52:51 vpn charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Oct  9 10:52:51 vpn charon: 13[CFG] looking for peer configs matching
10.10.10.1[vpn.xmission.com]...177.77.77.62[10.67.1.244]
Oct  9 10:52:51 vpn charon: 13[CFG] no matching peer config found
Oct  9 10:52:51 vpn charon: 13[IKE] processing INTERNAL_IP4_ADDRESS
attribute
Oct  9 10:52:51 vpn charon: 13[IKE] processing INTERNAL_IP4_DHCP attribute
Oct  9 10:52:51 vpn charon: 13[IKE] processing INTERNAL_IP4_DNS attribute
Oct  9 10:52:51 vpn charon: 13[IKE] processing INTERNAL_IP4_NETMASK
attribute
Oct  9 10:52:51 vpn charon: 13[IKE] processing INTERNAL_IP6_ADDRESS
attribute
Oct  9 10:52:51 vpn charon: 13[IKE] processing INTERNAL_IP6_DHCP attribute
Oct  9 10:52:51 vpn charon: 13[IKE] processing INTERNAL_IP6_DNS attribute
Oct  9 10:52:51 vpn charon: 13[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct  9 10:52:51 vpn charon: 13[IKE] peer supports MOBIKE
Oct  9 10:52:51 vpn charon: 13[ENC] generating IKE_AUTH response 1 [
N(AUTH_FAILED) ]
Oct  9 10:52:51 vpn charon: 13[NET] sending packet: from
10.10.10.1[4500] to 177.77.77.62[4500] (80 bytes)
Oct  9 10:52:51 vpn charon: 13[MGR] checkin and destroy IKE_SA (unnamed)[1]
Oct  9 10:52:51 vpn charon: 03[NET] sending packet: from
10.10.10.1[4500] to 177.77.77.62[4500]
Oct  9 10:52:51 vpn charon: 13[IKE] IKE_SA (unnamed)[1] state change:
CONNECTING => DESTROYING
Oct  9 10:52:51 vpn charon: 13[MGR] check-in and destroy of IKE_SA
successful
Oct  9 10:53:21 vpn charon: 11[MGR] checkout IKE_SA
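A small log-triage script, added here as an example and not part of the thread or of strongSwan itself: it walks charon output like the log above and, for each AUTH_FAILED, collects the CFG lines the same worker thread logged since it checked out the IKE_SA, pulls the IDr/IDi pair out of the peer-config lookup, and compares the IDr the client sent against the identity charon defaulted to from the certificate. SAMPLE_LOG is a constructed excerpt of the lines in this post; explain_auth_failed is the example's own name.

```python
import re

# Constructed excerpt of the charon log in this post (worker thread 13 handles IKE_AUTH).
SAMPLE_LOG = """\
Oct  9 10:52:47 vpn charon: 11[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=US, O=XMission, CN=vpn.xmission.com'
Oct  9 10:52:51 vpn charon: 13[MGR] checkout IKE_SA by message
Oct  9 10:52:51 vpn charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Oct  9 10:52:51 vpn charon: 13[CFG] looking for peer configs matching 10.10.10.1[vpn.xmission.com]...177.77.77.62[10.67.1.244]
Oct  9 10:52:51 vpn charon: 13[CFG] no matching peer config found
Oct  9 10:52:51 vpn charon: 13[IKE] peer supports MOBIKE
Oct  9 10:52:51 vpn charon: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

LINE_RE = re.compile(r"charon: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
PEER_RE = re.compile(r"looking for peer configs matching [^\s\[]+\[(?P<idr>[^\]]+)\]\.\.\.[^\s\[]+\[(?P<idi>[^\]]+)\]")
DEFAULT_ID_RE = re.compile(r"id '[^']*' not confirmed by certificate, defaulting to '(?P<dn>[^']+)'")


def explain_auth_failed(log_text):
    """Return one finding per AUTH_FAILED: the CFG lines of that worker thread's current
    IKE_SA, the IDr/IDi from the peer-config lookup, and a reason code."""
    default_id = None          # identity charon fell back to because leftid was unset
    cfg_by_thread = {}         # worker thread -> CFG messages for the IKE_SA it holds
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        thread, group, msg = m.group("thread"), m.group("group"), m.group("msg")
        d = DEFAULT_ID_RE.search(msg)
        if d:
            default_id = d.group("dn")
        if group == "MGR" and "checkout IKE_SA" in msg:
            cfg_by_thread[thread] = []          # a new exchange starts on this thread
        elif group == "CFG":
            cfg_by_thread.setdefault(thread, []).append(msg.strip())
        elif "N(AUTH_FAILED)" in msg:
            cfg = cfg_by_thread.get(thread, [])
            finding = {"thread": thread, "cfg": cfg, "idr": None, "idi": None, "reason": "unknown"}
            for c in cfg:
                p = PEER_RE.search(c)
                if p:
                    finding["idr"], finding["idi"] = p.group("idr"), p.group("idi")
            if "no matching peer config found" in cfg:
                # leftid must equal the IDr the client sent; an FQDN never equals a DN
                if default_id and finding["idr"] and finding["idr"] != default_id:
                    finding["reason"] = "idr_does_not_match_leftid"
                else:
                    finding["reason"] = "no_peer_config"
            findings.append(finding)
    return findings
```

On this log the client's IDr is the FQDN vpn.xmission.com while charon is using the certificate DN as its own identity, so no peer config matches and the exchange ends in AUTH_FAILED; checking that leftid is set to the name the client expects (and that the certificate carries it in subjectAltName) is the first thing to verify.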



