[strongSwan] Certificate authentication issue
Joe O
notjoe at gmail.com
Fri Oct 28 10:28:32 CEST 2016
I am having some issues with certificate authentication. I've generated a .p12 certificate and imported it into my Mac. Everything looks good, and according to the strongSwan logs I am successfully authenticating. However, I am also getting "Deleting half open IKE_SA after timeout" messages.
Here is the full log:
Oct 28 08:27:06 08[NET] received packet: from 80.24.56.224[500] to 45.63.76.236[500] (604 bytes)
Oct 28 08:27:06 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 28 08:27:06 08[IKE] 80.24.56.224 is initiating an IKE_SA
Oct 28 08:27:06 08[IKE] remote host is behind NAT
Oct 28 08:27:06 08[IKE] sending cert request for "C=CN, O=Alipay, CN=testing.connectedover.com"
Oct 28 08:27:06 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 28 08:27:06 08[NET] sending packet: from 45.63.76.236[500] to 80.24.56.224[500] (465 bytes)
Oct 28 08:27:06 15[NET] received packet: from 80.24.56.224[4500] to 45.63.76.236[4500] (512 bytes)
Oct 28 08:27:06 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Oct 28 08:27:06 15[CFG] looking for peer configs matching 45.63.76.236[testing.connectedover.com]...80.24.56.224[test]
Oct 28 08:27:06 15[CFG] selected peer config 'radius'
Oct 28 08:27:06 15[IKE] initiating EAP_IDENTITY method (id 0x00)
Oct 28 08:27:06 15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 28 08:27:06 15[IKE] peer supports MOBIKE
Oct 28 08:27:06 15[IKE] authentication of 'testing.connectedover.com' (myself) with RSA signature successful
Oct 28 08:27:06 15[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Oct 28 08:27:06 15[NET] sending packet: from 45.63.76.236[4500] to 80.24.56.224[4500] (384 bytes)
Here is my ipsec config:
config setup
    uniqueids=no
    charondebug="cfg 2, dmn 2, ike 2, net 0"

conn %default
    leftid=testing.connectedover.com
    leftcert=server.cert.pem

conn iOS_cert
    keyexchange=ikev1
    # strongswan version >= 5.0.2, compatible with iOS 6.0,6.0.1
    fragmentation=yes
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-radius
    rightauth2=xauth
    rightsourceip=10.0.0.0/24
    rightcert=client.cert.pem
    auto=add
    dpdaction=clear

# also supports iOS PSK and Shrew on Windows
conn android_xauth_psk
    keyexchange=ikev1
    left=%defaultroute
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightauth2=xauth-radius
    rightsourceip=10.0.0.0/24
    dpdaction=clear
    ikelifetime=500h
    lifetime=200s
    auto=add

# compatible with "strongSwan VPN Client" for Android 4.0+
# and Windows 7 cert mode.
conn networkmanager-strongswan
    keyexchange=ikev2
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightauth=pubkey
    rightsourceip=10.0.0.0/24
    rightcert=client.cert.pem
    auto=add

conn radius
    keyexchange=ikev2
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=server.cert.pem
    right=%any
    rightsourceip=10.0.0.0/24
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%any
    auto=add
    dpdaction=clear
Thanks for the help!
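As an added example (not part of the original post and not strongSwan project code), here is a small Python analyzer for charon log lines like the ones quoted above: it ties each line to a peer via the worker thread that received the packet, records which peer config charon selected, whether the client's IKE_AUTH request carried an AUTH payload, and whether the EAP request the server sent was ever answered, which is the point at which a half-open IKE_SA would otherwise time out. The sample log is constructed from the lines in the post plus one assumed timeout line in the wording the poster reports.

```python
import re
from collections import defaultdict

# Constructed sample: the IKE_AUTH lines quoted in the post plus one timeout line in
# the wording the poster reports (its thread id 05 is invented for this example).
SAMPLE_LOG = """\
Oct 28 08:27:06 15[NET] received packet: from 80.24.56.224[4500] to 45.63.76.236[4500] (512 bytes)
Oct 28 08:27:06 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Oct 28 08:27:06 15[CFG] selected peer config 'radius'
Oct 28 08:27:06 15[IKE] initiating EAP_IDENTITY method (id 0x00)
Oct 28 08:27:06 15[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Oct 28 08:27:36 05[JOB] deleting half open IKE_SA after timeout
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<thr>\d+)\[\w+\] (?P<msg>.*)$")
PKT_RE = re.compile(r"received packet: from (?P<peer>[\d.]+)\[\d+\]")
EXCH_RE = re.compile(r"(?P<dir>parsed|generating) (?P<exch>\w+) (?:request|response) \d+ \[ (?P<payloads>[^\]]*)\]")
CFG_RE = re.compile(r"selected peer config '(?P<cfg>[^']+)'")

def analyze(log_text):
    """Per peer: selected config, AUTH payload seen from client, unanswered EAP request."""
    thread_peer = {}  # charon worker thread id -> peer whose packet it is handling
    state = defaultdict(lambda: {"config": None, "client_auth": False, "eap_req": False, "eap_res": False})
    timeouts = 0      # this timeout message names no peer, so it is counted globally
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        thr, msg = m.group("thr"), m.group("msg")
        if "half open IKE_SA" in msg and "timeout" in msg:
            timeouts += 1
            continue
        if (p := PKT_RE.search(msg)):
            thread_peer[thr] = p.group("peer")
        peer = thread_peer.get(thr)
        if peer is None:
            continue  # thread has not handled a packet yet; nothing to attribute
        st = state[peer]
        if (c := CFG_RE.search(msg)):
            st["config"] = c.group("cfg")
        if (e := EXCH_RE.search(msg)) and e.group("exch") == "IKE_AUTH":
            payloads = e.group("payloads").split()
            if e.group("dir") == "parsed":  # client -> server
                st["client_auth"] |= "AUTH" in payloads
                st["eap_res"] |= any(x.startswith("EAP/RES") for x in payloads)
            else:                           # server -> client
                st["eap_req"] |= any(x.startswith("EAP/REQ") for x in payloads)
    findings = {peer: {"config": st["config"], "client_auth_payload": st["client_auth"],
                       "stalled_after_eap_request": st["eap_req"] and not st["eap_res"]}
                for peer, st in state.items()}
    findings["_unattributed_timeouts"] = timeouts
    return findings
```

Run `analyze(SAMPLE_LOG)` to see that the client asked for EAP (no AUTH payload), charon picked the 'radius' config, and the EAP identity request went unanswered.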