[strongSwan] Ubuntu CLI client works Network Manager fails

Alex Sharaz alex.sharaz at york.ac.uk
Fri Dec 1 12:55:24 CET 2017


OK, deleted source tree and started again. It now looks as if there's a
difference between what happens when talking to the RADIUS server used by
the VPN server.

Below is a snippet from /var/log/syslog for the charon-nm process. As
before, CLI VPN connections just work. I've run the following ./configure:

./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib \
  --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 \
  --disable-fips-prf --disable-gmp --enable-openssl --enable-nm \
  --enable-agent --enable-eap-mschapv2 --enable-eap-identity --enable-curl \
  --enable-eap-peap --with-nm-ca-dir=/etc/ssl/certs

I've created a network manager config called Alex99, specifying a gateway
server FQDN of vpn.york.ac.uk with no cert specified and client
authentication of EAP, specifying my account (as1558 at york.ac.uk).

On the VPN server both the CLI initiated VPN connection and the Network
manager initiated one use the same VPN server connection definition.

#
# Initiating vpn connection request from network manager
# .. to server vpn.york.ac.uk
#
Dec  1 10:40:13 deadpool charon-nm: 05[CFG] received initiate for
NetworkManager connection Alex99
Dec  1 10:40:13 deadpool charon-nm: 05[CFG] C=BM, O=QuoVadis Limited,
CN=QuoVadis Global SSL ICA G3 is not self signed
Dec  1 10:40:13 deadpool charon-nm: 05[CFG] C=GB, ST=Greater Manchester,
L=Salford, O=COMODO CA Limited, CN=COMODO SHA-256 Organization Validation
Secure Server CA is not self signed
Dec  1 10:40:13 deadpool charon-nm: 05[CFG] using CA certificate, gateway
identity 'vpn.york.ac.uk'
Dec  1 10:40:13 deadpool charon-nm: 05[IKE] initiating IKE_SA Alex99[6] to
144.32.128.199
Dec  1 10:40:13 deadpool charon-nm: 05[ENC] generating IKE_SA_INIT request
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP)
]
Dec  1 10:40:13 deadpool charon-nm: 05[NET] sending packet: from
144.32.230.152[45805] to 144.32.128.199[500] (752 bytes)
Dec  1 10:40:13 deadpool charon-nm: 08[NET] received packet: from
144.32.128.199[500] to 144.32.230.152[45805] (38 bytes)
Dec  1 10:40:13 deadpool charon-nm: 08[ENC] parsed IKE_SA_INIT response 0 [
N(INVAL_KE) ]
Dec  1 10:40:13 deadpool charon-nm: 08[IKE] peer didn't accept DH group
ECP_256, it requested MODP_2048
Dec  1 10:40:13 deadpool charon-nm: 08[IKE] initiating IKE_SA Alex99[6] to
144.32.128.199
Dec  1 10:40:13 deadpool charon-nm: 08[ENC] generating IKE_SA_INIT request
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP)
]
Dec  1 10:40:13 deadpool charon-nm: 08[NET] sending packet: from
144.32.230.152[45805] to 144.32.128.199[500] (944 bytes)
Dec  1 10:40:13 deadpool charon-nm: 09[NET] received packet: from
144.32.128.199[500] to 144.32.230.152[45805] (464 bytes)
Dec  1 10:40:13 deadpool charon-nm: 09[ENC] parsed IKE_SA_INIT response 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Dec  1 10:40:13 deadpool charon-nm: 09[IKE] faking NAT situation to enforce
UDP encapsulation
#
# Why does charon do this? These certs are located in /etc/ipsec.d/cacerts
# on the client machine.
#
#
Dec  1 10:40:13 deadpool charon-nm: 09[IKE] sending cert request for "C=BM,
O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
Dec  1 10:40:13 deadpool charon-nm: 09[IKE] sending cert request for "C=SE,
O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA
Root"
Dec  1 10:40:13 deadpool charon-nm: 09[IKE] sending cert request for "C=GB,
ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA-256
Organization Validation Secure Server CA"
Dec  1 10:40:13 deadpool charon-nm: 09[IKE] sending cert request for "C=BM,
O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
#
#
#
Dec  1 10:40:13 deadpool charon-nm: 09[IKE] establishing CHILD_SA Alex99{6}
Dec  1 10:40:13 deadpool charon-nm: 09[ENC] generating IKE_AUTH request 1 [
IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP)
N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Dec  1 10:40:13 deadpool charon-nm: 09[NET] sending packet: from
144.32.230.152[42743] to 144.32.128.199[4500] (412 bytes)
Dec  1 10:40:13 deadpool charon-nm: 10[NET] received packet: from
144.32.128.199[4500] to 144.32.230.152[42743] (1248 bytes)
Dec  1 10:40:13 deadpool charon-nm: 10[ENC] parsed IKE_AUTH response 1 [
EF(1/3) ]
Dec  1 10:40:13 deadpool charon-nm: 10[ENC] received fragment #1 of 3,
waiting for complete IKE message
Dec  1 10:40:13 deadpool charon-nm: 11[NET] received packet: from
144.32.128.199[4500] to 144.32.230.152[42743] (1248 bytes)
Dec  1 10:40:13 deadpool charon-nm: 11[ENC] parsed IKE_AUTH response 1 [
EF(2/3) ]
Dec  1 10:40:13 deadpool charon-nm: 11[ENC] received fragment #2 of 3,
waiting for complete IKE message
Dec  1 10:40:13 deadpool charon-nm: 12[NET] received packet: from
144.32.128.199[4500] to 144.32.230.152[42743] (128 bytes)
Dec  1 10:40:13 deadpool charon-nm: 12[ENC] parsed IKE_AUTH response 1 [
EF(3/3) ]
Dec  1 10:40:13 deadpool charon-nm: 12[ENC] received fragment #3 of 3,
reassembling fragmented IKE message
Dec  1 10:40:13 deadpool charon-nm: 12[ENC] parsed IKE_AUTH response 1 [
IDr CERT AUTH EAP/REQ/ID ]
Dec  1 10:40:13 deadpool charon-nm: 12[IKE] received end entity cert "C=GB,
ST=City of York, L=YORK, O=University of York, OU=IT Services, CN=
vpn.york.ac.uk"
Dec  1 10:40:13 deadpool charon-nm: 12[CFG]   using certificate "C=GB,
ST=City of York, L=YORK, O=University of York, OU=IT Services, CN=
vpn.york.ac.uk"
Dec  1 10:40:13 deadpool charon-nm: 12[CFG]   using trusted intermediate ca
certificate "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
Dec  1 10:40:13 deadpool charon-nm: 12[CFG] checking certificate status of
"C=GB, ST=City of York, L=YORK, O=University of York, OU=IT Services, CN=
vpn.york.ac.uk"
Dec  1 10:40:13 deadpool charon-nm: 12[CFG]   ocsp response correctly
signed by "C=BM, O=QuoVadis Limited, OU=OCSP Responder, CN=QuoVadis OCSP
Authority Signature"
Dec  1 10:40:13 deadpool charon-nm: 12[CFG]   ocsp response is valid: until
Dec 03 09:49:51 2017
Dec  1 10:40:13 deadpool charon-nm: 12[CFG]   using cached ocsp response
Dec  1 10:40:13 deadpool charon-nm: 12[CFG] certificate status is good
Dec  1 10:40:13 deadpool charon-nm: 12[CFG]   using trusted ca certificate
"C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
Dec  1 10:40:13 deadpool charon-nm: 12[CFG] checking certificate status of
"C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
Dec  1 10:40:13 deadpool charon-nm: 12[CFG] ocsp response verification
failed, invalid signature
Dec  1 10:40:13 deadpool charon-nm: 12[CFG]   ocsp response correctly
signed by "C=BM, O=QuoVadis Limited, OU=OCSP Responder, CN=QuoVadis OCSP
Authority Signature"
Dec  1 10:40:13 deadpool charon-nm: 12[CFG]   ocsp response is valid: until
Dec 03 09:49:51 2017
Dec  1 10:40:13 deadpool charon-nm: 12[CFG]   using cached ocsp response
Dec  1 10:40:13 deadpool charon-nm: 12[CFG] certificate status is good
#
# Should I worry about this? It's a normal server cert.
#
Dec  1 10:40:13 deadpool charon-nm: 12[CFG] certificate policy
1.3.6.1.4.1.8024.0.2.100.1.1 for 'C=GB, ST=City of York, L=YORK,
O=University of York, OU=IT Services, CN=vpn.york.ac.uk' not allowed by
trustchain, ignored
Dec  1 10:40:13 deadpool charon-nm: 12[CFG]   reached self-signed root ca
with a path length of 1
Dec  1 10:40:13 deadpool charon-nm: 12[IKE] authentication of '
vpn.york.ac.uk' with RSA_EMSA_PKCS1_SHA2_256 successful

#
# So at this point the client recognises vpn.york.ac.uk as a valid
# certificate
# ... so start the EAP-PEAP authentication
#
Dec  1 10:40:13 deadpool charon-nm: 12[IKE] server requested EAP_IDENTITY
(id 0x00), sending 'as1558 at york.ac.uk'
Dec  1 10:40:13 deadpool charon-nm: 12[ENC] generating IKE_AUTH request 2 [
EAP/RES/ID ]
Dec  1 10:40:13 deadpool charon-nm: 12[NET] sending packet: from
144.32.230.152[42743] to 144.32.128.199[4500] (92 bytes)
Dec  1 10:40:13 deadpool charon-nm: 13[NET] received packet: from
144.32.128.199[4500] to 144.32.230.152[42743] (76 bytes)
Dec  1 10:40:13 deadpool charon-nm: 13[ENC] parsed IKE_AUTH response 2 [
EAP/REQ/PEAP ]
Dec  1 10:40:13 deadpool charon-nm: 13[IKE] server requested EAP_PEAP
authentication (id 0x01)
Dec  1 10:40:13 deadpool charon-nm: 13[TLS] EAP_PEAP version is v1
Dec  1 10:40:13 deadpool charon-nm: 13[ENC] generating IKE_AUTH request 3 [
EAP/RES/PEAP ]
Dec  1 10:40:13 deadpool charon-nm: 13[NET] sending packet: from
144.32.230.152[42743] to 144.32.128.199[4500] (268 bytes)
Dec  1 10:40:13 deadpool charon-nm: 14[NET] received packet: from
144.32.128.199[4500] to 144.32.230.152[42743] (1100 bytes)
Dec  1 10:40:13 deadpool charon-nm: 14[ENC] parsed IKE_AUTH response 3 [
EAP/REQ/PEAP ]
Dec  1 10:40:13 deadpool charon-nm: 14[TLS] negotiated TLS 1.2 using suite
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Dec  1 10:40:13 deadpool charon-nm: 14[ENC] generating IKE_AUTH request 4 [
EAP/RES/PEAP ]
Dec  1 10:40:13 deadpool charon-nm: 14[NET] sending packet: from
144.32.230.152[42743] to 144.32.128.199[4500] (76 bytes)
Dec  1 10:40:13 deadpool charon-nm: 15[NET] received packet: from
144.32.128.199[4500] to 144.32.230.152[42743] (1100 bytes)
Dec  1 10:40:13 deadpool charon-nm: 15[ENC] parsed IKE_AUTH response 4 [
EAP/REQ/PEAP ]
Dec  1 10:40:13 deadpool charon-nm: 15[ENC] generating IKE_AUTH request 5 [
EAP/RES/PEAP ]
Dec  1 10:40:13 deadpool charon-nm: 15[NET] sending packet: from
144.32.230.152[42743] to 144.32.128.199[4500] (76 bytes)
Dec  1 10:40:13 deadpool charon-nm: 16[NET] received packet: from
144.32.128.199[4500] to 144.32.230.152[42743] (1100 bytes)
Dec  1 10:40:13 deadpool charon-nm: 16[ENC] parsed IKE_AUTH response 5 [
EAP/REQ/PEAP ]
Dec  1 10:40:13 deadpool charon-nm: 16[ENC] generating IKE_AUTH request 6 [
EAP/RES/PEAP ]
Dec  1 10:40:13 deadpool charon-nm: 16[NET] sending packet: from
144.32.230.152[42743] to 144.32.128.199[4500] (76 bytes)
Dec  1 10:40:13 deadpool charon-nm: 06[NET] received packet: from
144.32.128.199[4500] to 144.32.230.152[42743] (1100 bytes)
Dec  1 10:40:13 deadpool charon-nm: 06[ENC] parsed IKE_AUTH response 6 [
EAP/REQ/PEAP ]
#
# Where is this coming from? The cert on vpn.york.ac.uk lives on a host
# called vpn10.york.ac.uk and has multiple SubjAlt Name entries for all the
# real vpn servers we might want to use the cert on.
# Think this is "wrong" message.
Dec  1 10:40:13 deadpool charon-nm: 06[TLS] server certificate does not
match to 'vpn.york.ac.uk'
Dec  1 10:40:13 deadpool charon-nm: 06[TLS] sending fatal TLS alert 'access
denied'
#
# So I guess it's failed now. Now looking at the RADIUS server end I can see
# a failed eap-peap auth request for my userid
#
Dec  1 10:40:13 deadpool charon-nm: 06[ENC] generating IKE_AUTH request 7 [
EAP/RES/PEAP ]
Dec  1 10:40:13 deadpool charon-nm: 06[NET] sending packet: from
144.32.230.152[42743] to 144.32.128.199[4500] (92 bytes)
Dec  1 10:40:15 deadpool charon-nm: 07[NET] received packet: from
144.32.128.199[4500] to 144.32.230.152[42743] (76 bytes)
Dec  1 10:40:15 deadpool charon-nm: 07[ENC] parsed IKE_AUTH response 7 [
EAP/FAIL ]
Dec  1 10:40:15 deadpool charon-nm: 07[IKE] received EAP_FAILURE, EAP
authentication failed
Dec  1 10:40:15 deadpool charon-nm: 07[ENC] generating INFORMATIONAL
request 8 [ N(AUTH_FAILED) ]
Dec  1 10:40:15 deadpool charon-nm: 07[NET] sending packet: from
144.32.230.152[42743] to 144.32.128.199[4500] (76 bytes)


On the VPN server I can see that the same service definition is being used.
On the RADIUS server I can see one connection from the VPN client
succeeding and one failing.

How can I increase charon-nm debugging on the client to see what it's doing?
Setting charondebug doesn't seem to do anything for network manager VPN
initiations.

Rgds
Alex


On 1 December 2017 at 09:40, Tobias Brunner <tobias at strongswan.org> wrote:

> Hi Alex,
>
> > What do i have to do to make the plugin use my new value ?
>
> No idea.  Just make sure the executables you built are actually the ones
> that are installed and get executed.  Alternatively, you may also
> configure the directory via charon-nm.ca_dir in strongswan.conf.
>
> Regards,
> Tobias
>
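
An added example, not part of the original message and not strongSwan code: a small triage script that rejoins mail-wrapped charon-nm syslog records and separates the IKE-level gateway certificate authentication from the TLS server identity check made inside the EAP-PEAP exchange. The sample records are copied from the log above; the stage names and function names are assumptions made for this illustration.

```python
import re

# Constructed sample: records copied from the log in the post, wrapped as mailed.
SAMPLE = """\
Dec  1 10:40:13 deadpool charon-nm: 12[IKE] authentication of '
vpn.york.ac.uk' with RSA_EMSA_PKCS1_SHA2_256 successful
Dec  1 10:40:13 deadpool charon-nm: 13[IKE] server requested EAP_PEAP
authentication (id 0x01)
Dec  1 10:40:13 deadpool charon-nm: 06[TLS] server certificate does not
match to 'vpn.york.ac.uk'
Dec  1 10:40:13 deadpool charon-nm: 06[TLS] sending fatal TLS alert 'access
denied'
Dec  1 10:40:15 deadpool charon-nm: 07[IKE] received EAP_FAILURE, EAP
authentication failed
"""

HEAD = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ charon-nm: (\d+)\[(\w+)\] (.*)$")
# Stage names are labels made up for this example, not strongSwan terms.
STAGES = [
    ("ike_gateway_auth_ok", "IKE", re.compile(r"authentication of '\s*(\S+)' with \S+ successful")),
    ("eap_method", "IKE", re.compile(r"server requested (EAP_\w+) authentication")),
    ("inner_tls_identity_mismatch", "TLS", re.compile(r"server certificate does not match to '\s*(\S+)'")),
    ("eap_failure", "IKE", re.compile(r"received (EAP_FAILURE)")),
]

def unwrap(text):
    """Rejoin wrapped records; drop '#' annotations and their continuations."""
    records, open_rec = [], False
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            records.append([m.group(2), m.group(3)])
            open_rec = True
        elif line.startswith("#") or not line.strip():
            open_rec = False
        elif open_rec:
            records[-1][1] += " " + line.strip()
    return [(grp, " ".join(msg.split())) for grp, msg in records]

def triage(text):
    """Return ordered (stage, detail) events plus a one-line verdict."""
    events = [(name, m.group(1)) for grp, msg in unwrap(text)
              for name, want, rx in STAGES if grp == want and (m := rx.search(msg))]
    names = {n for n, _ in events}
    if {"ike_gateway_auth_ok", "inner_tls_identity_mismatch"} <= names:
        return events, "IKE gateway auth OK; TLS identity check inside EAP failed"
    return events, ("EAP failed, no TLS identity error" if "eap_failure" in names else "no failure found")
```
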