[strongSwan] strongswan 5.5 server with clients MS W10 Surface or IOS 10.2?

Sarefrech sarefrech at wanadoo.fr
Fri Feb 24 18:22:41 CET 2017


hi all,

I have a strongSwan server (U5.5.0/K3.12.28+) on a Raspberry Pi & two devices: a Windows 10 Surface tab & an iPad (10.21).

I want to activate IKEv2/IPsec VPNs. I use the built-in IKEv2 clients.

So far the only working conf is with the iPad and PSK; I was forced to use Apple Configurator to generate a customized mobileconfig file.

On the iPad, the configuration with a certificate on the device itself does not seem to work: traces on the server show that the device asks for EAP.

With the Apple Configurator mobileconfig file (with certificates this time), it's better, but during the negotiation process the device stops responding (I can see port unreachable packets in the capture):

10[NET] received packet: from 161.106.240.156[500] to 161.106.240.155[500] (428 bytes)
10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
10[IKE] 161.106.240.156 is initiating an IKE_SA
10[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
10[IKE] remote host is behind NAT
10[IKE] sending cert request for "C=FR, O=DreamSwanPI, CN=DreamSwanPI CA"
10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
10[NET] sending packet: from 161.106.240.155[500] to 161.106.240.156[500] (461 bytes)
07[NET] received packet: from 161.106.240.156[1293] to 161.106.240.155[4500] (1412 bytes)
07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
07[IKE] received end entity cert "C=FR, O=DreamSwanPI, CN=Ipad2"
07[CFG] looking for peer configs matching 161.106.240.155[vpnPI.strongswan.org]...161.106.240.156[Ipad2]
07[CFG] selected peer config 'Ios'
07[CFG]   using trusted ca certificate "C=FR, O=DreamSwanPI, CN=DreamSwanPI CA"
07[CFG] checking certificate status of "C=FR, O=DreamSwanPI, CN=Ipad2"
07[CFG] certificate status is not available
07[CFG]   reached self-signed root ca with a path length of 0
07[CFG]   using trusted certificate "C=FR, O=DreamSwanPI, CN=Ipad2"
07[IKE] authentication of 'Ipad2' with RSA signature successful
07[IKE] processing INTERNAL_IP4_ADDRESS attribute
07[IKE] processing INTERNAL_IP4_DHCP attribute
07[IKE] processing INTERNAL_IP4_DNS attribute
07[IKE] processing INTERNAL_IP4_NETMASK attribute
07[IKE] processing INTERNAL_IP6_ADDRESS attribute
07[IKE] processing INTERNAL_IP6_DHCP attribute
07[IKE] processing INTERNAL_IP6_DNS attribute
07[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
07[IKE] peer supports MOBIKE
07[IKE] authentication of 'vpnPI.strongswan.org' (myself) with RSA signature successful
07[IKE] IKE_SA Ios[1] established between 161.106.240.155[vpnPI.strongswan.org]...161.106.240.156[Ipad2]
07[IKE] IKE_SA Ios[1] state change: CONNECTING => ESTABLISHED
07[IKE] scheduling rekeying in 13613s
07[IKE] maximum IKE_SA lifetime 15053s
07[IKE] sending end entity cert "C=FR, O=DreamSwanPI, CN=vpnPI.strongswan.org"
07[IKE] peer requested virtual IP %any
07[CFG] assigning new lease to 'Ipad2'
07[IKE] assigning virtual IP 10.0.2.1 to peer 'Ipad2'
07[IKE] peer requested virtual IP %any6
07[IKE] no virtual IP found for %any6 requested by 'Ipad2'
07[IKE] CHILD_SA default{1} established with SPIs c28e65bf_i 025b0308_o and TS 1.1.1.1/32 161.106.240.155/32 === 10.0.2.1/32
07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
07[NET] sending packet: from 161.106.240.155[4500] to 161.106.240.156[1293] (1380 bytes)
14[KNL] creating rekey job for CHILD_SA ESP/0x025b0308/161.106.240.156
14[IKE] queueing CHILD_REKEY task
14[IKE] activating new tasks
14[IKE]   activating CHILD_REKEY task
14[IKE] establishing CHILD_SA default{1}
14[ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi TSr ]
14[NET] sending packet: from 161.106.240.155[4500] to 161.106.240.156[1293] (300 bytes)
08[KNL] creating rekey job for CHILD_SA ESP/0xc28e65bf/161.106.240.155
08[IKE] queueing CHILD_REKEY task
08[IKE] delaying task initiation, CREATE_CHILD_SA exchange in progress
11[KNL] creating delete job for CHILD_SA ESP/0xc28e65bf/161.106.240.155
11[IKE] queueing CHILD_DELETE task
11[IKE] delaying task initiation, CREATE_CHILD_SA exchange in progress
15[KNL] creating delete job for CHILD_SA ESP/0x025b0308/161.106.240.156
15[IKE] queueing CHILD_DELETE task
15[IKE] delaying task initiation, CREATE_CHILD_SA exchange in progress
06[IKE] retransmit 1 of request with message ID 0
06[NET] sending packet: from 161.106.240.155[4500] to 161.106.240.156[1293] (300 bytes)
09[IKE] retransmit 2 of request with message ID 0
09[NET] sending packet: from 161.106.240.155[4500] to 161.106.240.156[1293] (300 bytes)
07[IKE] retransmit 3 of request with message ID 0
07[NET] sending packet: from 161.106.240.155[4500] to 161.106.240.156[1293] (300 bytes)
11[IKE] retransmit 4 of request with message ID 0
11[NET] sending packet: from 161.106.240.155[4500] to 161.106.240.156[1293] (300 bytes)
06[IKE] retransmit 5 of request with message ID 0
06[NET] sending packet: from 161.106.240.155[4500] to 161.106.240.156[1293] (300 bytes)
.

On the Surface tab (Win10), I don't have any working conf. The tab keeps asking for EAP even if certificate auth is configured.

I've tried several configurations (eap-mschapv2 for example) with no luck.

I've spent quite a big amount of time working on it. Writing to the list may be my last try...

Did anybody find running configurations to get these devices to work with certificates or at least EAP (any flavor would be OK as a first step)?

thank you,

Régis
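The trace in this post ends with five retransmits of a server-initiated CREATE_CHILD_SA rekey request that the iPad never answers. The script below is an added triage helper written for this thread; it is not part of strongSwan and was not in the original message. It walks charon log lines, lists the IKE_SAs that were established and flags rekey requests whose retransmits were exhausted without a parsed response. The first sample input is a subset of the lines from the post; the second is a constructed variant in which the peer does reply, so both outcomes are visible.

```python
"""Triage helper for strongSwan charon logs (added example, not strongSwan code).

It reports which IKE_SAs came up and which server-initiated CREATE_CHILD_SA
(rekey) requests ran out of retransmits without a reply from the peer.
"""
import re
from collections import defaultdict

# "07[IKE] IKE_SA Ios[1] established between 161.106.240.155[...]...161.106.240.156[Ipad2]"
ESTABLISHED_RE = re.compile(
    r"IKE_SA (?P<name>\S+)\[\d+\] established between \S+\.\.\.(?P<remote>\S+)")
# "14[ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi TSr ]"
REKEY_REQ_RE = re.compile(
    r"generating CREATE_CHILD_SA request (?P<mid>\d+) \[ N\(REKEY_SA\)")
# "06[IKE] retransmit 1 of request with message ID 0"
RETRANSMIT_RE = re.compile(
    r"retransmit (?P<n>\d+) of request with message ID (?P<mid>\d+)")
# What a responsive peer produces on our side: "parsed CREATE_CHILD_SA response 0 [ ... ]"
RESPONSE_RE = re.compile(r"parsed CREATE_CHILD_SA response (?P<mid>\d+)")


def analyse(lines, max_retransmits=5):
    """Walk charon log lines once and summarise the rekey outcome.

    max_retransmits defaults to 5, charon's default retransmit_tries budget,
    after which it gives up on the exchange.
    """
    established = []          # (ike_sa_name, remote identity) tuples
    rekey_mids = set()        # message IDs of rekey requests this side sent
    retransmits = defaultdict(int)  # message ID -> highest retransmit count seen
    answered = set()          # message IDs for which a response was parsed
    for line in lines:
        if (m := ESTABLISHED_RE.search(line)):
            established.append((m.group("name"), m.group("remote")))
        elif (m := REKEY_REQ_RE.search(line)):
            rekey_mids.add(int(m.group("mid")))
        elif (m := RETRANSMIT_RE.search(line)):
            mid = int(m.group("mid"))
            retransmits[mid] = max(retransmits[mid], int(m.group("n")))
        elif (m := RESPONSE_RE.search(line)):
            answered.add(int(m.group("mid")))
    unanswered = sorted(mid for mid in rekey_mids
                        if mid not in answered
                        and retransmits.get(mid, 0) >= max_retransmits)
    return {
        "established": established,
        "rekey_requests": sorted(rekey_mids),
        "retransmits": dict(retransmits),
        "unanswered": unanswered,
    }


def verdict(summary):
    """One-line human-readable reading of analyse()'s output."""
    if not summary["established"]:
        return "no IKE_SA established in this log"
    names = ", ".join(name for name, _ in summary["established"])
    if summary["unanswered"]:
        return (f"IKE_SA {names} established, but rekey request(s) with message ID "
                f"{summary['unanswered']} exhausted retransmits with no reply from the peer")
    return f"IKE_SA {names} established; every rekey request was answered"


# Subset of the lines from the post's trace.
SAMPLE_LOG = """\
07[IKE] IKE_SA Ios[1] established between 161.106.240.155[vpnPI.strongswan.org]...161.106.240.156[Ipad2]
07[IKE] CHILD_SA default{1} established with SPIs c28e65bf_i 025b0308_o and TS 1.1.1.1/32 161.106.240.155/32 === 10.0.2.1/32
14[KNL] creating rekey job for CHILD_SA ESP/0x025b0308/161.106.240.156
14[ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi TSr ]
14[NET] sending packet: from 161.106.240.155[4500] to 161.106.240.156[1293] (300 bytes)
06[IKE] retransmit 1 of request with message ID 0
09[IKE] retransmit 2 of request with message ID 0
07[IKE] retransmit 3 of request with message ID 0
11[IKE] retransmit 4 of request with message ID 0
06[IKE] retransmit 5 of request with message ID 0
"""

# Constructed variant (not from the post): the peer answers after one retransmit.
RESPONSIVE_LOG = """\
07[IKE] IKE_SA Ios[1] established between 161.106.240.155[vpnPI.strongswan.org]...161.106.240.156[Ipad2]
14[ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi TSr ]
06[IKE] retransmit 1 of request with message ID 0
06[ENC] parsed CREATE_CHILD_SA response 0 [ SA No TSi TSr ]
"""

if __name__ == "__main__":
    for label, text in (("post trace", SAMPLE_LOG),
                        ("constructed responsive peer", RESPONSIVE_LOG)):
        print(f"{label}: {verdict(analyse(text.splitlines()))}")
```

Run it on a saved charon log (`python3 triage.py < /var/log/charon.log` after swapping the samples for `sys.stdin`) to get the same verdict on a live capture. In the post's trace the rekey job is created immediately after IKE_AUTH completes; when charon schedules a CHILD_SA rekey is driven by the connection's `lifetime`, `margintime` and `rekeyfuzz` settings, so the script's output is a prompt to compare those values with what the client expects, not a diagnosis on its own.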