[strongSwan] Test scenarios for Mac OSX app

Nicolas Fitton NF at post-quantum.com
Thu Jul 6 11:32:43 CEST 2017


Never mind…
The solution to the problem is to have the subjectAltName in the server certificate (can be added with `--san [ip address]`)

On 6 Jul 2017, at 10:07, Nicolas Fitton <NF at post-quantum.com> wrote:

Hi all,
I can’t seem to find any Mac app test cases to research with, are there any? (I’ve looked on https://www.strongswan.org/testing/testresults/all.html)
My problem is that on the Mac app client I get the error:

```
constraint check failed: identity '[server ip]' required
```

Server Log from connection attempt:
```
11[NET] received packet: from 46.249.xx.xx[13669] to 172.31.xx.xx[4500] (1124 bytes)
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
11[IKE] 46.249.xx.xx is initiating an IKE_SA
11[IKE] local host is behind NAT, sending keep alives
11[IKE] remote host is behind NAT
11[IKE] DH group MODP_2048 inacceptable, requesting MODP_3072
11[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ]
11[NET] sending packet: from 172.31.xx.xx[4500] to 46.249.xx.xx[13669] (58 bytes)
12[NET] received packet: from 46.249.xx.xx[13669] to 172.31.xx.xx[4500] (1252 bytes)
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
12[IKE] 46.249.xx.xx is initiating an IKE_SA
12[IKE] local host is behind NAT, sending keep alives
12[IKE] remote host is behind NAT
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) V ]
12[NET] sending packet: from 172.31.xx.xx[4500] to 46.249.xx.xx[13669] (598 bytes)
13[NET] received packet: from 46.249.xx.xx[56433] to 172.31.xx.xx[4500] (400 bytes)
13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
13[CFG] looking for peer configs matching 172.31.xx.xx[%any]...46.249.xx.xx[nf at post-quantum.com]
13[CFG] selected peer config 'rw'
13[IKE] initiating EAP_MD5 method (id 0xDA)
13[IKE] peer supports MOBIKE
13[IKE] authentication of 'C=GB, O=Post-Quantum, CN=virtual.postquantum.net' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
13[IKE] sending end entity cert "C=GB, O=Post-Quantum, CN=virtual.postquantum.net"
13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MD5 ]
13[NET] sending packet: from 172.31.xx.xx[4500] to 46.249.xx.xx[56433] (2048 bytes)
14[NET] received packet: from 46.249.xx.xx[56433] to 172.31.xx.xx[4500] (80 bytes)
14[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
14[ENC] generating INFORMATIONAL response 2 [ N(AUTH_FAILED) ]
14[NET] sending packet: from 172.31.xx.xx[4500] to 46.249.xx.xx[56433] (80 bytes)
```

And Client log:
```
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 10.3.xx.xx[49421] to 35.177.xx.xx[4500] (1124 bytes)
received packet: from 35.177.xx.xx[4500] to 10.3.xx.xx[49421] (58 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) V ]
received strongSwan vendor ID
peer didn't accept DH group MODP_2048, it requested MODP_3072
initiating IKE_SA Road Warrior[7] to 35.177.xx.xx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 10.3.xx.xx[49421] to 35.177.xx.xx[4500] (1252 bytes)
received packet: from 35.177.xx.xx[4500] to 10.3.xx.xx[49421] (598 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) V ]
local host is behind NAT, sending keep alives
remote host is behind NAT
establishing CHILD_SA Road Warrior
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 10.3.xx.xx[49217] to 35.177.xx.xx[4500] (400 bytes)
received packet: from 35.177.xx.xx[4500] to 10.3.xx.xx[49217] (2048 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MD5 ]
received end entity cert "C=GB, O=Post-Quantum, CN=virtual.postquantum.net"
  using trusted ca certificate "C=GB, O=Post-Quantum, CN=Post-Quantum CA"
  reached self-signed root ca with a path length of 0
  using trusted certificate "C=GB, O=Post-Quantum, CN=virtual.postquantum.net"
authentication of 'C=GB, O=Post-Quantum, CN=virtual.postquantum.net' with RSA_EMSA_PKCS1_SHA384 successful
constraint check failed: identity '35.177.xx.xx' required
selected peer config 'Road Warrior' inacceptable: constraint checking failed
no alternative config found
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 10.3.xx.xx[49217] to 35.177.xx.xx[4500] (80 bytes)
```

The server is an AWS instance behind an EIP and has version: Linux strongSwan U5.5.3
Running: Linux ip-172-31-xx-xx 4.4.0-1022-aws #31-Ubuntu SMP Tue Jun 27 11:27:55 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Any help is greatly appreciated.
Regards
Nick
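The identity constraint the client applied above, modelled as added example code (not strongSwan's own implementation): an IP or FQDN remote identity is only satisfied by a matching subjectAltName entry, never by the subject CN, which is why the certificate in the thread fails until it is reissued with `--san`. The `Cert` class and the sample SAN values are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


# Constructed stand-in for the parsed X.509 server certificate the client received.
# subject is the RFC 2253 DN; sans holds (type, value) pairs from subjectAltName.
@dataclass
class Cert:
    subject: str
    sans: list = field(default_factory=list)  # e.g. [("IP", "35.177.0.1"), ("DNS", "vpn.example")]


def identity_type(identity):
    """Classify the remote identity configured in the peer config (IP, DN or DNS name)."""
    try:
        ipaddress.ip_address(identity)
        return "IP"
    except ValueError:
        pass
    if "=" in identity:   # a distinguished name such as "C=GB, O=Post-Quantum, CN=..."
        return "DN"
    return "DNS"


def constraint_check(cert, identity):
    """Return (ok, log_line) for the identity constraint.

    A DN identity is compared against the certificate subject; an IP or FQDN
    identity must appear as a SAN of the same type. The subject CN is never
    consulted for IP/FQDN identities, so a cert with no SAN always fails them.
    """
    kind = identity_type(identity)
    if kind == "DN":
        ok = cert.subject == identity
    elif kind == "IP":
        want = ipaddress.ip_address(identity)
        ok = any(t == "IP" and ipaddress.ip_address(v) == want for t, v in cert.sans)
    else:
        ok = any(t == "DNS" and v.lower() == identity.lower() for t, v in cert.sans)
    if ok:
        return True, "identity '%s' matched via %s" % (identity, kind)
    return False, "constraint check failed: identity '%s' required" % identity


if __name__ == "__main__":
    # The certificate from the thread: subject only, no subjectAltName.
    server = Cert("C=GB, O=Post-Quantum, CN=virtual.postquantum.net")
    print(constraint_check(server, "35.177.0.1")[1])       # fails, as in the client log
    reissued = Cert(server.subject, [("IP", "35.177.0.1")])  # after pki --issue ... --san 35.177.0.1
    print(constraint_check(reissued, "35.177.0.1")[1])     # passes
```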
