[strongSwan] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jon
me at jonwatson.ca
Sun Oct 15 00:22:20 CEST 2017
Hello,
I am running up against this auth failed message - I am unable to get authenticated to my strongSwan server using EAP user/password. I have read the support pages and have tried the usable examples as well, but can't get authenticated with any configuration I've tried yet. I feel there is some fundamental thing I missed but I can't see it.
I'm using the Ubuntu network manager (although I have also tried the strongSwan Android app to ensure I was not missing something). I have my strongSwan server set as the Gateway, the server's certificate loaded, the Authentication method set to EAP and the correct username and password entered: https://snag.gy/OyRGJr.jpg
I've included what I suspect are the relevant files and logs as indicated on the HelpRequest page.
ipsec.conf
config setup
    # ike, knl and cfg default to level 1. Setting cfg 0 silences the
    # config-selection messages ("looking for peer configs matching ...",
    # "no matching peer config found") that explain an early AUTH_FAILED;
    # raise it to at least 1 (2 for detail) while debugging.
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    # Strict proposal ("!"): only MODP_1024 is accepted, so a client that
    # proposes MODP_2048 first is answered with INVAL_KE and has to retry
    # IKE_SA_INIT. 3DES and 1024-bit DH are weak by current standards.
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    # leftid has to be confirmed by leftcert (its full subject DN or one of
    # its subjectAltNames); the statusall output below shows the effective
    # local ID as my.strongswan.com.
    leftid=@strongswan
    leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    # Clients authenticate with EAP-MSCHAPv2 against the EAP entries in
    # ipsec.secrets; the server still authenticates itself with its certificate.
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    # %identity: send an EAP-Identity request and use the answer, not the
    # IKE IDi, to look up the EAP secret.
    eap_identity=%identity
ipsec.secrets
# Pre-shared key; not used by ikev2-vpn, which authenticates the server with RSA.
: PSK "foobarblah"
# Private key matching leftcert.
: RSA /etc/ipsec.d/private/vpn-server-key.pem
# EAP credentials: the username must equal the identity the client returns
# in its EAP-Identity response (see eap_identity=%identity above).
user1 : EAP "munged"
ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-97-generic, x86_64):
uptime: 24 minutes, since Oct 14 21:51:15 2017
malloc: sbrk 1769472, mmap 0, used 565024, free 1204448
worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac ccm gcm attr kernel-libipsec kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
Virtual IP pools (size/online/offline):
10.10.10.0/24: 254/0/0
Listening IP addresses:
172.20.9.175
2602:ffb6:2:0:f816:3eff:feb7:3803
Connections:
ikev2-vpn: %any...%any IKEv2, dpddelay=300s
ikev2-vpn: local: [my.strongswan.com] uses public key authentication
ikev2-vpn: cert: "C=US, O=VPN Server, CN=my.strongswan.com"
ikev2-vpn: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ikev2-vpn: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
none
Log
Oct 14 22:08:14 my charon: 14[NET] received packet: from 142.66.15.26[46644] to 172.20.9.175[500] (1256 bytes)
Oct 14 22:08:14 my charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Oct 14 22:08:14 my charon: 14[IKE] 142.66.15.26 is initiating an IKE_SA
Oct 14 22:08:14 my charon: 14[IKE] local host is behind NAT, sending keep alives
Oct 14 22:08:14 my charon: 14[IKE] remote host is behind NAT
Oct 14 22:08:14 my charon: 14[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
Oct 14 22:08:14 my charon: 14[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 14 22:08:14 my charon: 14[NET] sending packet: from 172.20.9.175[500] to 142.66.15.26[46644] (38 bytes)
Oct 14 22:08:14 my charon: 13[NET] received packet: from 142.66.15.26[46644] to 172.20.9.175[500] (1128 bytes)
Oct 14 22:08:14 my charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Oct 14 22:08:14 my charon: 13[IKE] 142.66.15.26 is initiating an IKE_SA
Oct 14 22:08:14 my charon: 13[IKE] local host is behind NAT, sending keep alives
Oct 14 22:08:14 my charon: 13[IKE] remote host is behind NAT
Oct 14 22:08:14 my charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Oct 14 22:08:14 my charon: 13[NET] sending packet: from 172.20.9.175[500] to 142.66.15.26[46644] (328 bytes)
Oct 14 22:08:14 my charon: 16[NET] received packet: from 142.66.15.26[4500] to 172.20.9.175[4500] (364 bytes)
Oct 14 22:08:14 my charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct 14 22:08:14 my charon: 16[IKE] peer supports MOBIKE
Oct 14 22:08:14 my charon: 16[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 14 22:08:14 my charon: 16[NET] sending packet: from 172.20.9.175[4500] to 142.66.15.26[4500] (76 bytes)
Dies here and my client says "VPN connection failed"
Any help would be appreciated. Thank you.
Attachment: IPSec-cert.pem (application/octet-stream, 1916 bytes) <http://lists.strongswan.org/pipermail/users/attachments/20171014/2901db6c/attachment.obj>