[strongSwan] Challenges with MacOS Roadwarrior (again)

Tom Rymes trymes at rymes.com
Sun Dec 9 16:12:18 CET 2018 

My apologies for having to ask about this again, but I am stuck trying to make a MacOS IPSec connection to Strongswan. I had similar issues in the past, and Noel kindly helped me out, and I thought I had it all documented, but here I am again. Once again, Strongswan is reporting that it cannot find a matching peer config.

Noel’s response to my last post: https://lists.strongswan.org/pipermail/users/2018-January/012155.html <https://lists.strongswan.org/pipermail/users/2018-January/012155.html>

Once again, I’m sure this is me doing something dumb here, but I cannot figure out what it is.

[root at MyHost ~]# ipsec --version
Linux strongSwan U5.6.3/K4.14.72-ipfire

conn MacIPSec
	left=x.x.x.x
	leftsubnet=0.0.0.0/0
	right=%any
	leftcert=/var/ipfire/certs/hostcert.pem
	rightcert=/var/ipfire/certs/MacIPSeccert.pem
	leftid=myhost.mydom.dom
	rightid=user at mydom.dom <mailto:rightid=user at mydom.dom>
	ike=aes256-sha2_384-ecp384,aes256-sha2_384-ecp256,aes256-sha2_256-ecp384,aes256-sha2_256-ecp256!
	esp=aes256-sha2_384-ecp384,aes256-sha2_384-ecp256,aes256-sha2_256-ecp384,aes256-sha2_256-ecp256!
	keyexchange=ikev2
	ikelifetime=3h
	keylife=1h
	dpdaction=clear
	dpddelay=30
	dpdtimeout=120
	auto=add
	rightsourceip=10.252.0.240/28
	fragmentation=yes
	leftsendcert=always
	leftallowany=yes
	rightdns=10.252.0.1
	rekey=no
	reauth=no

When starting Strongswan, these messages are logged:

Dec  9 09:47:30 MyHost charon: 06[CFG]   id ‘myhost.mydom.dom' not confirmed by certificate, defaulting to 'C=US, ST=ST, O=MyOrg, OU=My Dept., CN=myhost.mydom.dom' 
Dec  9 09:47:30 TheShack charon: 06[CFG]   id ‘user at mydom.dom <mailto:user at mydom.dom>' not confirmed by certificate, defaulting to 'C=US, ST=ST, O=MyOrg, OU=My Dept., CN=MacIPSec' 


And this hits the logs when I try to connect: 

Dec  9 09:47:50 MyHost charon: 16[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (604 bytes) 
Dec  9 09:47:50 MyHost charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ] 
Dec  9 09:47:50 MyHost charon: 16[IKE] y.y.y.y is initiating an IKE_SA 
Dec  9 09:47:50 MyHost charon: 16[IKE] y.y.y.y is initiating an IKE_SA 
Dec  9 09:47:50 MyHost charon: 16[IKE] remote host is behind NAT 
Dec  9 09:47:50 MyHost charon: 16[IKE] DH group MODP_2048 inacceptable, requesting ECP_256 
Dec  9 09:47:50 MyHost charon: 16[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ] 
Dec  9 09:47:50 MyHost charon: 16[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (38 bytes) 
Dec  9 09:47:50 MyHost charon: 06[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (412 bytes) 
Dec  9 09:47:50 MyHost charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ] 
Dec  9 09:47:50 MyHost charon: 06[IKE] y.y.y.y is initiating an IKE_SA 
Dec  9 09:47:50 MyHost charon: 06[IKE] y.y.y.y is initiating an IKE_SA 
Dec  9 09:47:50 MyHost charon: 06[IKE] remote host is behind NAT 
Dec  9 09:47:50 MyHost charon: 06[IKE] sending cert request for "C=US, ST=ST, L=MyTown, O=MyOrg, OU=My Dept., CN=MyOrg CA, E=user at mydom.dom <mailto:E=user at mydom.dom>" 
Dec  9 09:47:50 MyHost charon: 06[IKE] sending cert request for "C=US, ST=ST, L=MyTown, O=MyOrg, OU=My Dept, CN=MyOrg CA, E=user at mydom.dom <mailto:E=user at mydom.dom>" 
Dec  9 09:47:50 MyHost charon: 06[IKE] sending cert request for "C=US, ST=ST, L=OtherTown, O=MyOrg, OU=My Dept., CN=MyOrg CA, E=user at mydom.dom <mailto:E=user at mydom.dom>" 
Dec  9 09:47:50 MyHost charon: 06[IKE] sending cert request for "C=US, ST=ST, L=OtherTown2, O=MyOrg, OU=My Dept, CN=MyOrg CA, E=user at mydom.dom <mailto:E=user at mydom.dom>" 
Dec  9 09:47:50 MyHost charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ] 
Dec  9 09:47:50 MyHost charon: 06[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (341 bytes) 
Dec  9 09:47:50 MyHost charon: 05[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (532 bytes) 
Dec  9 09:47:50 MyHost charon: 05[ENC] parsed IKE_AUTH request 1 [ EF(1/5) ] 
Dec  9 09:47:50 MyHost charon: 05[ENC] received fragment #1 of 5, waiting for complete IKE message 
Dec  9 09:47:50 MyHost charon: 08[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (532 bytes) 
Dec  9 09:47:50 MyHost charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(2/5) ] 
Dec  9 09:47:50 MyHost charon: 08[ENC] received fragment #2 of 5, waiting for complete IKE message 
Dec  9 09:47:50 MyHost charon: 07[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (532 bytes) 
Dec  9 09:47:50 MyHost charon: 07[ENC] parsed IKE_AUTH request 1 [ EF(3/5) ] 
Dec  9 09:47:50 MyHost charon: 07[ENC] received fragment #3 of 5, waiting for complete IKE message 
Dec  9 09:47:50 MyHost charon: 09[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (532 bytes) 
Dec  9 09:47:50 MyHost charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(4/5) ] 
Dec  9 09:47:50 MyHost charon: 09[ENC] received fragment #4 of 5, waiting for complete IKE message 
Dec  9 09:47:50 MyHost charon: 11[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (132 bytes) 
Dec  9 09:47:50 MyHost charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(5/5) ] 
Dec  9 09:47:50 MyHost charon: 11[ENC] received fragment #5 of 5, reassembling fragmented IKE message 
Dec  9 09:47:50 MyHost charon: 11[ENC] unknown attribute type (25) 
Dec  9 09:47:50 MyHost charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ] 
Dec  9 09:47:50 TheShack charon: 11[IKE] received end entity cert "C=US, ST=ST, O=MyOrg, OU=My Dept., CN=MacIPSec" 
Dec  9 09:47:50 TheShack charon: 11[CFG] looking for peer configs matching x.x.x.x[myhost.mydom.dom]…y.y.y.y[user at mydom.dom <mailto:user at mydom.dom>] 
Dec  9 09:47:50 TheShack charon: 11[CFG] no matching peer config found 
Dec  9 09:47:50 TheShack charon: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding 
Dec  9 09:47:50 TheShack charon: 11[IKE] peer supports MOBIKE 
Dec  9 09:47:50 TheShack charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] 

Many thanks,

Tom
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20181209/aa564bbf/attachment.html>

More information about the Users mailing list