[strongSwan] Challenges with MacOS Roadwarrior (again)

Tom Rymes trymes at rymes.com
Mon Dec 10 01:13:34 CET 2018 

I’m replying to my own e-mail here, but with help from Benn of PiStrong fame, I was able to figure out what I had omitted from my configuration: It was the Subject Alt Names in the certificates.

Specifically, I read Noel’s note to remove the SAN for the IP Address from the cert and unwisely left out all SANs. In the end, adding “DNS:myhost.mydom.dom” to the server’s certificate and “email:user at mydom.dom” to the Mac’s certificate solved the issue.

Thank you for your patience and my apologies for the wasted bandwidth.

Tom

> On Dec 9, 2018, at 10:12 AM, Tom Rymes <trymes at rymes.com> wrote:
> 
> My apologies for having to ask about this again, but I am stuck trying to make a MacOS IPSec connection to Strongswan. I had similar issues in the past, and Noel kindly helped me out, and I thought I had it all documented, but here I am again. Once again, Strongswan is reporting that it cannot find a matching peer config.
> 
> Noel’s response to my last post: https://lists.strongswan.org/pipermail/users/2018-January/012155.html <https://lists.strongswan.org/pipermail/users/2018-January/012155.html>
> 
> Once again, I’m sure this is me doing something dumb here, but I cannot figure out what it is.
> 
> [root at MyHost ~]# ipsec --version
> Linux strongSwan U5.6.3/K4.14.72-ipfire
> 
> conn MacIPSec
> 	left=x.x.x.x
> 	leftsubnet=0.0.0.0/0
> 	right=%any
> 	leftcert=/var/ipfire/certs/hostcert.pem
> 	rightcert=/var/ipfire/certs/MacIPSeccert.pem
> 	leftid=myhost.mydom.dom
> 	rightid=user at mydom.dom <mailto:rightid=user at mydom.dom>
> 	ike=aes256-sha2_384-ecp384,aes256-sha2_384-ecp256,aes256-sha2_256-ecp384,aes256-sha2_256-ecp256!
> 	esp=aes256-sha2_384-ecp384,aes256-sha2_384-ecp256,aes256-sha2_256-ecp384,aes256-sha2_256-ecp256!
> 	keyexchange=ikev2
> 	ikelifetime=3h
> 	keylife=1h
> 	dpdaction=clear
> 	dpddelay=30
> 	dpdtimeout=120
> 	auto=add
> 	rightsourceip=10.252.0.240/28
> 	fragmentation=yes
> 	leftsendcert=always
> 	leftallowany=yes
> 	rightdns=10.252.0.1
> 	rekey=no
> 	reauth=no
> 
> When starting Strongswan, these messages are logged:
> 
> Dec  9 09:47:30 MyHost charon: 06[CFG]   id ‘myhost.mydom.dom' not confirmed by certificate, defaulting to 'C=US, ST=ST, O=MyOrg, OU=My Dept., CN=myhost.mydom.dom' 
> Dec  9 09:47:30 TheShack charon: 06[CFG]   id ‘user at mydom.dom <mailto:user at mydom.dom>' not confirmed by certificate, defaulting to 'C=US, ST=ST, O=MyOrg, OU=My Dept., CN=MacIPSec' 
> 
> 
> And this hits the logs when I try to connect: 
> 
> Dec  9 09:47:50 MyHost charon: 16[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (604 bytes) 
> Dec  9 09:47:50 MyHost charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ] 
> Dec  9 09:47:50 MyHost charon: 16[IKE] y.y.y.y is initiating an IKE_SA 
> Dec  9 09:47:50 MyHost charon: 16[IKE] y.y.y.y is initiating an IKE_SA 
> Dec  9 09:47:50 MyHost charon: 16[IKE] remote host is behind NAT 
> Dec  9 09:47:50 MyHost charon: 16[IKE] DH group MODP_2048 inacceptable, requesting ECP_256 
> Dec  9 09:47:50 MyHost charon: 16[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ] 
> Dec  9 09:47:50 MyHost charon: 16[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (38 bytes) 
> Dec  9 09:47:50 MyHost charon: 06[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (412 bytes) 
> Dec  9 09:47:50 MyHost charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ] 
> Dec  9 09:47:50 MyHost charon: 06[IKE] y.y.y.y is initiating an IKE_SA 
> Dec  9 09:47:50 MyHost charon: 06[IKE] y.y.y.y is initiating an IKE_SA 
> Dec  9 09:47:50 MyHost charon: 06[IKE] remote host is behind NAT 
> Dec  9 09:47:50 MyHost charon: 06[IKE] sending cert request for "C=US, ST=ST, L=MyTown, O=MyOrg, OU=My Dept., CN=MyOrg CA, E=user at mydom.dom <mailto:E=user at mydom.dom>" 
> Dec  9 09:47:50 MyHost charon: 06[IKE] sending cert request for "C=US, ST=ST, L=MyTown, O=MyOrg, OU=My Dept, CN=MyOrg CA, E=user at mydom.dom <mailto:E=user at mydom.dom>" 
> Dec  9 09:47:50 MyHost charon: 06[IKE] sending cert request for "C=US, ST=ST, L=OtherTown, O=MyOrg, OU=My Dept., CN=MyOrg CA, E=user at mydom.dom <mailto:E=user at mydom.dom>" 
> Dec  9 09:47:50 MyHost charon: 06[IKE] sending cert request for "C=US, ST=ST, L=OtherTown2, O=MyOrg, OU=My Dept, CN=MyOrg CA, E=user at mydom.dom <mailto:E=user at mydom.dom>" 
> Dec  9 09:47:50 MyHost charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ] 
> Dec  9 09:47:50 MyHost charon: 06[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (341 bytes) 
> Dec  9 09:47:50 MyHost charon: 05[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (532 bytes) 
> Dec  9 09:47:50 MyHost charon: 05[ENC] parsed IKE_AUTH request 1 [ EF(1/5) ] 
> Dec  9 09:47:50 MyHost charon: 05[ENC] received fragment #1 of 5, waiting for complete IKE message 
> Dec  9 09:47:50 MyHost charon: 08[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (532 bytes) 
> Dec  9 09:47:50 MyHost charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(2/5) ] 
> Dec  9 09:47:50 MyHost charon: 08[ENC] received fragment #2 of 5, waiting for complete IKE message 
> Dec  9 09:47:50 MyHost charon: 07[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (532 bytes) 
> Dec  9 09:47:50 MyHost charon: 07[ENC] parsed IKE_AUTH request 1 [ EF(3/5) ] 
> Dec  9 09:47:50 MyHost charon: 07[ENC] received fragment #3 of 5, waiting for complete IKE message 
> Dec  9 09:47:50 MyHost charon: 09[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (532 bytes) 
> Dec  9 09:47:50 MyHost charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(4/5) ] 
> Dec  9 09:47:50 MyHost charon: 09[ENC] received fragment #4 of 5, waiting for complete IKE message 
> Dec  9 09:47:50 MyHost charon: 11[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (132 bytes) 
> Dec  9 09:47:50 MyHost charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(5/5) ] 
> Dec  9 09:47:50 MyHost charon: 11[ENC] received fragment #5 of 5, reassembling fragmented IKE message 
> Dec  9 09:47:50 MyHost charon: 11[ENC] unknown attribute type (25) 
> Dec  9 09:47:50 MyHost charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ] 
> Dec  9 09:47:50 TheShack charon: 11[IKE] received end entity cert "C=US, ST=ST, O=MyOrg, OU=My Dept., CN=MacIPSec" 
> Dec  9 09:47:50 TheShack charon: 11[CFG] looking for peer configs matching x.x.x.x[myhost.mydom.dom]…y.y.y.y[user at mydom.dom <mailto:user at mydom.dom>] 
> Dec  9 09:47:50 TheShack charon: 11[CFG] no matching peer config found 
> Dec  9 09:47:50 TheShack charon: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding 
> Dec  9 09:47:50 TheShack charon: 11[IKE] peer supports MOBIKE 
> Dec  9 09:47:50 TheShack charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] 
> 
> Many thanks,
> 
> Tom

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20181209/5a36f442/attachment-0001.html>

More information about the Users mailing list