[strongSwan] Challenges with MacOS Roadwarrior
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Jan 26 01:56:55 CET 2018
Hi,
> "id '%any' not confirmed by certificate, defaulting to 'C=US, ST=ST, O=MyOrg, OU=Engineering Dept., CN=RW'"
Now your leftid is 'C=US, ST=ST, O=MyOrg, OU=Engineering Dept., CN=RW'.
> Jan 25 14:48:06 myhost charon: 11[CFG] looking for peer configs matching y.y.y.y[@myhost.domain.dom]...x.x.x.x[me at domain.dom]
The initiator sends the literal IDr @myhost.domain.dom (the type is not printed; it might be type email). Obviously that doesn't match your leftid setting right now, so no config is found.
Remove the @ from the Mac OS UI and set leftid=myhost.domain.dom.
Cherry on top: remove that DNS:y.y.y.y entry from the SAN field. It's just unnecessary.
That's unnecessary, too:
> authby=rsasig
> leftrsasigkey=%cert
> rightrsasigkey=%cert
The default is leftauth=pubkey (same for rightauth).
Don't do that; you'd better use static iptables rules with the policy match module:
> leftfirewall=yes
> lefthostaccess=yes
Kind regards
Noel
On 25.01.2018 22:40, Tom Rymes wrote:
> I have spent a fair amount of time lurking and searching for the answers to this, and I am fairly certain that I have overlooked something basic, such as putting the right data in the proper SAN. Unfortunately, the learning curve here seems to be quite steep, and I am not keeping up.
>
> Regardless, I cannot get a working RW connection to a MacOS client using machine certs. Windows 10 works just fine.
>
> I have tried various combinations of leftid and rightid, along with adding different things to the SAN field of the responder's cert, but nothing so far has done the trick.
>
> I did notice lines similar to these when trying various different rightids:
>
> "id '%any' not confirmed by certificate, defaulting to 'C=US, ST=ST, O=MyOrg, OU=Engineering Dept., CN=RW'"
>
> Can someone please (gently) point out the dumb mistake I have been making?
>
> The error indicates that StrongSwan (5.6.1) cannot find a valid peer config, which is why I have been trying to fiddle with the left/rightid and the cert SANs.
>
> Many thanks,
>
> Tom
>
> PS: I am attempting to make this work using the built-in VPN client on MacOS 10.11 - without importing a special configuration file, just using System Preferences.
>
> Error:
> Jan 25 14:48:06 myhost charon: 09[NET] received packet: from x.x.x.x[500] to y.y.y.y[500] (604 bytes)
> Jan 25 14:48:06 myhost charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> Jan 25 14:48:06 myhost charon: 09[IKE] x.x.x.x is initiating an IKE_SA
> Jan 25 14:48:06 myhost charon: 09[IKE] x.x.x.x is initiating an IKE_SA
> Jan 25 14:48:06 myhost charon: 09[IKE] remote host is behind NAT
> Jan 25 14:48:06 myhost charon: 09[IKE] sending cert request for "C=US, ST=ST, L=TownA, O=MyOrg, OU=Engineering Dept., CN=MyOrg CA, E=me at domain.dom"
> Jan 25 14:48:06 myhost charon: 09[IKE] sending cert request for "C=US, ST=ST, L=TownB, O=MyOrg, OU=Engineering Dept., CN=MyOrg CA, E=me at domain.dom"
> Jan 25 14:48:06 myhost charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
> Jan 25 14:48:06 myhost charon: 09[NET] sending packet: from y.y.y.y[500] to x.x.x.x[500] (493 bytes)
> Jan 25 14:48:06 myhost charon: 11[NET] received packet: from x.x.x.x[4500] to y.y.y.y[4500] (512 bytes)
> Jan 25 14:48:06 myhost charon: 11[ENC] unknown attribute type (25)
> Jan 25 14:48:06 myhost charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> Jan 25 14:48:06 myhost charon: 11[CFG] looking for peer configs matching y.y.y.y[@myhost.domain.dom]...x.x.x.x[me at domain.dom]
> Jan 25 14:48:06 myhost charon: 11[CFG] no matching peer config found
> Jan 25 14:48:06 myhost charon: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Jan 25 14:48:06 myhost charon: 11[IKE] peer supports MOBIKE
> Jan 25 14:48:06 myhost charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Jan 25 14:48:06 myhost charon: 11[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[4500] (80 bytes)
>
> Config:
>
> version 2
>
> conn %default
>     keyingtries=%forever
>
> include /etc/ipsec.user.conf
>
> conn RW2
>     left=y.y.y.y
>     leftsubnet=0.0.0.0/0
>     leftsendcert=always
>     leftallowany=yes
>     rekey=no
>     leftfirewall=yes
>     lefthostaccess=yes
>     right=%any
>     leftcert=/var/ipfire/certs/hostcert.pem
>     rightcert=/var/ipfire/certs/RW2cert.pem
>
>     ike=aes256-sha2_256-modp1024,aes192-sha2_256-modp1024,aes128-sha2_256-modp1024
>
>     esp=aes256-sha2_256-modp1024,aes192-sha2_256-modp1024,aes128-sha2_256-modp1024
>     keyexchange=ikev2
>     ikelifetime=3h
>     keylife=1h
>     dpdaction=clear
>     dpddelay=30
>     dpdtimeout=90
>     authby=rsasig
>     leftrsasigkey=%cert
>     rightrsasigkey=%cert
>     auto=add
>     rightsourceip=10.100.2.200/21
>     fragmentation=yes
>
> StrongSwan's Cert:
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 1 (0x1)
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: C=US, ST=ST, L=TownB, O=MyOrg, OU=Engineering Dept., CN=MyOrg CA/emailAddress=me at domain.dom
> Validity
> Not Before: Jan 25 18:19:07 2018 GMT
> Not After : Dec 22 18:19:07 4755 GMT
> Subject: C=US, ST=ST, O=MyOrg, OU=Engineering Dept., CN=myhost.domain.dom
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (2048 bit)
> Modulus:
> <snip>
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Basic Constraints:
> CA:FALSE
> Netscape Comment:
> OpenSSL Generated Certificate
> X509v3 Subject Key Identifier:
> 3D:37:14:B8:B4:6A:AD:44:D2:C2:66:BE:10:6B:99:E1:95:29:CD:9D
> X509v3 Authority Key Identifier:
>
> keyid:53:89:48:5A:AD:A2:81:01:DC:C9:0B:F6:15:25:78:9C:96:AA:5E:73
> DirName:/C=US/ST=ST/L=TownB/O=MyOrg/OU=Engineering Dept./CN=MyOrg CA/emailAddress=me at domain.dom
> serial:CA:95:8A:1F:26:B5:A1:D7
>
> X509v3 Extended Key Usage:
> TLS Web Server Authentication
> X509v3 Subject Alternative Name:
> DNS:myhost.domain.dom, DNS:y.y.y.y, IP Address:y.y.y.y
> Signature Algorithm: sha256WithRSAEncryption
> <snip>
>
> Mac Client's Cert:
> Data:
> Version: 3 (0x2)
> Serial Number: 1 (0x1)
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: C=US, ST=ST, L=TownB, O=MyOrg, OU=Engineering Dept., CN=MyOrg CA/emailAddress=me at domain.dom
> Validity
> Not Before: Jan 25 20:18:53 2018 GMT
> Not After : Dec 22 20:18:53 4755 GMT
> Subject: C=US, ST=ST, O=MyOrg, OU=Engineering Dept., CN=Roadwarrior User
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (2048 bit)
> Modulus:
> <snip>
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Basic Constraints:
> CA:FALSE
> Netscape Comment:
> OpenSSL Generated Certificate
> X509v3 Subject Key Identifier:
> AC:29:A4:81:79:B7:1D:4C:BE:0F:DB:9F:8B:CC:AE:26:13:D3:82:73
> X509v3 Extended Key Usage:
> TLS Web Client Authentication
> X509v3 Authority Key Identifier:
>
> keyid:53:89:48:5A:AD:A2:81:01:DC:C9:0B:F6:15:25:78:9C:96:AA:5E:73
> DirName:/C=US/ST=ST/L=TownB/O=MyOrg/OU=Engineering Dept./CN=MyOrg CA/emailAddress=me at domain.dom
> serial:CA:95:8A:1F:26:B5:A1:D7
>
> X509v3 Subject Alternative Name:
> email:me at domain.dom
> Signature Algorithm: sha256WithRSAEncryption
> <snip>
>
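The two log lines Noel points at ("id '%any' not confirmed by certificate, defaulting to ..." and "looking for peer configs matching y.y.y.y[@myhost.domain.dom]...") come from two separate steps: starter replacing an unconfirmed leftid with the certificate's subject DN, and charon then looking for a conn whose local identity matches the IDr the initiator asked for. The following Python is an added illustration of those two steps, not strongSwan's code and not from either poster: matching is reduced to "%any or exact type and value" (DN wildcards are left out), how the macOS client types the Remote ID field on the wire is an assumption (Noel himself only guesses "email"), and the CN, SANs and address 203.0.113.10 are constructed stand-ins for the redacted values in the thread.

```python
"""Simplified model of how strongSwan picks a peer config by IKEv2 identity.

Added illustration, not strongSwan code: matching is reduced to "%any or
exact type+value" (DN wildcards are not modelled) and the macOS client's
encoding of its Remote ID field is an assumption (see mac_remote_id).
All names, addresses and certificate contents below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IKEv2 identification payload types (RFC 7296, section 3.5) used here.
ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_DER_ASN1_DN, ID_ANY = (
    "ID_IPV4_ADDR", "ID_FQDN", "ID_RFC822_ADDR", "ID_DER_ASN1_DN", "ID_ANY")

@dataclass(frozen=True)
class Identity:
    id_type: str
    value: str

    def matches(self, received: "Identity") -> bool:
        """A configured id matches a received one if it is %any or equal."""
        return self.id_type == ID_ANY or self == received

def _ipv4_or_none(text: str) -> Optional[Identity]:
    try:
        return Identity(ID_IPV4_ADDR, str(ipaddress.IPv4Address(text)))
    except ValueError:
        return None

def parse_config_id(text: str) -> Identity:
    """ipsec.conf leftid notation: %any, @fqdn ('@' stripped, it only means
    'do not resolve'), user@host (e-mail), IPv4, 'C=...' DN, or bare FQDN."""
    if text == "%any":
        return Identity(ID_ANY, "")
    if text.startswith("@"):
        return Identity(ID_FQDN, text[1:])
    if "@" in text:
        return Identity(ID_RFC822_ADDR, text)
    if "=" in text:
        return Identity(ID_DER_ASN1_DN, text)
    return _ipv4_or_none(text) or Identity(ID_FQDN, text)

def mac_remote_id(field: str) -> Identity:
    """ASSUMPTION about the macOS built-in client: the Remote ID field is sent
    verbatim, as e-mail if it contains '@', IPv4 if it parses, else FQDN. The
    thread's log shows the literal '@myhost.domain.dom' arriving, so the '@'
    is not stripped the way ipsec.conf notation strips it."""
    if "@" in field:
        return Identity(ID_RFC822_ADDR, field)
    return _ipv4_or_none(field) or Identity(ID_FQDN, field)

def cert_identities(subject_dn: str, sans: list) -> set:
    """Identities a cert vouches for: subject DN plus SANs in OpenSSL's
    print form ('DNS:', 'email:', 'IP Address:')."""
    kinds = {"DNS": ID_FQDN, "email": ID_RFC822_ADDR, "IP Address": ID_IPV4_ADDR}
    ids = {Identity(ID_DER_ASN1_DN, subject_dn)}
    for san in sans:
        kind, _, value = san.partition(":")
        if kind.strip() in kinds:
            ids.add(Identity(kinds[kind.strip()], value.strip()))
    return ids

def effective_local_id(configured: Identity, cert_ids: set) -> tuple:
    """starter's fallback: a leftid that is %any or not in leftcert is replaced
    by the cert's subject DN, with the warning quoted in the thread."""
    if configured in cert_ids:
        return configured, None
    subject = next(i for i in cert_ids if i.id_type == ID_DER_ASN1_DN)
    shown = "%any" if configured.id_type == ID_ANY else configured.value
    return subject, (f"id '{shown}' not confirmed by certificate, "
                     f"defaulting to '{subject.value}'")

def find_peer_config(conns: dict, idr: Identity) -> Optional[str]:
    """charon's 'looking for peer configs matching me[IDr]...peer[IDi]': the
    first conn whose local id matches the IDr the initiator asked for."""
    for name, local_id in conns.items():
        if local_id.matches(idr):
            return name
    return None  # "no matching peer config found" -> N(AUTH_FAILED)

def demo() -> dict:
    """Replay the failure, the fix, and the DNS-SAN-holding-an-IP point."""
    host_cert = cert_identities(
        "C=US, ST=ST, O=MyOrg, OU=Engineering Dept., CN=myhost.domain.dom",
        ["DNS:myhost.domain.dom", "IP Address:203.0.113.10"])
    # Before: no leftid (=> %any) and '@myhost.domain.dom' typed in the Mac UI.
    local, warn_before = effective_local_id(parse_config_id("%any"), host_cert)
    before = find_peer_config({"RW2": local}, mac_remote_id("@myhost.domain.dom"))
    # After: leftid=myhost.domain.dom and the '@' removed from the Mac's Remote ID.
    local, warn_after = effective_local_id(parse_config_id("myhost.domain.dom"), host_cert)
    after = find_peer_config({"RW2": local}, mac_remote_id("myhost.domain.dom"))
    # 'DNS:<ip>' is an FQDN id whose text happens to be an address; it never
    # confirms an IPv4 leftid, only an 'IP Address:' SAN does.
    dns_only = cert_identities("CN=gw", ["DNS:203.0.113.10"])
    _, warn_dns_ip = effective_local_id(parse_config_id("203.0.113.10"), dns_only)
    _, warn_ip_san = effective_local_id(parse_config_id("203.0.113.10"), host_cert)
    return {"before": before, "warn_before": warn_before, "after": after,
            "warn_after": warn_after, "warn_dns_ip": warn_dns_ip, "warn_ip_san": warn_ip_san}
```

Running demo() reproduces the thread: with no leftid the conn's local identity becomes the subject DN, the Mac's literal "@myhost.domain.dom" is a different identity type and value, so no peer config matches; with leftid=myhost.domain.dom confirmed by the DNS SAN and the "@" dropped from the Mac's Remote ID, the same conn is found. The last two cases show why a "DNS:" SAN whose text is an IP address buys nothing: it only ever confirms an FQDN leftid, never an address one.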