[strongSwan] Can't connect to Strongswan
Alexander v. Below
Alex at vonBelow.Com
Thu Jul 19 13:31:23 CEST 2018
Thanks a lot! I went through all the material, and changed my config.
Now initiator and receiver agree, and more things happen. However, not to the point where a connection is established.
I believe the problem is here, but I still somewhat new to the logs:
Jul 19 13:18:09 below charon: 09[IKE] signature validation failed, looking for another key
Jul 19 13:18:09 below charon: 09[CFG] no issuer certificate found for "C=CH, O=strongSwan, CN=Client Key“
Reading the mailing list archives, FAQs or HOWTOs did not seem to yield anything for my problem.I have used ipsec pki --verify --in certs/ClientCert.pem --cacert cacerts/strongswanCert.pem in an attempt to check the certificates, and everything seems OK: "certificate trusted, lifetimes valid“
Any further pointers are highly appreciated.
Following are the log, the ipsec.conf, and the certificates (no keys, or course) as text
Linux strongSwan U5.2.1/K2.6.32-openvz-042stab123.2-amd64
Client is macOS 10.13.4
==================
Connection Log
==================
Jul 19 13:18:09 below charon: 01[NET] received packet: from 217.94.72.100[500] to 46.4.163.72[500]
Jul 19 13:18:09 below charon: 01[NET] waiting for data on sockets
Jul 19 13:18:09 below charon: 12[NET] received packet: from 217.94.72.100[500] to 46.4.163.72[500] (240 bytes)
Jul 19 13:18:09 below charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jul 19 13:18:09 below charon: 12[CFG] looking for an ike config for 46.4.163.72...217.94.72.100
Jul 19 13:18:09 below charon: 12[CFG] candidate: %any...%any, prio 28
Jul 19 13:18:09 below charon: 12[CFG] candidate: %any...%any, prio 28
Jul 19 13:18:09 below charon: 12[CFG] found matching ike config: %any...%any with prio 28
Jul 19 13:18:09 below charon: 12[IKE] 217.94.72.100 is initiating an IKE_SA
Jul 19 13:18:09 below charon: 12[IKE] IKE_SA (unnamed)[103] state change: CREATED => CONNECTING
Jul 19 13:18:09 below charon: 12[CFG] selecting proposal:
Jul 19 13:18:09 below charon: 12[CFG] proposal matches
Jul 19 13:18:09 below charon: 12[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Jul 19 13:18:09 below charon: 12[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
Jul 19 13:18:09 below charon: 12[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Jul 19 13:18:09 below charon: 12[IKE] remote host is behind NAT
Jul 19 13:18:09 below charon: 12[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Jul 19 13:18:09 below charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Jul 19 13:18:09 below charon: 12[NET] sending packet: from 46.4.163.72[500] to 217.94.72.100[500] (281 bytes)
Jul 19 13:18:09 below charon: 03[NET] sending packet: from 46.4.163.72[500] to 217.94.72.100[500]
Jul 19 13:18:09 below charon: 01[NET] received packet: from 217.94.72.100[4500] to 46.4.163.72[4500]
Jul 19 13:18:09 below charon: 01[NET] waiting for data on sockets
Jul 19 13:18:09 below charon: 07[NET] received packet: from 217.94.72.100[4500] to 46.4.163.72[4500] (532 bytes)
Jul 19 13:18:09 below charon: 07[ENC] parsed IKE_AUTH request 1 [ EF ]
Jul 19 13:18:09 below charon: 07[ENC] received fragment #1 of 2, waiting for complete IKE message
Jul 19 13:18:09 below charon: 01[NET] received packet: from 217.94.72.100[4500] to 46.4.163.72[4500]
Jul 19 13:18:09 below charon: 01[NET] waiting for data on sockets
Jul 19 13:18:09 below charon: 09[NET] received packet: from 217.94.72.100[4500] to 46.4.163.72[4500] (420 bytes)
Jul 19 13:18:09 below charon: 09[ENC] parsed IKE_AUTH request 1 [ EF ]
Jul 19 13:18:09 below charon: 09[ENC] received fragment #2 of 2, reassembling fragmented IKE message
Jul 19 13:18:09 below charon: 09[ENC] unknown attribute type (25)
Jul 19 13:18:09 below charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jul 19 13:18:09 below charon: 09[IKE] received end entity cert "C=CH, O=strongSwan, CN=Client Key"
Jul 19 13:18:09 below charon: 09[CFG] looking for peer configs matching 46.4.163.72[46.4.163.72]...217.94.72.100[Client_Key]
Jul 19 13:18:09 below charon: 09[CFG] candidate "IKEv2-eap", match: 20/1/28 (me/other/ike)
Jul 19 13:18:09 below charon: 09[CFG] candidate "ikev2-pubkey", match: 20/1/28 (me/other/ike)
Jul 19 13:18:09 below charon: 09[CFG] selected peer config 'IKEv2-eap'
Jul 19 13:18:09 below charon: 09[CFG] using certificate "C=CH, O=strongSwan, CN=Client Key"
Jul 19 13:18:09 below charon: 09[CFG] certificate "C=CH, O=strongSwan, CN=Client Key" key: 256 bit ECDSA
Jul 19 13:18:09 below charon: 09[CFG] using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan Root CA"
Jul 19 13:18:09 below charon: 09[CFG] checking certificate status of "C=CH, O=strongSwan, CN=Client Key"
Jul 19 13:18:09 below charon: 09[CFG] ocsp check skipped, no ocsp found
Jul 19 13:18:09 below charon: 09[CFG] certificate status is not available
Jul 19 13:18:09 below charon: 09[CFG] certificate "C=CH, O=strongSwan, CN=strongSwan Root CA" key: 384 bit ECDSA
Jul 19 13:18:09 below charon: 09[CFG] reached self-signed root ca with a path length of 0
Jul 19 13:18:09 below charon: 09[IKE] signature validation failed, looking for another key
Jul 19 13:18:09 below charon: 09[CFG] using certificate "C=CH, O=strongSwan, CN=Client Key"
Jul 19 13:18:09 below charon: 09[CFG] certificate "C=CH, O=strongSwan, CN=Client Key" key: 256 bit ECDSA
Jul 19 13:18:09 below ipsec[1146]: 08[IKE] peer supports MOBIKE
Jul 19 13:18:09 below ipsec[1146]: 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 19 13:18:09 below ipsec[1146]: 08[NET] sending packet: from 46.4.163.72[4500] to 217.94.72.100[4500] (80 bytes)
Jul 19 13:18:09 below ipsec[1146]: 03[NET] sending packet: from 46.4.163.72[4500] to 217.94.72.100[4500]
Jul 19 13:18:09 below ipsec[1146]: 08[IKE] IKE_SA IKEv2-eap[102] state change: CONNECTING => DESTROYING
Jul 19 13:18:09 below ipsec[1146]: 01[NET] received packet: from 217.94.72.100[500] to 46.4.163.72[500]
Jul 19 13:18:09 below ipsec[1146]: 01[NET] waiting for data on sockets
Jul 19 13:18:09 below ipsec[1146]: 12[NET] received packet: from 217.94.72.100[500] to 46.4.163.72[500] (240 bytes)
Jul 19 13:18:09 below ipsec[1146]: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jul 19 13:18:09 below ipsec[1146]: 12[CFG] looking for an ike config for 46.4.163.72...217.94.72.100
Jul 19 13:18:09 below ipsec[1146]: 12[CFG] candidate: %any...%any, prio 28
Jul 19 13:18:09 below ipsec[1146]: 12[CFG] candidate: %any...%any, prio 28
Jul 19 13:18:09 below ipsec[1146]: 12[CFG] found matching ike config: %any...%any with prio 28
Jul 19 13:18:09 below ipsec[1146]: 12[IKE] 217.94.72.100 is initiating an IKE_SA
Jul 19 13:18:09 below ipsec[1146]: 12[IKE] IKE_SA (unnamed)[103] state change: CREATED => CONNECTING
Jul 19 13:18:09 below ipsec[1146]: 12[CFG] selecting proposal:
Jul 19 13:18:09 below ipsec[1146]: 12[CFG] proposal matches
Jul 19 13:18:09 below ipsec[1146]: 12[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Jul 19 13:18:09 below ipsec[1146]: 12[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
Jul 19 13:18:09 below ipsec[1146]: 12[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Jul 19 13:18:09 below ipsec[1146]: 12[IKE] remote host is behind NAT
Jul 19 13:18:09 below ipsec[1146]: 12[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Jul 19 13:18:09 below ipsec[1146]: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Jul 19 13:18:09 below ipsec[1146]: 12[NET] sending packet: from 46.4.163.72[500] to 217.94.72.100[500] (281 bytes)
Jul 19 13:18:09 below ipsec[1146]: 03[NET] sending packet: from 46.4.163.72[500] to 217.94.72.100[500]
Jul 19 13:18:09 below ipsec[1146]: 01[NET] received packet: from 217.94.72.100[4500] to 46.4.163.72[4500]
Jul 19 13:18:09 below ipsec[1146]: 01[NET] waiting for data on sockets
Jul 19 13:18:09 below ipsec[1146]: 07[NET] received packet: from 217.94.72.100[4500] to 46.4.163.72[4500] (532 bytes)
Jul 19 13:18:09 below ipsec[1146]: 07[ENC] parsed IKE_AUTH request 1 [ EF ]
Jul 19 13:18:09 below ipsec[1146]: 07[ENC] received fragment #1 of 2, waiting for complete IKE message
Jul 19 13:18:09 below ipsec[1146]: 01[NET] received packet: from 217.94.72.100[4500] to 46.4.163.72[4500]
Jul 19 13:18:09 below ipsec[1146]: 01[NET] waiting for data on sockets
Jul 19 13:18:09 below ipsec[1146]: 09[NET] received packet: from 217.94.72.100[4500] to 46.4.163.72[4500] (420 bytes)
Jul 19 13:18:09 below ipsec[1146]: 09[ENC] parsed IKE_AUTH request 1 [ EF ]
Jul 19 13:18:09 below ipsec[1146]: 09[ENC] received fragment #2 of 2, reassembling fragmented IKE message
Jul 19 13:18:09 below ipsec[1146]: 09[ENC] unknown attribute type (25)
Jul 19 13:18:09 below ipsec[1146]: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jul 19 13:18:09 below ipsec[1146]: 09[IKE] received end entity cert "C=CH, O=strongSwan, CN=Client Key"
Jul 19 13:18:09 below ipsec[1146]: 09[CFG] looking for peer configs matching 46.4.163.72[46.4.163.72]...217.94.72.100[Client_Key]
Jul 19 13:18:09 below ipsec[1146]: 09[CFG] candidate "IKEv2-eap", match: 20/1/28 (me/other/ike)
Jul 19 13:18:09 below ipsec[1146]: 09[CFG] candidate "ikev2-pubkey", match: 20/1/28 (me/other/ike)
Jul 19 13:18:09 below ipsec[1146]: 09[CFG] selected peer config 'IKEv2-eap'
Jul 19 13:18:09 below ipsec[1146]: 09[CFG] using certificate "C=CH, O=strongSwan, CN=Client Key"
Jul 19 13:18:09 below ipsec[1146]: 09[CFG] certificate "C=CH, O=strongSwan, CN=Client Key" key: 256 bit ECDSA
Jul 19 13:18:09 below ipsec[1146]: 09[CFG] using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan Root CA"
Jul 19 13:18:09 below ipsec[1146]: 09[CFG] checking certificate status of "C=CH, O=strongSwan, CN=Client Key"
Jul 19 13:18:09 below ipsec[1146]: 09[CFG] ocsp check skipped, no ocsp found
Jul 19 13:18:09 below ipsec[1146]: 09[CFG] certificate status is not available
Jul 19 13:18:09 below charon: 09[CFG] no issuer certificate found for "C=CH, O=strongSwan, CN=Client Key"
Jul 19 13:18:09 below charon: 09[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jul 19 13:18:09 below charon: 09[IKE] processing INTERNAL_IP4_DHCP attribute
Jul 19 13:18:09 below charon: 09[IKE] processing INTERNAL_IP4_DNS attribute
Jul 19 13:18:09 below charon: 09[IKE] processing INTERNAL_IP4_NETMASK attribute
Jul 19 13:18:09 below charon: 09[IKE] processing INTERNAL_IP6_ADDRESS attribute
Jul 19 13:18:09 below charon: 09[IKE] processing INTERNAL_IP6_DHCP attribute
Jul 19 13:18:09 below charon: 09[IKE] processing INTERNAL_IP6_DNS attribute
Jul 19 13:18:09 below charon: 09[IKE] processing (25) attribute
Jul 19 13:18:09 below charon: 09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 19 13:18:09 below charon: 09[IKE] peer supports MOBIKE
Jul 19 13:18:09 below charon: 09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 19 13:18:09 below charon: 09[NET] sending packet: from 46.4.163.72[4500] to 217.94.72.100[4500] (80 bytes)
Jul 19 13:18:09 below charon: 03[NET] sending packet: from 46.4.163.72[4500] to 217.94.72.100[4500]
Jul 19 13:18:09 below charon: 09[IKE] IKE_SA IKEv2-eap[103] state change: CONNECTING => DESTROYING
==================
ipsec.conf
==================
config setup
uniqueids=never
charondebug="cfg 4, dmn 2, ike 2, net 2"
conn rw-base
fragmentation=yes
dpdaction=clear
dpddelay=300s
dpdtimeout = 5s
conn rw-config
also=rw-base
rightsourceip=10.0.0.101/24 ## LOCAL IP RANGE FOR VPN CONNECTED DEVICES
rightdns=208.67.222.222,208.67.220.220
leftsubnet=0.0.0.0/0
leftid=46.4.163.72
leftcert=vpnHostCert.pem
reauth=no
rekey=no
closeaction=restart
keyexchange=ikev2
ike=aes128-sha256-ecp256
esp=aes128-sha256-ecp256
leftsendcert=always
rightca="C=CH, O=strongSwan, CN=strongSwan Root CA"
#forceencaps=yes
#keyingtries=5
#left=%any
#leftfirewall=no
#mobike=yes
#right=%any
#type=tunnel
conn IKEv2-eap
also=rw-config
rightauth=eap-dynamic
eap_identity=%identity
auto=add
conn ikev2-pubkey
also=rw-config
auto=add
==================
Certificates
==================
% openssl x509 -text -in certs/ClientCert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 6326430233911968836 (0x57cbfec7649d4444)
Signature Algorithm: ecdsa-with-SHA1
Issuer: C=CH, O=strongSwan, CN=strongSwan Root CA
Validity
Not Before: Jul 19 10:24:32 2018 GMT
Not After : Jul 18 10:24:32 2020 GMT
Subject: C=CH, O=strongSwan, CN=Client Key
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:02:86:d1:ee:c3:4e:57:9e:ea:e2:66:79:33:c4:
e2:0b:7c:4b:84:14:84:88:04:35:93:38:0f:b8:cb:
00:d5:fc:d6:0b:de:ac:ac:e1:db:e5:0e:cf:70:78:
31:87:0f:3d:a8:f7:45:35:f7:01:c2:94:a8:5f:2c:
ad:be:6e:a1:b9
ASN1 OID: prime256v1
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:0C:A3:17:68:91:12:BD:4D:56:D7:22:EA:FE:6D:A9:70:E4:AF:BD:85
X509v3 Subject Alternative Name:
DNS:Client_Key
Signature Algorithm: ecdsa-with-SHA1
30:64:02:30:1e:cf:72:74:10:04:47:50:4c:82:d6:b2:a8:db:
9f:b2:af:55:af:16:fc:f6:df:fb:e3:9a:06:49:a6:c6:cb:22:
a9:2a:c5:ee:48:55:87:a6:b1:17:4b:32:96:cf:8d:55:02:30:
0a:b2:7b:e9:6f:6e:c3:fb:e4:ac:25:19:05:61:8f:90:52:f4:
d8:4e:bf:77:e3:74:56:ce:0c:75:a6:2f:e7:ea:51:24:ad:08:
63:25:fb:0c:9b:2a:10:51:73:51:26:67
-----BEGIN CERTIFICATE-----
MIIBwzCCAUugAwIBAgIIV8v+x2SdREQwCQYHKoZIzj0EATA/MQswCQYDVQQGEwJD
SDETMBEGA1UEChMKc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290
IENBMB4XDTE4MDcxOTEwMjQzMloXDTIwMDcxODEwMjQzMlowNzELMAkGA1UEBhMC
Q0gxEzARBgNVBAoTCnN0cm9uZ1N3YW4xEzARBgNVBAMTCkNsaWVudCBLZXkwWTAT
BgcqhkjOPQIBBggqhkjOPQMBBwNCAAQChtHuw05XnuriZnkzxOILfEuEFISIBDWT
OA+4ywDV/NYL3qys4dvlDs9weDGHDz2o90U19wHClKhfLK2+bqG5ozowODAfBgNV
HSMEGDAWgBQMoxdokRK9TVbXIur+balw5K+9hTAVBgNVHREEDjAMggpDbGllbnRf
S2V5MAkGByqGSM49BAEDZwAwZAIwHs9ydBAER1BMgtayqNufsq9Vrxb89t/745oG
SabGyyKpKsXuSFWHprEXSzKWz41VAjAKsnvpb27D++SsJRkFYY+QUvTYTr9343RW
zgx1pi/n6lEkrQhjJfsMmyoQUXNRJmc=
-----END CERTIFICATE——
% openssl x509 -text -in certs/vpnHostCert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4685939399688120732 (0x4107cd0e8d6ae99c)
Signature Algorithm: ecdsa-with-SHA1
Issuer: C=CH, O=strongSwan, CN=strongSwan Root CA
Validity
Not Before: Jul 19 10:24:32 2018 GMT
Not After : Jul 18 10:24:32 2020 GMT
Subject: C=CH, O=strongSwan, CN=46.4.163.72
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:dc:4e:33:9d:c2:86:a4:6c:66:fe:9b:49:63:6d:
1a:1c:1d:09:bf:39:d7:06:e3:6a:29:96:75:f5:b8:
b3:e2:44:6c:38:6a:c5:3e:d7:24:5c:7c:17:e5:5c:
27:b0:56:61:09:97:8f:b7:37:da:24:82:0a:06:19:
35:ae:76:9a:53
ASN1 OID: prime256v1
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:0C:A3:17:68:91:12:BD:4D:56:D7:22:EA:FE:6D:A9:70:E4:AF:BD:85
X509v3 Subject Alternative Name:
IP Address:46.4.163.72
X509v3 Extended Key Usage:
TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
Signature Algorithm: ecdsa-with-SHA1
30:64:02:30:1d:2a:0f:e8:90:16:19:78:ae:d5:5c:d8:83:b4:
1f:69:59:d4:f3:b1:37:68:9a:66:d0:27:9d:f5:aa:fc:5a:dd:
a2:c7:11:bb:81:eb:ab:ce:f6:8c:6b:cd:c0:f5:89:49:02:30:
60:92:12:d6:17:0f:19:8c:c1:89:c3:eb:7c:6b:c2:39:45:91:
7c:58:af:21:8e:d0:dd:3a:b7:bf:fa:88:6b:0b:d3:27:26:01:
08:ec:3c:55:32:ce:83:59:1b:b9:7f:f4
-----BEGIN CERTIFICATE-----
MIIB3TCCAWWgAwIBAgIIQQfNDo1q6ZwwCQYHKoZIzj0EATA/MQswCQYDVQQGEwJD
SDETMBEGA1UEChMKc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290
IENBMB4XDTE4MDcxOTEwMjQzMloXDTIwMDcxODEwMjQzMlowODELMAkGA1UEBhMC
Q0gxEzARBgNVBAoTCnN0cm9uZ1N3YW4xFDASBgNVBAMTCzQ2LjQuMTYzLjcyMFkw
EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3E4zncKGpGxm/ptJY20aHB0JvznXBuNq
KZZ19biz4kRsOGrFPtckXHwX5VwnsFZhCZePtzfaJIIKBhk1rnaaU6NTMFEwHwYD
VR0jBBgwFoAUDKMXaJESvU1W1yLq/m2pcOSvvYUwDwYDVR0RBAgwBocELgSjSDAd
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUIAgIwCQYHKoZIzj0EAQNnADBkAjAd
Kg/okBYZeK7VXNiDtB9pWdTzsTdommbQJ531qvxa3aLHEbuB66vO9oxrzcD1iUkC
MGCSEtYXDxmMwYnD63xrwjlFkXxYryGO0N06t7/6iGsL0ycmAQjsPFUyzoNZG7l/
9A==
-----END CERTIFICATE——
% openssl x509 -text -in cacerts/strongswanCert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4805933790098540678 (0x42b21b51b4dec886)
Signature Algorithm: ecdsa-with-SHA1
Issuer: C=CH, O=strongSwan, CN=strongSwan Root CA
Validity
Not Before: Jul 19 10:24:32 2018 GMT
Not After : Jul 16 10:24:32 2028 GMT
Subject: C=CH, O=strongSwan, CN=strongSwan Root CA
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:2c:0a:88:9e:61:2f:07:5d:ab:76:6b:6e:86:e5:
89:c6:2d:d9:08:27:ee:c1:8d:b7:95:50:ad:13:71:
4f:f6:99:66:4b:99:8c:1f:09:b4:ea:ca:b7:3e:51:
2d:66:f9:6d:e3:98:0e:72:da:1c:c1:19:1b:13:38:
29:eb:66:a2:ee:07:c5:45:5b:5c:f1:50:72:e4:61:
c0:9a:00:f7:3c:dc:59:14:c1:8a:51:fa:c8:47:cc:
0e:80:c1:e3:fa:b6:8f
ASN1 OID: secp384r1
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
0C:A3:17:68:91:12:BD:4D:56:D7:22:EA:FE:6D:A9:70:E4:AF:BD:85
Signature Algorithm: ecdsa-with-SHA1
30:64:02:30:2c:cf:e0:d0:94:6e:11:f5:df:72:18:b2:12:7d:
3c:a2:e8:f0:82:b6:29:7a:ff:1b:b4:19:81:b4:fb:f0:0e:15:
3c:c9:dc:81:42:eb:b5:bb:cd:41:dd:61:81:ed:e1:36:02:30:
2b:6e:86:20:98:ed:fd:35:6e:35:79:fa:67:fa:94:bf:49:32:
80:78:db:c4:2b:af:f6:10:47:b8:d6:95:aa:a3:75:0e:fa:70:
bb:ff:84:db:33:d9:1a:6a:a0:7f:b5:85
-----BEGIN CERTIFICATE-----
MIIB8DCCAXigAwIBAgIIQrIbUbTeyIYwCQYHKoZIzj0EATA/MQswCQYDVQQGEwJD
SDETMBEGA1UEChMKc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290
IENBMB4XDTE4MDcxOTEwMjQzMloXDTI4MDcxNjEwMjQzMlowPzELMAkGA1UEBhMC
Q0gxEzARBgNVBAoTCnN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9v
dCBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABCwKiJ5hLwddq3ZrboblicYt2Qgn
7sGNt5VQrRNxT/aZZkuZjB8JtOrKtz5RLWb5beOYDnLaHMEZGxM4Ketmou4HxUVb
XPFQcuRhwJoA9zzcWRTBilH6yEfMDoDB4/q2j6NCMEAwDwYDVR0TAQH/BAUwAwEB
/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFAyjF2iREr1NVtci6v5tqXDkr72F
MAkGByqGSM49BAEDZwAwZAIwLM/g0JRuEfXfchiyEn08oujwgrYpev8btBmBtPvw
DhU8ydyBQuu1u81B3WGB7eE2AjArboYgmO39NW41efpn+pS/STKAeNvEK6/2EEe4
1pWqo3UO+nC7/4TbM9kaaqB/tYU=
-----END CERTIFICATE——
> Am 18.07.2018 um 15:30 schrieb Tobias Brunner <tobias at strongswan.org>:
>
> Hi Alexander,
>
>> Interestingly enough, there are different error messages. When connecting with Linux, the key parts of the log seem to be:
>>
>> Jul 18 15:05:56 below charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
>> Jul 18 15:05:56 below charon: 07[CFG] looking for an ike config for 46.4.163.72...80.152.52.195
>> Jul 18 15:05:56 below charon: 07[IKE] no IKE config found for 46.4.163.72...80.152.52.195, sending NO_PROPOSAL_CHOSEN
>> Jul 18 15:05:56 below charon: 07[ENC] generating INFORMATIONAL_V1 request 1522692232 [ N(NO_PROP) ]
>
> Fix your config. Either the IKE version or IPs don't match whatever you
> configured (increase the log level for cfg to 2 or 3 for details).
>
>> When connecting with macOS, I don’t even see where the process is failing. There is a good deal of communication, and finally
>>
>> Jul 18 15:01:35 below charon: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>> Jul 18 15:01:35 below charon: 08[IKE] peer supports MOBIKE
>> Jul 18 15:01:35 below charon: 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>
> That's not the important part, which is:
>
>> Jul 18 15:01:35 below charon: 08[CFG] selected peer config 'IKEv2'
>> Jul 18 15:01:35 below charon: 08[IKE] peer requested EAP, config inacceptable
>> Jul 18 15:01:35 below charon: 08[CFG] no alternative config found
>
> The client wants to use EAP authentication, but the server is apparently
> not configured for it. So again, fix your config (client or server, but
> they have to agree on how to authenticate each other).
>
> Also, see [1].
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
More information about the Users
mailing list