[strongSwan] Strange issue. Can't connect.

Christian Salway christian.salway at naimuri.com
Tue Jun 12 11:55:03 CEST 2018


When I try to connect to the VPN server using charon-cmd, I'm instructing it to use vpnserver, but the server is responding with vpnserver1. I have two connection configs set up (pasted below). What am I missing?

CLIENT

sudo charon-cmd --host x.x.x.x --identity remote-user --p12 remote-user.p12 --remote-identity vpnserver --profile ikev2-eap
Password: 
00[DMN] Starting charon-cmd IKE client (strongSwan 5.6.3, Darwin 17.5.0, x86_64)
00[LIB] loaded plugins: charon-cmd nonce x509 revocation constraints pubkey pkcs1 pkcs8 sshkey pem openssl curve25519 kernel-pfkey kernel-pfroute socket-default eap-identity eap-md5 eap-gtc eap-mschapv2 xauth-generic osx-attr
00[JOB] spawning 16 worker threads
07[IKE] initiating IKE_SA cmd[1] to 35.176.91.73
07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
07[NET] sending packet: from 192.168.1.31[59314] to 35.176.91.73[4500] (712 bytes)
09[NET] received packet: from 35.176.91.73[4500] to 192.168.1.31[59314] (289 bytes)
09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
09[IKE] local host is behind NAT, sending keep alives
09[IKE] remote host is behind NAT
09[IKE] received cert request for "CN=Vivace Root CA"
09[IKE] sending cert request for "CN=Vivace Root CA"
09[IKE] establishing CHILD_SA cmd{1}
09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
09[NET] sending packet: from 192.168.1.31[57170] to 35.176.91.73[4500] (352 bytes)
10[NET] received packet: from 35.176.91.73[4500] to 192.168.1.31[57170] (1152 bytes)
10[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
10[IKE] received end entity cert "C=GB, CN=vpnserver1"
10[CFG]   using certificate "C=GB, CN=vpnserver1"
10[CFG]   using trusted ca certificate "CN=Vivace Root CA"
10[CFG] checking certificate status of "C=GB, CN=vpnserver1"
10[CFG] certificate status is not available
10[CFG]   reached self-signed root ca with a path length of 0
10[IKE] authentication of 'vpnserver1' with ECDSA_WITH_SHA384_DER successful
10[CFG] constraint check failed: identity 'vpnserver' required 
10[CFG] selected peer config 'cmd' inacceptable: constraint checking failed
10[CFG] no alternative config found
10[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
10[NET] sending packet: from 192.168.1.31[57170] to 35.176.91.73[4500] (80 bytes)


SERVER

Jun 12 09:40:03 09[IKE] 148.252.225.26 is initiating an IKE_SA
Jun 12 09:40:03 09[IKE] IKE_SA (unnamed)[121] state change: CREATED => CONNECTING
Jun 12 09:40:03 09[CFG] selecting proposal:
Jun 12 09:40:03 09[CFG]   proposal matches
Jun 12 09:40:03 09[CFG] received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Jun 12 09:40:03 09[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256/MODP_2048
Jun 12 09:40:03 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Jun 12 09:40:03 09[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
Jun 12 09:40:03 09[IKE] local host is behind NAT, sending keep alives
Jun 12 09:40:03 09[IKE] remote host is behind NAT
Jun 12 09:40:03 09[CFG] sending supported signature hash algorithms: sha256 sha384 sha512 identity
Jun 12 09:40:03 09[IKE] sending cert request for "CN=Root CA"
Jun 12 09:40:03 06[IKE] received cert request for "CN=Root CA"
Jun 12 09:40:03 06[CFG] looking for peer configs matching 10.0.0.49[%any]…x.x.x.x[remote-user]
Jun 12 09:40:03 06[CFG] peer config match local: 1 (ID_ANY -> )
Jun 12 09:40:03 06[CFG] peer config match remote: 1 (ID_FQDN -> 63:68:72:69:73:2e:6f:72:63:68:61:72:64:2e:76:69:76:61:63:65:2e:74:65:63:68)
Jun 12 09:40:03 06[CFG] ike config match: 28 (10.0.0.49 x.x.x.x IKEv2)
Jun 12 09:40:03 06[CFG]   candidate "ecdsa", match: 1/1/28 (me/other/ike)
Jun 12 09:40:03 06[CFG] peer config match local: 1 (ID_ANY -> )
Jun 12 09:40:03 06[CFG] peer config match remote: 1 (ID_FQDN -> 63:68:72:69:73:2e:6f:72:63:68:61:72:64:2e:76:69:76:61:63:65:2e:74:65:63:68)
Jun 12 09:40:03 06[CFG] ike config match: 28 (10.0.0.49 x.x.x.x IKEv2)
Jun 12 09:40:03 06[CFG]   candidate "rsa", match: 1/1/28 (me/other/ike)
Jun 12 09:40:03 06[CFG] selected peer config 'ecdsa'
Jun 12 09:40:03 06[IKE] initiating EAP_IDENTITY method (id 0x00)
Jun 12 09:40:03 06[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jun 12 09:40:03 06[IKE] processing INTERNAL_IP4_DNS attribute
Jun 12 09:40:03 06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun 12 09:40:03 06[IKE] peer supports MOBIKE
Jun 12 09:40:03 06[IKE] authentication of 'vpnserver1' (myself) with ECDSA_WITH_SHA384_DER successful
Jun 12 09:40:03 06[IKE] sending end entity cert "C=GB, CN=vpnserver1"
Jun 12 09:40:03 08[IKE] IKE_SA ecdsa[121] state change: CONNECTING => DESTROYING


/etc/swanctl/conf.d/conn-rsa.conf
connections {
  rsa {
     version = 2
     send_cert = always
     encap = yes
     pools = pool1
     unique = replace
     proposals = aes256-sha256-prfsha256-ecp256-modp2048
     local {
        id = vpnserver
        certs = vpnserver.crt
     }
     remote {
        auth = eap-dynamic
        eap_id = %any
     }
     children {
        net {
          local_ts = 10.0.0.0/18
        }
     }
  }
}


/etc/swanctl/conf.d/conn-ecdsa.conf
connections {
  ecdsa {
     version = 2
     send_cert = always
     encap = yes
     unique = replace
     proposals = aes256-sha256-prfsha256-ecp256-modp2048-modp1024
     pools = pool1
     local {
        id = vpnserver1
        certs = vpnserver1.crt
     }
     remote {
        auth = eap-dynamic
        eap_id = %any
     }
     children {
        net {
          local_ts = 10.0.0.0/18
        }
     }
  }
}
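Two things worth cross-checking against the logs above, as an added example that is not part of the post or of strongSwan itself: a small Python script that parses swanctl-style connection sections to list each connection's local id, and scans the client-side charon-cmd lines for the identity the server authenticated as versus the identity the constraint required. The function names are mine, and the embedded config and log samples are constructed from the lines in this post.

```python
import re

# Constructed sample: the two swanctl connection sections from the post,
# trimmed to the keys this check needs (nesting depth is kept as posted).
SWANCTL_CONF = """
connections {
  rsa {
     version = 2
     local {
        id = vpnserver
        certs = vpnserver.crt
     }
     remote {
        auth = eap-dynamic
        eap_id = %any
     }
     children {
        net {
          local_ts = 10.0.0.0/18
        }
     }
  }
  ecdsa {
     version = 2
     local {
        id = vpnserver1
        certs = vpnserver1.crt
     }
     remote {
        auth = eap-dynamic
        eap_id = %any
     }
     children {
        net {
          local_ts = 10.0.0.0/18
        }
     }
  }
}
"""

# Constructed sample: the relevant client-side charon-cmd lines from the post.
CLIENT_LOG = """\
10[IKE] received end entity cert "C=GB, CN=vpnserver1"
10[IKE] authentication of 'vpnserver1' with ECDSA_WITH_SHA384_DER successful
10[CFG] constraint check failed: identity 'vpnserver' required
10[CFG] selected peer config 'cmd' inacceptable: constraint checking failed
"""


def parse_swanctl(text):
    """Minimal parser for swanctl.conf-style nested sections.

    Returns nested dicts; leaf values are strings. Comments after '#'
    are dropped. Hypothetical helper, not strongSwan's own parser."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):            # open a nested section
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":                 # close the current section
            stack.pop()
        elif "=" in line:                 # key = value leaf
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    return root


def local_ids(conf):
    """Map connection name -> local.id for every connection section."""
    conns = conf.get("connections", {})
    return {name: sec.get("local", {}).get("id") for name, sec in conns.items()}


AUTH_RE = re.compile(r"authentication of '([^']+)' with .* successful")
REQ_RE = re.compile(r"constraint check failed: identity '([^']+)' required")


def diagnose(log, conf):
    """Compare the identity the peer authenticated as with the identity the
    client's constraint required, and name the connections carrying each."""
    authenticated = required = None
    for line in log.splitlines():
        m = AUTH_RE.search(line)
        if m:
            authenticated = m.group(1)
        m = REQ_RE.search(line)
        if m:
            required = m.group(1)
    ids = local_ids(conf)
    return {
        "authenticated_as": authenticated,
        "required": required,
        "mismatch": authenticated is not None and authenticated != required,
        "answering_connection": [n for n, i in ids.items() if i == authenticated],
        "connection_with_required_id": [n for n, i in ids.items() if i == required],
    }


if __name__ == "__main__":
    print(diagnose(CLIENT_LOG, parse_swanctl(SWANCTL_CONF)))
```

Run against the samples it reports that the server authenticated as `vpnserver1` (the id configured on the `ecdsa` connection) while the client required `vpnserver` (the id configured on `rsa`), which is the same mismatch the client log shows on the "constraint check failed" line.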

