[strongSwan] Strange issue. Cant connect.

Christian Salway christian.salway at naimuri.com
Tue Jun 12 16:27:33 CEST 2018


OK, I changed remote { auth = eap-tls ... and tried again, and now on the client side I'm getting EAP_TLS not supported! Getting there... Now to figure out how to enable it on the client.

SERVER

Jun 12 14:22:22 08[CFG] looking for peer configs matching 10.0.0.49[%any]...x.x.x.x[remote.user]
Jun 12 14:22:22 08[CFG] peer config match local: 1 (ID_ANY -> )
Jun 12 14:22:22 08[CFG] peer config match remote: 1 (ID_FQDN -> 63:68:72:69:73:2e:6f:72:63:68:61:72:64:2e:76:69:76:61:63:65:2e:74:65:63:68)
Jun 12 14:22:22 08[CFG] ike config match: 28 (10.0.0.49 x.x.x.x IKEv2)
Jun 12 14:22:22 08[CFG]   candidate "ecdsa", match: 1/1/28 (me/other/ike)
Jun 12 14:22:22 08[CFG] peer config match local: 1 (ID_ANY -> )
Jun 12 14:22:22 08[CFG] peer config match remote: 1 (ID_FQDN -> 63:68:72:69:73:2e:6f:72:63:68:61:72:64:2e:76:69:76:61:63:65:2e:74:65:63:68)
Jun 12 14:22:22 08[CFG] ike config match: 28 (10.0.0.49 x.x.x.x IKEv2)
Jun 12 14:22:22 08[CFG]   candidate "rsa", match: 1/1/28 (me/other/ike)
Jun 12 14:22:22 08[CFG] selected peer config 'ecdsa'
Jun 12 14:22:22 08[IKE] initiating EAP_IDENTITY method (id 0x00)
Jun 12 14:22:22 08[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jun 12 14:22:22 08[IKE] processing INTERNAL_IP4_DNS attribute
Jun 12 14:22:22 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun 12 14:22:22 08[IKE] peer supports MOBIKE
Jun 12 14:22:22 08[IKE] authentication of 'vpnserver1' (myself) with ECDSA_WITH_SHA384_DER successful
Jun 12 14:22:22 08[IKE] sending end entity cert "C=GB, CN=vpnserver1"
Jun 12 14:22:22 12[IKE] received EAP identity 'remote.user'
Jun 12 14:22:22 12[IKE] initiating EAP_TLS method (id 0x6A)
Jun 12 14:22:22 10[IKE] received EAP_NAK, sending EAP_FAILURE
Jun 12 14:22:22 10[IKE] IKE_SA ecdsa[2] state change: CONNECTING => DESTROYING

CLIENT

00[DMN] Starting charon-cmd IKE client (strongSwan 5.6.3, Darwin 17.5.0, x86_64)
00[LIB] loaded plugins: charon-cmd nonce x509 revocation constraints pubkey pkcs1 pkcs8 sshkey pem openssl curve25519 kernel-pfkey kernel-pfroute socket-default eap-identity eap-md5 eap-gtc eap-mschapv2 xauth-generic osx-attr
00[JOB] spawning 16 worker threads
07[IKE] initiating IKE_SA cmd[1] to x.x.x.x
07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
07[NET] sending packet: from 192.168.1.31[51903] to x.x.x.x[4500] (712 bytes)
09[NET] received packet: from x.x.x.x[4500] to 192.168.1.31[51903] (289 bytes)
09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
09[IKE] local host is behind NAT, sending keep alives
09[IKE] remote host is behind NAT
09[IKE] received cert request for "CN=Vivace Root CA"
09[IKE] sending cert request for "CN=Vivace Root CA"
09[IKE] establishing CHILD_SA cmd{1}
09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
09[NET] sending packet: from 192.168.1.31[64672] to x.x.x.x[4500] (352 bytes)
10[NET] received packet: from x.x.x.x[4500] to 192.168.1.31[64672] (1152 bytes)
10[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
10[IKE] received end entity cert "C=GB, CN=vpnserver1"
10[CFG]   using certificate "C=GB, CN=vpnserver1"
10[CFG]   using trusted ca certificate "CN=Vivace Root CA"
10[CFG] checking certificate status of "C=GB, CN=vpnserver1"
10[CFG] certificate status is not available
10[CFG]   reached self-signed root ca with a path length of 0
10[IKE] authentication of 'vpnserver1' with ECDSA_WITH_SHA384_DER successful
10[IKE] server requested EAP_IDENTITY (id 0x00), sending 'remote.user'
10[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
10[NET] sending packet: from 192.168.1.31[64672] to x.x.x.x[4500] (112 bytes)
11[NET] received packet: from x.x.x.x[4500] to 192.168.1.31[64672] (80 bytes)
11[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TLS ]
11[IKE] server requested EAP_TLS authentication (id 0x6A)
11[IKE] EAP method not supported, sending EAP_NAK
11[ENC] generating IKE_AUTH request 3 [ EAP/RES/NAK ]
11[NET] sending packet: from 192.168.1.31[64672] to x.x.x.x[4500] (80 bytes)
12[NET] received packet: from x.x.x.x[4500] to 192.168.1.31[64672] (80 bytes)
12[ENC] parsed IKE_AUTH response 3 [ EAP/FAIL ]
12[IKE] received EAP_FAILURE, EAP authentication failed
12[ENC] generating INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
12[NET] sending packet: from 192.168.1.31[64672] to x.x.x.x[4500] (80 bytes)

> On 12 Jun 2018, at 15:20, Tobias Brunner <tobias at strongswan.org> wrote:
> 
>> Its using eap-dynamic with eap-tls as the preferred.
> 
> The latter is doubtful because EAP-MSCHAPv2 is the method initiated by
> the server (and not as response to an EAP-Nak by the client).
> 
> Regards,
> Tobias
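The client log above already contains the answer to the EAP_NAK: the "loaded plugins" line shows charon-cmd built with eap-identity, eap-md5, eap-gtc and eap-mschapv2 but no eap-tls plugin, so the client has no implementation of the method the server now asks for. The script below is an added diagnostic, not part of this thread or of strongSwan; it runs that cross-check over the log lines posted above (copied in as sample input). The rule it uses to map an EAP method name to a plugin name (EAP_TLS to eap-tls, EAP_MSCHAPV2 to eap-mschapv2, and so on) is an assumption that holds for strongSwan's bundled EAP plugins.

```python
"""Cross-check the EAP method a strongSwan responder asks for against the
plugins the charon/charon-cmd initiator actually loaded.

Added diagnostic, not code from the thread or from the strongSwan project.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: these lines are copied from the client (charon-cmd)
# and server logs posted in the thread above.
CLIENT_LOG = """\
00[DMN] Starting charon-cmd IKE client (strongSwan 5.6.3, Darwin 17.5.0, x86_64)
00[LIB] loaded plugins: charon-cmd nonce x509 revocation constraints pubkey pkcs1 pkcs8 sshkey pem openssl curve25519 kernel-pfkey kernel-pfroute socket-default eap-identity eap-md5 eap-gtc eap-mschapv2 xauth-generic osx-attr
10[IKE] authentication of 'vpnserver1' with ECDSA_WITH_SHA384_DER successful
10[IKE] server requested EAP_IDENTITY (id 0x00), sending 'remote.user'
11[IKE] server requested EAP_TLS authentication (id 0x6A)
11[IKE] EAP method not supported, sending EAP_NAK
12[IKE] received EAP_FAILURE, EAP authentication failed
"""

SERVER_LOG = """\
Jun 12 14:22:22 12[IKE] initiating EAP_TLS method (id 0x6A)
Jun 12 14:22:22 10[IKE] received EAP_NAK, sending EAP_FAILURE
"""

PLUGINS_RE = re.compile(r"\[LIB\] loaded plugins: (.*)$")
REQUEST_RE = re.compile(r"server requested (EAP_[A-Z0-9]+)")
CLIENT_NAK_RE = re.compile(r"sending EAP_NAK")
SERVER_FAIL_RE = re.compile(r"received EAP_NAK, sending EAP_FAILURE")


def plugin_for(method: str) -> str:
    """Map an EAP method name as logged to the strongSwan plugin implementing it.

    Assumption: strongSwan names its EAP plugins after the method, lower-cased
    with hyphens (EAP_TLS -> eap-tls, EAP_MSCHAPV2 -> eap-mschapv2,
    EAP_IDENTITY -> eap-identity).
    """
    return method.lower().replace("_", "-")


def loaded_plugins(log: str) -> List[str]:
    """Return the plugin names from the first '[LIB] loaded plugins:' line."""
    for line in log.splitlines():
        m = PLUGINS_RE.search(line)
        if m:
            return m.group(1).split()
    return []


def requested_methods(log: str) -> List[str]:
    """EAP methods the server requested, in the order the client logged them."""
    return REQUEST_RE.findall(log)


@dataclass
class Diagnosis:
    eap_plugins: List[str]            # EAP plugins the client loaded
    missing: List[Tuple[str, str]]    # (requested method, plugin it would need)
    client_sent_nak: bool


def diagnose_client(log: str) -> Diagnosis:
    """Flag every server-requested EAP method the client has no plugin for."""
    plugins = set(loaded_plugins(log))
    missing = [(m, plugin_for(m)) for m in requested_methods(log)
               if plugin_for(m) not in plugins]
    return Diagnosis(
        eap_plugins=sorted(p for p in plugins if p.startswith("eap-")),
        missing=missing,
        client_sent_nak=bool(CLIENT_NAK_RE.search(log)),
    )


def server_gave_up(log: str) -> bool:
    """True when the responder answered the client's EAP_NAK with EAP_FAILURE.

    A responder configured with a single EAP method does exactly this; one
    using eap-dynamic would instead pick another method the client offered.
    """
    return bool(SERVER_FAIL_RE.search(log))


if __name__ == "__main__":
    d = diagnose_client(CLIENT_LOG)
    print("client EAP plugins:", ", ".join(d.eap_plugins))
    for method, plugin in d.missing:
        print(f"server asked for {method} but plugin '{plugin}' is not loaded")
    if d.client_sent_nak and server_gave_up(SERVER_LOG):
        print("client NAKed and server sent EAP_FAILURE: no EAP method in common")
```

Running it on the posted logs reports that EAP_TLS was requested while only eap-identity, eap-md5, eap-gtc and eap-mschapv2 are loaded, which is the missing-plugin condition that produces the EAP_NAK / EAP_FAILURE pair seen on both sides.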


