[strongSwan] EAP-MSCHAPV2/PEAP client connection from Network Manager

Chris Sherry smilinjoe at gmail.com
Tue Apr 16 22:56:13 CEST 2019


All,

I am having issues building a config for clients using network manager
(testing with Ubuntu 18.04). This connection works from the CLI using this
ipsec.conf:

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=yes

conn vpn
        left=%any
        leftsourceip=%config
        leftfirewall=yes
        leftauth=eap-mschapv2
        right=vpn.company.com
        rightid=%vpn.company.com
        rightcert=Root-CA-2.crt
        rightsubnet=0.0.0.0/0
        auto=add

What we found to be key is that the leftauth method has to be eap-mschapv2. That
doesn't seem to be available in the network manager config. Here is a log
of the failure.

Apr 16 15:54:32 ubuntu-desktop charon-nm: 09[CFG] certificate status is good
Apr 16 15:54:32 ubuntu-desktop charon-nm: 09[CFG] reached self-signed root ca with a path length of 2
Apr 16 15:54:32 ubuntu-desktop charon-nm: 09[IKE] authentication of 'CN=vpn.company.com' with RSA signature successful
Apr 16 15:54:32 ubuntu-desktop charon-nm: 09[IKE] server requested EAP_IDENTITY (id 0x1F), sending 'csherry'
Apr 16 15:54:32 ubuntu-desktop charon-nm: 09[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Apr 16 15:54:32 ubuntu-desktop charon-nm: 09[NET] sending packet: from 192.168.1.125[39233] to y.y.y.y[4500] (96 bytes)
Apr 16 15:54:32 ubuntu-desktop charon-nm: 01[NET] received packet: from y.y.y.y[4500] to 192.168.1.125[39233] (80 bytes)
Apr 16 15:54:32 ubuntu-desktop charon-nm: 01[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/PEAP ]
Apr 16 15:54:32 ubuntu-desktop charon-nm: 01[IKE] server requested EAP_PEAP authentication (id 0x20)
Apr 16 15:54:32 ubuntu-desktop charon-nm: 01[TLS] EAP_PEAP version is v0
Apr 16 15:54:32 ubuntu-desktop charon-nm: 01[ENC] generating IKE_AUTH request 3 [ EAP/RES/PEAP ]
Apr 16 15:54:32 ubuntu-desktop charon-nm: 01[NET] sending packet: from 192.168.1.125[39233] to y.y.y.y[4500] (256 bytes)
Apr 16 15:54:32 ubuntu-desktop charon-nm: 13[NET] received packet: from y.y.y.y[4500] to 192.168.1.125[39233] (1568 bytes)
Apr 16 15:54:32 ubuntu-desktop charon-nm: 13[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/PEAP ]
Apr 16 15:54:32 ubuntu-desktop charon-nm: 13[ENC] generating IKE_AUTH request 4 [ EAP/RES/PEAP ]
Apr 16 15:54:32 ubuntu-desktop charon-nm: 13[NET] sending packet: from 192.168.1.125[39233] to y.y.y.y[4500] (80 bytes)
Apr 16 15:54:32 ubuntu-desktop charon-nm: 14[NET] received packet: from y.y.y.y[4500] to 192.168.1.125[39233] (1568 bytes)
Apr 16 15:54:32 ubuntu-desktop charon-nm: 14[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/PEAP ]
Apr 16 15:54:32 ubuntu-desktop charon-nm: 14[ENC] generating IKE_AUTH request 5 [ EAP/RES/PEAP ]
Apr 16 15:54:32 ubuntu-desktop charon-nm: 14[NET] sending packet: from 192.168.1.125[39233] to y.y.y.y[4500] (80 bytes)
Apr 16 15:54:32 ubuntu-desktop charon-nm: 08[NET] received packet: from y.y.y.y[4500] to 192.168.1.125[39233] (1568 bytes)
Apr 16 15:54:32 ubuntu-desktop charon-nm: 08[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/PEAP ]
Apr 16 15:54:32 ubuntu-desktop charon-nm: 08[ENC] generating IKE_AUTH request 6 [ EAP/RES/PEAP ]
Apr 16 15:54:32 ubuntu-desktop charon-nm: 08[NET] sending packet: from 192.168.1.125[39233] to y.y.y.y[4500] (80 bytes)
Apr 16 15:54:32 ubuntu-desktop charon-nm: 02[NET] received packet: from y.y.y.y[4500] to 192.168.1.125[39233] (1568 bytes)
Apr 16 15:54:32 ubuntu-desktop charon-nm: 02[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/PEAP ]
Apr 16 15:54:32 ubuntu-desktop charon-nm: 02[ENC] generating IKE_AUTH request 7 [ EAP/RES/PEAP ]
Apr 16 15:54:32 ubuntu-desktop charon-nm: 02[NET] sending packet: from 192.168.1.125[39233] to y.y.y.y[4500] (80 bytes)
Apr 16 15:54:32 ubuntu-desktop charon-nm: 06[NET] received packet: from y.y.y.y[4500] to 192.168.1.125[39233] (1520 bytes)
Apr 16 15:54:32 ubuntu-desktop charon-nm: 06[ENC] parsed IKE_AUTH response 7 [ EAP/REQ/PEAP ]
Apr 16 15:54:32 ubuntu-desktop charon-nm: 06[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Apr 16 15:54:32 ubuntu-desktop charon-nm: 06[TLS] server certificate does not match to 'CN=vpn.company.com'
Apr 16 15:54:32 ubuntu-desktop charon-nm: 06[TLS] sending fatal TLS alert 'access denied'
Apr 16 15:54:32 ubuntu-desktop charon-nm: 06[ENC] generating IKE_AUTH request 8 [ EAP/RES/PEAP ]
Apr 16 15:54:32 ubuntu-desktop charon-nm: 06[NET] sending packet: from 192.168.1.125[39233] to y.y.y.y[4500] (96 bytes)
Apr 16 15:54:32 ubuntu-desktop charon-nm: 16[NET] received packet: from y.y.y.y[4500] to 192.168.1.125[39233] (80 bytes)
Apr 16 15:54:32 ubuntu-desktop charon-nm: 16[ENC] parsed IKE_AUTH response 8 [ EAP/FAIL ]
Apr 16 15:54:32 ubuntu-desktop charon-nm: 16[IKE] received EAP_FAILURE, EAP authentication failed
Apr 16 15:54:32 ubuntu-desktop charon-nm: 16[ENC] generating INFORMATIONAL request 9 [ N(AUTH_FAILED) ]
Apr 16 15:54:32 ubuntu-desktop charon-nm: 16[NET] sending packet: from 192.168.1.125[39233] to y.y.y.y[4500] (80 bytes)

Thanks in advance,
Chris.
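The charon-nm log in the post carries the whole story of the failure in a handful of lines: the outer IKEv2 authentication of the gateway succeeds, the server then asks for EAP_IDENTITY and EAP_PEAP rather than EAP-MSCHAPv2 directly, the PEAP TLS tunnel negotiates a cipher suite, and the client itself rejects the PEAP server certificate because it does not match 'CN=vpn.company.com', after which the server returns EAP_FAILURE. When triaging many of these (helpdesk tickets, a fleet of NetworkManager clients), it helps to pull those facts out mechanically. The following Python parser is an added example, not code from the post or from the strongSwan project; the sample log is an excerpt of the lines posted above, and the summary/verdict structure is an illustration of one way to do it.

```python
"""Summarise an IKEv2 EAP exchange from charon / charon-nm syslog lines.

Added example, not strongSwan code. The log lines in SAMPLE_LOG are an
excerpt of the ones in the post; the regexes match charon's wording as
seen there and may need extending for other charon messages.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# charon syslog format: "<date> <host> charon[-nm]: <thread>[<group>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<daemon>charon(?:-nm)?): "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
EAP_REQ_RE = re.compile(
    r"server requested (?P<method>EAP_[A-Z0-9_]+)(?: authentication)? "
    r"\(id (?P<id>0x[0-9A-Fa-f]+)\)"
)
TLS_SUITE_RE = re.compile(r"negotiated (?P<version>TLS [\d.]+) using suite (?P<suite>\S+)")
TLS_MISMATCH_RE = re.compile(r"server certificate does not match to '(?P<ident>[^']+)'")
TLS_ALERT_RE = re.compile(r"sending fatal TLS alert '(?P<alert>[^']+)'")


@dataclass
class EapSummary:
    methods: List[str] = field(default_factory=list)  # EAP methods the server asked for, in order
    peap_rounds: int = 0                               # EAP/REQ/PEAP responses received (TLS fragments)
    tls_suite: Optional[str] = None                    # suite of the PEAP inner TLS session
    tls_expected_id: Optional[str] = None              # identity charon checked the PEAP server cert against
    tls_alert: Optional[str] = None                    # fatal alert the client sent, if any
    eap_failed: bool = False                           # server answered with EAP_FAILURE


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into charon fields; None for non-charon lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines) -> EapSummary:
    """Walk the log once and collect the EAP/TLS facts that explain a failure."""
    s = EapSummary()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if m := EAP_REQ_RE.search(msg):
            s.methods.append(m["method"])
        elif "parsed IKE_AUTH response" in msg and "EAP/REQ/PEAP" in msg:
            s.peap_rounds += 1
        elif m := TLS_SUITE_RE.search(msg):
            s.tls_suite = m["suite"]
        elif m := TLS_MISMATCH_RE.search(msg):
            s.tls_expected_id = m["ident"]
        elif m := TLS_ALERT_RE.search(msg):
            s.tls_alert = m["alert"]
        elif "received EAP_FAILURE" in msg:
            s.eap_failed = True
    return s


def diagnose(s: EapSummary) -> str:
    """One-line verdict; the client-side TLS rejection is reported when present."""
    if not s.eap_failed:
        return "EAP authentication did not fail"
    offered = ", ".join(s.methods) or "none recorded"
    if s.tls_expected_id is not None:
        return (f"EAP-PEAP inner TLS rejected by the client: server certificate does not "
                f"match expected identity {s.tls_expected_id!r} (alert {s.tls_alert!r}); "
                f"methods requested: {offered}")
    return f"EAP failed after methods {offered} with no TLS diagnostic"


# Excerpt of the charon-nm lines from the post (y.y.y.y is the gateway as redacted there).
SAMPLE_LOG = """
Apr 16 15:54:32 ubuntu-desktop charon-nm: 09[CFG] reached self-signed root ca with a path length of 2
Apr 16 15:54:32 ubuntu-desktop charon-nm: 09[IKE] authentication of 'CN=vpn.company.com' with RSA signature successful
Apr 16 15:54:32 ubuntu-desktop charon-nm: 09[IKE] server requested EAP_IDENTITY (id 0x1F), sending 'csherry'
Apr 16 15:54:32 ubuntu-desktop charon-nm: 01[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/PEAP ]
Apr 16 15:54:32 ubuntu-desktop charon-nm: 01[IKE] server requested EAP_PEAP authentication (id 0x20)
Apr 16 15:54:32 ubuntu-desktop charon-nm: 01[TLS] EAP_PEAP version is v0
Apr 16 15:54:32 ubuntu-desktop charon-nm: 13[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/PEAP ]
Apr 16 15:54:32 ubuntu-desktop charon-nm: 06[ENC] parsed IKE_AUTH response 7 [ EAP/REQ/PEAP ]
Apr 16 15:54:32 ubuntu-desktop charon-nm: 06[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Apr 16 15:54:32 ubuntu-desktop charon-nm: 06[TLS] server certificate does not match to 'CN=vpn.company.com'
Apr 16 15:54:32 ubuntu-desktop charon-nm: 06[TLS] sending fatal TLS alert 'access denied'
Apr 16 15:54:32 ubuntu-desktop charon-nm: 16[ENC] parsed IKE_AUTH response 8 [ EAP/FAIL ]
Apr 16 15:54:32 ubuntu-desktop charon-nm: 16[IKE] received EAP_FAILURE, EAP authentication failed
"""

if __name__ == "__main__":
    print(diagnose(summarize(SAMPLE_LOG.splitlines())))
```

Feed it `journalctl -u NetworkManager` output or a syslog file and the verdict line already says which EAP methods the gateway asked for and whether the client, not the server, tore the PEAP tunnel down; that is the distinction between "wrong password" and "the identity the client expects in the PEAP server certificate is not what the gateway presents", which the raw log only shows if you read all forty lines.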

