[strongSwan] Having Trouble with Macbook VPN Configuration
Ian McLauchlan
ianmac at miton.co.uk
Wed May 15 11:35:59 CEST 2019
Hi,
I have set up strongSwan successfully to allow IKEv2 access from a
Windows 10 client.
I also need to allow Macbook users native IKEv2 access, but I have run
into a problem. The Macbook attempts a connection, fails, and displays
'VPN Connection - An unexpected error occurred'. It is a bit cryptic;
there are no errors reported in the Macbook logs.
I am using IKEv2-EAP-MSCHAPv2 authentication. This works fine on the
Windows 10 client. So, it seems there is a discrepancy between the
Windows 10 and Mac configuration. I am having trouble pin-pointing it.
The VPN connects to a limited IP address range on my private LAN.
I have tried various ike/esp variations from advice pages. I have now,
for the purposes of testing the connection, allowed all; the link still
fails.
Here is my configuration:
Strongswan-miton:
CentOS release 6.10 (Final)
strongSwan swanctl 5.4.0
Macbook:
macOS Mojave Ver 10.14.4
*iptables*
Macbook is behind a NAT with a fixed IP address. Rule allows all from
the Macbook NAT.
*strongswan.conf*
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
}
libstrongswan {
plugins {
openssl {
fips_mode = 0
}
}
}
include strongswan.d/*.conf
*ipsec.conf*
config setup
# strictcrlpolicy=yes
# uniqueids = no
charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
conn %default
keyexchange=ikev2
# Test Config 1
# ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
# esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
# Test Config 2
# ike=aes256-aes192-aes128-3des-sha384-sha256-sha1-modp3072-modp2048-modp1536-modp1024!
# esp=aes256-aes192-aes128-3des-sha384-sha256-sha1!
# Test Config 3
# ike=aes256-sha1-modp1024,aes128-sha1-modp1024! # Win7 is aes256, sha-1, modp1024; iOS is aes256, sha-256, modp1024; OS X is 3DES, sha-1, modp1024
# esp=aes256-sha256,aes256-sha1,aes128-sha1! # Win 7 is aes256-sha1, iOS is aes256-sha256, OS X is 3des-sha1
# Test Config 4 - No restriction - Still failing
dpdaction=clear
dpddelay=300s
rekey=no
left=87.238.75.114
leftid=@miton-strongswan
leftsubnet=0.0.0.0/0
leftcert=mitondcVPNServerCert.der
right=%any
rightdns=192.168.100.3,192.168.100.4
rightsourceip=192.168.100.24/29
conn IPSec-IKEv2-EAP
rightauth=eap-mschapv2
rightsendcert=never
eap_identity=%any
auto=add
*ipsec.secrets*
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA mitondcVPNServerKey.der
abcdef : EAP "pppppppppppppppp"
Test traces:
*StrongSwan Server Tcpdump*
[root at miton-strongswan ~]# tcpdump -s 0 -n -i eth0 'esp or udp and (port 500 or port 4500)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
08:50:05.910826 IP 92.27.xxx.xxx.isakmp > 87.238.yyy.yyy.isakmp: isakmp: parent_sa ikev2_init[I]
08:50:05.982896 IP 87.238.yyy.yyy.isakmp > 92.27.xxx.xxxx.isakmp: isakmp: parent_sa ikev2_init[R]
08:50:06.016609 IP 92.27.xxx.xxx.ipsec-nat-t > 87.238.yyy.yyy.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
08:50:06.028581 IP 87.238.yyy.yyy.ipsec-nat-t > 92.27.xxx.xxx.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[R]
*StrongSwan Server Swanctl*
[root at miton-strongswan ~]# swanctl -T
04[NET] received packet: from 92.27.xxx.xxx[500] to 87.238.yyy.yyy[500] (604 bytes)
04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
04[IKE] 92.27.xxx.xxx is initiating an IKE_SA
04[IKE] remote host is behind NAT
04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
04[NET] sending packet: from 87.238.yyy.yyy[500] to 92.27.xxx.xxx[500] (440 bytes)
05[NET] received packet: from 92.27.xxx.xxx[4500] to 87.238.yyy.yyy[4500] (512 bytes)
05[ENC] unknown attribute type (25)
05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
05[CFG] looking for peer configs matching 87.238.yyy.yyy[miton2.miton.co.uk]...92.27.xxx.xxx[192.168.0.10]
05[CFG] selected peer config 'IPSec-IKEv2-EAP'
05[IKE] initiating EAP_IDENTITY method (id 0x00)
05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
05[IKE] peer supports MOBIKE
05[IKE] authentication of 'miton2.miton.co.uk' (myself) with RSA signature successful
05[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
05[NET] sending packet: from 87.238.yyy.yyy[4500] to 92.27.xxx.xxx[4500] (368 bytes)
04[JOB] deleting half open IKE_SA after timeout
*Tcpdump Macbook-Pro*
Ians-MacBook-Pro:~ ianmac$ sudo tcpdump -s 0 -n -i en0 'esp or udp and (port 500 or port 4500)'
Password:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:50:05.904121 IP 192.168.0.10.500 > 87.238.yyy.yyy.500: isakmp: parent_sa ikev2_init[I]
08:50:05.990893 IP 87.238.yyy.yyy.500 > 192.168.0.10.500: isakmp: parent_sa ikev2_init[R]
08:50:06.009888 IP 192.168.0.10.4500 > 87.238.yyy.yyy.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
08:50:06.036478 IP 87.238.yyy.yyy.4500 > 192.168.0.10.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
I think it looks like the Macbook is unhappy with the ikev2_auth[R]
response from the miton-strongswan server?
Can anyone give me any pointers?
Best regards,
Ian
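Added here as an illustration, not part of Ian's post or of strongSwan: a small Python script that walks the charon trace above and names the point at which the exchange stalled. It assumes the [ENC] line format shown in the post (the sample trace is copied from it, masked addresses included).

```python
import re

# Constructed sample: the charon trace quoted in the post above, reduced to
# the lines that drive the state machine (addresses are the masked values
# from the post, not real hosts).
SAMPLE_TRACE = """\
04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
04[IKE] remote host is behind NAT
04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
05[CFG] selected peer config 'IPSec-IKEv2-EAP'
05[IKE] initiating EAP_IDENTITY method (id 0x00)
05[IKE] authentication of 'miton2.miton.co.uk' (myself) with RSA signature successful
05[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
04[JOB] deleting half open IKE_SA after timeout
"""

# charon logs every IKE message it parses (inbound) or generates (outbound)
# on an [ENC] line carrying the exchange type, message id and payload list.
MSG_RE = re.compile(r"\[ENC\] (parsed|generating) (\w+) (request|response) (\d+) \[ (.*) \]")

def parse_exchanges(trace):
    """Return (direction, exchange, msg_id, payloads) for each IKE message."""
    msgs = []
    for line in trace.splitlines():
        m = MSG_RE.search(line)
        if m:
            direction = "in" if m.group(1) == "parsed" else "out"
            msgs.append((direction, m.group(2), int(m.group(4)), m.group(5).split()))
    return msgs

def diagnose(trace):
    """Describe where the handshake stopped; None when no half-open timeout was logged."""
    msgs = parse_exchanges(trace)
    timed_out = "deleting half open IKE_SA after timeout" in trace
    if not timed_out:
        return None
    if not msgs:
        return "SA timed out before any IKE message was parsed"
    direction, exchange, msg_id, payloads = msgs[-1]
    if direction == "out" and exchange == "IKE_AUTH" and "EAP/REQ/ID" in payloads:
        # The server answered IKE_AUTH with an EAP identity request and then
        # heard nothing more: the client gave up after seeing that response.
        return ("client never answered the EAP identity request in IKE_AUTH "
                "response %d; SA deleted half-open" % msg_id)
    return "SA timed out after %s %s %d [ %s ]" % (direction, exchange, msg_id, " ".join(payloads))
```

Run against the trace in the post it reports that the last message the server produced was the IKE_AUTH response carrying EAP/REQ/ID, which is what the tcpdump on both sides shows as the final packet before the timeout.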