[strongSwan] no IDr configured, fall back on IP address - revisit
lejeczek
peljasz at yahoo.co.uk
Tue Oct 29 19:18:18 CET 2019
hi everyone,
I asked about this a long time ago; it was not urgent and I put it off.
I have a relatively simple config, on the server:
conn to_NRR
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    #leftsubnet=0.0.0.0/0
    leftsubnet=10.5.8.0/24
    leftcert="NRR-vpn-clusterserver.cert.der"
    right=%any
    rightdns=10.5.8.204
    rightsourceip=10.5.8.220,10.5.8.221

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    #rightauth=eap-mschapv2
    #rightauthby2=pubkey
    rightauth=pubkey
    #rightauthby2=eap-mschapv2
    rightsendcert=never
    eap_identity=%any

conn CiscoIPSec
    keyexchange=ikev1
    forceencaps=yes
    authby=xauthrsasig
    xauth=server
    auto=add
and when the roadwarrior connects, the server log shows:
...
2[IKE] received cert request for "C=Shire, O=NRR, CN=private.private.tam.cos"
12[IKE] received 1 cert requests for an unknown ca
12[IKE] received end entity cert "C=Shire, O=NRR, CN=sucker@private.private.tam.cos"
12[CFG] looking for peer configs matching 192.168.2.202[%any]...10.4.4.21[C=Shire, O=NRR, CN=sucker@private.private.tam.cos]
12[CFG] candidate "IPSec-IKEv2", match: 1/1/28 (me/other/ike)
12[CFG] candidate "IPSec-IKEv2-EAP", match: 1/1/28 (me/other/ike)
12[CFG] selected peer config 'IPSec-IKEv2'
12[CFG] using certificate "C=Shire, O=NRR, CN=sucker@private.private.tam.cos"
12[CFG] certificate "C=Shire, O=NRR, CN=sucker@private.private.tam.cos" key: 2048 bit RSA
12[CFG] using trusted ca certificate "C=Shire, O=NRR, CN=private.private.tam.cos"
12[CFG] checking certificate status of "C=Shire, O=NRR, CN=sucker@private.private.tam.cos"
12[CFG] ocsp check skipped, no ocsp found
12[CFG] certificate status is not available
12[CFG] certificate "C=Shire, O=NRR, CN=private.private.tam.cos" key: 2048 bit RSA
12[CFG] reached self-signed root ca with a path length of 0
12[IKE] authentication of 'C=Shire, O=NRR, CN=sucker@private.private.tam.cos' with RSA_EMSA_PKCS1_SHA2_256 successful
12[IKE] processing INTERNAL_IP4_ADDRESS attribute
12[IKE] processing INTERNAL_IP4_DNS attribute
12[IKE] peer supports MOBIKE
12[IKE] got additional MOBIKE peer address: 10.0.16.6
12[IKE] got additional MOBIKE peer address: 10.5.10.49
12[CFG] no IDr configured, fall back on IP address
12[IKE] no private key found for '192.168.2.202'
12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
12[NET] sending packet: from 192.168.2.202[4500] to 10.4.4.21[4500] (80 bytes)
12[MGR] checkin and destroy IKE_SA IPSec-IKEv2[2]
12[IKE] IKE_SA IPSec-IKEv2[2] state change: CONNECTING => DESTROYING
03[NET] sending packet: from 192.168.2.202[4500] to 10.4.4.21[4500]
12[MGR] checkin and destroy of IKE_SA successful
07[MGR] checkout IKEv2 SA with SPIs a1791cef0af46d08_i f11cc222ffacd5bf_r
07[MGR] IKE_SA checkout not successful
and the roadwarrior's config is:
conn to_NRR
    leftsourceip=%config              # This will take an IP from the ip pool on server
    leftcert="sucker@openstack.der"   # The user cert we copied in
    leftfirewall=yes
    right=192.168.2.202               # The location of the host, FQDN or IP
    rightid="C=Shire, O=NRR, CN=*"    # the Altname used by the ipsec host
    rightsubnet=10.5.8.0/24           # the subnet on the server's side you want to access.
    auto=add
    #type=route
    type=passthrough
and the roadwarrior says:
initiating IKE_SA to_nrr[1] to 192.168.2.202
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.0.0.5[500] to 192.168.2.202[500] (1064 bytes)
received packet: from 192.168.2.202[500] to 10.0.0.5[500] (297 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
local host is behind NAT, sending keep alives
received cert request for "C=Shire, O=nrr, CN=private.private.tam.cos"
sending cert request for "C=shire, O=strongswan, CN=vpn"
sending cert request for "C=Shire, O=nrr, CN=private.private.tam.cos"
authentication of 'C=Shire, O=nrr, CN=sucker@private.private.tam.cos' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
sending end entity cert "C=Shire, O=nrr, CN=sucker@private.private.tam.cos"
establishing CHILD_SA to_nrr{1}
generating IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
splitting IKE message (1664 bytes) into 2 fragments
generating IKE_AUTH request 1 [ EF(1/2) ]
generating IKE_AUTH request 1 [ EF(2/2) ]
sending packet: from 10.0.0.5[4500] to 192.168.2.202[4500] (1236 bytes)
sending packet: from 10.0.0.5[4500] to 192.168.2.202[4500] (500 bytes)
received packet: from 192.168.2.202[4500] to 10.0.0.5[4500] (80 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'to_nrr' failed
That - 12[IKE] no private key found for '192.168.2.202' - is the IP of the server, so I presume the problem is somewhere there?
Certificates seem to load on both ends okay. Both ends are CentOS 7 with U5.7.2/K3.10.0-514.26.2.el7.x86_64.
Could this be some kind of bug, or have I gone blind (from tiredness)?
many thanks, L.
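The two log lines the question turns on belong together: strongSwan takes the responder's own identity from leftid, and when none is configured it substitutes the local address ("no IDr configured, fall back on IP address"); the following "no private key found for '192.168.2.202'" is the key lookup for that IP identity failing, because the server certificate was not issued for that address. As an added illustration (it is not the poster's file, nor code from the strongSwan project), the Python script below parses an ipsec.conf in the legacy format, resolves %default and also= inheritance, and flags every conn that presents a leftcert without a leftid. The sample configuration is constructed in the shape of the server config above; the %default section and the also="to_NRR" link are assumptions added to exercise inheritance, not the poster's settings.

```python
"""Lint an ipsec.conf for conn sections whose own identity is left implicit.

strongSwan takes the responder's identity from leftid.  With no leftid it
falls back to the left address, which for left=%any is whatever IP the
request arrived on; the private key lookup for that IP identity then fails
unless the certificate was issued with that IP as a subjectAltName.
"""
import re

# Constructed sample in the shape of the server config from the post.  The
# %default section and the also="to_NRR" link are assumptions added to
# exercise inheritance; they are not the poster's settings.
SAMPLE_IPSEC_CONF = """\
conn %default
    keyexchange=ikev2

conn to_NRR
    left=%any
    leftsubnet=10.5.8.0/24
    leftcert="NRR-vpn-clusterserver.cert.der"
    right=%any
    rightsourceip=10.5.8.220,10.5.8.221

conn IPSec-IKEv2
    also="to_NRR"
    auto=add

conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=pubkey
    rightsendcert=never
    eap_identity=%any
"""

SECTION_RE = re.compile(r"^(conn|ca|config)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every conn section.

    Only indented lines are parameters; a line at column 0 opens a section.
    That is why a paste that lost its indentation is not a valid ipsec.conf.
    Trailing '#' comments are dropped and surrounding quotes stripped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            # ca/config sections are skipped; only conn sections are linted
            current = sections.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
            continue
        if current is None or not raw[0].isspace() or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip().strip('"')
    return sections


def resolve(sections, name, _seen=frozenset()):
    """Effective parameters of one conn: %default first, then each also=
    target (recursively), then the section's own settings, which win."""
    if name in _seen:
        raise ValueError("also= cycle through %r" % name)
    own = sections[name]
    merged = dict(sections.get("%default", {}))
    if "also" in own:
        merged.update(resolve(sections, own["also"], _seen | {name}))
    merged.update((k, v) for k, v in own.items() if k != "also")
    return merged


def lint(text):
    """Return (conn, message) pairs for conns that present a certificate
    (leftcert) but never state which identity that certificate is for."""
    sections = parse_ipsec_conf(text)
    findings = []
    for name in sections:
        if name == "%default":
            continue
        eff = resolve(sections, name)
        if "leftcert" in eff and "leftid" not in eff:
            findings.append((name,
                "leftcert is set but leftid is not: if the initiator sends no IDr, "
                "the responder falls back to its address (left=%s) as identity and "
                "looks for a private key under that identity"
                % eff.get("left", "%any")))
    return findings


if __name__ == "__main__":
    for conn, message in lint(SAMPLE_IPSEC_CONF):
        print("%s: %s" % (conn, message))
```

Run it against a real /etc/ipsec.conf by passing the file contents to lint(); every conn it reports, including those that only inherit leftcert through also=, is one where the responder's identity depends on the initiator sending an IDr. Adding a leftid that matches the certificate's subject DN or one of its subjectAltNames (the value the roadwarrior would then put in rightid) removes the finding.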