[strongSwan] eap auth with 5.8 - how?
lejeczek
peljasz at yahoo.co.uk
Mon May 11 11:30:46 CEST 2020
On 11/05/2020 07:48, Andreas Steffen wrote:
> But I think the remote side is not configured
> for EAP-based client authentication or cannot
> find its private signature key so AUTHENTICATION
> FAILED ensues. Any chance of getting the remote log?
>
> Andreas
>
> On 11.05.20 08:45, Andreas Steffen wrote:
>> Hi,
>>
>> in the remote section you have to set
>>
>> auth = pubkey
>>
>> since the responder is using a certificate-based
>> authentication.
>>
>> Regards
>>
>> Andreas
>>
>> On 10.05.20 14:17, lejeczek wrote:
>>> hi guys
>>>
>>> I got my strongswan updated to 5.8 and I think I migrated my
>>> simple config correctly:
>>>
>>> connections {
>>>     camuni {
>>>         remote_addrs="remote.fqdn"   # The location of the host, FQDN or IP
>>>         vips="0.0.0.0"
>>>         send_cert="never"
>>>         local {
>>>             id="me at domain"
>>>             auth="eap"
>>>         }
>>>         remote {
>>>             certs="remote.fqdn.crt"
>>>             id="DNS:remote.fqdn"
>>>             auth="eap"
>>>         }
>>>         children {
>>>             camuni {
>>>                 remote_ts="172.16.0.0/12"
>>>                 mode="pass"
>>>                 start_action="start"
>>>             }
>>>         }
>>>     }
>>> }
>>> secrets {
>>>     eap {
>>>         secret="aSecret"
>>>         id="me at fqdn"
>>>     }
>>> }
>>>
>>> Yet still auth fails. I have no control over "remote.fqdn"
>>> but at my end I see:
>>> ...
>>> [IKE] initiating IKE_SA camuni[9] to xx.XX.zz.ZZ
>>> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>>> [NET] sending packet: from xx.XX.yy.YY[500] to xx.XX.zz.ZZ[500] (1400 bytes)
>>> [NET] received packet: from xx.XX.zz.ZZ[500] to xx.XX.yy.YY[500] (592 bytes)
>>> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
>>> [CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
>>> [IKE] remote host is behind NAT
>>> [IKE] sending cert request for "O=CA, CN=mydom.local"
>>> [IKE] sending cert request for "O=CA, CN=mydom.local"
>>> [IKE] establishing CHILD_SA camuni{9}
>>> [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
>>> [NET] sending packet: from xx.XX.yy.YY[4500] to xx.XX.zz.ZZ[4500] (432 bytes)
>>> [NET] received packet: from xx.XX.zz.ZZ[4500] to xx.XX.yy.YY[4500] (80 bytes)
>>> [ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>>> [IKE] received AUTHENTICATION_FAILED notify error
>>> initiate failed: establishing CHILD_SA 'camuni' failed
>>>
>>> If you have any suggestions or advice, I'll be grateful.
>>> Many thanks, L.
>>>
I'm afraid there is no chance of seeing what's happening on the remote.
All I know is that it should be "IKEv2 with RSA and EAP".
Just for the sake of clarity, below is the working 5.7 config:
conn MAC
    left=%any
    leftid="me at domain"
    leftauth=eap
    leftsourceip=%config
    leftfirewall=yes
    right="vpn.remote.fqdn"
    # rightid appears twice here, exactly as posted
    rightid="DNS:vpn.remote.fqdn"
    rightid=%any
    rightcert="/etc/strongswan/ipsec.d/certs/mac-vpn-server.crt"
    rightsubnet=172.16.0.0/12
    auto=start
There is, I guess, a bit more to how 5.7 and 5.8 differ.
Some "defaults" perhaps?
Changing the config in remote to:
auth = "pubkey"
still fails with:
...
May 11 10:23:51 swir.private.pawel charon-systemd[13223]: 12[IKE] received AUTHENTICATION_FAILED notify error
May 11 10:23:51 swir.private.pawel charon-systemd[13223]: parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
May 11 10:23:51 swir.private.pawel charon-systemd[13223]: 12[CHD] CHILD_SA amuni{2} state change: CREATED => DESTROYING
May 11 10:23:51 swir.private.pawel charon-systemd[13223]: received AUTHENTICATION_FAILED notify error
May 11 10:23:51 swir.private.pawel charon-systemd[13223]: 12[IKE] IKE_SA amuni[2] state change: CONNECTING => DESTROYING
ps. I'm on Centos 7.8
many thanks, L.
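For reference, here is a swanctl.conf translation of the working 5.7 ipsec.conf above that follows the advice given in this thread (client authenticates with EAP, server with its certificate, so remote.auth is pubkey). This is an added example, not the original poster's configuration or anything from the strongSwan project; the host names, identities, secret and file names are placeholders carried over from the thread, and the swanctl x509 directory and the _updown path are assumptions that vary by distribution. Two details of the posted 5.8 config are worth checking against it: `mode = pass` in the child is the swanctl equivalent of ipsec.conf `type=passthrough`, which the 5.7 config did not use, and a passthrough policy sends traffic to 172.16.0.0/12 in the clear rather than through the tunnel (the default mode is tunnel); and the EAP secret is looked up by the client's EAP identity, which defaults to local.id, so the secrets entry id should match it ("me at domain" here rather than "me at fqdn"). Neither explains an AUTHENTICATION_FAILED that arrives in the very first IKE_AUTH response, before EAP starts, which is why the responder's log is still what's needed.

```conf
# Added example: swanctl.conf for an "IKEv2 with RSA and EAP" client on
# strongSwan 5.8, derived from the 5.7 ipsec.conf in this thread.
# Names, paths and the secret are placeholders/assumptions, not the
# original poster's values.
connections {
    camuni {
        remote_addrs = vpn.remote.fqdn      # right=
        vips = 0.0.0.0                      # leftsourceip=%config
        send_cert = never                   # the client has no certificate, only an EAP secret
        local {
            id = "me at domain"              # leftid=
            auth = eap                      # leftauth=eap
            eap_id = "me at domain"          # defaults to id; the secrets entry below is found by this
        }
        remote {
            id = "DNS:vpn.remote.fqdn"      # rightid=; must match a subjectAltName of the server cert
            auth = pubkey                   # rightauth (pubkey is the ipsec.conf default)
            certs = mac-vpn-server.crt      # rightcert=; file name relative to the swanctl x509 dir
                                            # (assumed /etc/strongswan/swanctl/x509 on CentOS)
        }
        children {
            camuni {
                remote_ts = 172.16.0.0/12   # rightsubnet=
                start_action = start        # auto=start
                # mode is left at its default (tunnel); "mode = pass" would install a
                # passthrough policy and bypass IPsec for this traffic
                updown = /usr/libexec/strongswan/_updown iptables   # leftfirewall=yes (path assumed)
            }
        }
    }
}

secrets {
    eap-camuni {
        id = "me at domain"      # must equal local.eap_id (or local.id when eap_id is unset)
        secret = aSecret
    }
}
```

After installing the file and the server certificate, `swanctl --load-all` loads both, `swanctl --list-certs` shows whether the pinned certificate was found, and `swanctl --initiate --child camuni` starts the connection. Before initiating, it pays to confirm that the certificate actually carries vpn.remote.fqdn as a DNS subjectAltName (`openssl x509 -in mac-vpn-server.crt -noout -text | grep -A1 "Subject Alternative Name"`), since with `id = "DNS:vpn.remote.fqdn"` the responder's IDr must match it; setting `id = %any` as the 5.7 config ended up doing relaxes that check and relies on the pinned certificate alone.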