[strongSwan] Strongswan IKEv2 certificates - "user authentication failed" ????

pLAN9 Administrator admin at pLAN9.co
Sun Apr 25 05:33:29 CEST 2021 

I am trying to set up Strongswan to act as a remote access server for an 
iPhone using IKEv2 certificate auth. It is a major headache!

I have made sure to set the SAN in both the server and phone 
certificate. Here is the the server SAN:

/        X509v3 extensions:
             X509v3 Subject Alternative Name:
                 DNS:echo.pLAN9.co
             X509v3 Extended Key Usage:
                 TLS Web Server Authentication, TLS Web Client 
Authentication/

Here is the phone SAN:

/        X509v3 extensions:
             X509v3 Subject Alternative Name:
                 DNS:pLAN9-iPhone.pLAN9.co
             X509v3 Extended Key Usage:
                 TLS Web Server Authentication, TLS Web Client 
Authentication/

Here is /etc/swanctl/swanctl.conf

/connections {
         RA {
                 local_addrs = %any
                 local {
                         auth = pubkey
                         certs = ECHO.crt
                         id = @echo.pLAN9.co
                 }
                 remote {
                         auth = pubkey
                         id = %any
                 }
                 children {
                         net {
                                 local_ts = 0.0.0.0/0
                         esp_proposals = aes256-sha256
                         }
                 }
                 version = 2
                 proposals = aes256-sha256-modp2048
                 send_certreq = no
                 pools = pool
         }
}
pools {
                 pool {
                         addrs = 172.16.16.64/29
                         dns = 172.16.16.1
                 }
         }/


Here is the output of a connection:


/01[NET] received packet: from IPHONE_IP[9975] to STRONGSWAN_IP[500] 
(604 bytes)//
//01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) 
N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]//
//01[IKE] IPHONE_IP is initiating an IKE_SA//
//01[CFG] selected proposal: 
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048//
//01[IKE] remote host is behind NAT//
//01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) 
N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]//
//01[NET] sending packet: from STRONGSWAN_IP[500] to IPHONE_IP[9975] 
(456 bytes)//
//10[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] 
(532 bytes)//
//10[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]//
//13[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] 
(532 bytes)//
//10[ENC] received fragment #1 of 4, waiting for complete IKE message//
//13[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]//
//13[ENC] received fragment #2 of 4, waiting for complete IKE message//
//14[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] 
(532 bytes)//
//14[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]//
//01[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] 
(180 bytes)//
//14[ENC] received fragment #3 of 4, waiting for complete IKE message//
//01[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]//
//01[ENC] received fragment #4 of 4, reassembled fragmented IKE message 
(1552 bytes)//
//01[ENC] unknown attribute type INTERNAL_DNS_DOMAIN//
//01[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH 
CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) 
N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]//
//01[IKE] received end entity cert "CN=pLAN9-iPhone"//
//01[CFG] looking for peer configs matching 
STRONGSWAN_IP[echo.plan9.co]...IPHONE_IP[pLAn9-iPhone.pLAN9.co]//
//01[CFG] selected peer config 'RA'//
//01[CFG]   using certificate "CN=pLAN9-iPhone"//
//01[CFG]   using trusted ca certificate "CN=pLAN9 CA 2019-2021"//
//01[CFG] checking certificate status of "CN=pLAN9-iPhone"//
//01[CFG] certificate status is not available//
//01[CFG]   reached self-signed root ca with a path length of 0//
//01[IKE] authentication of 'pLAn9-iPhone.pLAN9.co' with RSA signature 
successful//
//01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC 
padding//
//01[IKE] peer supports MOBIKE//
//01[IKE] authentication of 'echo.plan9.co' (myself) with RSA signature 
successful//
//01[IKE] IKE_SA RA[2] established between 
STRONGSWAN_IP[echo.plan9.co]...IPHONE_IP[pLAn9-iPhone.pLAN9.co]//
//01[IKE] scheduling rekeying in 13941s//
//01[IKE] maximum IKE_SA lifetime 15381s//
//01[IKE] peer requested virtual IP %any//
//01[CFG] assigning new lease to 'pLAn9-iPhone.pLAN9.co'//
//01[IKE] assigning virtual IP 172.16.16.65 to peer 
'pLAn9-iPhone.pLAN9.co'//
//01[IKE] peer requested virtual IP %any6//
//01[IKE] no virtual IP found for %any6 requested by 
'pLAn9-iPhone.pLAN9.co'//
//01[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ//
//01[IKE] CHILD_SA net{4} established with SPIs cc4e7aea_i 0358690a_o 
and TS 0.0.0.0/0 === 172.16.16.65/32//
//01[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR DNS) SA 
TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]//
//01[NET] sending packet: from STRONGSWAN_IP[4500] to IPHONE_IP[9959] 
(544 bytes)/

/
/

Strongswan looks like it is connecting fine, but the phone reports the 
error "User Authentication Failed" and doesn't connect. The phone is 
using the same certificate to connect to a number of other routers (not 
Strongswan based) that all have certificates signed by the same CA, and 
those are all working fine.


What am I doing wrong here?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20210424/d14b850f/attachment.html>

More information about the Users mailing list