[strongSwan] Strongswan IKEv2 certificates - "user authentication failed" ????

Jafar Al-Gharaibeh jafar at atcorp.com
Mon Apr 26 17:20:58 CEST 2021


Try the following for "remote":

                remote {
                        auth = eap-tls
                        eap_id = %any
                }

--Jafar


On 4/24/21 10:33 PM, pLAN9 Administrator wrote:
>
> I am trying to set up Strongswan to act as a remote access server for
> an iPhone using IKEv2 certificate auth. It is a major headache!
>
> I have made sure to set the SAN in both the server and phone
> certificate. Here is the server SAN:
>
>         X509v3 extensions:
>             X509v3 Subject Alternative Name:
>                 DNS:echo.pLAN9.co
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication
>
> Here is the phone SAN:
>
>         X509v3 extensions:
>             X509v3 Subject Alternative Name:
>                 DNS:pLAN9-iPhone.pLAN9.co
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication
>
> Here is /etc/swanctl/swanctl.conf
>
> connections {
>         RA {
>                 local_addrs = %any
>                 local {
>                         auth = pubkey
>                         certs = ECHO.crt
>                         id = @echo.pLAN9.co
>                 }
>                 remote {
>                         auth = pubkey
>                         id = %any
>                 }
>                 children {
>                         net {
>                                 local_ts = 0.0.0.0/0
>                                 esp_proposals = aes256-sha256
>                         }
>                 }
>                 version = 2
>                 proposals = aes256-sha256-modp2048
>                 send_certreq = no
>                 pools = pool
>         }
> }
> pools {
>         pool {
>                 addrs = 172.16.16.64/29
>                 dns = 172.16.16.1
>         }
> }
>
>
> Here is the output of a connection:
>
>
> 01[NET] received packet: from IPHONE_IP[9975] to STRONGSWAN_IP[500] (604 bytes)
> 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> 01[IKE] IPHONE_IP is initiating an IKE_SA
> 01[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> 01[IKE] remote host is behind NAT
> 01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
> 01[NET] sending packet: from STRONGSWAN_IP[500] to IPHONE_IP[9975] (456 bytes)
> 10[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (532 bytes)
> 10[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
> 13[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (532 bytes)
> 10[ENC] received fragment #1 of 4, waiting for complete IKE message
> 13[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
> 13[ENC] received fragment #2 of 4, waiting for complete IKE message
> 14[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (532 bytes)
> 14[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
> 01[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (180 bytes)
> 14[ENC] received fragment #3 of 4, waiting for complete IKE message
> 01[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
> 01[ENC] received fragment #4 of 4, reassembled fragmented IKE message (1552 bytes)
> 01[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
> 01[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
> 01[IKE] received end entity cert "CN=pLAN9-iPhone"
> 01[CFG] looking for peer configs matching STRONGSWAN_IP[echo.plan9.co]...IPHONE_IP[pLAn9-iPhone.pLAN9.co]
> 01[CFG] selected peer config 'RA'
> 01[CFG]   using certificate "CN=pLAN9-iPhone"
> 01[CFG]   using trusted ca certificate "CN=pLAN9 CA 2019-2021"
> 01[CFG] checking certificate status of "CN=pLAN9-iPhone"
> 01[CFG] certificate status is not available
> 01[CFG]   reached self-signed root ca with a path length of 0
> 01[IKE] authentication of 'pLAn9-iPhone.pLAN9.co' with RSA signature successful
> 01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> 01[IKE] peer supports MOBIKE
> 01[IKE] authentication of 'echo.plan9.co' (myself) with RSA signature successful
> 01[IKE] IKE_SA RA[2] established between STRONGSWAN_IP[echo.plan9.co]...IPHONE_IP[pLAn9-iPhone.pLAN9.co]
> 01[IKE] scheduling rekeying in 13941s
> 01[IKE] maximum IKE_SA lifetime 15381s
> 01[IKE] peer requested virtual IP %any
> 01[CFG] assigning new lease to 'pLAn9-iPhone.pLAN9.co'
> 01[IKE] assigning virtual IP 172.16.16.65 to peer 'pLAn9-iPhone.pLAN9.co'
> 01[IKE] peer requested virtual IP %any6
> 01[IKE] no virtual IP found for %any6 requested by 'pLAn9-iPhone.pLAN9.co'
> 01[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
> 01[IKE] CHILD_SA net{4} established with SPIs cc4e7aea_i 0358690a_o and TS 0.0.0.0/0 === 172.16.16.65/32
> 01[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
> 01[NET] sending packet: from STRONGSWAN_IP[4500] to IPHONE_IP[9959] (544 bytes)
>
>
> Strongswan looks like it is connecting fine, but the phone reports the
> error "User Authentication Failed" and doesn't connect. The phone is
> using the same certificate to connect to a number of other routers
> (not Strongswan based) that all have certificates signed by the same
> CA, and those are all working fine.
>
>
> What am I doing wrong here?
>
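Jafar's suggestion applied to the poster's full swanctl.conf, as an added example and not a file from the thread: it assumes the phone's IKEv2 profile does certificate authentication through EAP-TLS (which is what the suggestion implies) and that charon has the eap-tls plugin loaded; only the remote block changes, the server still authenticates with its own certificate.

```conf
connections {
        RA {
                local_addrs = %any
                version = 2
                proposals = aes256-sha256-modp2048
                send_certreq = no
                pools = pool
                local {
                        # the server side is unchanged: it proves itself
                        # with ECHO.crt and the identity from its SAN
                        auth = pubkey
                        certs = ECHO.crt
                        id = @echo.pLAN9.co
                }
                remote {
                        # was: auth = pubkey / id = %any
                        # the phone's certificate is now verified inside the
                        # EAP-TLS exchange; the CA that signed it must still
                        # be trusted by charon, and with eap_id = %any the
                        # IKE identity (IDi) is used as the EAP identity
                        auth = eap-tls
                        eap_id = %any
                }
                children {
                        net {
                                local_ts = 0.0.0.0/0
                                esp_proposals = aes256-sha256
                        }
                }
        }
}
pools {
        pool {
                addrs = 172.16.16.64/29
                dns = 172.16.16.1
        }
}
```

After `swanctl --load-all`, `swanctl --list-conns` should show the remote side using EAP_TLS authentication; if charon does not list eap-tls among its loaded plugins in `swanctl --stats`, the IKE_AUTH exchange fails because no EAP method is available.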