[strongSwan] Strongswan IKEv2 certificates - "user authentication failed" ????
bls s
bls3427 at outlook.com
Mon Apr 26 21:01:00 CEST 2021
I use nearly the same. Here’s the complete connection definition for iOS as generated by my pistrong strongSwan management tool:
ios-pubkey-ikev2 {
    version = 2
    proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,aes128-sha1-modp1536,aes128-sha256-modp1536,aes128-sha256-modp2048,default
    rekey_time = 0s
    pools = primary-pool-ipv4
    fragmentation = no
    dpd_delay = 30s
    send_cert = always
    local-1 {
        auth = pubkey
        cacerts = strongSwanCACert.pem
        certs = ios-strongSwanVPNCert.pem
        id = ios.crystix.com
    }
    remote-1 {
        auth = eap-tls
        id = %any
    }
    children {
        net-ios {
            local_ts = 0.0.0.0/0
            rekey_time = 0s
            dpd_action = clear
            esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,aes128-sha1-modp1536,aes128-sha256-modp1536,aes128-sha256-modp2048,default
        }
    }
}
pools {
    primary-pool-ipv4 {
        addrs = 10.92.10.0/24
        dns = 192.168.92.3
    }
}
From: Users <users-bounces at lists.strongswan.org> On Behalf Of Jafar Al-Gharaibeh
Sent: Monday, April 26, 2021 8:21 AM
To: pLAN9 Administrator <admin at pLAN9.co>; users at lists.strongswan.org
Subject: Re: [strongSwan] Strongswan IKEv2 certificates - "user authentication failed" ????
Try the following for "remote":
remote {
    auth = eap-tls
    eap_id = %any
}
--Jafar
On 4/24/21 10:33 PM, pLAN9 Administrator wrote:
I am trying to set up Strongswan to act as a remote access server for an iPhone using IKEv2 certificate auth. It is a major headache!
I have made sure to set the SAN in both the server and phone certificate. Here is the server SAN:
X509v3 extensions:
    X509v3 Subject Alternative Name:
        DNS:echo.pLAN9.co
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
Here is the phone SAN:
X509v3 extensions:
    X509v3 Subject Alternative Name:
        DNS:pLAN9-iPhone.pLAN9.co
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
Here is /etc/swanctl/swanctl.conf
connections {
    RA {
        local_addrs = %any
        local {
            auth = pubkey
            certs = ECHO.crt
            id = @echo.pLAN9.co
        }
        remote {
            auth = pubkey
            id = %any
        }
        children {
            net {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256-sha256
            }
        }
        version = 2
        proposals = aes256-sha256-modp2048
        send_certreq = no
        pools = pool
    }
}
pools {
    pool {
        addrs = 172.16.16.64/29
        dns = 172.16.16.1
    }
}
Here is the output of a connection:
01[NET] received packet: from IPHONE_IP[9975] to STRONGSWAN_IP[500] (604 bytes)
01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
01[IKE] IPHONE_IP is initiating an IKE_SA
01[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
01[IKE] remote host is behind NAT
01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
01[NET] sending packet: from STRONGSWAN_IP[500] to IPHONE_IP[9975] (456 bytes)
10[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (532 bytes)
10[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
13[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (532 bytes)
10[ENC] received fragment #1 of 4, waiting for complete IKE message
13[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
13[ENC] received fragment #2 of 4, waiting for complete IKE message
14[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (532 bytes)
14[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
01[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (180 bytes)
14[ENC] received fragment #3 of 4, waiting for complete IKE message
01[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
01[ENC] received fragment #4 of 4, reassembled fragmented IKE message (1552 bytes)
01[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
01[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
01[IKE] received end entity cert "CN=pLAN9-iPhone"
01[CFG] looking for peer configs matching STRONGSWAN_IP[echo.plan9.co]...IPHONE_IP[pLAn9-iPhone.pLAN9.co]
01[CFG] selected peer config 'RA'
01[CFG] using certificate "CN=pLAN9-iPhone"
01[CFG] using trusted ca certificate "CN=pLAN9 CA 2019-2021"
01[CFG] checking certificate status of "CN=pLAN9-iPhone"
01[CFG] certificate status is not available
01[CFG] reached self-signed root ca with a path length of 0
01[IKE] authentication of 'pLAn9-iPhone.pLAN9.co' with RSA signature successful
01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
01[IKE] peer supports MOBIKE
01[IKE] authentication of 'echo.plan9.co' (myself) with RSA signature successful
01[IKE] IKE_SA RA[2] established between STRONGSWAN_IP[echo.plan9.co]...IPHONE_IP[pLAn9-iPhone.pLAN9.co]
01[IKE] scheduling rekeying in 13941s
01[IKE] maximum IKE_SA lifetime 15381s
01[IKE] peer requested virtual IP %any
01[CFG] assigning new lease to 'pLAn9-iPhone.pLAN9.co'
01[IKE] assigning virtual IP 172.16.16.65 to peer 'pLAn9-iPhone.pLAN9.co'
01[IKE] peer requested virtual IP %any6
01[IKE] no virtual IP found for %any6 requested by 'pLAn9-iPhone.pLAN9.co'
01[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
01[IKE] CHILD_SA net{4} established with SPIs cc4e7aea_i 0358690a_o and TS 0.0.0.0/0 === 172.16.16.65/32
01[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
01[NET] sending packet: from STRONGSWAN_IP[4500] to IPHONE_IP[9959] (544 bytes)
Strongswan looks like it is connecting fine, but the phone reports the error "User Authentication Failed" and doesn't connect. The phone is using the same certificate to connect to a number of other routers (not Strongswan based) that all have certificates signed by the same CA, and those are all working fine.
What am I doing wrong here?
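The checks this thread turns on (does the server's local id match a DNS SAN of its certificate, is an eap-tls remote section missing eap_id, does pubkey with id = %any accept any cert from the trusted CA, and are there legacy DH groups or a disabled rekey) can be automated. The script below is an added example written for this page; it is not code from the thread, from pistrong, or from the strongSwan project. It parses the brace/key = value syntax of swanctl.conf and the SAN line of `openssl x509 -text` output with small hand-written parsers (real deployments should use the swanctl tooling itself). The sample inputs are the original poster's connection and server SAN from this thread, abridged, plus one constructed config (`BAD_CONF`, with the hypothetical id `vpn.example.test`) that trips the remaining rules.

```python
# Added example (not from this thread or the strongSwan project): lint a swanctl.conf
# against the server cert's SANs and the points raised in the thread. Sample inputs:
# the original poster's connection and server SAN (abridged, from the thread) and
# one constructed config (BAD_CONF) marked as such.
import re

SAN_ENTRY = re.compile(r"(DNS|IP Address|email|URI):([^,\s]+)")
WEAK_ALGS = ("modp768", "modp1024", "md5", "3des")

def parse_swanctl(text):
    """Parse swanctl.conf syntax ('section { key = value }') into nested dicts."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.endswith("{"):  # open a nested section
            cur[line[:-1].strip()] = section = {}
            stack.append(cur)
            cur = section
        elif line == "}":  # close the current section
            if not stack:
                raise ValueError("unbalanced '}'")
            cur = stack.pop()
        elif "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            cur[key] = val
        elif line:
            raise ValueError(f"cannot parse line: {raw!r}")
    return root

def parse_san(x509_text):
    """Return [(type, value), ...] from the SAN line of `openssl x509 -text` output."""
    m = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", x509_text)
    return SAN_ENTRY.findall(m.group(1)) if m else []

def _leaves(section, path):
    # yield (path, value) for every key = value below a section, depth first
    for key, val in section.items():
        if isinstance(val, dict):
            yield from _leaves(val, f"{path}/{key}")
        else:
            yield f"{path}/{key}", val

def lint(conf, server_sans):
    """Return human-readable findings for every connection in the config."""
    findings = []
    dns_sans = {v.lower() for kind, v in server_sans if kind == "DNS"}
    for cname, conn in conf.get("connections", {}).items():
        for sname, sec in ((k, v) for k, v in conn.items() if isinstance(v, dict)):
            if sname.startswith("local"):
                ident = sec.get("id", "").lstrip("@")
                # an FQDN-style IDr is what the client checks against the server cert's DNS SANs
                if re.fullmatch(r"[\w.-]*[A-Za-z][\w.-]*", ident) and ident.lower() not in dns_sans:
                    findings.append(f"{cname}/{sname}: id '{sec['id']}' is not a DNS SAN of the server cert {sorted(dns_sans)}")
            elif sname.startswith("remote"):
                auth = sec.get("auth", "pubkey")
                if auth.startswith("eap") and "eap_id" not in sec:
                    findings.append(f"{cname}/{sname}: auth = {auth} without eap_id (the thread suggests eap_id = %any)")
                if auth == "pubkey" and sec.get("id", "%any") == "%any":
                    findings.append(f"{cname}/{sname}: pubkey with id = %any matches any peer cert chaining to a trusted CA")
        for path, val in _leaves(conn, cname):
            if path.endswith("proposals"):
                findings += [f"{path}: weak proposal '{p}'" for p in val.split(",") if any(w in p for w in WEAK_ALGS)]
            elif path.endswith("rekey_time") and re.fullmatch(r"0[smhd]?", val):
                findings.append(f"{path}: rekey_time = 0 disables rekeying")
    return findings

OP_CONF = """\
connections {
    RA {
        local {
            id = @echo.pLAN9.co
        }
        remote {
            auth = pubkey
            id = %any
        }
    }
}
"""
OP_SERVER_SAN = """\
    X509v3 Subject Alternative Name:
        DNS:echo.pLAN9.co
"""
BAD_CONF = """\
connections {
    ios {
        proposals = aes256-sha1-modp1024,aes256-sha256-modp2048
        rekey_time = 0s
        local {
            id = vpn.example.test  # hypothetical name, deliberately absent from the SAN above
        }
        remote {
            auth = eap-tls
        }
    }
}
"""

if __name__ == "__main__":  # print the findings for both sample configs
    for text in (OP_CONF, BAD_CONF):
        print(*lint(parse_swanctl(text), parse_san(OP_SERVER_SAN)), sep="\n")
```

Run against the original poster's abridged config it reports only the `id = %any` note, which is consistent with the log above: the server side matched and authenticated the phone, so the failure the phone reports has to be looked for on the client's view of the server (its IDr and certificate), not in the server's acceptance of the client. The constructed config shows the other four findings.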