[strongSwan] Strongswan IKEv2 certificates - "user authentication failed" ????

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Apr 26 21:10:05 CEST 2021


Set connections.<conn>.send_cert=yes

Exactly as shown in the generated conn. It's not present in the faulty configuration.


Am 26.04.21 um 21:01 schrieb bls s:
> I use nearly the same. Here’s the complete connection definition for iOS as generated by my pistrong strongSwan management tool:
> 
>     ios-pubkey-ikev2 {
>         version = 2
>         proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,aes128-sha1-modp1536,aes128-sha256-modp1536,aes128-sha256-modp2048,default
>         rekey_time = 0s
>         pools = primary-pool-ipv4
>         fragmentation = no
>         dpd_delay = 30s
>         send_cert = always
>         local-1 {
>             auth = pubkey
>             cacerts = strongSwanCACert.pem
>             certs = ios-strongSwanVPNCert.pem
>             id = ios.crystix.com
>         }
>         remote-1 {
>             auth = eap-tls
>             id = %any
>         }
>         children {
>             net-ios {
>                 local_ts = 0.0.0.0/0
>                 rekey_time = 0s
>                 dpd_action = clear
>                 esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,aes128-sha1-modp1536,aes128-sha256-modp1536,aes128-sha256-modp2048,default
>             }
>         }
>     }
>     primary-pool-ipv4 {
>         addrs = 10.92.10.0/24
>         dns = 192.168.92.3
>     }
> }
> 
> *From:* Users <users-bounces at lists.strongswan.org> *On Behalf Of *Jafar Al-Gharaibeh
> *Sent:* Monday, April 26, 2021 8:21 AM
> *To:* pLAN9 Administrator <admin at pLAN9.co>; users at lists.strongswan.org
> *Subject:* Re: [strongSwan] Strongswan IKEv2 certificates - "user authentication failed" ????
> 
> Try the following for "remote":
> 
>                 remote {
>                         auth = eap-tls
>                         eap_id = %any
>                 }
> 
> --Jafar
> 
> On 4/24/21 10:33 PM, pLAN9 Administrator wrote:
> 
>     I am trying to set up Strongswan to act as a remote access  server for an iPhone using IKEv2 certificate auth. It is a major headache!
> 
>     I have made sure to set the SAN in both the server and phone certificate. Here is the the server SAN:
> 
>         X509v3 extensions:
>             X509v3 Subject Alternative Name:
>                 DNS:echo.pLAN9.co
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication
> 
>     Here is the phone SAN:
> 
>         X509v3 extensions:
>             X509v3 Subject Alternative Name:
>                 DNS:pLAN9-iPhone.pLAN9.co
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication
> 
>     Here is /etc/swanctl/swanctl.conf
> 
>     connections {
>         RA {
>             local_addrs = %any
>             local {
>                 auth = pubkey
>                 certs = ECHO.crt
>                 id = @echo.pLAN9.co
>             }
>             remote {
>                 auth = pubkey
>                 id = %any
>             }
>             children {
>                 net {
>                     local_ts = 0.0.0.0/0
>                     esp_proposals = aes256-sha256
>                 }
>             }
>             version = 2
>             proposals = aes256-sha256-modp2048
>             send_certreq = no
>             pools = pool
>         }
>     }
>     pools {
>         pool {
>             addrs = 172.16.16.64/29
>             dns = 172.16.16.1
>         }
>     }
> 
>     Here is the output of a connection:
> 
>     01[NET] received packet: from IPHONE_IP[9975] to STRONGSWAN_IP[500] (604 bytes)
>     01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>     01[IKE] IPHONE_IP is initiating an IKE_SA
>     01[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>     01[IKE] remote host is behind NAT
>     01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
>     01[NET] sending packet: from STRONGSWAN_IP[500] to IPHONE_IP[9975] (456 bytes)
>     10[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (532 bytes)
>     10[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
>     13[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (532 bytes)
>     10[ENC] received fragment #1 of 4, waiting for complete IKE message
>     13[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
>     13[ENC] received fragment #2 of 4, waiting for complete IKE message
>     14[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (532 bytes)
>     14[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
>     01[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (180 bytes)
>     14[ENC] received fragment #3 of 4, waiting for complete IKE message
>     01[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
>     01[ENC] received fragment #4 of 4, reassembled fragmented IKE message (1552 bytes)
>     01[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
>     01[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
>     01[IKE] received end entity cert "CN=pLAN9-iPhone"
>     01[CFG] looking for peer configs matching STRONGSWAN_IP[echo.plan9.co]...IPHONE_IP[pLAn9-iPhone.pLAN9.co]
>     01[CFG] selected peer config 'RA'
>     01[CFG]   using certificate "CN=pLAN9-iPhone"
>     01[CFG]   using trusted ca certificate "CN=pLAN9 CA 2019-2021"
>     01[CFG] checking certificate status of "CN=pLAN9-iPhone"
>     01[CFG] certificate status is not available
>     01[CFG]   reached self-signed root ca with a path length of 0
>     01[IKE] authentication of 'pLAn9-iPhone.pLAN9.co' with RSA signature successful
>     01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>     01[IKE] peer supports MOBIKE
>     01[IKE] authentication of 'echo.plan9.co' (myself) with RSA signature successful
>     01[IKE] IKE_SA RA[2] established between STRONGSWAN_IP[echo.plan9.co]...IPHONE_IP[pLAn9-iPhone.pLAN9.co]
>     01[IKE] scheduling rekeying in 13941s
>     01[IKE] maximum IKE_SA lifetime 15381s
>     01[IKE] peer requested virtual IP %any
>     01[CFG] assigning new lease to 'pLAn9-iPhone.pLAN9.co'
>     01[IKE] assigning virtual IP 172.16.16.65 to peer 'pLAn9-iPhone.pLAN9.co'
>     01[IKE] peer requested virtual IP %any6
>     01[IKE] no virtual IP found for %any6 requested by 'pLAn9-iPhone.pLAN9.co'
>     01[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
>     01[IKE] CHILD_SA net{4} established with SPIs cc4e7aea_i 0358690a_o and TS 0.0.0.0/0 === 172.16.16.65/32
>     01[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
>     01[NET] sending packet: from STRONGSWAN_IP[4500] to IPHONE_IP[9959] (544 bytes)
> 
>     Strongswan looks like it is connecting fine, but the phone reports the error "User Authentication Failed" and doesn't connect. The phone is using the same certificate to connect to a number of other routers (not Strongswan based) that all have certificates signed by the same CA, and those are all working fine.
> 
>     What am I doing wrong here?
> 

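As an added example (not code from the thread or from the strongSwan project), a small check that parses a swanctl.conf and lists pubkey connections that do not set send_cert = always; in the log quoted above the IKE_AUTH response carries no CERT payload, which is exactly what that setting changes. The parser covers only the key = value / section { } subset of the syntax, and the sample config is constructed from the RA connection posted in the thread.

```python
# Added example (not from the thread): parse a swanctl.conf and flag pubkey
# connections that leave out send_cert = always, the setting identified above.

def parse_swanctl(text):
    """Parse the key = value / section { } subset of swanctl.conf syntax."""
    root, stack = {}, []
    current = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):                 # open a (possibly nested) section
            stack.append(current)
            current = current.setdefault(line[:-1].strip(), {})
        elif line == "}":                      # close the current section
            current = stack.pop()
        elif "=" in line:                      # key = value
            key, value = (p.strip() for p in line.split("=", 1))
            current[key] = value
    if stack:
        raise ValueError("unbalanced braces in config")
    return root

def find_missing_send_cert(config):
    """Names of connections whose local side uses auth = pubkey but whose
    send_cert is not 'always' (default ifasked sends nothing without a CERTREQ)."""
    findings = []
    for name, conn in config.get("connections", {}).items():
        pubkey = any(isinstance(sec, dict) and sec.get("auth") == "pubkey"
                     for key, sec in conn.items()
                     if key == "local" or key.startswith("local-"))
        if pubkey and conn.get("send_cert") != "always":
            findings.append(name)
    return findings

# Constructed sample modelled on the RA connection posted in the thread.
SAMPLE = """connections {
    RA {
        local {
            auth = pubkey
            id = @echo.pLAN9.co
        }
        version = 2
        send_certreq = no
    }
}
"""
```

Running `find_missing_send_cert(parse_swanctl(SAMPLE))` on the sample reports `RA`; adding `send_cert = always` to that connection clears the finding.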