[strongSwan] MacOS Cert authentication failing

G J bls3427 at outlook.com
Wed Jul 6 05:09:05 CEST 2022


I'm having a problem getting macOS working with strongSwan, and would greatly appreciate assistance.

The exact same Certs work fine when installed on an iOS client, so the Certs aren't obviously broken, and the .conf works fine for iOS as well. The swanctl.conf snippet, Certs, and log snippet from working iOS connection follow.

The error in the system log shows near the very end of authenticating the connection:

Jul 05 12:09:42 pvn charon-systemd[39509]: received fragment #2 of 2, reassembled fragmented IKE message (960 bytes)
Jul 05 12:09:42 pvn charon-systemd[39509]: parsed IKE_AUTH request 7 [ EAP/RES/TLS ]
Jul 05 12:09:42 pvn charon-systemd[39509]: received TLS peer certificate 'C=US, O=pvn-strongSwan, CN=len-mac-pvn at myvpn.net'
Jul 05 12:09:42 pvn charon-systemd[39509]: received TLS intermediate certificate 'C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA'
Jul 05 12:09:42 pvn charon-systemd[39509]: no trusted certificate found for 'len-mac-pvn at mypvn.net' to verify TLS peer
Jul 05 12:09:42 pvn charon-systemd[39509]: sending fatal TLS alert 'certificate unknown'
Jul 05 12:09:42 pvn charon-systemd[39509]: generating IKE_AUTH response 7 [ EAP/REQ/TLS ]
Jul 05 12:09:42 pvn charon-systemd[39509]: sending packet: from 192.168.92.5[4500] to ex.te.rn.al[4500] (96 bytes)
Jul 05 12:09:42 pvn charon-systemd[39509]: received packet: from ex.te.rn.al[4500] to 192.168.92.5[4500] (144 bytes)
Jul 05 12:09:42 pvn charon-systemd[39509]: parsed IKE_AUTH request 8 [ EAP/RES/TLS ]
Jul 05 12:09:42 pvn charon-systemd[39509]: EAP method EAP_TLS failed for peer len-mac-pvn at mypvn.net
Jul 05 12:09:42 pvn charon-systemd[39509]: generating IKE_AUTH response 8 [ EAP/FAIL ]
Jul 05 12:09:42 pvn charon-systemd[39509]: sending packet: from 192.168.92.5[4500] to ex.te.rn.al[4500] (80 bytes)

I've checked that the .p12 and (self-signed) Root CA Certs are both in the system keychain. Thinking that maybe the Root CA Cert needed to be in the System Roots keychain, I tried to put it there, but macOS said "No, they should be in the system keychain". The Root CA Cert is marked as trusted for all users, for all usages.

I'd appreciate any definitive answers, good guesses, etc. This has me totally baffled!

Thanks!

swanctl.conf VPN Configuration Details:

# Configuration written by pistrong makeMyCA V3.1 on Tue 07 Jun 2022 09:51:24 AM PDT

conn-defaults {
    version = 2
    send_certreq = yes
    send_cert = always
    unique = never
    fragmentation = yes
    # Force esp encapsulation for restrictive firewalls
    encap = yes
    dpd_delay = 120s
    rekey_time = 0s
    pools = primary-pool-ipv4

    local {
        auth = pubkey
        cacerts = strongSwanCACert.pem
    }
}

remote-defaults {
    remote {
        id = %any
    }

}
child-defaults {
    net {
        dpd_action = clear
        rekey_time = 0s
        updown = /usr/lib/ipsec/_updown iptables
    }
}

connections {
    conn-ios : conn-defaults, remote-defaults {
        proposals = aes256-sha256-modp2048, aes256-sha256-modp1024,aes256-sha1-modp1024
        local {
            certs = ios-strongSwanVPNCert.pem
            id = ios.mydomain.com
        }
        remote {
            auth = eap-tls
        }
        children {
            net : child-defaults {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256-sha256
            }
        }
    }
}
pools {
    primary-pool-ipv4 {
        addrs = 10.92.10.0/24
        dns = 192.168.92.3
    }
}

Formatted CA and VPN Cert:

[CA Certificate /etc/swanctl/x509ca/strongSwanCACert.pem]
  subject:  "C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA"
  issuer:   "C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA"
  validity:  not before Jun 06 12:59:04 2022, ok
             not after  Jun 03 12:59:04 2032, ok (expires in 3620 days)
  serial:    38:94:d1:8e:7f:32:28:90
  flags:     CA CRLSign self-signed
  subjkeyId: 04:63:b7:4e:12:5b:6c:b4:3f:fb:5d:e3:f6:9c:43:6e:3f:69:3b:0e
  pubkey:    RSA 4096 bits
  keyid:     de:8c:21:84:30:3c:34:13:84:65:41:60:5f:e0:66:c0:0a:d2:54:0a
  subjkey:   04:63:b7:4e:12:5b:6c:b4:3f:fb:5d:e3:f6:9c:43:6e:3f:69:3b:0e

[VPN Host Certificate /etc/swanctl/x509/ios-strongSwanVPNCert.pem]
  subject:  "C=US, O=pvn-strongSwan, CN=pvn.mydomain.com"
  issuer:   "C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA"
  validity:  not before Jun 06 12:59:18 2022, ok
             not after  Jun 03 12:59:18 2032, ok (expires in 3620 days)
  serial:    10:dc:bf:05:81:c0:e4:06
  altNames:  ios.mydomain.com, pvn.mydomain.com
  flags:     serverAuth ikeIntermediate
  authkeyId: 04:63:b7:4e:12:5b:6c:b4:3f:fb:5d:e3:f6:9c:43:6e:3f:69:3b:0e
  subjkeyId: d0:1b:b4:b8:67:df:64:07:ef:14:f1:e7:92:80:c6:8f:7f:e4:1b:94
  pubkey:    RSA 4096 bits
  keyid:     3f:a6:74:2d:4e:24:6a:78:17:80:7f:29:92:ba:62:29:19:70:69:aa
  subjkey:   d0:1b:b4:b8:67:df:64:07:ef:14:f1:e7:92:80:c6:8f:7f:e4:1b:94


Formatted User Cert:

  subject:  "C=US, O=pvn-strongSwan, CN=len-mac-pvn at myvpn.net"
  issuer:   "C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA"
  validity:  not before Jul 01 10:08:33 2022, ok
             not after  Jun 30 10:08:33 2024, ok (expires in 725 days)
  serial:    0b:94:f4:e8:50:7b:71:a2
  altNames:  len-mac-pvn at myvpn.net
  flags:
  authkeyId: 04:63:b7:4e:12:5b:6c:b4:3f:fb:5d:e3:f6:9c:43:6e:3f:69:3b:0e
  subjkeyId: 2f:a3:94:ed:03:c6:5c:e2:29:c7:42:7e:67:2e:d4:4c:91:a2:a2:fe
  pubkey:    RSA 2048 bits
  keyid:     be:8a:71:45:9c:de:9b:94:83:8e:0f:e7:d1:26:b4:58:a2:01:07:7b
  subjkey:   2f:a3:94:ed:03:c6:5c:e2:29:c7:42:7e:67:2e:d4:4c:91:a2:a2:fe

The exact same Certs when connected from an iOS device yield this set of authentication log entries:

Jul 05 11:52:30 pvn charon-systemd[39509]: received fragment #2 of 2, reassembled fragmented IKE message (960 bytes)
Jul 05 11:52:30 pvn charon-systemd[39509]: parsed IKE_AUTH request 7 [ EAP/RES/TLS ]
Jul 05 11:52:30 pvn charon-systemd[39509]: received TLS peer certificate 'C=US, O=pvn-strongSwan, CN=len-mac-pvn at myvpn.net'
Jul 05 11:52:30 pvn charon-systemd[39509]: received TLS intermediate certificate 'C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA'
Jul 05 11:52:30 pvn charon-systemd[39509]:   using trusted ca certificate "C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA"
Jul 05 11:52:30 pvn charon-systemd[39509]: checking certificate status of "C=US, O=pvn-strongSwan, CN=len-mac-pvn at myvpn.net"
Jul 05 11:52:30 pvn charon-systemd[39509]: certificate status is not available
Jul 05 11:52:30 pvn charon-systemd[39509]:   reached self-signed root ca with a path length of 0
Jul 05 11:52:30 pvn charon-systemd[39509]:   using trusted certificate "C=US, O=pvn-strongSwan, CN=len-mac-pvn at myvpn.net"
Jul 05 11:52:30 pvn charon-systemd[39509]: generating IKE_AUTH response 7 [ EAP/REQ/TLS ]
Jul 05 11:52:30 pvn charon-systemd[39509]: sending packet: from 192.168.92.5[4500] to ex.te.rn.al[4500] (160 bytes)
Jul 05 11:52:30 pvn charon-systemd[39509]: received packet: from ex.te.rn.al[4500] to 192.168.92.5[4500] (80 bytes)
Jul 05 11:52:30 pvn charon-systemd[39509]: parsed IKE_AUTH request 8 [ EAP/RES/TLS ]
Jul 05 11:52:30 pvn charon-systemd[39509]: EAP method EAP_TLS succeeded, MSK established
Jul 05 11:52:30 pvn charon-systemd[39509]: generating IKE_AUTH response 8 [ EAP/SUCC ]
Jul 05 11:52:30 pvn charon-systemd[39509]: sending packet: from 192.168.92.5[4500] to ex.te.rn.al[4500] (80 bytes)
Jul 05 11:52:30 pvn charon-systemd[39509]: received packet: from ex.te.rn.al[4500] to 192.168.92.5[4500] (112 bytes)
Jul 05 11:52:30 pvn charon-systemd[39509]: parsed IKE_AUTH request 9 [ AUTH ]
Jul 05 11:52:30 pvn charon-systemd[39509]: authentication of 'len-mac-pvn at myvpn.net' with EAP successful
Jul 05 11:52:30 pvn charon-systemd[39509]: authentication of 'ios.mydomain.com' (myself) with EAP
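
A small triage helper, added here as an example and not part of the post or of strongSwan: it reads the charon log lines of one EAP-TLS exchange, records the outcome and any fatal TLS alert, and compares the identity the server looked up ("no trusted certificate found for ...") with the CN of the peer certificate it received. In the two excerpts above those differ (mypvn.net in the failing run, myvpn.net in the working one and in the user cert), which is the first thing to check before suspecting keychain trust. The sample lines are constructed from the post's excerpts with the list archive's " at " obfuscation written back as "@".

```python
import re

# Constructed sample: the lines that matter from the post's two charon-systemd
# excerpts, with the mailing-list archive's " at " written back as "@".
FAILING_LOG = """\
Jul 05 12:09:42 pvn charon-systemd[39509]: received TLS peer certificate 'C=US, O=pvn-strongSwan, CN=len-mac-pvn@myvpn.net'
Jul 05 12:09:42 pvn charon-systemd[39509]: received TLS intermediate certificate 'C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA'
Jul 05 12:09:42 pvn charon-systemd[39509]: no trusted certificate found for 'len-mac-pvn@mypvn.net' to verify TLS peer
Jul 05 12:09:42 pvn charon-systemd[39509]: sending fatal TLS alert 'certificate unknown'
Jul 05 12:09:42 pvn charon-systemd[39509]: EAP method EAP_TLS failed for peer len-mac-pvn@mypvn.net
"""

WORKING_LOG = """\
Jul 05 11:52:30 pvn charon-systemd[39509]: received TLS peer certificate 'C=US, O=pvn-strongSwan, CN=len-mac-pvn@myvpn.net'
Jul 05 11:52:30 pvn charon-systemd[39509]:   using trusted ca certificate "C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA"
Jul 05 11:52:30 pvn charon-systemd[39509]:   using trusted certificate "C=US, O=pvn-strongSwan, CN=len-mac-pvn@myvpn.net"
Jul 05 11:52:30 pvn charon-systemd[39509]: EAP method EAP_TLS succeeded, MSK established
"""

PEER_CERT = re.compile(r"received TLS peer certificate '([^']*)'")
NO_TRUST = re.compile(r"no trusted certificate found for '([^']*)' to verify TLS peer")
TLS_ALERT = re.compile(r"sending fatal TLS alert '([^']*)'")
EAP_RESULT = re.compile(r"EAP method (\S+) (succeeded|failed)")

def subject_cn(dn):
    """Return the CN attribute of a 'C=.., O=.., CN=..' DN string, or None."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key == "CN":
            return value
    return None

def triage_eap_tls(log_text):
    """Summarise one EAP-TLS exchange; keys: eap_method, outcome, peer_cn, lookup_id, tls_alert, identity_mismatch."""
    r = {"eap_method": None, "outcome": None, "peer_cn": None,
         "lookup_id": None, "tls_alert": None, "identity_mismatch": False}
    for line in log_text.splitlines():
        if m := PEER_CERT.search(line):
            r["peer_cn"] = subject_cn(m.group(1))
        elif m := NO_TRUST.search(line):
            r["lookup_id"] = m.group(1)
        elif m := TLS_ALERT.search(line):
            r["tls_alert"] = m.group(1)
        elif m := EAP_RESULT.search(line):
            r["eap_method"], r["outcome"] = m.group(1), m.group(2)
    # charon searched its trusted certs by the identity the client claimed; the log
    # does not show the cert's SANs, so the presented CN stands in for them here.
    if r["lookup_id"] and r["peer_cn"] and r["lookup_id"] != r["peer_cn"]:
        r["identity_mismatch"] = True
    return r
```

Run it over a journalctl export of the failing connection: a True identity_mismatch points at the client's configured EAP identity rather than at the keychain.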
