Re: [strongSwan] MacOS 10.12 Sierra IKEv2 user/password auth
On 10/9/16 11:04 AM, Noel Kuntze wrote:
> On 09.10.2016 18:57, Pete Ashdown wrote:
>> conn win7
>>     leftcert=vpnHostCert.der
>>     leftsendcert=always
>>     leftauth=pubkey
>>     leftsubnet=0.0.0.0/0
>>     right=%any
>>     rightauth=eap-gtc
>>     rightsourceip=10.10.10.16/2
>>     rightsendcert=never
>>     eap_identity=%any
>>     keyexchange=ikev2
>>     auto=add
> No leftid set, so it defaults to %any (which is the value of "left", if it is
> not defined).
> %any is probably not a valid ID in your certificate (and not a valid IP,
> DNS name or X.509 DN), so it defaults to the DN of the certificate
> I don't think Windows supports EAP-GTC.
>

Trying to get MacOS to work here, but if Windows doesn't support it, then I probably have to abandon anyway. I was trying to upgrade from a prior installation I did that used user/password (via LDAP) but under IKEv1. That works with Windows, MacOS, iOS, and others.

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] MacOS 10.12 Sierra IKEv2 user/password auth
On 09.10.2016 18:57, Pete Ashdown wrote:
> conn win7
>     leftcert=vpnHostCert.der
>     leftsendcert=always
>     leftauth=pubkey
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightauth=eap-gtc
>     rightsourceip=10.10.10.16/2
>     rightsendcert=never
>     eap_identity=%any
>     keyexchange=ikev2
>     auto=add

No leftid set, so it defaults to %any (which is the value of "left", if it is not defined).
%any is probably not a valid ID in your certificate (and not a valid IP, DNS name or X.509 DN), so it defaults to the DN of the certificate.
I don't think Windows supports EAP-GTC.

> Oct 9 10:52:47 vpn charon: 11[CFG] loaded certificate "C=US, O=XMission, CN=vpn.xmission.com" from 'vpnHostCert.der'
> Oct 9 10:52:47 vpn charon: 11[CFG] id '%any' not confirmed by certificate, defaulting to 'C=US, O=XMission, CN=vpn.xmission.com'

leftid defaults to the DN of the certificate, as described above.

> Oct 9 10:52:51 vpn charon: 13[CFG] looking for peer configs matching 10.10.10.1[vpn.xmission.com]...177.77.77.62[10.67.1.244]
> Oct 9 10:52:51 vpn charon: 13[CFG] no matching peer config found

Peer asks for the ID "vpn.xmission.com". The conn is implicitly configured for the ID 'C=US, O=XMission, CN=vpn.xmission.com' though. Therefore charon can not find a valid connection.
You need to set leftid correctly and make sure it's authenticated by the certificate in a SAN field.

-- 
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
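The peer-config mismatch Noel walks through above (charon falling back to the certificate DN as its local ID while the client asks for the FQDN in IDr) can be picked out of charon output mechanically. The following checker is an added example, not code from the thread or from the strongSwan project; its sample log lines are constructed, modelled on the ones quoted above, and the regexes assume the 5.x message wording shown there.

```python
import re

# Constructed sample log, modelled on the charon lines quoted in the thread (DN and IDr taken from there).
SAMPLE_LOG = """\
Oct 9 10:52:47 vpn charon: 11[CFG] loaded certificate "C=US, O=XMission, CN=vpn.xmission.com" from 'vpnHostCert.der'
Oct 9 10:52:47 vpn charon: 11[CFG] id '%any' not confirmed by certificate, defaulting to 'C=US, O=XMission, CN=vpn.xmission.com'
Oct 9 10:52:51 vpn charon: 13[CFG] looking for peer configs matching 10.10.10.1[vpn.xmission.com]...177.77.77.62[10.67.1.244]
Oct 9 10:52:51 vpn charon: 13[CFG] no matching peer config found
"""

# "id 'X' not confirmed by certificate, defaulting to 'Y'": Y is the local ID charon will actually use.
DEFAULT_ID_RE = re.compile(r"id '[^']*' not confirmed by certificate, defaulting to '(?P<effective>[^']*)'")
# "looking for peer configs matching me[IDr]...peer[IDi]": IDr is the ID the client wants us to use.
PEER_MATCH_RE = re.compile(r"looking for peer configs matching [^\s\[]+\[(?P<idr>[^\]]*)\]\.\.\.[^\s\[]+\[[^\]]*\]")


def cn_of_dn(dn):
    """Return the CN attribute of a textual DN such as 'C=US, O=X, CN=host', or None."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value
    return None


def find_local_id_mismatch(log_text):
    """Scan charon log text for a local ID that differs from the IDr the peer requested
    while no peer config matched; return a dict describing it, or None. 'requested_is_cert_cn'
    is True when the requested ID is the certificate CN: set leftid to it and put it in a SAN."""
    effective_local_id = requested_idr = None
    no_match_seen = False
    for line in log_text.splitlines():
        m = DEFAULT_ID_RE.search(line)
        if m:
            effective_local_id = m.group("effective")
        m = PEER_MATCH_RE.search(line)
        if m:
            requested_idr = m.group("idr")
        if "no matching peer config found" in line:
            no_match_seen = True
    if not (effective_local_id and requested_idr and no_match_seen):
        return None
    if requested_idr == effective_local_id:
        return None  # IDs agree, so the missing peer config has another cause
    return {
        "requested_idr": requested_idr,
        "effective_leftid": effective_local_id,
        "requested_is_cert_cn": cn_of_dn(effective_local_id) == requested_idr,
    }
```

Feed it the CFG lines of a failing IKE_AUTH and it reports the ID the client asked for next to the ID charon silently fell back to, which is the leftid value the conn needs.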
Re: [strongSwan] MacOS 10.12 Sierra IKEv2 user/password auth
On 10/9/16 10:49 AM, Andreas Steffen wrote:
> Hi Pete,
>
> there is no AUTH payload in the IKE_AUTH request. This means that
> the Mac wants to do EAP-based username/password authentication but
> your strongSwan server is not configured for EAP (e.g. EAP-MD5,
> EAP-MSCHAPv2 or EAP-GTC).

Do I need something additional here?

conn win7
    leftcert=vpnHostCert.der
    leftsendcert=always
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-gtc
    rightsourceip=10.10.10.16/26
    rightsendcert=never
    eap_identity=%any
    keyexchange=ikev2
    auto=add
Re: [strongSwan] MacOS 10.12 Sierra IKEv2 user/password auth
On 10/9/16 10:42 AM, Noel Kuntze wrote:
> On 09.10.2016 18:37, Pete Ashdown wrote:
>> On 10/9/16 10:29 AM, Noel Kuntze wrote:
>>> On 09.10.2016 18:23, Pete Ashdown wrote:
>>>> Has anyone actually gotten this to work? I've tried both the Mac's gui
>>>> and Configurator program and a number of iterations of Strongswan
>>>> configs and I always end up with this error in the logs:
>>>>
>>>> charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>>>>
>>>> I have no idea where to go from here. A little help please?
>>> You start reading the log lines above that message.
>>
>> Thanks for your helpful response, but there is nothing there that sticks
>> out as to why the auth fails. The prior auth entry looks like this:
>>
>> charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT)
>> N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6)
>> N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>>
>> If you'd like me to paste the whole thing, I can do that, but I'm not
>> seeing any smoking guns.
>>
> Then please provide a full log and your configuration.
>

Some IP addresses have been obfuscated.

Config:

# ipsec.conf - strongSwan IPsec configuration file

config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn win7
    leftcert=vpnHostCert.der
    leftsendcert=always
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-gtc
    rightsourceip=10.10.10.16/2
    rightsendcert=never
    eap_identity=%any
    keyexchange=ikev2
    auto=add

Log:

Oct 9 10:52:47 vpn charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-38-generic, x86_64)
Oct 9 10:52:47 vpn charon: 00[LIB] created TUN device: ipsec0
Oct 9 10:52:47 vpn charon: 00[KNL] known interfaces and IP addresses:
Oct 9 10:52:47 vpn charon: 00[KNL]   lo
Oct 9 10:52:47 vpn charon: 00[KNL]     127.0.0.1
Oct 9 10:52:47 vpn charon: 00[KNL]     ::1
Oct 9 10:52:47 vpn charon: 00[KNL]   eth0
Oct 9 10:52:47 vpn charon: 00[KNL]   br0
Oct 9 10:52:47 vpn charon: 00[KNL]     10.10.10.1
Oct 9 10:52:47 vpn charon: 00[KNL]     2600:f000:0:a::f01
Oct 9 10:52:47 vpn charon: 00[KNL]     fe80::225:90ff:fe33:afa4
Oct 9 10:52:47 vpn charon: 00[KNL]   tap1
Oct 9 10:52:47 vpn charon: 00[KNL]     fe80::1c73:77ff:fee0:6535
Oct 9 10:52:47 vpn charon: 00[KNL]   tap0
Oct 9 10:52:47 vpn charon: 00[KNL]     fe80::1490:25ff:fed2:5663
Oct 9 10:52:47 vpn charon: 00[KNL]   ipsec0
Oct 9 10:52:47 vpn charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Oct 9 10:52:47 vpn charon: 00[CFG]   loaded ca certificate "C=US, O=XMission, CN=vpn.xmission.com" from '/etc/ipsec.d/cacerts/strongswanCert.der'
Oct 9 10:52:47 vpn charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Oct 9 10:52:47 vpn charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct 9 10:52:47 vpn charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Oct 9 10:52:47 vpn charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct 9 10:52:47 vpn charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Oct 9 10:52:47 vpn charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/vpnHostKey.der'
Oct 9 10:52:47 vpn charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Oct 9 10:52:47 vpn charon: 00[CFG] loaded 0 RADIUS server configurations
Oct 9 10:52:47 vpn charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac ccm gcm attr kernel-libipsec kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
Oct 9 10:52:47 vpn charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Oct 9 10:52:47 vpn charon: 00[JOB] spawning 16 worker threads
Oct 9 10:52:47 vpn charon: 02[NET] waiting for data on sockets
Oct 9 10:52:47 vpn charon: 11[CFG] received stroke: add connection 'win7'
Oct 9 10:52:47 vpn charon: 11[CFG] conn win7
Oct 9 10:52:47 vpn charon: 11[CFG]   left=%any
Oct 9 10:52:47 vpn charon: 11[CFG]   leftsubnet=0.0.0.0/0
Oct 9 10:52:47 vpn charon: 11[CFG]   leftauth=pubkey
Oct 9 10:52:47 vpn charon: 11[CFG]   leftcert=vpnHostCert.der
Oct 9 10:52:47 vpn charon: 11[CFG]   right=%any
Oct 9 10:52:47 vpn charon: 11[CFG]   rightsourceip=10.10.10.16/2
Oct 9 10:52:47 vpn charon: 11[CFG]   rightauth=eap-gtc
Oct 9 10:52:47 vpn charon: 11[CFG]   eap_identity=%any
Oct 9 10:52:47 vpn charon: 11[CFG]   ike=aes128-sha1-modp2048,3des-sha1-modp1536
Oct 9 10:52:47 vpn charon: 11[CFG]
Re: [strongSwan] MacOS 10.12 Sierra IKEv2 user/password auth
Hi Pete,

there is no AUTH payload in the IKE_AUTH request. This means that the Mac wants to do EAP-based username/password authentication but your strongSwan server is not configured for EAP (e.g. EAP-MD5, EAP-MSCHAPv2 or EAP-GTC).

Regards

Andreas

On 09.10.2016 18:37, Pete Ashdown wrote:
> On 10/9/16 10:29 AM, Noel Kuntze wrote:
>> On 09.10.2016 18:23, Pete Ashdown wrote:
>>> Has anyone actually gotten this to work? I've tried both the Mac's gui
>>> and Configurator program and a number of iterations of Strongswan
>>> configs and I always end up with this error in the logs:
>>>
>>> charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>>>
>>> I have no idea where to go from here. A little help please?
>> You start reading the log lines above that message.
>
> Thanks for your helpful response, but there is nothing there that sticks
> out as to why the auth fails. The prior auth entry looks like this:
>
> charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT)
> N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6)
> N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>
> If you'd like me to paste the whole thing, I can do that, but I'm not
> seeing any smoking guns.
>
> Again, I ask if anyone has actually gotten user/password with IKEv2 to
> work on Sierra.

==
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
Re: [strongSwan] MacOS 10.12 Sierra IKEv2 user/password auth
On 09.10.2016 18:37, Pete Ashdown wrote:
> On 10/9/16 10:29 AM, Noel Kuntze wrote:
>> On 09.10.2016 18:23, Pete Ashdown wrote:
>>> Has anyone actually gotten this to work? I've tried both the Mac's gui
>>> and Configurator program and a number of iterations of Strongswan
>>> configs and I always end up with this error in the logs:
>>>
>>> charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>>>
>>> I have no idea where to go from here. A little help please?
>> You start reading the log lines above that message.
>
> Thanks for your helpful response, but there is nothing there that sticks
> out as to why the auth fails. The prior auth entry looks like this:
>
> charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT)
> N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6)
> N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>
> If you'd like me to paste the whole thing, I can do that, but I'm not
> seeing any smoking guns.
>

Then please provide a full log and your configuration.

-- 
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Re: [strongSwan] MacOS 10.12 Sierra IKEv2 user/password auth
On 10/9/16 10:29 AM, Noel Kuntze wrote:
> On 09.10.2016 18:23, Pete Ashdown wrote:
>> Has anyone actually gotten this to work? I've tried both the Mac's gui
>> and Configurator program and a number of iterations of Strongswan
>> configs and I always end up with this error in the logs:
>>
>> charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>>
>> I have no idea where to go from here. A little help please?
> You start reading the log lines above that message.
>

Thanks for your helpful response, but there is nothing there that sticks out as to why the auth fails. The prior auth entry looks like this:

charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]

If you'd like me to paste the whole thing, I can do that, but I'm not seeing any smoking guns.

Again, I ask if anyone has actually gotten user/password with IKEv2 to work on Sierra.
Re: [strongSwan] MacOS 10.12 Sierra IKEv2 user/password auth
On 09.10.2016 18:23, Pete Ashdown wrote:
> Has anyone actually gotten this to work? I've tried both the Mac's gui
> and Configurator program and a number of iterations of Strongswan
> configs and I always end up with this error in the logs:
>
> charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>
> I have no idea where to go from here. A little help please?

You start reading the log lines above that message.

-- 
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
[strongSwan] MacOS 10.12 Sierra IKEv2 user/password auth
Has anyone actually gotten this to work? I've tried both the Mac's gui and Configurator program and a number of iterations of Strongswan configs and I always end up with this error in the logs:

charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

I have no idea where to go from here. A little help please?