Re: [strongSwan] eap auth with 5.8 - how?

2020-05-11 Thread lejeczek



On 11/05/2020 12:43, Tobias Brunner wrote:
> Hi,
>
>> Having only:
>>
>>     remote {
>>   certs = "remote.fqdn.crt"
>>   auth  =  "pubkey"
>>     }
>>
>> does not help.
> Again, not the same thing as configuring %any as remote identity (there
> is a fallback to the certificate's subject identity if a certificate but
> no identity is configured - and that identity is sent to the peer, which
> might not like it, so you should perhaps later check what identity it
> actually returns and configure that).
>
>> Trying: 'mode=tunnel' also fails.
> That will only have an effect after the authentication.
>
>> Also, I'm not sure how to translate this (in case it's critical)
>>
>> leftfirewall=yes
> Whether it's critical depends on your firewall config.  See [1] for
> notes on migrating from ipsec.conf to swanctl.conf.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/fromipsecconf
ahh.. I got irritated with myself. I also missed this:
..
# swanctl --load-all
loaded certificate from
'/etc/strongswan/swanctl/x509/remote.fqdn.crt'
vici value exceeds size limit (222148 > 65535)
vici builder error: 1 errors (section: 0, list 0)
load-cert request failed: Invalid argument

That cert got malformed somehow somewhere.
It's good now.
May I ask why - mode = "pass" - is no good?

many thanks gents, L
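The `load-cert request failed` above came from a certificate file that was far larger than any valid single certificate (222148 bytes against vici's 65535-byte value limit). As an added example, not code from the thread or from strongSwan, here is a small pre-flight check one can run over a file in `swanctl/x509/` before `swanctl --load-all`; the limit constant is taken from the error message quoted above, the DER check is only a tag sanity check, and `make_pem` exists to build constructed test input.

```python
"""Pre-flight check of a certificate file before `swanctl --load-all`.
Added example, not code from the thread or from strongSwan: it flags the two
defects behind the errors quoted above, a file over the vici value limit
("222148 > 65535") and a file that is not one well-formed PEM/DER certificate.
The DER check only looks at the outer SEQUENCE tag; it is not X.509 parsing."""
import base64
import binascii
import re
from typing import List

VICI_VALUE_LIMIT = 65535  # limit from "vici value exceeds size limit (222148 > 65535)"

_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def check_cert_blob(data: bytes) -> List[str]:
    """Return the problems found in a certificate file's content (empty list = OK)."""
    problems = []
    if len(data) > VICI_VALUE_LIMIT:
        problems.append(f"{len(data)} bytes exceeds the vici value limit of {VICI_VALUE_LIMIT}")
    blocks = _PEM_RE.findall(data)
    if not blocks:
        # swanctl also accepts raw DER; a DER certificate begins with a SEQUENCE tag (0x30)
        if data[:1] != b"\x30":
            problems.append("no PEM CERTIFICATE block and not DER (first byte is not 0x30)")
        return problems
    if len(blocks) > 1:
        problems.append(f"{len(blocks)} CERTIFICATE blocks; swanctl expects one certificate per file")
    if _PEM_RE.sub(b"", data).strip():
        problems.append("data outside the CERTIFICATE block (text dump or concatenated files?)")
    for i, body in enumerate(blocks):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"block {i}: base64 body is corrupt")
            continue
        if der[:1] != b"\x30":
            problems.append(f"block {i}: decoded body does not start with a DER SEQUENCE")
    return problems


def make_pem(der: bytes) -> bytes:
    """Wrap DER bytes as one PEM CERTIFICATE block (used to build constructed inputs)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"
```

Run it as `check_cert_blob(open(path, "rb").read())`; an empty list means the file is at least loadable by size and shape, while a non-empty list names what to look at before blaming the peer's authentication.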



Re: [strongSwan] eap auth with 5.8 - how?

2020-05-11 Thread Tobias Brunner
Hi,

> Having only:
> 
>     remote {
>   certs = "remote.fqdn.crt"
>   auth  =  "pubkey"
>     }
> 
> does not help.

Again, not the same thing as configuring %any as remote identity (there
is a fallback to the certificate's subject identity if a certificate but
no identity is configured - and that identity is sent to the peer, which
might not like it, so you should perhaps later check what identity it
actually returns and configure that).

> Trying: 'mode=tunnel' also fails.

That will only have an effect after the authentication.

> Also, I'm not sure how to translate this (in case it's critical)
> 
> leftfirewall=yes

Whether it's critical depends on your firewall config.  See [1] for
notes on migrating from ipsec.conf to swanctl.conf.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/fromipsecconf


Re: [strongSwan] eap auth with 5.8 - how?

2020-05-11 Thread lejeczek



On 11/05/2020 10:39, Tobias Brunner wrote:
> Hi,
>
>>   rightid="DNS:vpn.remote.fqdn"
>>   rightid=%any
> Obviously not the same as configuring `id="DNS:remote.fqdn"`.
>
> Also, setting `mode="pass"` is probably not what you want.
>
> Regards,
> Tobias
ah.. was staring in my face yet I did not see it.

Having only:

    remote {
  certs = "remote.fqdn.crt"
  auth  =  "pubkey"
    }

does not help.
Trying: 'mode=tunnel' also fails.

Also, I'm not sure how to translate this (in case it's critical)

leftfirewall=yes

to swanctl.

many thanks, L




Re: [strongSwan] eap auth with 5.8 - how?

2020-05-11 Thread Tobias Brunner
Hi,

>   rightid="DNS:vpn.remote.fqdn"
>   rightid=%any

Obviously not the same as configuring `id="DNS:remote.fqdn"`.

Also, setting `mode="pass"` is probably not what you want.

Regards,
Tobias


Re: [strongSwan] eap auth with 5.8 - how?

2020-05-11 Thread lejeczek



On 11/05/2020 07:48, Andreas Steffen wrote:
> But I think the remote side is not configured
> for EAP-based client authentication or cannot
> find its private signature key so AUTHENTICATION
> FAILED ensues. Any chance of getting the remote log?
>
> Andreas
>
> On 11.05.20 08:45, Andreas Steffen wrote:
>> Hi,
>>
>> in the remote section you have to set
>>
>>   auth = pubkey
>>
>> since the responder is using a certificate-based
>> authentication.
>>
>> Regards
>>
>> Andreas
>>
>> On 10.05.20 14:17, lejeczek wrote:
>>> hi guys
>>>
>>> I got my strongswan updated to 5.8 and I think I migrated my
>>> simple config correctly:
>>>
>>> connections {
>>>   camuni {
>>>     remote_addrs="remote.fqdn"    # The location of the host, FQDN or IP
>>>     vips="0.0.0.0"
>>>     send_cert="never"
>>>     local {
>>>   id="me@domain"
>>>   auth="eap"
>>>     }
>>>     remote {
>>>   certs="remote.fqdn.crt"
>>>   id="DNS:remote.fqdn"
>>>   auth="eap"
>>>     }
>>>     children {
>>>   camuni {
>>>     remote_ts="172.16.0.0/12"
>>>     mode="pass"
>>>     start_action="start"
>>>   }
>>>     }
>>>   }
>>> }
>>> secrets {
>>>   eap {
>>>     secret="aSecret"
>>>     id="me@fqdn"
>>>   }
>>> }
>>>
>>> Yet still auth fails. I have no control over "remote.fqdn"
>>> but at my end I see:
>>> ...
>>> [IKE] initiating IKE_SA camuni[9] to xx.XX.zz.ZZ
>>> [ENC] generating IKE_SA_INIT request 0 [ SA KE No
>>> N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>>> [NET] sending packet: from xx.XX.yy.YY[500] to
>>> xx.XX.zz.ZZ[500] (1400 bytes)
>>> [NET] received packet: from xx.XX.zz.ZZ[500] to
>>> xx.XX.yy.YY[500] (592 bytes)
>>> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
>>> N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
>>> [CFG] selected proposal:
>>> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
>>> [IKE] remote host is behind NAT
>>> [IKE] sending cert request for "O=CA, CN=mydom.local"
>>> [IKE] sending cert request for "O=CA, CN=mydom.local"
>>> [IKE] establishing CHILD_SA camuni{9}
>>> [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT)
>>> CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP)
>>> N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR)
>>> N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
>>> [NET] sending packet: from xx.XX.yy.YY[4500] to
>>> xx.XX.zz.ZZ[4500] (432 bytes)
>>> [NET] received packet: from xx.XX.zz.ZZ[4500] to
>>> xx.XX.yy.YY[4500] (80 bytes)
>>> [ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>>> [IKE] received AUTHENTICATION_FAILED notify error
>>> initiate failed: establishing CHILD_SA 'camuni' failed
>>>
>>> Would you have any suggestions and advice I'll be grateful.
>>> many thanks, L.
>>>
I'm afraid no chance to see what's happening on the remote.
All I know is that it should be "IKEv2 with RSA and EAP".
Just for the sake of clarity, below is the working 5.7 config:

conn MAC

  left=%any
  leftid="me@domain"
  leftauth=eap
  leftsourceip=%config
  leftfirewall=yes

  right="vpn.remote.fqdn"
  rightid="DNS:vpn.remote.fqdn"
  rightid=%any
  rightcert="/etc/strongswan/ipsec.d/certs/mac-vpn-server.crt"


  rightsubnet=172.16.0.0/12
  auto=start

There is, I guess, a bit more in how 5.7 and 5.8 differ.
Some "defaults" perhaps?
Changing config in remote to:

  auth = "pubkey"

still fails with:
...
May 11 10:23:51 swir.private.pawel charon-systemd[13223]:
12[IKE] received AUTHENTICATION_FAILED notify error
May 11 10:23:51 swir.private.pawel charon-systemd[13223]:
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
May 11 10:23:51 swir.private.pawel charon-systemd[13223]:
12[CHD] CHILD_SA amuni{2} state change: CREATED => DESTROYING
May 11 10:23:51 swir.private.pawel charon-systemd[13223]:
received AUTHENTICATION_FAILED notify error
May 11 10:23:51 swir.private.pawel charon-systemd[13223]:
12[IKE] IKE_SA amuni[2] state change: CONNECTING => DESTROYING

ps. I'm on Centos 7.8

many thanks, L.
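As an added example that is not the poster's file and not from strongSwan, here is the working 5.7 ipsec.conf above translated to swanctl.conf with the points the replies in this thread make: the remote side authenticates with its certificate (`auth = pubkey`), the effective `rightid=%any` (the last `rightid` line wins in ipsec.conf) is kept as `id = %any` rather than a DNS identity the peer may not present, the child uses the default tunnel mode instead of `pass`, and `leftfirewall=yes` maps to an updown script whose path is distro-specific and is an assumption here. The certificate is assumed to have been copied into `swanctl/x509/`.

```conf
connections {
    camuni {
        remote_addrs = vpn.remote.fqdn      # right=
        vips = 0.0.0.0                      # leftsourceip=%config (request an IPv4 virtual IP)
        send_cert = never                   # client authenticates with EAP only, no client cert
        local {
            auth = eap                      # leftauth=eap
            id = me@domain                  # leftid=
        }
        remote {
            auth = pubkey                   # the responder proves itself with its certificate
            certs = mac-vpn-server.crt      # rightcert=, now looked up in swanctl/x509/
            id = %any                       # effective rightid=%any of the 5.7 config; with certs
                                            # set the peer's certificate is still verified
        }
        children {
            camuni {
                remote_ts = 172.16.0.0/12   # rightsubnet=
                mode = tunnel               # default; "pass" would exempt this traffic from IPsec
                start_action = start        # auto=start
                # leftfirewall=yes: path is distro-specific, an assumption for CentOS 7
                updown = /usr/libexec/strongswan/_updown iptables
            }
        }
    }
}

secrets {
    eap-camuni {
        id = me@domain
        secret = aSecret
    }
}
```

If the peer insists on a specific identity, `swanctl --log` during `swanctl --initiate --child camuni` shows the IDr it returns, which can then replace `%any` in `remote.id`.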