Re: [strongSwan] Strongswan IKEv2 certificates - "user authentication failed" ????

2021-04-26 Thread Noel Kuntze

Set connections..send_cert=yes

Exactly as shown in the generated conn. It's not present in the faulty 
configuration.


On 26.04.21 at 21:01, bls s wrote:

I use nearly the same. Here’s the complete connection definition for iOS as 
generated by my pistrong strongSwan management tool:

    ios-pubkey-ikev2 {
        version = 2
        proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,aes128-sha1-modp1536,aes128-sha256-modp1536,aes128-sha256-modp2048,default
        rekey_time = 0s
        pools = primary-pool-ipv4
        fragmentation = no
        dpd_delay = 30s
        send_cert = always

        local-1 {
            auth = pubkey
            cacerts = strongSwanCACert.pem
            certs = ios-strongSwanVPNCert.pem
            id = ios.crystix.com
        }

        remote-1 {
            auth = eap-tls
            id = %any
        }

        children {
            net-ios {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,aes128-sha1-modp1536,aes128-sha256-modp1536,aes128-sha256-modp2048,default
            }
        }
    }

    primary-pool-ipv4 {
        addrs = 10.92.10.0/24
        dns = 192.168.92.3
    }
    }

From: Users On Behalf Of Jafar Al-Gharaibeh
Sent: Monday, April 26, 2021 8:21 AM
To: pLAN9 Administrator ; users@lists.strongswan.org
Subject: Re: [strongSwan] Strongswan IKEv2 certificates - "user authentication failed"

Try the following for "remote":

    remote {
        auth = eap-tls
        eap_id = %any
    }

--Jafar

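Added here as an example, not code from strongSwan or from anyone in this thread: a small parser for the swanctl.conf section syntax shown above, with an audit that flags the two settings the replies change, a remote section still using auth = pubkey and a conn without send_cert = always. It runs on a trimmed, constructed copy of the failing conn embedded in the block.

```python
# Constructed example (not strongSwan's code): parse swanctl.conf section
# syntax, then audit a conn for the two settings raised in this thread.

def parse_swanctl(text):
    """Parse `name { ... }` sections and `key = value` lines into nested dicts."""
    root = cur = {}
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):                # open a nested section
            name = line[:-1].strip()
            cur[name] = {}
            stack.append(cur)
            cur = cur[name]
        elif line == "}":                     # close the current section
            cur = stack.pop()
        else:
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    if stack:
        raise ValueError("unbalanced braces in swanctl.conf")
    return root

def audit_remote_access(conf, conn):
    """Return findings for one conn, following the advice given in the thread."""
    c, findings = conf["connections"][conn], []
    for name, sect in c.items():
        if (name.startswith("remote") and isinstance(sect, dict)
                and sect.get("auth") == "pubkey"):
            findings.append(f"{name}: auth=pubkey; for the iOS client use "
                            "auth=eap-tls with eap_id=%any")
    if c.get("send_cert", "ifasked") != "always":   # ifasked is the default
        findings.append("send_cert is not 'always': with 'ifasked' the server "
                        "cert is only sent after a CERTREQ from the client")
    return findings

# Constructed, trimmed copy of the failing conn from the original post.
FAILING = "connections {\n RA {\n  remote {\n   auth = pubkey\n   id = %any\n  }\n  version = 2\n }\n}"

def corrected_conn():
    """Apply the two fixes from the thread to the parsed conn and re-audit it."""
    conf = parse_swanctl(FAILING)
    ra = conf["connections"]["RA"]
    ra["remote"] = {"auth": "eap-tls", "eap_id": "%any"}
    ra["send_cert"] = "always"
    return conf, audit_remote_access(conf, "RA")
```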

Re: [strongSwan] Strongswan IKEv2 certificates - "user authentication failed" ????

2021-04-26 Thread bls s
I use nearly the same. Here’s the complete connection definition for iOS as 
generated by my pistrong strongSwan management tool:

ios-pubkey-ikev2 {
version = 2
proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,aes128-sha1-modp1536,aes128-sha256-modp1536,aes128-sha256-modp2048,default
rekey_time = 0s
pools = primary-pool-ipv4
fragmentation = no
dpd_delay = 30s
send_cert = always

local-1 {
 auth = pubkey
 cacerts = strongSwanCACert.pem
 certs = ios-strongSwanVPNCert.pem
 id = ios.crystix.com
}

remote-1 {
 auth = eap-tls
 id = %any
}

children {
 net-ios {
 local_ts = 0.0.0.0/0
 rekey_time = 0s
 dpd_action = clear
 esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,aes128-sha1-modp1536,aes128-sha256-modp1536,aes128-sha256-modp2048,default
 }
}
}

primary-pool-ipv4 {
addrs = 10.92.10.0/24
dns = 192.168.92.3
}
}

From: Users On Behalf Of Jafar Al-Gharaibeh
Sent: Monday, April 26, 2021 8:21 AM
To: pLAN9 Administrator ; users@lists.strongswan.org
Subject: Re: [strongSwan] Strongswan IKEv2 certificates - "user authentication failed"


Try the following for "remote":

remote {
auth = eap-tls
eap_id = %any
}

--Jafar



Re: [strongSwan] Strongswan IKEv2 certificates - "user authentication failed" ????

2021-04-26 Thread Jafar Al-Gharaibeh
Try the following for "remote":

    remote {
        auth = eap-tls
        eap_id = %any
    }

--Jafar


On 4/24/21 10:33 PM, pLAN9 Administrator wrote:
>
> I am trying to set up Strongswan to act as a remote access server for
> an iPhone using IKEv2 certificate auth. It is a major headache!
>
> I have made sure to set the SAN in both the server and phone
> certificate. Here is the server SAN:
>
>     X509v3 extensions:
>         X509v3 Subject Alternative Name:
>             DNS:echo.pLAN9.co
>         X509v3 Extended Key Usage:
>             TLS Web Server Authentication, TLS Web Client Authentication
>
> Here is the phone SAN:
>
>     X509v3 extensions:
>         X509v3 Subject Alternative Name:
>             DNS:pLAN9-iPhone.pLAN9.co
>         X509v3 Extended Key Usage:
>             TLS Web Server Authentication, TLS Web Client Authentication
>
> Here is /etc/swanctl/swanctl.conf
>
> connections {
>     RA {
>         local_addrs = %any
>         local {
>             auth = pubkey
>             certs = ECHO.crt
>             id = @echo.pLAN9.co
>         }
>         remote {
>             auth = pubkey
>             id = %any
>         }
>         children {
>             net {
>                 local_ts = 0.0.0.0/0
>                 esp_proposals = aes256-sha256
>             }
>         }
>         version = 2
>         proposals = aes256-sha256-modp2048
>         send_certreq = no
>         pools = pool
>     }
> }
> pools {
>     pool {
>         addrs = 172.16.16.64/29
>         dns = 172.16.16.1
>     }
> }
>
>
> Here is the output of a connection:
>
>
> 01[NET] received packet: from IPHONE_IP[9975] to STRONGSWAN_IP[500] (604 bytes)
> 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> 01[IKE] IPHONE_IP is initiating an IKE_SA
> 01[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> 01[IKE] remote host is behind NAT
> 01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
> 01[NET] sending packet: from STRONGSWAN_IP[500] to IPHONE_IP[9975] (456 bytes)
> 10[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (532 bytes)
> 10[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
> 13[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (532 bytes)
> 10[ENC] received fragment #1 of 4, waiting for complete IKE message
> 13[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
> 13[ENC] received fragment #2 of 4, waiting for complete IKE message
> 14[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (532 bytes)
> 14[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
> 01[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (180 bytes)
> 14[ENC] received fragment #3 of 4, waiting for complete IKE message
> 01[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
> 01[ENC] received fragment #4 of 4, reassembled fragmented IKE message (1552 bytes)
> 01[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
> 01[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
> 01[IKE] received end entity cert "CN=pLAN9-iPhone"
> 01[CFG] looking for peer configs matching STRONGSWAN_IP[echo.plan9.co]...IPHONE_IP[pLAn9-iPhone.pLAN9.co]
> 01[CFG] selected peer config 'RA'
> 01[CFG]   using certificate "CN=pLAN9-iPhone"
> 01[CFG]   using trusted ca certificate "CN=pLAN9 CA 2019-2021"
> 01[CFG] checking certificate status of "CN=pLAN9-iPhone"
> 01[CFG] certificate status is not available
> 01[CFG]   reached self-signed root ca with a path length of 0
> 01[IKE] authentication of 'pLAn9-iPhone.pLAN9.co' with RSA signature successful
> 01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> 01[IKE] peer supports MOBIKE
> 01[IKE] authentication of 'echo.plan9.co' (myself) with RSA signature successful
> 01[IKE] IKE_SA RA[2] established between STRONGSWAN_IP[echo.plan9.co]...IPHONE_IP[pLAn9-iPhone.pLAN9.co]
> 01[IKE] scheduling rekeying in 13941s
> 01[IKE] maximum IKE_SA lifetime 15381s
> 01[IKE] peer requested virtual IP %any
> 01[CFG] assigning new lease to 'pLAn9-iPhone.pLAN9.co'
> 01[IKE] assigning virtual IP 172.16.16.65 to peer 'pLAn9-iPhone.pLAN9.co'
> 01[IKE] peer requested virtual IP %any6
> 01[IKE] no virtual IP found for %any6 requested by
>