Re: [strongSwan] Strongswan IKEv2 certificates - "user authentication failed" ????

Set connections.<conn>.send_cert=yes exactly as shown in the generated conn. It's not present in the faulty configuration.

On 26.04.21 at 21:01, bls s wrote:
> I use nearly the same. Here's the complete connection definition for iOS as generated by my pistrong strongSwan management tool:
>
>     ios-pubkey-ikev2 {
>         version = 2
>         proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,aes128-sha1-modp1536,aes128-sha256-modp1536,aes128-sha256-modp2048,default
>         rekey_time = 0s
>         pools = primary-pool-ipv4
>         fragmentation = no
>         dpd_delay = 30s
>         send_cert = always
>         local-1 {
>             auth = pubkey
>             cacerts = strongSwanCACert.pem
>             certs = ios-strongSwanVPNCert.pem
>             id = ios.crystix.com
>         }
>         remote-1 {
>             auth = eap-tls
>             id = %any
>         }
>         children {
>             net-ios {
>                 local_ts = 0.0.0.0/0
>                 rekey_time = 0s
>                 dpd_action = clear
>                 esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,aes128-sha1-modp1536,aes128-sha256-modp1536,aes128-sha256-modp2048,default
>             }
>         }
>     }
>     primary-pool-ipv4 {
>         addrs = 10.92.10.0/24
>         dns = 192.168.92.3
>     }
>     }
>
> From: Users On Behalf Of Jafar Al-Gharaibeh
> Sent: Monday, April 26, 2021 8:21 AM
> To: pLAN9 Administrator; users@lists.strongswan.org
> Subject: Re: [strongSwan] Strongswan IKEv2 certificates - "user authentication failed"
>
> Try the following for "remote":
>
>     remote {
>         auth = eap-tls
>         eap_id = %any
>     }
>
> --Jafar
>
> On 4/24/21 10:33 PM, pLAN9 Administrator wrote:
> > I am trying to set up Strongswan to act as a remote access server for an iPhone using IKEv2 certificate auth. It is a major headache!
> >
> > I have made sure to set the SAN in both the server and phone certificate. Here is the server SAN:
> >
> >     X509v3 extensions:
> >         X509v3 Subject Alternative Name:
> >             DNS:echo.pLAN9.co
> >         X509v3 Extended Key Usage:
> >             TLS Web Server Authentication, TLS Web Client Authentication
> >
> > Here is the phone SAN:
> >
> >     X509v3 extensions:
> >         X509v3 Subject Alternative Name:
> >             DNS:pLAN9-iPhone.pLAN9.co
> >         X509v3 Extended Key Usage:
> >             TLS Web Server Authentication, TLS Web Client Authentication
> >
> > Here is /etc/swanctl/swanctl.conf:
> >
> >     connections {
> >         RA {
> >             local_addrs = %any
> >             local {
> >                 auth = pubkey
> >                 certs = ECHO.crt
> >                 id = @echo.pLAN9.co
> >             }
> >             remote {
> >                 auth = pubkey
> >                 id = %any
> >             }
> >             children {
> >                 net {
> >                     local_ts = 0.0.0.0/0
> >                     esp_proposals = aes256-sha256
> >                 }
> >             }
> >             version = 2
> >             proposals = aes256-sha256-modp2048
> >             send_certreq = no
> >             pools = pool
> >         }
> >     }
> >     pools {
> >         pool {
> >             addrs = 172.16.16.64/29
> >             dns = 172.16.16.1
> >         }
> >     }
> >
> > Here is the output of a connection:
> >
> >     01[NET] received packet: from IPHONE_IP[9975] to STRONGSWAN_IP[500] (604 bytes)
> >     01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> >     01[IKE] IPHONE_IP is initiating an IKE_SA
> >     01[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> >     01[IKE] remote host is behind NAT
> >     01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
> >     01[NET] sending packet: from STRONGSWAN_IP[500] to IPHONE_IP[9975] (456 bytes)
> >     10[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (532 bytes)
> >     10[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
> >     13[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (532 bytes)
> >     10[ENC] received fragment #1 of 4, waiting for complete IKE message
> >     13[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
> >     13[ENC] received fragment #2 of 4, waiting for complete IKE message
> >     14[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (532 bytes)
> >     14[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
> >     01[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (180 bytes)
> >     14[ENC] received fragment #3 of 4, waiting for complete IKE message
> >     01[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
> >     01[ENC] received fragment #4 of 4, reassembled fragmented IKE message (1552 bytes)
> >     01[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
> >     01[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
> >     01[IKE] received end entity cert "CN=pLAN9-iPhone"
> >     01[CFG] looking for peer configs matching STRONGSWAN_IP[echo.plan9.co]...IPHONE_IP[pLAn9-iPhone.pLAN9.co]
> >     01[CFG] selected peer config 'RA'
> >     01[CFG] using certificate "CN=pLAN9-iPhone"
> >     01[CFG] using trusted ca certificate "CN=pLAN9 CA 2019-2021"
> >     01[CFG] checking certificate status of "CN=pLAN9-iPhone"
> >     01[CFG] certificate status is not available
> >     01[CFG] reached self-signed root ca with a path length of 0
> >     01[IKE] authentication of 'pLAn9-iPhone.pLAN9.co' with RSA signature successful
> >     01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> >     01[IKE] peer supports MOBIKE
> >     01[IKE] authentication of 'echo.plan9.co' (myself) with RSA signature successful
> >     01[IKE] IKE_SA RA[2] established between STRONGSWAN_IP[echo.plan9.co]...IPHONE_IP[pLAn9-iPhone.pLAN9.co]
> >     01[IKE] scheduling rekeying in 13941s
> >     01[IKE] maximum IKE_SA lifetime 15381s
> >     01[IKE] peer requested virtual IP %any
> >     01[CFG] assigning new lease to 'pLAn9-iPhone.pLAN9.co'
> >     01[IKE] assigning virtual IP 172.16.16.65 to peer 'pLAn9-iPhone.pLAN9.co'
> >     01[IKE] peer requested virtual IP %any6
> >     01[IKE] no virtual IP found for %any6 requested by
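The two replies point at two settings: the last reply notes that the posted config has no `send_cert` (swanctl's default `ifasked` sends the server's certificate only when the client includes a CERTREQ; the reply says `send_cert=yes`, while the generated conn it refers to uses `always`, which is the value swanctl documents), and Jafar suggests an `eap-tls` remote block. As an added example that is not code from the thread or from strongSwan, the following Python parses swanctl.conf's `section { key = value }` syntax into nested dicts and lints a connection for a missing `send_cert = always`. `FAULTY_CONF` is a copy of the config from the original post; `FIXED_CONF` is a constructed variant with both changes applied. The parser assumes values contain no whitespace, which holds for every value in this thread.

```python
"""Parse a swanctl.conf fragment and flag a connection that never sends its certificate."""
import re
from typing import Any, Dict, List, Optional

# Constructed copy of the swanctl.conf posted in the original message of the thread.
FAULTY_CONF = """
connections {
    RA {
        local_addrs = %any
        local {
            auth = pubkey
            certs = ECHO.crt
            id = @echo.pLAN9.co
        }
        remote {
            auth = pubkey
            id = %any
        }
        children {
            net {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256-sha256
            }
        }
        version = 2
        proposals = aes256-sha256-modp2048
        send_certreq = no
        pools = pool
    }
}
pools {
    pool {
        addrs = 172.16.16.64/29
        dns = 172.16.16.1
    }
}
"""

# Constructed variant applying the replies: send_cert = always plus the eap-tls remote block.
FIXED_CONF = (
    FAULTY_CONF.replace("send_certreq = no", "send_certreq = no\n        send_cert = always")
    .replace("remote {\n            auth = pubkey", "remote {\n            auth = eap-tls")
    .replace("id = %any", "eap_id = %any")
)

# Tokens: braces, '=', a '#' comment to end of line, or a bare word (section name, key or value).
# Assumption: values contain no whitespace, so one word is one value.
_TOKEN = re.compile(r"\{|\}|=|#[^\n]*|[^\s{}=#]+")


def parse_swanctl(text: str) -> Dict[str, Any]:
    """Turn 'section { key = value }' text into nested dicts; works on flattened one-line input too."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    pending: Optional[str] = None  # last bare word: the name of the next section or the next key
    tokens = _TOKEN.findall(text)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("#"):
            pass  # comment
        elif tok == "{":
            if pending is None:
                raise ValueError("section without a name")
            section: Dict[str, Any] = {}
            stack[-1][pending] = section
            stack.append(section)
            pending = None
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif tok == "=":
            if pending is None or i + 1 >= len(tokens) or tokens[i + 1] in ("{", "}", "="):
                raise ValueError("malformed assignment")
            stack[-1][pending] = tokens[i + 1]
            pending = None
            i += 1  # consume the value
        else:
            pending = tok
        i += 1
    if len(stack) != 1:
        raise ValueError("unbalanced '{'")
    return root


def lint_remote_access(conf: Dict[str, Any]) -> List[str]:
    """One finding per connection whose send_cert is not 'always' (unset means swanctl's default 'ifasked')."""
    findings: List[str] = []
    for name, conn in conf.get("connections", {}).items():
        if not isinstance(conn, dict):
            continue
        send_cert = conn.get("send_cert", "ifasked")
        if send_cert != "always":
            findings.append(
                f"{name}: send_cert is '{send_cert}', so the server certificate is only sent "
                "when the client asks for it; set send_cert = always"
            )
    return findings


def auth_summary(conf: Dict[str, Any]) -> Dict[str, Dict[str, str]]:
    """Per connection: send_cert value and the auth method of every local*/remote* round (default pubkey)."""
    out: Dict[str, Dict[str, str]] = {}
    for name, conn in conf.get("connections", {}).items():
        if not isinstance(conn, dict):
            continue
        entry = {"send_cert": conn.get("send_cert", "ifasked")}
        for key, sub in conn.items():
            if isinstance(sub, dict) and key.startswith(("local", "remote")):
                entry[key] = sub.get("auth", "pubkey")
        out[name] = entry
    return out


if __name__ == "__main__":
    for label, text in (("faulty", FAULTY_CONF), ("fixed", FIXED_CONF)):
        conf = parse_swanctl(text)
        print(label, auth_summary(conf))
        for finding in lint_remote_access(conf):
            print("   ", finding)
```

Run as a script it prints the auth summary for both variants; the posted config yields one finding (no `send_cert`), the fixed one none. Because the tokenizer ignores line breaks, the same parser accepts configs pasted into a mail client that flattened them onto one line, which is how they appear in this thread.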
Re: [strongSwan] Strongswan IKEv2 certificates - "user authentication failed" ????

Try the following for "remote":

    remote {
        auth = eap-tls
        eap_id = %any
    }

--Jafar

On 4/24/21 10:33 PM, pLAN9 Administrator wrote:
> I am trying to set up Strongswan to act as a remote access server for an iPhone using IKEv2 certificate auth. It is a major headache!
>
> I have made sure to set the SAN in both the server and phone certificate. Here is the server SAN:
>
>     X509v3 extensions:
>         X509v3 Subject Alternative Name:
>             DNS:echo.pLAN9.co
>         X509v3 Extended Key Usage:
>             TLS Web Server Authentication, TLS Web Client Authentication
>
> Here is the phone SAN:
>
>     X509v3 extensions:
>         X509v3 Subject Alternative Name:
>             DNS:pLAN9-iPhone.pLAN9.co
>         X509v3 Extended Key Usage:
>             TLS Web Server Authentication, TLS Web Client Authentication
>
> Here is /etc/swanctl/swanctl.conf:
>
>     connections {
>         RA {
>             local_addrs = %any
>             local {
>                 auth = pubkey
>                 certs = ECHO.crt
>                 id = @echo.pLAN9.co
>             }
>             remote {
>                 auth = pubkey
>                 id = %any
>             }
>             children {
>                 net {
>                     local_ts = 0.0.0.0/0
>                     esp_proposals = aes256-sha256
>                 }
>             }
>             version = 2
>             proposals = aes256-sha256-modp2048
>             send_certreq = no
>             pools = pool
>         }
>     }
>     pools {
>         pool {
>             addrs = 172.16.16.64/29
>             dns = 172.16.16.1
>         }
>     }
>
> Here is the output of a connection:
>
>     01[NET] received packet: from IPHONE_IP[9975] to STRONGSWAN_IP[500] (604 bytes)
>     01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>     01[IKE] IPHONE_IP is initiating an IKE_SA
>     01[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>     01[IKE] remote host is behind NAT
>     01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
>     01[NET] sending packet: from STRONGSWAN_IP[500] to IPHONE_IP[9975] (456 bytes)
>     10[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (532 bytes)
>     10[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
>     13[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (532 bytes)
>     10[ENC] received fragment #1 of 4, waiting for complete IKE message
>     13[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
>     13[ENC] received fragment #2 of 4, waiting for complete IKE message
>     14[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (532 bytes)
>     14[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
>     01[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (180 bytes)
>     14[ENC] received fragment #3 of 4, waiting for complete IKE message
>     01[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
>     01[ENC] received fragment #4 of 4, reassembled fragmented IKE message (1552 bytes)
>     01[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
>     01[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
>     01[IKE] received end entity cert "CN=pLAN9-iPhone"
>     01[CFG] looking for peer configs matching STRONGSWAN_IP[echo.plan9.co]...IPHONE_IP[pLAn9-iPhone.pLAN9.co]
>     01[CFG] selected peer config 'RA'
>     01[CFG] using certificate "CN=pLAN9-iPhone"
>     01[CFG] using trusted ca certificate "CN=pLAN9 CA 2019-2021"
>     01[CFG] checking certificate status of "CN=pLAN9-iPhone"
>     01[CFG] certificate status is not available
>     01[CFG] reached self-signed root ca with a path length of 0
>     01[IKE] authentication of 'pLAn9-iPhone.pLAN9.co' with RSA signature successful
>     01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>     01[IKE] peer supports MOBIKE
>     01[IKE] authentication of 'echo.plan9.co' (myself) with RSA signature successful
>     01[IKE] IKE_SA RA[2] established between STRONGSWAN_IP[echo.plan9.co]...IPHONE_IP[pLAn9-iPhone.pLAN9.co]
>     01[IKE] scheduling rekeying in 13941s
>     01[IKE] maximum IKE_SA lifetime 15381s
>     01[IKE] peer requested virtual IP %any
>     01[CFG] assigning new lease to 'pLAn9-iPhone.pLAN9.co'
>     01[IKE] assigning virtual IP 172.16.16.65 to peer 'pLAn9-iPhone.pLAN9.co'
>     01[IKE] peer requested virtual IP %any6
>     01[IKE] no virtual IP found for %any6 requested by