Re: [strongSwan] Failing to login due to constraint check failed
> why it wasn't sending identity before but does send it now?

The client now offers EAP authentication by omitting the AUTH payload in the first IKE_AUTH exchange. This allows the server to trigger the EAP-Identity exchange, followed by EAP-MSCHAPv2.

> and why does authentication fail?

The client rejects the EAP-MSCHAPv2 method with EAP-NAK. It is configured to use something else or does not support it. AFAIK iOS supports EAP-MSCHAPv2, so most likely this is a client configuration issue.

Regards
Martin

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
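Martin's diagnosis rests on two things that are visible in charon's own output: whether the initiator's first IKE_AUTH request carries an AUTH payload (if it does, the client is authenticating with the PSK and EAP will never start, which is what produced the "constraint check failed: EAP identity '%any' required" line earlier in the thread), and, once EAP is offered, whether the client answers the EAP-MSCHAPv2 request with EAP/RES/NAK. The Python script below is an added example, not part of this thread and not strongSwan code: it parses charon log lines in the format quoted here and reports which of the two failure modes an excerpt shows. The sample excerpts are drawn from the logs posted in the thread; the field names, the verdict strings and the `Triage` dataclass are this example's own.

```python
"""Triage strongSwan charon logs for IKEv2 EAP negotiation failures.

Added example, not strongSwan code. Assumes the charon log line format seen
in this thread: "<Mon DD HH:MM:SS> <thread>[GROUP] [<sa-id>] <message>".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\]"
    r"(?: <(?P<sa>\d+)>)? (?P<msg>.*)$"
)
# Payload list of an IKE_AUTH request, e.g. "[ IDi N(INIT_CONTACT) IDr AUTH ... ]"
PAYLOADS_RE = re.compile(r"parsed IKE_AUTH request (?P<mid>\d+) \[ (?P<payloads>.*?) \]")
METHOD_RE = re.compile(r"initiating (?P<method>EAP_[A-Z0-9_]+) method")
IDENTITY_RE = re.compile(r"received EAP identity '(?P<id>[^']*)'")


@dataclass
class Triage:
    verdict: str          # PSK_NO_EAP, EAP_NAK, EAP_SUCCESS, INCOMPLETE or NO_IKE_AUTH
    reason: str
    eap_offered: bool = False
    eap_identity: Optional[str] = None
    eap_methods: List[str] = field(default_factory=list)
    first_auth_payloads: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[dict]:
    """Split one charon log line into its fields; None if it is not a charon line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text: str) -> Triage:
    """Classify the IKE_AUTH phase of one IKE_SA from a charon log excerpt."""
    msgs = [e["msg"] for e in map(parse_line, log_text.splitlines()) if e]

    # Payloads of the initiator's first IKE_AUTH request (message id 1).
    first_payloads: List[str] = []
    for msg in msgs:
        pm = PAYLOADS_RE.search(msg)
        if pm and pm.group("mid") == "1":
            first_payloads = pm.group("payloads").split()
            break

    methods = [METHOD_RE.search(m).group("method") for m in msgs if METHOD_RE.search(m)]
    identity = next((IDENTITY_RE.search(m).group("id") for m in msgs if IDENTITY_RE.search(m)), None)

    if not first_payloads:
        return Triage("NO_IKE_AUTH", "no IKE_AUTH request in this excerpt")

    # RFC 7296 section 2.16: an initiator that wants to use EAP leaves the AUTH
    # payload out of its first IKE_AUTH message. If AUTH is present, the client
    # is authenticating with a PSK or certificate and EAP will never start.
    eap_offered = "AUTH" not in first_payloads
    result = Triage("INCOMPLETE", "EAP offered; exchange not finished in this excerpt",
                    eap_offered, identity, methods, first_payloads)

    if not eap_offered:
        result.verdict = "PSK_NO_EAP"
        result.reason = "client sent AUTH in its first IKE_AUTH, so EAP was never offered"
        if any("constraint check failed: EAP identity" in m for m in msgs):
            result.reason += "; server config demands an EAP identity (eap_identity=%any)"
    elif any("received EAP_NAK" in m for m in msgs):
        result.verdict = "EAP_NAK"
        last = methods[-1] if methods else "unknown"
        result.reason = f"client rejected EAP method {last} with EAP-NAK"
    elif any("with EAP successful" in m or "EAP/SUCC" in m for m in msgs):
        result.verdict = "EAP_SUCCESS"
        result.reason = "EAP authentication completed"
    return result


# Constructed samples: lines drawn from the two charon excerpts quoted in this thread.
LOG_PSK_ONLY = """\
May 27 08:16:00 13[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
May 27 08:16:00 13[CFG] selected peer config 'ios8'
May 27 08:16:00 13[IKE] authentication of '%any' with pre-shared key successful
May 27 08:16:00 13[CFG] constraint check failed: EAP identity '%any' required
May 27 08:16:00 13[CFG] selected peer config 'ios8' inacceptable: non-matching authentication done
"""

LOG_EAP_NAK = """\
May 27 11:29:08 04[ENC] <2> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
May 27 11:29:08 04[IKE] initiating EAP_IDENTITY method (id 0x00)
May 27 11:29:08 04[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
May 27 11:29:08 03[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
May 27 11:29:08 03[IKE] received EAP identity 'gilad'
May 27 11:29:08 03[IKE] initiating EAP_MSCHAPV2 method (id 0x71)
May 27 11:29:08 02[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
May 27 11:29:08 02[IKE] received EAP_NAK, sending EAP_FAILURE
"""

if __name__ == "__main__":
    for name, text in (("psk-only", LOG_PSK_ONLY), ("eap-nak", LOG_EAP_NAK)):
        t = triage(text)
        print(f"{name}: {t.verdict} - {t.reason}")
```

Run against a longer `charon` log, filter the lines for one IKE_SA id first (the `<1>`, `<2>` markers) so that `triage()` sees a single exchange; the `AUTH`-in-first-IKE_AUTH test is the one that separates a client that never offered EAP from one that offered it and then refused the method.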
Re: [strongSwan] Failing to login due to constraint check failed
Same code now fails on EAP authentication (username/password are valid):

May 27 11:29:08 16[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 27 11:29:08 16[CFG] <2> looking for an ike config for 1.2.3.4...5.6.7.8
May 27 11:29:08 16[CFG] <2> candidate: %any...%any, prio 28
May 27 11:29:08 16[CFG] <2> found matching ike config: %any...%any with prio 28
May 27 11:29:08 16[IKE] <2> 5.6.7.8 is initiating an IKE_SA
May 27 11:29:08 16[CFG] <2> selecting proposal:
May 27 11:29:08 16[CFG] <2> no acceptable ENCRYPTION_ALGORITHM found
May 27 11:29:08 16[CFG] <2> selecting proposal:
May 27 11:29:08 16[CFG] <2> no acceptable DIFFIE_HELLMAN_GROUP found
May 27 11:29:08 16[CFG] <2> selecting proposal:
May 27 11:29:08 16[CFG] <2> proposal matches
May 27 11:29:08 16[CFG] <2> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 27 11:29:08 16[CFG] <2> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
May 27 11:29:08 16[CFG] <2> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 27 11:29:08 16[IKE] <2> remote host is behind NAT
May 27 11:29:08 16[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
May 27 11:29:08 16[NET] <2> sending packet: from 1.2.3.4[500] to 5.6.7.8[500] (308 bytes)
May 27 11:29:08 04[NET] <2> received packet: from 5.6.7.8[55146] to 1.2.3.4[4500] (316 bytes)
May 27 11:29:08 04[ENC] <2> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
May 27 11:29:08 04[CFG] <2> looking for peer configs matching 1.2.3.4[vpn.domain.org]...5.6.7.8[gilad]
May 27 11:29:08 04[CFG] <2> candidate "ios8", match: 20/1/28 (me/other/ike)
May 27 11:29:08 04[CFG] selected peer config 'ios8'
May 27 11:29:08 04[IKE] initiating EAP_IDENTITY method (id 0x00)
May 27 11:29:08 04[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
May 27 11:29:08 04[IKE] authentication of 'vpn.domain.org' (myself) with pre-shared key
May 27 11:29:08 04[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
May 27 11:29:08 04[NET] sending packet: from 1.2.3.4[4500] to 5.6.7.8[55146] (116 bytes)
May 27 11:29:08 03[NET] received packet: from 5.6.7.8[55146] to 1.2.3.4[4500] (68 bytes)
May 27 11:29:08 03[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
May 27 11:29:08 03[IKE] received EAP identity 'gilad'
May 27 11:29:08 03[IKE] initiating EAP_MSCHAPV2 method (id 0x71)
May 27 11:29:08 03[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
May 27 11:29:08 03[NET] sending packet: from 1.2.3.4[4500] to 5.6.7.8[55146] (100 bytes)
May 27 11:29:08 02[NET] received packet: from 5.6.7.8[55146] to 1.2.3.4[4500] (68 bytes)
May 27 11:29:08 02[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
May 27 11:29:08 02[IKE] received EAP_NAK, sending EAP_FAILURE
May 27 11:29:08 02[ENC] generating IKE_AUTH response 3 [ EAP/FAIL ]
May 27 11:29:08 02[NET] sending packet: from 1.2.3.4[4500] to 5.6.7.8[55146] (68 bytes)

I'm completely lost here: why wasn't it sending the identity before but does send it now? And why does authentication fail?
-Gilad

On 2015-05-27 16:28, Martin Willi wrote:
> Hi,
>
>> What I don't understand is why it is failing on EAP identity when I clearly
>> defined 'eap_identity=%any'
>
>> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N)
>> authentication of '%any' with pre-shared key
>> constraint check failed: EAP identity '%any' required
>
> Your client does not initiate EAP, but authenticates with a pre-shared key. It does not provide an EAP-Identity matching "%any", as no EAP-Identity is exchanged at all.
>
> If you want to do EAP-MSCHAPv2 with iOS IKEv2, set ExtendedAuthEnabled, see [1].
>
> Regards
> Martin
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
Re: [strongSwan] Failing to login due to constraint check failed
Hi,

Thanks for your answer. I do set the extended authentication (I do it programmatically):

    NEVPNProtocolIKEv2* p = [[NEVPNProtocolIKEv2 alloc] init];
    // useExtendedAuthentication is a plain BOOL property, so it takes YES, not the boxed @YES
    p.useExtendedAuthentication = YES;
    p.username = @"gilad";
    p.passwordReference = < password data >;
    p.serverAddress = @"1.2.3.4";
    p.authenticationMethod = NEVPNIKEAuthenticationMethodSharedSecret;
    p.sharedSecretReference = < secret data >;
    p.localIdentifier = @"gilad";
    p.remoteIdentifier = @"vpn.domain.org";
    p.disconnectOnSleep = NO;

It is working when I use a profile, but I'm trying to set the connection manually within my iOS app. It might be a bug with Apple's SDK, although it states:

    /*!
     * @property useExtendedAuthentication
     * @discussion A flag indicating if extended authentication will be negotiated. This authentication is in addition to the IKE authentication used to authenticate the endpoints of the IKE session.
     *   For IKE version 1, when this flag is set X-Auth authentication will be negotiated as part of the IKE session, using the username and password properties as the credential.
     *   For IKE version 2, when this flag is set EAP authentication will be negotiated as part of the IKE session, using the username, password, and/or identity properties as the credential depending on which EAP method the server requires.
     */
    @property BOOL useExtendedAuthentication NS_AVAILABLE(10_10, 8_0);

In that case, how can I configure the server to accept connections from my iOS app?
Thanks,
Gilad

On 2015-05-27 16:28, Martin Willi wrote:
> Hi,
>
>> What I don't understand is why it is failing on EAP identity when I clearly
>> defined 'eap_identity=%any'
>
>> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N)
>> authentication of '%any' with pre-shared key
>> constraint check failed: EAP identity '%any' required
>
> Your client does not initiate EAP, but authenticates with a pre-shared key. It does not provide an EAP-Identity matching "%any", as no EAP-Identity is exchanged at all.
>
> If you want to do EAP-MSCHAPv2 with iOS IKEv2, set ExtendedAuthEnabled, see [1].
>
> Regards
> Martin
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
Re: [strongSwan] Failing to login due to constraint check failed
Hi,

> What I don't understand is why it is failing on EAP identity when I clearly
> defined 'eap_identity=%any'

> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N)
> authentication of '%any' with pre-shared key
> constraint check failed: EAP identity '%any' required

Your client does not initiate EAP, but authenticates with a pre-shared key. It does not provide an EAP-Identity matching "%any", as no EAP-Identity is exchanged at all.

If you want to do EAP-MSCHAPv2 with iOS IKEv2, set ExtendedAuthEnabled, see [1].

Regards
Martin

[1] https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
[strongSwan] Failing to login due to constraint check failed
I have a strongswan setup which is failing when I try to log in via iOS8 (IKEv2). What I don't understand is why it is failing on EAP identity when I clearly defined 'eap_identity=%any'. Any ideas?

May 27 08:15:50 00[DMN] Starting IKE charon daemon (strongSwan 5.3.0, Linux 3.13.0-43-generic, x86_64)
May 27 08:15:50 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 27 08:15:50 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 27 08:15:50 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 27 08:15:50 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 27 08:15:50 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 27 08:15:50 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 27 08:15:50 00[CFG] loaded IKE secret for %any
May 27 08:15:50 00[CFG] loaded EAP secret for gilad
May 27 08:15:50 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem gcrypt fips-prf gmp agent xcbc cmac hmac attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls xauth-generic
May 27 08:15:50 00[JOB] spawning 16 worker threads
May 27 08:15:50 11[CFG] received stroke: add connection 'ios8'
May 27 08:15:50 11[CFG] conn ios8
May 27 08:15:50 11[CFG] left=%any
May 27 08:15:50 11[CFG] leftsubnet=0.0.0.0/0
May 27 08:15:50 11[CFG] leftauth=psk
May 27 08:15:50 11[CFG] leftid=vpn.domain.org
May 27 08:15:50 11[CFG] right=%any
May 27 08:15:50 11[CFG] rightsourceip=10.0.0.0/15
May 27 08:15:50 11[CFG] rightdns=8.8.8.8,8.8.4.4
May 27 08:15:50 11[CFG] rightauth=eap-mschapv2
May 27 08:15:50 11[CFG] eap_identity=%any
May 27 08:15:50 11[CFG] ike=aes128-sha1-modp2048,3des-sha1-modp1536
May 27 08:15:50 11[CFG] esp=aes128-sha1,3des-sha1
May 27 08:15:50 11[CFG] dpddelay=30
May 27 08:15:50 11[CFG] dpdtimeout=150
May 27 08:15:50 11[CFG] dpdaction=1
May 27 08:15:50 11[CFG] mediation=no
May 27 08:15:50 11[CFG] keyexchange=ikev2
May 27 08:15:50 11[CFG] left nor right host is our side, assuming left=local
May 27 08:15:50 11[CFG] adding virtual IP address pool 10.0.0.0/15
May 27 08:15:50 11[CFG] added configuration 'ios8'
May 27 08:16:00 06[NET] <1> received packet: from 5.6.7.8[500] to 1.2.3.4[500] (284 bytes)
May 27 08:16:00 06[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 27 08:16:00 06[CFG] <1> looking for an ike config for 1.2.3.4...5.6.7.8
May 27 08:16:00 06[CFG] <1> candidate: %any...%any, prio 28
May 27 08:16:00 06[CFG] <1> found matching ike config: %any...%any with prio 28
May 27 08:16:00 06[IKE] <1> 5.6.7.8 is initiating an IKE_SA
May 27 08:16:00 06[CFG] <1> selecting proposal:
May 27 08:16:00 06[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
May 27 08:16:00 06[CFG] <1> selecting proposal:
May 27 08:16:00 06[CFG] <1> no acceptable DIFFIE_HELLMAN_GROUP found
May 27 08:16:00 06[CFG] <1> selecting proposal:
May 27 08:16:00 06[CFG] <1> proposal matches
May 27 08:16:00 06[CFG] <1> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 27 08:16:00 06[CFG] <1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
May 27 08:16:00 06[CFG] <1> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 27 08:16:00 06[IKE] <1> remote host is behind NAT
May 27 08:16:00 06[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
May 27 08:16:00 06[NET] <1> sending packet: from 1.2.3.4[500] to 5.6.7.8[500] (308 bytes)
May 27 08:16:00 13[NET] <1> received packet: from 5.6.7.8[55612] to 1.2.3.4[4500] (348 bytes)
May 27 08:16:00 13[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
May 27 08:16:00 13[CFG] <1> looking for peer configs matching 1.2.3.4[vpn.domain.org]...5.6.7.8[%any]
May 27 08:16:00 13[CFG] <1> candidate "ios8", match: 20/1/28 (me/other/ike)
May 27 08:16:00 13[CFG] selected peer config 'ios8'
May 27 08:16:00 13[IKE] authentication of '%any' with pre-shared key successful
May 27 08:16:00 13[CFG] constraint check failed: EAP identity '%any' required
May 27 08:16:00 13[CFG] selected peer config 'ios8' inacceptable: non-matching authentication done
May 27 08:16: