Re: [strongSwan] Strange issue. Can't connect.
Ok, I changed remote { auth = eap-tls ... and tried again, and now on the client side I'm getting EAP_TLS not supported! Getting there.... Now to figure out how to enable it on the client.

SERVER

Jun 12 14:22:22 08[CFG] looking for peer configs matching 10.0.0.49[%any]...x.x.x.x[remote.user]
Jun 12 14:22:22 08[CFG] peer config match local: 1 (ID_ANY -> )
Jun 12 14:22:22 08[CFG] peer config match remote: 1 (ID_FQDN -> 63:68:72:69:73:2e:6f:72:63:68:61:72:64:2e:76:69:76:61:63:65:2e:74:65:63:68)
Jun 12 14:22:22 08[CFG] ike config match: 28 (10.0.0.49 x.x.x.x IKEv2)
Jun 12 14:22:22 08[CFG] candidate "ecdsa", match: 1/1/28 (me/other/ike)
Jun 12 14:22:22 08[CFG] peer config match local: 1 (ID_ANY -> )
Jun 12 14:22:22 08[CFG] peer config match remote: 1 (ID_FQDN -> 63:68:72:69:73:2e:6f:72:63:68:61:72:64:2e:76:69:76:61:63:65:2e:74:65:63:68)
Jun 12 14:22:22 08[CFG] ike config match: 28 (10.0.0.49 x.x.x.x IKEv2)
Jun 12 14:22:22 08[CFG] candidate "rsa", match: 1/1/28 (me/other/ike)
Jun 12 14:22:22 08[CFG] selected peer config 'ecdsa'
Jun 12 14:22:22 08[IKE] initiating EAP_IDENTITY method (id 0x00)
Jun 12 14:22:22 08[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jun 12 14:22:22 08[IKE] processing INTERNAL_IP4_DNS attribute
Jun 12 14:22:22 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun 12 14:22:22 08[IKE] peer supports MOBIKE
Jun 12 14:22:22 08[IKE] authentication of 'vpnserver1' (myself) with ECDSA_WITH_SHA384_DER successful
Jun 12 14:22:22 08[IKE] sending end entity cert "C=GB, CN=vpnserver1"
Jun 12 14:22:22 12[IKE] received EAP identity 'remote.user'
Jun 12 14:22:22 12[IKE] initiating EAP_TLS method (id 0x6A)
Jun 12 14:22:22 10[IKE] received EAP_NAK, sending EAP_FAILURE
Jun 12 14:22:22 10[IKE] IKE_SA ecdsa[2] state change: CONNECTING => DESTROYING

CLIENT

00[DMN] Starting charon-cmd IKE client (strongSwan 5.6.3, Darwin 17.5.0, x86_64)
00[LIB] loaded plugins: charon-cmd nonce x509 revocation constraints pubkey pkcs1 pkcs8 sshkey pem openssl curve25519 kernel-pfkey kernel-pfroute socket-default eap-identity eap-md5 eap-gtc eap-mschapv2 xauth-generic osx-attr
00[JOB] spawning 16 worker threads
07[IKE] initiating IKE_SA cmd[1] to x.x.x.x
07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
07[NET] sending packet: from 192.168.1.31[51903] to x.x.x.x[4500] (712 bytes)
09[NET] received packet: from x.x.x.x[4500] to 192.168.1.31[51903] (289 bytes)
09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
09[IKE] local host is behind NAT, sending keep alives
09[IKE] remote host is behind NAT
09[IKE] received cert request for "CN=Vivace Root CA"
09[IKE] sending cert request for "CN=Vivace Root CA"
09[IKE] establishing CHILD_SA cmd{1}
09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
09[NET] sending packet: from 192.168.1.31[64672] to x.x.x.x[4500] (352 bytes)
10[NET] received packet: from x.x.x.x[4500] to 192.168.1.31[64672] (1152 bytes)
10[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
10[IKE] received end entity cert "C=GB, CN=vpnserver1"
10[CFG] using certificate "C=GB, CN=vpnserver1"
10[CFG] using trusted ca certificate "CN=Vivace Root CA"
10[CFG] checking certificate status of "C=GB, CN=vpnserver1"
10[CFG] certificate status is not available
10[CFG] reached self-signed root ca with a path length of 0
10[IKE] authentication of 'vpnserver1' with ECDSA_WITH_SHA384_DER successful
10[IKE] server requested EAP_IDENTITY (id 0x00), sending 'remote.user'
10[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
10[NET] sending packet: from 192.168.1.31[64672] to x.x.x.x[4500] (112 bytes)
11[NET] received packet: from x.x.x.x[4500] to 192.168.1.31[64672] (80 bytes)
11[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TLS ]
11[IKE] server requested EAP_TLS authentication (id 0x6A)
11[IKE] EAP method not supported, sending EAP_NAK
11[ENC] generating IKE_AUTH request 3 [ EAP/RES/NAK ]
11[NET] sending packet: from 192.168.1.31[64672] to x.x.x.x[4500] (80 bytes)
12[NET] received packet: from x.x.x.x[4500] to 192.168.1.31[64672] (80 bytes)
12[ENC] parsed IKE_AUTH response 3 [ EAP/FAIL ]
12[IKE] received EAP_FAILURE, EAP authentication failed
12[ENC] generating INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
12[NET] sending packet: from 192.168.1.31[64672] to x.x.x.x[4500] (80 bytes)

> On 12 Jun 2018, at 15:20, Tobias Brunner wrote:
>
>> It's using eap-dynamic with eap-tls as the preferred.
>
> The latter is doubtful because EAP-MSCHAPv2 is the method initiated by
> the server (and not as response to an EAP-Nak by the client).
>
> Regards,
> Tobias
Re: [strongSwan] Strange issue. Can't connect.
> It's using eap-dynamic with eap-tls as the preferred.

The latter is doubtful because EAP-MSCHAPv2 is the method initiated by the server (and not as response to an EAP-Nak by the client).

Regards,
Tobias
Re: [strongSwan] Strange issue. Can't connect.
It's using eap-dynamic with eap-tls as the preferred.

> On 12 Jun 2018, at 15:17, Tobias Brunner wrote:
>
>> With that option, it's asking for MSCHAPV2
>
> Why did you configure a client certificate then? If the server is
> configured to do EAP-MSCHAPv2 no client certificate/key is needed, but a
> password instead.
>
> Regards,
> Tobias
Re: [strongSwan] Strange issue. Can't connect.
> With that option, it's asking for MSCHAPV2

Why did you configure a client certificate then? If the server is configured to do EAP-MSCHAPv2, no client certificate/key is needed, but a password instead.

Regards,
Tobias
Re: [strongSwan] Strange issue. Can't connect.
With that option, it's asking for MSCHAPV2

CLIENT

10[IKE] server requested EAP_IDENTITY (id 0x00), sending 'remote.user'
10[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
10[NET] sending packet: from 192.168.1.31[54408] to x.x.x.x[4500] (112 bytes)
11[NET] received packet: from x.x.x.x[4500] to 192.168.1.31[54408] (112 bytes)
11[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
11[IKE] server requested EAP_MSCHAPV2 authentication (id 0xA8)

SERVER

Jun 12 13:43:19 13[IKE] received EAP identity 'remote.user'
Jun 12 13:43:19 13[IKE] EAP_MSCHAPV2 method selected
Jun 12 13:43:19 13[IKE] initiating EAP_MSCHAPV2 method (id 0xA8)

> On 12 Jun 2018, at 14:40, Tobias Brunner wrote:
>
> Hi Christian,
>
>> Ok, I changed my command line to now read
>>
>> sudo charon-cmd --host x.x.x.x --identity remote.user --p12 remote.user.p12
>
> The server expects the client to authenticate with EAP, but the client
> will not do that automatically if you configure a private
> key/certificate (it then uses the profile ikev2-pub to use regular
> pubkey authentication). If you want to use EAP-TLS instead, add
> --profile ikev2-eap to the command line.
>
> Regards,
> Tobias
Re: [strongSwan] Strange issue. Can't connect.
Hi Christian,

> Ok, I changed my command line to now read
>
> sudo charon-cmd --host x.x.x.x --identity remote.user --p12 remote.user.p12

The server expects the client to authenticate with EAP, but the client will not do that automatically if you configure a private key/certificate (it then uses the profile ikev2-pub to use regular pubkey authentication). If you want to use EAP-TLS instead, add --profile ikev2-eap to the command line.

Regards,
Tobias
Re: [strongSwan] Strange issue. Can't connect.
Ok, I changed my command line to now read

sudo charon-cmd --host x.x.x.x --identity remote.user --p12 remote.user.p12

But I am still getting failed login. This works in OSX's built-in VPN client, so I know the certificate is good.

SERVER

Jun 12 13:24:00 07[IKE] x.x.x.x is initiating an IKE_SA
Jun 12 13:24:00 07[IKE] IKE_SA (unnamed)[6] state change: CREATED => CONNECTING
Jun 12 13:24:00 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Jun 12 13:24:00 07[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
Jun 12 13:24:00 07[IKE] local host is behind NAT, sending keep alives
Jun 12 13:24:00 07[IKE] remote host is behind NAT
Jun 12 13:24:00 07[CFG] sending supported signature hash algorithms: sha256 sha384 sha512 identity
Jun 12 13:24:00 07[IKE] sending cert request for "CN=Vivace Root CA"
Jun 12 13:24:01 11[IKE] received cert request for "CN=Vivace Root CA"
Jun 12 13:24:01 11[IKE] received end entity cert "C=GB, CN=remote.user"
Jun 12 13:24:01 11[CFG] looking for peer configs matching 10.0.0.49[%any]...x.x.x.x[remote.user]
Jun 12 13:24:01 11[CFG] peer config match local: 1 (ID_ANY -> )
Jun 12 13:24:01 11[CFG] peer config match remote: 1 (ID_FQDN -> 63:68:72:69:73:2e:6f:72:63:68:61:72:64:2e:76:69:76:61:63:65:2e:74:65:63:68)
Jun 12 13:24:01 11[CFG] ike config match: 28 (10.0.0.49 x.x.x.x IKEv2)
Jun 12 13:24:01 11[CFG] candidate "ecdsa", match: 1/1/28 (me/other/ike)
Jun 12 13:24:01 11[CFG] peer config match local: 1 (ID_ANY -> )
Jun 12 13:24:01 11[CFG] peer config match remote: 1 (ID_FQDN -> 63:68:72:69:73:2e:6f:72:63:68:61:72:64:2e:76:69:76:61:63:65:2e:74:65:63:68)
Jun 12 13:24:01 11[CFG] ike config match: 28 (10.0.0.49 x.x.x.x IKEv2)
Jun 12 13:24:01 11[CFG] candidate "rsa", match: 1/1/28 (me/other/ike)
Jun 12 13:24:01 11[CFG] selected peer config 'ecdsa'
Jun 12 13:24:01 11[CFG] certificate "C=GB, CN=remote.user" key: 384 bit ECDSA
Jun 12 13:24:01 11[CFG] using trusted ca certificate "CN=Vivace Root CA"
Jun 12 13:24:01 11[CFG] checking certificate status of "C=GB, CN=remote.user"
Jun 12 13:24:01 11[CFG] ocsp check skipped, no ocsp found
Jun 12 13:24:01 11[CFG] certificate status is not available
Jun 12 13:24:01 11[CFG] certificate "CN=Vivace Root CA" key: 4096 bit RSA
Jun 12 13:24:01 11[CFG] reached self-signed root ca with a path length of 0
Jun 12 13:24:01 11[CFG] using trusted certificate "C=GB, CN=remote.user"
Jun 12 13:24:01 11[IKE] authentication of 'remote.user' with ECDSA_WITH_SHA384_DER successful
Jun 12 13:24:01 11[CFG] constraint check failed: EAP identity '%any' required
Jun 12 13:24:01 11[CFG] selected peer config 'ecdsa' inacceptable: non-matching authentication done
Jun 12 13:24:01 11[CFG] switching to peer config 'rsa'
Jun 12 13:24:01 11[CFG] constraint check failed: EAP identity '%any' required
Jun 12 13:24:01 11[CFG] selected peer config 'rsa' inacceptable: non-matching authentication done
Jun 12 13:24:01 11[CFG] no alternative config found

> On 12 Jun 2018, at 14:07, Tobias Brunner wrote:
>
> Hi Christian,
>
>> From what I can see, I'm requesting --remote-identity vpnserver but the
>> server is choosing vpnserver1.
>
> charon-cmd does not send the configured identity (i.e. it does not send
> an IDr payload). The configured identity is only used to match against
> the returned identity/certificate. This is basically as if you
> configured rightid=%vpnserver in ipsec.conf. So the server is free to
> select whichever config it wants (it will just use the first one
> loaded), so if you have multiple matching configs (based on the IPs and
> IKE version) with different identities this could be problematic.
>
> Regards,
> Tobias
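A small log checker for the two failure signatures this thread shows: the server's "constraint check failed: EAP identity '%any' required" when the client authenticated with its certificate instead of EAP (the message above), and the client's "EAP method not supported, sending EAP_NAK" when it lacks the plugin for the EAP method the server initiated (the later EAP-TLS attempt). It is an added example, not code from the thread or from the strongSwan project; the sample lines are constructed from the logs quoted in the thread, and the EAP_TLS -> eap-tls plugin-name mapping is an assumption of the example.

```python
import re

# Failure symptoms from this thread's charon logs and what each one means.
RULES = [
    (r"constraint check failed: EAP identity '%any' required",
     "server requires EAP but the client did certificate (pubkey) auth; "
     "with charon-cmd add --profile ikev2-eap"),
    (r"EAP method not supported, sending EAP_NAK",
     "client has no plugin for the EAP method the server initiated"),
]

# Optional syslog timestamp, then "<thread>[<group>] <message>".
LINE_RE = re.compile(r"^(?:\w{3}\s+\d+ [\d:]+ )?(\d+)\[(\w+)\] (.*)$")

# Sample lines, constructed here from the logs quoted in the thread.
CLIENT_LOG = """\
00[LIB] loaded plugins: charon-cmd nonce x509 pem openssl eap-identity eap-md5 eap-mschapv2
11[IKE] server requested EAP_TLS authentication (id 0x6A)
11[IKE] EAP method not supported, sending EAP_NAK
12[IKE] received EAP_FAILURE, EAP authentication failed""".splitlines()

SERVER_LOG = """\
Jun 12 13:24:01 11[IKE] authentication of 'remote.user' with ECDSA_WITH_SHA384_DER successful
Jun 12 13:24:01 11[CFG] constraint check failed: EAP identity '%any' required
Jun 12 13:24:01 11[CFG] no alternative config found""".splitlines()

def parse_line(line):
    """Return (thread, group, message) for a charon log line, else None."""
    m = LINE_RE.match(line.strip())
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None

def diagnose(lines):
    """Return [(group, diagnosis)] for every known symptom in the log."""
    findings = []
    for _, group, msg in filter(None, map(parse_line, lines)):
        findings += [(group, d) for pat, d in RULES if re.search(pat, msg)]
    return findings

def missing_eap_plugin(lines):
    """Return the eap-* plugin a client log shows it needs but did not load.
    Assumes the naming convention EAP_TLS -> eap-tls (an assumption of this
    example; it does not hold for every strongSwan EAP plugin)."""
    loaded, requested = set(), None
    for _, _, msg in filter(None, map(parse_line, lines)):
        if msg.startswith("loaded plugins:"):
            loaded.update(msg.split()[2:])
        m = re.search(r"server requested (EAP_\w+) authentication", msg)
        if m:
            requested = m.group(1).lower().replace("_", "-")
    return requested if requested and requested not in loaded else None
```

Run against a full charon log, diagnose() reports the symptom and missing_eap_plugin() names the plugin the client would have to load (eap-tls here) before the server-side setting can work.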
Re: [strongSwan] Strange issue. Can't connect.
Hi Christian,

> From what I can see, I'm requesting --remote-identity vpnserver but the
> server is choosing vpnserver1.

charon-cmd does not send the configured identity (i.e. it does not send an IDr payload). The configured identity is only used to match against the returned identity/certificate. This is basically as if you configured rightid=%vpnserver in ipsec.conf. So the server is free to select whichever config it wants (it will just use the first one loaded), so if you have multiple matching configs (based on the IPs and IKE version) with different identities this could be problematic.

Regards,
Tobias
Re: [strongSwan] Strange issue. Can't connect.
Basically, Linux users can't connect, which I'm trying to work out why. From what I can see, I'm requesting --remote-identity vpnserver but the server is choosing vpnserver1.

Thanks

> On 12 Jun 2018, at 13:24, Tobias Brunner wrote:
>
> Hi Christian,
>
>> When I try to connect to the VPN server using charon-cmd, I'm instructing
>> it to use vpnserver but the server is responding with vpnserver1. I have
>> two connection configs set up (pasted below). What am I missing??
>
> What exactly confuses you?
>
> Regards,
> Tobias
>
Re: [strongSwan] Strange issue. Can't connect.
Hi Christian,

> When I try to connect to the VPN server using charon-cmd, I'm instructing
> it to use vpnserver but the server is responding with vpnserver1. I have
> two connection configs set up (pasted below). What am I missing??

What exactly confuses you?

Regards,
Tobias