Paul & list:
Okay, so last try on this; it's pretty frustrating. I made the changes in the
ipsec.conf file per your suggestions, and of course it gets farther.

OSX Log Facility Output:
2019-01-28 14:51:16.602342-0500 0x168228 Activity 0xcdd60 66177 0 neagent: (NetworkExtension) IKEv2 processing socket read event
2019-01-28 14:51:16.602452-0500 0x168228 Activity 0xcdd61 66177 0 neagent: (NetworkExtension) IKEv2 processing socket read event
2019-01-28 14:51:16.602494-0500 0x168228 Activity 0xcdd62 66177 0 neagent: (NetworkExtension) IKEv2 processing socket read event
2019-01-28 14:51:16.602538-0500 0x168228 Activity 0xcdd63 66177 0 neagent: (NetworkExtension) IKEv2 processing socket read event
2019-01-28 14:51:16.602803-0500 0x168210 Activity 0xcdd64 66177 0 neagent: (Security) SecTrustEvaluateIfNecessary
2019-01-28 14:51:16.602882-0500 0x168228 Activity 0xcdd65 66177 0 neagent: (NetworkExtension) IKEv2 processing socket read event
2019-01-28 14:51:16.609829-0500 0x168210 Default  0x0 66177 0 neagent: (Security) [com.apple.securityd:SecError] Trust evaluate failure: [leaf SSLHostname]
2019-01-28 14:51:16.609832-0500 0x168210 Error    0x0 66177 0 neagent: (NetworkExtension) [com.apple.networkextension:] Certificate evaluation error = kSecTrustResultRecoverableTrustFailure
2019-01-28 14:51:16.609840-0500 0x168210 Error    0x0 66177 0 neagent: (NetworkExtension) [com.apple.networkextension:] Certificate is not trusted
2019-01-28 14:51:16.609844-0500 0x168210 Error    0x0 66177 0 neagent: (NetworkExtension) [com.apple.networkextension:] Certificate authentication data could not be verified
2019-01-28 14:51:16.609847-0500 0x168210 Error    0x0 66177 0 neagent: (NetworkExtension) [com.apple.networkextension:] Failed to process IKE Auth packet (connect)
Ipsec barf output:
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: proposal 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 chosen from remote proposals
    1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]
    2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256
    3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536
    4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024
    5:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: certificate verified OK: O=Client1,CN=client1.zzz.net
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: No matching subjectAltName found
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: No matching subjectAltName found
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: IKEv2 mode peer ID is ID_FQDN: '@client1.zzz.net'
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: Authenticated using RSA
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: proposal 1:ESP:SPI=08fdfa42;ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED chosen from remote proposals
    1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match]
    2:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED
    3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED
    4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED
    5:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: received unsupported NOTIFY v2N_NON_FIRST_FRAGMENTS_ALSO
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #16: negotiated connection [22.22.22.22-22.22.22.22:0-65535 0] -> [10.0.0.240-10.0.0.240:0-65535 0]
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #16: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0x08fdfa42 <0xb6b7d56a xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=11.11.11.11:4500 DPD=active}
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #14: deleting state (STATE_V2_IPSEC_R) aged 15.101s and NOT sending notification
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #14: ESP traffic information: in=0B out=0B
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: expire unused IKE SA #13 "ikev2-cp"[1] 11.11.11.11
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #13: deleting state (STATE_PARENT_R2) aged 15.167s and sending notification
Commands to make the CA, server and client certs. The server cert was exported and
imported into ipsec. The CA, server and client certificates and keys were exported
using pk12util and imported into the OSX keystore. Tried the "login" keystore and
the "system" keystore, with the CA cert marked "trust always", and on each
subsequent attempt marked the server, and then the client cert, as "trust always".

The error message on the OSX Mojave side is the same, so there is something 
missing in the trust chain I don't see.
certutil -S -x -n "ca.zzz.net" -s "O=zzzz team CA,CN=ca.zzz.net" -k rsa -g 4096 -v 12 -d sql:${HOME}/ca -t "CT,," -2
certutil -S -c "ca.zzz.net" -n "vv.zzz.net" -s "O=VV Server Cert,CN=vv.zzz.net" -k rsa -v 12 -d sql:${HOME}/ca -t ",," -1 -6 --extSAN 'dns:vv.zzz.net,ip:22.22.22.22,ip:10.0.0.194'
certutil -S -c "ca.zzz.net" -n "client1.zzz.net" -s "O=Client1,CN=client1.zzz.net" -k rsa -v 12 -d sql:${HOME}/ca -t ",," -1 -6 -8 "client1.zzz.net"
ipsec.conf:
conn ikev2-cp
    authby=rsasig
    ikev2=insist
    cisco-unity=yes
    # The server's actual IP goes here - not elastic IPs
    left=10.0.0.194
    leftsourceip=22.22.22.22
    leftcert=vv.zzz.net
    [email protected]
    leftsendcert=always
    #leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    # try to structure something to accept this offer: IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024
    ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp2048,aes128-sha1;modp2048,aes-sha2;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024,aes-sha2;modp1024
    #esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512
    # Clients
    right=%any
    # your addresspool to use - you might need NAT rules if providing full internet to clients
    rightaddresspool=10.0.0.240-10.0.0.250
    # optional rightid with restrictions
    # rightid="C=CA, L=Toronto, O=Libreswan Project, OU=*, CN=*, E=*"
    rightca=%same
    rightrsasigkey=%cert
    rightid=%fromcert
    #
    # connection configuration
    # DNS servers for clients to use
    #modecfgdns=8.8.8.8,193.100.157.123
    # Versions up to 3.22 used modecfgdns1 and modecfgdns2
    #modecfgdns1=8.8.8.8
    #modecfgdns2=193.110.157.123
    narrowing=yes
    # recommended dpd/liveness to cleanup vanished clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    rekey=no
    #ms-dh-fallback=yes
    #msdh-downgrade=yes
    ms-dh-downgrade=yes
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    # ikev2 fragmentation support requires libreswan 3.14 or newer
    fragmentation=yes
    # optional PAM username verification (eg to implement bandwidth quota
    # pam-authorize=yes


Cheers,
Jan  
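As an added example (not code from the original post or from Libreswan), a small POSIX shell script that reproduces with openssl(1) the two conditions the macOS log above shows the client evaluating on the server certificate: whether the chain leads to a trusted CA, and whether the leaf carries a subjectAltName equal to the identity the client verifies (a miss there is the "Trust evaluate failure: [leaf SSLHostname]" line). It assumes openssl is installed and that the certificates have been exported from the NSS database to PEM files; ca.pem and server.pem are placeholder names.

```shell
#!/bin/sh
# Added example, not code from the original post or from Libreswan.
# Reproduces with openssl(1) the two conditions an IKEv2 client evaluates on the
# server certificate during IKE_AUTH: does the chain lead to a trusted CA, and
# does the leaf carry a subjectAltName equal to the identity the client verifies
# (a miss there is what macOS logs as "Trust evaluate failure: [leaf SSLHostname]").
# Assumes PEM files exported from the NSS database, e.g.:
#   certutil -L -d sql:$HOME/ca -n ca.zzz.net -a > ca.pem
#   certutil -L -d sql:$HOME/ca -n vv.zzz.net -a > server.pem

# Print the subjectAltName entries of a PEM certificate, one per line, in the
# form openssl uses ("DNS:vv.zzz.net", "IP Address:22.22.22.22", ...).
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//;/^$/d'
}

# Succeed only if the leaf in $1 has a DNS or IP SAN exactly equal to $2.
# The comparison is case-insensitive and deliberately strict: no wildcard
# matching, and a name that appears only in the subject CN does not count.
san_matches() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    cert_sans "$1" | tr 'A-Z' 'a-z' \
        | grep -qxF -e "dns:$want" -e "ip address:$want"
}

# Succeed only if leaf $2 chains to the CA bundle $1 and matches identity $3,
# i.e. both conditions the client requires before it trusts the server.
server_cert_acceptable() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    san_matches "$2" "$3"
}

# Usage: sh check_server_cert.sh ca.pem server.pem vv.zzz.net
if [ $# -eq 3 ]; then
    if server_cert_acceptable "$1" "$2" "$3"; then
        echo "OK: '$3' is a SAN of $2 and the chain to $1 verifies"
    else
        echo "REJECT: '$3' not in the SANs of $2, or chain does not verify."
        echo "SANs present:"; cert_sans "$2"
        exit 1
    fi
fi
```

Run it with the exact value the client is configured to connect to (the server address or Remote ID); if it reports REJECT while `openssl verify` alone succeeds, the problem is the SAN list rather than the CA trust.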
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
