Hello

May I ask for some input, anyone? I’ve done the wildcard TLS IKEv2 in strongSwan but I want/need to do it in libreswan as well. What am I doing wrong?

Thank you

> On 21 Jan 2025, at 11:51, Viktor Keremedchiev <[email protected]> wrote:
>
> Hello
>
> I have an existing IKEv1 ‘roaming warriors’ setup that uses a shared PSK and PAM auth via a custom PAM module.
> Now I want to add IKEv2 alongside it, but using user/pass auth via the same PAM module. The IKEv2 method is using publicly signed wildcard TLS (*.example.com). The idea behind it is that I need a few new VPN servers using the same domain.
>
> conn xxxx
>     left=172.30.254.151
>     leftsubnet=0.0.0.0/0
>     leftcert=tls
>     leftid=@*.example.com
>     leftsendcert=always
>     #leftrsasigkey=%cert
>     #leftmodecfgserver=yes
>     #leftxauthserver=yes
>
>     # Clients
>     right=%any
>     rightaddresspool=172.30.254.1-172.30.255.254
>     rightca=%same
>     rightid=%fromcert
>     rightrsasigkey=%cert
>     #rightxauthclient=no
>     #rightmodecfgclient=yes
>     modecfgdns=8.8.8.8,4.4.4.4
>     modecfgpull=yes
>     narrowing=yes
>
>     # recommended dpd/liveness to cleanup vanished clients
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=clear
>     auto=add
>     ikev2=insist
>     rekey=no
>     #mobike=yes
>     fragmentation=yes
>     # optional PAM username verification (eg to implement bandwidth quota)
>     pam-authorize=yes
>
> When I connect I get the following error:
>
> Jan 21 09:28:01.068865: | processing payload: ISAKMP_NEXT_v2N (len=0)
> Jan 21 09:28:01.068890: | looking for transition from PARENT_R1 matching IKE_AUTH request: SK{IDi,N(INITIAL_CONTACT),IDr,CP,N(ESP_TFC_PADDING_NOT_SUPPORTED),N(NON_FIRST_FRAGMENTS_ALSO),SA,TSi,TSr,N(MOBIKE_SUPPORTED)}
> Jan 21 09:28:01.068905: | trying: Responder: process IKE_INTERMEDIATE request
> Jan 21 09:28:01.068909: | exchange type does not match IKE_INTERMEDIATE
> Jan 21 09:28:01.068914: | trying: Responder: process IKE_AUTH request
> Jan 21 09:28:01.068918: | secured payloads do not match
> Jan 21 09:28:01.068923: | trying: Responder: process IKE_AUTH request, initiate EAP
> Jan 21 09:28:01.068927: | secured message matched
> Jan 21 09:28:01.068931: | selected state microcode Responder: process IKE_AUTH request, initiate EAP
> Jan 21 09:28:01.068940: | #1.st_v2_transition PARENT_R0->PARENT_R1 -> PARENT_R1->PARENT_R_EAP (v2_dispatch() +2311 /programs/pluto/ikev2.c)
> Jan 21 09:28:01.068954: | Message ID: IKE #1 responder starting message request 1 (initiator: .sent=-1 .recv=-1 .recv_frags=0 .wip=-1 .last_sent=559662.421947 .last_recv=559662.421947 responder: .sent=0 .recv=0 .recv_frags=0 .wip=1 .last_sent=559662.425345 .last_recv=559662.425339)
> Jan 21 09:28:01.068961: | calling processor Responder: process IKE_AUTH request, initiate EAP
> Jan 21 09:28:01.068975: "URL.example"[1] 213.16.62.185 #1: processing decrypted IKE_AUTH request: SK{IDi,N(INITIAL_CONTACT),IDr,CP,N(ESP_TFC_PADDING_NOT_SUPPORTED),N(NON_FIRST_FRAGMENTS_ALSO),SA,TSi,TSr,N(MOBIKE_SUPPORTED)}
> Jan 21 09:28:01.068986: "URL.example.com"[1] 213.16.62.185 #1: Peer attempted EAP authentication, but IKE_AUTH is required
> Jan 21 09:28:01.068991: | pstats #1 ikev2.ike failed auth-failed
> Jan 21 09:28:01.068999: | opening output PBS v2N response
> Jan 21 09:28:01.069004: | **emit ISAKMP Message:
> Jan 21 09:28:01.069012: | initiator SPI: be a7 d4 67 1d e8 cf bb
> Jan 21 09:28:01.069019: | responder SPI: 68 30 0e 1f 85 4c 1b 96
> Jan 21 09:28:01.069024: | next payload type: ISAKMP_NEXT_NONE (0x0)
> Jan 21 09:28:01.069029: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
> Jan 21 09:28:01.069034: | exchange type: ISAKMP_v2_IKE_AUTH (0x23)
> Jan 21 09:28:01.069039: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
> Jan 21 09:28:01.069046: | Message ID: 1 (00 00 00 01)
> Jan 21 09:28:01.069052: | next payload chain: saving message location 'ISAKMP Message'.'next payload type'
> Jan 21 09:28:01.069059: | ***emit IKEv2 Encryption Payload:
> Jan 21 09:28:01.069065: | next payload type: ISAKMP_NEXT_v2NONE (0x0)
> Jan 21 09:28:01.069069: | flags: none (0x0)
> Jan 21 09:28:01.069074: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK)
> Jan 21 09:28:01.069078: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'v2N response'
> Jan 21 09:28:01.069085: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload
> Jan 21 09:28:01.069104: "URL.example.com"[1] 213.16.62.185 #1: responding to IKE_AUTH message (ID 1) from 213.16.62.185:500 with encrypted notification AUTHENTICATION_FAILED
> Jan 21 09:28:01.069112: | adding a v2N Payload
> Jan 21 09:28:01.069120: | ****emit IKEv2 Notify Payload:
> Jan 21 09:28:01.069124: | next payload type: ISAKMP_NEXT_v2NONE (0x0)
> Jan 21 09:28:01.069128: | flags: none (0x0)
> Jan 21 09:28:01.069132: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0)
> Jan 21 09:28:01.069138: | SPI size: 0 (00)
> Jan 21 09:28:01.069143: | Notify Message Type: v2N_AUTHENTICATION_FAILED (0x18)
>
> I don’t even see an attempt for my username to be authenticated. The client I use is macOS 15, using the ‘IKEv2’ type.
>
> For reference, this is my existing IKEv1 setup that works pretty solidly:
>     left=172.30.254.151
>     leftsubnet=0.0.0.0/0
>     type=tunnel
>     authby=secret
>     right=%any
>     rightaddresspool=172.30.254.1-172.30.255.254
>     rightmodecfgclient=yes
>     modecfgdns=8.8.8.8,4.4.4.4
>     modecfgpull=yes
>     leftxauthserver=yes
>     rightxauthclient=yes
>     leftmodecfgserver=yes
>     cisco-unity=yes
>     ikev2=never
>     auto=add
>     pfs=no
>     rekey=no
>     xauthby=pam
>
> Any guidance is appreciated.

_______________________________________________
Swan mailing list -- [email protected]
To unsubscribe send an email to [email protected]
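As an added example (not from the post or from libreswan itself): a small parser for the pluto log shape quoted above that separates the `|` debug lines from the per-connection lines and pulls out IKE_AUTH failures per peer, which is useful for spotting the "Peer attempted EAP authentication" / AUTHENTICATION_FAILED pattern in a busy log. The sample lines are constructed from the shapes in the post, and the field layout (timestamp, "conn"[instance] peer #sa: message) is assumed from those lines.

```python
import re
from collections import Counter

# Constructed sample, copied in shape from the pluto debug log quoted in the post.
SAMPLE_LOG = """\
Jan 21 09:28:01.068918: | secured payloads do not match
Jan 21 09:28:01.068975: "URL.example.com"[1] 213.16.62.185 #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,CP,SA,TSi,TSr}
Jan 21 09:28:01.068986: "URL.example.com"[1] 213.16.62.185 #1: Peer attempted EAP authentication, but IKE_AUTH is required
Jan 21 09:28:01.068991: | pstats #1 ikev2.ike failed auth-failed
Jan 21 09:28:01.069104: "URL.example.com"[1] 213.16.62.185 #1: responding to IKE_AUTH message (ID 1) from 213.16.62.185:500 with encrypted notification AUTHENTICATION_FAILED
"""

# Assumed layout of a per-connection pluto line: timestamp, "conn"[instance] peer #sa: message.
# Debug lines carry a bare "|" after the timestamp instead and do not match.
_LINE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?): '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$'
)

# Message fragments from the post that mark an IKE_AUTH failure, with a short reason tag.
_FAILURE_MARKERS = (
    ("Peer attempted EAP authentication", "eap_not_configured"),
    ("notification AUTHENTICATION_FAILED", "auth_failed_sent"),
)

def parse_pluto_line(line):
    """Return a dict for a per-connection line, or None for debug/other lines."""
    m = _LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["inst"], rec["sa"] = int(rec["inst"]), int(rec["sa"])
    return rec

def auth_failures(lines):
    """Return parsed records that indicate an IKE_AUTH failure, tagged with a reason."""
    out = []
    for rec in filter(None, map(parse_pluto_line, lines)):
        for marker, reason in _FAILURE_MARKERS:
            if marker in rec["msg"]:
                out.append({**rec, "reason": reason})
                break
    return out

def failures_by_peer(lines):
    """Count IKE_AUTH failures per peer address, e.g. to alert on repeated attempts."""
    return Counter(f["peer"] for f in auth_failures(lines))
```

Feeding `auth_failures(SAMPLE_LOG.splitlines())` the constructed sample yields the two failure records for peer 213.16.62.185 on IKE SA #1; `failures_by_peer` then gives that peer a count of 2.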
