Hi there,

I have a testing scenario where the VPN gateway moon uses a certificate/private key to authenticate itself to the client. I have installed the server's certificate at /usr/local/etc/ipsec.d/certs/moonCert.pem and the server's private key file at /usr/local/etc/ipsec.d/private/moonKey.pem. These two files are the original ones taken from the strongswan-5.0.0 release.

The client is an Android phone behind a WiFi router (10.41.72.35). When the client comes in, I am seeing moon (10.46.212.196) complaining about a certificate-related problem, and then the authentication fails:

Sep 15 18:52:51 as3-iwf118 charon: 13[NET] received packet: from 10.41.72.35[34745] to 10.46.212.196[500]
Sep 15 18:52:51 as3-iwf118 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 15 18:52:51 as3-iwf118 charon: 13[IKE] 10.41.72.35 is initiating an IKE_SA
Sep 15 18:52:51 as3-iwf118 charon: 13[IKE] remote host is behind NAT
Sep 15 18:52:51 as3-iwf118 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Sep 15 18:52:51 as3-iwf118 charon: 13[NET] sending packet: from 10.46.212.196[500] to 10.41.72.35[34745]
Sep 15 18:52:53 as3-iwf118 charon: 08[NET] received packet: from 10.41.72.35[44399] to 10.46.212.196[4500]
Sep 15 18:52:53 as3-iwf118 charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Sep 15 18:52:53 as3-iwf118 charon: 08[IKE] received 118 cert requests for an unknown ca
Sep 15 18:52:53 as3-iwf118 charon: 08[CFG] looking for peer configs matching 10.46.212.196[10.46.212.196]...10.41.72.35[[email protected]]
Sep 15 18:52:53 as3-iwf118 charon: 08[CFG] no matching peer config found
Sep 15 18:52:53 as3-iwf118 charon: 08[IKE] peer supports MOBIKE
Sep 15 18:52:53 as3-iwf118 charon: 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 15 18:52:53 as3-iwf118 charon: 08[NET] sending packet: from 10.46.212.196[4500] to 10.41.72.35[44399]

I have included moon's ipsec.conf, ipsec.secrets, and strongswan.conf at the end of this email, but I guess I may not fully understand how this certificate/private key authentication works, so I am asking some questions here and would appreciate it very much if someone could please shed some light:

1) Is it allowed to make moon use a pre-configured certificate/private key, such as moonCert.pem/moonKey.pem, to authenticate itself to the client, and make a client use the moonCert.pem? Or does it have to go through some kind of certificate authority (CA)?

2) Is "received 118 cert requests for an unknown ca" really the error which caused the AUTH_FAILED, or is "no matching peer config found" the real error?

3) Is the "received 118 cert requests for an unknown ca" harmless? Or should we configure the client not to include the CERTREQ in its IKE_AUTH request?

4) How can I make the client accept the moonCert.pem? Should I manually install it on the client as well? Or can the client receive it in the IKEv2 message and start using it from there?

I also tried another client of strongswan-5.0.0 running on a separate Linux box (10.41.73.234) and got the server authentication working with the same configuration of the server:

Sep 16 21:57:14 as3-iwf118 charon: 09[NET] received packet: from 10.41.73.234[4500] to 10.46.212.196[4500]
Sep 16 21:57:14 as3-iwf118 charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Sep 16 21:57:14 as3-iwf118 charon: 09[CFG] looking for peer configs matching 10.46.212.196[moon.strongswan.org]...10.41.73.234[[email protected]]
Sep 16 21:57:14 as3-iwf118 charon: 09[CFG] selected peer config 'client_1'
Sep 16 21:57:14 as3-iwf118 charon: 09[CFG] sending RADIUS Access-Request to server '127.0.0.1'
Sep 16 21:57:14 as3-iwf118 charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Sep 16 21:57:14 as3-iwf118 charon: 07[NET] sending packet: from 2002:c023:9c17:21b::a2e:d4c4[500] to 2002:c023:9c17:21c:21b:78ff:fee0:dbfc[500]
Sep 16 21:57:14 as3-iwf118 charon: 09[CFG] received RADIUS Access-Challenge from server '127.0.0.1'
Sep 16 21:57:14 as3-iwf118 charon: 09[IKE] initiating EAP_RADIUS method (id 0x01)
Sep 16 21:57:14 as3-iwf118 charon: 09[IKE] peer supports MOBIKE
Sep 16 21:57:14 as3-iwf118 charon: 09[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful
Sep 16 21:57:14 as3-iwf118 charon: 09[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/MD5 ]
Sep 16 21:57:14 as3-iwf118 charon: 09[NET] sending packet: from 10.46.212.196[4500] to 10.41.73.234[4500]
Sep 16 21:57:14 as3-iwf118 charon: 10[NET] received packet: from 10.41.73.234[4500] to 10.46.212.196[4500]
Sep 16 21:57:14 as3-iwf118 charon: 10[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MD5 ]
Sep 16 21:57:14 as3-iwf118 charon: 10[CFG] sending RADIUS Access-Request to server '127.0.0.1'
Sep 16 21:57:14 as3-iwf118 charon: 10[CFG] received RADIUS Access-Accept from server '127.0.0.1'
Sep 16 21:57:14 as3-iwf118 charon: 10[IKE] RADIUS authentication of '[email protected]' successful
Sep 16 21:57:14 as3-iwf118 charon: 10[IKE] EAP method EAP_MD5 succeeded, no MSK established
Sep 16 21:57:14 as3-iwf118 charon: 10[ENC] generating IKE_AUTH response 2 [ EAP/SUCC ]
Sep 16 21:57:14 as3-iwf118 charon: 10[NET] sending packet: from 10.46.212.196[4500] to 10.41.73.234[4500]

In this log, I noticed the matching 10.46.212.196[moon.strongswan.org]...10.41.73.234[[email protected]] and found the 'client_1'. However, between the two log messages below (the first is the failed case, and the second is the success case), the only difference is that the first one did not show moon.strongswan.org; it had 10.46.212.196 instead, and it failed:

Sep 15 18:52:53 as3-iwf118 charon: 08[CFG] looking for peer configs matching 10.46.212.196[10.46.212.196]...10.41.72.35[[email protected]]
Sep 16 21:57:14 as3-iwf118 charon: 09[CFG] looking for peer configs matching 10.46.212.196[moon.strongswan.org]...10.41.73.234[[email protected]]

So, could this be the reason why no matching peer config was found in the failure case? How can I make it work in the failure case?

Thanks a lot!
Zhiheng

=======================================================
# ipsec.conf - strongSwan IPsec configuration file of the VPN gateway
#
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn client_1
    left=%defaultroute
    leftsubnet=10.46.212.192/27,10.9.8.0/24
    [email protected]
    leftcert=moonCert.pem
    leftauth=pubkey
    leftfirewall=yes
    [email protected]
    rightauth=eap-radius
    rightsendcert=never
    right=%any
    rightsourceip=10.9.8.1
    auto=add

=======================================================
# ipsec.secrets - strongSwan IPsec secrets file of the VPN gateway
#
: RSA moonKey.pem

# client's secret is stored in the freeradius server's configuration file
# for example: /usr/etc/raddb/users

=======================================================
# strongswan.conf - strongSwan configuration file
#
charon {
    # number of worker threads in charon
    threads = 16

    # send strongswan vendor ID?
    # send_vendor_id = yes

    plugins {
        sql {
            # loglevel to log into sql database
            loglevel = -1
            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        }
        eap-radius {
            server = 127.0.0.1
            secret = testing123
        }
    }
    # ...
}

pluto {
}

libstrongswan {
    # set to no, the DH exponent size is optimized
    # dh_exponent_ansi_x9_42 = no
}
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
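An added diagnostic for the difference the poster spotted between the two "looking for peer configs matching" lines (example code written for this page; it is not a reply from the list and not part of strongSwan). charon only selects a conn whose leftid matches the IDr the client asked for and whose rightid matches the client's IDi, so a client that requests the gateway by IP address (IDr = 10.46.212.196) cannot match a conn whose leftid is moon.strongswan.org. The script parses charon's lookup lines together with a minimal ipsec.conf and reports which conns would match each attempt. The identity client@example.org in the constructed sample log and config is a placeholder for the redacted addresses, and the match rule is a simplification of charon's (it ignores ID types, identities derived from leftcert, and the other peer-config criteria such as the authentication method).

```python
import re

# Constructed sample input: the two lookup lines quoted in the message above,
# with the redacted client identity replaced by a placeholder.
SAMPLE_LOG = """\
Sep 15 18:52:53 as3-iwf118 charon: 08[CFG] looking for peer configs matching 10.46.212.196[10.46.212.196]...10.41.72.35[client@example.org]
Sep 15 18:52:53 as3-iwf118 charon: 08[CFG] no matching peer config found
Sep 16 21:57:14 as3-iwf118 charon: 09[CFG] looking for peer configs matching 10.46.212.196[moon.strongswan.org]...10.41.73.234[client@example.org]
Sep 16 21:57:14 as3-iwf118 charon: 09[CFG] selected peer config 'client_1'
"""

# Constructed ipsec.conf modelled on the gateway config in the message; the
# leftid is what the successful log line shows the gateway identifying as.
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2

conn client_1
    left=%defaultroute
    leftid=moon.strongswan.org
    leftcert=moonCert.pem
    leftauth=pubkey
    right=%any
    rightid=client@example.org
    rightauth=eap-radius
    auto=add
"""

# charon logs "looking for peer configs matching ME[IDr]...PEER[IDi]";
# IDr is the identity the client asked the gateway to use, IDi is the client's.
PEER_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<me>\S+?)\[(?P<my_id>[^\]]*)\]\.\.\."
    r"(?P<other>\S+?)\[(?P<other_id>[^\]]*)\]"
)


def parse_conf(text):
    """Parse ipsec.conf into {conn_name: {key: value}}, applying conn %default."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}


def id_matches(configured, received):
    """Simplified identity match: %any (or an unset option) matches anything,
    otherwise the configured and received identities must be equal
    (case-insensitively). charon additionally compares ID types."""
    if configured is None or configured == "%any":
        return True
    return configured.lower() == received.lower()


def matching_conns(conns, my_id, other_id):
    """Names of conns whose leftid/rightid accept the received IDr/IDi."""
    return [name for name, opts in conns.items()
            if id_matches(opts.get("leftid"), my_id)
            and id_matches(opts.get("rightid"), other_id)]


def diagnose(log_text, conf_text):
    """Return one (IDr, IDi, matching conn names) tuple per lookup line."""
    conns = parse_conf(conf_text)
    results = []
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if m:
            my_id, other_id = m.group("my_id"), m.group("other_id")
            results.append((my_id, other_id, matching_conns(conns, my_id, other_id)))
    return results


if __name__ == "__main__":
    for my_id, other_id, matches in diagnose(SAMPLE_LOG, SAMPLE_CONF):
        status = "matches " + ", ".join(matches) if matches else "NO MATCH"
        print(f"IDr={my_id!r} IDi={other_id!r}: {status}")
```

Run on the sample, the Android attempt (IDr 10.46.212.196) matches no conn while the Linux client's attempt (IDr moon.strongswan.org) matches client_1. Fed charon's real log and the gateway's real ipsec.conf, the same check tells you whether to change the identity the client requests for the gateway or the gateway's leftid so the two agree.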
