Hello StrongSwan guys,
I'm trying to build a strongswan 5.0.1 VPN server, compiled from source on CentOS 6.3, based on certificate+xauth, as my goal is to connect various Apple
devices and different Mac OS versions.
I followed this guide very closely:
http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29. I'm
jumping directly to the results so far:
Test topology:
Server's IP 192.168.17.118 (certificates are generated with CN:192.168.17.118
and altsubj: 192.168.17.118)
For all devices I used the same certificates for testing, and made the root
certificate trusted on Lion and Mountain Lion. In all configurations below I
used the built-in VPN client (Cisco IPSec) with client certificate and xauth
username and password.
I tested it with an iPhone 3G, iOS 4.2.1 - it's connecting fine.
Snow Leopard, IP 192.168.17.137 in the log - connects just fine.
Lion v.10.7.4 - can't connect; I guess it does not connect because of the same
reason as Mountain Lion.
Mountain Lion v.10.8.2, IP 192.168.17.250 in the log - can't connect.
Here is my ipsec.conf:
config setup
    charondebug="dmn 1, mgr 1, ike 1, chd 1, job 1, cfg 1, knl 1, net 1, asn 1, enc 1, lib 1, esp 1, tls 1"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

conn xarsa
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=serverCert.pem
    right=%any
    rightsubnet=10.0.0.0/24
    rightsourceip=10.0.0.2
    rightcert=clientCert.pem
    auto=add
ipsec.secrets:
#include /etc/ipsec.d/*.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA serverKey.pem
mve : XAUTH "12345"
/var/log/messages:
Oct 27 03:29:54 ir1 charon: 00[DMN] loaded plugins: charon aes des sha1 sha2
md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem
fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke
updown xauth-generic
Oct 27 03:29:54 ir1 charon: 00[JOB] spawning 16 worker threads
Oct 27 03:29:54 ir1 charon: 11[CFG] received stroke: add connection 'xarsa'
Oct 27 03:29:54 ir1 charon: 11[CFG] left nor right host is our side, assuming
left=local
Oct 27 03:29:54 ir1 charon: 11[CFG] adding virtual IP address pool 10.0.0.2
Oct 27 03:29:54 ir1 charon: 11[CFG] loaded certificate "C=BG, O=MYVPN,
CN=192.168.17.118" from 'serverCert.pem'
Oct 27 03:29:54 ir1 charon: 11[CFG] id '%any' not confirmed by certificate,
defaulting to 'C=BG, O=MYVPN, CN=192.168.17.118'
Oct 27 03:29:54 ir1 charon: 11[CFG] loaded certificate "C=BG, O=MYVPN, CN=ML"
from 'clientCert.pem'
Oct 27 03:29:54 ir1 charon: 11[CFG] id '%any' not confirmed by certificate,
defaulting to 'C=BG, O=MYVPN, CN=ML'
Oct 27 03:29:54 ir1 charon: 11[CFG] added configuration 'xarsa'
Oct 27 03:31:00 ir1 charon: 12[NET] received packet: from 192.168.17.137[500]
to 192.168.17.118[500]
Oct 27 03:31:00 ir1 charon: 12[ENC] parsed ID_PROT request 0 [ SA V V V V V V V
V V V V V V ]
Oct 27 03:31:00 ir1 charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike vendor
ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-08
vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-07
vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-06
vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-05
vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-04
vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-03
vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02
vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n
vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received XAuth vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received Cisco Unity vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] received DPD vendor ID
Oct 27 03:31:00 ir1 charon: 12[IKE] 192.168.17.137 is initiating a Main Mode
IKE_SA
Oct 27 03:31:00 ir1 charon: 12[ENC] generating ID_PROT response 0 [ SA V V V ]
Oct 27 03:31:00 ir1 charon: 12[NET] sending packet: from 192.168.17.118[500] to
192.168.17.137[500]
Oct 27 03:31:00 ir1 charon: 13[NET] received packet: from 192.168.17.137[500]
to 192.168.17.118[500]
Oct 27 03:31:00 ir1 charon: 13[ENC] parsed ID_PROT request 0 [ KE No NAT-D
NAT-D ]
Oct 27 03:31:00 ir1 charon: 13[IKE] sending cert request for "C=BG, O=MYVPN,
CN=MYVPN CA"
Oct 27 03:31:00 ir1 charon: 13[ENC] generating ID_PROT response 0 [ KE No
CERTREQ NAT-D NAT-D ]
Oct 27 03:31:00 ir1 charon: 13[NET] sending packet: from 192.168.17.118[500] to
192.168.17.137[500]
Oct 27 03:31:00 ir1 charon: 14[NET] received packet: from 192.168.17.137[500]
to 192.168.17.118[500]
Oct 27 03:31:00 ir1 charon: 14[ENC] parsed ID_PROT request 0 [ ID CERT SIG
CERTREQ N(INITIAL_CONTACT) ]
Oct 27 03:31:00 ir1 charon: 14[IKE] ignoring certificate request without data
Oct 27 03:31:00 ir1 charon: 14[IKE] received end entity cert "C=BG, O=MYVPN,
CN=ML"
Oct 27 03:31:00 ir1 charon: 14[CFG] looking for XAuthInitRSA peer configs
matching 192.168.17.118...192.168.17.137[C=BG, O=MYVPN, CN=ML]
Oct 27 03:31:00 ir1 charon: 14[CFG] selected peer config "xarsa"
Oct 27 03:31:00 ir1 charon: 14[CFG] using trusted ca certificate "C=BG,
O=MYVPN, CN=MYVPN CA"
Oct 27 03:31:00 ir1 charon: 14[CFG] checking certificate status of "C=BG,
O=MYVPN, CN=ML"
Oct 27 03:31:00 ir1 charon: 14[CFG] certificate status is not available
Oct 27 03:31:00 ir1 charon: 14[CFG] reached self-signed root ca with a path
length of 0
Oct 27 03:31:00 ir1 charon: 14[CFG] using trusted certificate "C=BG, O=MYVPN,
CN=ML"
Oct 27 03:31:00 ir1 charon: 14[IKE] authentication of 'C=BG, O=MYVPN, CN=ML'
with RSA successful
Oct 27 03:31:00 ir1 charon: 14[IKE] authentication of 'C=BG, O=MYVPN,
CN=192.168.17.118' (myself) successful
Oct 27 03:31:00 ir1 charon: 14[IKE] sending end entity cert "C=BG, O=MYVPN,
CN=192.168.17.118"
Oct 27 03:31:00 ir1 charon: 14[ENC] generating ID_PROT response 0 [ ID CERT SIG
]
Oct 27 03:31:00 ir1 charon: 14[NET] sending packet: from 192.168.17.118[500] to
192.168.17.137[500]
Oct 27 03:31:00 ir1 charon: 14[ENC] generating TRANSACTION request 1934430434 [
HASH CP ]
Oct 27 03:31:00 ir1 charon: 14[NET] sending packet: from 192.168.17.118[500] to
192.168.17.137[500]
Oct 27 03:31:04 ir1 charon: 15[NET] received packet: from 192.168.17.137[500]
to 192.168.17.118[500]
Oct 27 03:31:04 ir1 charon: 15[ENC] parsed TRANSACTION response 1934430434 [
HASH CP ]
Oct 27 03:31:04 ir1 charon: 15[IKE] XAuth authentication of 'mve' successful
Oct 27 03:31:04 ir1 charon: 15[ENC] generating TRANSACTION request 3053698936 [
HASH CP ]
Oct 27 03:31:04 ir1 charon: 15[NET] sending packet: from 192.168.17.118[500] to
192.168.17.137[500]
Oct 27 03:31:04 ir1 charon: 16[NET] received packet: from 192.168.17.137[500]
to 192.168.17.118[500]
Oct 27 03:31:04 ir1 charon: 16[ENC] parsed TRANSACTION response 3053698936 [
HASH CP ]
Oct 27 03:31:04 ir1 charon: 16[IKE] IKE_SA xarsa[1] established between
192.168.17.118[C=BG, O=MYVPN, CN=192.168.17.118]...192.168.17.137[C=BG,
O=MYVPN, CN=ML]
Oct 27 03:31:04 ir1 charon: 16[IKE] scheduling reauthentication in 3258s
Oct 27 03:31:04 ir1 charon: 16[IKE] maximum IKE_SA lifetime 3438s
Oct 27 03:31:04 ir1 charon: 01[NET] received packet: from 192.168.17.137[500]
to 192.168.17.118[500]
Oct 27 03:31:04 ir1 charon: 01[ENC] unknown attribute type (28683)
Oct 27 03:31:04 ir1 charon: 01[ENC] parsed TRANSACTION request 2515032727 [
HASH CP ]
Oct 27 03:31:04 ir1 charon: 01[IKE] peer requested virtual IP %any
Oct 27 03:31:04 ir1 charon: 01[CFG] assigning new lease to 'mve'
Oct 27 03:31:04 ir1 charon: 01[IKE] assigning virtual IP 10.0.0.2 to peer 'mve'
Oct 27 03:31:04 ir1 charon: 01[ENC] generating TRANSACTION response 2515032727
[ HASH CP ]
Oct 27 03:31:04 ir1 charon: 01[NET] sending packet: from 192.168.17.118[500] to
192.168.17.137[500]
Oct 27 03:31:04 ir1 charon: 03[NET] received packet: from 192.168.17.137[500]
to 192.168.17.118[500]
Oct 27 03:31:04 ir1 charon: 03[ENC] parsed QUICK_MODE request 3999596799 [ HASH
SA No ID ID ]
Oct 27 03:31:04 ir1 charon: 03[IKE] received 3600s lifetime, configured 1200s
Oct 27 03:31:04 ir1 charon: 03[ENC] generating QUICK_MODE response 3999596799 [
HASH SA No ID ID ]
Oct 27 03:31:04 ir1 charon: 03[NET] sending packet: from 192.168.17.118[500] to
192.168.17.137[500]
Oct 27 03:31:04 ir1 charon: 11[NET] received packet: from 192.168.17.137[500]
to 192.168.17.118[500]
Oct 27 03:31:04 ir1 charon: 11[ENC] parsed QUICK_MODE request 3999596799 [ HASH
]
Oct 27 03:31:04 ir1 kernel: alg: No test for __aes-aesni (__driver-aes-aesni)
Oct 27 03:31:04 ir1 kernel: alg: No test for __ecb-aes-aesni
(__driver-ecb-aes-aesni)
Oct 27 03:31:04 ir1 kernel: alg: No test for __cbc-aes-aesni
(__driver-cbc-aes-aesni)
Oct 27 03:31:04 ir1 kernel: alg: No test for __ecb-aes-aesni
(cryptd(__driver-ecb-aes-aesni))
Oct 27 03:31:04 ir1 kernel: padlock: VIA PadLock not detected.
Oct 27 03:31:04 ir1 charon: 11[IKE] CHILD_SA xarsa{1} established with SPIs
ce0a9192_i 09fb746f_o and TS 0.0.0.0/0 === 10.0.0.2/32
Oct 27 03:31:04 ir1 kernel: alg: No test for __cbc-aes-aesni
(cryptd(__driver-cbc-aes-aesni))
Oct 27 03:31:04 ir1 kernel: alg: No test for authenc(hmac(sha1),cbc(aes))
(authenc(hmac(sha1-generic),cbc-aes-aesni))
Oct 27 03:31:04 ir1 vpn: + C=BG, O=MYVPN, CN=ML 10.0.0.2/32 == 192.168.17.137
-- 192.168.17.118 == %any/0
Oct 27 03:31:44 ir1 charon: 16[NET] received packet: from 192.168.17.137[500]
to 192.168.17.118[500]
Oct 27 03:31:44 ir1 charon: 16[ENC] parsed INFORMATIONAL_V1 request 2484179066
[ HASH D ]
Oct 27 03:31:44 ir1 charon: 16[IKE] received DELETE for ESP CHILD_SA with SPI
09fb746f
Oct 27 03:31:44 ir1 charon: 16[IKE] closing CHILD_SA xarsa{1} with SPIs
ce0a9192_i (0 bytes) 09fb746f_o (0 bytes) and TS 0.0.0.0/0 === 10.0.0.2/32
Oct 27 03:31:44 ir1 vpn: - C=BG, O=MYVPN, CN=ML 10.0.0.2/32 == 192.168.17.137
-- 192.168.17.118 == %any/0
Oct 27 03:31:44 ir1 charon: 02[NET] received packet: from 192.168.17.137[500]
to 192.168.17.118[500]
Oct 27 03:31:44 ir1 charon: 02[ENC] parsed INFORMATIONAL_V1 request 2470569940
[ HASH D ]
Oct 27 03:31:44 ir1 charon: 02[IKE] received DELETE for IKE_SA xarsa[1]
Oct 27 03:31:44 ir1 charon: 02[IKE] deleting IKE_SA xarsa[1] between
192.168.17.118[C=BG, O=MYVPN, CN=192.168.17.118]...192.168.17.137[C=BG,
O=MYVPN, CN=ML]
Oct 27 03:31:44 ir1 charon: 02[CFG] lease 10.0.0.2 by 'mve' went offline
Oct 27 03:31:58 ir1 charon: 01[NET] received packet: from 192.168.17.250[500]
to 192.168.17.118[500]
Oct 27 03:31:58 ir1 charon: 01[ENC] parsed ID_PROT request 0 [ SA V V V V V V V
V V V V V V V ]
Oct 27 03:31:58 ir1 charon: 01[IKE] received NAT-T (RFC 3947) vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike vendor
ID
Oct 27 03:31:58 ir1 charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-08
vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-07
vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-06
vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-05
vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-04
vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-03
vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-02
vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-02\n
vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] received XAuth vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] received Cisco Unity vendor ID
Oct 27 03:31:58 ir1 charon: 01[ENC] received unknown vendor ID:
40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
Oct 27 03:31:58 ir1 charon: 01[IKE] received DPD vendor ID
Oct 27 03:31:58 ir1 charon: 01[IKE] 192.168.17.250 is initiating a Main Mode
IKE_SA
Oct 27 03:31:58 ir1 charon: 01[ENC] generating ID_PROT response 0 [ SA V V V ]
Oct 27 03:31:58 ir1 charon: 01[NET] sending packet: from 192.168.17.118[500] to
192.168.17.250[500]
Oct 27 03:31:58 ir1 charon: 03[NET] received packet: from 192.168.17.250[500]
to 192.168.17.118[500]
Oct 27 03:31:58 ir1 charon: 03[ENC] parsed ID_PROT request 0 [ KE No NAT-D
NAT-D ]
Oct 27 03:31:58 ir1 charon: 03[IKE] sending cert request for "C=BG, O=MYVPN,
CN=MYVPN CA"
Oct 27 03:31:58 ir1 charon: 03[ENC] generating ID_PROT response 0 [ KE No
CERTREQ NAT-D NAT-D ]
Oct 27 03:31:58 ir1 charon: 03[NET] sending packet: from 192.168.17.118[500] to
192.168.17.250[500]
Oct 27 03:31:58 ir1 charon: 11[NET] received packet: from 192.168.17.250[500]
to 192.168.17.118[500]
Oct 27 03:31:58 ir1 charon: 11[ENC] parsed ID_PROT request 0 [ ID CERT SIG
CERTREQ N(INITIAL_CONTACT) ]
Oct 27 03:31:58 ir1 charon: 11[IKE] ignoring certificate request without data
Oct 27 03:31:58 ir1 charon: 11[IKE] received end entity cert "C=BG, O=MYVPN,
CN=ML"
Oct 27 03:31:58 ir1 charon: 11[CFG] looking for XAuthInitRSA peer configs
matching 192.168.17.118...192.168.17.250[ML]
Oct 27 03:31:58 ir1 charon: 11[IKE] no peer config found
Oct 27 03:31:58 ir1 charon: 11[ENC] generating INFORMATIONAL_V1 request
3832895531 [ HASH N(AUTH_FAILED) ]
Oct 27 03:31:58 ir1 charon: 11[NET] sending packet: from 192.168.17.118[500] to
192.168.17.250[500]
I searched the mailing list and found that strongswan 5.x is supposed to work
with Lion and ML. I do know that my config is not matching Lion and ML clients?
On other forums I found some suggestions; I also tried to make the
certificate a smaller size according to some info in Apple forums, but it did not
help either.
What I can see from the log is that Snow Leopard sends this:
14[CFG] looking for XAuthInitRSA peer configs matching
192.168.17.118…192.168.17.137[C=BG, O=MYVPN, CN=ML]
14[CFG] selected peer config "xarsa" ….
But the breaking point is that Mountain Lion does not send that same message:
11[CFG] looking for XAuthInitRSA peer configs matching
192.168.17.118...192.168.17.250[ML]
11[IKE] no peer config found
According to Apple documentation, matching needs to be done based on the client
certificate name / group name? But I guess this is only for the new Mac OS X
versions Lion and ML and iOS 6, because in Snow Leopard this is working fine…
"When using certificate-based authentication, make sure the server is set up to
identify the user’s group based on fields in the client certificate."
I'm asking if someone can give me a hint: is it possible that I can match users
that use Lion and ML in my ipsec.conf based on the client certificate Common Name
[ML]?
I know this is not a mature question, but how can I assign multiple private IP
addresses dynamically in one range, let's say 10.0.0.0/24, to each client that
connects? I can see the guide in the wiki is only for a single client; when I connect
a second user, the first one is disconnected…
Kind regards,
Martin
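A small diagnostic, added here and not part of Martin's post or of strongSwan itself, that pairs charon's "looking for ... peer configs" lines with their outcome on the same worker thread and with the end-entity certificate that thread received just before, so the identity a client presented can be compared with the subject DN the conn expects. The sample log lines are the relevant ones from the post above, re-joined onto single lines; the regexes assume charon's standard "<thread>[<subsystem>]" message prefix.

```python
import re

# Constructed sample: the relevant charon lines from the post, each re-joined onto one line.
SAMPLE_LOG = """\
Oct 27 03:31:00 ir1 charon: 14[IKE] received end entity cert "C=BG, O=MYVPN, CN=ML"
Oct 27 03:31:00 ir1 charon: 14[CFG] looking for XAuthInitRSA peer configs matching 192.168.17.118...192.168.17.137[C=BG, O=MYVPN, CN=ML]
Oct 27 03:31:00 ir1 charon: 14[CFG] selected peer config "xarsa"
Oct 27 03:31:58 ir1 charon: 11[IKE] received end entity cert "C=BG, O=MYVPN, CN=ML"
Oct 27 03:31:58 ir1 charon: 11[CFG] looking for XAuthInitRSA peer configs matching 192.168.17.118...192.168.17.250[ML]
Oct 27 03:31:58 ir1 charon: 11[IKE] no peer config found
"""

# charon prefixes every message with "<worker thread>[<subsystem>]"
LINE_RE = re.compile(r"charon: (?P<thread>\d+)\[[A-Z]+\] (?P<msg>.*)$")
CERT_RE = re.compile(r'received end entity cert "(?P<subject>[^"]+)"')
LOOKUP_RE = re.compile(r"looking for (?P<auth>\S+) peer configs matching "
                       r"\S+?\.\.\.(?P<peer>[\d.]+)\[(?P<ident>[^\]]*)\]")
SELECTED_RE = re.compile(r'selected peer config "(?P<conf>[^"]+)"')

def parse_peer_config_lookups(text):
    """Pair each 'looking for ... peer configs' line with its outcome on the same thread."""
    last_cert, open_lookup, results = {}, {}, []   # keyed by charon thread id
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        if c := CERT_RE.search(msg):          # cert the peer sent in its ID/CERT/SIG message
            last_cert[thread] = c["subject"]
        elif lk := LOOKUP_RE.search(msg):     # identity the peer presented, and the auth method
            open_lookup[thread] = {"peer": lk["peer"], "auth": lk["auth"], "identity": lk["ident"],
                                   "cert_subject": last_cert.get(thread), "config": None}
        elif (s := SELECTED_RE.search(msg)) and thread in open_lookup:
            results.append(dict(open_lookup.pop(thread), config=s["conf"]))
        elif "no peer config found" in msg and thread in open_lookup:
            results.append(open_lookup.pop(thread))
    return results

def diagnose(a):
    """With rightcert= and no rightid=, charon defaults the expected peer identity to the
    certificate's subject DN (see the 'defaulting to' lines), so only that exact DN selects the conn."""
    if a["config"]:
        return f'{a["peer"]}: identity "{a["identity"]}" selected conn {a["config"]}'
    if a["cert_subject"] and a["identity"] != a["cert_subject"]:
        return (f'{a["peer"]}: presented identity "{a["identity"]}" is not the cert subject '
                f'"{a["cert_subject"]}" that rightcert= implies; no conn has a matching rightid')
    return f'{a["peer"]}: identity "{a["identity"]}" matched no conn'

for attempt in parse_peer_config_lookups(SAMPLE_LOG):
    print(diagnose(attempt))
```

Run it against a full /var/log/messages to list every client whose presented IKE identity (here the bare CN "ML") differs from the DN the conn was matched on.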
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users