Hi All,
I am using the strongSwan VPN Client app on an Android device (VPN client) and
running strongswan-5.4.0 on a Linux device (VPN server on a virtual machine).
I am trying to establish an IKEv2/IPsec tunnel using certificate with EAP
authentication based on username/password on the client and pubkey on the server. On
the server end, constraint checking fails with the following error message. Can
anyone please have a look at the below and suggest where I am wrong?
Thank you in advance for your support and time.
Charon log at the server end:
12[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(AUTH_FOLLOWS) ]
12[IKE] received cert request for "C=NL, O=Example Company, CN=strongSwan Root CA"
12[IKE] received end entity cert "C=NL, O=Example Company, CN=vpn.example.org"
12[CFG] looking for peer configs matching 10.0.131.40[%any]...192.168.10.59[C=NL, O=Example Company, CN=vpn.example.org]
12[CFG] selected peer config 'vpn_server-vpn_client'
12[CFG] using trusted ca certificate "C=NL, O=Example Company, CN=strongSwan Root CA"
12[CFG] checking certificate status of "C=NL, O=Example Company, CN=vpn.example.org"
12[CFG] certificate status is not available
12[CFG] reached self-signed root ca with a path length of 0
12[CFG] using trusted certificate "C=NL, O=Example Company, CN=vpn.example.org"
12[IKE] authentication of 'C=NL, O=Example Company, CN=vpn.example.org' with RSA_EMSA_PKCS1_SHA384 successful
12[CFG] constraint requires EAP_MD5, but EAP_NAK was used
12[CFG] selected peer config 'vpn_server-vpn_client' inacceptable: non-matching authentication done
12[CFG] no alternative config found
12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
12[IKE] peer supports MOBIKE
12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
12[NET] sending packet: from 10.0.131.40[4500] to 192.168.10.59[63644] (80 bytes)
I have disabled the constraints plugin (via the ./configure
--disable-constraints option). The eap-dynamic plugin handles EAP-Nak payloads
returned by clients and uses these to select a different EAP method
supported/requested by the client. Hence I have configured the below in the
plugins section of strongswan.conf:
eap-dynamic {
    prefer_user = yes
    preferred = eap-md5, eap-mschapv2
}
Here goes the configuration.
ipsec.conf:
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

conn vpn_server-vpn_client
    left=10.0.131.40
    leftfirewall=yes
    leftprotoport=1
    rightprotoport=1
    right=%any
    rightsendcert=always
    leftcert=vpnHostCert.pem
    leftauth=pubkey
    rightauth=eap-md5
    #eap_identity=%any
    leftsubnet=0.0.0.0/0
    rightsourceip=10.0.3.15/32
    type=tunnel
    keyexchange=ikev2
    esp=aes128-sha1
    rekey=no
    reauth=no
    mobike=yes
    auto=add
    leftid=%any
    rightid=%any
ipsec.secrets:
: RSA /etc/ipsec.d/private/vpnHostKey.pem
user : EAP "strongSwan"
Here are the commands used for certificate generation:
ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem
ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=NL, O=Example Company, CN=strongSwan Root CA" --outform pem > cacerts/strongswanCert.pem
ipsec pki --gen --type rsa --size 4096 --outform pem > private/vpnHostKey.pem
ipsec pki --pub --in private/vpnHostKey.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=NL, O=Example Company, CN=vpn.example.org" --san vpn.example.com --san vpn.example.net --san 172.19.134.4 --san @172.19.134.4 --flag serverAuth --flag ikeIntermediate --outform pem > certs/vpnHostCert.pem
openssl pkcs12 -in certs/vpnHostCert.pem -inkey private/vpnHostKey.pem -certfile cacerts/strongswanCert.pem -export -out peer.p12
Note that IKEv2 certificate authentication without EAP works fine. I imported
all certificates to the Android virtual device and installed them, and selected
that specific CA certificate and the user certificate that was imported.
Regards,
Chinmaya
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
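An added example, not from the original post or from the strongSwan project, of how the server-side files fit together for the authentication the log above shows. The client's IKE_AUTH carries N(MULT_AUTH) and N(AUTH_FOLLOWS), i.e. it announces a second authentication round (RFC 4739), and charon first authenticates it with its certificate ("authentication of ... with RSA_EMSA_PKCS1_SHA384 successful"). That round is then checked against rightauth=eap-md5 and rejected, since no EAP method was used in it (EAP_NAK is the placeholder charon reports for "none"); this check lives in charon's auth-config comparison, not in the constraints plugin, which handles X.509 constraints such as CA or group. The example therefore assumes the intended scheme is certificate first, EAP second (rightauth=pubkey plus rightauth2=eap-dynamic), and that eap_identity=%identity is wanted so the EAP username, not the certificate DN from IDi, is what ipsec.secrets is matched on. The addresses, certificate and secret are those of the post; the protoport restriction to protocol 1 from the post is left out. Two caveats a reviewer would raise from the log: the client is presenting the server's own end-entity certificate (CN=vpn.example.org, from the exported peer.p12), so it should be issued its own client certificate instead; and EAP-MD5 carries no server-to-client binding beyond the IKE authentication, so listing eap-mschapv2 first in preferred is the safer order.

```conf
# /etc/strongswan.conf  (added example; values follow the post, not strongSwan defaults)
charon {
    plugins {
        eap-dynamic {
            # Honour the method the client names in its EAP-Nak, if we support it
            prefer_user = yes
            # Otherwise offer these, in order; MSCHAPv2 first is an assumption
            preferred = eap-mschapv2, eap-md5
        }
    }
}

# /etc/ipsec.conf
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn vpn_server-vpn_client
    left=10.0.131.40
    leftcert=vpnHostCert.pem
    leftid=%any
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightid=%any
    rightsendcert=always
    # Round 1: the client's certificate (what the log shows it doing first).
    rightauth=pubkey
    # Round 2 (RFC 4739): EAP, with the method chosen by eap-dynamic instead of
    # being pinned to eap-md5, which is the constraint that failed in the log.
    rightauth2=eap-dynamic
    # Assumption: ask for an EAP-Identity so "user" in ipsec.secrets is matched
    # on the EAP identity rather than on the certificate DN sent as IDi.
    eap_identity=%identity
    rightsourceip=10.0.3.15/32
    esp=aes128-sha1
    mobike=yes
    rekey=no
    reauth=no
    auto=add

# /etc/ipsec.secrets
: RSA /etc/ipsec.d/private/vpnHostKey.pem
user : EAP "strongSwan"
```

If the client is instead switched to a username/password-only profile (no client certificate, so no N(AUTH_FOLLOWS)), the same conn needs a single rightauth=eap-dynamic and no rightauth2. After ipsec restart, the "loaded plugins" line of ipsec statusall should list eap-dynamic together with eap-md5 and eap-mschapv2; if eap-dynamic is missing there, charon will fall through to "no alternative config found" again regardless of the conn settings.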