Hi Tobias,

I'm getting closer. Then there is still an error saying

TLS record MAC verification failed
sending fatal TLS alert 'bad record mac'

Did a lot of searching to no avail. I'm on OpenSSL 1.0.1e 11 Feb 2013 if that helps.

May 2 15:11:49 12[CFG] <1> candidate "winCert", match: 1/1/5 (me/other/ike)
May 2 15:11:49 12[CFG] <winCert|1> selected peer config 'winCert'
May 2 15:11:49 12[IKE] <winCert|1> initiating EAP-Identity request
May 2 15:11:49 12[IKE] <winCert|1> processing INTERNAL_IP4_ADDRESS attribute
May 2 15:11:49 12[IKE] <winCert|1> processing INTERNAL_IP4_DNS attribute
May 2 15:11:49 12[IKE] <winCert|1> processing INTERNAL_IP4_NBNS attribute
May 2 15:11:49 12[IKE] <winCert|1> processing INTERNAL_IP4_SERVER attribute
May 2 15:11:49 12[IKE] <winCert|1> processing INTERNAL_IP6_ADDRESS attribute
May 2 15:11:49 12[IKE] <winCert|1> processing INTERNAL_IP6_DNS attribute
May 2 15:11:49 12[IKE] <winCert|1> processing INTERNAL_IP6_SERVER attribute
May 2 15:11:49 12[IKE] <winCert|1> peer supports MOBIKE
May 2 15:11:49 12[IKE] <winCert|1> authentication of 'C=CN, O=EXAMPLE, CN=vpn.EXAMPLE.de' (myself) with RSA signature successful
May 2 15:11:49 12[IKE] <winCert|1> sending end entity cert "C=CN, O=EXAMPLE, CN=vpn.EXAMPLE.de"
May 2 15:11:49 13[IKE] <winCert|1> received EAP identity '[email protected]'
May 2 15:11:49 13[TLS] <winCert|1> 33 supported TLS cipher suites:
May 2 15:11:49 13[TLS] <winCert|1>   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1>   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
May 2 15:11:49 13[TLS] <winCert|1>   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1>   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
May 2 15:11:49 13[TLS] <winCert|1>   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1>   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
May 2 15:11:49 13[TLS] <winCert|1>   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1>   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
May 2 15:11:49 13[TLS] <winCert|1>   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1>   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
May 2 15:11:49 13[TLS] <winCert|1>   TLS_DHE_RSA_WITH_AES_256_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1>   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
May 2 15:11:49 13[TLS] <winCert|1>   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1>   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
May 2 15:11:49 13[TLS] <winCert|1>   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1>   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
May 2 15:11:49 13[TLS] <winCert|1>   TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1>   TLS_RSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1>   TLS_RSA_WITH_AES_128_CBC_SHA256
May 2 15:11:49 13[TLS] <winCert|1>   TLS_RSA_WITH_AES_256_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1>   TLS_RSA_WITH_AES_256_CBC_SHA256
May 2 15:11:49 13[TLS] <winCert|1>   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1>   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
May 2 15:11:49 13[TLS] <winCert|1>   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1>   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
May 2 15:11:49 13[TLS] <winCert|1>   TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1>   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1>   TLS_RSA_WITH_3DES_EDE_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1>   TLS_ECDHE_ECDSA_WITH_NULL_SHA
May 2 15:11:49 13[TLS] <winCert|1>   TLS_ECDHE_RSA_WITH_NULL_SHA
May 2 15:11:49 13[TLS] <winCert|1>   TLS_RSA_WITH_NULL_SHA
May 2 15:11:49 13[TLS] <winCert|1>   TLS_RSA_WITH_NULL_SHA256
May 2 15:11:49 13[TLS] <winCert|1>   TLS_RSA_WITH_NULL_MD5
May 2 15:11:49 13[TLS] <winCert|1> sending EAP_TLS start packet (6 bytes)
May 2 15:11:49 13[IKE] <winCert|1> initiating EAP_TLS method (id 0x3A)
May 2 15:11:49 14[TLS] <winCert|1> processing TLS Handshake record (169 bytes)
May 2 15:11:49 14[TLS] <winCert|1> received TLS ClientHello handshake (165 bytes)
May 2 15:11:49 14[TLS] <winCert|1> received TLS 'status request' extension
May 2 15:11:49 14[TLS] <winCert|1> received TLS 'elliptic curves' extension
May 2 15:11:49 14[TLS] <winCert|1> received TLS 'ec point formats' extension
May 2 15:11:49 14[TLS] <winCert|1> received TLS 'signature algorithms' extension
May 2 15:11:49 14[TLS] <winCert|1> received TLS '(35)' extension
May 2 15:11:49 14[TLS] <winCert|1> received TLS '(23)' extension
May 2 15:11:49 14[TLS] <winCert|1> received TLS 'renegotiation info' extension
May 2 15:11:49 14[TLS] <winCert|1> received 30 TLS cipher suites:
May 2 15:11:49 14[TLS] <winCert|1>   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
May 2 15:11:49 14[TLS] <winCert|1>   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
May 2 15:11:49 14[TLS] <winCert|1>   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
May 2 15:11:49 14[TLS] <winCert|1>   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
May 2 15:11:49 14[TLS] <winCert|1>   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
May 2 15:11:49 14[TLS] <winCert|1>   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
May 2 15:11:49 14[TLS] <winCert|1>   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
May 2 15:11:49 14[TLS] <winCert|1>   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
May 2 15:11:49 14[TLS] <winCert|1>   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
May 2 15:11:49 14[TLS] <winCert|1>   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
May 2 15:11:49 14[TLS] <winCert|1>   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1>   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1>   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1>   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1>   TLS_DHE_RSA_WITH_AES_256_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1>   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1>   TLS_RSA_WITH_AES_256_GCM_SHA384
May 2 15:11:49 14[TLS] <winCert|1>   TLS_RSA_WITH_AES_128_GCM_SHA256
May 2 15:11:49 14[TLS] <winCert|1>   TLS_RSA_WITH_AES_256_CBC_SHA256
May 2 15:11:49 14[TLS] <winCert|1>   TLS_RSA_WITH_AES_128_CBC_SHA256
May 2 15:11:49 14[TLS] <winCert|1>   TLS_RSA_WITH_AES_256_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1>   TLS_RSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1>   TLS_RSA_WITH_3DES_EDE_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1>   TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
May 2 15:11:49 14[TLS] <winCert|1>   TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
May 2 15:11:49 14[TLS] <winCert|1>   TLS_DHE_DSS_WITH_AES_256_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1>   TLS_DHE_DSS_WITH_AES_128_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1>   TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1>   TLS_RSA_WITH_RC4_128_SHA
May 2 15:11:49 14[TLS] <winCert|1>   TLS_RSA_WITH_RC4_128_MD5
May 2 15:11:49 14[TLS] <winCert|1> negotiated TLS version TLS 1.2 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1> sending TLS ServerHello handshake (38 bytes)
May 2 15:11:49 14[TLS] <winCert|1> sending TLS server certificate 'C=CN, O=EXAMPLE, CN=vpn.EXAMPLE.de'
May 2 15:11:49 14[TLS] <winCert|1> sending TLS Certificate handshake (853 bytes)
May 2 15:11:49 14[TLS] <winCert|1> selected ECDH group SECP256R1
May 2 15:11:49 14[TLS] <winCert|1> created signature with SHA256/RSA
May 2 15:11:49 14[TLS] <winCert|1> sending TLS ServerKeyExchange handshake (329 bytes)
May 2 15:11:49 14[TLS] <winCert|1> sending TLS cert request for 'C=CN, O=EXAMPLE, CN=EXAMPLE ca'
May 2 15:11:49 14[TLS] <winCert|1> sending TLS CertificateRequest handshake (87 bytes)
May 2 15:11:49 14[TLS] <winCert|1> sending TLS ServerHelloDone handshake (0 bytes)
May 2 15:11:49 14[TLS] <winCert|1> sending TLS Handshake record (1327 bytes)
May 2 15:11:49 14[TLS] <winCert|1> sending EAP_TLS first fragment (512 bytes)
May 2 15:11:49 15[TLS] <winCert|1> received EAP_TLS acknowledgement packet
May 2 15:11:49 15[TLS] <winCert|1> sending EAP_TLS further fragment (512 bytes)
May 2 15:11:49 16[TLS] <winCert|1> received EAP_TLS acknowledgement packet
May 2 15:11:49 16[TLS] <winCert|1> sending EAP_TLS final fragment (330 bytes)
May 2 15:11:50 09[TLS] <winCert|1> processing TLS Handshake record (1206 bytes)
May 2 15:11:50 09[TLS] <winCert|1> received TLS Certificate handshake (868 bytes)
May 2 15:11:50 09[TLS] <winCert|1> received TLS peer certificate 'C=CN, O=EXAMPLE, [email protected]'
May 2 15:11:50 09[TLS] <winCert|1> received TLS ClientKeyExchange handshake (66 bytes)
May 2 15:11:50 09[TLS] <winCert|1> received TLS CertificateVerify handshake (260 bytes)
May 2 15:11:50 09[CFG] <winCert|1> using certificate "C=CN, O=EXAMPLE, [email protected]"
May 2 15:11:50 09[CFG] <winCert|1> certificate "C=CN, O=EXAMPLE, [email protected]" key: 2048 bit RSA
May 2 15:11:50 09[CFG] <winCert|1> using trusted ca certificate "C=CN, O=EXAMPLE, CN=EXAMPLE ca"
May 2 15:11:50 09[CFG] <winCert|1> checking certificate status of "C=CN, O=EXAMPLE, [email protected]"
May 2 15:11:50 09[CFG] <winCert|1> ocsp check skipped, no ocsp found
May 2 15:11:50 09[CFG] <winCert|1> certificate status is not available
May 2 15:11:50 09[CFG] <winCert|1> certificate "C=CN, O=EXAMPLE, CN=EXAMPLE ca" key: 2048 bit RSA
May 2 15:11:50 09[CFG] <winCert|1> reached self-signed root ca with a path length of 0
May 2 15:11:50 09[TLS] <winCert|1> verified signature with SHA1/RSA
May 2 15:11:50 09[TLS] <winCert|1> processing TLS ChangeCipherSpec record (1 bytes)
May 2 15:11:50 09[TLS] <winCert|1> processing TLS Handshake record (64 bytes)
May 2 15:11:50 09[TLS] <winCert|1> TLS record MAC verification failed
May 2 15:11:50 09[TLS] <winCert|1> sending fatal TLS alert 'bad record mac'
May 2 15:11:50 09[TLS] <winCert|1> sending TLS Alert record (2 bytes)
May 2 15:11:50 09[TLS] <winCert|1> sending EAP_TLS packet (17 bytes)
May 2 15:11:50 05[TLS] <winCert|1> received EAP_TLS acknowledgement packet
May 2 15:11:50 05[IKE] <winCert|1> EAP method EAP_TLS failed for peer 10.145.250.86
May 2 15:11:50 05[IKE] <winCert|1> IKE_SA winCert[1] state change: CONNECTING => DESTROYING

Thanks,
Arne

sent from my Windows 8 Tablet
> Subject: Re: [strongSwan] Win7 and Window10Mobile: IKE authentication
> credentials are unacceptable
> To: [email protected]; [email protected]
> From: [email protected]
> Date: Mon, 2 May 2016 10:22:29 +0200
>
> Hi Arne,
>
> > I'm now as far as the connection establishes until there is a "no
> > trusted certificate found for '[email protected]' to verify TLS peer"
>
> Your client certificate contains an incorrect subjectAltName extension.
> It should be [email protected] instead of vpn.EXAMPLE.de.
>
> Regards,
> Tobias
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
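Added example for reading a charon log like the one above; it is not code from the thread or from strongSwan. The script parses charon's `[TLS]` lines, rebuilds the handshake and shows three things the log supports: the negotiated suite is exactly what server-preference selection predicts once the ECDHE_ECDSA suites at the top of the server list are excluded because the server key is RSA; the 64-byte record that failed is exactly the size of a TLS 1.2 Finished message under TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (16-byte explicit IV plus 48 bytes holding the 4-byte handshake header, 12-byte verify_data, 20-byte SHA-1 MAC and padding); and the failure happened on the first record protected with the freshly derived keys, after the client certificate chain and the CertificateVerify signature had both been accepted, so the two sides disagree on the record keys or MAC at that point (the log does not say why). The sample log is a constructed, shortened subset of the one posted; the line format and the suite-name convention are assumptions about charon's output.

```python
"""Reconstruct an EAP-TLS handshake from strongSwan charon [TLS] log lines."""
import re

# Constructed subset of the log posted in the thread (suite lists shortened).
SAMPLE_LOG = """\
May 2 15:11:49 13[TLS] <winCert|1> 6 supported TLS cipher suites:
May 2 15:11:49 13[TLS] <winCert|1>   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1>   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
May 2 15:11:49 13[TLS] <winCert|1>   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1>   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
May 2 15:11:49 13[TLS] <winCert|1>   TLS_RSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 13[TLS] <winCert|1>   TLS_RSA_WITH_NULL_SHA
May 2 15:11:49 14[TLS] <winCert|1> received TLS ClientHello handshake (165 bytes)
May 2 15:11:49 14[TLS] <winCert|1> received 5 TLS cipher suites:
May 2 15:11:49 14[TLS] <winCert|1>   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
May 2 15:11:49 14[TLS] <winCert|1>   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
May 2 15:11:49 14[TLS] <winCert|1>   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1>   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1>   TLS_RSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1> negotiated TLS version TLS 1.2 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
May 2 15:11:49 14[TLS] <winCert|1> sending TLS ServerHello handshake (38 bytes)
May 2 15:11:50 09[TLS] <winCert|1> received TLS Certificate handshake (868 bytes)
May 2 15:11:50 09[TLS] <winCert|1> received TLS ClientKeyExchange handshake (66 bytes)
May 2 15:11:50 09[TLS] <winCert|1> received TLS CertificateVerify handshake (260 bytes)
May 2 15:11:50 09[TLS] <winCert|1> verified signature with SHA1/RSA
May 2 15:11:50 09[TLS] <winCert|1> processing TLS ChangeCipherSpec record (1 bytes)
May 2 15:11:50 09[TLS] <winCert|1> processing TLS Handshake record (64 bytes)
May 2 15:11:50 09[TLS] <winCert|1> TLS record MAC verification failed
May 2 15:11:50 09[TLS] <winCert|1> sending fatal TLS alert 'bad record mac'
"""

# Assumed charon line layout: "<month> <day> <hh:mm:ss> <thread>[<group>] <<sa>> <message>"
LINE_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (\d+)\[([A-Z]+)\] <[^>]*> (.*)$")
RECORD_RE = re.compile(r"(sending|received|processing) TLS (\S+) (handshake|record) \((\d+) bytes\)")
NEGOTIATED_RE = re.compile(r"negotiated TLS version (.+) with suite (\S+)")
CLIENT_LIST_RE = re.compile(r"received \d+ TLS cipher suites:")
MAC_LEN = {"SHA": 20, "SHA256": 32, "SHA384": 48}  # HMAC tag sizes for CBC suites


def parse_lines(text):
    """Yield (group, message) for each line in charon's log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(2), m.group(3).strip()


def suite_auth(suite):
    """Authentication algorithm named by a suite: ECDHE_ECDSA -> ECDSA, DHE_DSS -> DSS, RSA -> RSA."""
    kx = (suite[4:] if suite.startswith("TLS_") else suite).split("_WITH_")[0]
    return kx.split("_")[-1]


def expected_suite(server_suites, client_suites, server_key):
    """Server-preference selection: first server suite the client offers whose
    auth algorithm can be used with the server's key type."""
    offered = set(client_suites)
    return next((s for s in server_suites if s in offered and suite_auth(s) == server_key), None)


def finished_record_len(suite, block=16, explicit_iv=16):
    """Wire size of a TLS 1.2 Finished record under an AES-CBC suite: explicit IV
    plus (4-byte handshake header + 12-byte verify_data + MAC + >=1 padding byte)
    rounded up to the cipher block size."""
    if "_CBC_" not in suite:
        raise ValueError("only CBC suites have this layout: " + suite)
    payload = 4 + 12 + MAC_LEN[suite.rsplit("_", 1)[1]] + 1
    return explicit_iv + -(-payload // block) * block


def diagnose_mac_failure(records):
    """Name the record whose MAC failed; directly after the peer's ChangeCipherSpec
    it is the peer's Finished, the first record under the newly derived keys."""
    if len(records) >= 2 and records[-2][1:3] == ("ChangeCipherSpec", "record") \
            and records[-1][1:3] == ("Handshake", "record"):
        return "client Finished (first record under new keys, %d bytes)" % records[-1][3]
    return "%s %s %s (%d bytes)" % records[-1] if records else "unknown record"


def reconstruct(text):
    """Walk the [TLS] lines in order and return what the handshake did."""
    hs = {"server_suites": [], "client_suites": [], "version": None, "negotiated": None,
          "records": [], "signature_verified": False, "failure": None}
    target = None  # suite list currently being filled, if any
    for group, msg in parse_lines(text):
        if group != "TLS":
            continue
        if msg.endswith("supported TLS cipher suites:"):
            target = hs["server_suites"]
            continue
        if CLIENT_LIST_RE.fullmatch(msg):
            target = hs["client_suites"]
            continue
        if target is not None and msg.startswith("TLS_"):
            target.append(msg)
            continue
        target = None  # any other line ends a suite list
        if (m := NEGOTIATED_RE.match(msg)):
            hs["version"], hs["negotiated"] = m.groups()
        elif (m := RECORD_RE.match(msg)):
            d, name, kind, size = m.groups()
            hs["records"].append((d, name, kind, int(size)))
        elif msg.startswith("verified signature with"):
            hs["signature_verified"] = True
        elif msg == "TLS record MAC verification failed" and hs["failure"] is None:
            hs["failure"] = diagnose_mac_failure(hs["records"])
    return hs


if __name__ == "__main__":
    hs = reconstruct(SAMPLE_LOG)
    print("negotiated:", hs["version"], hs["negotiated"])
    print("predicted for RSA server key:", expected_suite(hs["server_suites"], hs["client_suites"], "RSA"))
    print("Finished record size under that suite:", finished_record_len(hs["negotiated"]))
    print("client signature verified:", hs["signature_verified"])
    print("failed record:", hs["failure"])
```

Pointing `reconstruct()` at a full charon log instead of `SAMPLE_LOG` works the same way; the suite lists are read in the order charon prints them, which is the order the server prefers them, so the predicted and logged suites should always agree when the server key type is passed correctly.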
