Hello, I am running up against this auth failed message - I am unable to get authenticated to my strongSwan server using EAP user/password. I have read the support pages and have tried the usable examples as well, but can't get authenticated with any configuration I've tried yet. I feel there is some fundamental thing I missed but I can't see it.
I'm using the Ubuntu network manager (although I have also tried the strongSwan Android app to ensure I was not missing something). I have my strongSwan server set as the Gateway, the server's certificate loaded, the Authentication method set to EAP and the correct username and password entered: https://snag.gy/OyRGJr.jpg

I've included what I suspect are the relevant files and logs as indicated on the HelpRequest page.

ipsec.conf

    config setup
        charondebug="ike 1, knl 1, cfg 0"
        uniqueids=no

    conn ikev2-vpn
        auto=add
        compress=no
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes
        ike=aes256-sha1-modp1024,3des-sha1-modp1024!
        esp=aes256-sha1,3des-sha1!
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftid=@strongswan
        leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        right=%any
        rightid=%any
        rightauth=eap-mschapv2
        rightsourceip=10.10.10.0/24
        rightdns=8.8.8.8,8.8.4.4
        rightsendcert=never
        eap_identity=%identity

ipsec.secrets

    : PSK "foobarblah"
    : RSA /etc/ipsec.d/private/vpn-server-key.pem
    user1 : EAP "munged"

ipsec statusall

    Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-97-generic, x86_64):
      uptime: 24 minutes, since Oct 14 21:51:15 2017
      malloc: sbrk 1769472, mmap 0, used 565024, free 1204448
      worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 0
      loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac ccm gcm attr kernel-libipsec kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
    Virtual IP pools (size/online/offline):
      10.10.10.0/24: 254/0/0
    Listening IP addresses:
      172.20.9.175
      2602:ffb6:2:0:f816:3eff:feb7:3803
    Connections:
       ikev2-vpn:  %any...%any  IKEv2, dpddelay=300s
       ikev2-vpn:   local:  [my.strongswan.com] uses public key authentication
       ikev2-vpn:    cert:  "C=US, O=VPN Server, CN=my.strongswan.com"
       ikev2-vpn:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
       ikev2-vpn:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
    Security Associations (0 up, 0 connecting):
      none

Log

    Oct 14 22:08:14 my charon: 14[NET] received packet: from 142.66.15.26[46644] to 172.20.9.175[500] (1256 bytes)
    Oct 14 22:08:14 my charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
    Oct 14 22:08:14 my charon: 14[IKE] 142.66.15.26 is initiating an IKE_SA
    Oct 14 22:08:14 my charon: 14[IKE] local host is behind NAT, sending keep alives
    Oct 14 22:08:14 my charon: 14[IKE] remote host is behind NAT
    Oct 14 22:08:14 my charon: 14[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
    Oct 14 22:08:14 my charon: 14[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
    Oct 14 22:08:14 my charon: 14[NET] sending packet: from 172.20.9.175[500] to 142.66.15.26[46644] (38 bytes)
    Oct 14 22:08:14 my charon: 13[NET] received packet: from 142.66.15.26[46644] to 172.20.9.175[500] (1128 bytes)
    Oct 14 22:08:14 my charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
    Oct 14 22:08:14 my charon: 13[IKE] 142.66.15.26 is initiating an IKE_SA
    Oct 14 22:08:14 my charon: 13[IKE] local host is behind NAT, sending keep alives
    Oct 14 22:08:14 my charon: 13[IKE] remote host is behind NAT
    Oct 14 22:08:14 my charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
    Oct 14 22:08:14 my charon: 13[NET] sending packet: from 172.20.9.175[500] to 142.66.15.26[46644] (328 bytes)
    Oct 14 22:08:14 my charon: 16[NET] received packet: from 142.66.15.26[4500] to 172.20.9.175[4500] (364 bytes)
    Oct 14 22:08:14 my charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
    Oct 14 22:08:14 my charon: 16[IKE] peer supports MOBIKE
    Oct 14 22:08:14 my charon: 16[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Oct 14 22:08:14 my charon: 16[NET] sending packet: from 172.20.9.175[4500] to 142.66.15.26[4500] (76 bytes)

It dies here and my client says "VPN connection failed".

Any help would be appreciated. Thank you.
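The charon excerpt in the post is the kind of log a gateway operator triages regularly, so here is an added example of doing that mechanically (this is not part of the post, nor strongSwan code). It parses charon's `thread[SUBSYSTEM] message` line format, extracts each IKE exchange with its payload list, records the DH downgrade that charon announces with "DH group ... inacceptable, requesting ...", and turns what it sees into findings: a negotiated MODP group under 2048 bits, an IDr asserted by the peer (which has to match the gateway's leftid for a conn to match), and an AUTH_FAILED sent before any EAP payload, meaning the failure is upstream of the password check. The sample input is a subset of the log lines from the post; the 2048-bit threshold and the finding wording are the example's own assumptions.

```python
"""Triage helper for strongSwan charon log excerpts (added example, not strongSwan code)."""
import re

# charon syslog line: "<ts> <host> charon: <thread>[<SUBSYS>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$"
)
# "parsed IKE_AUTH request 1 [ IDi ... ]" / "generating IKE_AUTH response 1 [ ... ]"
EXCHANGE_RE = re.compile(
    r"^(?P<dir>parsed|generating) (?P<exch>[A-Z_]+) (?P<kind>request|response) "
    r"(?P<mid>\d+) \[ (?P<payloads>.*?) \]$"
)
# Payload tokens may carry a parenthesised argument list with spaces, e.g. CPRQ(ADDR DNS NBNS)
PAYLOAD_RE = re.compile(r"\S+\([^)]*\)|\S+")
DH_RE = re.compile(r"^DH group (?P<offered>\w+) inacceptable, requesting (?P<wanted>\w+)$")

# Modulus sizes of the classic MODP groups; the example treats anything under 2048 bits as weak.
MODP_BITS = {"MODP_768": 768, "MODP_1024": 1024, "MODP_1536": 1536,
             "MODP_2048": 2048, "MODP_3072": 3072, "MODP_4096": 4096}
WEAK_BELOW = 2048

# Sample input: a subset of the charon lines quoted in the post above.
SAMPLE_LOG = """\
Oct 14 22:08:14 my charon: 14[NET] received packet: from 142.66.15.26[46644] to 172.20.9.175[500] (1256 bytes)
Oct 14 22:08:14 my charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Oct 14 22:08:14 my charon: 14[IKE] 142.66.15.26 is initiating an IKE_SA
Oct 14 22:08:14 my charon: 14[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
Oct 14 22:08:14 my charon: 14[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 14 22:08:14 my charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Oct 14 22:08:14 my charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Oct 14 22:08:14 my charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct 14 22:08:14 my charon: 16[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""


def parse_line(line):
    """Split one charon syslog line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Walk a charon excerpt and return exchanges, DH downgrades and human-readable findings."""
    exchanges, downgrades, findings = [], [], []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ex = EXCHANGE_RE.match(rec["msg"])
        if ex:
            exchanges.append({
                "direction": "in" if ex.group("dir") == "parsed" else "out",
                "exchange": ex.group("exch"),
                "kind": ex.group("kind"),
                "msgid": int(ex.group("mid")),
                "payloads": PAYLOAD_RE.findall(ex.group("payloads")),
            })
            continue
        dh = DH_RE.match(rec["msg"])
        if dh:
            downgrades.append((dh.group("offered"), dh.group("wanted")))

    auth_req = next((e for e in exchanges
                     if e["exchange"] == "IKE_AUTH" and e["direction"] == "in"), None)
    auth_resp = next((e for e in exchanges
                      if e["exchange"] == "IKE_AUTH" and e["direction"] == "out"), None)
    auth_failed = bool(auth_resp and "N(AUTH_FAILED)" in auth_resp["payloads"])
    # Any EAP payload in the response would mean the EAP method actually started.
    eap_started = bool(auth_resp and any(p.startswith("EAP") for p in auth_resp["payloads"]))

    for offered, wanted in downgrades:
        if MODP_BITS.get(wanted, 0) < WEAK_BELOW:
            findings.append(f"gateway rejected {offered} and asked for {wanted} "
                            f"(<{WEAK_BELOW} bits): the ike= proposal only allows a weak group")
    if auth_req and "IDr" in auth_req["payloads"]:
        findings.append("peer asserted a responder identity (IDr); it must match the "
                        "gateway's leftid, or the conn must accept %any, for the conn to be selected")
    if auth_failed and not eap_started:
        findings.append("N(AUTH_FAILED) was sent with no EAP payload, so the failure is upstream "
                        "of the EAP password check (config/identity/credential selection); "
                        "raise charondebug cfg above 0 to see the reason")

    return {"exchanges": exchanges, "dh_downgrades": downgrades,
            "auth_failed": auth_failed, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for e in result["exchanges"]:
        print(f'{e["direction"]:>3} {e["exchange"]} {e["kind"]} {e["msgid"]}: {" ".join(e["payloads"])}')
    for f in result["findings"]:
        print("finding:", f)
```

Run it against a `journalctl -u strongswan` or `/var/log/syslog` excerpt instead of `SAMPLE_LOG` to get the same summary for a live gateway; the payload tokenizer is what keeps `CPRQ(ADDR DNS NBNS)` as one payload rather than three.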
