It's not. Local and remote authentication always default to pubkey. Specifying PSK authentication for one side does not imply that the other side uses it as well.
On 03.01.2018 06:00, Glen Huang wrote:
> Thanks for the help and happy new year.
>
> IIUC, ipsec.conf is used by starter, but I execute charon directly and then
> use swanctl to load swanctl.conf. So I’m not sure if ipsec.conf is relevant
> here. The secret is specified in swanctl.conf already, I’m also not sure if
> ipsec.secret is consulted since it’s also only used by starter.
>
> Regards
> Glen
>
>> On 3 Jan 2018, at 10:23 AM, Quaker <[email protected]> wrote:
>>
>> 1. peer config is related to ipsec.conf
>> 2. As your log, AUTH_FAILED might also be caused by ipsec.conf; when finished
>> with ipsec.conf, you should configure ipsec.secret also
>>
>>
>> Regards
>> Quaker
>>
>> On Tue, Jan 2, 2018 at 7:00 PM, <[email protected]> wrote:
>>
>> Send Users mailing list submissions to
>> [email protected]
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>> https://lists.strongswan.org/mailman/listinfo/users
>> or, via email, send a message with subject or body 'help' to
>> [email protected]
>>
>> You can reach the person managing the list at
>> [email protected]
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of Users digest..."
>>
>>
>> Today's Topics:
>>
>> 1. Help needed for a basic swanctl config (Glen Huang)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Tue, 2 Jan 2018 18:54:27 +0800
>> From: Glen Huang <[email protected]>
>> To: [email protected]
>> Subject: [strongSwan] Help needed for a basic swanctl config
>> Message-ID: <[email protected]>
>> Content-Type: text/plain; charset=utf-8
>>
>> Hi,
>>
>> I’m trying to set up an IKEv2 VPN server using swanctl for iOS clients.
>>
>> I have this very simple config:
>>
>> connections {
>>     ios {
>>         version = 2
>>         pools = ios_pool
>>         remote {
>>             id = foobar
>>             auth = psk
>>         }
>>     }
>> }
>>
>> pools {
>>     ios_pool {
>>         addrs = 192.168.37.0/24
>>         dns = 8.8.8.8
>>     }
>> }
>>
>> secrets {
>>     ike-ios {
>>         secret = abc
>>     }
>> }
>>
>> But when connecting from an iOS client using the following connection
>> settings:
>>
>> Remote ID: foobar
>> Local ID: [empty]
>> Authentication Settings: None
>> Shared Secret: abc
>>
>> It fails to connect, and the log shows it fails at a pretty early stage:
>>
>> 12[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)
>> 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>> 12[IKE] 2.2.2.2 is initiating an IKE_SA
>> 12[IKE] remote host is behind NAT
>> 12[IKE] sending cert request for "C=com, O=myvpn, CN=VPN CA"
>> 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
>> 12[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)
>> 15[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)
>> 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>> 15[IKE] received retransmit of request with ID 0, retransmitting response
>> 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)
>> 05[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (544 bytes)
>> 05[ENC] unknown attribute type (25)
>> 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>> 05[CFG] looking for peer configs matching 1.1.1.1[foobar]...2.2.2.2[192.168.1.251]
>> 05[CFG] no matching peer config found
>> 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>> 05[IKE] peer supports MOBIKE
>> 05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> 05[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (80 bytes)
>>
>> I’m trying to have a firm grasp of strongSwan (I have some basic
>> understanding of IKEv2 & IPsec), so a few questions:
>>
>> 1. What constitutes a "peer config" in swanctl.conf?
>> 2. Is the AUTH_FAILED message caused by a secret mismatch, by being unable to
>> find a connection setting, or by something else?
>> 3. How do I find out in the logs the kind of auth request sent by the
>> client? The iOS client provides quite a few authentication settings,
>> and I’d like to learn how charon sees them in order to provide the
>> corresponding settings in swanctl.conf
>>
>> Thanks in advance.
>>
>>
>> End of Users Digest, Vol 96, Issue 2
>> ************************************
>>
>
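The following swanctl.conf is an added example written for this page; it is neither the original poster's file nor code from the strongSwan project. It applies the point made in the reply above: `auth` defaults to pubkey for both sides, so a PSK connection has to state `auth = psk` under `local` as well as under `remote`. Two further observations come straight from the quoted log: charon looked for a peer config matching `1.1.1.1[foobar]...2.2.2.2[192.168.1.251]`, so `foobar` (the iOS "Remote ID") is the server's own identity and belongs under `local`, while the client, with an empty "Local ID", identified itself by its private address; and the failure is logged as `no matching peer config found` before any AUTH payload is verified, so it is a config-lookup mismatch rather than a wrong secret. The `children` section and its `0.0.0.0/0` traffic selector are my assumptions about a typical remote-access setup; the secret `abc` is the thread's placeholder.

```conf
# Added example (not from the original thread): IKEv2 remote-access server
# for iOS clients authenticating with a pre-shared key via swanctl.conf.
connections {
    ios {
        version = 2
        pools = ios_pool

        # Server-side identity. The log shows the client's IDr as "foobar"
        # (1.1.1.1[foobar]), i.e. the iOS "Remote ID", so it is the local id.
        # auth = psk was missing in the original; the default is pubkey.
        local {
            id = foobar
            auth = psk
        }

        # With an empty iOS "Local ID" the client uses its own address as IDi
        # (2.2.2.2[192.168.1.251] in the log), which changes between networks,
        # so no remote id is pinned. Caveat: any holder of the PSK can then
        # connect; that is inherent to a single shared secret without ids.
        remote {
            auth = psk
        }

        # Assumption: one child SA so clients can send all traffic through the
        # tunnel. remote_ts is left at its default (dynamic), i.e. the virtual
        # IP assigned from ios_pool.
        children {
            ios {
                local_ts = 0.0.0.0/0
            }
        }
    }
}

pools {
    ios_pool {
        addrs = 192.168.37.0/24
        dns = 8.8.8.8
    }
}

secrets {
    # Kept without an id selector, as in the original, so the secret is not
    # tied to a particular peer identity. "abc" is the thread's placeholder;
    # use a long random value in practice.
    ike-ios {
        secret = abc
    }
}
```

After editing, load it with `swanctl --load-all` and check `swanctl --list-conns`: the listing shows the authentication method configured for each side of a connection, which is the quickest way to confirm that neither `local` nor `remote` has silently fallen back to pubkey.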