My apologies for having to ask about this again, but I am stuck trying to make 
a macOS IPsec connection to strongSwan. I had similar issues in the past, and 
Noel kindly helped me out, and I thought I had it all documented, but here I am 
again. Once again, strongSwan is reporting that it cannot find a matching peer 
config.

Noel’s response to my last post: 
https://lists.strongswan.org/pipermail/users/2018-January/012155.html 

Once again, I’m sure this is me doing something dumb here, but I cannot figure 
out what it is.

[root@MyHost ~]# ipsec --version
Linux strongSwan U5.6.3/K4.14.72-ipfire

conn MacIPSec
        left=x.x.x.x
        leftsubnet=0.0.0.0/0
        right=%any
        leftcert=/var/ipfire/certs/hostcert.pem
        rightcert=/var/ipfire/certs/MacIPSeccert.pem
        leftid=myhost.mydom.dom
        rightid=u...@mydom.dom
        ike=aes256-sha2_384-ecp384,aes256-sha2_384-ecp256,aes256-sha2_256-ecp384,aes256-sha2_256-ecp256!
        esp=aes256-sha2_384-ecp384,aes256-sha2_384-ecp256,aes256-sha2_256-ecp384,aes256-sha2_256-ecp256!
        keyexchange=ikev2
        ikelifetime=3h
        keylife=1h
        dpdaction=clear
        dpddelay=30
        dpdtimeout=120
        auto=add
        rightsourceip=10.252.0.240/28
        fragmentation=yes
        leftsendcert=always
        leftallowany=yes
        rightdns=10.252.0.1
        rekey=no
        reauth=no

When starting strongSwan, these messages are logged:

Dec  9 09:47:30 MyHost charon: 06[CFG]   id 'myhost.mydom.dom' not confirmed by certificate, defaulting to 'C=US, ST=ST, O=MyOrg, OU=My Dept., CN=myhost.mydom.dom'
Dec  9 09:47:30 TheShack charon: 06[CFG]   id 'u...@mydom.dom' not confirmed by certificate, defaulting to 'C=US, ST=ST, O=MyOrg, OU=My Dept., CN=MacIPSec'

And this hits the logs when I try to connect: 

Dec  9 09:47:50 MyHost charon: 16[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (604 bytes)
Dec  9 09:47:50 MyHost charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Dec  9 09:47:50 MyHost charon: 16[IKE] y.y.y.y is initiating an IKE_SA
Dec  9 09:47:50 MyHost charon: 16[IKE] y.y.y.y is initiating an IKE_SA
Dec  9 09:47:50 MyHost charon: 16[IKE] remote host is behind NAT
Dec  9 09:47:50 MyHost charon: 16[IKE] DH group MODP_2048 inacceptable, requesting ECP_256
Dec  9 09:47:50 MyHost charon: 16[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Dec  9 09:47:50 MyHost charon: 16[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (38 bytes)
Dec  9 09:47:50 MyHost charon: 06[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (412 bytes)
Dec  9 09:47:50 MyHost charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Dec  9 09:47:50 MyHost charon: 06[IKE] y.y.y.y is initiating an IKE_SA
Dec  9 09:47:50 MyHost charon: 06[IKE] y.y.y.y is initiating an IKE_SA
Dec  9 09:47:50 MyHost charon: 06[IKE] remote host is behind NAT
Dec  9 09:47:50 MyHost charon: 06[IKE] sending cert request for "C=US, ST=ST, L=MyTown, O=MyOrg, OU=My Dept., CN=MyOrg CA, E=u...@mydom.dom"
Dec  9 09:47:50 MyHost charon: 06[IKE] sending cert request for "C=US, ST=ST, L=MyTown, O=MyOrg, OU=My Dept, CN=MyOrg CA, E=u...@mydom.dom"
Dec  9 09:47:50 MyHost charon: 06[IKE] sending cert request for "C=US, ST=ST, L=OtherTown, O=MyOrg, OU=My Dept., CN=MyOrg CA, E=u...@mydom.dom"
Dec  9 09:47:50 MyHost charon: 06[IKE] sending cert request for "C=US, ST=ST, L=OtherTown2, O=MyOrg, OU=My Dept, CN=MyOrg CA, E=u...@mydom.dom"
Dec  9 09:47:50 MyHost charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Dec  9 09:47:50 MyHost charon: 06[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (341 bytes)
Dec  9 09:47:50 MyHost charon: 05[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (532 bytes)
Dec  9 09:47:50 MyHost charon: 05[ENC] parsed IKE_AUTH request 1 [ EF(1/5) ]
Dec  9 09:47:50 MyHost charon: 05[ENC] received fragment #1 of 5, waiting for complete IKE message
Dec  9 09:47:50 MyHost charon: 08[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (532 bytes)
Dec  9 09:47:50 MyHost charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(2/5) ]
Dec  9 09:47:50 MyHost charon: 08[ENC] received fragment #2 of 5, waiting for complete IKE message
Dec  9 09:47:50 MyHost charon: 07[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (532 bytes)
Dec  9 09:47:50 MyHost charon: 07[ENC] parsed IKE_AUTH request 1 [ EF(3/5) ]
Dec  9 09:47:50 MyHost charon: 07[ENC] received fragment #3 of 5, waiting for complete IKE message
Dec  9 09:47:50 MyHost charon: 09[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (532 bytes)
Dec  9 09:47:50 MyHost charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(4/5) ]
Dec  9 09:47:50 MyHost charon: 09[ENC] received fragment #4 of 5, waiting for complete IKE message
Dec  9 09:47:50 MyHost charon: 11[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (132 bytes)
Dec  9 09:47:50 MyHost charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(5/5) ]
Dec  9 09:47:50 MyHost charon: 11[ENC] received fragment #5 of 5, reassembling fragmented IKE message
Dec  9 09:47:50 MyHost charon: 11[ENC] unknown attribute type (25)
Dec  9 09:47:50 MyHost charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Dec  9 09:47:50 TheShack charon: 11[IKE] received end entity cert "C=US, ST=ST, O=MyOrg, OU=My Dept., CN=MacIPSec"
Dec  9 09:47:50 TheShack charon: 11[CFG] looking for peer configs matching x.x.x.x[myhost.mydom.dom]...y.y.y.y[u...@mydom.dom]
Dec  9 09:47:50 TheShack charon: 11[CFG] no matching peer config found
Dec  9 09:47:50 TheShack charon: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec  9 09:47:50 TheShack charon: 11[IKE] peer supports MOBIKE
Dec  9 09:47:50 TheShack charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

Many thanks,

Tom
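An added check, not part of Tom's post and not strongSwan's own tooling: a small Python script that reads charon log lines of the kind quoted above and reports where a configured leftid/rightid was silently replaced because the certificate does not contain that identity, and why the subsequent peer-config lookup then has nothing to match. The point it makes visible is that strongSwan will only assert an identity its certificate vouches for (subject DN or a subjectAltName); if leftid/rightid is not in the certificate it falls back to the subject DN, and a peer proposing an FQDN or e-mail identity can no longer match a DN. The sample log lines are constructed placeholders modelled on the post; `user@mydom.dom` stands in for the elided address, and the function names are this script's own.

```python
import re

# Constructed sample, modelled on the charon lines quoted in the post; hosts and
# the address "user@mydom.dom" are placeholders, not values from the original.
SAMPLE_LOG = """\
Dec  9 09:47:30 MyHost charon: 06[CFG]   id 'myhost.mydom.dom' not confirmed by certificate, defaulting to 'C=US, ST=ST, O=MyOrg, OU=My Dept., CN=myhost.mydom.dom'
Dec  9 09:47:30 MyHost charon: 06[CFG]   id 'user@mydom.dom' not confirmed by certificate, defaulting to 'C=US, ST=ST, O=MyOrg, OU=My Dept., CN=MacIPSec'
Dec  9 09:47:50 MyHost charon: 11[CFG] looking for peer configs matching x.x.x.x[myhost.mydom.dom]...y.y.y.y[user@mydom.dom]
Dec  9 09:47:50 MyHost charon: 11[CFG] no matching peer config found
"""

# Constructed counter-example: the same lookup when a config does match.
SAMPLE_LOG_OK = """\
Dec  9 10:01:00 MyHost charon: 12[CFG] looking for peer configs matching x.x.x.x[myhost.mydom.dom]...y.y.y.y[user@mydom.dom]
Dec  9 10:01:00 MyHost charon: 12[CFG] selected peer config 'MacIPSec'
"""

DEFAULTED_RE = re.compile(
    r"id '(?P<wanted>[^']+)' not confirmed by certificate, "
    r"defaulting to '(?P<effective>[^']+)'")
# charon prints "..." between the two endpoints; mail clients sometimes turn it into U+2026.
LOOKUP_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<lhost>[^\s\[]+)\[(?P<lid>[^\]]+)\](?:\.\.\.|\u2026)"
    r"(?P<rhost>[^\s\[]+)\[(?P<rid>[^\]]+)\]")
NOMATCH_RE = re.compile(r"no matching peer config found")
SELECTED_RE = re.compile(r"selected peer config '(?P<name>[^']+)'")


def id_type(identity):
    """Classify an identity string the way strongSwan's ID types would."""
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", identity):
        return "IPV4_ADDR"
    if "=" in identity:          # 'C=US, ..., CN=...' style distinguished name
        return "DER_ASN1_DN"
    if "@" in identity:
        return "RFC822_ADDR"
    return "FQDN"


def analyze(log_text):
    """Collect defaulted ids and peer-config lookups from charon log lines."""
    report = {"defaulted": {}, "lookups": []}
    for line in log_text.splitlines():
        m = DEFAULTED_RE.search(line)
        if m:
            report["defaulted"][m["wanted"]] = m["effective"]
            continue
        m = LOOKUP_RE.search(line)
        if m:
            report["lookups"].append({
                "local_id": m["lid"], "remote_id": m["rid"],
                "matched": None, "config": None})
            continue
        # Outcome lines only make sense for a lookup that is still open.
        if not report["lookups"] or report["lookups"][-1]["matched"] is not None:
            continue
        if NOMATCH_RE.search(line):
            report["lookups"][-1]["matched"] = False
        else:
            m = SELECTED_RE.search(line)
            if m:
                report["lookups"][-1]["matched"] = True
                report["lookups"][-1]["config"] = m["name"]
    return report


def findings(report):
    """Explain, in plain text, why a failed lookup could not match anything."""
    out = []
    for wanted, effective in report["defaulted"].items():
        out.append(
            f"configured id {wanted!r} ({id_type(wanted)}) is not contained in the "
            f"certificate; strongSwan is using {effective!r} ({id_type(effective)}) instead")
    for lk in report["lookups"]:
        if lk["matched"] is not False:
            continue
        for side, asserted in (("local", lk["local_id"]), ("remote", lk["remote_id"])):
            effective = report["defaulted"].get(asserted)
            if effective is not None and id_type(effective) != id_type(asserted):
                out.append(
                    f"{side} id proposed by the peer, {asserted!r} ({id_type(asserted)}), "
                    f"cannot match the effective {side}id {effective!r} "
                    f"({id_type(effective)}); put {asserted!r} into that certificate's "
                    f"subjectAltName or configure the DN as the id")
    return out


if __name__ == "__main__":
    for line in findings(analyze(SAMPLE_LOG)):
        print("-", line)
```

Run it against a real `/var/log/messages` extract (`python3 check_ids.py < charon.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) right after `ipsec start`: any "not confirmed by certificate" finding is worth fixing before the first client attempt, because the fallback happens at config load time and every later `no matching peer config found` is a consequence of it. The two remedies the script names are the only ones strongSwan offers: reissue the host and client certificates with the FQDN and e-mail address in their subjectAltName, or set `leftid`/`rightid` to the certificates' full subject DNs and configure the macOS client to send the matching identities.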
