IPSec for mobile users not working with strongswan-nm
-
Hello,
I'm currently trying to set up a roadwarrior style VPN to connect to my router. Since I might want to use Windows to connect too, I wanted to use IPSec IKEv2.
I used this tutorial: https://www.netgate.com/docs/pfsense/book/ipsec/mobile-ipsec-choices.html#ikev2-with-eap-mschapv2
Unfortunately, this doesn't seem to work for me. My client is Linux with strongswan-nm installed and the full logs are at the end.
I think it is a rather simple misconfiguration, but I can't find it. The client logs, shortly before the authentication failure:
Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] received 1 cert requests for an unknown ca
and the server shortly thereafter:
Oct 1 13:50:42 charon: 09[CFG] constraint requires public key authentication, but pre-shared key was used
Does anyone know more about this? Is it even possible that this is the problem, or do I have another problem?
Thank you for your support.
Client-Side:
Oct 01 13:17:24 novac charon-nm[4597]: 04[CFG] using gateway certificate, identity 'C=DE, L=Example, O=Example GmbH, E=root@example.com, CN=rw.vpn.example.com'
Oct 01 13:17:29 novac charon-nm[4597]: 04[IKE] initiating IKE_SA rw.vpn.example.com[25] to 217.X.X.X
Oct 01 13:17:29 novac charon-nm[4597]: 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 01 13:17:29 novac charon-nm[4597]: 04[NET] sending packet: from 10.21.247.45[48983] to 217.X.X.X[500] (336 bytes)
Oct 01 13:17:29 novac NetworkManager[1046]: <info> [1538392649.3122] vpn-connection[0x1d1faab0110,964ea3a0-5277-4d58-aa1a-cfdac1f13621,"rw.vpn.example.com",0]: VPN plugin: state changed: starting (3)
Oct 01 13:17:29 novac charon-nm[4597]: 12[NET] received packet: from 217.X.X.X[500] to 10.21.247.45[48983] (363 bytes)
Oct 01 13:17:29 novac charon-nm[4597]: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Oct 01 13:17:29 novac charon-nm[4597]: 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] local host is behind NAT, sending keep alives
Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] received 1 cert requests for an unknown ca
Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] authentication of 'testkey' (myself) with pre-shared key
Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] establishing CHILD_SA rw.vpn.example.com{22}
Oct 01 13:17:29 novac charon-nm[4597]: 12[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Oct 01 13:17:29 novac charon-nm[4597]: 12[NET] sending packet: from 10.21.247.45[46341] to 217.X.X.X[4500] (480 bytes)
Oct 01 13:17:29 novac charon-nm[4597]: 08[NET] received packet: from 217.X.X.X[4500] to 10.21.247.45[46341] (80 bytes)
Oct 01 13:17:29 novac charon-nm[4597]: 08[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 01 13:17:29 novac charon-nm[4597]: 08[IKE] received AUTHENTICATION_FAILED notify error
Oct 01 13:17:29 novac NetworkManager[1046]: <warn> [1538392649.4250] vpn-connection[0x1d1faab0110,964ea3a0-5277-4d58-aa1a-cfdac1f13621,"rw.vpn.example.com",0]: VPN plugin: failed: connect-failed (1)
Oct 01 13:17:29 novac NetworkManager[1046]: <warn> [1538392649.4251] vpn-connection[0x1d1faab0110,964ea3a0-5277-4d58-aa1a-cfdac1f13621,"rw.vpn.example.com",0]: VPN plugin: failed: connect-failed (1)
Oct 01 13:17:29 novac NetworkManager[1046]: <info> [1538392649.4252] vpn-connection[0x1d1faab0110,964ea3a0-5277-4d58-aa1a-cfdac1f13621,"rw.vpn.example.com",0]: VPN plugin: state changed: stopping (5)
Oct 01 13:17:29 novac NetworkManager[1046]: <info> [1538392649.4253] vpn-connection[0x1d1faab0110,964ea3a0-5277-4d58-aa1a-cfdac1f13621,"rw.vpn.example.com",0]: VPN plugin: state changed: stopped (6)
Server-Side:
Oct 1 13:50:42 charon: 09[NET] received packet: from 193.X.X.X[48983] to 217.X.X.X[500] (336 bytes)
Oct 1 13:50:42 charon: 09[NET] <23> received packet: from 193.X.X.X[48983] to 217.X.X.X[500] (336 bytes)
Oct 1 13:50:42 charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 1 13:50:42 charon: 09[ENC] <23> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 1 13:50:42 charon: 09[CFG] looking for an ike config for 217.X.X.X...193.X.X.X
Oct 1 13:50:42 charon: 09[CFG] <23> looking for an ike config for 217.X.X.X...193.X.X.X
Oct 1 13:50:42 charon: 09[CFG] candidate: %any...%any, prio 24
Oct 1 13:50:42 charon: 09[CFG] <23> candidate: %any...%any, prio 24
Oct 1 13:50:42 charon: 09[CFG] candidate: 217.X.X.X...%any, prio 1052
Oct 1 13:50:42 charon: 09[CFG] <23> candidate: 217.X.X.X...%any, prio 1052
Oct 1 13:50:42 charon: 09[CFG] found matching ike config: 217.X.X.X...%any with prio 1052
Oct 1 13:50:42 charon: 09[CFG] <23> found matching ike config: 217.X.X.X...%any with prio 1052
Oct 1 13:50:42 charon: 09[IKE] 193.X.X.X is initiating an IKE_SA
Oct 1 13:50:42 charon: 09[IKE] <23> 193.X.X.X is initiating an IKE_SA
Oct 1 13:50:42 charon: 09[IKE] IKE_SA (unnamed)[23] state change: CREATED => CONNECTING
Oct 1 13:50:42 charon: 09[IKE] <23> IKE_SA (unnamed)[23] state change: CREATED => CONNECTING
Oct 1 13:50:42 charon: 09[CFG] selecting proposal:
Oct 1 13:50:42 charon: 09[CFG] <23> selecting proposal:
Oct 1 13:50:42 charon: 09[CFG] proposal matches
Oct 1 13:50:42 charon: 09[CFG] <23> proposal matches
Oct 1 13:50:42 charon: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Oct 1 13:50:42 charon: 09[CFG] <23> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Oct 1 13:50:42 charon: 09[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Oct 1 13:50:42 charon: 09[CFG] <23> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Oct 1 13:50:42 charon: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Oct 1 13:50:42 charon: 09[CFG] <23> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Oct 1 13:50:42 charon: 09[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
Oct 1 13:50:42 charon: 09[CFG] <23> received supported signature hash algorithms: sha256 sha384 sha512 identity
Oct 1 13:50:42 charon: 09[IKE] remote host is behind NAT
Oct 1 13:50:42 charon: 09[IKE] <23> remote host is behind NAT
Oct 1 13:50:42 charon: 09[CFG] sending supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
Oct 1 13:50:42 charon: 09[CFG] <23> sending supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
Oct 1 13:50:42 charon: 09[IKE] sending cert request for "C=DE, ST=ST, L=example, O=example GmbH, E=root@example.com, CN=example-vpn-ca"
Oct 1 13:50:42 charon: 09[IKE] <23> sending cert request for "C=DE, ST=ST, L=example, O=example GmbH, E=root@example.com, CN=example-vpn-ca"
Oct 1 13:50:42 charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Oct 1 13:50:42 charon: 09[ENC] <23> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Oct 1 13:50:42 charon: 09[NET] sending packet: from 217.X.X.X[500] to 193.X.X.X[48983] (363 bytes)
Oct 1 13:50:42 charon: 09[NET] <23> sending packet: from 217.X.X.X[500] to 193.X.X.X[48983] (363 bytes)
Oct 1 13:50:42 charon: 09[NET] received packet: from 193.X.X.X[46341] to 217.X.X.X[4500] (480 bytes)
Oct 1 13:50:42 charon: 09[NET] <23> received packet: from 193.X.X.X[46341] to 217.X.X.X[4500] (480 bytes)
Oct 1 13:50:42 charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Oct 1 13:50:42 charon: 09[ENC] <23> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Oct 1 13:50:42 charon: 09[CFG] looking for peer configs matching 217.X.X.X[C=DE, ST=ST, L=example, O=example GmbH, E=root@example.com, CN=rw.vpn.example.com]...193.X.X.X[testkey]
Oct 1 13:50:42 charon: 09[CFG] <23> looking for peer configs matching 217.X.X.X[C=DE, ST=ST, L=example, O=example GmbH, E=root@example.com, CN=rw.vpn.example.com]...193.X.X.X[testkey]
Oct 1 13:50:42 charon: 09[CFG] candidate "bypasslan", match: 1/1/24 (me/other/ike)
Oct 1 13:50:42 charon: 09[CFG] <23> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Oct 1 13:50:42 charon: 09[CFG] selected peer config 'bypasslan'
Oct 1 13:50:42 charon: 09[CFG] <bypasslan|23> selected peer config 'bypasslan'
Oct 1 13:50:42 charon: 09[IKE] authentication of 'testkey' with pre-shared key successful
Oct 1 13:50:42 charon: 09[IKE] <bypasslan|23> authentication of 'testkey' with pre-shared key successful
Oct 1 13:50:42 charon: 09[CFG] constraint requires public key authentication, but pre-shared key was used
Oct 1 13:50:42 charon: 09[CFG] <bypasslan|23> constraint requires public key authentication, but pre-shared key was used
Oct 1 13:50:42 charon: 09[CFG] selected peer config 'bypasslan' inacceptable: non-matching authentication done
Oct 1 13:50:42 charon: 09[CFG] <bypasslan|23> selected peer config 'bypasslan' inacceptable: non-matching authentication done
Oct 1 13:50:42 charon: 09[CFG] no alternative config found
Oct 1 13:50:42 charon: 09[CFG] <bypasslan|23> no alternative config found
Oct 1 13:50:42 charon: 09[IKE] processing INTERNAL_IP4_ADDRESS attribute
Oct 1 13:50:42 charon: 09[IKE] <bypasslan|23> processing INTERNAL_IP4_ADDRESS attribute
Oct 1 13:50:42 charon: 09[IKE] processing INTERNAL_IP4_DNS attribute
Oct 1 13:50:42 charon: 09[IKE] <bypasslan|23> processing INTERNAL_IP4_DNS attribute
Oct 1 13:50:42 charon: 09[IKE] processing INTERNAL_IP4_NBNS attribute
Oct 1 13:50:42 charon: 09[IKE] <bypasslan|23> processing INTERNAL_IP4_NBNS attribute
Oct 1 13:50:42 charon: 09[IKE] peer supports MOBIKE
Oct 1 13:50:42 charon: 09[IKE] <bypasslan|23> peer supports MOBIKE
Oct 1 13:50:42 charon: 09[IKE] got additional MOBIKE peer address: 172.17.0.1
Oct 1 13:50:42 charon: 09[IKE] <bypasslan|23> got additional MOBIKE peer address: 172.17.0.1
Oct 1 13:50:42 charon: 09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 1 13:50:42 charon: 09[ENC] <bypasslan|23> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 1 13:50:42 charon: 09[NET] sending packet: from 217.X.X.X[4500] to 193.X.X.X[46341] (80 bytes)
Oct 1 13:50:42 charon: 09[NET] <bypasslan|23> sending packet: from 217.X.X.X[4500] to 193.X.X.X[46341] (80 bytes)
Oct 1 13:50:42 charon: 09[IKE] IKE_SA bypasslan[23] state change: CONNECTING => DESTROYING
Oct 1 13:50:42 charon: 09[IKE] <bypasslan|23> IKE_SA bypasslan[23] state change: CONNECTING => DESTROYING
-
So, after trying a lot last weekend I finally have this working. As always, RTFM helps a lot.
One problem was that I used the server cert instead of the CA cert in the client, another problem was that I somehow put in 0.0.0.0/24 instead of 0.0.0.0/0 as described in the manual. In hindsight I really don't know what I was thinking.
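As an added example (not from this thread, strongSwan or pfSense), a small Python triage script that reads charon logs from both sides and correlates the client's "cert requests for an unknown ca" and pre-shared-key lines with the gateway's CERTREQ and "constraint requires public key authentication" lines, pointing at the CA-certificate fix the reply describes. The sample log lines are abridged from the ones quoted above; the rule keys and readings are constructed for this example.

```python
import re
# Constructed sample, abridged from the charon lines quoted in this thread.
CLIENT_LOG = """\
Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] received 1 cert requests for an unknown ca
Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] authentication of 'testkey' (myself) with pre-shared key
Oct 01 13:17:29 novac charon-nm[4597]: 08[IKE] received AUTHENTICATION_FAILED notify error
"""
SERVER_LOG = """\
Oct 1 13:50:42 charon: 09[IKE] sending cert request for "C=DE, O=example GmbH, CN=example-vpn-ca"
Oct 1 13:50:42 charon: 09[IKE] <23> sending cert request for "C=DE, O=example GmbH, CN=example-vpn-ca"
Oct 1 13:50:42 charon: 09[CFG] <bypasslan|23> selected peer config 'bypasslan'
Oct 1 13:50:42 charon: 09[IKE] <bypasslan|23> authentication of 'testkey' with pre-shared key successful
Oct 1 13:50:42 charon: 09[CFG] <bypasslan|23> constraint requires public key authentication, but pre-shared key was used
"""

# (key, regex over the bare charon message, reading); readings follow the thread's diagnosis.
RULES = [
    ("unknown_ca", re.compile(r"received \d+ cert requests? for an unknown ca"),
     "client does not trust the CA named in the gateway's CERTREQ"),
    ("certreq", re.compile(r'sending cert request for "([^"]+)"'), "{0}"),
    ("client_psk", re.compile(r"authentication of '([^']+)' \(myself\) with pre-shared key"),
     "client authenticates identity '{0}' with a pre-shared key"),
    ("needs_pubkey", re.compile(r"constraint requires public key authentication"),
     "peer config requires public key authentication"),
    ("peer_config", re.compile(r"selected peer config '([^']+)'$"), "{0}"),
]
# Strips the syslog prefix up to "NN[CAT] " and the "<id> " pfSense adds to its duplicate copy.
SYSLOG_PREFIX = re.compile(r"^.*?\d{2}\[[A-Z]{3}\] (?:<[^>]*> )?")

def diagnose(log_text):
    """Return {key: reading} for each rule that fires; duplicated lines collapse to one."""
    findings = {}
    for line in log_text.splitlines():
        msg = SYSLOG_PREFIX.sub("", line, count=1)
        for key, pattern, reading in RULES:
            m = pattern.search(msg)
            if m and key not in findings:
                findings[key] = reading.format(*m.groups())
    return findings

def explain_failure(client_log, server_log):
    """Correlate both sides and name the misconfigurations this thread ran into."""
    c, s = diagnose(client_log), diagnose(server_log)
    problems = []
    if "unknown_ca" in c and "certreq" in s:
        problems.append("CA mismatch: gateway asks for a cert from %s; install that CA "
                        "certificate (not the server certificate) on the client" % s["certreq"])
    if "client_psk" in c and "needs_pubkey" in s:
        problems.append("auth mismatch: %s, but peer config '%s' requires public key "
                        "authentication" % (c["client_psk"], s.get("peer_config", "?")))
    return problems
```

Run `explain_failure(CLIENT_LOG, SERVER_LOG)` on real logs by pasting the two sides in; the pfSense duplicate `<id>` copies are collapsed, so each finding is reported once.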