StartSSL certificate for IKEv2 with EAP-MSCHAPv2
-
Hello,
at the moment I'm using a self-signed server certificate for IKEv2 and would like to switch to an OV StartSSL certificate.
Somehow this doesn't work, there's always the error "peer requested EAP, config inacceptable". When connecting with OS X 10.11.4 (log reversed):
Apr 7 00:22:40 charon: 12[NET] <bypasslan|319> sending packet: from 185.0.0.221[4500] to 91.0.0.237[12680] (80 bytes)
Apr 7 00:22:40 charon: 12[NET] sending packet: from 185.0.0.221[4500] to 91.0.0.237[12680] (80 bytes)
Apr 7 00:22:40 charon: 12[ENC] <bypasslan|319> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 7 00:22:40 charon: 12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 7 00:22:40 charon: 12[IKE] <bypasslan|319> peer supports MOBIKE
Apr 7 00:22:40 charon: 12[IKE] peer supports MOBIKE
Apr 7 00:22:40 charon: 12[IKE] <bypasslan|319> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 7 00:22:40 charon: 12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 7 00:22:40 charon: 12[CFG] <bypasslan|319> no alternative config found
Apr 7 00:22:40 charon: 12[CFG] no alternative config found
Apr 7 00:22:40 charon: 12[IKE] <bypasslan|319> peer requested EAP, config inacceptable
Apr 7 00:22:40 charon: 12[IKE] peer requested EAP, config inacceptable
Apr 7 00:22:40 charon: 12[CFG] <bypasslan|319> selected peer config 'bypasslan'
Apr 7 00:22:40 charon: 12[CFG] selected peer config 'bypasslan'
Apr 7 00:22:40 charon: 12[CFG] <319> looking for peer configs matching 185.0.0.221[something.ppoe.at]...91.0.0.237[10.5.0.238]
Apr 7 00:22:40 charon: 12[CFG] looking for peer configs matching 185.0.0.221[something.ppoe.at]...91.0.0.237[10.5.0.238]
Apr 7 00:22:40 charon: 12[ENC] <319> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Apr 7 00:22:40 charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Apr 7 00:22:40 charon: 12[NET] <319> received packet: from 91.0.0.237[12680] to 185.0.0.221[4500] (336 bytes)
Apr 7 00:22:40 charon: 12[NET] received packet: from 91.0.0.237[12680] to 185.0.0.221[4500] (336 bytes)
Apr 7 00:22:40 charon: 05[NET] <319> sending packet: from 185.0.0.221[500] to 91.0.0.237[500] (320 bytes)
Apr 7 00:22:40 charon: 05[NET] sending packet: from 185.0.0.221[500] to 91.0.0.237[500] (320 bytes)
Apr 7 00:22:40 charon: 05[ENC] <319> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Apr 7 00:22:40 charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Apr 7 00:22:40 charon: 05[IKE] <319> remote host is behind NAT
Apr 7 00:22:40 charon: 05[IKE] remote host is behind NAT
Apr 7 00:22:40 charon: 05[IKE] <319> local host is behind NAT, sending keep alives
Apr 7 00:22:40 charon: 05[IKE] local host is behind NAT, sending keep alives
Apr 7 00:22:40 charon: 05[IKE] <319> 91.0.0.237 is initiating an IKE_SA
Apr 7 00:22:40 charon: 05[IKE] 91.0.0.237 is initiating an IKE_SA
Apr 7 00:22:40 charon: 05[ENC] <319> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Apr 7 00:22:40 charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Apr 7 00:22:40 charon: 05[NET] <319> received packet: from 91.0.0.237[500] to 185.0.0.221[500] (304 bytes)
Apr 7 00:22:40 charon: 05[NET] received packet: from 91.0.0.237[500] to 185.0.0.221[500] (304 bytes)
The pfSense FQDN is in the SAN of the SSL certificate, the certificate is the same as here: https://ppoe.at
What am I doing wrong?
-
Lots of problems with that cert for IKEv2…
- It's not marked as a server cert
- Missing EKU for TLS Web Server Authentication and 1.3.6.1.5.5.8.2.2
- IP address is not in the SAN list
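The three points in this reply can be verified with OpenSSL before a certificate is imported into pfSense. The script below is an added example, not pfSense or strongSwan code; the certificate path, FQDN and IP address are placeholders to replace with your own.

```shell
#!/bin/sh
# check_ikev2_cert: test a PEM certificate against the requirements an IKEv2
# server certificate must meet (added example, not pfSense/strongSwan code):
#   - the serverAuth EKU, i.e. the certificate is usable as a server cert
#   - the IKE Intermediate EKU, OID 1.3.6.1.5.5.8.2.2
#   - the FQDN and the public IP both present in the subjectAltName
# Usage: check_ikev2_cert cert.pem vpn.example.com 203.0.113.1   (placeholders)
# Returns 0 only when every check passes, 2 if the file cannot be parsed.
check_ikev2_cert() {
  cert="$1"; fqdn="$2"; ip="$3"; fail=0
  text=$(openssl x509 -in "$cert" -noout -text) || return 2

  # openssl -text prints an extension's name on one line and its value on the next
  eku=$(printf '%s\n' "$text" | awk '/Extended Key Usage/ { getline; print }')
  san=$(printf '%s\n' "$text" | awk '/Subject Alternative Name/ { getline; print }')
  # escape dots so the FQDN/IP are matched literally, and anchor at an entry boundary
  fqdn_re=$(printf '%s' "$fqdn" | sed 's/\./\\./g')
  ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')

  if printf '%s' "$eku" | grep -q 'TLS Web Server Authentication'; then
    echo "ok:   EKU serverAuth present"
  else
    echo "FAIL: EKU serverAuth missing"; fail=1
  fi
  # OpenSSL normally prints this OID numerically; accept a symbolic name as well
  if printf '%s' "$eku" | grep -qiE '1\.3\.6\.1\.5\.5\.8\.2\.2|ike ?intermediate'; then
    echo "ok:   EKU IKE Intermediate (1.3.6.1.5.5.8.2.2) present"
  else
    echo "FAIL: EKU IKE Intermediate (1.3.6.1.5.5.8.2.2) missing"; fail=1
  fi
  if printf '%s' "$san" | grep -qE "DNS:$fqdn_re(,|\$)"; then
    echo "ok:   SAN contains DNS:$fqdn"
  else
    echo "FAIL: SAN lacks DNS:$fqdn"; fail=1
  fi
  if printf '%s' "$san" | grep -qE "IP Address:$ip_re(,|\$)"; then
    echo "ok:   SAN contains IP Address:$ip"
  else
    echo "FAIL: SAN lacks IP Address:$ip"; fail=1
  fi
  return $fail
}
```

A web-server certificate such as the one in the question typically passes the first check and fails the remaining ones, which is exactly the mismatch strongSwan reports as a rejected config.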