4. IPSec for mobile users not working with strongswan-nm

IPSec for mobile users not working with strongswan-nm

  • M

    Hello,

    I'm currently trying to set up a roadwarrior style VPN to connect to to my router. Since I might want to use Windows to connect too, I wanted to use IPSec IKEv2.

    I used this tutorial: https://www.netgate.com/docs/pfsense/book/ipsec/mobile-ipsec-choices.html#ikev2-with-eap-mschapv2

    Unfortunately, this doesn't seem to work for me. My client is Linux with strongswan-nm installed and the full logs are at the end.

    I think it is a rather simple misconfiguration, but I can't find it. The client logs shortly before the authentication failure

    Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] received 1 cert requests for an unknown ca

    and the Server shortly thereafter:

    Oct 1 13:50:42 	charon: 09[CFG] constraint requires public key authentication, but pre-shared key was used

    does anyone know more about this? is it even possible this is the problem or do I have another problem?

    Thank you for your Support.

    Client-Side:

    Oct 01 13:17:24 novac charon-nm[4597]: 04[CFG] using gateway certificate, identity 'C=DE, L=Example, O=Example GmbH, E=root@example.com, CN=rw.vpn.example.com'
Oct 01 13:17:29 novac charon-nm[4597]: 04[IKE] initiating IKE_SA rw.vpn.example.com[25] to 217.X.X.X
Oct 01 13:17:29 novac charon-nm[4597]: 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 01 13:17:29 novac charon-nm[4597]: 04[NET] sending packet: from 10.21.247.45[48983] to 217.X.X.X[500] (336 bytes)
Oct 01 13:17:29 novac NetworkManager[1046]: <info>  [1538392649.3122] vpn-connection[0x1d1faab0110,964ea3a0-5277-4d58-aa1a-cfdac1f13621,"rw.vpn.example.com",0]: VPN plugin: state changed: starting (3)
Oct 01 13:17:29 novac charon-nm[4597]: 12[NET] received packet: from 217.X.X.X[500] to 10.21.247.45[48983] (363 bytes)
Oct 01 13:17:29 novac charon-nm[4597]: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Oct 01 13:17:29 novac charon-nm[4597]: 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] local host is behind NAT, sending keep alives
Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] received 1 cert requests for an unknown ca
Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] authentication of 'testkey' (myself) with pre-shared key
Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] establishing CHILD_SA rw.vpn.example.com{22}
Oct 01 13:17:29 novac charon-nm[4597]: 12[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Oct 01 13:17:29 novac charon-nm[4597]: 12[NET] sending packet: from 10.21.247.45[46341] to 217.X.X.X[4500] (480 bytes)
Oct 01 13:17:29 novac charon-nm[4597]: 08[NET] received packet: from 217.X.X.X[4500] to 10.21.247.45[46341] (80 bytes)
Oct 01 13:17:29 novac charon-nm[4597]: 08[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 01 13:17:29 novac charon-nm[4597]: 08[IKE] received AUTHENTICATION_FAILED notify error
Oct 01 13:17:29 novac NetworkManager[1046]: <warn>  [1538392649.4250] vpn-connection[0x1d1faab0110,964ea3a0-5277-4d58-aa1a-cfdac1f13621,"rw.vpn.example.com",0]: VPN plugin: failed: connect-failed (1)
Oct 01 13:17:29 novac NetworkManager[1046]: <warn>  [1538392649.4251] vpn-connection[0x1d1faab0110,964ea3a0-5277-4d58-aa1a-cfdac1f13621,"rw.vpn.example.com",0]: VPN plugin: failed: connect-failed (1)
Oct 01 13:17:29 novac NetworkManager[1046]: <info>  [1538392649.4252] vpn-connection[0x1d1faab0110,964ea3a0-5277-4d58-aa1a-cfdac1f13621,"rw.vpn.example.com",0]: VPN plugin: state changed: stopping (5)
Oct 01 13:17:29 novac NetworkManager[1046]: <info>  [1538392649.4253] vpn-connection[0x1d1faab0110,964ea3a0-5277-4d58-aa1a-cfdac1f13621,"rw.vpn.example.com",0]: VPN plugin: state changed: stopped (6)

    Server-Side:

    Oct 1 13:50:42 	charon: 09[NET] received packet: from 193.X.X.X[48983] to 217.X.X.X[500] (336 bytes)
Oct 1 13:50:42 	charon: 09[NET] <23> received packet: from 193.X.X.X[48983] to 217.X.X.X[500] (336 bytes)
Oct 1 13:50:42 	charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 1 13:50:42 	charon: 09[ENC] <23> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 1 13:50:42 	charon: 09[CFG] looking for an ike config for 217.X.X.X...193.X.X.X
Oct 1 13:50:42 	charon: 09[CFG] <23> looking for an ike config for 217.X.X.X...193.X.X.X
Oct 1 13:50:42 	charon: 09[CFG] candidate: %any...%any, prio 24
Oct 1 13:50:42 	charon: 09[CFG] <23> candidate: %any...%any, prio 24
Oct 1 13:50:42 	charon: 09[CFG] candidate: 217.X.X.X...%any, prio 1052
Oct 1 13:50:42 	charon: 09[CFG] <23> candidate: 217.X.X.X...%any, prio 1052
Oct 1 13:50:42 	charon: 09[CFG] found matching ike config: 217.X.X.X...%any with prio 1052
Oct 1 13:50:42 	charon: 09[CFG] <23> found matching ike config: 217.X.X.X...%any with prio 1052
Oct 1 13:50:42 	charon: 09[IKE] 193.X.X.X is initiating an IKE_SA
Oct 1 13:50:42 	charon: 09[IKE] <23> 193.X.X.X is initiating an IKE_SA
Oct 1 13:50:42 	charon: 09[IKE] IKE_SA (unnamed)[23] state change: CREATED => CONNECTING
Oct 1 13:50:42 	charon: 09[IKE] <23> IKE_SA (unnamed)[23] state change: CREATED => CONNECTING
Oct 1 13:50:42 	charon: 09[CFG] selecting proposal:
Oct 1 13:50:42 	charon: 09[CFG] <23> selecting proposal:
Oct 1 13:50:42 	charon: 09[CFG] proposal matches
Oct 1 13:50:42 	charon: 09[CFG] <23> proposal matches
Oct 1 13:50:42 	charon: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Oct 1 13:50:42 	charon: 09[CFG] <23> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Oct 1 13:50:42 	charon: 09[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Oct 1 13:50:42 	charon: 09[CFG] <23> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Oct 1 13:50:42 	charon: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Oct 1 13:50:42 	charon: 09[CFG] <23> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Oct 1 13:50:42 	charon: 09[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
Oct 1 13:50:42 	charon: 09[CFG] <23> received supported signature hash algorithms: sha256 sha384 sha512 identity
Oct 1 13:50:42 	charon: 09[IKE] remote host is behind NAT
Oct 1 13:50:42 	charon: 09[IKE] <23> remote host is behind NAT
Oct 1 13:50:42 	charon: 09[CFG] sending supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
Oct 1 13:50:42 	charon: 09[CFG] <23> sending supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
Oct 1 13:50:42 	charon: 09[IKE] sending cert request for "C=DE, ST=ST, L=example, O=example GmbH, E=root@example.com, CN=example-vpn-ca"
Oct 1 13:50:42 	charon: 09[IKE] <23> sending cert request for "C=DE, ST=ST, L=example, O=example GmbH, E=root@example.com, CN=example-vpn-ca"
Oct 1 13:50:42 	charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Oct 1 13:50:42 	charon: 09[ENC] <23> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Oct 1 13:50:42 	charon: 09[NET] sending packet: from 217.X.X.X[500] to 193.X.X.X[48983] (363 bytes)
Oct 1 13:50:42 	charon: 09[NET] <23> sending packet: from 217.X.X.X[500] to 193.X.X.X[48983] (363 bytes)
Oct 1 13:50:42 	charon: 09[NET] received packet: from 193.X.X.X[46341] to 217.X.X.X[4500] (480 bytes)
Oct 1 13:50:42 	charon: 09[NET] <23> received packet: from 193.X.X.X[46341] to 217.X.X.X[4500] (480 bytes)
Oct 1 13:50:42 	charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Oct 1 13:50:42 	charon: 09[ENC] <23> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Oct 1 13:50:42 	charon: 09[CFG] looking for peer configs matching 217.X.X.X[C=DE, ST=ST, L=example, O=example GmbH, E=root@example.com, CN=rw.vpn.example.com]...193.X.X.X[testkey]
Oct 1 13:50:42 	charon: 09[CFG] <23> looking for peer configs matching 217.X.X.X[C=DE, ST=ST, L=example, O=example GmbH, E=root@example.com, CN=rw.vpn.example.com]...193.X.X.X[testkey]
Oct 1 13:50:42 	charon: 09[CFG] candidate "bypasslan", match: 1/1/24 (me/other/ike)
Oct 1 13:50:42 	charon: 09[CFG] <23> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Oct 1 13:50:42 	charon: 09[CFG] selected peer config 'bypasslan'
Oct 1 13:50:42 	charon: 09[CFG] <bypasslan|23> selected peer config 'bypasslan'
Oct 1 13:50:42 	charon: 09[IKE] authentication of 'testkey' with pre-shared key successful
Oct 1 13:50:42 	charon: 09[IKE] <bypasslan|23> authentication of 'testkey' with pre-shared key successful
Oct 1 13:50:42 	charon: 09[CFG] constraint requires public key authentication, but pre-shared key was used
Oct 1 13:50:42 	charon: 09[CFG] <bypasslan|23> constraint requires public key authentication, but pre-shared key was used
Oct 1 13:50:42 	charon: 09[CFG] selected peer config 'bypasslan' inacceptable: non-matching authentication done
Oct 1 13:50:42 	charon: 09[CFG] <bypasslan|23> selected peer config 'bypasslan' inacceptable: non-matching authentication done
Oct 1 13:50:42 	charon: 09[CFG] no alternative config found
Oct 1 13:50:42 	charon: 09[CFG] <bypasslan|23> no alternative config found
Oct 1 13:50:42 	charon: 09[IKE] processing INTERNAL_IP4_ADDRESS attribute
Oct 1 13:50:42 	charon: 09[IKE] <bypasslan|23> processing INTERNAL_IP4_ADDRESS attribute
Oct 1 13:50:42 	charon: 09[IKE] processing INTERNAL_IP4_DNS attribute
Oct 1 13:50:42 	charon: 09[IKE] <bypasslan|23> processing INTERNAL_IP4_DNS attribute
Oct 1 13:50:42 	charon: 09[IKE] processing INTERNAL_IP4_NBNS attribute
Oct 1 13:50:42 	charon: 09[IKE] <bypasslan|23> processing INTERNAL_IP4_NBNS attribute
Oct 1 13:50:42 	charon: 09[IKE] peer supports MOBIKE
Oct 1 13:50:42 	charon: 09[IKE] <bypasslan|23> peer supports MOBIKE
Oct 1 13:50:42 	charon: 09[IKE] got additional MOBIKE peer address: 172.17.0.1
Oct 1 13:50:42 	charon: 09[IKE] <bypasslan|23> got additional MOBIKE peer address: 172.17.0.1
Oct 1 13:50:42 	charon: 09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 1 13:50:42 	charon: 09[ENC] <bypasslan|23> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 1 13:50:42 	charon: 09[NET] sending packet: from 217.X.X.X[4500] to 193.X.X.X[46341] (80 bytes)
Oct 1 13:50:42 	charon: 09[NET] <bypasslan|23> sending packet: from 217.X.X.X[4500] to 193.X.X.X[46341] (80 bytes)
Oct 1 13:50:42 	charon: 09[IKE] IKE_SA bypasslan[23] state change: CONNECTING => DESTROYING
Oct 1 13:50:42 	charon: 09[IKE] <bypasslan|23> IKE_SA bypasslan[23] state change: CONNECTING => DESTROYING
    0
  • M

    So, after trying a lot last weekend I finally have this working. As always, RTFM helps a lot.

    One problem was that I used the server cert instead of the CA cert in the client, another problem was that I somehow put in 0.0.0.0/24 instead of 0.0.0.0/0 as described in the manual. In hindsight I really don't know what I was thinking.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy