IPSec for mobile users not working with strongswan-nm



  • Hello,

    I'm currently trying to set up a roadwarrior-style VPN to connect to my router. Since I might want to use Windows to connect too, I wanted to use IPsec IKEv2.

    I used this tutorial: https://www.netgate.com/docs/pfsense/book/ipsec/mobile-ipsec-choices.html#ikev2-with-eap-mschapv2

    Unfortunately, this doesn't seem to work for me. My client is Linux with strongswan-nm installed and the full logs are at the end.

    I think it is a rather simple misconfiguration, but I can't find it. The client logs this shortly before the authentication failure:

    Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] received 1 cert requests for an unknown ca
    

    and the server logs this shortly thereafter:

    Oct 1 13:50:42 	charon: 09[CFG] constraint requires public key authentication, but pre-shared key was used
    

    Does anyone know more about this? Is it even possible that this is the problem, or do I have another problem?

    Thank you for your support.

    Client-Side:

    Oct 01 13:17:24 novac charon-nm[4597]: 04[CFG] using gateway certificate, identity 'C=DE, L=Example, O=Example GmbH, E=root@example.com, CN=rw.vpn.example.com'
    Oct 01 13:17:29 novac charon-nm[4597]: 04[IKE] initiating IKE_SA rw.vpn.example.com[25] to 217.X.X.X
    Oct 01 13:17:29 novac charon-nm[4597]: 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Oct 01 13:17:29 novac charon-nm[4597]: 04[NET] sending packet: from 10.21.247.45[48983] to 217.X.X.X[500] (336 bytes)
    Oct 01 13:17:29 novac NetworkManager[1046]: <info>  [1538392649.3122] vpn-connection[0x1d1faab0110,964ea3a0-5277-4d58-aa1a-cfdac1f13621,"rw.vpn.example.com",0]: VPN plugin: state changed: starting (3)
    Oct 01 13:17:29 novac charon-nm[4597]: 12[NET] received packet: from 217.X.X.X[500] to 10.21.247.45[48983] (363 bytes)
    Oct 01 13:17:29 novac charon-nm[4597]: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    Oct 01 13:17:29 novac charon-nm[4597]: 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] local host is behind NAT, sending keep alives
    Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] received 1 cert requests for an unknown ca
    Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] authentication of 'testkey' (myself) with pre-shared key
    Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] establishing CHILD_SA rw.vpn.example.com{22}
    Oct 01 13:17:29 novac charon-nm[4597]: 12[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    Oct 01 13:17:29 novac charon-nm[4597]: 12[NET] sending packet: from 10.21.247.45[46341] to 217.X.X.X[4500] (480 bytes)
    Oct 01 13:17:29 novac charon-nm[4597]: 08[NET] received packet: from 217.X.X.X[4500] to 10.21.247.45[46341] (80 bytes)
    Oct 01 13:17:29 novac charon-nm[4597]: 08[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Oct 01 13:17:29 novac charon-nm[4597]: 08[IKE] received AUTHENTICATION_FAILED notify error
    Oct 01 13:17:29 novac NetworkManager[1046]: <warn>  [1538392649.4250] vpn-connection[0x1d1faab0110,964ea3a0-5277-4d58-aa1a-cfdac1f13621,"rw.vpn.example.com",0]: VPN plugin: failed: connect-failed (1)
    Oct 01 13:17:29 novac NetworkManager[1046]: <warn>  [1538392649.4251] vpn-connection[0x1d1faab0110,964ea3a0-5277-4d58-aa1a-cfdac1f13621,"rw.vpn.example.com",0]: VPN plugin: failed: connect-failed (1)
    Oct 01 13:17:29 novac NetworkManager[1046]: <info>  [1538392649.4252] vpn-connection[0x1d1faab0110,964ea3a0-5277-4d58-aa1a-cfdac1f13621,"rw.vpn.example.com",0]: VPN plugin: state changed: stopping (5)
    Oct 01 13:17:29 novac NetworkManager[1046]: <info>  [1538392649.4253] vpn-connection[0x1d1faab0110,964ea3a0-5277-4d58-aa1a-cfdac1f13621,"rw.vpn.example.com",0]: VPN plugin: state changed: stopped (6)
    

    Server-Side:

    Oct 1 13:50:42 	charon: 09[NET] received packet: from 193.X.X.X[48983] to 217.X.X.X[500] (336 bytes)
    Oct 1 13:50:42 	charon: 09[NET] <23> received packet: from 193.X.X.X[48983] to 217.X.X.X[500] (336 bytes)
    Oct 1 13:50:42 	charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Oct 1 13:50:42 	charon: 09[ENC] <23> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Oct 1 13:50:42 	charon: 09[CFG] looking for an ike config for 217.X.X.X...193.X.X.X
    Oct 1 13:50:42 	charon: 09[CFG] <23> looking for an ike config for 217.X.X.X...193.X.X.X
    Oct 1 13:50:42 	charon: 09[CFG] candidate: %any...%any, prio 24
    Oct 1 13:50:42 	charon: 09[CFG] <23> candidate: %any...%any, prio 24
    Oct 1 13:50:42 	charon: 09[CFG] candidate: 217.X.X.X...%any, prio 1052
    Oct 1 13:50:42 	charon: 09[CFG] <23> candidate: 217.X.X.X...%any, prio 1052
    Oct 1 13:50:42 	charon: 09[CFG] found matching ike config: 217.X.X.X...%any with prio 1052
    Oct 1 13:50:42 	charon: 09[CFG] <23> found matching ike config: 217.X.X.X...%any with prio 1052
    Oct 1 13:50:42 	charon: 09[IKE] 193.X.X.X is initiating an IKE_SA
    Oct 1 13:50:42 	charon: 09[IKE] <23> 193.X.X.X is initiating an IKE_SA
    Oct 1 13:50:42 	charon: 09[IKE] IKE_SA (unnamed)[23] state change: CREATED => CONNECTING
    Oct 1 13:50:42 	charon: 09[IKE] <23> IKE_SA (unnamed)[23] state change: CREATED => CONNECTING
    Oct 1 13:50:42 	charon: 09[CFG] selecting proposal:
    Oct 1 13:50:42 	charon: 09[CFG] <23> selecting proposal:
    Oct 1 13:50:42 	charon: 09[CFG] proposal matches
    Oct 1 13:50:42 	charon: 09[CFG] <23> proposal matches
    Oct 1 13:50:42 	charon: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    Oct 1 13:50:42 	charon: 09[CFG] <23> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    Oct 1 13:50:42 	charon: 09[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    Oct 1 13:50:42 	charon: 09[CFG] <23> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    Oct 1 13:50:42 	charon: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    Oct 1 13:50:42 	charon: 09[CFG] <23> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    Oct 1 13:50:42 	charon: 09[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
    Oct 1 13:50:42 	charon: 09[CFG] <23> received supported signature hash algorithms: sha256 sha384 sha512 identity
    Oct 1 13:50:42 	charon: 09[IKE] remote host is behind NAT
    Oct 1 13:50:42 	charon: 09[IKE] <23> remote host is behind NAT
    Oct 1 13:50:42 	charon: 09[CFG] sending supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
    Oct 1 13:50:42 	charon: 09[CFG] <23> sending supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
    Oct 1 13:50:42 	charon: 09[IKE] sending cert request for "C=DE, ST=ST, L=example, O=example GmbH, E=root@example.com, CN=example-vpn-ca"
    Oct 1 13:50:42 	charon: 09[IKE] <23> sending cert request for "C=DE, ST=ST, L=example, O=example GmbH, E=root@example.com, CN=example-vpn-ca"
    Oct 1 13:50:42 	charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    Oct 1 13:50:42 	charon: 09[ENC] <23> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    Oct 1 13:50:42 	charon: 09[NET] sending packet: from 217.X.X.X[500] to 193.X.X.X[48983] (363 bytes)
    Oct 1 13:50:42 	charon: 09[NET] <23> sending packet: from 217.X.X.X[500] to 193.X.X.X[48983] (363 bytes)
    Oct 1 13:50:42 	charon: 09[NET] received packet: from 193.X.X.X[46341] to 217.X.X.X[4500] (480 bytes)
    Oct 1 13:50:42 	charon: 09[NET] <23> received packet: from 193.X.X.X[46341] to 217.X.X.X[4500] (480 bytes)
    Oct 1 13:50:42 	charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    Oct 1 13:50:42 	charon: 09[ENC] <23> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    Oct 1 13:50:42 	charon: 09[CFG] looking for peer configs matching 217.X.X.X[C=DE, ST=ST, L=example, O=example GmbH, E=root@example.com, CN=rw.vpn.example.com]...193.X.X.X[testkey]
    Oct 1 13:50:42 	charon: 09[CFG] <23> looking for peer configs matching 217.X.X.X[C=DE, ST=ST, L=example, O=example GmbH, E=root@example.com, CN=rw.vpn.example.com]...193.X.X.X[testkey]
    Oct 1 13:50:42 	charon: 09[CFG] candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Oct 1 13:50:42 	charon: 09[CFG] <23> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Oct 1 13:50:42 	charon: 09[CFG] selected peer config 'bypasslan'
    Oct 1 13:50:42 	charon: 09[CFG] <bypasslan|23> selected peer config 'bypasslan'
    Oct 1 13:50:42 	charon: 09[IKE] authentication of 'testkey' with pre-shared key successful
    Oct 1 13:50:42 	charon: 09[IKE] <bypasslan|23> authentication of 'testkey' with pre-shared key successful
    Oct 1 13:50:42 	charon: 09[CFG] constraint requires public key authentication, but pre-shared key was used
    Oct 1 13:50:42 	charon: 09[CFG] <bypasslan|23> constraint requires public key authentication, but pre-shared key was used
    Oct 1 13:50:42 	charon: 09[CFG] selected peer config 'bypasslan' inacceptable: non-matching authentication done
    Oct 1 13:50:42 	charon: 09[CFG] <bypasslan|23> selected peer config 'bypasslan' inacceptable: non-matching authentication done
    Oct 1 13:50:42 	charon: 09[CFG] no alternative config found
    Oct 1 13:50:42 	charon: 09[CFG] <bypasslan|23> no alternative config found
    Oct 1 13:50:42 	charon: 09[IKE] processing INTERNAL_IP4_ADDRESS attribute
    Oct 1 13:50:42 	charon: 09[IKE] <bypasslan|23> processing INTERNAL_IP4_ADDRESS attribute
    Oct 1 13:50:42 	charon: 09[IKE] processing INTERNAL_IP4_DNS attribute
    Oct 1 13:50:42 	charon: 09[IKE] <bypasslan|23> processing INTERNAL_IP4_DNS attribute
    Oct 1 13:50:42 	charon: 09[IKE] processing INTERNAL_IP4_NBNS attribute
    Oct 1 13:50:42 	charon: 09[IKE] <bypasslan|23> processing INTERNAL_IP4_NBNS attribute
    Oct 1 13:50:42 	charon: 09[IKE] peer supports MOBIKE
    Oct 1 13:50:42 	charon: 09[IKE] <bypasslan|23> peer supports MOBIKE
    Oct 1 13:50:42 	charon: 09[IKE] got additional MOBIKE peer address: 172.17.0.1
    Oct 1 13:50:42 	charon: 09[IKE] <bypasslan|23> got additional MOBIKE peer address: 172.17.0.1
    Oct 1 13:50:42 	charon: 09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Oct 1 13:50:42 	charon: 09[ENC] <bypasslan|23> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Oct 1 13:50:42 	charon: 09[NET] sending packet: from 217.X.X.X[4500] to 193.X.X.X[46341] (80 bytes)
    Oct 1 13:50:42 	charon: 09[NET] <bypasslan|23> sending packet: from 217.X.X.X[4500] to 193.X.X.X[46341] (80 bytes)
    Oct 1 13:50:42 	charon: 09[IKE] IKE_SA bypasslan[23] state change: CONNECTING => DESTROYING
    Oct 1 13:50:42 	charon: 09[IKE] <bypasslan|23> IKE_SA bypasslan[23] state change: CONNECTING => DESTROYING
    
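The two log excerpts above contain the whole diagnosis in three lines: the server sends a CERTREQ for its CA, the client answers "unknown ca" (it has no trusted CA matching that DN) and then authenticates itself with a pre-shared key, and the server rejects that because the selected peer config demands public-key authentication. The script below is an added example, not part of the original post or of pfSense/strongSwan: it parses charon log lines in both the `charon-nm[pid]:` (NetworkManager client) and pfSense `charon:` forms, including the `<23>` / `<bypasslan|23>` IKE_SA prefix, and classifies the failure. The embedded log samples are constructed (abridged from the thread) so it runs offline; the verdict strings and the `triage`/`explain` helpers are this example's own naming.

```python
"""Triage charon (strongSwan) IKEv2 logs for the authentication-method mismatch seen above.

Added example; not part of the original thread. The log snippets below are
constructed (abridged from the posted logs) so that the script runs offline.
"""
import re

# Constructed sample: client side, as logged by charon-nm (NetworkManager plugin).
CLIENT_LOG = """\
Oct 01 13:17:29 novac charon-nm[4597]: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] received 1 cert requests for an unknown ca
Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] authentication of 'testkey' (myself) with pre-shared key
Oct 01 13:17:29 novac charon-nm[4597]: 08[IKE] received AUTHENTICATION_FAILED notify error
"""

# Constructed sample: server side. pfSense logs each charon line twice, once with and
# once without the <name|id> IKE_SA prefix; the parser accepts both forms.
SERVER_LOG = """\
Oct 1 13:50:42 \tcharon: 09[IKE] sending cert request for "C=DE, ST=ST, L=example, O=example GmbH, E=root@example.com, CN=example-vpn-ca"
Oct 1 13:50:42 \tcharon: 09[IKE] <23> sending cert request for "C=DE, ST=ST, L=example, O=example GmbH, E=root@example.com, CN=example-vpn-ca"
Oct 1 13:50:42 \tcharon: 09[CFG] <23> selected peer config 'bypasslan'
Oct 1 13:50:42 \tcharon: 09[IKE] <bypasslan|23> authentication of 'testkey' with pre-shared key successful
Oct 1 13:50:42 \tcharon: 09[CFG] <bypasslan|23> constraint requires public key authentication, but pre-shared key was used
Oct 1 13:50:42 \tcharon: 09[CFG] <bypasslan|23> selected peer config 'bypasslan' inacceptable: non-matching authentication done
"""

# Matches "charon-nm[4597]: 12[IKE] msg" and "charon: 09[CFG] <bypasslan|23> msg".
LINE_RE = re.compile(
    r"charon(?:-nm\[\d+\])?:\s+(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\]\s+"
    r"(?:<(?P<sa>[^>]*)>\s+)?(?P<msg>.*)$"
)

PUBKEY_CONSTRAINT = "constraint requires public key authentication, but pre-shared key was used"


def parse_charon(text):
    """Return a list of (subsystem, message) tuples; lines that are not charon output are skipped."""
    parsed = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            parsed.append((m.group("subsys"), m.group("msg").strip()))
    return parsed


def triage(client_text, server_text):
    """Collect the evidence from both sides and return it together with a verdict."""
    client = [msg for _, msg in parse_charon(client_text)]
    server = [msg for _, msg in parse_charon(server_text)]
    ev = {
        "client_unknown_ca": any("cert requests for an unknown ca" in m for m in client),
        "client_identity": None,
        "client_auth_method": None,
        "server_certreq_ca": None,
        "server_requires_pubkey": any(PUBKEY_CONSTRAINT in m for m in server),
        "auth_failed": any("AUTHENTICATION_FAILED" in m for m in client)
        or any("N(AUTH_FAILED)" in m for m in server),
    }
    for m in client:  # how the client authenticated itself, and as whom
        mm = re.match(r"authentication of '([^']+)' \(myself\) with (.+)$", m)
        if mm:
            ev["client_identity"], ev["client_auth_method"] = mm.group(1), mm.group(2)
    for m in server:  # the CA the gateway asked the client to present a cert from
        mm = re.match(r'sending cert request for "([^"]+)"', m)
        if mm:
            ev["server_certreq_ca"] = mm.group(1)
    if ev["server_requires_pubkey"] and ev["client_auth_method"] == "pre-shared key":
        ev["verdict"] = "auth-method-mismatch"
    elif ev["auth_failed"]:
        ev["verdict"] = "auth-failed-other"
    else:
        ev["verdict"] = "no-auth-failure"
    return ev


def explain(ev):
    """Turn the evidence into the checks a practitioner would make next."""
    hints = []
    if ev["verdict"] == "auth-method-mismatch":
        hints.append("client '%s' authenticated with a pre-shared key, but the selected server "
                     "peer config only accepts public-key (certificate) authentication"
                     % ev["client_identity"])
    if ev["client_unknown_ca"] and ev["server_certreq_ca"]:
        hints.append("client has no trusted CA matching '%s': install that CA certificate "
                     "on the client (the gateway's own certificate is not a substitute)"
                     % ev["server_certreq_ca"])
    return hints


if __name__ == "__main__":
    evidence = triage(CLIENT_LOG, SERVER_LOG)
    print(evidence["verdict"])
    for hint in explain(evidence):
        print(" -", hint)
```

Run it against the full logs from the post by reading the two files into `CLIENT_LOG` and `SERVER_LOG`; the doubled pfSense lines do not matter because every check is an `any()` over the parsed messages rather than a count.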


  • So, after trying a lot last weekend I finally have this working. As always, RTFM helps a lot.

    One problem was that I used the server cert instead of the CA cert in the client; another was that I somehow put in 0.0.0.0/24 instead of 0.0.0.0/0 as described in the manual. In hindsight I really don't know what I was thinking.