Netgate Discussion Forum
    IPSec for mobile users not working with strongswan-nm

    milchi wrote:

      Hello,

      I'm currently trying to set up a roadwarrior style VPN to connect to my router. Since I might want to use Windows to connect too, I wanted to use IPSec IKEv2.

      I used this tutorial: https://www.netgate.com/docs/pfsense/book/ipsec/mobile-ipsec-choices.html#ikev2-with-eap-mschapv2

      Unfortunately, this doesn't seem to work for me. My client is Linux with strongswan-nm installed and the full logs are at the end.

      I think it is a rather simple misconfiguration, but I can't find it. The client logs shortly before the authentication failure

      Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] received 1 cert requests for an unknown ca
      

      and the Server shortly thereafter:

      Oct 1 13:50:42 	charon: 09[CFG] constraint requires public key authentication, but pre-shared key was used
      

      Does anyone know more about this? Is it even possible this is the problem, or do I have another problem?

      Thank you for your support.

      Client-Side:

      Oct 01 13:17:24 novac charon-nm[4597]: 04[CFG] using gateway certificate, identity 'C=DE, L=Example, O=Example GmbH, E=root@example.com, CN=rw.vpn.example.com'
      Oct 01 13:17:29 novac charon-nm[4597]: 04[IKE] initiating IKE_SA rw.vpn.example.com[25] to 217.X.X.X
      Oct 01 13:17:29 novac charon-nm[4597]: 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Oct 01 13:17:29 novac charon-nm[4597]: 04[NET] sending packet: from 10.21.247.45[48983] to 217.X.X.X[500] (336 bytes)
      Oct 01 13:17:29 novac NetworkManager[1046]: <info>  [1538392649.3122] vpn-connection[0x1d1faab0110,964ea3a0-5277-4d58-aa1a-cfdac1f13621,"rw.vpn.example.com",0]: VPN plugin: state changed: starting (3)
      Oct 01 13:17:29 novac charon-nm[4597]: 12[NET] received packet: from 217.X.X.X[500] to 10.21.247.45[48983] (363 bytes)
      Oct 01 13:17:29 novac charon-nm[4597]: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
      Oct 01 13:17:29 novac charon-nm[4597]: 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
      Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] local host is behind NAT, sending keep alives
      Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] received 1 cert requests for an unknown ca
      Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] authentication of 'testkey' (myself) with pre-shared key
      Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] establishing CHILD_SA rw.vpn.example.com{22}
      Oct 01 13:17:29 novac charon-nm[4597]: 12[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      Oct 01 13:17:29 novac charon-nm[4597]: 12[NET] sending packet: from 10.21.247.45[46341] to 217.X.X.X[4500] (480 bytes)
      Oct 01 13:17:29 novac charon-nm[4597]: 08[NET] received packet: from 217.X.X.X[4500] to 10.21.247.45[46341] (80 bytes)
      Oct 01 13:17:29 novac charon-nm[4597]: 08[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Oct 01 13:17:29 novac charon-nm[4597]: 08[IKE] received AUTHENTICATION_FAILED notify error
      Oct 01 13:17:29 novac NetworkManager[1046]: <warn>  [1538392649.4250] vpn-connection[0x1d1faab0110,964ea3a0-5277-4d58-aa1a-cfdac1f13621,"rw.vpn.example.com",0]: VPN plugin: failed: connect-failed (1)
      Oct 01 13:17:29 novac NetworkManager[1046]: <warn>  [1538392649.4251] vpn-connection[0x1d1faab0110,964ea3a0-5277-4d58-aa1a-cfdac1f13621,"rw.vpn.example.com",0]: VPN plugin: failed: connect-failed (1)
      Oct 01 13:17:29 novac NetworkManager[1046]: <info>  [1538392649.4252] vpn-connection[0x1d1faab0110,964ea3a0-5277-4d58-aa1a-cfdac1f13621,"rw.vpn.example.com",0]: VPN plugin: state changed: stopping (5)
      Oct 01 13:17:29 novac NetworkManager[1046]: <info>  [1538392649.4253] vpn-connection[0x1d1faab0110,964ea3a0-5277-4d58-aa1a-cfdac1f13621,"rw.vpn.example.com",0]: VPN plugin: state changed: stopped (6)
      

      Server-Side:

      Oct 1 13:50:42 	charon: 09[NET] received packet: from 193.X.X.X[48983] to 217.X.X.X[500] (336 bytes)
      Oct 1 13:50:42 	charon: 09[NET] <23> received packet: from 193.X.X.X[48983] to 217.X.X.X[500] (336 bytes)
      Oct 1 13:50:42 	charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Oct 1 13:50:42 	charon: 09[ENC] <23> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Oct 1 13:50:42 	charon: 09[CFG] looking for an ike config for 217.X.X.X...193.X.X.X
      Oct 1 13:50:42 	charon: 09[CFG] <23> looking for an ike config for 217.X.X.X...193.X.X.X
      Oct 1 13:50:42 	charon: 09[CFG] candidate: %any...%any, prio 24
      Oct 1 13:50:42 	charon: 09[CFG] <23> candidate: %any...%any, prio 24
      Oct 1 13:50:42 	charon: 09[CFG] candidate: 217.X.X.X...%any, prio 1052
      Oct 1 13:50:42 	charon: 09[CFG] <23> candidate: 217.X.X.X...%any, prio 1052
      Oct 1 13:50:42 	charon: 09[CFG] found matching ike config: 217.X.X.X...%any with prio 1052
      Oct 1 13:50:42 	charon: 09[CFG] <23> found matching ike config: 217.X.X.X...%any with prio 1052
      Oct 1 13:50:42 	charon: 09[IKE] 193.X.X.X is initiating an IKE_SA
      Oct 1 13:50:42 	charon: 09[IKE] <23> 193.X.X.X is initiating an IKE_SA
      Oct 1 13:50:42 	charon: 09[IKE] IKE_SA (unnamed)[23] state change: CREATED => CONNECTING
      Oct 1 13:50:42 	charon: 09[IKE] <23> IKE_SA (unnamed)[23] state change: CREATED => CONNECTING
      Oct 1 13:50:42 	charon: 09[CFG] selecting proposal:
      Oct 1 13:50:42 	charon: 09[CFG] <23> selecting proposal:
      Oct 1 13:50:42 	charon: 09[CFG] proposal matches
      Oct 1 13:50:42 	charon: 09[CFG] <23> proposal matches
      Oct 1 13:50:42 	charon: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
      Oct 1 13:50:42 	charon: 09[CFG] <23> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
      Oct 1 13:50:42 	charon: 09[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
      Oct 1 13:50:42 	charon: 09[CFG] <23> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
      Oct 1 13:50:42 	charon: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
      Oct 1 13:50:42 	charon: 09[CFG] <23> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
      Oct 1 13:50:42 	charon: 09[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
      Oct 1 13:50:42 	charon: 09[CFG] <23> received supported signature hash algorithms: sha256 sha384 sha512 identity
      Oct 1 13:50:42 	charon: 09[IKE] remote host is behind NAT
      Oct 1 13:50:42 	charon: 09[IKE] <23> remote host is behind NAT
      Oct 1 13:50:42 	charon: 09[CFG] sending supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
      Oct 1 13:50:42 	charon: 09[CFG] <23> sending supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
      Oct 1 13:50:42 	charon: 09[IKE] sending cert request for "C=DE, ST=ST, L=example, O=example GmbH, E=root@example.com, CN=example-vpn-ca"
      Oct 1 13:50:42 	charon: 09[IKE] <23> sending cert request for "C=DE, ST=ST, L=example, O=example GmbH, E=root@example.com, CN=example-vpn-ca"
      Oct 1 13:50:42 	charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
      Oct 1 13:50:42 	charon: 09[ENC] <23> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
      Oct 1 13:50:42 	charon: 09[NET] sending packet: from 217.X.X.X[500] to 193.X.X.X[48983] (363 bytes)
      Oct 1 13:50:42 	charon: 09[NET] <23> sending packet: from 217.X.X.X[500] to 193.X.X.X[48983] (363 bytes)
      Oct 1 13:50:42 	charon: 09[NET] received packet: from 193.X.X.X[46341] to 217.X.X.X[4500] (480 bytes)
      Oct 1 13:50:42 	charon: 09[NET] <23> received packet: from 193.X.X.X[46341] to 217.X.X.X[4500] (480 bytes)
      Oct 1 13:50:42 	charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      Oct 1 13:50:42 	charon: 09[ENC] <23> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      Oct 1 13:50:42 	charon: 09[CFG] looking for peer configs matching 217.X.X.X[C=DE, ST=ST, L=example, O=example GmbH, E=root@example.com, CN=rw.vpn.example.com]...193.X.X.X[testkey]
      Oct 1 13:50:42 	charon: 09[CFG] <23> looking for peer configs matching 217.X.X.X[C=DE, ST=ST, L=example, O=example GmbH, E=root@example.com, CN=rw.vpn.example.com]...193.X.X.X[testkey]
      Oct 1 13:50:42 	charon: 09[CFG] candidate "bypasslan", match: 1/1/24 (me/other/ike)
      Oct 1 13:50:42 	charon: 09[CFG] <23> candidate "bypasslan", match: 1/1/24 (me/other/ike)
      Oct 1 13:50:42 	charon: 09[CFG] selected peer config 'bypasslan'
      Oct 1 13:50:42 	charon: 09[CFG] <bypasslan|23> selected peer config 'bypasslan'
      Oct 1 13:50:42 	charon: 09[IKE] authentication of 'testkey' with pre-shared key successful
      Oct 1 13:50:42 	charon: 09[IKE] <bypasslan|23> authentication of 'testkey' with pre-shared key successful
      Oct 1 13:50:42 	charon: 09[CFG] constraint requires public key authentication, but pre-shared key was used
      Oct 1 13:50:42 	charon: 09[CFG] <bypasslan|23> constraint requires public key authentication, but pre-shared key was used
      Oct 1 13:50:42 	charon: 09[CFG] selected peer config 'bypasslan' inacceptable: non-matching authentication done
      Oct 1 13:50:42 	charon: 09[CFG] <bypasslan|23> selected peer config 'bypasslan' inacceptable: non-matching authentication done
      Oct 1 13:50:42 	charon: 09[CFG] no alternative config found
      Oct 1 13:50:42 	charon: 09[CFG] <bypasslan|23> no alternative config found
      Oct 1 13:50:42 	charon: 09[IKE] processing INTERNAL_IP4_ADDRESS attribute
      Oct 1 13:50:42 	charon: 09[IKE] <bypasslan|23> processing INTERNAL_IP4_ADDRESS attribute
      Oct 1 13:50:42 	charon: 09[IKE] processing INTERNAL_IP4_DNS attribute
      Oct 1 13:50:42 	charon: 09[IKE] <bypasslan|23> processing INTERNAL_IP4_DNS attribute
      Oct 1 13:50:42 	charon: 09[IKE] processing INTERNAL_IP4_NBNS attribute
      Oct 1 13:50:42 	charon: 09[IKE] <bypasslan|23> processing INTERNAL_IP4_NBNS attribute
      Oct 1 13:50:42 	charon: 09[IKE] peer supports MOBIKE
      Oct 1 13:50:42 	charon: 09[IKE] <bypasslan|23> peer supports MOBIKE
      Oct 1 13:50:42 	charon: 09[IKE] got additional MOBIKE peer address: 172.17.0.1
      Oct 1 13:50:42 	charon: 09[IKE] <bypasslan|23> got additional MOBIKE peer address: 172.17.0.1
      Oct 1 13:50:42 	charon: 09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Oct 1 13:50:42 	charon: 09[ENC] <bypasslan|23> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Oct 1 13:50:42 	charon: 09[NET] sending packet: from 217.X.X.X[4500] to 193.X.X.X[46341] (80 bytes)
      Oct 1 13:50:42 	charon: 09[NET] <bypasslan|23> sending packet: from 217.X.X.X[4500] to 193.X.X.X[46341] (80 bytes)
      Oct 1 13:50:42 	charon: 09[IKE] IKE_SA bypasslan[23] state change: CONNECTING => DESTROYING
      Oct 1 13:50:42 	charon: 09[IKE] <bypasslan|23> IKE_SA bypasslan[23] state change: CONNECTING => DESTROYING
      
      milchi wrote:


        So, after trying a lot last weekend I finally have this working. As always, RTFM helps a lot.

        One problem was that I used the server cert instead of the CA cert in the client, another problem was that I somehow put in 0.0.0.0/24 instead of 0.0.0.0/0 as described in the manual. In hindsight I really don't know what I was thinking.

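The two log lines the first post singles out, and the two fixes the second post reports, line up: the client answers the server's CERTREQ with "unknown ca" because it was given the server certificate rather than the CA certificate, and the only peer config the server matched requires public key authentication while the client offered a pre-shared key; separately, a Phase 2 "local network" of 0.0.0.0/24 covers 256 addresses, not everything. The helper below is an added example (editor's code, not the poster's and not part of pfSense or strongSwan) that pulls exactly those facts out of charon/charon-nm log lines and checks the Phase 2 selector. The sample lines are copied from the logs in this thread; the finding codes and function names are my own and carry no meaning to strongSwan.

```python
import re
from ipaddress import ip_network

# Sample lines copied from the client (charon-nm) and server (charon) logs in this thread.
CLIENT_LOG = """\
Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] received 1 cert requests for an unknown ca
Oct 01 13:17:29 novac charon-nm[4597]: 12[IKE] authentication of 'testkey' (myself) with pre-shared key
Oct 01 13:17:29 novac charon-nm[4597]: 08[IKE] received AUTHENTICATION_FAILED notify error
"""

SERVER_LOG = """\
Oct 1 13:50:42 \tcharon: 09[IKE] <23> sending cert request for "C=DE, ST=ST, L=example, O=example GmbH, E=root@example.com, CN=example-vpn-ca"
Oct 1 13:50:42 \tcharon: 09[CFG] <bypasslan|23> selected peer config 'bypasslan'
Oct 1 13:50:42 \tcharon: 09[IKE] <bypasslan|23> authentication of 'testkey' with pre-shared key successful
Oct 1 13:50:42 \tcharon: 09[CFG] <bypasslan|23> constraint requires public key authentication, but pre-shared key was used
Oct 1 13:50:42 \tcharon: 09[CFG] <bypasslan|23> selected peer config 'bypasslan' inacceptable: non-matching authentication done
"""

# Patterns for the charon messages this thread turns on.
CERTREQ_RE = re.compile(r'sending cert request for "(?P<dn>[^"]+)"')
CN_RE = re.compile(r"CN=(?P<cn>[^,]+)")
PEERCFG_RE = re.compile(r"selected peer config '(?P<name>[^']+)'")
UNKNOWN_CA_RE = re.compile(r"received \d+ cert requests? for an unknown ca")
PSK_CONSTRAINT_RE = re.compile(
    r"constraint requires public key authentication, but pre-shared key was used")
CLIENT_AUTH_RE = re.compile(
    r"authentication of '(?P<id>[^']+)' \(myself\) with (?P<method>.+)$", re.MULTILINE)


def requested_ca_names(server_log):
    """Return the CN of every CA the server named in its CERTREQ payload."""
    names = []
    for m in CERTREQ_RE.finditer(server_log):
        cn = CN_RE.search(m.group("dn"))
        names.append(cn.group("cn") if cn else m.group("dn"))
    return names


def triage(client_log, server_log):
    """Correlate both sides' logs; returns a list of findings (empty when nothing matched)."""
    findings = []
    if UNKNOWN_CA_RE.search(client_log):
        ca_names = requested_ca_names(server_log)
        wanted = ", ".join(ca_names) if ca_names else "(CA name not visible in server log)"
        findings.append({
            "code": "CLIENT_MISSING_CA",   # constructed finding code
            "detail": f"client has no certificate for the CA the server asked for: {wanted}; "
                      "install the CA certificate (not the server certificate) on the client",
        })
    if PSK_CONSTRAINT_RE.search(server_log):
        peer_cfgs = sorted({m.group("name") for m in PEERCFG_RE.finditer(server_log)})
        auth = CLIENT_AUTH_RE.search(client_log)
        who = auth.group("id") if auth else "?"
        how = auth.group("method") if auth else "a pre-shared key"
        findings.append({
            "code": "PSK_WHERE_PUBKEY_REQUIRED",   # constructed finding code
            "detail": f"server peer config(s) {peer_cfgs or ['?']} require public key "
                      f"authentication, but the client authenticated as '{who}' with {how}",
        })
    return findings


def check_full_tunnel_selector(cidr):
    """Check that a mobile-client Phase 2 'local network' really means 'every address'."""
    net = ip_network(cidr)
    if net.prefixlen == 0:
        return True, f"{net} covers all {net.num_addresses} addresses (full tunnel)"
    return False, (f"{net} covers only {net.num_addresses} address(es); "
                   "use 0.0.0.0/0 (or ::/0) for a full tunnel")


if __name__ == "__main__":
    for f in triage(CLIENT_LOG, SERVER_LOG):
        print(f"[{f['code']}] {f['detail']}")
    for selector in ("0.0.0.0/24", "0.0.0.0/0"):
        ok, why = check_full_tunnel_selector(selector)
        print(("OK  " if ok else "BAD ") + why)
```

Run it against your own logs by pasting the client and server excerpts into the two strings; the CA name it reports is the one to compare against the CA certificate installed in the NetworkManager connection, and an empty findings list means the failure lies somewhere this thread does not cover.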