win10 ipsec/ikev2 smartcard to pfsense fails - EAP method EAP_TLS failed for peer
-
Hi,
I am trying to connect a Windows 10 machine with a virtual smartcard to pfSense with IPsec.
It all works if I use the plain p12 certificate from the Windows internal cert store (User Certs...).
It fails if I try to load the cert from a virtual smartcard (off the TPM 2.0 module) with the following error:
Any ideas?
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> added payload of type EAP to message
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> order payloads in message
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> added payload of type EAP to message
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating IKE_AUTH response 4 [ EAP/REQ/TLS ]
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> insert payload EAP into encrypted payload
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating payload of type HEADER
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 0 IKE_SPI
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 1 IKE_SPI
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 2 U_INT_8
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 3 U_INT_4
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 4 U_INT_4
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 5 U_INT_8
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 6 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 7 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 8 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 9 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 10 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 11 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 12 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 13 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 14 U_INT_32
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 15 HEADER_LENGTH
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating HEADER payload finished
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating payload of type EAP
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 0 U_INT_8
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 1 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 2 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 3 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 4 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 5 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 6 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 7 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 8 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 9 PAYLOAD_LENGTH
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 10 CHUNK_DATA
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> increasing gen buffer from 500 to 1000 byte
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> increasing gen buffer from 1000 to 1500 byte
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating EAP payload finished
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generated content in encrypted payload
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating payload of type ENCRYPTED
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 0 U_INT_8
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 1 U_INT_8
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 2 PAYLOAD_LENGTH
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 3 CHUNK_DATA
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> increasing gen buffer from 500 to 1000 byte
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> increasing gen buffer from 1000 to 1500 byte
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating ENCRYPTED payload finished
Sep 28 14:50:59 charon 61573 14[NET] <con-mobile|163> sending packet: from 10.8.0.2[4500] to 95.91.204.27[3828] (1104 bytes)
Sep 28 14:50:59 charon 61573 14[MGR] <con-mobile|163> checkin IKE_SA con-mobile[163]
Sep 28 14:50:59 charon 61573 14[MGR] <con-mobile|163> checkin of IKE_SA successful
Sep 28 14:50:59 charon 61573 05[NET] sending packet: from 10.8.0.2[4500] to 95.91.204.27[3828]
Sep 28 14:50:59 charon 61573 04[NET] received packet: from 95.91.204.27[3828] to 10.8.0.2[4500]
Sep 28 14:50:59 charon 61573 04[ENC] parsing header of message
Sep 28 14:50:59 charon 61573 04[ENC] parsing HEADER payload, 80 bytes left
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 0 IKE_SPI
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 1 IKE_SPI
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 2 U_INT_8
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 3 U_INT_4
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 4 U_INT_4
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 5 U_INT_8
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 6 RESERVED_BIT
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 7 RESERVED_BIT
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 8 FLAG
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 9 FLAG
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 10 FLAG
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 11 FLAG
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 12 FLAG
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 13 FLAG
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 14 U_INT_32
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 15 HEADER_LENGTH
Sep 28 14:50:59 charon 61573 04[ENC] parsing HEADER payload finished
Sep 28 14:50:59 charon 61573 04[ENC] parsed a IKE_AUTH request header
Sep 28 14:50:59 charon 61573 04[NET] waiting for data on sockets
Sep 28 14:50:59 charon 61573 14[MGR] checkout IKEv2 SA by message with SPIs 60d44c2e09fbb8e5_i 88c2b6d86b36c317_r
Sep 28 14:50:59 charon 61573 14[MGR] IKE_SA con-mobile[163] successfully checked out
Sep 28 14:50:59 charon 61573 14[NET] <con-mobile|163> received packet: from 95.91.204.27[3828] to 10.8.0.2[4500] (80 bytes)
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing body of message, first payload is ENCRYPTED
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> starting parsing a ENCRYPTED payload
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing ENCRYPTED payload, 52 bytes left
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 0 U_INT_8
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 1 U_INT_8
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 2 PAYLOAD_LENGTH
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 3 CHUNK_DATA
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing ENCRYPTED payload finished
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> verifying payload of type ENCRYPTED
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> ENCRYPTED payload verified, adding to payload list
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> ENCRYPTED payload found, stop parsing
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> process payload of type ENCRYPTED
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> found an encrypted payload
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing EAP payload, 10 bytes left
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 0 U_INT_8
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 1 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 2 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 3 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 4 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 5 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 6 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 7 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 8 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 9 PAYLOAD_LENGTH
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 10 CHUNK_DATA
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing EAP payload finished
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsed content of encrypted payload
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> insert decrypted payload of type EAP at end of list
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> verifying message structure
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> found payload of type EAP
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsed IKE_AUTH request 5 [ EAP/RES/TLS ]
Sep 28 14:50:59 charon 61573 14[TLS] <con-mobile|163> EAP_TLS payload => 6 bytes @ 0x80472b080
Sep 28 14:50:59 charon 61573 14[TLS] <con-mobile|163> 0: 02 5F 00 06 0D 00 ._....
Sep 28 14:50:59 charon 61573 14[TLS] <con-mobile|163> received EAP_TLS acknowledgement packet
Sep 28 14:50:59 charon 61573 14[TLS] <con-mobile|163> sending EAP_TLS final fragment (201 bytes)
SOME LINES REMOVED FOR PRIVACY
Sep 28 14:50:59 charon 61573 14[TLS] <con-mobile|163> 192: 70 6E 2D 63 61 0E 00 00 00 pn-ca....
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> added payload of type EAP to message
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> order payloads in message
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> added payload of type EAP to message
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating IKE_AUTH response 5 [ EAP/REQ/TLS ]
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> insert payload EAP into encrypted payload
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating payload of type HEADER
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 0 IKE_SPI
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 1 IKE_SPI
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 2 U_INT_8
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 3 U_INT_4
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 4 U_INT_4
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 5 U_INT_8
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 6 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 7 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 8 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 9 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 10 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 11 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 12 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 13 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 14 U_INT_32
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 15 HEADER_LENGTH
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating HEADER payload finished
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating payload of type EAP
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 0 U_INT_8
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 1 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 2 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 3 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 4 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 5 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 6 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 7 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 8 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 9 PAYLOAD_LENGTH
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 10 CHUNK_DATA
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating EAP payload finished
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generated content in encrypted payload
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating payload of type ENCRYPTED
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 0 U_INT_8
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 1 U_INT_8
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 2 PAYLOAD_LENGTH
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 3 CHUNK_DATA
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating ENCRYPTED payload finished
Sep 28 14:50:59 charon 61573 14[NET] <con-mobile|163> sending packet: from 10.8.0.2[4500] to 95.91.204.27[3828] (272 bytes)
Sep 28 14:50:59 charon 61573 14[MGR] <con-mobile|163> checkin IKE_SA con-mobile[163]
Sep 28 14:50:59 charon 61573 14[MGR] <con-mobile|163> checkin of IKE_SA successful
Sep 28 14:50:59 charon 61573 05[NET] sending packet: from 10.8.0.2[4500] to 95.91.204.27[3828]
Sep 28 14:50:59 charon 61573 04[NET] received packet: from 95.91.204.27[3828] to 10.8.0.2[4500]
Sep 28 14:50:59 charon 61573 04[ENC] parsing header of message
Sep 28 14:50:59 charon 61573 04[ENC] parsing HEADER payload, 80 bytes left
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 0 IKE_SPI
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 1 IKE_SPI
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 2 U_INT_8
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 3 U_INT_4
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 4 U_INT_4
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 5 U_INT_8
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 6 RESERVED_BIT
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 7 RESERVED_BIT
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 8 FLAG
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 9 FLAG
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 10 FLAG
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 11 FLAG
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 12 FLAG
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 13 FLAG
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 14 U_INT_32
Sep 28 14:50:59 charon 61573 04[ENC] parsing rule 15 HEADER_LENGTH
Sep 28 14:50:59 charon 61573 04[ENC] parsing HEADER payload finished
Sep 28 14:50:59 charon 61573 04[ENC] parsed a IKE_AUTH request header
Sep 28 14:50:59 charon 61573 04[NET] waiting for data on sockets
Sep 28 14:50:59 charon 61573 14[MGR] checkout IKEv2 SA by message with SPIs 60d44c2e09fbb8e5_i 88c2b6d86b36c317_r
Sep 28 14:50:59 charon 61573 14[MGR] IKE_SA con-mobile[163] successfully checked out
Sep 28 14:50:59 charon 61573 14[NET] <con-mobile|163> received packet: from 95.91.204.27[3828] to 10.8.0.2[4500] (80 bytes)
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing body of message, first payload is ENCRYPTED
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> starting parsing a ENCRYPTED payload
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing ENCRYPTED payload, 52 bytes left
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 0 U_INT_8
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 1 U_INT_8
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 2 PAYLOAD_LENGTH
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 3 CHUNK_DATA
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing ENCRYPTED payload finished
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> verifying payload of type ENCRYPTED
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> ENCRYPTED payload verified, adding to payload list
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> ENCRYPTED payload found, stop parsing
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> process payload of type ENCRYPTED
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> found an encrypted payload
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing EAP payload, 10 bytes left
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 0 U_INT_8
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 1 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 2 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 3 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 4 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 5 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 6 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 7 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 8 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 9 PAYLOAD_LENGTH
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing rule 10 CHUNK_DATA
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsing EAP payload finished
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsed content of encrypted payload
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> insert decrypted payload of type EAP at end of list
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> verifying message structure
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> found payload of type EAP
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsed IKE_AUTH request 6 [ EAP/RES/TLS ]
Sep 28 14:50:59 charon 61573 14[TLS] <con-mobile|163> EAP_TLS payload => 6 bytes @ 0x80472b080
Sep 28 14:50:59 charon 61573 14[TLS] <con-mobile|163> 0: 02 60 00 06 0D 00 .`....
Sep 28 14:50:59 charon 61573 14[TLS] <con-mobile|163> received EAP_TLS acknowledgement packet
Sep 28 14:50:59 charon 61573 14[IKE] <con-mobile|163> EAP method EAP_TLS failed for peer 192.168.179.20
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> added payload of type EAP to message
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> order payloads in message
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> added payload of type EAP to message
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating IKE_AUTH response 6 [ EAP/FAIL ]
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> insert payload EAP into encrypted payload
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating payload of type HEADER
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 0 IKE_SPI
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 1 IKE_SPI
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 2 U_INT_8
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 3 U_INT_4
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 4 U_INT_4
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 5 U_INT_8
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 6 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 7 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 8 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 9 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 10 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 11 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 12 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 13 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 14 U_INT_32
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 15 HEADER_LENGTH
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating HEADER payload finished
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating payload of type EAP
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 0 U_INT_8
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 1 FLAG
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 2 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 3 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 4 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 5 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 6 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 7 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 8 RESERVED_BIT
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 9 PAYLOAD_LENGTH
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 10 CHUNK_DATA
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating EAP payload finished
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generated content in encrypted payload
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating payload of type ENCRYPTED
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 0 U_INT_8
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 1 U_INT_8
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 2 PAYLOAD_LENGTH
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 3 CHUNK_DATA
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating ENCRYPTED payload finished
Sep 28 14:50:59 charon 61573 14[NET] <con-mobile|163> sending packet: from 10.8.0.2[4500] to 95.91.204.27[3828] (80 bytes)
Sep 28 14:50:59 charon 61573 14[MGR] <con-mobile|163> checkin and destroy IKE_SA con-mobile[163]
Sep 28 14:50:59 charon 61573 05[NET] sending packet: from 10.8.0.2[4500] to 95.91.204.27[3828]
Sep 28 14:50:59 charon 61573 14[IKE] <con-mobile|163> IKE_SA con-mobile[163] state change: CONNECTING => DESTROYING
Sep 28 14:50:59 charon 61573 14[MGR] checkin and destroy of IKE_SA successful
Sep 28 14:51:00 newsyslog 97738 logfile turned over due to size>500K
Sep 28 14:51:00 newsyslog 97738 logfile turned over due to size>500K
Sep 28 14:51:01 charon 61573 02[JOB] watched FD 21 ready to read
Sep 28 14:51:01 charon 61573 02[JOB] watcher going to poll() 5 fds
Sep 28 14:51:01 charon 61573 02[JOB] watcher got notification, rebuilding
Sep 28 14:51:01 charon 61573 02[JOB] watcher going to poll() 6 fds
Sep 28 14:51:01 charon 61573 02[JOB] watched FD 21 ready to read
Sep 28 14:51:01 charon 61573 02[JOB] watcher going to poll() 5 fds
Sep 28 14:51:01 charon 61573 02[JOB] watcher got notification, rebuilding
Sep 28 14:51:01 charon 61573 02[JOB] watcher going to poll() 6 fds
Sep 28 14:51:01 charon 61573 02[JOB] watched FD 21 ready to read
Sep 28 14:51:01 charon 61573 02[JOB] watcher going to poll() 5 fds
Sep 28 14:51:01 charon 61573 02[JOB] watcher got notification, rebuilding
Sep 28 14:51:01 charon 61573 02[JOB] watcher going to poll() 6 fds
Sep 28 14:51:01 charon 61573 02[JOB] watched FD 21 ready to read
Sep 28 14:51:01 charon 61573 02[JOB] watcher going to poll() 5 fds
Sep 28 14:51:01 charon 61573 02[JOB] watcher got notification, rebuilding
Sep 28 14:51:01 charon 61573 02[JOB] watcher going to poll() 6 fds
-
Just for the record. Just loaded the cert onto a Yubikey 5 hardware smartcard. Same error/result.
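
Added example, not part of the original posts: a small Python triage script that reduces a charon trace like the one above to the IKE_AUTH/EAP exchange and decodes the 6-byte EAP_TLS payloads (EAP header per RFC 3748, flags octet per RFC 5216). The function names and the result layout are assumptions of this example; the sample lines are excerpted from the log in the first post.

```python
import re
import struct

# Lines excerpted from the log in the first post (one ENC rule line kept as noise).
SAMPLE_LOG = """\
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsed IKE_AUTH request 5 [ EAP/RES/TLS ]
Sep 28 14:50:59 charon 61573 14[TLS] <con-mobile|163> EAP_TLS payload => 6 bytes @ 0x80472b080
Sep 28 14:50:59 charon 61573 14[TLS] <con-mobile|163> 0: 02 5F 00 06 0D 00 ._....
Sep 28 14:50:59 charon 61573 14[TLS] <con-mobile|163> received EAP_TLS acknowledgement packet
Sep 28 14:50:59 charon 61573 14[TLS] <con-mobile|163> sending EAP_TLS final fragment (201 bytes)
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating rule 3 CHUNK_DATA
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating IKE_AUTH response 5 [ EAP/REQ/TLS ]
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> parsed IKE_AUTH request 6 [ EAP/RES/TLS ]
Sep 28 14:50:59 charon 61573 14[TLS] <con-mobile|163> EAP_TLS payload => 6 bytes @ 0x80472b080
Sep 28 14:50:59 charon 61573 14[TLS] <con-mobile|163> 0: 02 60 00 06 0D 00 .`....
Sep 28 14:50:59 charon 61573 14[TLS] <con-mobile|163> received EAP_TLS acknowledgement packet
Sep 28 14:50:59 charon 61573 14[IKE] <con-mobile|163> EAP method EAP_TLS failed for peer 192.168.179.20
Sep 28 14:50:59 charon 61573 14[ENC] <con-mobile|163> generating IKE_AUTH response 6 [ EAP/FAIL ]
"""

ENTRY = re.compile(r"charon \d+ \d+\[(?P<grp>[A-Z]+)\] (?:<[^>]+> )?(?P<msg>.*)")
IKE_MSG = re.compile(r"(parsed|generating) IKE_AUTH (request|response) (\d+) \[ (.+?) \]")
DUMP_LEN = re.compile(r"EAP_TLS payload => (\d+) bytes")
DUMP_ROW0 = re.compile(r"0: ((?:[0-9A-Fa-f]{2} ?)+)")   # first row of a hex dump
FAILED = re.compile(r"EAP method (\S+) failed for peer (\S+)")
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def decode_eap_tls(pkt: bytes) -> dict:
    """Decode the EAP header and the EAP-TLS flags octet of one packet."""
    if len(pkt) < 6:
        raise ValueError("too short for an EAP-TLS packet")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:6])
    return {
        "code": EAP_CODES.get(code, code), "id": ident,
        "length": length, "type": eap_type,
        "L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20),
        # A fragment ACK is an EAP-TLS packet (type 13) that carries no TLS data.
        "ack": eap_type == 13 and length == 6 and (flags & 0xE0) == 0,
    }


def triage(log: str) -> dict:
    """Keep only the IKE_AUTH messages, decoded EAP-TLS headers and the failure."""
    out = {"messages": [], "eap": [], "failure": None}
    pending = None  # byte count announced by the line that precedes a hex dump
    for line in log.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        grp, msg = m["grp"], m["msg"]
        if grp == "ENC" and (k := IKE_MSG.search(msg)):
            out["messages"].append((k[2], int(k[3]), k[4]))
        elif grp == "TLS" and (k := DUMP_LEN.search(msg)):
            pending = int(k[1])
        elif grp == "TLS" and pending and (k := DUMP_ROW0.match(msg)):
            # Cut at the announced length so the ASCII column is never parsed.
            out["eap"].append(decode_eap_tls(bytes.fromhex(k[1])[:pending]))
            pending = None
        elif grp == "IKE" and (k := FAILED.search(msg)):
            out["failure"] = {"method": k[1], "peer": k[2]}
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key in ("messages", "eap", "failure"):
        print(key, result[key])
```

On these lines both client payloads decode as EAP-Response, type 13, length 6, flags 0: bare fragment acknowledgements, the second of which is followed directly by the EAP/FAIL response. The excerpt itself does not state why the gateway ended the method.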