[Completed] Working eap-tls / pfSense 2.2 - $100 USD
I see the issue now.
Is pfSense the issuer of these certificates.
I think that all the client certs should be present in the certificate repository of pfSense, at least the public component.
After i will put all these public parts to be trusted by strongswan.
Not sure why strongswan has this requirement but seems the better way.
Can you do the test to put the peer certificate on the /var/etc/ipsec/ipsec.d/cer* and see if that fixes it with eap_identify = %identity?
pfSense is not the issuer of the certs, I imported the root CA and the pfSense VPN cert.
I will test that after work.
(If importing the public key is required it should be possible to import only the public key via the GUI - Currently private and public is required)
Normally you can import only public even though you have both fields you can just import the public part and it will not complain.
I can import the cert without private key in the CAs tab.
In the Certificates tab i get the error "The field Key data is required."
Anyway can you perform the test from console and after can see this issue as well.
strongswan seems to ignore the cert completly if it's not referenced in the conf.
I added the pub, and even the private key to the right directories and after "ipsec rerreadall" it only shows my used pfSense cert with "ipsec listcerts" (and only the CA cert with listcacerts)
If I add this to the config, the peer cert is available with listcerts
but than I get
"charon: 01[CFG] no matching peer config found"
I can also see my peer cert after the first successfully connection
(with eap_identity = "C=, ST=, L=, O=, OU=, CN=, E=*")
I will build a new test deployment with different certs and clients(also a strongswan client) at the weekend....
Can you try instead of eap_identity to put aaa_identity = %any and retry?
Jan 15 20:06:56 charon: 10[IKE] EAP method EAP_TLS failed for peer CLIENT-IP
Jan 15 20:06:56 charon: 10[TLS] sending fatal TLS alert 'certificate unknown'
Jan 15 20:06:56 charon: 10[TLS] no trusted certificate found for 'CERT-CN' to verify TLS peer
Jan 15 20:06:56 charon: 10[TLS] received TLS peer certificate 'C=XX, ST=XXXXXX, L=XXX, O=XXX, OU=XXX, CN=CERT-CN, E=XXX'
Jan 15 20:08:27 charon: 07[TLS] sending fatal TLS alert 'handshake failure'
Jan 15 20:08:27 charon: 07[TLS] no usable TLS server certificate found for '%identity'
What algo is the signature on the client cert, SHA1 something else?
Can you validate this cert with the pki –verify tool of strongswan?
It is available with pfSense.
pki –verify --in /tmp/VPN-Client.crt --cacert /var/etc/ipsec/ipsec.d/cacerts/1eb57a16.0.crt
using certificate 'C=XX, ST=XXXXXX, L=XXX, O=XXX, OU=XXX, CN=CERT-CN, E=XXX'
using trusted ca certificate 'C=XX, ST=XXXXXX, L=XXX, O=XXX, OU=XXX, CN=CA-CERT-CN, E=XXX'
reached self-signed root ca with a path length of 0
certificate trusted, lifetimes valid
I do this tests currently in my private network, at weekend I will create a new test setup with weaker and non sensible certs, so I can give you more information if needed.
Oh can you try removing the leftid settings from the profile and see if that fixes it?
Jan 15 22:06:23 charon: 13[TLS] no trusted certificate found for 'CERT-CN' to verify TLS peer
(with and without eap_identity)
What if you do even leftauth=eap-tls or as usual but adding rightsendcert=never?
Also can you post full ipsec.conf section of the connection?
EDIT: also can you see based on this https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig
Jan 15 22:15:53 charon: 07[IKE] configured EAP-only authentication, but peer does not support it
Jan 15 22:15:53 charon: 07[IKE] <con3|43>configured EAP-only authentication, but peer does not support it
conn con3 reqid = 3 fragmentation = yes keyexchange = ikev2 reauth = yes forceencaps = no rekey = yes installpolicy = yes type = tunnel dpdaction = none auto = add left = WAN-IP right = %any compress = yes ikelifetime = 28800s lifetime = 3600s rightsourceip = 172.16.94.0/24 ike = aes256-sha256-modp1024! esp = aes256-sha1-modp1024,aes256-sha256-modp1024! eap_identity=%identity leftauth=eap-tls rightauth=eap-tls leftcert=/var/etc/ipsec/ipsec.d/certs/cert-3.crt rightsubnet = 172.16.94.0/24 leftsubnet = 0.0.0.0/0
edit: with usual but rightsendcert=never same as always
Jan 15 22:19:11 charon: 13[TLS] sending fatal TLS alert 'certificate unknown'
Jan 15 22:19:11 charon: 13[TLS] no trusted certificate found for 'Client-CN' to verify TLS peer</con3|43>
Can you try with as usual but adding rightsendcert=never?
Can you also try a config as per https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig
Your link is pointing to a working eap-mschapv2 config (the one I used for my first tests with mschap)
I tried it now, and some days ago, with this config and many variations without success
Jan 15 22:36:08 charon: 11[JOB] deleting half open IKE_SA after timeout
Jan 15 22:36:00 charon: 11[NET] sending packet: from Server-IP to Client-IP (108 bytes)
Jan 15 22:19:11 charon: 13[TLS] sending fatal TLS alert 'certificate unknown'
Jan 15 22:19:11 charon: 13[TLS] no trusted certificate found for 'Client-CN' to verify TLS peer
conn con3 reqid = 3 fragmentation = yes keyexchange = ikev2 reauth = yes forceencaps = no rekey = yes installpolicy = yes type = tunnel dpdaction = none auto = add left = 220.127.116.11 right = %any compress = yes ikelifetime = 28800s lifetime = 3600s rightsourceip = 172.16.94.0/24 ike = aes256-sha256-modp1024! esp = aes256-sha1-modp1024,aes256-sha256-modp1024! leftauth=pubkey rightauth=eap-tls leftcert=/var/etc/ipsec/ipsec.d/certs/cert-3.crt rightsubnet = 172.16.94.0/24 leftsubnet = 0.0.0.0/0 rightsendcert=never
I really need some sleep, I will continue until tomorrow evening, and I hope that with the windows 8 debug files it should be easier to find the issue. - Windows Phone is hard to debug.
After hours of testing and searching I finally could connect with a workaround, which is unusable for productive use :(
My test environment: (I can give you direct access if you like - just pm me)
Certs generated by pfSense (root cert / vpn cert / client cert - vpn cert with the DNS name as SAN)
pfSense 2.2 RC Config WAN 18.104.22.168 Lan 192.168.123.1 EAP-TLS: My identifier: fw.test.domain.local My Cert: fw.test.domain.local (Server Cert / Alt.Name: fw.test.domain.local/ issued by Test-CA) My CA: Test-CA P1: AES 256 / SHA256 / DH2 / Lifetime 28800 / NAT AUto / DPD 10,5 P2: Network: 0.0.0.0/0 / ESP / AES256 / SHA1 / PFS OFF / Lifetime 3600 Win 8 Config LAN: 22.214.171.124 (direct WAN Access) IKEv2 Config: Hostname: fw.test.domain.local Type: IKEv2 encryption: Require encryption Authentication: EAP Use a certificate on this computer (advanced: issued by Test-CA) Verify the servers identity Connect to these servers fw.test.private.domain Trusted Root CA: Test-CA Use a different user name for the connection
Connection user name: C=US, ST=Vienna, L=Vienna, O=Test, Eemail@example.com, CN=Test-VPNClient
Connection and successful traffic to 192.168.123.1 !
Successful connection logs:
Edit: removed connection log
Connection without "Use a different user name for the connection" option and with variations of eap_identity (%any / %identity)
charon: 16[IKE] EAP method EAP_TLS failed for peer 126.96.36.199
charon: 16[TLS] no trusted certificate found for 'Test-VPNClient' to verify TLS peer
charon: 16[TLS] received TLS peer certificate 'C=US, ST=Vienna, L=Vienna, O=Test-Hege, Efirstname.lastname@example.org, CN=Test-VPNClient'
charon: 13[IKE] received EAP identity 'Test-VPNClient'
Edit: removed the log file
What do you mean by unusable ?
I did not understand why its unusable for production use?
The VPN-user have to paste the full cert value as his username, which is very long and you can't save this value, so you have to insert this "username" every time.
eap-tls have to work without any user-input.
Also this workaround is not possible on Windows Phone, because you can't specify an username there.
Edit: Maybe that is the solution https://lists.strongswan.org/pipermail/users/2010-October/000814.html - I will try that as soon as possible!
Edit2: Yep, just a client cert issue, such a waste of free time…
Full trust of chain (Root CA have to be installed on the client)
pfSense Server cert needs the EKU "Server Authentification", also the FQDN in the Subject Alternative Names
pfSense Client Cert needs the EKU "Client Authentification", also the CN name as a FQDN in the SAN
ermal, THANK YOU VERY MUCH!
Please let me know, how I can donate my bounty to pfSense.
I think buying the gold package is the nearest donate approach :)
Thank you, hege for confirming it works.
done, bit I still owe you a dollar :)