Netgate Discussion Forum

    StartSSL certificate for IKEv2 with EAP-MSCHAPv2

    IPsec
    2 Posts 2 Posters 1.4k Views
    • filnko

      Hello,

      At the moment I'm using a self-signed server certificate for IKEv2 and would like to switch to an OV StartSSL certificate.
      Somehow this doesn't work, there's always the error "peer requested EAP, config inacceptable".

      When connecting with OS X 10.11.4 (log reversed):

      Apr 7 00:22:40	charon: 12[NET] <bypasslan|319> sending packet: from 185.0.0.221[4500] to 91.0.0.237[12680] (80 bytes)
      Apr 7 00:22:40	charon: 12[ENC] <bypasslan|319> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Apr 7 00:22:40	charon: 12[IKE] <bypasslan|319> peer supports MOBIKE
      Apr 7 00:22:40	charon: 12[IKE] <bypasslan|319> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Apr 7 00:22:40	charon: 12[CFG] <bypasslan|319> no alternative config found
      Apr 7 00:22:40	charon: 12[IKE] <bypasslan|319> peer requested EAP, config inacceptable
      Apr 7 00:22:40	charon: 12[CFG] <bypasslan|319> selected peer config 'bypasslan'
      Apr 7 00:22:40	charon: 12[CFG] <319> looking for peer configs matching 185.0.0.221[something.ppoe.at]...91.0.0.237[10.5.0.238]
      Apr 7 00:22:40	charon: 12[ENC] <319> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
      Apr 7 00:22:40	charon: 12[NET] <319> received packet: from 91.0.0.237[12680] to 185.0.0.221[4500] (336 bytes)
      Apr 7 00:22:40	charon: 05[NET] <319> sending packet: from 185.0.0.221[500] to 91.0.0.237[500] (320 bytes)
      Apr 7 00:22:40	charon: 05[ENC] <319> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
      Apr 7 00:22:40	charon: 05[IKE] <319> remote host is behind NAT
      Apr 7 00:22:40	charon: 05[IKE] <319> local host is behind NAT, sending keep alives
      Apr 7 00:22:40	charon: 05[IKE] <319> 91.0.0.237 is initiating an IKE_SA
      Apr 7 00:22:40	charon: 05[ENC] <319> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
      Apr 7 00:22:40	charon: 05[NET] <319> received packet: from 91.0.0.237[500] to 185.0.0.221[500] (304 bytes)
      

      The pfSense FQDN is in the SAN of the SSL certificate; the certificate is the same one as here: https://ppoe.at

      What am I doing wrong?

      • jimp (Rebel Alliance Developer, Netgate)

        Lots of problems with that cert for IKEv2…

        • It's not marked as a server cert
        • Missing EKU for TLS Web Server Authentication and 1.3.6.1.5.5.8.2.2
        • IP address is not in the SAN list

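A worked example added by the editor, not code from the forum post, from pfSense or from strongSwan: the script below issues an IKEv2 server certificate from a private CA with the three properties jimp lists (a server certificate, EKU containing TLS Web Server Authentication plus the IKE intermediate OID 1.3.6.1.5.5.8.2.2, and both the FQDN and the IP address in the SAN), and provides a `check_ikev2_cert` function that reports which of those properties any PEM certificate lacks, so it can be pointed at the StartSSL certificate to confirm the diagnosis. The hostname `vpn.example.com`, the CA name, the file names and the `--demo` switch are assumptions made for this example; the IP 185.0.0.221 is taken from the responder address in the log above.

```shell
#!/bin/sh
# Added example (not from the forum post or from pfSense/strongSwan):
# issue an IKEv2 server certificate with the extensions Apple/Windows IKEv2
# clients expect, and check any PEM certificate for those extensions.
# Hostname, CA name and paths are assumptions for illustration only.
set -eu

VPN_FQDN="vpn.example.com"   # assumed: the FQDN clients dial (the pfSense host name)
VPN_IP="185.0.0.221"         # responder address from the charon log above
WORK="${WORK:-$(mktemp -d)}" # scratch directory for keys and certs

# Extension file for the server cert: not a CA, EKU serverAuth plus the
# IKE intermediate OID (OpenSSL has no name for it, so it is given numerically),
# and both DNS name and IP address in the SAN. This is the shape the
# pfSense Certificate Manager produces for a "Server Certificate".
make_ext() {
  cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = DNS:$VPN_FQDN, IP:$VPN_IP
EOF
}

# issue_server_cert: create a private CA and a server cert signed by it;
# prints the path of the server certificate.
issue_server_cert() {
  make_ext
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example VPN CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # CN matches the FQDN clients dial; the SAN is what modern clients check
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$VPN_FQDN" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
  echo "$WORK/server.crt"
}

# check_ikev2_cert CERT FQDN IP
# Returns 0 if the certificate has serverAuth, 1.3.6.1.5.5.8.2.2 and both
# FQDN and IP in its SAN; otherwise prints each missing item and returns 1.
check_ikev2_cert() {
  cert="$1"; fqdn="$2"; ip="$3"; rc=0
  txt=$(openssl x509 -in "$cert" -noout -text)
  # openssl prints the extension name on one line and its values on the next
  eku=$(printf '%s\n' "$txt" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
  san=$(printf '%s\n' "$txt" | grep -A1 'X509v3 Subject Alternative Name' | tail -n 1)
  case "$eku" in *"TLS Web Server Authentication"*) ;;
    *) echo "missing EKU: TLS Web Server Authentication (serverAuth)"; rc=1 ;; esac
  case "$eku" in *"1.3.6.1.5.5.8.2.2"*|*ikeIntermediate*) ;;
    *) echo "missing EKU: 1.3.6.1.5.5.8.2.2 (IKE intermediate)"; rc=1 ;; esac
  case "$san" in *"DNS:$fqdn"*) ;;
    *) echo "FQDN $fqdn not in SAN"; rc=1 ;; esac
  case "$san" in *"IP Address:$ip"*) ;;
    *) echo "IP address $ip not in SAN"; rc=1 ;; esac
  return $rc
}

# Usage: sh ikev2-cert.sh --demo            (issue and verify a test cert)
#        . ./ikev2-cert.sh; check_ikev2_cert startssl.crt something.ppoe.at 185.0.0.221
if [ "${1:-}" = "--demo" ]; then
  cert=$(issue_server_cert)
  check_ikev2_cert "$cert" "$VPN_FQDN" "$VPN_IP" && echo "$cert: OK for IKEv2"
fi
```

Run the check against the StartSSL certificate to see the same three findings jimp reports. A public CA is unlikely to issue a certificate carrying the IKE intermediate EKU, so the practical route for IKEv2 with Apple clients is a certificate from your own CA (in pfSense, a Certificate Manager certificate of type Server Certificate) with that CA installed as trusted on the clients.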
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.