
Strongswan IKEv2 - Certificate Authentication

Discussion in 'Networking' started by Damonc, Jul 29, 2018.

Thread Status:
Not open for further replies.
  1. Damonc

    Damonc Thread Starter

    Joined:
    May 9, 2001
    Messages:
    656
    First Name:
    Damon
    Hi,

    I'm trying to set up strongswan using IKEv2 certificate authentication on a raspberry pi. Nearly every other VPN server I've set up previously has either been Windows, or had a GUI, and was username/password, not certificates - so I'm new to strongswan.

    I followed this tutorial on youtube

    Part 1:


    Part 2:


    however it didn't work, even after making some changes via other posts I'd read - still no go, I'm just getting authentication failed. For the moment I'm just trying over my internal network (as it's just purely for learning purposes at the moment).

    Here's my ipsec.conf file:
    Code:
    # ipsec.conf - strongSwan IPsec configuration file
    
    
    config setup
      uniqueids=never
      charondebug="cfg 2, dmn 2, ike 2, net 2"
    
    conn %default
      auto=start
      closeaction=restart
      keyexchange=ikev2
      ike=aes128-sha256-ecp256
      esp=aes128-sha256-ecp256
      dpdaction=clear
      dpddelay=300s
      dpdtimeout=5s
      forceencaps=yes
      fragmentation=yes
      keyingtries=5
      rekey=yes
      left=%any
      leftfirewall=yes
      leftid=172.16.0.18
      leftsubnet=0.0.0.0/0
      leftcert=vpnHostCert.pem
      leftsendcert=always
      mobike=yes
      rightid=%any
      rightdns=8.8.8.8
      rightsourceip=172.16.16.1/24 ## LOCAL IP RANGE FOR VPN CONNECTED DEVICES
      type=tunnel
    
    conn IKEv2
      rightauth=pubkey
      eap_identity=%any
    
    
    include /var/lib/strongswan/ipsec.conf.inc
    and the ipsec.secrets
    Code:
    # This file holds shared secrets or RSA private keys for authentication.
    
    # RSA private key for this host, authenticating it to any other host
    # which knows the public part.
    
    # this file is managed with debconf and will contain the automatically created private key
    include /var/lib/strongswan/ipsec.secrets.inc
    
    : ECDSA vpnHostKey.pem

    and from the log
    Code:
    Jul 29 08:03:39 raspberrypi charon: 04[IKE] IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
    Jul 29 08:03:39 raspberrypi charon: 04[CFG] selecting proposal:
    Jul 29 08:03:39 raspberrypi charon: 04[CFG]   proposal matches
    Jul 29 08:03:39 raspberrypi charon: 04[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
    Jul 29 08:03:39 raspberrypi charon: 04[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA$
    Jul 29 08:03:39 raspberrypi charon: 04[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
    Jul 29 08:03:39 raspberrypi charon: 04[IKE] faking NAT situation to enforce UDP encapsulation
    Jul 29 08:03:39 raspberrypi charon: 04[IKE] sending cert request for "C=AU, O=strongSwan, CN=strongSwan Root CA"
    Jul 29 08:03:39 raspberrypi charon: 04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
    Jul 29 08:03:39 raspberrypi charon: 04[NET] sending packet: from 172.16.0.18[500] to 172.16.0.150[500] (281 bytes)
    Jul 29 08:03:39 raspberrypi charon: 14[NET] sending packet: from 172.16.0.18[500] to 172.16.0.150[500]
    Jul 29 08:03:39 raspberrypi charon: 13[NET] received packet: from 172.16.0.150[4500] to 172.16.0.18[4500]
    Jul 29 08:03:39 raspberrypi charon: 13[NET] waiting for data on sockets
    Jul 29 08:03:39 raspberrypi charon: 03[NET] received packet: from 172.16.0.150[4500] to 172.16.0.18[4500] (532 bytes)
    Jul 29 08:03:39 raspberrypi charon: 03[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
    Jul 29 08:03:39 raspberrypi charon: 03[ENC] received fragment #1 of 2, waiting for complete IKE message
    Jul 29 08:03:39 raspberrypi charon: 13[NET] received packet: from 172.16.0.150[4500] to 172.16.0.18[4500]
    Jul 29 08:03:39 raspberrypi charon: 13[NET] waiting for data on sockets
    Jul 29 08:03:39 raspberrypi charon: 05[NET] received packet: from 172.16.0.150[4500] to 172.16.0.18[4500] (436 bytes)
    Jul 29 08:03:39 raspberrypi charon: 05[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
    Jul 29 08:03:39 raspberrypi charon: 05[ENC] received fragment #2 of 2, reassembling fragmented IKE message
    Jul 29 08:03:39 raspberrypi charon: 05[ENC] unknown attribute type (25)
    Jul 29 08:03:39 raspberrypi charon: 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CERTREQ AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG)$
    Jul 29 08:03:39 raspberrypi charon: 05[IKE] received cert request for unknown ca with keyid 1b:d9:89:c6:31:65:8d:79:b1:27:8e:ea:13:19:28:6b:5a:56:08:88
    Jul 29 08:03:39 raspberrypi charon: 05[IKE] received 1 cert requests for an unknown ca
    Jul 29 08:03:39 raspberrypi charon: 05[IKE] received end entity cert "C=AU, O=strongSwan, CN=VPNUser"
    Jul 29 08:03:39 raspberrypi charon: 05[CFG] looking for peer configs matching 172.16.0.18[172.16.0.18]...172.16.0.150[VPNUser]
    Jul 29 08:03:39 raspberrypi charon: 05[CFG] no matching peer config found
    Jul 29 08:03:39 raspberrypi charon: 05[IKE] processing INTERNAL_IP4_ADDRESS attribute
    Jul 29 08:03:39 raspberrypi charon: 05[IKE] processing INTERNAL_IP4_DHCP attribute
    Jul 29 08:03:39 raspberrypi charon: 05[IKE] processing INTERNAL_IP4_DNS attribute
    Jul 29 08:03:39 raspberrypi charon: 05[IKE] processing INTERNAL_IP4_NETMASK attribute
    Jul 29 08:03:39 raspberrypi charon: 05[IKE] processing INTERNAL_IP6_ADDRESS attribute
    Jul 29 08:03:39 raspberrypi charon: 05[IKE] processing INTERNAL_IP6_DHCP attribute
    Jul 29 08:03:39 raspberrypi charon: 05[IKE] processing INTERNAL_IP6_DNS attribute
    Jul 29 08:03:39 raspberrypi charon: 05[IKE] processing (25) attribute
    Jul 29 08:03:39 raspberrypi charon: 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Jul 29 08:03:39 raspberrypi charon: 05[IKE] peer supports MOBIKE
    Jul 29 08:03:39 raspberrypi charon: 05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Jul 29 08:03:39 raspberrypi charon: 05[NET] sending packet: from 172.16.0.18[4500] to 172.16.0.150[4500] (80 bytes)
    Jul 29 08:03:39 raspberrypi charon: 14[NET] sending packet: from 172.16.0.18[4500] to 172.16.0.150[4500]
    Jul 29 08:03:39 raspberrypi charon: 05[IKE] IKE_SA (unnamed)[3] state change: CONNECTING => DESTROYING
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    moved to networking where you might be more likely to get somebody who knows
     
  3. Damonc

    Damonc Thread Starter

    Joined:
    May 9, 2001
    Messages:
    656
    First Name:
    Damon
    Cheers - thanks
     
  4. Damonc

    Damonc Thread Starter

    Joined:
    May 9, 2001
    Messages:
    656
    First Name:
    Damon
    Update.. I've gotten a bit further, now I just need to sort out the encryption..

    Code:
    Jul 29 11:54:05 raspberrypi charon: 09[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
    Jul 29 11:54:05 raspberrypi charon: 09[CFG] selecting proposal:
    Jul 29 11:54:05 raspberrypi charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Jul 29 11:54:05 raspberrypi charon: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
    Jul 29 11:54:05 raspberrypi charon: 09[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
     
  5. Damonc

    Damonc Thread Starter

    Joined:
    May 9, 2001
    Messages:
    656
    First Name:
    Damon
    Another update..

    I've configured the encryption methods to match what the iPad is sending, and now I'm back to "no matching peer config found"

    Code:
    Jul 30 10:44:22 raspberrypi charon: 10[IKE] received 1 cert requests for an unknown ca
    Jul 30 10:44:22 raspberrypi charon: 10[IKE] received end entity cert "C=AU, O=strongSwan, CN=VPNUser"
    Jul 30 10:44:22 raspberrypi charon: 10[CFG] looking for peer configs matching 172.16.0.18[172.16.0.18]...172.16.0.53[VPNUser]
    Jul 30 10:44:22 raspberrypi charon: 10[CFG] no matching peer config found
    Jul 30 10:44:22 raspberrypi charon: 10[IKE] processing INTERNAL_IP4_ADDRESS attribute
    Jul 30 10:44:22 raspberrypi charon: 10[IKE] processing INTERNAL_IP4_DHCP attribute
    Jul 30 10:44:22 raspberrypi charon: 10[IKE] processing INTERNAL_IP4_DNS attribute
    Jul 30 10:44:22 raspberrypi charon: 10[IKE] processing INTERNAL_IP4_NETMASK attribute
    Jul 30 10:44:22 raspberrypi charon: 10[IKE] processing INTERNAL_IP6_ADDRESS attribute
    Jul 30 10:44:22 raspberrypi charon: 10[IKE] processing INTERNAL_IP6_DHCP attribute
    Jul 30 10:44:22 raspberrypi charon: 10[IKE] processing INTERNAL_IP6_DNS attribute
    Jul 30 10:44:22 raspberrypi charon: 10[IKE] processing (25) attribute
    Jul 30 10:44:22 raspberrypi charon: 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Jul 30 10:44:22 raspberrypi charon: 10[IKE] peer supports MOBIKE
    Jul 30 10:44:22 raspberrypi charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Jul 30 10:44:22 raspberrypi charon: 10[NET] sending packet: from 172.16.0.18[4500] to 172.16.0.53[4500] (76 bytes)
    Jul 30 10:44:22 raspberrypi charon: 04[NET] sending packet: from 172.16.0.18[4500] to 172.16.0.53[4500]
    Jul 30 10:44:22 raspberrypi charon: 10[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
    Is anyone able to offer any advice on setting strongswan up?
     
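The two failure stages this thread walks through, the proposal mismatch in post 4 and the "no matching peer config found" / AUTH_FAILED sequence in posts 1 and 5, can be pulled out of charon's output mechanically rather than read by eye. The triage script below is an added example, not code from the thread or from strongSwan; its log lines are constructed to mirror the ones quoted above, and the finding names (`proposal_mismatch`, `no_peer_config`, and so on) are my own labels.

```python
import re

# Constructed sample modelled on the charon lines quoted in this thread (not the
# original log verbatim). Format: "<timestamp> <host> charon: NN[GROUP] message".
SAMPLE_LOG = """\
Jul 29 11:54:05 raspberrypi charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 29 11:54:05 raspberrypi charon: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Jul 29 11:54:05 raspberrypi charon: 09[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Jul 30 10:44:22 raspberrypi charon: 10[IKE] received 1 cert requests for an unknown ca
Jul 30 10:44:22 raspberrypi charon: 10[CFG] looking for peer configs matching 172.16.0.18[172.16.0.18]...172.16.0.53[VPNUser]
Jul 30 10:44:22 raspberrypi charon: 10[CFG] no matching peer config found
Jul 30 10:44:22 raspberrypi charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

MSG_RE = re.compile(r"charon: \d+\[(\w+)\] (.*)$")
PEER_RE = re.compile(r"matching ([^\[]+)\[([^\]]+)\]\.\.\.([^\[]+)\[([^\]]+)\]")

def split_proposals(field):
    """'IKE:A/B/C, IKE:D/E' -> [{'A','B','C'}, {'D','E'}], protocol prefix dropped."""
    return [set(p.partition(":")[2].split("/")) for p in field.split(", ")]

def triage_charon_log(log):
    """Return (finding, detail) pairs explaining why an IKE_AUTH ended in AUTH_FAILED."""
    findings, received, peer = [], [], None
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg = m.group(2).strip()
        if msg.startswith("received proposals: "):
            received = split_proposals(msg[len("received proposals: "):])
        elif msg.startswith("configured proposals: "):
            configured = split_proposals(msg[len("configured proposals: "):])
            # Algorithms the peer offered that none of our proposals contain: the ike=/esp= gap.
            offered = set().union(*received) if received else set()
            gap = sorted(offered - set().union(*configured))
            if gap:
                findings.append(("proposal_mismatch", gap))
        elif msg.startswith("no acceptable ") and msg.endswith(" found"):
            findings.append(("no_acceptable", msg[len("no acceptable "):-len(" found")]))
        elif "cert request" in msg and "unknown ca" in msg:
            findings.append(("peer_requests_unknown_ca", msg))
        elif msg.startswith("looking for peer configs matching"):
            p = PEER_RE.search(msg)
            peer = {"me": p.group(2), "other": p.group(4)} if p else None
        elif msg == "no matching peer config found":
            findings.append(("no_peer_config", peer))  # IDs charon tried against leftid/rightid
        elif "N(AUTH_FAILED)" in msg:
            findings.append(("auth_failed", None))
    return findings
```

Run `triage_charon_log` over `/var/log/syslog` (or `journalctl -u strongswan`) output after a failed connect; the `no_peer_config` detail shows exactly which local and remote identities need a matching leftid/rightid in a conn.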
Short URL to this thread: https://techguy.org/1213682