Strongswan IKEv2 - Certificate Authentication

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Damonc

Damon
Thread Starter
Joined
May 9, 2001
Messages
667
Hi,

I'm trying to set up strongswan using IKEv2 certificate authentication on a Raspberry Pi. Nearly every other VPN server I've set up previously has either been Windows or had a GUI, and used username/password rather than certificates, so I'm new to strongswan.

I followed this tutorial on youtube

Part 1:

Part 2:

However, it didn't work, even after making some changes via other posts I'd read; still no go, I'm just getting authentication failed. For the moment I'm just trying over my internal network (as it's purely for learning purposes at the moment).

Here's my ipsec.conf file:
Code:
# ipsec.conf - strongSwan IPsec configuration file


config setup
  uniqueids=never
  charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
  auto=start
  closeaction=restart
  keyexchange=ikev2
  ike=aes128-sha256-ecp256
  esp=aes128-sha256-ecp256
  dpdaction=clear
  dpddelay=300s
  dpdtimeout = 5s
  forceencaps=yes
  fragmentation=yes
  keyingtries=5
  rekey=yes
  left=%any
  leftfirewall=yes
  leftid=172.16.0.18
  leftsubnet=0.0.0.0/0
  leftcert=vpnHostCert.pem
  leftsendcert=always
  mobike=yes
  rightid=%any
  rightdns=8.8.8.8
  rightsourceip=172.16.16.1/24 ## LOCAL IP RANGE FOR VPN CONNECTED DEVICES
  type=tunnel

conn IKEv2
  rightauth=pubkey
  eap_identity=%any


include /var/lib/strongswan/ipsec.conf.inc

and the ipsec.secrets
Code:
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc

: ECDSA vpnHostKey.pem

and from the log
Code:
Jul 29 08:03:39 raspberrypi charon: 04[IKE] IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
Jul 29 08:03:39 raspberrypi charon: 04[CFG] selecting proposal:
Jul 29 08:03:39 raspberrypi charon: 04[CFG]   proposal matches
Jul 29 08:03:39 raspberrypi charon: 04[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Jul 29 08:03:39 raspberrypi charon: 04[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA$
Jul 29 08:03:39 raspberrypi charon: 04[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Jul 29 08:03:39 raspberrypi charon: 04[IKE] faking NAT situation to enforce UDP encapsulation
Jul 29 08:03:39 raspberrypi charon: 04[IKE] sending cert request for "C=AU, O=strongSwan, CN=strongSwan Root CA"
Jul 29 08:03:39 raspberrypi charon: 04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Jul 29 08:03:39 raspberrypi charon: 04[NET] sending packet: from 172.16.0.18[500] to 172.16.0.150[500] (281 bytes)
Jul 29 08:03:39 raspberrypi charon: 14[NET] sending packet: from 172.16.0.18[500] to 172.16.0.150[500]
Jul 29 08:03:39 raspberrypi charon: 13[NET] received packet: from 172.16.0.150[4500] to 172.16.0.18[4500]
Jul 29 08:03:39 raspberrypi charon: 13[NET] waiting for data on sockets
Jul 29 08:03:39 raspberrypi charon: 03[NET] received packet: from 172.16.0.150[4500] to 172.16.0.18[4500] (532 bytes)
Jul 29 08:03:39 raspberrypi charon: 03[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
Jul 29 08:03:39 raspberrypi charon: 03[ENC] received fragment #1 of 2, waiting for complete IKE message
Jul 29 08:03:39 raspberrypi charon: 13[NET] received packet: from 172.16.0.150[4500] to 172.16.0.18[4500]
Jul 29 08:03:39 raspberrypi charon: 13[NET] waiting for data on sockets
Jul 29 08:03:39 raspberrypi charon: 05[NET] received packet: from 172.16.0.150[4500] to 172.16.0.18[4500] (436 bytes)
Jul 29 08:03:39 raspberrypi charon: 05[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
Jul 29 08:03:39 raspberrypi charon: 05[ENC] received fragment #2 of 2, reassembling fragmented IKE message
Jul 29 08:03:39 raspberrypi charon: 05[ENC] unknown attribute type (25)
Jul 29 08:03:39 raspberrypi charon: 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CERTREQ AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG)$
Jul 29 08:03:39 raspberrypi charon: 05[IKE] received cert request for unknown ca with keyid 1b:d9:89:c6:31:65:8d:79:b1:27:8e:ea:13:19:28:6b:5a:56:08:88
Jul 29 08:03:39 raspberrypi charon: 05[IKE] received 1 cert requests for an unknown ca
Jul 29 08:03:39 raspberrypi charon: 05[IKE] received end entity cert "C=AU, O=strongSwan, CN=VPNUser"
Jul 29 08:03:39 raspberrypi charon: 05[CFG] looking for peer configs matching 172.16.0.18[172.16.0.18]...172.16.0.150[VPNUser]
Jul 29 08:03:39 raspberrypi charon: 05[CFG] no matching peer config found
Jul 29 08:03:39 raspberrypi charon: 05[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jul 29 08:03:39 raspberrypi charon: 05[IKE] processing INTERNAL_IP4_DHCP attribute
Jul 29 08:03:39 raspberrypi charon: 05[IKE] processing INTERNAL_IP4_DNS attribute
Jul 29 08:03:39 raspberrypi charon: 05[IKE] processing INTERNAL_IP4_NETMASK attribute
Jul 29 08:03:39 raspberrypi charon: 05[IKE] processing INTERNAL_IP6_ADDRESS attribute
Jul 29 08:03:39 raspberrypi charon: 05[IKE] processing INTERNAL_IP6_DHCP attribute
Jul 29 08:03:39 raspberrypi charon: 05[IKE] processing INTERNAL_IP6_DNS attribute
Jul 29 08:03:39 raspberrypi charon: 05[IKE] processing (25) attribute
Jul 29 08:03:39 raspberrypi charon: 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 29 08:03:39 raspberrypi charon: 05[IKE] peer supports MOBIKE
Jul 29 08:03:39 raspberrypi charon: 05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 29 08:03:39 raspberrypi charon: 05[NET] sending packet: from 172.16.0.18[4500] to 172.16.0.150[4500] (80 bytes)
Jul 29 08:03:39 raspberrypi charon: 14[NET] sending packet: from 172.16.0.18[4500] to 172.16.0.150[4500]
Jul 29 08:03:39 raspberrypi charon: 05[IKE] IKE_SA (unnamed)[3] state change: CONNECTING => DESTROYING
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Moved to networking, where you might be more likely to get somebody who knows.
 

Damonc

Damon
Thread Starter
Joined
May 9, 2001
Messages
667
Update: I've gotten a bit further; now I just need to sort out the encryption.

Code:
Jul 29 11:54:05 raspberrypi charon: 09[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Jul 29 11:54:05 raspberrypi charon: 09[CFG] selecting proposal:
Jul 29 11:54:05 raspberrypi charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 29 11:54:05 raspberrypi charon: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Jul 29 11:54:05 raspberrypi charon: 09[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
 

Damonc

Damon
Thread Starter
Joined
May 9, 2001
Messages
667
Another update.

I've configured the encryption methods to match what the iPad is sending, and now I'm back to "no matching peer config found".

Code:
Jul 30 10:44:22 raspberrypi charon: 10[IKE] received 1 cert requests for an unknown ca
Jul 30 10:44:22 raspberrypi charon: 10[IKE] received end entity cert "C=AU, O=strongSwan, CN=VPNUser"
Jul 30 10:44:22 raspberrypi charon: 10[CFG] looking for peer configs matching 172.16.0.18[172.16.0.18]...172.16.0.53[VPNUser]
Jul 30 10:44:22 raspberrypi charon: 10[CFG] no matching peer config found
Jul 30 10:44:22 raspberrypi charon: 10[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jul 30 10:44:22 raspberrypi charon: 10[IKE] processing INTERNAL_IP4_DHCP attribute
Jul 30 10:44:22 raspberrypi charon: 10[IKE] processing INTERNAL_IP4_DNS attribute
Jul 30 10:44:22 raspberrypi charon: 10[IKE] processing INTERNAL_IP4_NETMASK attribute
Jul 30 10:44:22 raspberrypi charon: 10[IKE] processing INTERNAL_IP6_ADDRESS attribute
Jul 30 10:44:22 raspberrypi charon: 10[IKE] processing INTERNAL_IP6_DHCP attribute
Jul 30 10:44:22 raspberrypi charon: 10[IKE] processing INTERNAL_IP6_DNS attribute
Jul 30 10:44:22 raspberrypi charon: 10[IKE] processing (25) attribute
Jul 30 10:44:22 raspberrypi charon: 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 30 10:44:22 raspberrypi charon: 10[IKE] peer supports MOBIKE
Jul 30 10:44:22 raspberrypi charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 30 10:44:22 raspberrypi charon: 10[NET] sending packet: from 172.16.0.18[4500] to 172.16.0.53[4500] (76 bytes)
Jul 30 10:44:22 raspberrypi charon: 04[NET] sending packet: from 172.16.0.18[4500] to 172.16.0.53[4500]
Jul 30 10:44:22 raspberrypi charon: 10[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
Is anyone able to offer any advice on setting strongswan up?
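As an added example (not from the thread or the strongSwan project), a small parser for the charon log lines quoted in these posts: it extracts the received and configured IKE proposals, compares them per transform type, and records the peer-config lookup and the AUTH_FAILED outcome. The sample log is assembled from lines in the second and third posts; the transform-type prefixes are assumptions based on charon's algorithm names.

```python
import re

# Sample input: charon log lines quoted from the second and third posts above.
SAMPLE_LOG = """\
Jul 29 11:54:05 raspberrypi charon: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Jul 29 11:54:05 raspberrypi charon: 09[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Jul 30 10:44:22 raspberrypi charon: 10[CFG] looking for peer configs matching 172.16.0.18[172.16.0.18]...172.16.0.53[VPNUser]
Jul 30 10:44:22 raspberrypi charon: 10[CFG] no matching peer config found
Jul 30 10:44:22 raspberrypi charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

PROPOSAL_RE = re.compile(r"(received|configured) proposals: (.+)$")
PEER_RE = re.compile(r"peer configs matching (\S+?)\[(.*?)\]\.\.\.(\S+?)\[(.*?)\]")
# Assumed prefixes identifying the non-encryption transform types in charon's names;
# anything else (AES_CBC_*, AES_GCM_*, CAMELLIA_*, 3DES_CBC, ...) is encryption.
TYPES = ((("PRF_",), "prf"), (("ECP_", "MODP_", "CURVE_"), "dh"),
         (("HMAC_", "AES_XCBC", "AES_CMAC"), "integrity"))

def classify(token):
    """Map one IKE transform name to its IKEv2 transform type."""
    return next((kind for prefixes, kind in TYPES if token.startswith(prefixes)), "encryption")

def transform_sets(proposals):
    """'IKE:A/B/C, IKE:D/E' -> {type: {names}} collected over every proposal listed."""
    sets = {}
    for proposal in proposals.split(", "):
        for token in proposal.split(":", 1)[-1].split("/"):
            sets.setdefault(classify(token), set()).add(token)
    return sets

def analyze(log_text):
    """Extract the negotiation facts behind an IKE_SA failure from charon's log."""
    report = {"mismatch": [], "peer": None, "peer_config_found": True, "auth_failed": False}
    seen = {}
    for line in log_text.splitlines():
        if m := PROPOSAL_RE.search(line):
            seen[m.group(1)] = transform_sets(m.group(2))
        if m := PEER_RE.search(line):
            report["peer"] = dict(zip(("local", "local_id", "remote", "remote_id"), m.groups()))
        report["peer_config_found"] &= "no matching peer config found" not in line
        report["auth_failed"] |= "N(AUTH_FAILED)" in line
    if "received" in seen and "configured" in seen:
        # A transform type with no entry common to both sides is what makes charon
        # log "no acceptable ENCRYPTION_ALGORITHM found" and abort IKE_SA_INIT.
        for kind in ("encryption", "integrity", "prf", "dh"):
            r, c = seen["received"].get(kind, set()), seen["configured"].get(kind, set())
            if (r or c) and not (r & c):
                report["mismatch"].append(kind)
    return report
```

Running `analyze(SAMPLE_LOG)` reports the AES_CBC_256 versus AES_CBC_128 encryption mismatch from the second post and the failed peer-config lookup for 172.16.0.53[VPNUser] from the third.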