
I am setting up strongSwan and have some trouble configuring it. I can log in with user/pass, but I want to replace that with a user.p12 certificate. When I add rightauth2=pubkey, login with user/pass no longer works, and auth with user.p12 does not work either.

My way to create all the certs:

ipsec pki --gen --type rsa --size 4096 --outform pem > server-root-key.pem
chmod 600 server-root-key.pem

ipsec pki --self --ca --lifetime 3650 \
--in server-root-key.pem \
--type rsa --dn "C=DE, O=VPN Server, CN=VPN Server Root CA" \
--outform pem > server-root-ca.pem

ipsec pki --gen --type rsa --size 4096 --outform pem > vpn-server-key.pem

ipsec pki --pub --in vpn-server-key.pem \
--type rsa | ipsec pki --issue --lifetime 1825 \
--cacert server-root-ca.pem \
--cakey server-root-key.pem \
--dn "C=US, O=VPN Server, CN=strongswan" \
--san strongswan \
--san vpn.example.com --san vpn.example.net \
--flag serverAuth --flag ikeIntermediate \
--outform pem > vpn-server-cert.pem

sudo cp ./vpn-server-cert.pem /etc/ipsec.d/certs/vpn-server-cert.pem
sudo cp ./vpn-server-key.pem /etc/ipsec.d/private/vpn-server-key.pem

sudo chown root /etc/ipsec.d/private/vpn-server-key.pem
sudo chgrp root /etc/ipsec.d/private/vpn-server-key.pem
sudo chmod 600 /etc/ipsec.d/private/vpn-server-key.pem



ipsec pki --gen --type rsa --size 2048 --outform pem > JohnKey.pem

ipsec pki --pub --in JohnKey.pem --type rsa | ipsec pki --issue --lifetime 730 \
--cacert server-root-ca.pem --cakey server-root-key.pem \
--dn "C=DE, O=VPN Server, CN=john@example.org" \
--san "john@example.org" --san "john@example.net" \
--outform pem > JohnCert.pem


openssl pkcs12 -export -inkey JohnKey.pem -in JohnCert.pem -name "John's VPN Certificate" -certfile server-root-ca.pem -caname "strongSwan Root CA" -out John.p12
-> export password: password


cp JohnKey.pem /etc/ipsec.d/private/JohnKey.pem
chmod 600 /etc/ipsec.d/private/JohnKey.pem

cp JohnCert.pem /etc/ipsec.d/certs/JohnCert.pem

ipsec.conf:

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@strongswan
    leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    rightsendcert=never
    eap_identity=%identity

ipsec.secrets:

    : RSA "/etc/ipsec.d/private/vpn-server-key.pem"
    admin : EAP "password"

Login with auth by user/pass:

Apr 26 11:19:01 strongswan charon: 14[NET] received packet: from 192.168.178.42[500] to 192.168.178.83[500] (604 bytes)
Apr 26 11:19:01 strongswan charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Apr 26 11:19:01 strongswan charon: 14[IKE] 192.168.178.42 is initiating an IKE_SA
Apr 26 11:19:01 strongswan charon: 14[IKE] faking NAT situation to enforce UDP encapsulation
Apr 26 11:19:01 strongswan charon: 14[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
Apr 26 11:19:01 strongswan charon: 14[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Apr 26 11:19:01 strongswan charon: 14[NET] sending packet: from 192.168.178.83[500] to 192.168.178.42[500] (38 bytes)
Apr 26 11:19:01 strongswan charon: 15[NET] received packet: from 192.168.178.42[500] to 192.168.178.83[500] (476 bytes)
Apr 26 11:19:01 strongswan charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Apr 26 11:19:01 strongswan charon: 15[IKE] 192.168.178.42 is initiating an IKE_SA
Apr 26 11:19:01 strongswan charon: 15[IKE] faking NAT situation to enforce UDP encapsulation
Apr 26 11:19:01 strongswan charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Apr 26 11:19:01 strongswan charon: 15[NET] sending packet: from 192.168.178.83[500] to 192.168.178.42[500] (316 bytes)
Apr 26 11:19:01 strongswan charon: 13[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500] (484 bytes)
Apr 26 11:19:01 strongswan charon: 13[ENC] unknown attribute type (25)
Apr 26 11:19:01 strongswan charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Apr 26 11:19:01 strongswan charon: 13[IKE] initiating EAP_IDENTITY method (id 0x00)
Apr 26 11:19:01 strongswan charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 26 11:19:01 strongswan charon: 13[IKE] peer supports MOBIKE
Apr 26 11:19:01 strongswan charon: 13[IKE] authentication of 'strongswan' (myself) with RSA signature successful
Apr 26 11:19:01 strongswan charon: 13[IKE] sending end entity cert "C=US, O=VPN Server, CN=strongswan"
Apr 26 11:19:01 strongswan charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Apr 26 11:19:01 strongswan charon: 13[ENC] splitting IKE message with length of 2004 bytes into 2 fragments
Apr 26 11:19:01 strongswan charon: 13[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Apr 26 11:19:01 strongswan charon: 13[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Apr 26 11:19:01 strongswan charon: 13[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (1248 bytes)
Apr 26 11:19:01 strongswan charon: 13[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (824 bytes)
Apr 26 11:19:01 strongswan charon: 06[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500] (68 bytes)
Apr 26 11:19:01 strongswan charon: 06[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Apr 26 11:19:01 strongswan charon: 06[IKE] received EAP identity 'admin'
Apr 26 11:19:01 strongswan charon: 06[IKE] initiating EAP_MSCHAPV2 method (id 0x57)
Apr 26 11:19:01 strongswan charon: 06[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Apr 26 11:19:01 strongswan charon: 06[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (100 bytes)
Apr 26 11:19:01 strongswan charon: 07[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500] (124 bytes)
Apr 26 11:19:01 strongswan charon: 07[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Apr 26 11:19:01 strongswan charon: 07[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Apr 26 11:19:01 strongswan charon: 07[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (132 bytes)
Apr 26 11:19:01 strongswan charon: 08[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500] (68 bytes)
Apr 26 11:19:01 strongswan charon: 08[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Apr 26 11:19:01 strongswan charon: 08[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Apr 26 11:19:01 strongswan charon: 08[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Apr 26 11:19:01 strongswan charon: 08[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (68 bytes)
Apr 26 11:19:01 strongswan charon: 09[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500] (84 bytes)
Apr 26 11:19:01 strongswan charon: 09[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Apr 26 11:19:01 strongswan charon: 09[IKE] authentication of '192.168.178.42' with EAP successful
Apr 26 11:19:01 strongswan charon: 09[IKE] authentication of 'strongswan' (myself) with EAP
Apr 26 11:19:01 strongswan charon: 09[IKE] IKE_SA ikev2-vpn[6] established between 192.168.178.83[strongswan]...192.168.178.42[192.168.178.42]
Apr 26 11:19:01 strongswan charon: 09[IKE] peer requested virtual IP %any
Apr 26 11:19:01 strongswan charon: 09[IKE] assigning virtual IP 10.10.10.1 to peer 'admin'
Apr 26 11:19:01 strongswan charon: 09[IKE] peer requested virtual IP %any6
Apr 26 11:19:01 strongswan charon: 09[IKE] no virtual IP found for %any6 requested by 'admin'
Apr 26 11:19:01 strongswan charon: 09[IKE] CHILD_SA ikev2-vpn{3} established with SPIs cf64b56a_i 0554cc0e_o and TS 0.0.0.0/0 === 10.10.10.1/32
Apr 26 11:19:01 strongswan charon: 09[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Apr 26 11:19:01 strongswan charon: 09[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (260 bytes)

Login with auth by cert:

Apr 26 11:22:56 strongswan charon: 09[NET] received packet: from 192.168.178.42[500] to 192.168.178.83[500] (604 bytes)
Apr 26 11:22:56 strongswan charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Apr 26 11:22:56 strongswan charon: 09[CFG] looking for an ike config for 192.168.178.83...192.168.178.42
Apr 26 11:22:56 strongswan charon: 09[CFG]   candidate: %any...%any, prio 28
Apr 26 11:22:56 strongswan charon: 09[CFG] found matching ike config: %any...%any with prio 28
Apr 26 11:22:56 strongswan charon: 09[IKE] 192.168.178.42 is initiating an IKE_SA
Apr 26 11:22:56 strongswan charon: 09[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Apr 26 11:22:56 strongswan charon: 09[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 09[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Apr 26 11:22:56 strongswan charon: 09[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 09[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Apr 26 11:22:56 strongswan charon: 09[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 09[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Apr 26 11:22:56 strongswan charon: 09[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:56 strongswan charon: 09[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:56 strongswan charon: 09[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:56 strongswan charon: 09[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:56 strongswan charon: 09[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:56 strongswan charon: 09[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:56 strongswan charon: 09[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 09[CFG]   proposal matches
Apr 26 11:22:56 strongswan charon: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 26 11:22:56 strongswan charon: 09[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 26 11:22:56 strongswan charon: 09[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 26 11:22:56 strongswan charon: 09[IKE] faking NAT situation to enforce UDP encapsulation
Apr 26 11:22:56 strongswan charon: 09[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
Apr 26 11:22:56 strongswan charon: 09[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Apr 26 11:22:56 strongswan charon: 09[NET] sending packet: from 192.168.178.83[500] to 192.168.178.42[500] (38 bytes)
Apr 26 11:22:56 strongswan charon: 09[MGR] checkin and destroy IKE_SA (unnamed)[1]
Apr 26 11:22:56 strongswan charon: 09[IKE] IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
Apr 26 11:22:56 strongswan charon: 09[MGR] checkin and destroy of IKE_SA successful
Apr 26 11:22:56 strongswan charon: 04[NET] sending packet: from 192.168.178.83[500] to 192.168.178.42[500]
Apr 26 11:22:56 strongswan charon: 03[NET] received packet: from 192.168.178.42[500] to 192.168.178.83[500]
Apr 26 11:22:56 strongswan charon: 03[NET] waiting for data on sockets
Apr 26 11:22:56 strongswan charon: 10[MGR] checkout IKEv2 SA by message with SPIs 46305c6dd06fc413_i 0000000000000000_r
Apr 26 11:22:56 strongswan charon: 10[MGR] created IKE_SA (unnamed)[2]
Apr 26 11:22:56 strongswan charon: 10[NET] received packet: from 192.168.178.42[500] to 192.168.178.83[500] (476 bytes)
Apr 26 11:22:56 strongswan charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Apr 26 11:22:56 strongswan charon: 10[CFG] looking for an ike config for 192.168.178.83...192.168.178.42
Apr 26 11:22:56 strongswan charon: 10[CFG]   candidate: %any...%any, prio 28
Apr 26 11:22:56 strongswan charon: 10[CFG] found matching ike config: %any...%any with prio 28
Apr 26 11:22:56 strongswan charon: 10[IKE] 192.168.178.42 is initiating an IKE_SA
Apr 26 11:22:56 strongswan charon: 10[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Apr 26 11:22:56 strongswan charon: 10[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 10[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Apr 26 11:22:56 strongswan charon: 10[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 10[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Apr 26 11:22:56 strongswan charon: 10[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 10[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Apr 26 11:22:56 strongswan charon: 10[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:56 strongswan charon: 10[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:56 strongswan charon: 10[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:56 strongswan charon: 10[CFG] selecting proposal:
Apr 26 11:22:57 strongswan charon: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:57 strongswan charon: 10[CFG] selecting proposal:
Apr 26 11:22:57 strongswan charon: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:57 strongswan charon: 10[CFG] selecting proposal:
Apr 26 11:22:57 strongswan charon: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:57 strongswan charon: 10[CFG] selecting proposal:
Apr 26 11:22:57 strongswan charon: 10[CFG]   proposal matches
Apr 26 11:22:57 strongswan charon: 10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 26 11:22:57 strongswan charon: 10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 26 11:22:57 strongswan charon: 10[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 26 11:22:57 strongswan charon: 10[IKE] faking NAT situation to enforce UDP encapsulation
Apr 26 11:22:57 strongswan charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Apr 26 11:22:57 strongswan charon: 10[NET] sending packet: from 192.168.178.83[500] to 192.168.178.42[500] (316 bytes)
Apr 26 11:22:57 strongswan charon: 04[NET] sending packet: from 192.168.178.83[500] to 192.168.178.42[500]
Apr 26 11:22:57 strongswan charon: 10[MGR] checkin IKE_SA (unnamed)[2]
Apr 26 11:22:57 strongswan charon: 10[MGR] checkin of IKE_SA successful
Apr 26 11:22:57 strongswan charon: 03[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500]
Apr 26 11:22:57 strongswan charon: 03[NET] waiting for data on sockets
Apr 26 11:22:57 strongswan charon: 11[MGR] checkout IKEv2 SA by message with SPIs 46305c6dd06fc413_i 3b484cfd473d268b_r
Apr 26 11:22:57 strongswan charon: 11[MGR] IKE_SA (unnamed)[2] successfully checked out
Apr 26 11:22:57 strongswan charon: 11[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500] (484 bytes)
Apr 26 11:22:57 strongswan charon: 11[ENC] unknown attribute type (25)
Apr 26 11:22:57 strongswan charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Apr 26 11:22:57 strongswan charon: 11[CFG] looking for peer configs matching 192.168.178.83[strongswan]...192.168.178.42[192.168.178.42]
Apr 26 11:22:57 strongswan charon: 11[CFG]   candidate "ikev2-vpn", match: 20/1/28 (me/other/ike)
Apr 26 11:22:57 strongswan charon: 11[CFG] selected peer config 'ikev2-vpn'
Apr 26 11:22:57 strongswan charon: 11[IKE] initiating EAP_IDENTITY method (id 0x00)
Apr 26 11:22:57 strongswan charon: 11[IKE] processing INTERNAL_IP4_ADDRESS attribute
Apr 26 11:22:57 strongswan charon: 11[IKE] processing INTERNAL_IP4_DHCP attribute
Apr 26 11:22:57 strongswan charon: 11[IKE] processing INTERNAL_IP4_DNS attribute
Apr 26 11:22:57 strongswan charon: 11[IKE] processing INTERNAL_IP4_NETMASK attribute
Apr 26 11:22:57 strongswan charon: 11[IKE] processing INTERNAL_IP6_ADDRESS attribute
Apr 26 11:22:57 strongswan charon: 11[IKE] processing INTERNAL_IP6_DHCP attribute
Apr 26 11:22:57 strongswan charon: 11[IKE] processing INTERNAL_IP6_DNS attribute
Apr 26 11:22:57 strongswan charon: 11[IKE] processing (25) attribute
Apr 26 11:22:57 strongswan charon: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 26 11:22:57 strongswan charon: 11[IKE] peer supports MOBIKE
Apr 26 11:22:57 strongswan charon: 11[IKE] authentication of 'strongswan' (myself) with RSA signature successful
Apr 26 11:22:57 strongswan charon: 11[IKE] sending end entity cert "C=US, O=VPN Server, CN=strongswan"
Apr 26 11:22:57 strongswan charon: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Apr 26 11:22:57 strongswan charon: 11[ENC] splitting IKE message with length of 2004 bytes into 2 fragments
Apr 26 11:22:57 strongswan charon: 11[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Apr 26 11:22:57 strongswan charon: 11[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Apr 26 11:22:57 strongswan charon: 11[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (1248 bytes)
Apr 26 11:22:57 strongswan charon: 04[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500]
Apr 26 11:22:57 strongswan charon: 11[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (824 bytes)
Apr 26 11:22:57 strongswan charon: 04[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500]
Apr 26 11:22:57 strongswan charon: 11[MGR] checkin IKE_SA ikev2-vpn[2]
Apr 26 11:22:57 strongswan charon: 11[MGR] checkin of IKE_SA successful
Apr 26 11:22:57 strongswan charon: 03[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500]
Apr 26 11:22:57 strongswan charon: 03[NET] waiting for data on sockets
Apr 26 11:22:57 strongswan charon: 12[MGR] checkout IKEv2 SA by message with SPIs 46305c6dd06fc413_i 3b484cfd473d268b_r
Apr 26 11:22:57 strongswan charon: 12[MGR] IKE_SA ikev2-vpn[2] successfully checked out
Apr 26 11:22:57 strongswan charon: 12[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500] (84 bytes)
Apr 26 11:22:57 strongswan charon: 12[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Apr 26 11:22:57 strongswan charon: 12[IKE] received EAP identity '192.168.178.42'
Apr 26 11:22:57 strongswan charon: 12[IKE] initiating EAP_MSCHAPV2 method (id 0xF8)
Apr 26 11:22:57 strongswan charon: 12[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Apr 26 11:22:57 strongswan charon: 12[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (100 bytes)
Apr 26 11:22:57 strongswan charon: 12[MGR] checkin IKE_SA ikev2-vpn[2]
Apr 26 11:22:57 strongswan charon: 12[MGR] checkin of IKE_SA successful
Apr 26 11:22:57 strongswan charon: 04[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500]
Apr 26 11:22:57 strongswan charon: 03[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500]
Apr 26 11:22:57 strongswan charon: 03[NET] waiting for data on sockets
Apr 26 11:22:57 strongswan charon: 13[MGR] checkout IKEv2 SA by message with SPIs 46305c6dd06fc413_i 3b484cfd473d268b_r
Apr 26 11:22:57 strongswan charon: 13[MGR] IKE_SA ikev2-vpn[2] successfully checked out
Apr 26 11:22:57 strongswan charon: 13[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500] (68 bytes)
Apr 26 11:22:57 strongswan charon: 13[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
Apr 26 11:22:57 strongswan charon: 13[IKE] received EAP_NAK, sending EAP_FAILURE
Apr 26 11:22:57 strongswan charon: 13[ENC] generating IKE_AUTH response 3 [ EAP/FAIL ]
Apr 26 11:22:57 strongswan charon: 13[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (68 bytes)
Apr 26 11:22:57 strongswan charon: 13[MGR] checkin and destroy IKE_SA ikev2-vpn[2]
Apr 26 11:22:57 strongswan charon: 13[IKE] IKE_SA ikev2-vpn[2] state change: CONNECTING => DESTROYING
Apr 26 11:22:57 strongswan charon: 13[MGR] checkin and destroy of IKE_SA successful
Apr 26 11:22:57 strongswan charon: 04[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500]

Please help me! :/

edit: when I change rightauth to pubkey I cannot connect (the client is a Mac with IKEv2 VPN settings and a user certificate for auth):

Apr 26 13:07:59 strongswan charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Apr 26 13:07:59 strongswan charon: 08[NET] sending packet: from 192.168.178.83[500] to 192.168.178.42[500] (316 bytes)
Apr 26 13:07:59 strongswan charon: 09[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500] (484 bytes)
Apr 26 13:07:59 strongswan charon: 09[ENC] unknown attribute type (25)
Apr 26 13:07:59 strongswan charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Apr 26 13:07:59 strongswan charon: 09[IKE] peer requested EAP, config inacceptable
Apr 26 13:07:59 strongswan charon: 09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 26 13:07:59 strongswan charon: 09[IKE] peer supports MOBIKE
Apr 26 13:07:59 strongswan charon: 09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 26 13:07:59 strongswan charon: 09[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (68 bytes)
Apr 26 13:08:26 strongswan charon: 05[NET] received packet: from 192.168.178.42[500] to 192.168.178.83[500] (604 bytes)
Apr 26 13:08:26 strongswan charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Apr 26 13:08:26 strongswan charon: 05[IKE] 192.168.178.42 is initiating an IKE_SA
Apr 26 13:08:26 strongswan charon: 05[IKE] faking NAT situation to enforce UDP encapsulation
Apr 26 13:08:26 strongswan charon: 05[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
Apr 26 13:08:26 strongswan charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Apr 26 13:08:26 strongswan charon: 05[NET] sending packet: from 192.168.178.83[500] to 192.168.178.42[500] (38 bytes)
Apr 26 13:08:26 strongswan charon: 06[NET] received packet: from 192.168.178.42[500] to 192.168.178.83[500] (476 bytes)
Apr 26 13:08:26 strongswan charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Apr 26 13:08:26 strongswan charon: 06[IKE] 192.168.178.42 is initiating an IKE_SA
Apr 26 13:08:26 strongswan charon: 06[IKE] faking NAT situation to enforce UDP encapsulation
Apr 26 13:08:26 strongswan charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Apr 26 13:08:26 strongswan charon: 06[NET] sending packet: from 192.168.178.83[500] to 192.168.178.42[500] (316 bytes)
Apr 26 13:08:26 strongswan charon: 07[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500] (484 bytes)
Apr 26 13:08:26 strongswan charon: 07[ENC] unknown attribute type (25)
Apr 26 13:08:26 strongswan charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Apr 26 13:08:26 strongswan charon: 07[IKE] peer requested EAP, config inacceptable
Apr 26 13:08:26 strongswan charon: 07[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 26 13:08:26 strongswan charon: 07[IKE] peer supports MOBIKE
Apr 26 13:08:26 strongswan charon: 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 26 13:08:26 strongswan charon: 07[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (68 bytes)
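The three log excerpts in the question end in three different ways, and each failure mode has one distinctive charon message. The following POSIX sh triage script is an added example, not part of the post, that keys on exactly those messages; the sample files it creates are condensed copies of the question's own log lines (constructed for the example, not new captures), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: classify a charon log
# excerpt by the authentication outcome it shows, using the exact
# messages that appear in the question's three logs.
set -eu

# ike_auth_outcome FILE -> prints one token:
#   eap_vs_pubkey        client asked for EAP while the conn has
#                        rightauth=pubkey ("peer requested EAP, config inacceptable")
#   eap_method_rejected  client answered the offered EAP method with EAP_NAK,
#                        which is what a certificate client does when the
#                        server starts EAP-MSCHAPv2
#   established          the IKE_SA came up
#   unknown              none of the signatures found
ike_auth_outcome() {
    if grep -q 'peer requested EAP, config inacceptable' "$1"; then
        echo eap_vs_pubkey
    elif grep -q 'received EAP_NAK, sending EAP_FAILURE' "$1"; then
        echo eap_method_rejected
    elif grep -q 'IKE_SA .* established between' "$1"; then
        echo established
    else
        echo unknown
    fi
}

# dh_downgraded FILE -> exit status 0 if the server rejected the client's
# stronger DH group and forced MODP_1024, as both of the question's logs show.
dh_downgraded() {
    grep -q 'DH group MODP_2048 inacceptable, requesting MODP_1024' "$1"
}

# Constructed samples: condensed copies of lines from the question's logs.
SAMPLE_OK=$(mktemp); SAMPLE_NAK=$(mktemp); SAMPLE_PUBKEY=$(mktemp)
trap 'rm -f "$SAMPLE_OK" "$SAMPLE_NAK" "$SAMPLE_PUBKEY"' EXIT

cat > "$SAMPLE_OK" <<'EOF'
Apr 26 11:19:01 strongswan charon: 14[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
Apr 26 11:19:01 strongswan charon: 06[IKE] received EAP identity 'admin'
Apr 26 11:19:01 strongswan charon: 08[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Apr 26 11:19:01 strongswan charon: 09[IKE] IKE_SA ikev2-vpn[6] established between 192.168.178.83[strongswan]...192.168.178.42[192.168.178.42]
EOF

cat > "$SAMPLE_NAK" <<'EOF'
Apr 26 11:22:56 strongswan charon: 09[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
Apr 26 11:22:57 strongswan charon: 12[IKE] received EAP identity '192.168.178.42'
Apr 26 11:22:57 strongswan charon: 12[IKE] initiating EAP_MSCHAPV2 method (id 0xF8)
Apr 26 11:22:57 strongswan charon: 13[IKE] received EAP_NAK, sending EAP_FAILURE
EOF

cat > "$SAMPLE_PUBKEY" <<'EOF'
Apr 26 13:07:59 strongswan charon: 09[IKE] peer requested EAP, config inacceptable
Apr 26 13:07:59 strongswan charon: 09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
EOF

# Stand-alone run: one line per sample.
for f in "$SAMPLE_OK" "$SAMPLE_NAK" "$SAMPLE_PUBKEY"; do
    printf '%s: %s' "$f" "$(ike_auth_outcome "$f")"
    if dh_downgraded "$f"; then printf ' (DH group downgraded to MODP_1024)'; fi
    printf '\n'
done
```

The EAP_NAK case is the one from the certificate attempt: the server still offers EAP-MSCHAPv2 because the conn says rightauth=eap-mschapv2, and the client refuses it. The DH downgrade check is a side finding from the same logs: the client's first proposal is MODP_2048 with AES-256 and SHA-256, and the server's ike= line forces it down to MODP_1024 and, in the end, 3DES.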
  • If you want to use a different authentication method, change your config accordingly (i.e. set _rightauth_ to _pubkey_ or _eap-tls_ depending on how you configured the client). – ecdsa Apr 26 '18 at 10:41
  • I have changed rightauth to pubkey but cannot connect; I appended my question with the log for this. – Hannes Peter Apr 26 '18 at 11:13
  • The log tells you: the client wants to do EAP authentication, while you now configured pubkey authentication. If you configured certificates on the client it might expect the server to initiate EAP-TLS (but macOS should also be able to use simple certificate authentication, but you have to configure it accordingly). So either change the server or client config so they match. – ecdsa Apr 26 '18 at 18:28
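One way to let both kinds of client in, so that the server's conn matches whatever authentication the client requests, is to split the single conn into one for EAP-MSCHAPv2 and one for certificate (pubkey) auth. The ipsec.conf below is an added example built from the question's configuration and logs; it is not the poster's file and not a strongSwan-provided one. It assumes two things the post does not show: that server-root-ca.pem has been copied to /etc/ipsec.d/cacerts/ (the post never installs the CA on the server, and charon needs it there to verify John's certificate), and an ESP proposal, since the client's ESP offer is not in the logs. The ike= line is taken from the first proposal the Mac sent in IKE_SA_INIT.

```ini
# Added example: server-side ipsec.conf, not the poster's file.
# Assumes server-root-ca.pem was copied to /etc/ipsec.d/cacerts/ so
# charon can verify certificates issued by "VPN Server Root CA".
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

# Settings shared by both conns below.
conn %default
    auto=add
    keyexchange=ikev2
    type=tunnel
    fragmentation=yes
    forceencaps=yes
    # Original (weak) line from the question, for comparison:
    #   ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    # The client offered AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    # first, so accept that instead of forcing MODP_1024 and ending up on 3DES.
    ike=aes256-sha256-modp2048!
    # ESP proposal is an assumption; the client's ESP offer is not in the logs.
    esp=aes256-sha256,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@strongswan
    leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4

# Username/password clients (the 'admin' login in the first log).
conn ikev2-eap
    rightauth=eap-mschapv2
    rightid=%any
    rightsendcert=never
    eap_identity=%identity

# Certificate clients such as John.p12. Only the CA certificate is needed
# on the server; JohnKey.pem belongs on the client, not in /etc/ipsec.d/private.
conn ikev2-cert
    rightauth=pubkey
    # Accept only certificates issued by our own CA; the DN is the --dn
    # used to create server-root-ca.pem in the question.
    rightca="C=DE, O=VPN Server, CN=VPN Server Root CA"
    # %any accepts whatever identity the certificate carries; a value such
    # as john@example.org (one of the cert's SANs) would pin this conn to one user.
    rightid=%any
    # No rightsendcert=never here: with the default (ifasked) charon sends a
    # certificate request, so the client includes its certificate in IKE_AUTH.
```

With both conns loaded, charon first picks the conn that matches the IDs and, when the requested authentication class does not fit, moves on to the other candidate, so an EAP client lands in ikev2-eap and a certificate client in ikev2-cert. The client side still has to be set to plain certificate authentication rather than EAP-TLS, as the last comment says; the server cannot paper over that mismatch. Two things from the question worth checking on the server regardless: the client's private key (JohnKey.pem) should not be copied there at all, and ipsec.secrets only needs the server's RSA key plus the EAP line.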

0 Answers