3

I can't get Strongswan to run on my Debian machine. I've already done a tutorial to get it to run on a Ubuntu machine but it seems impossible to me to get it to run on my Debian machine. I actually did everything like in the tutorial, except the part with the firewall at the bottom, because I don't have it on my server.

When I try to connect to my server, I get an error message that the user data is wrong. I have already created and installed three different certificates, tried different users but always get the message with the wrong user information. What am I doing wrong?

MYIPADDRESS = My Debian Server IP
Every cert file I created I appended "-vpn2" to the name.

ipsec statusall:

Status of IKE charon daemon (strongSwan 5.5.1, Linux 3.10.0-957.1.3.el7.x86_64, x86_64):
  uptime: 42 seconds, since Sep 23 03:30:26 2019
  malloc: sbrk 2699264, mmap 0, used 455168, free 2244096
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/0/0
Listening IP addresses:
  MYIPADDRESS
Connections:
   ikev2-vpn:  %any...%any  IKEv2, dpddelay=300s
   ikev2-vpn:   local:  [MYIPADDRESS] uses public key authentication
   ikev2-vpn:    cert:  "CN=MYIPADDRESS"
   ikev2-vpn:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
   ikev2-vpn:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
  none

ipsec.secrets:

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

# this file is managed with debconf and will contain the automatically created $
#include /var/lib/strongswan/ipsec.secrets.inc
: RSA "server-key-vpn2.pem"
user1 : EAP "hallo1234"
user2 : EAP "hallo1234"

ipsec.conf:

config setup
    charondebug="ike 1, knl 1, cfg 2"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=MYIPADDRESS
    leftcert=server-cert-vpn2.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity

Exportet Cert:

 cat /etc/ipsec.d/cacerts/ca-cert-vpn2.pem 

Log from strongswan android app (user2 ; hallo1234):

Sep 23 09:43:37 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Sep 23 09:43:37 00[DMN] Starting IKE service (strongSwan 5.8.0dr2, Android 9 - PKQ1.181121.001/2019-08-01, Mi 9T Pro - Xiaomi/raphael_eea/Xiaomi, Linux 4.14.83-perf-g7723fb1, aarch64)
Sep 23 09:43:37 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Sep 23 09:43:37 00[JOB] spawning 16 worker threads
Sep 23 09:43:37 07[IKE] initiating IKE_SA android[15] to MYIPADDRESS
Sep 23 09:43:37 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 23 09:43:37 07[NET] sending packet: from 10.105.74.60[44288] to MYIPADDRESS[500] (716 bytes)
Sep 23 09:43:37 10[NET] received packet: from MYIPADDRESS[500] to 10.105.74.60[44288] (38 bytes)
Sep 23 09:43:37 10[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sep 23 09:43:37 10[IKE] peer didn't accept DH group ECP_256, it requested MODP_3072
Sep 23 09:43:37 10[IKE] initiating IKE_SA android[15] to MYIPADDRESS
Sep 23 09:43:37 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 23 09:43:37 10[NET] sending packet: from 10.105.74.60[44288] to MYIPADDRESS[500] (1036 bytes)
Sep 23 09:43:38 12[NET] received packet: from MYIPADDRESS[500] to 10.105.74.60[44288] (592 bytes)
Sep 23 09:43:38 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sep 23 09:43:38 12[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Sep 23 09:43:38 12[IKE] local host is behind NAT, sending keep alives
Sep 23 09:43:38 12[IKE] remote host is behind NAT
Sep 23 09:43:38 12[IKE] sending cert request for "CN=VPN root CA"
Sep 23 09:43:38 12[IKE] establishing CHILD_SA android{15}
Sep 23 09:43:38 12[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 23 09:43:38 12[NET] sending packet: from 10.105.74.60[45106] to MYIPADDRESS[4500] (464 bytes)
Sep 23 09:43:38 08[NET] received packet: from MYIPADDRESS[4500] to 10.105.74.60[45106] (96 bytes)
Sep 23 09:43:38 08[ENC] parsed IKE_AUTH response 1 [ IDr EAP/FAIL ]
Sep 23 09:43:38 08[IKE] received EAP_FAILURE, EAP authentication failed
Sep 23 09:43:38 08[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Sep 23 09:43:38 08[NET] sending packet: from 10.105.74.60[45106] to MYIPADDRESS[4500] (80 bytes)

Edit:

I just tried this command:

ipsec up ikev2-vpn

unable to resolve %any, initiate aborted
tried to checkin and delete nonexisting IKE_SA
establishing connection 'ikev2-vpn' failed

car /var/log/syslog

Sep 23 04:17:42 Minecraft charon: 07[NET] received packet: from 195.37.108.234[38454] to MYIPADDRESS[500] (716 bytes)
Sep 23 04:17:42 Minecraft charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 23 04:17:42 Minecraft charon: 07[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 04:17:42 Minecraft charon: 07[IKE] remote host is behind NAT
Sep 23 04:17:42 Minecraft charon: 07[IKE] DH group ECP_256 inacceptable, requesting MODP_3072
Sep 23 04:17:42 Minecraft charon: 07[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sep 23 04:17:42 Minecraft charon: 07[NET] sending packet: from MYIPADDRESS[500] to 195.37.108.234[38454] (38 bytes)
Sep 23 04:17:42 Minecraft charon: 16[NET] received packet: from 195.37.108.234[38454] to MYIPADDRESS[500] (1036 bytes)
Sep 23 04:17:42 Minecraft charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 23 04:17:42 Minecraft charon: 16[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 04:17:42 Minecraft charon: 16[IKE] remote host is behind NAT
Sep 23 04:17:42 Minecraft charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sep 23 04:17:42 Minecraft charon: 16[NET] sending packet: from MYIPADDRESS[500] to 195.37.108.234[38454] (592 bytes)
Sep 23 04:17:42 Minecraft charon: 05[NET] received packet: from 195.37.108.234[41118] to MYIPADDRESS[4500] (464 bytes)
Sep 23 04:17:42 Minecraft charon: 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 23 04:17:42 Minecraft charon: 05[IKE] received cert request for "CN=VPN root CA"
Sep 23 04:17:42 Minecraft charon: 05[CFG] looking for peer configs matching MYIPADDRESS[%any]...195.37.108.234[user]
Sep 23 04:17:42 Minecraft charon: 05[CFG] selected peer config 'ikev2-vpn'
Sep 23 04:17:42 Minecraft charon: 05[IKE] EAP-Identity request configured, but not supported
Sep 23 04:17:42 Minecraft charon: 05[IKE] loading EAP_MSCHAPV2 method failed
Sep 23 04:17:42 Minecraft charon: 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 23 04:17:42 Minecraft charon: 05[IKE] peer supports MOBIKE
Sep 23 04:17:42 Minecraft charon: 05[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]
Sep 23 04:17:42 Minecraft charon: 05[NET] sending packet: from MYIPADDRESS[4500] to 195.37.108.234[41118] (96 bytes)

cat /var/log/auth.log

Sep 23 03:55:13 Minecraft ipsec_starter[25750]: Starting strongSwan 5.5.1 IPsec [starter]...
Sep 23 03:55:13 Minecraft ipsec_starter[25750]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
Sep 23 03:55:13 Minecraft ipsec_starter[25750]: no netkey IPsec stack detected
Sep 23 03:55:13 Minecraft ipsec_starter[25750]: no KLIPS IPsec stack detected
Sep 23 03:55:13 Minecraft ipsec_starter[25750]: no known IPsec stack detected, ignoring!
Sep 23 03:55:13 Minecraft ipsec_starter[25750]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
Sep 23 03:55:57 Minecraft charon: 04[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 03:55:59 Minecraft charon: 15[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 03:55:59 Minecraft charon: 06[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 03:57:10 Minecraft charon: 12[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 03:57:10 Minecraft charon: 11[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 03:57:15 Minecraft charon: 16[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 03:57:15 Minecraft charon: 05[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 03:57:20 Minecraft charon: 06[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 03:57:20 Minecraft charon: 10[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 03:57:26 Minecraft charon: 12[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 03:57:26 Minecraft charon: 11[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 04:17:42 Minecraft charon: 07[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 04:17:42 Minecraft charon: 16[IKE] 195.37.108.234 is initiating an IKE_SA

Edit: One line in the server log says:

Sep 23 04:17:42 Minecraft charon: 05[IKE] loading EAP_MSCHAPV2 method failed

I think this is the reason for this.. Anyone know how to fix this?


Edit: I changed the strongswan.conf and added this line:

load = aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown

and now I I see the EAP_MSCHAPV2 plugin loaded with ipsec statusall but when I tried to connect, I get this in my syslog:

Sep 23 05:03:44 Minecraft charon: 14[NET] received packet: from 195.37.108.234[46425] to MYIPADDRESS[500] (716 bytes)
Sep 23 05:03:44 Minecraft charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 23 05:03:44 Minecraft charon: 14[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 05:03:44 Minecraft charon: 14[IKE] remote host is behind NAT
Sep 23 05:03:44 Minecraft charon: 14[IKE] DH group ECP_256 inacceptable, requesting MODP_3072
Sep 23 05:03:44 Minecraft charon: 14[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sep 23 05:03:44 Minecraft charon: 14[NET] sending packet: from MYIPADDRESS[500] to 195.37.108.234[46425] (38 bytes)
Sep 23 05:03:44 Minecraft charon: 15[NET] received packet: from 195.37.108.234[46425] to MYIPADDRESS[500] (1036 bytes)
Sep 23 05:03:44 Minecraft charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 23 05:03:44 Minecraft charon: 15[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 05:03:44 Minecraft charon: 15[IKE] remote host is behind NAT
Sep 23 05:03:44 Minecraft charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sep 23 05:03:44 Minecraft charon: 15[NET] sending packet: from MYIPADDRESS[500] to 195.37.108.234[46425] (592 bytes)
Sep 23 05:03:44 Minecraft charon: 10[NET] received packet: from 195.37.108.234[39639] to MYIPADDRESS[4500] (464 bytes)
Sep 23 05:03:44 Minecraft charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 23 05:03:44 Minecraft charon: 10[IKE] received cert request for "CN=VPN root CA"
Sep 23 05:03:44 Minecraft charon: 10[CFG] looking for peer configs matching MYIPADDRESS[%any]...195.37.108.234[user1]
Sep 23 05:03:44 Minecraft charon: 10[CFG] selected peer config 'ikev2-vpn'
Sep 23 05:03:44 Minecraft charon: 10[IKE] initiating EAP_IDENTITY method (id 0x00)
Sep 23 05:03:44 Minecraft charon: 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 23 05:03:44 Minecraft charon: 10[IKE] peer supports MOBIKE
Sep 23 05:03:44 Minecraft charon: 10[IKE] authentication of 'MYIPADDRESS' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Sep 23 05:03:44 Minecraft charon: 10[IKE] sending end entity cert "CN=MYIPADDRESS"
Sep 23 05:03:44 Minecraft charon: 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sep 23 05:03:44 Minecraft charon: 10[ENC] splitting IKE message with length of 1920 bytes into 2 fragments
Sep 23 05:03:44 Minecraft charon: 10[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Sep 23 05:03:44 Minecraft charon: 10[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Sep 23 05:03:44 Minecraft charon: 10[NET] sending packet: from MYIPADDRESS[4500] to 195.37.108.234[39639] (1236 bytes)
Sep 23 05:03:44 Minecraft charon: 10[NET] sending packet: from MYIPADDRESS[4500] to 195.37.108.234[39639] (756 bytes)
Sep 23 05:03:44 Minecraft charon: 06[NET] received packet: from 195.37.108.234[39639] to MYIPADDRESS[4500] (80 bytes)
Sep 23 05:03:44 Minecraft charon: 06[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Sep 23 05:03:44 Minecraft charon: 06[IKE] received EAP identity 'user1'
Sep 23 05:03:44 Minecraft charon: 06[IKE] initiating EAP_MSCHAPV2 method (id 0xEC)
Sep 23 05:03:44 Minecraft charon: 06[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Sep 23 05:03:44 Minecraft charon: 06[NET] sending packet: from MYIPADDRESS[4500] to 195.37.108.234[39639] (112 bytes)
Sep 23 05:03:45 Minecraft charon: 04[NET] received packet: from 195.37.108.234[39639] to MYIPADDRESS[4500] (144 bytes)
Sep 23 05:03:45 Minecraft charon: 04[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Sep 23 05:03:45 Minecraft charon: 04[IKE] no EAP key found for hosts 'MYIPADDRESS' - 'user1'
Sep 23 05:03:45 Minecraft charon: 04[IKE] EAP-MS-CHAPv2 verification failed, retry (1)
Sep 23 05:03:47 Minecraft charon: 04[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Sep 23 05:03:47 Minecraft charon: 04[NET] sending packet: from MYIPADDRESS[4500] to 195.37.108.234[39639] (128 bytes)
Sep 23 05:03:47 Minecraft charon: 05[NET] received packet: from 195.37.108.234[39639] to MYIPADDRESS[4500] (144 bytes)
Sep 23 05:03:47 Minecraft charon: 05[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Sep 23 05:03:47 Minecraft charon: 05[IKE] received retransmit of request with ID 3, retransmitting response
Sep 23 05:03:47 Minecraft charon: 05[NET] sending packet: from MYIPADDRESS[4500] to 195.37.108.234[39639] (128 bytes)
Sep 23 05:03:47 Minecraft charon: 07[NET] received packet: from 195.37.108.234[39639] to MYIPADDRESS[4500] (80 bytes)
Sep 23 05:03:47 Minecraft charon: 07[ENC] parsed INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
Sep 23 05:03:47 Minecraft charon: 07[ENC] generating INFORMATIONAL response 4 [ N(AUTH_FAILED) ]
Sep 23 05:03:47 Minecraft charon: 07[NET] sending packet: from MYIPADDRESS[4500] to 195.37.108.234[39639] (80 bytes)

where the row

Sep 23 05:03:45 Minecraft charon: 04[IKE] no EAP key found for hosts 'MYIPADDRESS' - 'user1'

is strange because this is my secret file:

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

# this file is managed with debconf and will contain the automatically created $
#include /var/lib/strongswan/ipsec.secrets.inc
: RSA "server-key-vpn2.pem"
user1: EAP "1234"
user2 : EAP "hallo1234"

And yes, after each change of one of the config files, I do sudo systemctl restart strongswan and ipsec restart.

New android log:

Sep 23 11:07:57 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Sep 23 11:07:57 00[DMN] Starting IKE service (strongSwan 5.8.0dr2, Android 9 - PKQ1.181121.001/2019-08-01, Mi 9T Pro - Xiaomi/raphael_eea/Xiaomi, Linux 4.14.83-perf-g7723fb1, aarch64)
Sep 23 11:07:57 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Sep 23 11:07:57 00[JOB] spawning 16 worker threads
Sep 23 11:07:57 11[IKE] initiating IKE_SA android[29] to MYIPADDRESS
Sep 23 11:07:57 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 23 11:07:57 11[NET] sending packet: from 10.105.74.60[49105] to MYIPADDRESS[500] (716 bytes)
Sep 23 11:07:57 12[NET] received packet: from MYIPADDRESS[500] to 10.105.74.60[49105] (38 bytes)
Sep 23 11:07:57 12[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sep 23 11:07:57 12[IKE] peer didn't accept DH group ECP_256, it requested MODP_3072
Sep 23 11:07:57 12[IKE] initiating IKE_SA android[29] to MYIPADDRESS
Sep 23 11:07:57 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 23 11:07:57 12[NET] sending packet: from 10.105.74.60[49105] to MYIPADDRESS[500] (1036 bytes)
Sep 23 11:07:57 07[NET] received packet: from MYIPADDRESS[500] to 10.105.74.60[49105] (592 bytes)
Sep 23 11:07:57 07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sep 23 11:07:57 07[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Sep 23 11:07:57 07[IKE] local host is behind NAT, sending keep alives
Sep 23 11:07:57 07[IKE] remote host is behind NAT
Sep 23 11:07:57 07[IKE] sending cert request for "CN=VPN root CA"
Sep 23 11:07:57 07[IKE] establishing CHILD_SA android{29}
Sep 23 11:07:57 07[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 23 11:07:57 07[NET] sending packet: from 10.105.74.60[49611] to MYIPADDRESS[4500] (464 bytes)
Sep 23 11:07:58 14[NET] received packet: from MYIPADDRESS[4500] to 10.105.74.60[49611] (1236 bytes)
Sep 23 11:07:58 14[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Sep 23 11:07:58 14[ENC] received fragment #1 of 2, waiting for complete IKE message
Sep 23 11:07:58 15[NET] received packet: from MYIPADDRESS[4500] to 10.105.74.60[49611] (756 bytes)
Sep 23 11:07:58 15[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Sep 23 11:07:58 15[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1920 bytes)
Sep 23 11:07:58 15[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sep 23 11:07:58 15[IKE] received end entity cert "CN=MYIPADDRESS"
Sep 23 11:07:58 15[CFG]   using certificate "CN=MYIPADDRESS"
Sep 23 11:07:58 15[CFG]   using trusted ca certificate "CN=VPN root CA"
Sep 23 11:07:58 15[CFG] checking certificate status of "CN=MYIPADDRESS"
Sep 23 11:07:58 15[CFG] certificate status is not available
Sep 23 11:07:58 15[CFG]   reached self-signed root ca with a path length of 0
Sep 23 11:07:58 15[IKE] authentication of 'MYIPADDRESS' with RSA_EMSA_PKCS1_SHA2_384 successful
Sep 23 11:07:58 15[IKE] server requested EAP_IDENTITY (id 0x00), sending 'user1'
Sep 23 11:07:58 15[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Sep 23 11:07:58 15[NET] sending packet: from 10.105.74.60[49611] to MYIPADDRESS[4500] (80 bytes)
Sep 23 11:07:58 11[NET] received packet: from MYIPADDRESS[4500] to 10.105.74.60[49611] (112 bytes)
Sep 23 11:07:58 11[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Sep 23 11:07:58 11[IKE] server requested EAP_MSCHAPV2 authentication (id 0x3C)
Sep 23 11:07:58 11[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Sep 23 11:07:58 11[NET] sending packet: from 10.105.74.60[49611] to MYIPADDRESS[4500] (144 bytes)
Sep 23 11:08:00 13[IKE] retransmit 1 of request with message ID 3
Sep 23 11:08:00 13[NET] sending packet: from 10.105.74.60[49611] to MYIPADDRESS[4500] (144 bytes)
Sep 23 11:08:00 07[NET] received packet: from MYIPADDRESS[4500] to 10.105.74.60[49611] (128 bytes)
Sep 23 11:08:00 07[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Sep 23 11:08:00 07[IKE] EAP-MS-CHAPv2 failed with error ERROR_AUTHENTICATION_FAILURE: '(null)'
Sep 23 11:08:00 07[IKE] EAP_MSCHAPV2 method failed
Sep 23 11:08:00 07[ENC] generating INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
Sep 23 11:08:00 07[NET] sending packet: from 10.105.74.60[49611] to MYIPADDRESS[4500] (80 bytes)

1 Answers1

8

I hate me. In my secret file I needed a space after my username: From this:

user1: EAP "1234"

to this:

user1 : EAP "1234"

Now it works.

  • 2
    Oh my goodness, that was my problem too. If the space is that important, StrongSwan should at least output an error message that the conf file is not formatted properly. – jlyonsmith Oct 30 '19 at 22:17