[strongSwan] Strongswan IKEv2 certificates - "user authentication failed" ????

Sat, 24 Apr 2021 20:33:50 -0700

I am trying to set up Strongswan to act as a remote access server for an iPhone using IKEv2 certificate auth. It is a major headache!
I have made sure to set the SAN in both the server and phone certificate. Here is the the server SAN: 

/        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:echo.pLAN9.co
            X509v3 Extended Key Usage:

                TLS Web Server Authentication, TLS Web Client 
Authentication/


Here is the phone SAN:

/        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:pLAN9-iPhone.pLAN9.co
            X509v3 Extended Key Usage:

                TLS Web Server Authentication, TLS Web Client 
Authentication/


Here is /etc/swanctl/swanctl.conf

/connections {
        RA {
                local_addrs = %any
                local {
                        auth = pubkey
                        certs = ECHO.crt
                        id = @echo.pLAN9.co
                }
                remote {
                        auth = pubkey
                        id = %any
                }
                children {
                        net {
                                local_ts = 0.0.0.0/0
                        esp_proposals = aes256-sha256
                        }
                }
                version = 2
                proposals = aes256-sha256-modp2048
                send_certreq = no
                pools = pool
        }
}
pools {
                pool {
                        addrs = 172.16.16.64/29
                        dns = 172.16.16.1
                }
        }/


Here is the output of a connection:



/01[NET] received packet: from IPHONE_IP[9975] to STRONGSWAN_IP[500] 
(604 bytes)//
//01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) 
N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]//

//01[IKE] IPHONE_IP is initiating an IKE_SA//

//01[CFG] selected proposal: 
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048//

//01[IKE] remote host is behind NAT//

//01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) 
N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]//
//01[NET] sending packet: from STRONGSWAN_IP[500] to IPHONE_IP[9975] 
(456 bytes)//
//10[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] 
(532 bytes)//

//10[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]//

//13[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] 
(532 bytes)//

//10[ENC] received fragment #1 of 4, waiting for complete IKE message//
//13[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]//
//13[ENC] received fragment #2 of 4, waiting for complete IKE message//

//14[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] 
(532 bytes)//

//14[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]//

//01[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] 
(180 bytes)//

//14[ENC] received fragment #3 of 4, waiting for complete IKE message//
//01[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]//

//01[ENC] received fragment #4 of 4, reassembled fragmented IKE message 
(1552 bytes)//

//01[ENC] unknown attribute type INTERNAL_DNS_DOMAIN//

//01[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH 
CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) 
N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]//

//01[IKE] received end entity cert "CN=pLAN9-iPhone"//

//01[CFG] looking for peer configs matching 
STRONGSWAN_IP[echo.plan9.co]...IPHONE_IP[pLAn9-iPhone.pLAN9.co]//

//01[CFG] selected peer config 'RA'//
//01[CFG]   using certificate "CN=pLAN9-iPhone"//
//01[CFG]   using trusted ca certificate "CN=pLAN9 CA 2019-2021"//
//01[CFG] checking certificate status of "CN=pLAN9-iPhone"//
//01[CFG] certificate status is not available//
//01[CFG]   reached self-signed root ca with a path length of 0//

//01[IKE] authentication of 'pLAn9-iPhone.pLAN9.co' with RSA signature 
successful//
//01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC 
padding//

//01[IKE] peer supports MOBIKE//

//01[IKE] authentication of 'echo.plan9.co' (myself) with RSA signature 
successful//
//01[IKE] IKE_SA RA[2] established between 
STRONGSWAN_IP[echo.plan9.co]...IPHONE_IP[pLAn9-iPhone.pLAN9.co]//

//01[IKE] scheduling rekeying in 13941s//
//01[IKE] maximum IKE_SA lifetime 15381s//
//01[IKE] peer requested virtual IP %any//
//01[CFG] assigning new lease to 'pLAn9-iPhone.pLAN9.co'//

//01[IKE] assigning virtual IP 172.16.16.65 to peer 
'pLAn9-iPhone.pLAN9.co'//

//01[IKE] peer requested virtual IP %any6//

//01[IKE] no virtual IP found for %any6 requested by 
'pLAn9-iPhone.pLAN9.co'//

//01[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ//

//01[IKE] CHILD_SA net{4} established with SPIs cc4e7aea_i 0358690a_o 
and TS 0.0.0.0/0 === 172.16.16.65/32//
//01[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR DNS) SA 
TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]//
//01[NET] sending packet: from STRONGSWAN_IP[4500] to IPHONE_IP[9959] 
(544 bytes)/


/
/


Strongswan looks like it is connecting fine, but the phone reports the 
error "User Authentication Failed" and doesn't connect. The phone is 
using the same certificate to connect to a number of other routers (not 
Strongswan based) that all have certificates signed by the same CA, and 
those are all working fine.



What am I doing wrong here?























					Reply via email to