Hello
I have an existing IKEv1 ‘roaming warriors’ setup that uses a shared PSK and PAM
auth via a custom PAM module.
Now I want to add IKEv2 alongside it, but using user/pass auth via the same PAM
module. The IKEv2 method is using a publicly signed wildcard TLS certificate (*.example.com).
The idea behind it is that I need a few new VPN servers using the same domain.
conn xxxx
left=172.30.254.151
leftsubnet=0.0.0.0/0
leftcert=tls
leftid=@*.example.com
leftsendcert=always
#leftrsasigkey=%cert
#leftmodecfgserver=yes
#leftxauthserver=yes
# Clients
right=%any
rightaddresspool=172.30.254.1-172.30.255.254
rightca=%same
rightid=%fromcert
rightrsasigkey=%cert
#rightxauthclient=no
#rightmodecfgclient=yes
modecfgdns=8.8.8.8,4.4.4.4
modecfgpull=yes
narrowing=yes
# recommended dpd/liveness to cleanup vanished clients
dpddelay=30
dpdtimeout=120
dpdaction=clear
auto=add
ikev2=insist
rekey=no
#mobike=yes
fragmentation=yes
# optional PAM username verification (eg to implement bandwidth quota
pam-authorize=yes
When I connect I get the following error:
Jan 21 09:28:01.068865: | processing payload: ISAKMP_NEXT_v2N (len=0)
Jan 21 09:28:01.068890: | looking for transition from PARENT_R1 matching
IKE_AUTH request:
SK{IDi,N(INITIAL_CONTACT),IDr,CP,N(ESP_TFC_PADDING_NOT_SUPPORTED),N(NON_FIRST_FRAGMENTS_ALSO),SA,TSi,TSr,N(MOBIKE_SUPPORTED)}
Jan 21 09:28:01.068905: | trying: Responder: process IKE_INTERMEDIATE request
Jan 21 09:28:01.068909: | exchange type does not match IKE_INTERMEDIATE
Jan 21 09:28:01.068914: | trying: Responder: process IKE_AUTH request
Jan 21 09:28:01.068918: | secured payloads do not match
Jan 21 09:28:01.068923: | trying: Responder: process IKE_AUTH request,
initiate EAP
Jan 21 09:28:01.068927: | secured message matched
Jan 21 09:28:01.068931: | selected state microcode Responder: process IKE_AUTH
request, initiate EAP
Jan 21 09:28:01.068940: | #1.st_v2_transition PARENT_R0->PARENT_R1 ->
PARENT_R1->PARENT_R_EAP (v2_dispatch() +2311 /programs/pluto/ikev2.c)
Jan 21 09:28:01.068954: | Message ID: IKE #1 responder starting message request
1 (initiator: .sent=-1 .recv=-1 .recv_frags=0 .wip=-1 .last_sent=559662.421947
.last_recv=559662.421947 responder: .sent=0 .recv=0 .recv_frags=0 .wip=1
.last_sent=559662.425345 .last_recv=559662.425339)
Jan 21 09:28:01.068961: | calling processor Responder: process IKE_AUTH
request, initiate EAP
Jan 21 09:28:01.068975: "URL.example"[1] 213.16.62.185 #1: processing decrypted
IKE_AUTH request:
SK{IDi,N(INITIAL_CONTACT),IDr,CP,N(ESP_TFC_PADDING_NOT_SUPPORTED),N(NON_FIRST_FRAGMENTS_ALSO),SA,TSi,TSr,N(MOBIKE_SUPPORTED)}
Jan 21 09:28:01.068986: "URL.example.com"[1] 213.16.62.185 #1: Peer attempted
EAP authentication, but IKE_AUTH is required
Jan 21 09:28:01.068991: | pstats #1 ikev2.ike failed auth-failed
Jan 21 09:28:01.068999: | opening output PBS v2N response
Jan 21 09:28:01.069004: | **emit ISAKMP Message:
Jan 21 09:28:01.069012: | initiator SPI: be a7 d4 67 1d e8 cf bb
Jan 21 09:28:01.069019: | responder SPI: 68 30 0e 1f 85 4c 1b 96
Jan 21 09:28:01.069024: | next payload type: ISAKMP_NEXT_NONE (0x0)
Jan 21 09:28:01.069029: | ISAKMP version: IKEv2 version 2.0
(rfc4306/rfc5996) (0x20)
Jan 21 09:28:01.069034: | exchange type: ISAKMP_v2_IKE_AUTH (0x23)
Jan 21 09:28:01.069039: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
Jan 21 09:28:01.069046: | Message ID: 1 (00 00 00 01)
Jan 21 09:28:01.069052: | next payload chain: saving message location 'ISAKMP
Message'.'next payload type'
Jan 21 09:28:01.069059: | ***emit IKEv2 Encryption Payload:
Jan 21 09:28:01.069065: | next payload type: ISAKMP_NEXT_v2NONE (0x0)
Jan 21 09:28:01.069069: | flags: none (0x0)
Jan 21 09:28:01.069074: | next payload chain: setting previous 'ISAKMP
Message'.'next payload type' to current IKEv2 Encryption Payload
(46:ISAKMP_NEXT_v2SK)
Jan 21 09:28:01.069078: | next payload chain: saving location 'IKEv2 Encryption
Payload'.'next payload type' in 'v2N response'
Jan 21 09:28:01.069085: | emitting 8 zero bytes of IV into IKEv2 Encryption
Payload
Jan 21 09:28:01.069104: "URL.example.com"[1] 213.16.62.185 #1: responding to
IKE_AUTH message (ID 1) from 213.16.62.185:500 with encrypted notification
AUTHENTICATION_FAILED
Jan 21 09:28:01.069112: | adding a v2N Payload
Jan 21 09:28:01.069120: | ****emit IKEv2 Notify Payload:
Jan 21 09:28:01.069124: | next payload type: ISAKMP_NEXT_v2NONE (0x0)
Jan 21 09:28:01.069128: | flags: none (0x0)
Jan 21 09:28:01.069132: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0)
Jan 21 09:28:01.069138: | SPI size: 0 (00)
Jan 21 09:28:01.069143: | Notify Message Type: v2N_AUTHENTICATION_FAILED
(0x18)
I don’t even see an attempt for my username to be authenticated. The client I
use is macOS 15, using the ‘IKEv2’ type.
For reference, this is my existing IKEv1 config that works pretty solidly:
left=172.30.254.151
leftsubnet=0.0.0.0/0
type=tunnel
authby=secret
right=%any
rightaddresspool=172.30.254.1-172.30.255.254
rightmodecfgclient=yes
modecfgdns=8.8.8.8,4.4.4.4
modecfgpull=yes
leftxauthserver=yes
rightxauthclient=yes
leftmodecfgserver=yes
cisco-unity=yes
ikev2=never
auto=add
pfs=no
rekey=no
xauthby=pam
Any guidance is appreciated.
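When triaging a failure like this it helps to pull the peer-prefixed lines out of the pluto debug output and pair each encrypted error notification with the reason line pluto logged just before it. The following script is an added example, not code from the post or from libreswan; it assumes the line layout shown in the post (timestamp, "conn"[instance] peer #state: message) and uses a constructed log built from the lines above.

```python
import re

# Peer-prefixed pluto lines, e.g.
# Jan 21 09:28:01.068986: "conn"[1] 203.0.113.5 #1: Peer attempted EAP ...
# Debug-only lines ("| ...") carry no such prefix and are skipped.
STATE_LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+[\d:.]+): "(?P<conn>[^"]+)"\[\d+\]\s+'
    r'(?P<peer>\S+)\s+#(?P<state>\d+):\s+(?P<msg>.*)$'
)
NOTIFY = re.compile(r'with encrypted notification (?P<notify>[A-Z_]+)')

# Reason messages worth surfacing to an operator; a hypothetical list seeded
# with the auth-method mismatch wording seen in the post.
REASONS = ("Peer attempted EAP authentication",)

# Constructed sample log, copied from the lines quoted in the post.
SAMPLE_LOG = [
    'Jan 21 09:28:01.068986: "URL.example.com"[1] 213.16.62.185 #1: Peer attempted '
    'EAP authentication, but IKE_AUTH is required',
    'Jan 21 09:28:01.068991: | pstats #1 ikev2.ike failed auth-failed',
    'Jan 21 09:28:01.069104: "URL.example.com"[1] 213.16.62.185 #1: responding to '
    'IKE_AUTH message (ID 1) from 213.16.62.185:500 with encrypted notification '
    'AUTHENTICATION_FAILED',
]


def triage(lines):
    """Return one record per IKE state that ended in an encrypted error
    notification, paired with the last reason line seen for that state."""
    last_reason = {}   # (conn, peer, state) -> most recent reason message
    failures = []
    for line in lines:
        m = STATE_LINE.match(line)
        if not m:
            continue
        key = (m["conn"], m["peer"], m["state"])
        msg = m["msg"]
        if msg.startswith(REASONS):
            last_reason[key] = msg
        n = NOTIFY.search(msg)
        if n:
            failures.append({"ts": m["ts"], "conn": key[0], "peer": key[1],
                             "state": key[2], "notify": n["notify"],
                             "reason": last_reason.get(key)})
    return failures


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['conn']} {f['peer']} #{f['state']}: "
              f"{f['notify']} <- {f['reason']}")
```

Run against a full `plutodebug=all` log it separates the one authoritative reason ("Peer attempted EAP authentication, but IKE_AUTH is required") from the surrounding payload-emission noise, which is what you want to look at before touching the conn definition.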
_______________________________________________
Swan mailing list -- [email protected]