Try the following for "remote": / remote { auth = eap-tls eap_id = %any }/
--Jafar On 4/24/21 10:33 PM, pLAN9 Administrator wrote: > > I am trying to set up Strongswan to act as a remote access server for > an iPhone using IKEv2 certificate auth. It is a major headache! > > I have made sure to set the SAN in both the server and phone > certificate. Here is the the server SAN: > > / X509v3 extensions: > X509v3 Subject Alternative Name: > DNS:echo.pLAN9.co > X509v3 Extended Key Usage: > TLS Web Server Authentication, TLS Web Client > Authentication/ > > Here is the phone SAN: > > / X509v3 extensions: > X509v3 Subject Alternative Name: > DNS:pLAN9-iPhone.pLAN9.co > X509v3 Extended Key Usage: > TLS Web Server Authentication, TLS Web Client > Authentication/ > > Here is /etc/swanctl/swanctl.conf > > /connections { > RA { > local_addrs = %any > local { > auth = pubkey > certs = ECHO.crt > id = @echo.pLAN9.co > } > remote { > auth = pubkey > id = %any > } > children { > net { > local_ts = 0.0.0.0/0 > esp_proposals = aes256-sha256 > } > } > version = 2 > proposals = aes256-sha256-modp2048 > send_certreq = no > pools = pool > } > } > pools { > pool { > addrs = 172.16.16.64/29 > dns = 172.16.16.1 > } > }/ > > > Here is the output of a connection: > > > /01[NET] received packet: from IPHONE_IP[9975] to STRONGSWAN_IP[500] > (604 bytes)// > //01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) > N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]// > //01[IKE] IPHONE_IP is initiating an IKE_SA// > //01[CFG] selected proposal: > IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048// > //01[IKE] remote host is behind NAT// > //01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) > N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]// > //01[NET] sending packet: from STRONGSWAN_IP[500] to IPHONE_IP[9975] > (456 bytes)// > //10[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] > (532 bytes)// > //10[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]// > //13[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] > (532 bytes)// > //10[ENC] received fragment #1 of 4, waiting for complete IKE message// > //13[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]// > //13[ENC] received fragment #2 of 4, waiting for complete IKE message// > //14[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] > (532 bytes)// > //14[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]// > //01[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] > (180 bytes)// > //14[ENC] received fragment #3 of 4, waiting for complete IKE message// > //01[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]// > //01[ENC] received fragment #4 of 4, reassembled fragmented IKE > message (1552 bytes)// > //01[ENC] unknown attribute type INTERNAL_DNS_DOMAIN// > //01[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr > AUTH CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) > N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]// > //01[IKE] received end entity cert "CN=pLAN9-iPhone"// > //01[CFG] looking for peer configs matching > STRONGSWAN_IP[echo.plan9.co]...IPHONE_IP[pLAn9-iPhone.pLAN9.co]// > //01[CFG] selected peer config 'RA'// > //01[CFG] using certificate "CN=pLAN9-iPhone"// > //01[CFG] using trusted ca certificate "CN=pLAN9 CA 2019-2021"// > //01[CFG] checking certificate status of "CN=pLAN9-iPhone"// > //01[CFG] certificate status is not available// > //01[CFG] reached self-signed root ca with a path length of 0// > //01[IKE] authentication of 'pLAn9-iPhone.pLAN9.co' with RSA signature > successful// > //01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC > padding// > //01[IKE] peer supports MOBIKE// > //01[IKE] authentication of 'echo.plan9.co' (myself) with RSA > signature successful// > //01[IKE] IKE_SA RA[2] established between > STRONGSWAN_IP[echo.plan9.co]...IPHONE_IP[pLAn9-iPhone.pLAN9.co]// > //01[IKE] scheduling rekeying in 13941s// > //01[IKE] maximum IKE_SA lifetime 15381s// > //01[IKE] peer requested virtual IP %any// > //01[CFG] assigning new lease to 'pLAn9-iPhone.pLAN9.co'// > //01[IKE] assigning virtual IP 172.16.16.65 to peer > 'pLAn9-iPhone.pLAN9.co'// > //01[IKE] peer requested virtual IP %any6// > //01[IKE] no virtual IP found for %any6 requested by > 'pLAn9-iPhone.pLAN9.co'// > //01[CFG] selected proposal: > ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ// > //01[IKE] CHILD_SA net{4} established with SPIs cc4e7aea_i 0358690a_o > and TS 0.0.0.0/0 === 172.16.16.65/32// > //01[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR DNS) SA > TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]// > //01[NET] sending packet: from STRONGSWAN_IP[4500] to IPHONE_IP[9959] > (544 bytes)/ > > / > / > > Strongswan looks like it is connecting fine, but the phone reports the > error "User Authentication Failed" and doesn't connect. The phone is > using the same certificate to connect to a number of other routers > (not Strongswan based) that all have certificates signed by the same > CA, and those are all working fine. > > > What am I doing wrong here? >