
Issue #3313

Migration from ipsec.conf to swanctl.conf (IKEv2)

Added by Bernd Bernikov about 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.8.0
Resolution:
No change required

Description

Hello.

I am trying to migrate ipsec.conf to swanctl.conf, but the connection is not established.

ipsec.conf:

config setup
    # uniqueids=never: do not replace existing IKE_SAs that use the same identity
    # (mirrored by "unique = never" in the swanctl.conf pp connection below)
    uniqueids=never # yes #uniqueids=never
    # NOTE(review): "all" is the most verbose daemon logging; useful while
    # debugging the migration, worth turning down afterwards.
    charondebug="all" 

# Add connections here.

# Bypass policy for the LAN: traffic between hosts on this subnet stays in
# the clear, presumably so it is not pushed into the 0.0.0.0/0 tunnel of
# conn PP. swanctl.conf counterpart: the lan-passthrough child (mode = pass).
conn lan-passthrough
        leftsubnet=192.168.1.0/24 # Replace with your LAN subnet
        rightsubnet=192.168.1.0/24 # Replace with your LAN subnet
        authby=never # No authentication necessary
        type=pass # passthrough
        # auto=route corresponds to start_action = trap in swanctl.conf
        auto=route # no need to ipsec up lan-passthrough

# IKEv2 full-tunnel client: this side authenticates with EAP-MSCHAPv2, the
# server with a certificate. swanctl.conf counterpart: connection pp.
conn PP
    # EAP username. Its swanctl.conf counterpart is local.eap_id, which the
    # swanctl.conf below does not set (see comment #3 and the "no EAP key
    # found" line in the second log).
    eap_identity="<username>" 
    type=tunnel
    keyexchange=ikev2
    # restart the tunnel after dead-peer detection or a peer-initiated close
    dpdaction=restart
    closeaction=restart
    dpddelay=300s
    inactivity=36000s
    rekey=no
    # force UDP encapsulation; the log shows the IKE_AUTH exchange on port 4500
    forceencaps=yes
    # leftauth/rightauth below are the effective per-side settings
    authby=secret
    ike=aes256-sha256-modp2048
    esp=aes256-sha256
    leftfirewall=yes
    left=192.168.1.1
    leftid=192.168.1.1
    # request a virtual IPv4 address from the server (vips = 0.0.0.0 in swanctl.conf)
    leftsourceip=%config4
    leftsendcert=never
    leftauth=eap-mschapv2
    rightfirewall=yes
    rightauth=pubkey
    right=37.48.94.1
    # NOTE(review): %any accepts any peer identity that chains to a trusted CA;
    # the log shows the server authenticating as 'amsterdam.perfect-privacy.com',
    # so pinning rightid to that identity would narrow what is trusted.
    rightid=%any
    # full tunnel: all traffic to the peer (the LAN is presumably exempted by
    # the lan-passthrough policy above)
    rightsubnet=0.0.0.0/0
    rightsendcert=always
    # load only and initiate by hand (start_action = none in swanctl.conf)
    auto=add

swanctl.conf:

connections {
    # Bypass policy for the LAN subnet, presumably so local traffic is not
    # pushed into the 0.0.0.0/0 tunnel of connection pp (counterpart of
    # conn lan-passthrough in ipsec.conf above).
    lan-passthrough {
        children {
            lan-passthrough {
                local_ts = 192.168.1.0/24 # Replace with your LAN subnet
                remote_ts = 192.168.1.0/24 # Replace with your LAN subnet
                mode = pass # passthrough
                start_action = trap # trap: on traffic | start: on boot
            }
        }
    }
    # IKEv2 client tunnel (counterpart of conn PP in ipsec.conf above): this
    # side authenticates with EAP-MSCHAPv2, the server with a certificate.
        pp {
        unique = never
        version = 2
        keyingtries=0
        dpd_delay = 300s
        rekey_time = 0
        # force UDP encapsulation (forceencaps=yes); the log shows IKE_AUTH on port 4500
        encap = yes
        proposals = aes256-sha256-modp2048
        local_addrs = 192.168.1.1
        # request a virtual IPv4 address (leftsourceip=%config4); the log shows CPRQ(ADDR DNS)
        vips = 0.0.0.0
        send_cert = never
        remote_addrs = 37.48.94.1
        # the log shows the CERTREQ payload in the IKE_AUTH request
        send_certreq = yes

                local {
            id = 192.168.1.1
            auth = eap-mschapv2
            # NOTE(review): no eap_id is set here, so the EAP identity sent is
            # the IKE id 192.168.1.1 (second log) and the eap-user1 secret is
            # not found; eap_id = <username> is the counterpart of eap_identity
            # in ipsec.conf (comment #3).
                }
                remote {
            auth = pubkey
            # NOTE(review): %any accepts any peer identity that chains to a
            # trusted CA; the log shows the server authenticating as
            # 'amsterdam.perfect-privacy.com', so pinning id to that narrows trust.
            id = %any
            # NOTE(review): an EAP identity constraint on a peer that
            # authenticates with pubkey cannot be satisfied -- this is the
            # "constraint check failed: EAP identity '%any' required" line in
            # the first log; comment #1 says to remove it.
            eap_id = %any
                }
                children {
                        pp {
                dpd_action = start
                close_action = start
                inactivity = 36000s
                life_time = 0
                esp_proposals = aes256-sha256
                # full tunnel: everything to the peer except what lan-passthrough exempts
                remote_ts = 0.0.0.0/0
                mode = tunnel
                start_action = none # none = add in ipsec.conf, or use = start
                        }
                }
    }
}
secrets {
    # EAP credential for connection pp. "id" must equal the EAP identity the
    # client sends (local.eap_id); without local.eap_id the client sent
    # 192.168.1.1 and the daemon logged "no EAP key found" (second log).
    # NOTE(review): the password is stored in clear text here, so keep this
    # file readable by root only.
    eap-user1 {
        id = <username>
        secret = "<password>"    
    }
}

root@OpenWrt:~# swanctl --load-all
curl SSL backend 'mbedTLS/2.16.3' not supported, https:// disabled
loaded eap secret 'eap-user1'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'lan-passthrough'
loaded connection 'pp'
successfully loaded 2 connections, 0 unloaded
root@OpenWrt:~# swanctl --initiate --child pp
curl SSL backend 'mbedTLS/2.16.3' not supported, https:// disabled
[IKE] initiating IKE_SA pp[8] to 37.48.94.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 192.168.1.1[500] to 37.48.94.1[500] (464 bytes)
[NET] received packet: from 37.48.94.1[500] to 192.168.1.1[500] (497 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
[IKE] local host is behind NAT, sending keep alives
[IKE] received cert request for "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com" 
[IKE] sending cert request for "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com" 
[IKE] establishing CHILD_SA pp{8}
[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 192.168.1.1[4500] to 37.48.94.1[4500] (256 bytes)
[NET] received packet: from 37.48.94.1[4500] to 192.168.1.1[4500] (1236 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
[ENC] received fragment #1 of 2, waiting for complete IKE message
[NET] received packet: from 37.48.94.1[4500] to 192.168.1.1[4500] (548 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1712 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
[IKE] received end entity cert "C=CH, O=Perfect Privacy, CN=amsterdam4.perfect-privacy.com" 
[CFG]   using certificate "C=CH, O=Perfect Privacy, CN=amsterdam4.perfect-privacy.com" 
[CFG]   using trusted ca certificate "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com" 
[CFG] checking certificate status of "C=CH, O=Perfect Privacy, CN=amsterdam4.perfect-privacy.com" 
[CFG] certificate status is not available
[CFG]   reached self-signed root ca with a path length of 0
[IKE] authentication of 'amsterdam.perfect-privacy.com' with RSA_EMSA_PKCS1_SHA2_256 successful
[CFG] constraint check failed: EAP identity '%any' required
[CFG] selected peer config 'pp' unacceptable: constraint checking failed
[CFG] no alternative config found
[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
[NET] sending packet: from 192.168.1.1[4500] to 37.48.94.1[4500] (80 bytes)
initiate failed: establishing CHILD_SA 'pp' failed

What is missing or what is wrong?

Best regards

Bernd

History

#1 Updated by Tobias Brunner about 1 year ago

  • Category changed from swanctl to configuration
  • Status changed from New to Feedback

The combination of auth=pubkey and eap_id=%any in the remote section makes no sense (that EAP identity constraint is what fails in the log above); you should remove the latter.

#2 Updated by Bernd Bernikov about 1 year ago

Hello.

I have removed eap_id=%any and it looks better now.
But now I get a new error message:

root@OpenWrt:~# swanctl --initiate --child pp
curl SSL backend 'mbedTLS/2.16.3' not supported, https:// disabled
[IKE] initiating IKE_SA pp[4] to 37.48.94.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 192.168.1.1[500] to 37.48.94.1[500] (464 bytes)
[NET] received packet: from 37.48.94.1[500] to 192.168.1.1[500] (497 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[IKE] local host is behind NAT, sending keep alives
[IKE] received cert request for "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com" 
[IKE] sending cert request for "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com" 
[IKE] establishing CHILD_SA pp{4}
[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 192.168.1.1[4500] to 37.48.94.1[4500] (256 bytes)
[NET] received packet: from 37.48.94.1[4500] to 192.168.1.1[4500] (1236 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
[ENC] received fragment #1 of 2, waiting for complete IKE message
[NET] received packet: from 37.48.94.1[4500] to 192.168.1.1[4500] (548 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
[ENC] received fragment #2 of 2, reassembling fragmented IKE message
[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
[IKE] received end entity cert "C=CH, O=Perfect Privacy, CN=amsterdam4.perfect-privacy.com" 
[CFG]   using certificate "C=CH, O=Perfect Privacy, CN=amsterdam4.perfect-privacy.com" 
[CFG]   using trusted ca certificate "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com" 
[CFG] checking certificate status of "C=CH, O=Perfect Privacy, CN=amsterdam4.perfect-privacy.com" 
[CFG] certificate status is not available
[CFG]   reached self-signed root ca with a path length of 0
[IKE] authentication of 'amsterdam.perfect-privacy.com' with RSA_EMSA_PKCS1_SHA2_256 successful
[IKE] server requested EAP_IDENTITY (id 0x00), sending '192.168.1.1'
[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
[NET] sending packet: from 192.168.1.1[4500] to 37.48.94.1[4500] (80 bytes)
[NET] received packet: from 37.48.94.1[4500] to 192.168.1.1[4500] (112 bytes)
[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
[IKE] server requested EAP_MSCHAPV2 authentication (id 0xF6)
[IKE] no EAP key found for hosts 'amsterdam.perfect-privacy.com' - '192.168.1.1'
[IKE] EAP_MSCHAPV2 method failed
[ENC] generating INFORMATIONAL request 3 [ N(AUTH_FAILED) ]
[NET] sending packet: from 192.168.1.1[4500] to 37.48.94.1[4500] (80 bytes)
initiate failed: establishing CHILD_SA 'pp' failed

#3 Updated by Tobias Brunner about 1 year ago

You may want to configure local.eap_id to your username (the counterpart of eap_identity in ipsec.conf): without it the log shows '192.168.1.1' being sent as the EAP identity, for which no EAP secret exists.

#4 Updated by Bernd Bernikov about 1 year ago

That's it.

Now it works. Thank you very much.

#5 Updated by Tobias Brunner about 1 year ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required
