Issue #3554

eap-tls connection failed for windows

Added by zhenxing huang about 2 months ago. Updated 23 days ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.8.2
Resolution:
No change required

Description

Hello,
We want to connect using TLS on Windows but it fails. It says "Invalid payload received".
https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#B-Authentication-using-X509-User-Certificates

ipsec.conf:
---------------------

config setup
    strictcrlpolicy=no
    uniqueids = yes
    charondebug="ike 1,cfg 1"
conn %default
    left=m.domain.de
    leftid="C=cn, CN=m.domain.de"
    leftsubnet=192.168.2.0/24
    leftcert=ec-link.cer
    leftfirewall=yes
    keyexchange=ikev2
    ike=aes128-sha256-prfsha256-modp2048,aes256-sha1-prfsha1-modp2048,aes128-sha256-modp2048,aes256-sha256-prfsha256-modp2048,aes256-sha1-sha1-modp1024,aes256-sha256-sha256-modp1024,aes256-sha384-sha384-modp1024!
    #esp=aes256-sha256,aes256-sha1!
    auto=add
    right = %any
conn tls
    rightsourceip=192.168.10.0/28
    rightauth=eap-tls
    leftsendcert=never
    eap_identity=%any

strongswan.conf:
---------------------

charon {
    #multiple_authentication=yes
    #dos_protection=yes
    plugins {
        eap-tls {
            fragment_size = 512
        }
    }
}
include /etc/strongswan.d/*.conf


log:
---------------------
Starting strongSwan 5.8.2 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 4.14.180, x86_64)
00[LIB] curl SSL backend 'mbedTLS/2.16.7' not supported, https:// disabled
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=cn, CN=ca" from '/etc/ipsec.d/cacerts/ecca.cer'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG]   loaded crl from '/etc/ipsec.d/crls/ec.der'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/ec-link-key.der'
00[LIB] loaded plugins: charon pkcs11 aes sha1 random nonce x509 revocation pubkey pem openssl gmp curve25519 xcbc hmac curl kernel-netlink socket-default stroke updown eap-identity eap-tls
00[JOB] spawning 16 worker threads
charon (5850) started after 40 ms
05[CFG] received stroke: add connection 'tls'
05[CFG] adding virtual IP address pool 192.168.10.0/28
05[CFG]   loaded certificate "C=cn, CN=m.domain.de" from 'ec-link.cer'
05[CFG] added configuration 'tls'
07[NET] received packet: from 192.168.1.113[500] to 192.168.1.100[500] (624 bytes)
07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
07[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
07[IKE] received MS-Negotiation Discovery Capable vendor ID
07[IKE] received Vid-Initial-Contact vendor ID
07[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
07[IKE] 192.168.1.113 is initiating an IKE_SA
07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
07[IKE] sending cert request for "C=cn, CN=ca" 
07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
07[NET] sending packet: from 192.168.1.100[500] to 192.168.1.113[500] (353 bytes)
08[NET] received packet: from 192.168.1.113[4500] to 192.168.1.100[4500] (576 bytes)
08[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
08[ENC] received fragment #1 of 4, waiting for complete IKE message
08[NET] received packet: from 192.168.1.113[4500] to 192.168.1.100[4500] (576 bytes)
08[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
08[ENC] received fragment #2 of 4, waiting for complete IKE message
08[NET] received packet: from 192.168.1.113[4500] to 192.168.1.100[4500] (576 bytes)
08[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
08[ENC] received fragment #3 of 4, waiting for complete IKE message
08[NET] received packet: from 192.168.1.113[4500] to 192.168.1.100[4500] (464 bytes)
08[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
08[ENC] received fragment #4 of 4, reassembled fragmented IKE message (1948 bytes)
08[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
08[IKE] received 81 cert requests for an unknown ca
08[CFG] looking for peer configs matching 192.168.1.100[%any]...192.168.1.113[192.168.1.113]
08[CFG] selected peer config 'tls'
08[IKE] initiating EAP_IDENTITY method (id 0x00)
08[IKE] peer supports MOBIKE
08[IKE] authentication of 'C=cn, CN=m.domain.de' (myself) with RSA signature successful
08[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
08[NET] sending packet: from 192.168.1.100[4500] to 192.168.1.113[4500] (396 bytes)
12[JOB] deleting half open IKE_SA with 192.168.1.113 after timeout

There seems to be no error in the log. What's the problem? Same error as 5.9.
Thanks

History

#1 Updated by zhenxing huang about 2 months ago

The connection succeeded with

leftsendcert=always

but with

leftsendcert=never

Windows reports error 13843.

Why is this?

BTW:
I added the eap-dynamic plugin and it seems to load successfully

00[LIB] loaded plugins: charon pkcs11 aes des sha1 md4 random nonce x509 revocation pubkey pem openssl gmp curve25519 xcbc hmac curl kernel-netlink socket-default socket-dynamic stroke updown eap-identity eap-mschapv2 eap-tls
00[JOB] spawning 16 worker threads

conn  dynamic
    rightsourceip=192.168.10.0/28
    leftsendcert=always
    #rightauth=eap-tls
    #rightauth=eap-mschapv2
    eap_identity=%any
    rightauth=eap-dynamic

Log result:

14[IKE] loading EAP_DYNAMIC method failed

#2 Updated by Tobias Brunner about 2 months ago

  • Status changed from New to Feedback

Why is this?

Because the client obviously needs the server certificate during the authentication. If the client doesn't support local configuration of that, the server has to send it.

I added the eap-dynamic plugin and it seems to load successfully

No, it doesn't (it's not in the list, there is a socket-dynamic, but that's something completely different).
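
Both points in the reply above can be checked mechanically before charon is started. The following added example (not part of this issue or of strongSwan itself) parses the legacy ipsec.conf syntax with `conn %default` inheritance and flags EAP conns that end up with leftsendcert=never, or whose rightauth=eap-X method has no eap-X plugin in charon's "loaded plugins" log line; the config and the log line are constructed samples in the shape of this issue.

```python
import re

# Constructed sample shaped like the issue: 'tls' inherits leftsendcert=never
# from %default, 'dynamic' overrides it but asks for the eap-dynamic method.
IPSEC_CONF = """\
conn %default
    leftsendcert=never
conn tls
    rightauth=eap-tls
conn dynamic
    leftsendcert=always
    rightauth=eap-dynamic
"""
# Constructed log line shaped like comment #1: socket-dynamic loaded, eap-dynamic not.
PLUGIN_LINE = ("00[LIB] loaded plugins: charon pkcs11 aes sha1 random nonce x509 pem "
               "socket-default socket-dynamic stroke eap-identity eap-mschapv2 eap-tls")

def parse_ipsec_conf(text):
    """Return {conn: {key: value}} with 'conn %default' settings inherited."""
    sections, current = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()      # drop comments / trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header: 'conn NAME'
            kind, name = line.split(None, 1)
            current = sections.setdefault((kind, name), {})
            continue
        key, _, value = line.strip().partition("=")   # 'key = value' also accepted
        current[key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **opts} for (kind, name), opts in sections.items()
            if kind == "conn" and name != "%default"}

def loaded_plugins(log_line):
    # Plugin names from a charon 'loaded plugins:' log line.
    m = re.search(r"loaded plugins:\s*(.*)$", log_line)
    return set(m.group(1).split()) if m else set()

def lint(text, log_line):
    # Return (conn, finding) pairs for EAP conns that cannot work as configured.
    findings, plugins = [], loaded_plugins(log_line)
    for name, opts in parse_ipsec_conf(text).items():
        auth = opts.get("rightauth", "")
        if not auth.startswith("eap-"):
            continue
        if opts.get("leftsendcert") == "never":
            findings.append((name, "leftsendcert=never: peer needs the server cert during EAP"))
        if auth not in plugins:   # socket-dynamic does not provide eap-dynamic
            findings.append((name, f"rightauth={auth} but plugin {auth} is not loaded"))
    return findings
```

Running `lint` on a real /etc/ipsec.conf and the first "loaded plugins" line of the charon log gives the same two findings this thread arrived at by hand.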

#3 Updated by zhenxing huang about 2 months ago

Tobias Brunner wrote:

No, it doesn't (it's not in the list, there is a socket-dynamic, but that's something completely different).

OK, I know.
Thanks very much

#4 Updated by Tobias Brunner 23 days ago

  • Category set to configuration
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required
