
Issue #3572

ios failed to connect again

Added by zhenxing huang about 1 month ago. Updated about 1 month ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.8.2
Resolution:
No change required

Description

Hello,
Excuse me,
Please help me look at the following questions again.
Server certificate information:
(Subject is "C=CN,CN=vpn.server.de" and the validity period is 365 days)

crlDistributionPoints=crlDistributionPoint0_sect, crlDistributionPoint1_sect
subjectAltName=DNS:vpn.server.de, DNS:vpn2.server.de
extendedKeyUsage=serverAuth, clientAuth
keyUsage=critical,digitalSignature, keyEncipherment
authorityKeyIdentifier=keyid
subjectKeyIdentifier=hash
basicConstraints=critical,CA:FALSE

[crlDistributionPoint0_sect]
fullname=URI:http://vpn.server.de:8080/crl.der
[crlDistributionPoint1_sect]
fullname=URI:http://vpn2.server.de:8080/crl.der

ios certificate information:

crlDistributionPoints=crlDistributionPoint0_sect, crlDistributionPoint1_sect
subjectAltName=DNS:iphone
extendedKeyUsage=clientAuth
keyUsage=critical,digitalSignature, keyEncipherment
authorityKeyIdentifier=keyid
subjectKeyIdentifier=hash
basicConstraints=critical,CA:FALSE

[crlDistributionPoint0_sect]
fullname=URI:http://vpn.server.de:8080/crl.der
[crlDistributionPoint1_sect]
fullname=URI:http://vpn2.server.de:8080/crl.der

Part of the server configuration:

conn  %default
    left=vpn.server.de
    leftid="C=CN, CN=vpn.server.de" 
    leftsubnet=0.0.0.0/0
    leftcert=linkplus.cer
    leftfirewall=yes
    keyexchange=ikev2
    ike=aes256gcm128-prfsha384-ecp384,aes256-sha256-ecp256!
    esp=aes256gcm128-ecp384,aes256-sha256!
    right = %any
    auto=add

conn  ios-tls-2
    rightsourceip=192.168.10.0/28
    leftsendcert=always
    rightauth=eap-tls
    eap_identity=%any
    #leftid=vpn.server.de
    #rightauth=pubkey

iphone config:

desc: vpn.server
server:vpn.server.de
remote id:vpn.server.de
localid:iphone


Authentication:
1)
user Authentication : none
use certificate     : on
certificate         : iphone

Or
2) Same error as below
user Authentication   : certificate
certificate           : iphone

(What is the difference between 1 and 2? Which one is TLS?)

ipsec log:

04[IKE] received end entity cert "C=CN, CN=iphone" 
04[CFG] looking for peer configs matching X.X.75.60[vpn.server.de]...X.X.39.122[iphone]
04[CFG] peer config match local: 0 (ID_FQDN -> 6c:69:6e:6b:70:6c:75:73:2e:64:64:6e:73:73:2e:64:65)
04[CFG] peer config match remote: 1 (ID_FQDN -> 69:70:68:6f:6e:65)
04[CFG] ike config match: 0 (X.X.75.60 X.X.39.122 IKEv2)
04[CFG] peer config match local: 0 (ID_FQDN -> 6c:69:6e:6b:70:6c:75:73:2e:64:64:6e:73:73:2e:64:65)
04[CFG] peer config match remote: 0 (ID_FQDN -> 69:70:68:6f:6e:65)
04[CFG] ike config match: 1052 (X.X.75.60 X.X.39.122 IKEv2)
04[CFG] peer config match local: 0 (ID_FQDN -> 6c:69:6e:6b:70:6c:75:73:2e:64:64:6e:73:73:2e:64:65)
04[CFG] peer config match remote: 0 (ID_FQDN -> 69:70:68:6f:6e:65)
04[CFG] ike config match: 1052 (X.X.75.60 X.X.39.122 IKEv2)
04[CFG] no matching peer config found

I have also seen the Q&A, but I really don't know what went wrong
https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#no-matching-peer-config-found

help me please!!
thank you

History

#1 Updated by Tobias Brunner about 1 month ago

  • Category set to configuration
  • Status changed from New to Feedback

    leftid="C=CN, CN=vpn.server.de"

That won't match the FQDN identity the client sends as identity:

04[CFG] looking for peer configs matching X.X.75.60[vpn.server.de]...X.X.39.122[iphone]
...
04[CFG] no matching peer config found

So configure leftid=vpn.server.de.

(What is the difference between 1 and 2? Which one is TLS?)

The first uses regular pubkey authentication, the second EAP-TLS.

I have also seen the Q&A, but I really don't know what went wrong
https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#no-matching-peer-config-found

How is that possible? It describes every part of that log message and what they have to match.
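
To read those match lines without decoding the hex by hand, here is an added Python helper (not part of this ticket or of strongSwan) that decodes the identity charon prints after the ID type and compares it with how a given leftid would be typed; the log lines and addresses in it are constructed, and its typing rules only approximate strongSwan's.

```python
import ipaddress
import re

# Constructed sample of charon CFG log lines (not copied from the ticket);
# the hex identities encode "vpn.server.de" and "iphone".
SAMPLE_LOG = """\
04[CFG] looking for peer configs matching 203.0.113.10[vpn.server.de]...198.51.100.7[iphone]
04[CFG] peer config match local: 0 (ID_FQDN -> 76:70:6e:2e:73:65:72:76:65:72:2e:64:65)
04[CFG] peer config match remote: 1 (ID_FQDN -> 69:70:68:6f:6e:65)
"""
MATCH_RE = re.compile(
    r"peer config match (?P<side>local|remote): (?P<score>\d+) "
    r"\((?P<idtype>ID_[A-Z0-9_]+) -> (?P<hex>[0-9a-f]{2}(?::[0-9a-f]{2})*)\)")

def decode_identity(idtype, hexstr):
    """Turn the hex dump charon prints after the ID type into readable form."""
    raw = bytes.fromhex(hexstr.replace(":", ""))
    if idtype in ("ID_FQDN", "ID_RFC822_ADDR"):
        return raw.decode("ascii", errors="replace")
    if idtype in ("ID_IPV4_ADDR", "ID_IPV6_ADDR"):
        return str(ipaddress.ip_address(raw))
    return "<%s, %d bytes>" % (idtype, len(raw))  # e.g. a DER-encoded DN

def leftid_type(leftid):
    """Approximate strongSwan's typing: '=' -> DN, '@' -> e-mail, IP literal -> IP, else FQDN."""
    if "=" in leftid:
        return "ID_DER_ASN1_DN"
    if "@" in leftid:
        return "ID_RFC822_ADDR"
    try:
        return "ID_IPV%d_ADDR" % ipaddress.ip_address(leftid).version
    except ValueError:
        return "ID_FQDN"

def diagnose(log, leftid):
    """Explain every 'local' match that scored 0 against the configured leftid."""
    findings, cfg_type = [], leftid_type(leftid)
    for m in MATCH_RE.finditer(log):
        if m["side"] != "local" or int(m["score"]) != 0:
            continue
        peer_id = decode_identity(m["idtype"], m["hex"])
        if m["idtype"] != cfg_type:
            reason = "identity type mismatch"
        elif peer_id.lower() != leftid.lower():
            reason = "identity value mismatch"
        else:
            reason = "identity matches; look at the other match criteria"
        findings.append((m["idtype"], peer_id, cfg_type, reason))
    return findings
```

Run `diagnose(SAMPLE_LOG, 'C=CN, CN=vpn.server.de')` to see the DN-versus-FQDN mismatch from this ticket reported explicitly.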

#2 Updated by zhenxing huang about 1 month ago

Tobias Brunner wrote:

So configure leftid=vpn.server.de.

Thanks for your reply!!
Yes, you are right :). Maybe my network was not updated at the time.

When I change the configuration to

conn  cert
        rightsourceip=192.168.10.0/28
        rightauth=pubkey
        leftsendcert=always
        leftid=vpn.server.de
conn  tls
        also=cert
        rightauth=eap-tls
        eap_identity=%any

And when using the certificate method to connect, the log is:

06[IKE] received end entity cert "C=CN, CN=iphone" 
06[CFG] looking for peer configs matching 14.198.X.X[vpn.server.de]...117.136.X.X[iphone]
06[CFG] selected peer config 'cert'
06[CFG]   using certificate "C=CN, CN=iphone" 
06[CFG]   using trusted ca certificate "CN=Public Root RSACA" 
06[CFG] checking certificate status of "C=CN, CN=iphone" 
06[CFG]   fetching crl from 'http://vpn.server.de:8080/crl.der' ...
06[CFG]   using trusted certificate "CN=Public Root RSACA" 
06[CFG]   crl correctly signed by "CN=Public Root RSACA" 
06[CFG]   crl is valid: until Sep 29 19:05:00 2020
06[CFG] certificate status is good
06[CFG]   reached self-signed root ca with a path length of 0
06[IKE] authentication of 'iphone' with RSA signature successful
06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
06[IKE] peer supports MOBIKE
06[IKE] authentication of 'vpn.server.de' (myself) with ECDSA-256 signature successful
06[IKE] IKE_SA cert[2] established between 14.198.X.X[vpn.server.de]...117.136.X.X[iphone]
06[IKE] scheduling reauthentication in 10211s
06[IKE] maximum IKE_SA lifetime 10751s
06[IKE] sending end entity cert "C=CN, CN=vpn.server.de" 
06[IKE] peer requested virtual IP %any
06[CFG] assigning new lease to 'iphone'
06[IKE] assigning virtual IP 192.168.10.1 to peer 'iphone'
06[IKE] peer requested virtual IP %any6
06[IKE] no virtual IP found for %any6 requested by 'iphone'
06[IKE] CHILD_SA cert{1} established with SPIs c4a37df2_i 0c94f6ff_o and TS 0.0.0.0/0 === 192.168.10.1/32
06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
06[NET] sending packet: from 14.198.X.X[4500] to 117.136.X.X[30984] (1216 bytes)
11[IKE] sending DPD request
11[ENC] generating INFORMATIONAL request 0 [ ]
11[NET] sending packet: from 14.198.X.X[4500] to 117.136.X.X[30984] (80 bytes)
13[IKE] retransmit 1 of request with message ID 0
13[NET] sending packet: from 14.198.X.X[4500] to 117.136.X.X[30984] (80 bytes)

ipsec statusall
Security Associations (1 up, 0 connecting):
        cert[2]: ESTABLISHED 9 seconds ago, 14.198.X.X[vpn.server.de]...117.136.X.X[iphone]
        cert[2]: IKEv2 SPIs: 79cff519e0602323_i 85989eb1a67f23da_r*, public key reauthentication in 2 hours
        cert[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
        cert{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cb8ea68f_i 0e85cedb_o
        cert{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 49 minutes
        cert{1}:   0.0.0.0/0 === 192.168.10.1/32

When using the EAP-TLS method to connect, the log is:

09[NET] received packet: from 117.136.X.X[51005] to 14.198.X.X[500] (604 bytes)
09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
09[IKE] 117.136.X.X is initiating an IKE_SA
09[IKE] remote host is behind NAT
09[IKE] DH group MODP_2048 inacceptable, requesting ECP_256
09[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
09[NET] sending packet: from 14.198.X.X[500] to 117.136.X.X[51005] (38 bytes)
11[NET] received packet: from 117.136.X.X[51005] to 14.198.X.X[500] (412 bytes)
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
11[IKE] 117.136.X.X is initiating an IKE_SA
11[IKE] remote host is behind NAT
11[IKE] sending cert request for "CN=Public Root RSACA" 
11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
11[NET] sending packet: from 14.198.X.X[500] to 117.136.X.X[51005] (281 bytes)
12[NET] received packet: from 117.136.X.X[30990] to 14.198.X.X[4500] (512 bytes)
12[ENC] unknown attribute type (25)
12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
12[CFG] looking for peer configs matching 14.198.X.X[vpn.server.de]...117.136.X.X[iphone]
12[CFG] selected peer config 'cert'
12[IKE] peer requested EAP, config inacceptable
12[CFG] switching to peer config 'tls'
12[IKE] initiating EAP_IDENTITY method (id 0x00)
12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
12[IKE] peer supports MOBIKE
12[IKE] authentication of 'vpn.server.de' (myself) with ECDSA-256 signature successful
12[IKE] sending end entity cert "C=CN, CN=vpn.server.de" 
12[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
12[NET] sending packet: from 14.198.X.X[4500] to 117.136.X.X[30990] (1040 bytes)
07[JOB] deleting half open IKE_SA with 117.136.X.X after timeout

However, with the above two methods, the iPhone said
User authentication failed

What's the problem?

#3 Updated by Tobias Brunner about 1 month ago

However, with the above two methods, the iPhone said
User authentication failed

What's the problem?

Maybe the client can't verify the server certificate (not sure why it would say "user" authentication failed, though, which is complete in the first case - in the second there could be other reasons). Did you install the CA certificate? Is it trusted?

#4 Updated by zhenxing huang about 1 month ago

Tobias Brunner wrote:

However, with the above two methods, the iPhone said
User authentication failed

What's the problem?

Maybe the client can't verify the server certificate

You're right again.
The server certificate cannot use ECDSA.
Thanks for your help.

#5 Updated by Tobias Brunner about 1 month ago

The server certificate cannot use ECDSA.

Are you sure? This seems quite strange because iOS has supported ECDSA for client certificates for years (at least if configured via profile).

#6 Updated by zhenxing huang about 1 month ago

Tobias Brunner wrote:

The server certificate cannot use ECDSA.

Are you sure? This seems quite strange because iOS has supported ECDSA for client certificates for years (at least if configured via profile).

I am sure.
When my server certificate was changed to RSA, the connection was successful.

#7 Updated by Tobias Brunner about 1 month ago

When my server certificate was changed to RSA, the connection was successful.

Without changing anything else? The certificate contains the same information and was issued by the same CA?

#8 Updated by zhenxing huang about 1 month ago

Tobias Brunner wrote:

When my server certificate was changed to RSA, the connection was successful.

Without changing anything else? The certificate contains the same information and was issued by the same CA?

All configurations are the same, including the certificate subjectDN and export method etc.

#9 Updated by Tobias Brunner about 1 month ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required

All configurations are the same, including the certificate subjectDN and export method etc.

OK, thanks. I wonder if it would work if the client used ECDSA too (because, as I mentioned before, that's explicitly supported by Apple).

I'm closing this for now.
