Issue #735

Understanding rightid matching

Added by Anonymous almost 11 years ago. Updated almost 11 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
configuration
Affected version:
5.2.0
Resolution:

Description

I have a client which can connect using two different IDs:

222.222.222.222[server.com]...123.123.123.123[username]
or:
222.222.222.222[server.com]...123.123.123.123[username@secondary]

Then I have two config sections. Identical, except for the rightid parameter and conn name:

conn eap-peap
left=222.222.222.222
leftid=server.com
leftcert=cert.pem
leftsubnet=0.0.0.0/0
leftfirewall=yes
leftsendcert=always
leftauth=pubkey
right=%any
rightsourceip=10.0.0.0/8
rightdns=8.8.8.8,8.8.4.4
rightauth=eap-radius
rightsendcert=never
rightid=%any
eap_identity=%identity
rekey=no
reauth=no
keyexchange=ikev2
auto=add

The second version changes the rightid line to:

rightid=*@secondary

It appears that when the client identifies as "username@secondary" instead of "username" strongSwan still chooses the config using rightid=%any, not the one using rightid=*@secondary. I guess that's not logically incorrect, but it's not what I was hoping for.

Is there any way to get strongSwan to select the most narrow match and consider the %any connection a fallback? Some devices don't send an id at all, so I need to keep the rightid=%any connection in there while providing more specific connections for others.

History

#1 Updated by Martin Willi almost 11 years ago

  • Status changed from New to Feedback

Hi Niels,

It appears that when the client identifies as "username@secondary" instead of "username" strongSwan still chooses the config using rightid=%any, not the one using rightid=*@secondary.

This is actually not the intended or expected behavior. A partial identity match is better than a %any match, resulting in a higher priority of the configuration. Not sure why this is not working here; possibly a mismatching IKE identity type is used.

What client implementation are you using? Does it send its IDi as RFC822_ADDR IKE identity type?

You may get more information about the configuration matching process if you set the cfg loglevel to 3, see LoggerConfiguration.

Regards
Martin

#2 Updated by Anonymous almost 11 years ago

Hi Martin,

I'm testing with iOS 8, but clients will include BlackBerry and Windows too. (I can test with Windows to see if there's any difference.)

RFC822_ADDR is not mentioned in the log (cfg 3), but I don't know if that's conclusive evidence that it's not sent?

I've tried to read the log below, but it's not clear to me which config it's comparing when or why it didn't match.

Regards,
Niels

Oct 15 16:53:38 smifado charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 15 16:53:38 smifado charon: 10[CFG] looking for an ike config for 222.222.222.222...123.123.123.123
Oct 15 16:53:38 smifado charon: 10[CFG] ike config match: 0 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:38 smifado charon: 10[CFG] ike config match: 1052 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:38 smifado charon: 10[CFG] candidate: 222.222.222.222...%any, prio 1052
Oct 15 16:53:38 smifado charon: 10[CFG] ike config match: 1052 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:38 smifado charon: 10[CFG] candidate: 222.222.222.222...%any, prio 1052
Oct 15 16:53:38 smifado charon: 10[CFG] ike config match: 0 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:38 smifado charon: 10[CFG] ike config match: 1052 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:38 smifado charon: 10[CFG] candidate: 222.222.222.222...%any, prio 1052
Oct 15 16:53:38 smifado charon: 10[CFG] ike config match: 1052 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:38 smifado charon: 10[CFG] candidate: 222.222.222.222...%any, prio 1052
Oct 15 16:53:38 smifado charon: 10[CFG] ike config match: 1052 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:38 smifado charon: 10[CFG] candidate: 222.222.222.222...%any, prio 1052
Oct 15 16:53:38 smifado charon: 10[CFG] ike config match: 1052 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:38 smifado charon: 10[CFG] candidate: 222.222.222.222...%any, prio 1052
Oct 15 16:53:38 smifado charon: 10[CFG] ike config match: 1052 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:38 smifado charon: 10[CFG] candidate: 222.222.222.222...%any, prio 1052
Oct 15 16:53:38 smifado charon: 10[CFG] ike config match: 1052 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:38 smifado charon: 10[CFG] candidate: 222.222.222.222...%any, prio 1052
Oct 15 16:53:38 smifado charon: 10[CFG] found matching ike config: 222.222.222.222...%any with prio 1052
Oct 15 16:53:38 smifado charon: 10[IKE] 123.123.123.123 is initiating an IKE_SA
Oct 15 16:53:38 smifado charon: 10[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Oct 15 16:53:38 smifado charon: 10[CFG] selecting proposal:
Oct 15 16:53:38 smifado charon: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 15 16:53:38 smifado charon: 10[CFG] selecting proposal:
Oct 15 16:53:38 smifado charon: 10[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
Oct 15 16:53:38 smifado charon: 10[CFG] selecting proposal:
Oct 15 16:53:38 smifado charon: 10[CFG] proposal matches
Oct 15 16:53:38 smifado charon: 10[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 16:53:38 smifado charon: 10[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
Oct 15 16:53:38 smifado charon: 10[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 16:53:38 smifado charon: 10[IKE] remote host is behind NAT
Oct 15 16:53:38 smifado charon: 10[IKE] sending cert request for "CN=vpn.com"
Oct 15 16:53:38 smifado charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 15 16:53:39 smifado charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Oct 15 16:53:39 smifado charon: 12[CFG] looking for peer configs matching 222.222.222.222[vpn.com]...123.123.123.123[username@secondary]
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match local: 0 (ID_FQDN -> 73:6d:69:66:61:64:6f:2e:61:6e:75:73:6f:6e:2e:63:6f:6d)
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match remote: 1 (ID_FQDN -> 6e:69:65:6c:73:40:63:68:69:6e:61)
Oct 15 16:53:39 smifado charon: 12[CFG] ike config match: 0 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match local: 0 (ID_FQDN -> 73:6d:69:66:61:64:6f:2e:61:6e:75:73:6f:6e:2e:63:6f:6d)
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match remote: 1 (ID_FQDN -> 6e:69:65:6c:73:40:63:68:69:6e:61)
Oct 15 16:53:39 smifado charon: 12[CFG] ike config match: 1052 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match local: 20 (ID_FQDN -> 73:6d:69:66:61:64:6f:2e:61:6e:75:73:6f:6e:2e:63:6f:6d)
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match remote: 1 (ID_FQDN -> 6e:69:65:6c:73:40:63:68:69:6e:61)
Oct 15 16:53:39 smifado charon: 12[CFG] ike config match: 1052 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:39 smifado charon: 12[CFG] candidate "eap-peap", match: 20/1/1052 (me/other/ike)
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match local: 0 (ID_FQDN -> 73:6d:69:66:61:64:6f:2e:61:6e:75:73:6f:6e:2e:63:6f:6d)
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match remote: 1 (ID_FQDN -> 6e:69:65:6c:73:40:63:68:69:6e:61)
Oct 15 16:53:39 smifado charon: 12[CFG] ike config match: 0 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match local: 0 (ID_FQDN -> 73:6d:69:66:61:64:6f:2e:61:6e:75:73:6f:6e:2e:63:6f:6d)
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match remote: 0 (ID_FQDN -> 6e:69:65:6c:73:40:63:68:69:6e:61)
Oct 15 16:53:39 smifado charon: 12[CFG] ike config match: 1052 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match local: 20 (ID_FQDN -> 73:6d:69:66:61:64:6f:2e:61:6e:75:73:6f:6e:2e:63:6f:6d)
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match remote: 0 (ID_FQDN -> 6e:69:65:6c:73:40:63:68:69:6e:61)
Oct 15 16:53:39 smifado charon: 12[CFG] ike config match: 1052 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match local: 0 (ID_FQDN -> 73:6d:69:66:61:64:6f:2e:61:6e:75:73:6f:6e:2e:63:6f:6d)
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match remote: 0 (ID_FQDN -> 6e:69:65:6c:73:40:63:68:69:6e:61)
Oct 15 16:53:39 smifado charon: 12[CFG] ike config match: 1052 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match local: 20 (ID_FQDN -> 73:6d:69:66:61:64:6f:2e:61:6e:75:73:6f:6e:2e:63:6f:6d)
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match remote: 0 (ID_FQDN -> 6e:69:65:6c:73:40:63:68:69:6e:61)
Oct 15 16:53:39 smifado charon: 12[CFG] ike config match: 1052 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match local: 0 (ID_FQDN -> 73:6d:69:66:61:64:6f:2e:61:6e:75:73:6f:6e:2e:63:6f:6d)
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match remote: 0 (ID_FQDN -> 6e:69:65:6c:73:40:63:68:69:6e:61)
Oct 15 16:53:39 smifado charon: 12[CFG] ike config match: 1052 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match local: 20 (ID_FQDN -> 73:6d:69:66:61:64:6f:2e:61:6e:75:73:6f:6e:2e:63:6f:6d)
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match remote: 0 (ID_FQDN -> 6e:69:65:6c:73:40:63:68:69:6e:61)
Oct 15 16:53:39 smifado charon: 12[CFG] ike config match: 1052 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:39 smifado charon: 12[CFG] selected peer config 'eap-peap'
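
The cfg level-3 lines above follow a fixed pattern: for every peer config charon prints a "peer config match local" score (leftid against the IDr the peer sent), a "peer config match remote" score (rightid against IDi) and an "ike config match" score, and prints a "candidate" line only when all three are non-zero. The parser below turns that pattern into one verdict per evaluated config. It is an added example written for this issue, not strongSwan code; the SAMPLE lines are constructed after the log in this comment (identity hex shortened, and one IKE_SA_INIT-phase line added to show it is skipped), and the verdict wording is the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One regex for the four cfg-level-3 line kinds that decide peer-config
# selection; every other log line is ignored.
LINE = re.compile(
    r"\[CFG\] (?:"
    r"peer config match (?P<side>local|remote): (?P<score>\d+)"
    r"|ike config match: (?P<ike>\d+)"
    r'|candidate "(?P<cand>[^"]+)", match:'
    r"|selected peer config '(?P<sel>[^']+)'"
    r")"
)


@dataclass
class Evaluation:
    """Scores charon assigned to one peer config: leftid vs IDr (local),
    rightid vs IDi (remote) and the IKE config (addresses/version)."""
    local: int
    remote: int
    ike: int
    candidate: Optional[str] = None  # set only when all three scores are > 0

    def verdict(self) -> str:
        if self.local == 0:
            return "rejected: leftid does not match the IDr the peer sent"
        if self.remote == 0:
            return "rejected: rightid does not match IDi (value or identity type)"
        if self.ike == 0:
            return "rejected: no IKE config match (addresses/version)"
        return f"candidate {self.candidate!r}, priority {self.local}/{self.remote}/{self.ike}"


def parse_matching(lines) -> Tuple[List[Evaluation], Optional[str]]:
    """Group local/remote/ike lines into Evaluations and return them together
    with the name of the finally selected peer config (None if none)."""
    evals: List[Evaluation] = []
    selected = None
    current = {}  # local/remote scores seen since the last ike line
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        if m["side"]:
            current[m["side"]] = int(m["score"])
        elif m["ike"] is not None and current:
            # an ike line closes one peer-config evaluation; ike lines without
            # preceding peer lines belong to IKE_SA_INIT and are skipped
            evals.append(Evaluation(current.get("local", 0),
                                    current.get("remote", 0), int(m["ike"])))
            current = {}
        elif m["cand"] and evals:
            evals[-1].candidate = m["cand"]
        elif m["sel"]:
            selected = m["sel"]
    return evals, selected


# Constructed sample modelled on the IKE_AUTH part of the log in this comment.
SAMPLE = """\
Oct 15 16:53:38 smifado charon: 10[CFG] ike config match: 1052 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:39 smifado charon: 12[CFG] looking for peer configs matching 222.222.222.222[vpn.com]...123.123.123.123[username@secondary]
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match local: 20 (ID_FQDN -> 73:6d)
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match remote: 1 (ID_FQDN -> 6e:69)
Oct 15 16:53:39 smifado charon: 12[CFG] ike config match: 1052 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:39 smifado charon: 12[CFG] candidate "eap-peap", match: 20/1/1052 (me/other/ike)
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match local: 20 (ID_FQDN -> 73:6d)
Oct 15 16:53:39 smifado charon: 12[CFG] peer config match remote: 0 (ID_FQDN -> 6e:69)
Oct 15 16:53:39 smifado charon: 12[CFG] ike config match: 1052 (222.222.222.222 123.123.123.123 IKEv2)
Oct 15 16:53:39 smifado charon: 12[CFG] selected peer config 'eap-peap'
""".splitlines()

if __name__ == "__main__":
    evaluations, chosen = parse_matching(SAMPLE)
    for i, ev in enumerate(evaluations, 1):
        print(f"config #{i}: {ev.verdict()}")
    print(f"selected: {chosen}")
```

Run against the log in this comment it reports the first config as a candidate with priority 20/1/1052 and every config whose remote score is 0 as rejected on rightid, which is the type mismatch explained in the next comment: the remote value is 0 for the *@secondary config even though the text "username@secondary" would match, so the identity type, not the string, is what failed.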

#3 Updated by Martin Willi almost 11 years ago

I'm testing with iOS 8

12[CFG] looking for peer configs matching 222.222.222.222[vpn.com]...123.123.123.123[username@secondary]
12[CFG] peer config match remote: 1 (ID_FQDN -> 6e:69:65:6c:73:40:63:68:69:6e:61)

It seems that iOS8 uses an ID_FQDN identity type for the identity, which obviously does not match the configured *@secondary RFC822_ADDR identity type in your configuration. Possible that this is a bug on iOS (according to AppleIKEv2Profile FQDN is used for DNs, not sure if this is true for emails as well). Probably you should try to use a valid email address as identity, maybe it helps.

but clients will include BlackBerry and Windows too. (I can test with Windows to see if there's any difference.)

Not sure about BlackBerries, but Windows actually does not send any sane IKE identity; it uses the local IP address. That makes configuration matching impossible. Unfortunately, we currently don't support configuration matching based on EAP identities.

Regards
Martin

#4 Updated by Martin Willi almost 11 years ago

Forgot to mention, you may prepend an @ to enforce a FQDN identity on strongSwan. So having rightid=@*@secondary should match to a FQDN username@secondary identity.
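
To make the identity-type rule from the previous two comments concrete, here is a small model of how a rightid string is classified and then scored against the IDi a peer sends. It is an added example written for this issue, not strongSwan's implementation: the scores 0, 1 and 20 are the ones visible in the log (no match, %any match, perfect match), while the wildcard score of 19, the conn name eap-peap-secondary and the reduced set of classification rules are assumptions of the example.

```python
import ipaddress

# Identity types as they appear in the log (ID_FQDN) and in comment #3.
ID_ANY, ID_FQDN, ID_RFC822_ADDR, ID_IPV4_ADDR = (
    "ID_ANY", "ID_FQDN", "ID_RFC822_ADDR", "ID_IPV4_ADDR")

MATCH_NONE = 0       # log: "peer config match remote: 0"
MATCH_ANY = 1        # log: "peer config match remote: 1" for rightid=%any
MATCH_WILDCARD = 19  # assumed: a wildcard match ranks between %any and perfect
MATCH_PERFECT = 20   # log: "peer config match local: 20"


def parse_id(text):
    """Classify a rightid/leftid string into (type, value), reduced to the
    cases this issue touches: a leading '@' forces ID_FQDN (comment #4), a
    bare string containing '@' becomes RFC822_ADDR, an IPv4 literal becomes
    an address identity, %any is the wildcard type, anything else is FQDN."""
    if text == "%any":
        return (ID_ANY, "")
    if text.startswith("@"):
        return (ID_FQDN, text[1:])
    if "@" in text:
        return (ID_RFC822_ADDR, text)
    try:
        ipaddress.IPv4Address(text)
        return (ID_IPV4_ADDR, text)
    except ValueError:
        return (ID_FQDN, text)


def match(config_id, peer_id):
    """Score a configured identity against the (type, value) a peer sent.
    A type mismatch scores 0 no matter how similar the strings look."""
    cfg_type, cfg_val = config_id
    peer_type, peer_val = peer_id
    if cfg_type == ID_ANY:
        return MATCH_ANY
    if cfg_type != peer_type:
        return MATCH_NONE
    if cfg_val == peer_val:
        return MATCH_PERFECT
    if cfg_val.startswith("*") and peer_val.endswith(cfg_val[1:]):
        return MATCH_WILDCARD
    return MATCH_NONE


def select_config(configs, peer_id):
    """Pick the conn whose rightid scores highest for this peer identity,
    the way charon ranks its candidates; returns (name, score) or None."""
    best = None
    for name, rightid in configs:
        score = match(parse_id(rightid), peer_id)
        if score > MATCH_NONE and (best is None or score > best[1]):
            best = (name, score)
    return best


# The two conns from the issue; the second name is assumed.
ORIGINAL = [("eap-peap", "%any"), ("eap-peap-secondary", "*@secondary")]
FIXED = [("eap-peap", "%any"), ("eap-peap-secondary", "@*@secondary")]
# What the log shows iOS 8 sending: the e-mail-looking string typed as FQDN.
IOS_IDI = (ID_FQDN, "username@secondary")

if __name__ == "__main__":
    print(select_config(ORIGINAL, IOS_IDI))  # %any wins: rightid is RFC822, IDi is FQDN
    print(select_config(FIXED, IOS_IDI))     # the @-prefixed wildcard now outranks %any
```

With rightid=*@secondary the string is classified as an RFC822_ADDR identity, so the FQDN-typed IDi from iOS scores 0 against it and the %any conn is the only candidate left; with the @ prefix the configured identity is FQDN too, the wildcard applies, and it outranks %any exactly as comment #1 says a partial match should. A peer that sends no usable identity, such as the IP-address IDi mentioned for Windows, still falls through to the %any conn.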

#5 Updated by Anonymous almost 11 years ago

Hi Martin,

Prepending the @ works great. Thanks! Will also try using a full e-mail address.

Thanks,
Niels

#6 Updated by Tobias Brunner almost 11 years ago

  • Category set to configuration
  • Status changed from Feedback to Closed
  • Assignee set to Martin Willi