Issue #1252

Updated by Tobias Brunner over 9 years ago

I am trying to use strongswan directly from Linux (no network manager support) to connect to a Windows Server 2008 VPN in order to redirect all my internet traffic through a VPN. The commercial VPN supports L2TP/IPsec through a shared PSK plus the standard username/password credential (as far as I have understood L2TP could not be necessary and in any case the L2TP protocol sets up after the IPsec tunnel has been established); I have no problem in connecting from Windows, yet from Linux the tunnel is never established. The ipsec.conf, ipsec.secrets and the connection logs are attached; here follows just a brief summary of what is happening:

1) If I use leftauth=eap and rightauth=psk the connection fails because the server seems to provide by itself its certificate and the strongswan client drops the connection since PSK verification has not taken place (constraint requires pre-shared key authentication, but public key was used).

2) If I use leftauth=eap and rightauth=pubkey (so I skip PSK) strongswan verifies the server certificate, performs a successful EAP authentication (which works perfectly because if I change either the username or password an error is returned), but then another authentication is made which, unluckily, again fails (EAP method EAP_MSCHAPV2 succeeded, MSK established, reinitiating already active tasks,IKE_AUTH task, authentication of 'purevpn0sxxxxxx' (myself) with EAP, parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ], [IKE] AUTH payload missing, [ENC] generating INFORMATIONAL request 6 [ N(AUTH_FAILED) ]).



In the log, even though the EAP authentication is reported to be successful, I can read: EAP-MS-CHAPv2 succeeded: '(null)', which seems quite strange (I would expect a non-null string between quotes). Moreover I do not know what option in the configuration enables the verification of the PSK in place of the certificate.

Probably it is just a configuration issue, but I was unable to find a working configuration example in https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2Examples.
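A way to read the two failures described in this report, as an added example that is not part of the original issue or of strongSwan: a small triage script that separates notifies received from the peer ("parsed") from those the client itself sends ("generating") and reports the stage at which the exchange failed. The sample lines are constructed from the fragments quoted above, not taken from the attached logs, and the function and stage names are hypothetical.

```python
import re

# Constructed sample (attempt 2: leftauth=eap, rightauth=pubkey), assembled
# from the log fragments quoted in the report; not the attached log itself.
SAMPLE_EAP = """\
[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
[IKE] authentication of 'purevpn0sxxxxxx' (myself) with EAP
[ENC] parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ]
[IKE] AUTH payload missing
[ENC] generating INFORMATIONAL request 6 [ N(AUTH_FAILED) ]
"""
# Constructed sample (attempt 1: leftauth=eap, rightauth=psk).
SAMPLE_PSK = ("[IKE] constraint requires pre-shared key authentication, "
              "but public key was used\n")

MSG = re.compile(r"(parsed|generating) (\S+) (request|response) (\d+) \[(.*)\]")
NOTIFY = re.compile(r"N\(([A-Z0-9_]+)\)")
CONSTRAINT = re.compile(r"constraint requires (.+?) authentication, but (.+?) was used")

def triage(log):
    """Classify where an IKEv2 exchange failed from charon-style log lines."""
    result = {"eap_ok": False, "received": [], "sent": [], "mismatch": None}
    for line in log.splitlines():
        if re.search(r"EAP method \S+ succeeded", line):
            result["eap_ok"] = True
        m = CONSTRAINT.search(line)
        if m:
            # (what the local rightauth demands, what the peer actually used)
            result["mismatch"] = (m.group(1), m.group(2))
        m = MSG.search(line)
        if m:
            # "parsed" = message from the peer, "generating" = sent by us
            side = "received" if m.group(1) == "parsed" else "sent"
            result[side].extend(NOTIFY.findall(m.group(5)))
    if result["mismatch"]:
        result["stage"] = "peer-auth-constraint"
    elif result["eap_ok"] and result["received"]:
        # Credentials were accepted; the peer rejected something afterwards.
        # FAIL_CP_REQ is the log's short form of RFC 7296 FAILED_CP_REQUIRED:
        # the responder expected a configuration payload (CP) request.
        result["stage"] = "rejected-by-peer-after-eap"
    elif result["eap_ok"]:
        result["stage"] = "failed-after-eap"
    else:
        result["stage"] = "unknown"
    return result

if __name__ == "__main__":
    for name, log in (("eap/pubkey", SAMPLE_EAP), ("eap/psk", SAMPLE_PSK)):
        print(name, triage(log))
```

On the constructed lines this shows that AUTH_FAILED in the second attempt is sent by the client, while the only notify coming from the server is FAIL_CP_REQ.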

