[Swan] OSX Connectivity debugging
Mr. Jan Walter
hopping_hol at yahoo.com
Mon Jan 28 20:04:42 UTC 2019
Paul & list:
Okay, so last try on this, it's pretty frustrating. I made the changes in the ipsec.conf file per your suggestions, and of course, it gets farther.
OSX Log Facility Output:
2019-01-28 14:51:16.602342-0500 0x168228 Activity 0xcdd60 66177 0 neagent: (NetworkExtension) IKEv2 processing socket read event
2019-01-28 14:51:16.602452-0500 0x168228 Activity 0xcdd61 66177 0 neagent: (NetworkExtension) IKEv2 processing socket read event
2019-01-28 14:51:16.602494-0500 0x168228 Activity 0xcdd62 66177 0 neagent: (NetworkExtension) IKEv2 processing socket read event
2019-01-28 14:51:16.602538-0500 0x168228 Activity 0xcdd63 66177 0 neagent: (NetworkExtension) IKEv2 processing socket read event
2019-01-28 14:51:16.602803-0500 0x168210 Activity 0xcdd64 66177 0 neagent: (Security) SecTrustEvaluateIfNecessary
2019-01-28 14:51:16.602882-0500 0x168228 Activity 0xcdd65 66177 0 neagent: (NetworkExtension) IKEv2 processing socket read event
2019-01-28 14:51:16.609829-0500 0x168210 Default 0x0 66177 0 neagent: (Security) [com.apple.securityd:SecError] Trust evaluate failure: [leaf SSLHostname]
2019-01-28 14:51:16.609832-0500 0x168210 Error 0x0 66177 0 neagent: (NetworkExtension) [com.apple.networkextension:] Certificate evaluation error = kSecTrustResultRecoverableTrustFailure
2019-01-28 14:51:16.609840-0500 0x168210 Error 0x0 66177 0 neagent: (NetworkExtension) [com.apple.networkextension:] Certificate is not trusted
2019-01-28 14:51:16.609844-0500 0x168210 Error 0x0 66177 0 neagent: (NetworkExtension) [com.apple.networkextension:] Certificate authentication data could not be verified
2019-01-28 14:51:16.609847-0500 0x168210 Error 0x0 66177 0 neagent: (NetworkExtension) [com.apple.networkextension:] Failed to process IKE Auth packet (connect)
Ipsec barf output:
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: proposal 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match] 2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 5:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: certificate verified OK: O=Client1,CN=client1.zzz.net
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: No matching subjectAltName found
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: No matching subjectAltName found
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: IKEv2 mode peer ID is ID_FQDN: '@client1.zzz.net'
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: Authenticated using RSA
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: proposal 1:ESP:SPI=08fdfa42;ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED 5:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: received unsupported NOTIFY v2N_NON_FIRST_FRAGMENTS_ALSO
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #16: negotiated connection [22.22.22.22-22.22.22.22:0-65535 0] -> [10.0.0.240-10.0.0.240:0-65535 0]
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #16: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0x08fdfa42 <0xb6b7d56a xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=11.11.11.11:4500 DPD=active}
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #14: deleting state (STATE_V2_IPSEC_R) aged 15.101s and NOT sending notification
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #14: ESP traffic information: in=0B out=0B
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: expire unused IKE SA #13 "ikev2-cp"[1] 11.11.11.11
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #13: deleting state (STATE_PARENT_R2) aged 15.167s and sending notification
Commands to make the CA, server, and client certs. The server cert was exported and imported into ipsec. The CA, server, and client certificates and keys were exported using pk12util and imported into the OSX keystore. Tried the "login" keystore and the "system" keystore, with the CA cert marked "trust always", and on each subsequent attempt marked the server, and then the client cert, as "trust always".
The error message on the OSX Mojave side is the same, so there is something missing in the trust chain I don't see.
certutil -S -x -n "ca.zzz.net" -s "O=zzzz team CA,CN=ca.zzz.net" -k rsa -g 4096 -v 12 -d sql:${HOME}/ca -t "CT,," -2
certutil -S -c "ca.zzz.net" -n "vv.zzz.net" -s "O=VV Server Cert,CN=vv.zzz.net" -k rsa -v 12 -d sql:${HOME}/ca -t ",," -1 -6 --extSAN 'dns:vv.zzz.net,ip:22.22.22.22,ip:10.0.0.194'
certutil -S -c "ca.zzz.net" -n "client1.zzz.net" -s "O=Client1,CN=client1.zzz.net" -k rsa -v 12 -d sql:${HOME}/ca -t ",," -1 -6 -8 "client1.zzz.net"
ipsec.conf:
conn ikev2-cp
    authby=rsasig
    ikev2=insist
    cisco-unity=yes
    # The server's actual IP goes here - not elastic IPs
    left=10.0.0.194
    leftsourceip=22.22.22.22
    leftcert=vv.zzz.net
    leftid=@zzz.net
    leftsendcert=always
    #leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    # try to structure something to accept this offer: IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024
    ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp2048,aes128-sha1;modp2048,aes-sha2;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024,aes-sha2;modp1024
    #esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512
    # Clients
    right=%any
    # your addresspool to use - you might need NAT rules if providing full internet to clients
    rightaddresspool=10.0.0.240-10.0.0.250
    # optional rightid with restrictions
    # rightid="C=CA, L=Toronto, O=Libreswan Project, OU=*, CN=*, E=*"
    rightca=%same
    rightrsasigkey=%cert
    rightid=%fromcert
    #
    # connection configuration
    # DNS servers for clients to use
    #modecfgdns=8.8.8.8,193.100.157.123
    # Versions up to 3.22 used modecfgdns1 and modecfgdns2
    #modecfgdns1=8.8.8.8
    #modecfgdns2=193.110.157.123
    narrowing=yes
    # recommended dpd/liveness to cleanup vanished clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    rekey=no
    #ms-dh-fallback=yes
    #msdh-downgrade=yes
    ms-dh-downgrade=yes
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    # ikev2 fragmentation support requires libreswan 3.14 or newer
    fragmentation=yes
    # optional PAM username verification (eg to implement bandwidth quota
    # pam-authorize=yes
Cheers,
Jan
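An added diagnostic, not from Jan's post or from libreswan, that compares the server certificate's SAN entries (taken from the post's certutil --extSAN argument) against the gateway identities a client profile might evaluate; the candidate list, which includes the post's leftid, is an assumption. A client that checks the leaf certificate against an identity absent from the SAN rejects it, which is the class of failure macOS reports as "leaf SSLHostname".

```python
# Added example (not from the list post or libreswan): report which gateway
# identities a client might evaluate are not covered by a server cert's SAN.
# SAN string and leftid come from the post; the candidate list is assumed.
import ipaddress


def parse_extsan(extsan: str) -> dict:
    """Parse a certutil --extSAN value like 'dns:vv.zzz.net,ip:22.22.22.22'
    into {'dns': {names}, 'ip': {addresses}}."""
    sans = {"dns": set(), "ip": set()}
    for entry in extsan.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind.lower() == "dns":
            sans["dns"].add(value.lower().rstrip("."))
        elif kind.lower() == "ip":
            sans["ip"].add(ipaddress.ip_address(value))
    return sans


def classify_identity(ident: str) -> tuple:
    """'@host' or a bare hostname is an FQDN; a literal address is an IP."""
    ident = ident.strip()
    if ident.startswith("@"):
        return ("dns", ident[1:].lower().rstrip("."))
    try:
        return ("ip", ipaddress.ip_address(ident))
    except ValueError:
        return ("dns", ident.lower().rstrip("."))


def missing_identities(extsan: str, identities: list) -> list:
    """Return the identities the SAN does not cover; a client checking the
    leaf cert against one of them (macOS: 'leaf SSLHostname') rejects it."""
    sans = parse_extsan(extsan)
    missing = []
    for ident in identities:
        kind, value = classify_identity(ident)
        if value not in sans[kind]:
            missing.append(ident)
    return missing


# From the post: the server cert's --extSAN and its leftid (@zzz.net);
# the other candidates are assumed values a client profile could use.
SERVER_SAN = "dns:vv.zzz.net,ip:22.22.22.22,ip:10.0.0.194"
CANDIDATES = ["@zzz.net", "@vv.zzz.net", "22.22.22.22", "10.0.0.194"]

if __name__ == "__main__":
    print("not covered by SAN:", missing_identities(SERVER_SAN, CANDIDATES))
```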