[Swan] OSX Connectivity debugging

Mr. Jan Walter hopping_hol at yahoo.com
Mon Jan 28 20:04:42 UTC 2019 

 Paul & list:
Okay, so last try on this, it's pretty frustrating. I made the changes in the ipsec.conf file per your suggestions, and of course, it gets farther.

OSX Log Facility Output:2019-01-28 14:51:16.602342-0500 0x168228   Activity    0xcdd60              66177  0    neagent: (NetworkExtension) IKEv2 processing socket read event2019-01-28 14:51:16.602452-0500 0x168228   Activity    0xcdd61              66177  0    neagent: (NetworkExtension) IKEv2 processing socket read event2019-01-28 14:51:16.602494-0500 0x168228   Activity    0xcdd62              66177  0    neagent: (NetworkExtension) IKEv2 processing socket read event2019-01-28 14:51:16.602538-0500 0x168228   Activity    0xcdd63              66177  0    neagent: (NetworkExtension) IKEv2 processing socket read event2019-01-28 14:51:16.602803-0500 0x168210   Activity    0xcdd64              66177  0    neagent: (Security) SecTrustEvaluateIfNecessary2019-01-28 14:51:16.602882-0500 0x168228   Activity    0xcdd65              66177  0    neagent: (NetworkExtension) IKEv2 processing socket read event2019-01-28 14:51:16.609829-0500 0x168210   Default     0x0                  66177  0    neagent: (Security) [com.apple.securityd:SecError] Trust evaluate failure: [leaf SSLHostname]2019-01-28 14:51:16.609832-0500 0x168210   Error       0x0                  66177  0    neagent: (NetworkExtension) [com.apple.networkextension:] Certificate evaluation error = kSecTrustResultRecoverableTrustFailure2019-01-28 14:51:16.609840-0500 0x168210   Error       0x0                  66177  0    neagent: (NetworkExtension) [com.apple.networkextension:] Certificate is not trusted2019-01-28 14:51:16.609844-0500 0x168210   Error       0x0                  66177  0    neagent: (NetworkExtension) [com.apple.networkextension:] Certificate authentication data could not be verified2019-01-28 14:51:16.609847-0500 0x168210   Error       0x0                  66177  0    neagent: (NetworkExtension) [com.apple.networkextension:] Failed to process IKE Auth packet (connect)
Ipsec barf output:
Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: proposal 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match] 2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 5:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: certificate verified OK: O=Client1,CN=client1.zzz.netJan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: No matching subjectAltName foundJan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: No matching subjectAltName foundJan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: IKEv2 mode peer ID is ID_FQDN: '@client1.zzz.net'Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: Authenticated using RSAJan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: proposal 1:ESP:SPI=08fdfa42;ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED 5:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLEDJan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #15: received unsupported NOTIFY v2N_NON_FIRST_FRAGMENTS_ALSOJan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #16: negotiated connection [22.22.22.22-22.22.22.22:0-65535 0] -> [10.0.0.240-10.0.0.240:0-65535 0]Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #16: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0x08fdfa42 <0xb6b7d56a xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=11.11.11.11:4500 DPD=active}Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #14: deleting state (STATE_V2_IPSEC_R) aged 15.101s and NOT sending notificationJan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #14: ESP traffic information: in=0B out=0BJan 28 19:51:16 ip-10-0-0-194 pluto[2898]: expire unused IKE SA #13 "ikev2-cp"[1] 11.11.11.11Jan 28 19:51:16 ip-10-0-0-194 pluto[2898]: "ikev2-cp"[1] 11.11.11.11 #13: deleting state (STATE_PARENT_R2) aged 15.167s and sending notification
Commands to make ca, server, client cert. server cert exported and imported to ipsec. CA, server, client certificates and keys exported using pk12util, and imported into OSX keystore. Tried "login" keystore and "system" keystore, CA cert marked "trust always", and each subsequent attempt marked server, and then client cert as "trust always".

The error message on the OSX Mojave side is the same, so there is something missing in the trust chain I don't see.
certutil -S -x -n "ca.zzz.net" -s "O=zzzz team CA,CN=ca.zzz.net" -k rsa -g 4096 -v 12 -d sql:${HOME}/ca -t "CT,," -2certutil -S -c "ca.zzz.net" -n "vv.zzz.net" -s "O=VV Server Cert,CN=vv.zzz.net" -k rsa -v 12 -d sql:${HOME}/ca -t ",," -1 -6 --extSAN 'dns:vv.zzz.net,ip:22.22.22.22,ip:10.0.0.194'certutil -S -c "ca.zzz.net" -n "client1.zzz.net" -s "O=Client1,CN=client1.zzz.net" -k rsa -v 12 -d sql:${HOME}/ca -t ",," -1 -6 -8 "client1.zzz.net"
ipsec.conf:
onn ikev2-cp    authby=rsasig    ikev2=insist    cisco-unity=yes    # The server's actual IP goes here - not elastic IPs    left=10.0.0.194    leftsourceip=22.22.22.22    leftcert=vv.zzz.net    leftid=@zzz.net    leftsendcert=always    #leftsubnet=0.0.0.0/0    leftrsasigkey=%cert    # try to structure something to accept this offer: IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024    ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp2048,aes128-sha1;modp2048,aes-sha2;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024,aes-sha2;modp1024    #esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512    # Clients    right=%any    # your addresspool to use - you might need NAT rules if providing full internet to clients    rightaddresspool=10.0.0.240-10.0.0.250    # optional rightid with restrictions    # rightid="C=CA, L=Toronto, O=Libreswan Project, OU=*, CN=*, E=*"    rightca=%same    rightrsasigkey=%cert    rightid=%fromcert    #    # connection configuration    # DNS servers for clients to use    #modecfgdns=8.8.8.8,193.100.157.123    # Versions up to 3.22 used modecfgdns1 and modecfgdns2    #modecfgdns1=8.8.8.8    #modecfgdns2=193.110.157.123    narrowing=yes    # recommended dpd/liveness to cleanup vanished clients    dpddelay=30    dpdtimeout=120    dpdaction=clear    auto=add    rekey=no    #ms-dh-fallback=yes    #msdh-downgrade=yes    ms-dh-downgrade=yes    leftxauthserver=yes    rightxauthclient=yes    leftmodecfgserver=yes    rightmodecfgclient=yes    # ikev2 fragmentation support requires libreswan 3.14 or newer    fragmentation=yes    # optional PAM username verification (eg to implement bandwidth quota    # pam-authorize=yes


Cheers,
Jan  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20190128/5dc7382d/attachment-0001.html>

More information about the Swan mailing list