[Swan] How to connect a Mac client to Libreswan

Blue Aquan blueaquan at zuwissen.com
Sat May 1 14:39:45 UTC 2021


Hi Paul, I read some documentation about similar problems with macOS and
tried a suggestion you had mentioned in them.  I didn't import a
profile, but in the Mac's VPN configuration, under "Authentication
Settings", I chose "None".  When I select "None", it shows two
options below, "Shared Secret" and "Certificate"... I chose
"Certificate", selected the corresponding client certificate and
applied the change.
When I did this, it still does not connect, but there's a change in the
message from the previous one:
May  1 19:55:55.592575: "MOBILE"[1] 1.2.3.4 #8: processing decrypted IKE_AUTH request: SK{IDi,N,N,IDr,AUTH,CERT,CP,N,N,SA,TSi,TSr}
May  1 19:55:55.592602: loading root certificate cache
May  1 19:55:55.593563: "MOBILE"[1] 1.2.3.4 #8: certificate verified OK: O=Sun,CN=Comet
May  1 19:55:55.595941: "MOBILE"[1] 1.2.3.4 #8: reloaded private key matching left certificate 'sun.abc.com'
May  1 19:55:55.595954: "MOBILE"[1] 1.2.3.4 #8: switched from "MOBILE"[1] 1.2.3.4 to "MOBILE"
May  1 19:55:55.595979: "MOBILE"[1] 1.2.3.4: deleting connection instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}
May  1 19:55:55.595992: "MOBILE"[2] 1.2.3.4 #8: IKEv2 mode peer ID is ID_FQDN: '@Comet'
May  1 19:55:55.596196: "MOBILE"[2] 1.2.3.4 #8: authenticated using RSA with SHA1
May  1 19:55:55.611645: "MOBILE"[2] 1.2.3.4 #9: responding to IKE_AUTH message (ID 1) from 1.2.3.4:4500 with encrypted notification TS_UNACCEPTABLE
May  1 19:55:55.611675: "MOBILE"[2] 1.2.3.4 #9: deleting state (STATE_V2_IKE_AUTH_CHILD_R0) aged 0.000041s and NOT sending notification
May  1 19:55:55.611736: "MOBILE"[2] 1.2.3.4 #8: state transition 'Responder: process IKE_AUTH request' failed
May  1 19:55:55.611782: "MOBILE"[2] 1.2.3.4 #8: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 16.182256s and sending notification
May  1 19:55:55.611869: "MOBILE"[2] 1.2.3.4: deleting connection instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}
May  1 19:55:55.642613: packet from 1.2.3.4:4500: INFORMATIONAL message response has no corresponding IKE SA

Thanks, Best
BA

On Sat, 2021-05-01 at 16:43 +0530, Blue Aquan wrote:
> Dear Paul, the reason I couldn't respond to your earlier message
> was certain limitations in finding a macOS machine for this testbed
> purpose.  I finally have one to conduct these tests and here are the
> logs on the server when the Mac tries to connect.
> 
> Please note, with the same configuration on the server, Linux clients
> are able to connect.
> May  1 13:52:38.347004: "MOBILE"[1] 1.2.3.4: local IKE proposals (IKE SA responder matching remote proposals):
> May  1 13:52:38.347034: "MOBILE"[1] 1.2.3.4:   1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
> May  1 13:52:38.347039: "MOBILE"[1] 1.2.3.4:   2:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
> May  1 13:52:38.347043: "MOBILE"[1] 1.2.3.4:   3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
> May  1 13:52:38.347046: "MOBILE"[1] 1.2.3.4:   4:IKE=AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
> May  1 13:52:38.347072: "MOBILE"[1] 1.2.3.4 #10: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match] 2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 5:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024
> May  1 13:52:38.348823: "MOBILE"[1] 1.2.3.4 #10: sent IKE_SA_INIT reply {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
> May  1 13:52:38.412735: "MOBILE"[1] 1.2.3.4 #10: dropping unexpected IKE_AUTH message containing INITIAL_CONTACT... notification; message payloads: SK; encrypted payloads: SA,IDi,IDr,N,TSi,TSr,CP; missing payloads: AUTH
> May  1 13:52:38.412766: "MOBILE"[1] 1.2.3.4 #10: responding to IKE_AUTH message (ID 1) from 1.2.3.4:500 with encrypted notification INVALID_SYNTAX
> May  1 13:52:38.412849: "MOBILE"[1] 1.2.3.4 #10: encountered fatal error in state STATE_PARENT_R1
> May  1 13:52:38.412920: "MOBILE"[1] 1.2.3.4 #10: deleting state (STATE_PARENT_R1) aged 0.065925s and NOT sending notification
> May  1 13:52:38.412954: "MOBILE"[1] 1.2.3.4: deleting connection instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}
> 
> 
> Thanks, Best
> BA
> 
> On Tue, 2021-04-20 at 15:38 -0400, Paul Wouters wrote:
> > On Tue, 20 Apr 2021, Blue Aquan wrote:
> > > Hi Team Libreswan, I have a Libreswan 4.3 (netkey) running on
> > > CentOS 8 which has a roadwarrior setup with the following
> > > configuration. All through I followed this guide:
> > > https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
> > > With a Linux client, the setup works flawlessly, but I am unable
> > > to replicate the same on a Mac client. I tried following the same
> > > steps by creating a certificate for the Mac client, but the Mac
> > > client throws up a lot of errors. I want to know if there's any
> > > standard procedure to follow while connecting from a Mac
> > > client...?
> > > On Linux, the same procedure works perfectly fine.
> > > On the VPN server:
> > > conn COMET
> > >         left=1.2.3.4
> > >         leftsubnet=192.168.1.0/24
> > >         leftcert=sun.abc.com
> > >         leftid=@sun.abc.com
> > 
> > Note that for a Mac to accept this ID, it MUST appear as
> > a subjectAltName (SAN) of the type DNS: inside the certificate.
> > The Mac also needs to have the CA cert that signed it, of course. But
> > it should have that if you used a PKCS#12 formatted file (.p12).
> > Note that in the past, I've had issues with a Mac and its
> > configuration tool when you add a new connection and set it to PSK
> > and fill in the ID, and then change it to certificate. It somehow
> > still would use the wrong old ID instead of the cert. You might want
> > to just delete the conn and start a new one from scratch where you
> > never select PSK or fill in the ID manually.
> > Paul
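An added example, not part of the thread or of Libreswan itself: the archive ran the server log entries together, so this script re-splits such a flattened log at each timestamp and then flags the three things the thread turned on (the peer ID the Mac presented, the IKE_AUTH that arrived without an AUTH payload, and the TS_UNACCEPTABLE / INVALID_SYNTAX notifications). The sample records are constructed from the entries quoted above; the hint texts are mine.

```python
import re

# Constructed sample: log entries from this thread, flattened the way the pipermail
# archive joined them (no newline before the next "May  1 ..." timestamp).
SAMPLE = (
    'May  1 19:55:55.593563: "MOBILE"[1] 1.2.3.4 #8: certificate verified OK: O=Sun,CN=Comet'
    "May  1 19:55:55.595992: \"MOBILE\"[2] 1.2.3.4 #8: IKEv2 mode peer ID is ID_FQDN: '@Comet'"
    'May  1 19:55:55.611645: "MOBILE"[2] 1.2.3.4 #9: responding to IKE_AUTH message (ID 1) '
    'from 1.2.3.4:4500 with encrypted notification TS_UNACCEPTABLE'
    'May  1 13:52:38.412735: "MOBILE"[1] 1.2.3.4 #10: dropping unexpected IKE_AUTH message '
    'containing INITIAL_CONTACT... notification; message payloads: SK; encrypted payloads: '
    'SA,IDi,IDr,N,TSi,TSr,CP; missing payloads: AUTH'
    'May  1 13:52:38.412766: "MOBILE"[1] 1.2.3.4 #10: responding to IKE_AUTH message (ID 1) '
    'from 1.2.3.4:500 with encrypted notification INVALID_SYNTAX'
)

# Zero-width split point before each syslog-style stamp "Mon  d HH:MM:SS.ffffff: ".
STAMP_RE = re.compile(r'(?=[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}\.\d{6}: )')
NOTIFY_RE = re.compile(r'with encrypted notification ([A-Z_]+)')
PEER_ID_RE = re.compile(r"peer ID is (ID_\w+): '([^']*)'")

# Operator hints for the responder notifications seen in the thread (RFC 7296 notify types).
HINTS = {
    'TS_UNACCEPTABLE': 'client traffic selectors rejected; compare leftsubnet/rightsubnet '
                       '(and any address pool) with what the client proposes',
    'INVALID_SYNTAX': 'IKE_AUTH could not be processed; the preceding record says why',
}


def split_log(blob):
    """Recover one record per log entry from a flattened Libreswan log."""
    return [rec.strip() for rec in STAMP_RE.split(blob) if rec.strip()]


def triage(records):
    """Return (code, explanation) pairs for records that explain a failed IKE_AUTH."""
    findings = []
    for rec in records:
        if m := NOTIFY_RE.search(rec):
            findings.append((m.group(1), HINTS.get(m.group(1), 'see RFC 7296 section 3.10.1')))
        elif 'missing payloads: AUTH' in rec:
            # A first IKE_AUTH without an AUTH payload is how an initiator requests EAP
            # (RFC 7296 section 2.16); at that point the client was not doing cert auth.
            findings.append(('MISSING_AUTH', 'client is requesting EAP, not certificate auth'))
        elif m := PEER_ID_RE.search(rec):
            findings.append(('PEER_ID', f'{m.group(1)} {m.group(2)} must match rightid and '
                                        'be present in the client certificate'))
    return findings
```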