[Swan] IKEv2 PAM auth failure - how it's done properly?

Mirsad Goran Todorovac mirsad.todorovac at alu.hr
Thu Jan 20 11:08:01 EET 2022


Hello,

I have installed the IKEv2 VPN connection on my colleague's laptop, and 
he was disappointed to notice that there is no password authentication in 
addition to the certificate.

This is also awkward because we would have to change all certificates if, 
e.g., one laptop configured for the Faculty VPN were lost or stolen. :-(

I tried to set up the Windows 10 native VPN client with IKEv2 + username + 
password and pam-authorize=yes in /etc/ipsec.d/ikev2.conf.

What I receive is rather odd: it seems that the certificate rightid is taken 
as the username instead of the Windows-provided username and password:

Jan 20 09:45:03.533192: "MYCONN-ikev2-cp"[2] 193.198.186.218 #1: IKEv2 FAILED during pam_authenticate with 'User not known to the underlying authentication module' for state #1, MYCONN-ikev2-cp[2] user=CN=pc-mtodorov.alu.hr, O=ALU-UNIZG.
Jan 20 09:45:03.533787: | PAM: #1: PAM-process completed for user 'CN=pc-mtodorov.alu.hr, O=ALU-UNIZG' with result FAILURE

I would like to authenticate users from the Linux server's /etc/passwd. Is 
that possible?
I failed to Google anything on IKEv2 PAM authentication.

My /etc/ipsec.d/ikev2.conf is rather standard, and it works perfectly 
when I disable PAM auth:

conn MYCONN-ikev2-cp
         # The server's actual IP goes here - not elastic IPs
         left=161.53.235.3
         leftcert=vpn.alu.hr
         leftid=@vpn.alu.hr
         leftsendcert=always
         leftsubnet=0.0.0.0/0
         leftrsasigkey=%cert
         # Clients
         right=%any
         # your addresspool to use - you might need NAT rules if providing full internet to clients
         rightaddresspool=192.168.101.10-192.168.101.253
         # optional rightid with restrictions
         # rightid="O=ALU-UNIZG,CN=win7client.alu.hr"
         rightca=%same
         rightrsasigkey=%cert
         #
         # connection configuration
         # DNS servers for clients to use
         modecfgdns=8.8.8.8,192.168.100.1
         # Versions up to 3.22 used modecfgdns1 and modecfgdns2
         #modecfgdns1=8.8.8.8
         #modecfgdns2=193.110.157.123
         narrowing=yes
         # recommended dpd/liveness to cleanup vanished clients
         dpddelay=30
         dpdtimeout=120
         dpdaction=clear
         auto=add
         ikev2=insist
         rekey=no
         esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1
         # esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
         # ikev2 fragmentation support requires libreswan 3.14 or newer
         fragmentation=yes
         # optional PAM username verification (eg to implement bandwidth quota)
         # pam-authorize=yes
         ms-dh-downgrade=yes
         authby=rsa-sha1
         # authby=ecdsa

Kind regards,
Mirsad

-- 
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
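As an added example, not part of the original mail or of libreswan itself: a small Python helper that triages the pluto PAM log lines quoted above. It extracts the identity that pluto handed to PAM and flags failed attempts where that identity is a certificate DN rather than a login name, which is exactly what the "User not known to the underlying authentication module" failure in the mail reflects. The sample log is constructed from the quoted lines plus one hypothetical successful attempt.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the pluto lines quoted in the mail above,
# plus one hypothetical SUCCESS line for a plain login name.
SAMPLE_LOG = """\
Jan 20 09:45:03.533192: "MYCONN-ikev2-cp"[2] 193.198.186.218 #1: IKEv2 FAILED during pam_authenticate with 'User not known to the underlying authentication module' for state #1, MYCONN-ikev2-cp[2] user=CN=pc-mtodorov.alu.hr, O=ALU-UNIZG.
Jan 20 09:45:03.533787: | PAM: #1: PAM-process completed for user 'CN=pc-mtodorov.alu.hr, O=ALU-UNIZG' with result FAILURE
Jan 20 09:47:11.101010: | PAM: #2: PAM-process completed for user 'mirsad' with result SUCCESS
"""

# The per-attempt summary line pluto writes once PAM has finished.
PAM_RESULT = re.compile(
    r"PAM: #(?P<state>\d+): PAM-process completed for user "
    r"'(?P<user>[^']*)' with result (?P<result>[A-Z]+)"
)

@dataclass
class PamEvent:
    state: int
    user: str
    result: str

def is_cert_dn(identity: str) -> bool:
    """True if the identity is a comma-separated list of RDNs (CN=..., O=...),
    i.e. a certificate subject rather than a login name."""
    parts = [p.strip() for p in identity.split(",")]
    return all(re.fullmatch(r"[A-Za-z]+=.+", p) for p in parts)

def parse_pam_events(log: str) -> list[PamEvent]:
    """Extract one PamEvent per 'PAM-process completed' line."""
    events = []
    for line in log.splitlines():
        m = PAM_RESULT.search(line)
        if m:
            events.append(PamEvent(int(m["state"]), m["user"], m["result"]))
    return events

def diagnose(log: str) -> list[str]:
    """One finding per failed attempt whose PAM username is a certificate DN:
    no /etc/passwd entry can match such a name, hence 'User not known'."""
    findings = []
    for ev in parse_pam_events(log):
        if ev.result == "FAILURE" and is_cert_dn(ev.user):
            findings.append(
                f"state #{ev.state}: PAM received the certificate DN '{ev.user}', "
                "not a login name; no local account can match it"
            )
    return findings
```

Run `diagnose()` over a `journalctl -u ipsec` dump (assumed unit name) to see at a glance whether PAM is being fed certificate subjects or real usernames.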


