<html><head></head><body><div class="ydpdd9bd62cyahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div></div>
<div>I think that one is out of date. Here is the latest log. Error on OSX is "authentication failed". It really looks like it hates that there is no AltName in the client cert, which is pretty weird.</div><div><br></div><div>11.11.11.11 is the client public ip</div><div>18.22.22.22 is the server Elastic IP</div><div><br></div><div><span><div>Jan 23 23:03:33 ip-10-0-0-194 pluto[25632]: "ikev2-cp"[2] 11.11.11.11: constructed local IKE proposals for ikev2-cp (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 2:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048 5:IKE:ENCR=AES_CBC_256,AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 6:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 7:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 8:IKE:ENCR=AES_CBC_256,AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1024</div><div>Jan 23 23:03:33 ip-10-0-0-194 pluto[25632]: "ikev2-cp"[2] 11.11.11.11 #2: proposal 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match] 2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 5:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024</div><div>Jan 23 23:03:33 ip-10-0-0-194 pluto[25632]: "ikev2-cp"[2] 11.11.11.11 #2: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}</div><div>Jan 23 23:03:33 ip-10-0-0-194 pluto[25632]: "ikev2-cp"[2] 11.11.11.11 #2: certificate verified OK: O=Client2,CN=client2.zzz.net</div><div>Jan 23 23:03:33 ip-10-0-0-194 pluto[25632]: "ikev2-cp"[2] 11.11.11.11 #2: No matching subjectAltName found</div><div>Jan 23 23:03:33 ip-10-0-0-194 pluto[25632]: "ikev2-cp"[2] 11.11.11.11 #2: certificate does not contain ID_IP subjectAltName=11.11.11.11</div><div>Jan 23 23:03:33 ip-10-0-0-194 pluto[25632]: "ikev2-cp"[2] 11.11.11.11 #2: Peer public key SubjectAltName does not match peer ID for this connection</div><div>Jan 23 23:03:33 ip-10-0-0-194 pluto[25632]: "ikev2-cp"[2] 11.11.11.11 #2: No matching subjectAltName found</div><div>Jan 23 23:03:33 ip-10-0-0-194 pluto[25632]: "ikev2-cp"[2] 11.11.11.11 #2: No matching subjectAltName found</div><div>Jan 23 23:03:33 ip-10-0-0-194 pluto[25632]: "ikev2-cp"[2] 11.11.11.11 #2: Peer ID '10.4.9.62' mismatched on first found connection and no better connection found</div><div>Jan 23 23:03:33 ip-10-0-0-194 pluto[25632]: "ikev2-cp"[2] 11.11.11.11 #2: responding to IKE_AUTH message (ID 1) from 11.11.11.11:10700 with encrypted notification AUTHENTICATION_FAILED</div><div>Jan 23 23:05:35 ip-10-0-0-194 pluto[25632]: "ikev2-cp"[2] 11.11.11.11 #3: proposal 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match] 2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 5:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HM leftsubnet=0.0.0.0/0</div><div><br></div><div>conn ikev2-cp</div><div> authby=rsasig</div><div> ikev2=insist</div><div> cisco-unity=yes</div><div> # The server's actual IP goes here - not elastic IPs</div><div> left=10.0.0.194</div><div> leftsourceip=18.22.22.22</div><div> leftcert=vv.zzz.net</div><div> #leftid=@vv.zzz.net</div><div> leftsendcert=always</div><div> leftsubnet=0.0.0.0/0</div><div> leftrsasigkey=%cert</div><div> # try to structure something to accept this offer: IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024</div><div> ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp2048,aes128-sha1;modp2048,aes-sha2;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024,aes-sha2;modp1024</div><div> #esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512</div><div> # Clients</div><div> right=%any</div><div> # your addresspool to use - you might need NAT rules if providing full internet to clients</div><div> rightaddresspool=10.0.0.240-10.0.0.250</div><div> # optional rightid with restrictions</div><div> # rightid="C=CA, L=Toronto, O=Libreswan Project, OU=*, CN=*, E=*"</div><div> rightca=%same</div><div> rightrsasigkey=%cert</div><div> #</div><div> # connection configuration</div><div> # DNS servers for clients to use</div><div> #modecfgdns=8.8.8.8,193.100.157.123</div><div> # Versions up to 3.22 used modecfgdns1 and modecfgdns2</div><div> #modecfgdns1=8.8.8.8</div><div> #modecfgdns2=193.110.157.123</div><div> narrowing=yes</div><div> # recommended dpd/liveness to cleanup vanished clients</div><div> dpddelay=30</div><div> dpdtimeout=120</div><div> dpdaction=clear</div><div> auto=add</div><div> rekey=no</div><div> #ms-dh-fallback=yes</div><div> #msdh-downgrade=yes</div><div> ms-dh-downgrade=yes</div><div> leftxauthserver=yes</div><div> rightxauthclient=yes</div><div> leftmodecfgserver=yes</div><div> rightmodecfgclient=yes</div><div> # ikev2 fragmentation support requires libreswan 3.14 or newer</div><div> fragmentation=yes</div><div> # optional PAM username verification (eg to implement bandwidth quota</div><div> # pam-authorize=yes</div></span><br></div><div><br></div>
</div><div id="yahoo_quoted_8306052446" class="yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
On Wednesday, January 23, 2019, 1:38:42 PM EST, Paul Wouters <paul@nohats.ca> wrote:
</div>
<div><br></div>
<div><br></div>
<div><div dir="ltr">On Tue, 22 Jan 2019, Mr. Jan Walter wrote:<br clear="none"><br clear="none">> Generated cert with now-changed public IP address for client. Does the --extSAN ip:xx.xx.xx.xx need to the public ip address of the client's<br clear="none">> NAT gateway or the internal IPv4 address on the LAN of the client?<br clear="none"><br clear="none">The SAN should be the IP that others connect to. So the public/elastic<br clear="none">one.<br clear="none"><br clear="none">> How does this connection use case address roaming clients?<br clear="none"><br clear="none">Client certificates should not use IP based SAN's. They can use a @fqdn<br clear="none">SAN or just stick with sending the Distinguished Name (DN) using leftif=%fromcert<br clear="none"><br clear="none">> matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED<br clear="none">> 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED<br clear="none">> 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED<br clear="none">> Jan 22 17:20:06 ip-10-0-0-194 pluto[19256]: "ikev2-cp"[2] xx.xx.xx.xx #2: no local proposal matches remote proposals<br clear="none">> 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 2:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED<br clear="none">> 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED<br clear="none">> 5:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED<br clear="none">> Jan 22 17:20:06 ip-10-0-0-194 pluto[19256]: "ikev2-cp"[2] xx.xx.xx.xx #2: IKE_AUTH responder matching remote ESP/AH proposals failed, responder<br clear="none">> SA processing returned STF_FAIL+v2N_NO_PROPOSAL_CHOSEN<br clear="none"><br clear="none">This is a phase2/esp mismatch. Looks like DH groups might not match. Try<br clear="none">changing the pfs= setting?<div class="yqt0305121092" id="yqtfd97631"><br clear="none"><br clear="none">Paul<br clear="none"></div></div></div>
</div>
</div></body></html>