
Ubuntu 20.04 Strongswan 5.9.1 (built from source)

swanctl.conf

Android Strongswan app

I am using a self-signed CA and certificates.

roadwarr-ikev2-pubkey {
    version = 2
    #proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
    proposals = aes256-sha1-modp1024,default
    rekey_time = 0s
    pools = primary-pool-ipv4
    fragmentation = yes
    dpd_delay = 30s
    local_addrs = %any
    # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
    local-1 {
        #auth = pubkey
        certs = Srv1SwanCert.der
        id = ub-srv-1
    }
    remote-1 {
        # defaults are fine.
        #auth = pubkey
        #id = androidLkP
        id = %any
    }
    children {
        roadwarr-ikev2-pubkey {
            # local_ts = 10.10.5.0/24
            local_ts = 0.0.0.0/0
            rekey_time = 0s
            dpd_action = clear
            # esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            esp_proposals = aes256-sha1-modp1024,default
        }
    }
}

This setup works only if the "Client identity" field in the Android app is blank. As soon as I add a client ID, I get this:

15[CFG] selected peer config 'roadwarr-ikev2-pubkey'
15[IKE] no trusted RSA public key found for 'androidLkP'

androidLkP is a CN in this particular certificate.

I have extracted a public key from a certificate using the pki command and placed it in the /etc/swanctl/pubkey folder. My goal is to have separate configurations for specific clients instead of using id = %any.

The pubkey plugin is loaded.

What could cause this problem?

Does it work with a self-signed CA, or does it require a real trusted CA?

lk7777

1 Answer

The value of the CN RDN can't be matched individually in strongSwan (unless you actually configure it as partial DN and enable relaxed RDN matching in strongswan.conf).

The configured identity either has to be the full subject DN or a subjectAltName (SAN) contained in the certificate.

ecdsa
  • Thank you for your advice. id = "C=XX, O=XXX, CN=user1", id = "C=XX, O=lXXX, CN=user2" helped with individual connections. "Client identity" in Android app can be blank. – lk7777 Jan 13 '21 at 20:46
  • Yes, the client identity will default to the full subject DN of the certificate if you don't configure it. – ecdsa Jan 14 '21 at 08:59
  • I have just one question for you. Is it possible in swanctl.conf to configure IKEv2 Certificate + EAP (Username/Password) by using eap-radius? eap-radius works for me if I select in Android app IKEv2 EAP (username/password). I do not ask you to give me instructions on how to implement it in this comment. I will open a new thread if this setup is possible. Thank you. – lk7777 Jan 14 '21 at 16:12
  • Not sure if you mean *only* via eap-radius, as that won't work. But you sure can use regular IKEv2 certificate authentication and then username/password-based EAP authentication via eap-radius (just define two remote authentication rounds, one with `auth = pubkey`, the other with `auth = eap-radius`). – ecdsa Jan 14 '21 at 16:18
  • Thank you again. Just added remote-1 with auth = pubkey and remote-2 with auth = eap-radius to the same connection and it works now. Probably it deserves a new thread, it might be helpful for others. What do you think? – lk7777 Jan 14 '21 at 18:16
  • Seems pretty straight forward to me :) But sure, go ahead. – ecdsa Jan 15 '21 at 08:53
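The following swanctl.conf is an added example illustrating the answer and the comment thread above; it is not the asker's configuration or anything shipped by the strongSwan project. It shows per-client connections whose remote identity is the full subject DN (the DNs are the ones quoted in the comments) or a subjectAltName, and a third connection that chains certificate authentication with EAP via eap-radius in two remote rounds. Assumptions: the server certificate Srv1SwanCert.der and the pool primary-pool-ipv4 from the question are in place, the client certificates are issued by a CA whose certificate is installed under /etc/swanctl/x509ca so the peer certificate is trusted, the SAN user2@example.org is a constructed value, and the eap-radius plugin is already configured in strongswan.conf (the asker reports it works). The proposals are the GCM/ECP ones the question left commented out rather than aes256-sha1-modp1024, since SHA-1 and modp1024 are deprecated.

```conf
connections {

    # One connection per client: the remote id must equal the client's full
    # subject DN exactly (a bare CN does not match, per the accepted answer).
    rw-user1 {
        version = 2
        proposals = aes128gcm16-prfsha256-ecp256
        pools = primary-pool-ipv4
        fragmentation = yes
        dpd_delay = 30s
        local-1 {
            auth = pubkey
            certs = Srv1SwanCert.der
            id = ub-srv-1
        }
        remote-1 {
            auth = pubkey
            # Full subject DN from the comment thread; quoting keeps the commas.
            id = "C=XX, O=XXX, CN=user1"
        }
        children {
            rw-user1 {
                local_ts = 0.0.0.0/0
                dpd_action = clear
                esp_proposals = aes128gcm16-ecp256
            }
        }
    }

    # Same pattern, but matching on a subjectAltName instead of the DN.
    # Assumes user2's certificate carries the rfc822Name SAN user2@example.org
    # (constructed value for this example).
    rw-user2 {
        version = 2
        proposals = aes128gcm16-prfsha256-ecp256
        pools = primary-pool-ipv4
        fragmentation = yes
        dpd_delay = 30s
        local-1 {
            auth = pubkey
            certs = Srv1SwanCert.der
            id = ub-srv-1
        }
        remote-1 {
            auth = pubkey
            id = user2@example.org
        }
        children {
            rw-user2 {
                local_ts = 0.0.0.0/0
                dpd_action = clear
                esp_proposals = aes128gcm16-ecp256
            }
        }
    }

    # Certificate + EAP (username/password) as described in the comments:
    # round 1 verifies the client certificate, round 2 runs EAP via RADIUS.
    rw-cert-eap {
        version = 2
        proposals = aes128gcm16-prfsha256-ecp256
        pools = primary-pool-ipv4
        fragmentation = yes
        dpd_delay = 30s
        local-1 {
            auth = pubkey
            certs = Srv1SwanCert.der
            id = ub-srv-1
        }
        remote-1 {
            auth = pubkey
            id = "C=XX, O=lXXX, CN=user2"
        }
        remote-2 {
            auth = eap-radius
            # Accept whatever EAP identity the client sends; RADIUS decides.
            eap_id = %any
        }
        children {
            rw-cert-eap {
                local_ts = 0.0.0.0/0
                dpd_action = clear
                esp_proposals = aes128gcm16-ecp256
            }
        }
    }
}
```

After editing, reload with `swanctl --load-all` and check `swanctl --list-conns`: each connection should list its remote identity as the DN or SAN string exactly as written, and a client presenting a certificate whose subject DN or SAN differs will be rejected with the same "no trusted RSA public key found" message seen in the question.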