I thought my configuration would work but I am getting MAC mismatch in the logs (not sure what MAC stands for).
I am trying to use pubkey (cert) on the server and psk (secret) on the client.
My configuration is as follows:
connections {
default {
version = 2
send_cert = always
unique = replace
local { # left
certs = vpnserver.crt
auth = pubkey
id = {server_dns_name} # must match CN/SAN in cert
}
remote { # right
id = %any
auth = psk
}
children {
net {
}
}
}
}
secrets {
ike-psk {
secret = test123
id = client
}
}
include conf.d/*.conf
The certificate:
List of X.509 End Entity Certificates
subject: "CN={server_dns_name}"
issuer: "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
validity: not before Oct 29 15:20:53 2019, ok
not after Jan 27 15:20:53 2020, ok (expires in 89 days)
serial: 03:50:64:2f:7a:63:c2:2c:d6:a1:76:de:14:91:69:03:8d:e7
altNames: {server_dns_name}
flags: serverAuth clientAuth
OCSP URIs: http://ocsp.int-x3.letsencrypt.org
certificatePolicies:
2.23.140.1.2.1
1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
authkeyId: a8:4a:6a:63:04:7d:dd:ba:e6:d1:39:b7:a6:45:65:ef:f3:a8:ec:a1
subjkeyId: f5:73:d3:18:9c:82:ea:3f:82:32:d6:c5:30:bc:65:ff:94:0f:4a:71
pubkey: RSA 2048 bits, has private key
keyid: b3:c2:11:b7:a0:6f:dd:74:19:64:59:08:98:39:71:f4:13:ff:24:80
subjkey: f5:73:d3:18:9c:82:ea:3f:82:32:d6:c5:30:bc:65:ff:94:0f:4a:71
The connection:
ikev2-vpn: IKEv2, no reauthentication, no rekeying, dpd delay 300s
local: %any
remote: %any
local public key authentication:
id: {server_dns_name}
certs: CN={server_dns_name}
remote pre-shared key authentication:
ikev2-vpn: TUNNEL, no rekeying, dpd action is clear
local: 0.0.0.0/0
remote: dynamic
The logs:
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: PKCS11 module '<name>' lacks library path
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: openssl FIPS mode(2) - enabled
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: loading crls from '/etc/strongswan/ipsec.d/crls'
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: loading secrets from '/etc/strongswan/ipsec.secrets'
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: opening triplet file /etc/strongswan/ipsec.d/triplets.dat failed: No such file or directory
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: loaded 0 RADIUS server configurations
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: HA config misses local/remote address
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: no script for ext-auth script defined, disabled
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: loaded plugins: charon-systemd pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: spawning 16 worker threads
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal swanctl[6627]: no files found matching '/etc/strongswan/swanctl/conf.d/*.conf'
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: loaded certificate 'CN={server_dns_name}'
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: loaded certificate 'C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3'
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: loaded ANY private key
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: loaded IKE shared key with id 'ike-psk' for: 'client'
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal swanctl[6627]: no authorities found, 0 unloaded
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal swanctl[6627]: no pools found, 0 unloaded
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: added vici connection: default
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal swanctl[6627]: loaded certificate from '/etc/strongswan/swanctl/x509/vpnserver.crt'
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal swanctl[6627]: loaded certificate from '/etc/strongswan/swanctl/x509ca/letsencrypt.crt'
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal swanctl[6627]: loaded private key from '/etc/strongswan/swanctl/private/vpnserver.key'
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal swanctl[6627]: loaded ike secret 'ike-psk'
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal swanctl[6627]: loaded connection 'default'
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal swanctl[6627]: successfully loaded 1 connections, 0 unloaded
Oct 30 11:03:21 ip-172-31-32-116.eu-west-2.compute.internal systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: received packet: from xx.xx.xx.xx[42452] to 172.31.32.116[500] (604 bytes)
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: xx.xx.xx.xx is initiating an IKE_SA
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: local host is behind NAT, sending keep alives
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: remote host is behind NAT
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: sending packet: from 172.31.32.116[500] to xx.xx.xx.xx[42452] (473 bytes)
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: received packet: from xx.xx.xx.xx[46452] to 172.31.32.116[4500] (532 bytes)
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: parsed IKE_AUTH request 1 [ EF(1/2) ]
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: received fragment #1 of 2, waiting for complete IKE message
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: received packet: from xx.xx.xx.xx[46452] to 172.31.32.116[4500] (116 bytes)
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: parsed IKE_AUTH request 1 [ EF(2/2) ]
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: received fragment #2 of 2, reassembled fragmented IKE message (560 bytes)
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: unknown attribute type (25)
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: looking for peer configs matching 172.31.32.116[{server_dns_name}]...xx.xx.xx.xx[client]
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: selected peer config 'default'
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: tried 1 shared key for '{server_dns_name}' - 'client', but MAC mismatched
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: peer supports MOBIKE
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 30 11:04:10 ip-172-31-32-116.eu-west-2.compute.internal charon-systemd[6610]: sending packet: from 172.31.32.116[4500] to xx.xx.xx.xx[46452] (80 bytes)
Connection on the macbook