In the last days I did a lot of investigation regarding my roadwarrior connections. I have four different connection profiles active:
- Mutual RSA + EAP-MSCHAPv2 with IPv4 (used by an android smartphone with the strongswan VPN app)
- Mutual RSA with IPv4 (used by an ubuntu laptop with strongswan and the network manager)
- Mutual RSA with IPv6 (used by an ubuntu laptop with strongswan and the network manager)
- Mutual RSA + EAP-MSCHAPv2 with IPv6 (used by an android smartphone with the strongswan VPN app)
The different profiles are neccessary because for flexibility (internet protocol) and different support by the IPsec clients. I tried to get all profiles to work, but no luck. The android smartphone can successfully authenticate with IPv4 but not IPv6. And the Laptop can instead use IPv6 but not IPv4.
I far as I know Opnsense still allows only to add one roadwarrior (mobile) connection profile. But strongswan itself has not such a limitation. There was a discussion about it in 2018 [1]. Some more investigation offered that the combination of successful and unsuccessful authentication depends on the sequence of profiles in the
ipsec.conf configuration file (as noted above).
Related to a specific IP version charon either tries to match an incoming connection to the first configuration entry or to none of them :'(. Corresponding entries in the log file look similar to
- charon selects the wrong profile
- looking for peer configs matching <local ip>[<local id>] ... <remote ip>[<remote id>]
- selected peer config 'con2'
- selected peer config 'con2' unacceptable: non-matching authentication done
- no alternative config found
- charon cannot find a profile match
- looking for peer configs matching <local ip>[<local id>] ... <remote ip>[<remote id>]
- no matching peer config found
According to the strongswan documention (FAQ - no matching peer config found) [2] charon tries to find the correct profile by comparing the ip addresses and identities (including the type of the identity). I don't know, whether the mismatch is based on the wrong identity type. The FAQ recommends in such cases to check the log file (log level 3). Unfortunately, I cannot find a hint in the log file, which identity type the client has been used.
In my eyes it seems to be a bug in charon (strongswan). Because, in case I only activate the last of the above profiles, the IPv6 based VPN on the smartphone works well even when pinning the identities of the endpoints to their certificate's DN. After adding the IPv6 profile for the laptop (still in the above sequence) the IPv6 based VPN connection of the smartphone fails because charon does not find any matching profile. In the second case I could understand that charon mistakenly selects the wrong profile. But, in this case it cannot find any match (second error description above). That sounds weird.
Does anybody know what I am doing wrong or if there is a really a bug in strongswan (v.5.9.5)?
[1] https://forum.opnsense.org/index.php?topic=9142.msg44734#msg44734
[2] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ
Thanks.