(Solved) ikev2 PSK and swanctl.conf - "constraint check failed"
« on: August 29, 2023, 02:57:24 pm »
Any help is highly appreciated
I'm new to swanctl and I'm trying to establish my first IPsec tunnel with PSKs using it. My goal is to establish IKEv2 tunnels from the OPNsense to remote Linux clients behind NAT, replacing WireGuard in the process.
I'm stumped though, even though the authentication is set to

```
auth = psk
```
on both sides, the ipsec.log on the OPNsense always shows:

```
authentication of 'site5.example.com' with pre-shared key successful
constraint check failed: peer not authenticated with peer cert 'site5.example.com'
selected peer config '7209bd0f-c7f8-467a-9f8a-6c209d9be771' unacceptable: non-matching authentication done
no alternative config found
```
I don't understand this though, my config on both sides doesn't use "ESP". It uses "PSK".
swanctl.conf OPNsense strongSwan swanctl 5.9.10:

```
connections {
    7209bd0f-c7f8-467a-9f8a-6c209d9be771 {
        proposals = aes256-sha256-modp2048
        unique = replace
        aggressive = no
        version = 2
        mobike = yes
        local_addrs = 91.XXX.XXX.XXX
        encap = no
        dpd_delay = 300
        pools = site-pool
        send_certreq = no
        send_cert = never
        local-f24d9f6a-9828-463c-a813-361c17253249 {
            round = 0
            auth = psk
            id = opn01.example.com
            pubkeys = a4554b89-f166-4da7-ac9b-b9954c9a394c.pem
        }
        remote-c8b144a9-df8d-46f8-8250-169d7947f3da {
            round = 0
            auth = psk
            id = site5.example.com
            pubkeys = a1ef50c8-f544-47cf-beb7-b419ef830ad7.pem
        }
        children {
            7827bcd2-8ee8-42f8-b775-0163c1c0d12a {
                esp_proposals = aes256-sha256-modp2048
                sha256_96 = no
                start_action = trap
                close_action = none
                dpd_action = clear
                mode = tunnel
                policies = yes
                rekey_time = 3600
                updown = /usr/local/opnsense/scripts/ipsec/updown_event.py --connection_child 7827bcd2-8ee8-42f8-b775-0163c1c0d12a
            }
        }
    }
}
pools {
    site-pool {
        addrs = 192.168.208.0/24
    }
}
secrets {
    ike-85b0a34c-687c-460d-9dde-cfc6a6a7d00a {
        id-0 = opn01.example.com
        id-1 = site5.example.com
        secret = 0s[OMITTED]
    }
}
```
swanctl.conf Linux client strongSwan swanctl 5.9.1:

```
connections {
    site5-to-opn01 {
        proposals = aes256-sha256-modp2048
        unique = replace
        aggressive = no
        version = 2
        mobike = yes
        local_addrs = %config
        remote_addrs = 91.XXX.XXX.XXX
        encap = no
        dpd_delay = 300
        send_certreq = no
        send_cert = never
        local {
            round = 0
            auth = psk
            id = site5.example.com
        }
        remote {
            round = 0
            auth = psk
            id = opn01.example.com
        }
        children {
            site5 {
                esp_proposals = aes256-sha256-modp2048
                sha256_96 = no
                local_ts = 192.168.208.5/32
                remote_ts = 192.168.208.0/24
                mode = tunnel
                policies = yes
                rekey_time = 3600
                start_action = start
                dpd_action = clear
            }
        }
    }
}
secrets {
    ike-site5-to-opn01 {
        id-0 = site5.example.com
        id-1 = opn01.example.com
        secret = 0s[OMITTED]
    }
}
```
ipsec.log OPNsense:

```
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138106"] 06[NET] <39> received packet: from 80.XXX.XXX.XXX[500] to 91.XXX.XXX.XXX[500] (464 bytes)
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138107"] 06[ENC] <39> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138108"] 06[IKE] <39> 80.XXX.XXX.XXX is initiating an IKE_SA
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138109"] 06[CFG] <39> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138110"] 06[IKE] <39> remote host is behind NAT
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138111"] 06[ENC] <39> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138112"] 06[NET] <39> sending packet: from 91.XXX.XXX.XXX[500] to 80.XXX.XXX.XXX[500] (472 bytes)
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138113"] 06[NET] <39> received packet: from 80.XXX.XXX.XXX[4500] to 91.XXX.XXX.XXX[4500] (384 bytes)
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138114"] 06[ENC] <39> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138115"] 06[CFG] <39> looking for peer configs matching 91.XXX.XXX.XXX[opn01.example.com]...80.XXX.XXX.XXX[site5.example.com]
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138116"] 06[CFG] <7209bd0f-c7f8-467a-9f8a-6c209d9be771|39> selected peer config '7209bd0f-c7f8-467a-9f8a-6c209d9be771'
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138117"] 06[IKE] <7209bd0f-c7f8-467a-9f8a-6c209d9be771|39> authentication of 'site5.example.com' with pre-shared key successful
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138118"] 06[CFG] <7209bd0f-c7f8-467a-9f8a-6c209d9be771|39> constraint check failed: peer not authenticated with peer cert 'site5.example.com'
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138119"] 06[CFG] <7209bd0f-c7f8-467a-9f8a-6c209d9be771|39> selected peer config '7209bd0f-c7f8-467a-9f8a-6c209d9be771' unacceptable: non-matching authentication done
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138120"] 06[CFG] <7209bd0f-c7f8-467a-9f8a-6c209d9be771|39> no alternative config found
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138121"] 06[IKE] <7209bd0f-c7f8-467a-9f8a-6c209d9be771|39> peer supports MOBIKE
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138122"] 06[ENC] <7209bd0f-c7f8-467a-9f8a-6c209d9be771|39> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138123"] 06[NET] <7209bd0f-c7f8-467a-9f8a-6c209d9be771|39> sending packet: from 91.XXX.XXX.XXX[4500] to 80.XXX.XXX.XXX[4500] (80 bytes)
```
charon.log Linux client:

```
[IKE] initiating IKE_SA site5-to-opn01[12] to 91.XXX.XXX.XXX
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 0.0.0.0[500] to 91.XXX.XXX.XXX[500] (464 bytes)
[NET] received packet: from 91.XXX.XXX.XXX[500] to 10.169.172.207[500] (472 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
[IKE] local host is behind NAT, sending keep alives
[IKE] authentication of 'site5.example.com' (myself) with pre-shared key
[IKE] establishing CHILD_SA checkmk-site5{12}
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 10.169.172.207[4500] to 91.XXX.XXX.XXX[4500] (384 bytes)
[NET] received packet: from 91.XXX.XXX.XXX[4500] to 10.169.172.207[4500] (80 bytes)
[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
[IKE] received AUTHENTICATION_FAILED notify error
initiate failed: establishing CHILD_SA 'site5' failed
```
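An added check, not part of the post and not OPNsense or strongSwan code: in strongSwan, a `pubkeys` (like `certs` or `cacerts`) entry in a remote auth section is a constraint the peer must satisfy after authenticating, whatever the `auth` method, which is exactly what the `constraint check failed: peer not authenticated with peer cert` line reports once the PSK round has already succeeded. The script below parses a swanctl.conf (the sample is constructed from the OPNsense connection above, secret omitted) and lists remote rounds that combine `auth = psk` with such a constraint; `parse_swanctl` and `find_psk_cert_conflicts` are names chosen here, not strongSwan APIs.

```python
# Remote-section settings that make charon require a cert/public key from the peer.
PEER_CERT_CONSTRAINTS = ("pubkeys", "certs", "cacerts")

# Constructed sample: the auth rounds of the OPNsense connection from the post.
SAMPLE_CONF = """connections {
    7209bd0f-c7f8-467a-9f8a-6c209d9be771 {
        local-f24d9f6a-9828-463c-a813-361c17253249 {
            auth = psk
            id = opn01.example.com
            pubkeys = a4554b89-f166-4da7-ac9b-b9954c9a394c.pem
        }
        remote-c8b144a9-df8d-46f8-8250-169d7947f3da {
            auth = psk
            id = site5.example.com
            pubkeys = a1ef50c8-f544-47cf-beb7-b419ef830ad7.pem
        }
    }
}
"""

def parse_swanctl(text):
    """Parse swanctl.conf's brace-nested sections into nested dicts (no include support)."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            section = {}
            (stack[-1] if stack else root)[line[:-1].strip()] = section
            stack.append(section)
        elif "=" in line:
            key, _, value = line.partition("=")
            (stack[-1] if stack else root)[key.strip()] = value.strip()
        else:
            raise ValueError(f"cannot parse: {raw!r}")
    if stack:
        raise ValueError("unbalanced braces in swanctl.conf")
    return root

def find_psk_cert_conflicts(conf):
    """Return (connection, section, key) for remote rounds mixing auth = psk with a peer cert constraint."""
    found = []
    for conn_name, conn in conf.get("connections", {}).items():
        for sec_name, sec in conn.items():
            if isinstance(sec, dict) and sec_name.startswith("remote") and sec.get("auth") == "psk":
                found += [(conn_name, sec_name, k) for k in PEER_CERT_CONSTRAINTS if k in sec]
    return found
```

On the sample it reports the remote round's `pubkeys` line; the `pubkeys` in the local round is not a peer constraint and is simply unused with PSK.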