(Solved) ikev2 PSK and swanctl.conf - "constraint check failed"

Monviech (Cedrik) · August 29, 2023, 02:57:24 PM

Any help is highly appreciated :)

I'm new to swanctl and I'm trying to establish my first IPsec Tunnel with PSKs using it. My goal is to establish ikev2 tunnels from the OPNsense to remote linux clients behind NAT, replacing wireguard in the process.

I'm stumped though, even though the authentication is set to

Code Select

auth = psk on both sides, the ipsec.log on the opnsense always shows:

Code Select

authentication of 'site5.example.com' with pre-shared key successful
constraint check failed: peer not authenticated with peer cert 'site5.example.com'
selected peer config '7209bd0f-c7f8-467a-9f8a-6c209d9be771' unacceptable: non-matching authentication done
no alternative config found

I don't understand this though, my config on both sides doesn't use "ESP". It uses "PSK.

swanctl.conf Opnsense strongSwan swanctl 5.9.10:

Code Select

connections {   
   7209bd0f-c7f8-467a-9f8a-6c209d9be771 {
        proposals = aes256-sha256-modp2048
        unique = replace
        aggressive = no
        version = 2
        mobike = yes
        local_addrs = 91.XXX.XXX.XXX
        encap = no
        dpd_delay = 300
        pools = site-pool
        send_certreq = no
        send_cert = never
        local-f24d9f6a-9828-463c-a813-361c17253249 {
            round = 0
            auth = psk
            id = opn01.example.com
            pubkeys = a4554b89-f166-4da7-ac9b-b9954c9a394c.pem
        }
        remote-c8b144a9-df8d-46f8-8250-169d7947f3da {
            round = 0
            auth = psk
            id = site5.example.com
            pubkeys = a1ef50c8-f544-47cf-beb7-b419ef830ad7.pem
        }
        children {
            7827bcd2-8ee8-42f8-b775-0163c1c0d12a {
                esp_proposals = aes256-sha256-modp2048
                sha256_96 = no
                start_action = trap
                close_action = none
                dpd_action = clear
                mode = tunnel
                policies = yes
                rekey_time = 3600
                updown = /usr/local/opnsense/scripts/ipsec/updown_event.py --connection_child 7827bcd2-8ee8-42f8-b775-0163c1c0d12a
            }
        }
    }
}
pools {
    site-pool {
        addrs = 192.168.208.0/24
    }
}
secrets {
    ike-85b0a34c-687c-460d-9dde-cfc6a6a7d00a {
        id-0 = opn01.example.com
        id-1 = site5.example.com
        secret = 0s[OMITTED]
    }
}

swanctl.conf Linux Client strongSwan swanctl 5.9.1:

Code Select

connections {
    site5-to-opn01 {
        proposals = aes256-sha256-modp2048
        unique = replace
        aggressive = no
        version = 2
        mobike = yes
        local_addrs = %config
        remote_addrs = 91.XXX.XXX.XXX
        encap = no
        dpd_delay = 300
        send_certreq = no
        send_cert = never
        local {
            round = 0
            auth = psk
            id = site5.example.com
        }
        remote {
            round = 0
            auth = psk
            id = opn01.example.com
        }
        children {
            site5 {
                esp_proposals = aes256-sha256-modp2048
                sha256_96 = no
                local_ts = 192.168.208.5/32
                remote_ts = 192.168.208.0/24
                mode = tunnel
                policies = yes
                rekey_time = 3600
                start_action = start
                dpd_action = clear
            }
        }
    }
}
secrets {
    ike-site5-to-opn01 {
        id-0 = site5.example.com
        id-1 = opn01.example.com
        secret = 0s[OMITTED]
    }
}

ipsec.log Opnsense:

Code Select

<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138106"] 06[NET] <39> received packet: from 80.XXX.XXX.XXX[500] to 91.XXX.XXX.XXX[500] (464 bytes)
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138107"] 06[ENC] <39> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138108"] 06[IKE] <39> 80.XXX.XXX.XXX is initiating an IKE_SA
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138109"] 06[CFG] <39> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138110"] 06[IKE] <39> remote host is behind NAT
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138111"] 06[ENC] <39> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138112"] 06[NET] <39> sending packet: from 91.XXX.XXX.XXX[500] to 80.XXX.XXX.XXX[500] (472 bytes)
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138113"] 06[NET] <39> received packet: from 80.XXX.XXX.XXX[4500] to 91.XXX.XXX.XXX[4500] (384 bytes)
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138114"] 06[ENC] <39> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138115"] 06[CFG] <39> looking for peer configs matching 91.XXX.XXX.XXX[opn01.example.com]...80.XXX.XXX.XXX[site5.example.com]
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138116"] 06[CFG] <7209bd0f-c7f8-467a-9f8a-6c209d9be771|39> selected peer config '7209bd0f-c7f8-467a-9f8a-6c209d9be771'
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138117"] 06[IKE] <7209bd0f-c7f8-467a-9f8a-6c209d9be771|39> authentication of 'site5.example.com' with pre-shared key successful
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138118"] 06[CFG] <7209bd0f-c7f8-467a-9f8a-6c209d9be771|39> constraint check failed: peer not authenticated with peer cert 'site5.example.com'
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138119"] 06[CFG] <7209bd0f-c7f8-467a-9f8a-6c209d9be771|39> selected peer config '7209bd0f-c7f8-467a-9f8a-6c209d9be771' unacceptable: non-matching authentication done
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138120"] 06[CFG] <7209bd0f-c7f8-467a-9f8a-6c209d9be771|39> no alternative config found
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138121"] 06[IKE] <7209bd0f-c7f8-467a-9f8a-6c209d9be771|39> peer supports MOBIKE
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138122"] 06[ENC] <7209bd0f-c7f8-467a-9f8a-6c209d9be771|39> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
<30>1 2023-08-29T14:34:23+02:00 opn01.example.com charon 52418 - [meta sequenceId="138123"] 06[NET] <7209bd0f-c7f8-467a-9f8a-6c209d9be771|39> sending packet: from 91.XXX.XXX.XXX[4500] to 80.XXX.XXX.XXX[4500] (80 bytes)

charon.log Linux Client:

Code Select

[IKE] initiating IKE_SA site5-to-opn01[12] to 91.XXX.XXX.XXX
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 0.0.0.0[500] to 91.XXX.XXX.XXX[500] (464 bytes)
[NET] received packet: from 91.XXX.XXX.XXX[500] to 10.169.172.207[500] (472 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
[IKE] local host is behind NAT, sending keep alives
[IKE] authentication of 'site5.example.com' (myself) with pre-shared key
[IKE] establishing CHILD_SA checkmk-site5{12}
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 10.169.172.207[4500] to 91.XXX.XXX.XXX[4500] (384 bytes)
[NET] received packet: from 91.XXX.XXX.XXX[4500] to 10.169.172.207[4500] (80 bytes)
[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
[IKE] received AUTHENTICATION_FAILED notify error
initiate failed: establishing CHILD_SA 'site5' failed

Monviech (Cedrik) · August 29, 2023, 03:14:44 PM

Fixed it myself. Just when I posted I saw that the config in the Opnsense had this section:

Code Select

        local-f24d9f6a-9828-463c-a813-361c17253249 {
            round = 0
            auth = psk
            id = opn01.example.com
            pubkeys = a4554b89-f166-4da7-ac9b-b9954c9a394c.pem
        }
        remote-c8b144a9-df8d-46f8-8250-169d7947f3da {
            round = 0
            auth = psk
            id = site5.example.com
            pubkeys = a1ef50c8-f544-47cf-beb7-b419ef830ad7.pem

And somehow there were pubkeys defined.
I think it's because I first created the Local Authentication and Remote Authentication in the GUI with Public Key, but then after creating them changed it back to "Pre-Shared Key".
The settings stuck though. I had to delete and recreate them.

(Solved) ikev2 PSK and swanctl.conf - "constraint check failed"

Monviech (Cedrik)

August 29, 2023, 02:57:24 PM Last Edit: August 29, 2023, 03:15:15 PM by Monviech

Monviech (Cedrik)

August 29, 2023, 03:14:44 PM #1