Bug #6113
closed
SWu figure out why SWu has problems connecting to strongswan
Added by lynxis 10 months ago.
Updated 4 months ago.
Description
Currently the python SWu project doesn't connect to strongswan. Strongswan
fails to find a proper peer config:
epdg charon-systemd[6345]: parsed IKE_AUTH request 1 [ IDi IDr CPRQ(ADDR DNS ADDR6 DNS6 PCSCF4 PCSCF6) SA TSi TSr N(EAP_ONLY) ]
epdg charon-systemd[6345]: looking for peer configs matching 192.168.0.2[internet]...192.168.56.51[0262421234567890@nai.epc.mnc42.mcc999.3gppnetwork.org]
epdg charon-systemd[6345]: peer config "rw", ike match: 1052 (192.168.0.2...%any IKEv2)
epdg charon-systemd[6345]: local id match: 0 (ID_FQDN: 69:6e:74:65:72:6e:65:74)
epdg charon-systemd[6345]: no matching peer config found
I would guess SWu doesn't try to get the certificate of the epdg.
- % Done changed from 0 to 30
After relaxing the local id, the connection looks better.
But now epdg strongswan reports: "private key of type ED25519 not supported".
connections {
    rw {
        local_addrs = 192.168.0.2
        pools = rw_pool
        local {
            auth = pubkey
            certs = epdgCert.pem
            id = %any
        }
        remote {
            auth = eap-aka
        }
        children {
            net {
                local_ts = 172.16.24.0/24
                updown = /usr/lib/ipsec/_updown iptables
                esp_proposals = default
            }
        }
        version = 2
        # proposals = null-md5-prfmd5-null-ecp192
        # proposals = AES_CBC_128-HMAC_SHA1_96-PRF_HMAC_SHA1-MODP_2048
    }
}
secrets {
}
pools {
    rw_pool {
        addrs = 172.20.0.0/24
    }
}
I'm pretty sure the SWu doesn't support ED25519 authentication, but the epdg is currently using an ed25519 certificate.
- Status changed from New to Feedback
- % Done changed from 30 to 90
The ed25519 certificate together with the hash algorithm was the problem.
With an rsa 4k certificate it works fine.
Further, there is a problem with the eap encoder of SWu, since it's using hardcoded values which are problematic if the NAI doesn't have the exact expected length.
Clean up code and create a PR against SWu.
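The length problem described in this note, as an added example (not SWu's or strongSwan's code): a hypothetical EAP-Response/Identity encoder with a hardcoded Length field next to one that derives it from the NAI, plus the consistency check a strict peer effectively makes. The NAI values are constructed after the format in the log above; the EAP header layout follows RFC 3748.

```python
import struct

# Standard EAP values from RFC 3748 (not taken from SWu).
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_HEADER_LEN = 5  # Code(1) + Identifier(1) + Length(2) + Type(1)

# Constructed sample NAI, same shape as the one in the strongSwan log (53 bytes).
SAMPLE_NAI = "0262421234567890@nai.epc.mnc42.mcc999.3gppnetwork.org"


def encode_eap_identity_hardcoded(identifier: int, nai: str) -> bytes:
    """Hypothetical illustration of the bug class: the Length field is a
    literal that only matches one particular NAI length (header + 53 bytes).
    Any other identity yields a packet whose Length disagrees with its size."""
    FIXED_LEN = 58
    return struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier, FIXED_LEN,
                       EAP_TYPE_IDENTITY) + nai.encode("ascii")


def encode_eap_identity(identifier: int, nai: str) -> bytes:
    """Corrected encoder: Length is computed from the identity actually sent."""
    data = nai.encode("ascii")
    length = EAP_HEADER_LEN + len(data)
    if length > 0xFFFF:
        raise ValueError("identity too long for the 16-bit EAP Length field")
    return struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier, length,
                       EAP_TYPE_IDENTITY) + data


def check_eap_packet(pkt: bytes) -> bool:
    """What a strict receiver checks before trusting the payload: a
    Response/Identity whose Length field equals the bytes really present."""
    if len(pkt) < EAP_HEADER_LEN:
        return False
    code, _ident, length, eap_type = struct.unpack("!BBHB", pkt[:EAP_HEADER_LEN])
    return (code == EAP_CODE_RESPONSE and eap_type == EAP_TYPE_IDENTITY
            and length == len(pkt))
```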
- % Done changed from 90 to 100
- Status changed from Feedback to Closed