[SOLVED] IPSec IKEv2: Failed Auth Using Strongswan Client

l1m0n4d3 · 12-13-2018, 10:03 AM

I'm currently trainee in a small IT consulting company, trying to test a VPN connection from a Linux client.

Connection works flawlessly if established from a VM with Windows 10. On a VM with Kubuntu 18.10 I always get authentication failure, instead.

VPN tunnel is set up on a pfSense VM, hypervisor is Hyper-V.

This is connection setting (auto IPv4 address)

VPN config on pfSense:
https://ibb.co/vsWsWp4
https://ibb.co/x1kPbZX
https://ibb.co/3vmncKh
https://ibb.co/W3c9k6t
https://ibb.co/P47pJC1

System log output (client)

pfSense syslog:
https://ibb.co/KhXWTGL
https://ibb.co/K95Hqzn
https://ibb.co/vxKrx6M
https://ibb.co/3SfmKFb
https://ibb.co/8xGKGgy
https://ibb.co/Cv13LGw

Is there maybe something wrong with the certificate?
Thanks in advance

ecdsa · 12-14-2018, 02:47 AM

Quote:

Originally Posted by l1m0n4d3

Is there maybe something wrong with the certificate?

Yes, looks that way. The server sends a self-signed certificate, whereas on the client you apparently loaded a CA certificate. So either load the self-signed server certificate on the client instead, or issue a server certificate from the CA you already loaded on the client.

l1m0n4d3 · 12-14-2018, 05:56 AM

OK, thanks a lot, it was just the wrong certificate.
So Linux clients need server cert instead of CA cert.

ecdsa · 12-14-2018, 07:13 AM

Quote:

Originally Posted by l1m0n4d3

So Linux clients need server cert instead of CA cert.

Yes, if the server uses a self-signed certificate. If the server uses a certificate issued by a CA, configuring the server certificate would still work, but it also works with the CA certificate (especially if the server certificate was issued by a CA that the client already trusts, so no certificate would have to be configured in the GUI in order to rely on the system's list of trusted CA certificates).