I'm using a Zyxel ZyWall 110 and I want to establish a client-to-site VPN connection to the ZyWall by using the built-in VPN-Client from MacOS 10.14.6 (Mojave). So far I was able to get successful connections with IKEv2 and L2TP/IPSec, but all of them use a username/password client authentication. That's not what I want, since such authentications are vulnerable to dictionary and brute force attacks. My goal is to use client certificates issued by a self-created certification authority to authenticate the clients.

IKEv2, which is preferred by me to use in the further network configuration, works, and the server is able to authenticate itself by a certificate. For client authentication I have to use EAP-MSCHAPv2, because the ZyWall does not support EAP-TLS. If I do not activate EAP, other clients such as Linux strongSwan are able to connect by a certificate based authentication, but not the MacOS built-in VPN-Client.

After that I tried to use a RADIUS server to authenticate the EAP-TLS request from the MacOS VPN-Client to bypass the not supported EAP-TLS. The RADIUS server successfully authenticates the client and gives that response to the ZyWall, but after that the ZyWall does not do anything with that, so the client gets no response and no connection can be established. That behaviour of the ZyWall is the same with the Linux strongSwan VPN-Client. But if the VPN server is a Linux strongSwan too, the RADIUS server EAP-TLS authentication works perfectly.

I also get a working L2TP/IPSec connection, but I was not able to implement a certificate based authentication for server nor clients as well. Both the machine authentication and the user authentication do not work with the certificates. It is only possible to establish that connection while using the PSK for machine authentication and username/password for user authentication. In the ZyWall logs you can read "Authentication mismatch" and the connection will not be established.

- used as PPPoE access to ISP with dynamic public IP (updated by DDNS from ZyWall).
- Different MacBooks with MacOS 10.14.6 Mojave and iPhones with iOS 12.4.
  - all clients were in a ZyWall independent network at the time of the connection attempts, but behind a NAT router of course.
- freeRADIUS: 3.0.17 (on Raspberry Pi, Raspbian Buster).
  - while using the RADIUS server I have set the authentication server.
- strongSwan: U5.5.1/K4.19.57-v7l+ (on Raspberry Pi, Raspbian Stretch).
- Certificates from ROOT CA and Intermediate CA are installed on all machines and marked as trusted, so that verifying the certificates was never a problem.
- ZyWall certificate was created as CSR on the ZyWall and signed by the Intermediate CA:
  - X509v3 Key Usage: critical: Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment.
  - X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication, iKEIntermediate.
  - All DNS names are listed in the X509v3 Subject Alternative Name, starting with the DDNS name.
- Client certificates are also signed by the same Intermediate CA:
  - X509v3 Key Usage: critical: Digital Signature, Non Repudiation, Key Encipherment.
  - X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection (since the client certificates are also used for S/MIME).

At this point I have to say that I tried a lot of different settings for the certificates to rule out that the problems are the certificates themselves, such as giving TLS Web Server Authentication and iKEIntermediate to the client certificates too and using self-signed root certificates from the ZyWall. In the end I do not think that the certificates are the reason for the authentication problems, but I am ready for all ideas. Since this is the first time I need to use this forum, because I am really stuck with that, I hope you can help me. After 4 weeks, I have no idea how to proceed.
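Not part of the original post, but a check worth running before loading certificates with this extension set onto a gateway: the script below builds a throwaway root / intermediate / gateway chain carrying the Key Usage, Extended Key Usage and SAN values listed above, then verifies the chain and tests the gateway certificate for each property (trusted chain, serverAuth EKU, the iKEIntermediate EKU, the DDNS name in the SAN). It assumes openssl 1.1.1 or newer on the path; the CA names, the host names and the "vpn-user" CN are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl >= 1.1.1 on the path.
# All subject names and host names below are constructed placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"
DDNS_NAME="gw.example.test"                  # stands in for the real DDNS name
IKE_INTERMEDIATE_OID="1.3.6.1.5.5.8.2.2"     # the "iKEIntermediate" EKU from the post
# Key + CSR for a subject CN, written to $WORK/<name>.key / .csr
csr() { # $1 file name, $2 CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Sign a CSR with a CA, applying the v3 extensions given as newline-separated text
sign() { # $1 csr, $2 ca cert, $3 ca key, $4 output cert, $5 extensions
  printf '%b\n' "$5" > "$4.ext"
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 2 \
    -out "$4" -extfile "$4.ext" 2>/dev/null
}

gen_chain() {
  # self-signed root (req -x509 adds basicConstraints CA:TRUE by default)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  csr ica "Test Intermediate CA"
  sign "$WORK/ica.csr" "$WORK/root.crt" "$WORK/root.key" "$WORK/ica.crt" \
    "basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign"
  # gateway cert with the KU / EKU / SAN set described in the post
  csr gw "$DDNS_NAME"
  sign "$WORK/gw.csr" "$WORK/ica.crt" "$WORK/ica.key" "$WORK/gw.crt" \
    "keyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment\nextendedKeyUsage=serverAuth,clientAuth,$IKE_INTERMEDIATE_OID\nsubjectAltName=DNS:$DDNS_NAME,DNS:gw.lan.test"
  # client cert as described: clientAuth + emailProtection (S/MIME reuse), no serverAuth
  csr client "vpn-user"
  sign "$WORK/client.csr" "$WORK/ica.crt" "$WORK/ica.key" "$WORK/client.crt" \
    "keyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment\nextendedKeyUsage=clientAuth,emailProtection"
  cat "$WORK/root.crt" "$WORK/ica.crt" > "$WORK/bundle.pem"
}

# Gateway-certificate checks; returns 0 if all pass, else the first failed check:
# 1 chain does not verify, 2 no serverAuth EKU, 3 no IKE-intermediate EKU, 4 name not in SAN
check_gateway_cert() { # $1 cert, $2 CA bundle, $3 expected DNS name
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q "TLS Web Server Authentication" || return 2
  printf '%s\n' "$text" | grep -qiE "ike ?intermediate|$IKE_INTERMEDIATE_OID" || return 3
  printf '%s\n' "$text" | grep -q "DNS:$3" || return 4
}

gen_chain
check_gateway_cert "$WORK/gw.crt" "$WORK/bundle.pem" "$DDNS_NAME" && echo "gateway cert OK"
```

Point the same function at the real gateway certificate and the real root + intermediate bundle to confirm that the extension set the gateway presents matches what the post describes; a nonzero return code names the first missing property.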