<div>Thank you Kimmo for the tips.</div>
<div> </div>
<div>I scaled down my configuration to use eap-mschapv2 authentication instead of eap-radius.</div>
<div> </div>
<div>After I initiated a VPN connection from Win7, security associations are established for both directions: 172.16.50.10 (Windows 7 IP address) <-> 172.16.30.2 (VPN gateway IP address). I also have a security policy added (172.16.80.1 <-> 0.0.0.0/0), where 172.16.80.1 is the Win7 machine's tunnel IP, which is dynamically assigned from the configured IP pool.</div>
<div> </div>
<div>My current problem is that ping requests from Win7 to a protected Linux host (172.16.40.10) behind the VPN server fail. The ping requests reach the host and the ping replies from the host reach the VPN gateway, but they don't get to the Win7 client.</div>
<div> </div>
<div>
<div>Do I need to install a firewall policy? The following security policy is dynamically added.</div>
<div> </div>
<div>I have the following SP automatically added to the SPD.</div>
<div>
<div>172.16.80.1[any] <a href="http://0.0.0.0/0[any]">0.0.0.0/0[any]</a> any<br> in priority=1680 index=0x80000180 ipsec<br> esp/tunnel/172.16.50.10-172.16.30.2/unique:20<br> created: Jun 12 06:50:56 2012 lastused:<br>
lifetime: 0(s) validtime: 0(s)<br> spid=0x80000180 seq=1 pid=4876<br> refcnt=2<br> vrfid=0 linkvrfid=0<br><a href="http://0.0.0.0/0[any]">0.0.0.0/0[any]</a> 172.16.80.1[any] any<br> out priority=2000 index=0x80000179 ipsec<br>
esp/tunnel/172.16.30.2-172.16.50.10/unique:20<br> created: Jun 12 06:50:56 2012 lastused:<br> lifetime: 0(s) validtime: 0(s)<br> spid=0x80000179 seq=2 pid=4876<br> refcnt=2<br> vrfid=0 linkvrfid=0<br>
</div></div>
<div> </div></div>
<div>Below are ping messages from two VPN server interfaces: the tunnel interface and the internal interface.</div>
<div> </div>
<div>Here is the ping packet capture from the VPN server tunnel interface (Win7 packets are routed to this interface).</div>
<div>06:33:05.676371 (FP) IP 172.16.50.10 > <a href="http://172.16.30.2">172.16.30.2</a>: ESP(spi=0xccd10f1f,seq=0x4f)<br>06:33:09.466764 (FP) IP 172.16.50.10 > <a href="http://172.16.30.2">172.16.30.2</a>: ESP(spi=0xccd10f1f,seq=0x50)<br>
06:33:11.104529 (FP) IP 172.16.50.10 > <a href="http://172.16.30.2">172.16.30.2</a>: ESP(spi=0xccd10f1f,seq=0x51)<br></div>
<div> </div>
<div>Below is the ping packet capture from the VPN server internal interface (directly connected to the Linux host, 172.16.40.10). The internal host responds to the Win7 ping request, but the response doesn't reach the Win7 machine. The VPN server fails to apply ESP and send it to Win7 (172.16.50.10).</div>
<div> </div>
<div> </div>
<div>06:29:39.484332 IP 172.16.80.1 > <a href="http://172.16.40.10">172.16.40.10</a>: icmp 40: echo request seq 375<br>06:29:39.484425 IP 172.16.40.10 > <a href="http://172.16.80.1">172.16.80.1</a>: icmp 40: echo reply seq 375<br>
06:29:39.484437 IP 172.16.40.2 > <a href="http://172.16.40.10">172.16.40.10</a>: icmp 68: net 172.16.80.1 unreachable<br>06:29:44.491581 IP 172.16.80.1 > <a href="http://172.16.40.10">172.16.40.10</a>: icmp 40: echo request seq 376<br>
06:29:44.491666 (FP) IP 172.16.40.10 > <a href="http://172.16.80.1">172.16.80.1</a>: icmp 40: echo reply seq 376<br>06:29:44.491668 IP 172.16.40.10 > <a href="http://172.16.80.1">172.16.80.1</a>: icmp 40: echo reply seq 376<br>
06:29:44.491682 IP 172.16.40.2 > <a href="http://172.16.40.10">172.16.40.10</a>: icmp 68: net 172.16.80.1 unreachable</div>
<div> </div>
<div>
<div>I am also perplexed why port 4500 is used instead of 500 during IKE exchange. See vpn server logs and configuration below. I am not behind NAT.</div></div>
<div> </div>
<div>Here are ipsec.conf and the strongSwan log.</div>
<div> </div>
<div>ipsec.conf:</div>
<div><br>conn %default<br> auto=route<br> keyexchange=ikev2<br> keyingtries=1</div>
<div>conn myvpn~mypolicy<br> vpn=myvpn<br> left=172.16.30.2<br> leftsubnet=0.0.0.0/0<br> leftauth=pubkey<br> leftcert=zeus@ares.cer<br>
leftid=@zeus.test.net</div>
<div> right=%any<br> rightsourceip=<a href="http://172.16.80.0/24">172.16.80.0/24</a><br> rightauth=eap-mschapv2<br> rightsendcert=never<br> eap_identity=%any<br> auto=add<br></div>
<div>vpn server log:</div>
<div>Jun 12 06:14:23 router CHARON-INFO: 12[ENC] parsed INFORMATIONAL response 1 [ ]<br>Jun 12 06:14:23 router CHARON-INFO: 12[IKE] IKE_SA deleted<br>Jun 12 06:14:23 router CHARON-INFO: 12[IKE] IKE_SA deleted<br>Jun 12 06:14:23 router CHARON-INFO: 12[LIB] releasing address to pool 'myvpn~mypolicy' failed<br>
Jun 12 06:14:23 router CHARON-INFO: 15[CFG] received stroke: delete connection 'myvpn~mypolicy'<br>Jun 12 06:14:23 router CHARON-INFO: 15[CFG] deleted connection 'myvpn~mypolicy'<br>Jun 12 06:14:23 router CHARON-INFO: 09[CFG] received stroke: add connection 'myvpn~mypolicy'<br>
Jun 12 06:14:23 router CHARON-INFO: 09[CFG] loaded certificate "C=US, ST=MYSTATE, O=MYORG, OU=MYGROUP, CN=<a href="http://zeus.test.net">zeus.test.net</a>, <a href="mailto:E=zeus@test.net">E=zeus@test.net</a>" from <a href="mailto:'zeus@ares.cer'">'zeus@ares.cer'</a><br>
Jun 12 06:14:23 router CHARON-INFO: 09[CFG] added configuration 'myvpn~mypolicy'<br>Jun 12 06:14:23 router CHARON-INFO: 09[CFG] adding virtual IP address pool 'myvpn~mypolicy': <a href="http://172.16.80.0/24">172.16.80.0/24</a></div>
<div>Jun 12 06:15:24 router CHARON-INFO: 13[NET] received packet: from [500] to [500]<br>Jun 12 06:15:24 router CHARON-INFO: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>Jun 12 06:15:24 router CHARON-INFO: 13[IKE] 172.16.50.10 is initiating an IKE_SA<br>
Jun 12 06:15:24 router CHARON-INFO: 13[IKE] 172.16.50.10 is initiating an IKE_SA<br>Jun 12 06:15:24 router CHARON-INFO: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<br>Jun 12 06:15:24 router CHARON-INFO: 13[NET] sending packet: from [500] to [500]<br>
Jun 12 06:15:24 router CHARON-INFO: 15[NET] received packet: from [4500] to [4500]<br>Jun 12 06:15:24 router CHARON-INFO: 15[ENC] unknown attribute type INTERNAL_IP4_SERVER<br>Jun 12 06:15:24 router CHARON-INFO: 15[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]<br>
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4<br>Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15<br>
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid 4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d<br>Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb<br>
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for "C=US, ST=CA, L=Roseville, O=HP, OU=SPG, CN=<a href="http://ares.hp.com">ares.hp.com</a>, <a href="mailto:E=ares@hp.com">E=ares@hp.com</a>"<br>
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid 34:4f:30:2d:25:69:31:91:ea:f7:73:5c:ab:f5:86:8d:37:82:40:ec<br>Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid 3e:df:29:0c:c1:f5:cc:73:2c:eb:3d:24:e1:7e:52:da:bd:27:e2:f0<br>
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid da:ed:64:74:14:9c:14:3c:ab:dd:99:a9:bd:5b:28:4d:8b:3c:c9:d8<br>Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid 5f:f3:24:6c:8f:91:24:af:9b:5f:3e:b0:34:6a:f4:2d:5c:a8:5d:cc<br>
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid c0:7a:98:68:8d:89:fb:ab:05:64:0c:11:7d:aa:7d:65:b8:ca:cc:4e<br>Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid 48:e6:68:f9:2b:d2:b2:95:d7:47:d8:23:20:10:4f:33:98:90:9f:d4<br>
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid 87:db:d4:5f:b0:92:8d:4e:1d:f8:15:67:e7:f2:ab:af:d6:2b:67:75<br>Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid 4a:81:0c:de:f0:c0:90:0f:19:06:42:31:35:a2:a2:8d:d3:44:fd:08<br>
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid 07:15:28:6d:70:73:aa:b2:8a:7c:0f:86:ce:38:93:00:38:05:8a:b1<br>Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid f0:17:62:13:55:3d:b3:ff:0a:00:6b:fb:50:84:97:f3:ed:62:d0:1a<br>
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid 1a:21:b4:95:2b:62:93:ce:18:b3:65:ec:9c:0e:93:4c:b3:81:e6:d4<br>Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid 59:79:12:de:61:75:d6:6f:c4:23:b7:77:13:74:c7:96:de:6f:88:72<br>
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid 42:32:b6:16:fa:04:fd:fe:5d:4b:7a:c3:fd:f7:4c:40:1d:5a:43:af<br>Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid 1a:21:b4:95:2b:62:93:ce:18:b3:65:ec:9c:0e:93:4c:b3:81:e6:d4<br>
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid be:a8:a0:74:72:50:6b:44:b7:c9:23:d8:fb:a8:ff:b3:57:6b:68:6c<br>Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77<br>
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid fb:61:40:61:b4:8a:bc:eb:56:1d:64:16:1f:ab:6d:f3:f7:ae:45:a5<br>Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid 5f:f3:24:6c:8f:91:24:af:9b:5f:3e:b0:34:6a:f4:2d:5c:a8:5d:cc<br>
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid 83:31:7e:62:85:42:53:d6:d7:78:31:90:ec:91:90:56:e9:91:b9:e3<br>Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid 53:32:d1:b3:cf:7f:fa:e0:f1:a0:5d:85:4e:92:d2:9e:45:1d:b4:4f<br>
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid 55:e4:81:d1:11:80:be:d8:89:b9:08:a3:31:f9:a1:24:09:16:b9:70<br>Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77<br>
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid b1:81:08:1a:19:a4:c0:94:1f:fa:e8:95:28:c1:24:c9:9b:34:ac:c7<br>Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid 00:ad:d9:a3:f6:79:f6:6e:74:a9:7f:33:3d:81:17:d7:4c:cf:33:de<br>
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid a8:48:b4:24:2f:c6:ea:24:a0:d7:8e:3c:b9:3c:5c:78:d7:98:33:e4<br>Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid ee:e5:9f:1e:2a:a5:44:c3:cb:25:43:a6:9a:5b:d4:6a:25:bc:bb:8e<br>
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid 07:15:28:6d:70:73:aa:b2:8a:7c:0f:86:ce:38:93:00:38:05:8a:b1<br>Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid a1:72:5f:26:1b:28:98:43:95:5d:07:37:d5:85:96:9d:4b:d2:c3:45<br>
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for unknown ca with keyid 4f:9c:7d:21:79:9c:ad:0e:d8:b9:0c:57:9f:1a:02:99:e7:90:f3:87<br>Jun 12 06:15:24 router CHARON-INFO: 15[CFG] looking for peer configs matching 172.16.30.2[%any]...172.16.50.10[172.16.50.10]<br>
Jun 12 06:15:24 router CHARON-INFO: 15[CFG] selected peer config 'myvpn~mypolicy'<br>Jun 12 06:15:24 router CHARON-INFO: 15[IKE] initiating EAP-Identity request<br>Jun 12 06:15:24 router CHARON-INFO: 15[IKE] peer supports MOBIKE<br>
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] authentication of '<a href="http://zeus.test.net">zeus.test.net</a>' (myself) with RSA signature successful<br>Jun 12 06:15:24 router CHARON-INFO: 15[IKE] sending end entity cert "C=US, ST=CA, O=MYORG, OU=SPG, CN=<a href="http://zeus.test.net">zeus.test.net</a>, <a href="mailto:E=zeus@test.net">E=zeus@test.net</a>"<br>
Jun 12 06:15:24 router CHARON-INFO: 15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]<br>Jun 12 06:15:24 router CHARON-INFO: 15[NET] sending packet: from [4500] to [4500]<br>Jun 12 06:15:24 router CHARON-INFO: 12[NET] received packet: from [4500] to [4500]<br>
Jun 12 06:15:24 router CHARON-INFO: 12[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]<br>Jun 12 06:15:24 router CHARON-INFO: 12[IKE] received EAP identity 'jordan'<br>Jun 12 06:15:24 router CHARON-INFO: 12[IKE] initiating EAP_MSCHAPV2 method<br>
Jun 12 06:15:24 router CHARON-INFO: 12[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]<br>Jun 12 06:15:24 router CHARON-INFO: 12[NET] sending packet: from [4500] to [4500]<br>Jun 12 06:15:24 router CHARON-INFO: 16[NET] received packet: from [4500] to [4500]<br>
Jun 12 06:15:24 router CHARON-INFO: 16[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]<br>Jun 12 06:15:24 router CHARON-INFO: 16[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]<br>Jun 12 06:15:24 router CHARON-INFO: 16[NET] sending packet: from [4500] to [4500]<br>
Jun 12 06:15:24 router CHARON-INFO: 09[NET] received packet: from [4500] to [4500]<br>Jun 12 06:15:24 router CHARON-INFO: 09[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]<br>Jun 12 06:15:24 router CHARON-INFO: 09[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established<br>
Jun 12 06:15:24 router CHARON-INFO: 09[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]<br>Jun 12 06:15:24 router CHARON-INFO: 09[NET] sending packet: from [4500] to [4500]<br>Jun 12 06:15:24 router CHARON-INFO: 08[NET] received packet: from [4500] to [4500]<br>
Jun 12 06:15:24 router CHARON-INFO: 08[ENC] parsed IKE_AUTH request 5 [ AUTH ]<br>Jun 12 06:15:24 router CHARON-INFO: 08[IKE] authentication of '172.16.50.10' with EAP successful<br>Jun 12 06:15:24 router CHARON-INFO: 08[IKE] authentication of '<a href="http://zeus.test.net">zeus.test.net</a>' (myself) with EAP<br>
Jun 12 06:15:24 router CHARON-INFO: 08[IKE] IKE_SA myvpn~mypolicy[9] established between 172.16.30.2[<a href="http://zeus.test.net">zeus.test.net</a>]...172.16.50.10[172.16.50.10]<br>Jun 12 06:15:24 router CHARON-INFO: 08[IKE] IKE_SA myvpn~mypolicy[9] established between 172.16.30.2[<a href="http://zeus.test.net">zeus.test.net</a>]...172.16.50.10[172.16.50.10]<br>
Jun 12 06:15:24 router CHARON-INFO: 08[IKE] scheduling reauthentication in 10137s<br>Jun 12 06:15:24 router CHARON-INFO: 08[IKE] maximum IKE_SA lifetime 10677s<br>Jun 12 06:15:24 router CHARON-INFO: 08[IKE] peer requested virtual IP (vr*)%any<br>
Jun 12 06:15:24 router CHARON-INFO: 08[CFG] assigning new lease to 'jordan'<br>Jun 12 06:15:24 router CHARON-INFO: 08[IKE] assigning virtual IP 172.16.80.1 to peer<br>Jun 12 06:15:24 router CHARON-INFO: 08[IKE] CHILD_SA myvpn~mypolicy{13} established with SPIs c120b985_i 65d20505_o and TS <a href="http://0.0.0.0/0">0.0.0.0/0</a> === <a href="http://172.16.80.1/32">172.16.80.1/32</a><br>
Jun 12 06:15:24 router CHARON-INFO: 08[IKE] CHILD_SA myvpn~mypolicy{13} established with SPIs c120b985_i 65d20505_o and TS <a href="http://0.0.0.0/0">0.0.0.0/0</a> === <a href="http://172.16.80.1/32">172.16.80.1/32</a><br>
Jun 12 06:15:24 router CHARON-INFO: 08[ENC] generating IKE_AUTH response 5 [ AUTH CP SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]<br>Jun 12 06:15:24 router CHARON-INFO: 08[NET] sending packet: from [4500] to [4500]</div>
<div> </div>
<div>I appreciate any help.</div>
<div> </div>
<div>Thanks!</div>
<div> </div>
<div>Jordan.<br></div>
<div class="gmail_quote">On Mon, Jun 11, 2012 at 12:01 AM, Kimmo Koivisto <span dir="ltr"><<a href="mailto:koippa@gmail.com" target="_blank">koippa@gmail.com</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">2012/6/11 yordanos beyene <<a href="mailto:yordanosb@gmail.com">yordanosb@gmail.com</a>>:<br>> Hi Everyone,<br>
Hello<br>
<div class="im"><br>><br>> I am having difficulties connecting to strongSwan IKEv2 using eap-radius<br>> from a windows7 Agile VPN client. Below are my vpn server, windows7, radius<br>> configuration and error messages. I have followed the strongSwan windows7<br>
> certificate requirements and tried for a couple of days different<br>> recommendations from the strongswan mailing archive but I couldn't make it<br>> to work. I really appreciate any help.<br><br></div>If I would be you, I would first make the connection work with<br>
eap-mschapv2 and rule out the problems with certificates.<br><br>This is my configuration from working eap-mschapv2 connection:<br><br>conn win7<br> rekey=no<br> left=%any<br> leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
leftauth=pubkey<br> leftcert=mycert.crt<br> leftid=@cert-cn<br> right=%any<br> rightsourceip=<a href="http://192.168.2.0/25" target="_blank">192.168.2.0/25</a><br> rightauth=eap-mschapv2<br> rightsendcert=never<br>
eap_identity=%any<br> auto=add<br><br><br>><br>> conn myvpn~mypolicy<br>> vpn=myvpn<br>> mobike=no<br><br>I would enable mobike, that is quite important for me, changing<br>interface from WLAN to 3G etc works nice.<br>
<br>> left=172.16.30.2<br>> leftsubnet=<a href="http://172.26.40.0/24" target="_blank">172.26.40.0/24</a><br><br>Split tunneling is not possible, thus you can narrow traffic selector<br>to your subnet. I'm negotiating <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> so I can surf internet with<br>
the connection<br>
<div class="im"><br>> =============================<br>> #Windows 7 Agile vpn client<br>><br>> Type of VPN : IKEv2<br>> Authentication: EAP ; sub-menu: tried both PEAP and EAP-MSCHAP v2<br>> X509 machine certificate and CA certificate installed , and verified as<br>
> valid<br><br></div>With mschapv2, client machine certificate is not needed, server is<br>authenticated using server certificate, client authenticates with EAP.<br>
<div class="im"><br>> Added the following configuration to the windows 7 hosts file<br>><br>> 172.16.30.2 <a href="http://zeus.test.net/" target="_blank">zeus.test.net</a><br>> ( 172.16.30.2 refers to the vpn gateway interface, and <a href="http://zeus.test.net/" target="_blank">zeus.test.net</a> is the<br>
> vpn gateway certificate CN and subject alt name).====<br><br></div>Did you configure your VPN connection using the <a href="http://zeus.test.net/" target="_blank">zeus.test.net</a>? I know,<br>stupid thing to ask but just to verify that problem is not there.<br>
<div class="im"><br>> when I started the Windows 7 Agile vpn connection, the following error<br>> message shows on the vpn gateway and windows7 :<br></div>
<div class="im">> #Windows7 error message<br>><br>> starts "Verifying user name and password and displays<br>> Error:13801: IKE authentication credentials are unacceptable<br>> =============================<br>
<br></div>When you authenticate using eap-mschapv2 and username/password<br>authentication fails, Windows shows window with message "Re-enter your<br>user name and password. Windows could not connect using ...."<br>
Error 13801 means problem in certificates, at least in mschapv2.<br><br>If you already have client certificate installed, you can also try<br>using the selection "use machine certificate" and try without EAP,<br>
that verifies that certificates are okay.<br><br>In that case, this is my working configuration for it:<br><br><br>conn %default<br> keyingtries=3<br> keyexchange=ikev2<br> ike=aes256-sha1-modp1024!<br> esp=aes256-sha1!<br>
dpdaction=clear<br> dpddelay=30s<br> rekey=no<br><br>conn win7certs<br> authby=rsasig<br> left=my-public-ip<br> leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br> leftcert=mycert.crt<br>
leftid=@cert-cn<br> right=%any<br> rightsourceip=<a href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a><br> auto=add<br><br><br>Regards,<br>Kimmo<br>
<div class="im"><br>><br>> No user authentication request send to the radius server.<br>><br>> Thank you!<br>><br>> Jordan.<br>><br></div>> _______________________________________________<br>> Users mailing list<br>
> <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>> <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
</blockquote></div><br>
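<div>Added example for the diagnosis above (not part of this thread and not strongSwan or HP code): a small Python script that parses the internal-interface tcpdump lines and the SPD dump quoted in the post, pairs each echo reply with the ICMP "net unreachable" that follows it, and checks whether an outbound SP covers the reply's source/destination pair. An ICMP destination-unreachable with code "net unreachable" is emitted by the device that could not route the datagram, so the report separates "no outbound SP matched" from "the gateway reported the reply's destination unrouteable". The sample inputs are copied from the post; the gateway's inside address 172.16.40.2 is taken from the capture; the SPD parser assumes the setkey-style layout shown in the post.</div>

```python
"""Correlate an ICMP packet capture with an IPsec SPD dump to localise where
VPN return traffic is lost.  Added example; the sample inputs below are copied
from the mailing-list post, the report is the script's own interpretation."""
import ipaddress
import re

# Constructed sample: the internal-interface tcpdump lines from the post.
CAPTURE = """\
06:29:39.484332 IP 172.16.80.1 > 172.16.40.10: icmp 40: echo request seq 375
06:29:39.484425 IP 172.16.40.10 > 172.16.80.1: icmp 40: echo reply seq 375
06:29:39.484437 IP 172.16.40.2 > 172.16.40.10: icmp 68: net 172.16.80.1 unreachable
06:29:44.491581 IP 172.16.80.1 > 172.16.40.10: icmp 40: echo request seq 376
06:29:44.491666 (FP) IP 172.16.40.10 > 172.16.80.1: icmp 40: echo reply seq 376
06:29:44.491668 IP 172.16.40.10 > 172.16.80.1: icmp 40: echo reply seq 376
06:29:44.491682 IP 172.16.40.2 > 172.16.40.10: icmp 68: net 172.16.80.1 unreachable
"""

# Constructed sample: the two SP entries from the post, trimmed to the lines parsed here.
SPD = """\
172.16.80.1[any] 0.0.0.0/0[any] any
        in priority=1680 index=0x80000180 ipsec
        esp/tunnel/172.16.50.10-172.16.30.2/unique:20
0.0.0.0/0[any] 172.16.80.1[any] any
        out priority=2000 index=0x80000179 ipsec
        esp/tunnel/172.16.30.2-172.16.50.10/unique:20
"""

PKT_RE = re.compile(r"^\S+ (?:\(FP\) )?IP (\S+) > (\S+): icmp \d+: (.*)$")
ECHO_RE = re.compile(r"echo (request|reply) seq (\d+)")
UNREACH_RE = re.compile(r"net (\S+) unreachable")
SP_RE = re.compile(r"^(\S+)\[\S+\] (\S+)\[\S+\] \S+$")
DIR_RE = re.compile(r"^(in|out|fwd) priority=")


def parse_spd(text):
    """Return (direction, src_net, dst_net) for every SP in a setkey-style dump."""
    policies, selector = [], None
    for raw in text.splitlines():
        line = raw.strip()
        sp = SP_RE.match(line)
        if sp:
            # a bare address such as 172.16.80.1 becomes a /32 network
            selector = (ipaddress.ip_network(sp.group(1)),
                        ipaddress.ip_network(sp.group(2)))
            continue
        d = DIR_RE.match(line)
        if d and selector:
            policies.append((d.group(1),) + selector)
            selector = None
    return policies


def policy_covers(policies, direction, src, dst):
    """True if some SP of the given direction matches the src/dst pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(dr == direction and s in sn and d in dn for dr, sn, dn in policies)


def parse_capture(text):
    """Group echo requests, replies and any ICMP unreachable by ICMP sequence."""
    flows, last_seq_to = {}, {}
    for raw in text.splitlines():
        m = PKT_RE.match(raw.strip())
        if not m:
            continue
        src, dst, info = m.groups()
        echo = ECHO_RE.match(info)
        if echo:
            seq = int(echo.group(2))
            f = flows.setdefault(seq, {"request": None, "replies": [], "unreachable": []})
            if echo.group(1) == "request":
                f["request"] = (src, dst)
            else:
                f["replies"].append((src, dst))
                last_seq_to[dst] = seq
            continue
        unreach = UNREACH_RE.match(info)
        if unreach and unreach.group(1) in last_seq_to:
            # type 3 / code 0: `src` had no route toward the reply's destination
            flows[last_seq_to[unreach.group(1)]]["unreachable"].append(src)
    return flows


def diagnose(capture_text, spd_text, gateway_inside_ip):
    """Per ICMP sequence: was the reply covered by an outbound SP, and did the
    gateway itself report the reply's destination as unrouteable?"""
    flows, policies = parse_capture(capture_text), parse_spd(spd_text)
    report = {"out_policy_present": False, "answered": [], "lost_replies": []}
    for seq, f in sorted(flows.items()):
        for reply_src, reply_dst in f["replies"][:1]:
            report["answered"].append(seq)
            if policy_covers(policies, "out", reply_src, reply_dst):
                report["out_policy_present"] = True
        if gateway_inside_ip in f["unreachable"]:
            report["lost_replies"].append(seq)
    return report


if __name__ == "__main__":
    r = diagnose(CAPTURE, SPD, "172.16.40.2")
    print("outbound SP covers the reply path:", r["out_policy_present"])
    print("sequences answered by the host:   ", r["answered"])
    print("sequences the gateway could not route:", r["lost_replies"])
```

<div>On the post's data the outbound SP does match the reply (0.0.0.0/0 -> 172.16.80.1), yet the gateway's inside address answers every reply with "net unreachable", which points the investigation at the gateway's forwarding path for the virtual-IP pool rather than at ESP encapsulation; the same script can be rerun on a fresh capture after any routing change to confirm the unreachable messages have stopped.</div>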