<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Forgot to mention that the eap_identity issue is most likely related to <a href="https://wiki.strongswan.org/issues/1183" id="LPNoLP995642">https://wiki.strongswan.org/issues/1183</a></div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Marwan Khalili <choklad_321@hotmail.com><br>
<b>Sent:</b> Friday, September 28, 2018 11:12<br>
<b>To:</b> bls s; Christian Salway<br>
<b>Cc:</b> users@lists.strongswan.org<br>
<b>Subject:</b> Re: [strongSwan] Help! I can't configure Windows 10 to send remote id (leftid) for IKEv2</font>
<div> </div>
</div>
<div dir="ltr">
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif; font-size:12pt">The pre-shared key solution could definitely be worth a try. </span></div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><br>
</span></div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif; font-size:12pt">I've been experimenting with using "eap_identity" to coerce the selection depending on the provided username (see config below). Authenticating</span><span style="color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif; font-size:12pt"> as
"user1" connects me to vpn1 and "user2" connects to vpn2.</span></div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Works great in macOS but still having issues with Windows 10. The first authentication attempt always fails, and when I retry to connect, the second authentication is successful. Posting the logs below in case they are of any help.</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
ipsec.conf</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
--------------</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div>conn vpn1<br>
</div>
<div> eap_identity=user1<br>
</div>
<div> left=%any<br>
</div>
<div> leftid=@example.org<br>
</div>
<div> leftsubnet=0.0.0.0/0<br>
</div>
<div> right=%any<br>
</div>
<div> rightid=%any<br>
</div>
<div> rightdns=8.8.8.8,8.8.4.4<br>
</div>
<div> rightsourceip=10.10.10.1/24<br>
</div>
<div><br>
</div>
<div>conn vpn2<br>
</div>
<div> eap_identity=user2<br>
</div>
<div> left=%any<br>
</div>
<div> leftid=@example.org<br>
</div>
<div> leftsubnet=0.0.0.0/0<br>
</div>
<div> right=%any<br>
</div>
<div> rightid=%any<br>
</div>
<div> rightdns=8.8.8.8,8.8.4.4<br>
</div>
<span> rightsourceip=10.10.10.2/24</span><br>
</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span><br>
</span></div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
syslog (first attempt fails)</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
---------------------------------</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div style="color:#bbbbbb; background-color:#282c34; font-family:Source Code Pro; font-weight:normal; font-size:14px; line-height:21px">
<div>charon: 07[NET] received packet: from 36.170.198.412[46981] to 157.140.164.120[500] (1104 bytes)</div>
<div>charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]</div>
<div>charon: 07[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID</div>
<div>charon: 07[IKE] received MS-Negotiation DiscoveryCapable vendor ID</div>
<div>charon: 07[IKE] received Vid-Initial-Contact vendor ID</div>
<div>charon: 07[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02</div>
<div>charon: 07[IKE] 36.170.198.412 is initiating an IKE_SA</div>
<div>charon: 07[IKE] remote host is behind NAT</div>
<div>charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]</div>
<div>charon: 07[NET] sending packet: from 157.140.164.120[500] to 36.170.198.412[46981] (320 bytes)</div>
<div>charon: 12[NET] received packet: from 36.170.198.412[47029] to 157.140.164.120[4500] (576 bytes)</div>
<div>charon: 12[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]</div>
<div>charon: 12[ENC] received fragment #1 of 2, waiting for complete IKE message</div>
<div>charon: 12[NET] received packet: from 36.170.198.412[47029] to 157.140.164.120[4500] (416 bytes)</div>
<div>charon: 12[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]</div>
<div>charon: 12[ENC] received fragment #2 of 2, reassembling fragmented IKE message</div>
<div>charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]</div>
<div>charon: 12[IKE] received 23 cert requests for an unknown ca</div>
<div>charon: 12[CFG] looking for peer configs matching 157.140.164.120[%any]...36.170.198.412[10.0.2.15]</div>
<div>charon: 12[CFG] selected peer config 'vpn2'</div>
<div>charon: 12[IKE] using configured EAP-Identity user2</div>
<div>charon: 12[IKE] initiating EAP_MSCHAPV2 method (id 0xA7)</div>
<div>charon: 12[IKE] peer supports MOBIKE</div>
<div>charon: 12[IKE] authentication of 'example.org' (myself) with RSA signature successful</div>
<div>charon: 12[IKE] sending end entity cert "CN=example.org"</div>
<div>charon: 12[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"</div>
<div>charon: 12[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/MSCHAPV2 ]</div>
<div>charon: 12[ENC] splitting IKE message with length of 3164 bytes into 3 fragments</div>
<div>charon: 12[ENC] generating IKE_AUTH response 1 [ EF(1/3) ]</div>
<div>charon: 12[ENC] generating IKE_AUTH response 1 [ EF(2/3) ]</div>
<div>charon: 12[ENC] generating IKE_AUTH response 1 [ EF(3/3) ]</div>
<div>charon: 12[NET] sending packet: from 157.140.164.120[4500] to 36.170.198.412[47029] (1248 bytes)</div>
<div>charon: 12[NET] sending packet: from 157.140.164.120[4500] to 36.170.198.412[47029] (1248 bytes)</div>
<div>charon: 12[NET] sending packet: from 157.140.164.120[4500] to 36.170.198.412[47029] (800 bytes)</div>
<div>charon: 06[NET] received packet: from 36.170.198.412[47029] to 157.140.164.120[4500] (140 bytes)</div>
<div>charon: 06[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]</div>
<div>charon: 06[IKE] EAP-MS-CHAPv2 username: '%any'</div>
<div>charon: 06[IKE] no EAP key found for hosts '%any' - '%any'</div>
<div>charon: 06[IKE] EAP-MS-CHAPv2 verification failed, retry (1)</div>
<div>charon: 14[MGR] ignoring request with ID 2, already processing</div>
<div>charon: 06[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]</div>
<div>charon: 06[NET] sending packet: from 157.140.164.120[4500] to 36.170.198.412[47029] (124 bytes)</div>
<div>charon: 09[NET] received packet: from 36.170.198.412[47029] to 157.140.164.120[4500] (140 bytes)</div>
<div>charon: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]</div>
<div>charon: 09[IKE] received retransmit of request with ID 2, retransmitting response</div>
<div>charon: 09[NET] sending packet: from 157.140.164.120[4500] to 36.170.198.412[47029] (124 bytes)</div>
</div>
<br>
</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
syslog (second attempt succeeds)</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
---------------------------------------------</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div style="color:#bbbbbb; background-color:#282c34; font-family:Source Code Pro; font-weight:normal; font-size:14px; line-height:21px">
<div>charon: 13[NET] received packet: from 36.170.198.412[47029] to 157.140.164.120[4500] (140 bytes)</div>
<div>charon: 13[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]</div>
<div>charon: 13[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]</div>
<div>charon: 13[NET] sending packet: from 157.140.164.120[4500] to 36.170.198.412[47029] (140 bytes)</div>
<div>charon: 08[NET] received packet: from 36.170.198.412[47029] to 157.140.164.120[4500] (76 bytes)</div>
<div>charon: 08[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]</div>
<div>charon: 08[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established</div>
<div>charon: 08[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]</div>
<div>charon: 08[NET] sending packet: from 157.140.164.120[4500] to 36.170.198.412[47029] (76 bytes)</div>
<div>charon: 11[NET] received packet: from 36.170.198.412[47029] to 157.140.164.120[4500] (92 bytes)</div>
<div>charon: 11[ENC] parsed IKE_AUTH request 5 [ AUTH ]</div>
<div>charon: 11[IKE] authentication of '10.0.2.15' with EAP successful</div>
<div>charon: 11[IKE] authentication of 'example.org' (myself) with EAP</div>
<div>charon: 11[IKE] IKE_SA vpn2[59] established between 157.140.164.120[example.org]...36.170.198.412[10.0.2.15]</div>
<div>charon: 11[IKE] scheduling reauthentication in 9946s</div>
<div>charon: 11[IKE] maximum IKE_SA lifetime 10486s</div>
<div>charon: 11[IKE] peer requested virtual IP %any</div>
<div>charon: 11[CFG] reassigning offline lease to 'user2'</div>
<div>charon: 11[IKE] assigning virtual IP 10.10.10.2 to peer 'user2'</div>
<div>charon: 11[IKE] peer requested virtual IP %any6</div>
<div>charon: 11[IKE] no virtual IP found for %any6 requested by 'user2'</div>
<div>charon: 11[IKE] CHILD_SA vpn2{8} established with SPIs c5c3c57a_i 18e3d53e_o and TS 0.0.0.0/0 === 10.10.10.2/32</div>
<div>charon: 11[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]</div>
<div>charon: 11[NET] sending packet: from 157.140.164.120[4500] to 36.170.198.412[47029] (252 bytes)</div>
</div>
<br>
</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
</div>
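<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
The following script is an added example, not code from this thread or from strongSwan. The two syslog excerpts above already contain the whole story of the failing first attempt: charon finds the client with an IDr of %any, selects 'vpn2', applies the configured EAP-Identity user2, and EAP-MS-CHAPv2 then runs with username '%any', for which no EAP secret exists; on the second attempt EAP succeeds and 10.10.10.2 is assigned to 'user2'. The script pulls exactly those facts out of charon log lines so an operator can read them at a glance instead of scanning the [NET]/[ENC] noise. The sample input is a constructed, cleaned subset of the posted logs (syslog prefix stripped, addresses kept as posted); the event names and summary keys are this example's own, not strongSwan identifiers.
</div>

```python
"""Triage helper for strongSwan charon IKE_AUTH / EAP log excerpts.

Added example, not code from this thread or from strongSwan: it reads charon
log lines of the form posted above and summarises which peer config was
selected, which EAP identity the server configured, which username the
client actually presented, and how the exchange ended.
"""
import re
from typing import Any, Dict, List

# Constructed sample input: a cleaned subset of the first (failing) exchange posted above.
SAMPLE_FIRST_ATTEMPT = """\
charon: 12[CFG] looking for peer configs matching 157.140.164.120[%any]...36.170.198.412[10.0.2.15]
charon: 12[CFG] selected peer config 'vpn2'
charon: 12[IKE] using configured EAP-Identity user2
charon: 12[IKE] initiating EAP_MSCHAPV2 method (id 0xA7)
charon: 06[IKE] EAP-MS-CHAPv2 username: '%any'
charon: 06[IKE] no EAP key found for hosts '%any' - '%any'
charon: 06[IKE] EAP-MS-CHAPv2 verification failed, retry (1)
"""

# Constructed sample input: the second (successful) attempt on the same IKE_SA.
SAMPLE_SECOND_ATTEMPT = """\
charon: 08[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
charon: 11[IKE] authentication of '10.0.2.15' with EAP successful
charon: 11[IKE] IKE_SA vpn2[59] established between 157.140.164.120[example.org]...36.170.198.412[10.0.2.15]
charon: 11[IKE] assigning virtual IP 10.10.10.2 to peer 'user2'
"""

# "charon: <thread>[<group>] <message>"; any syslog timestamp/host prefix is assumed stripped.
LINE_RE = re.compile(r"^charon: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")

# One pattern per event of interest; the event names are this example's own.
EVENTS = {
    "lookup": re.compile(r"looking for peer configs matching [^\[\s]+\[(?P<idr>[^\]]*)\]"
                         r"\.\.\.[^\[\s]+\[(?P<idi>[^\]]*)\]"),
    "selected": re.compile(r"selected peer config '(?P<conn>[^']+)'"),
    "eap_identity": re.compile(r"using configured EAP-Identity (?P<ident>\S+)"),
    "username": re.compile(r"EAP-MS-CHAPv2 username: '(?P<user>[^']*)'"),
    "no_key": re.compile(r"no EAP key found for hosts '(?P<a>[^']*)' - '[^']*'"),
    "failed": re.compile(r"EAP-MS-CHAPv2 verification failed, retry \(\d+\)"),
    "succeeded": re.compile(r"EAP method \S+ succeeded"),
    "established": re.compile(r"IKE_SA (?P<conn>[^\[\s]+)\[\d+\] established between"),
    "vip": re.compile(r"assigning virtual IP (?P<ip>\S+) to peer '[^']+'"),
}


def summarize(log_text: str) -> Dict[str, Any]:
    """Walk the excerpt once and collect what charon reports about the exchange."""
    s: Dict[str, Any] = {"idr": None, "idi": None, "peer_config": None,
                         "configured_eap_identity": None, "presented_usernames": [],
                         "missing_secret_for": [], "eap_failures": 0, "eap_succeeded": False,
                         "established_conn": None, "virtual_ip": None}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a charon line
        for event, pattern in EVENTS.items():
            hit = pattern.search(m["msg"])
            if hit is None:
                continue
            if event == "lookup":
                s["idr"], s["idi"] = hit["idr"], hit["idi"]
            elif event == "selected":
                s["peer_config"] = hit["conn"]
            elif event == "eap_identity":
                s["configured_eap_identity"] = hit["ident"]
            elif event == "username":
                s["presented_usernames"].append(hit["user"])
            elif event == "no_key":
                s["missing_secret_for"].append(hit["a"])
            elif event == "failed":
                s["eap_failures"] += 1
            elif event == "succeeded":
                s["eap_succeeded"] = True
            elif event == "established":
                s["established_conn"] = hit["conn"]
            else:  # "vip"
                s["virtual_ip"] = hit["ip"]
            break
    return s


def findings(s: Dict[str, Any]) -> List[str]:
    """Render the summary as the few sentences an operator actually needs."""
    out: List[str] = []
    if s["idr"] == "%any":
        out.append("client sent no IDr (%any): conns that differ only in leftid cannot "
                   "be told apart for this client")
    if s["peer_config"]:
        out.append(f"selected conn '{s['peer_config']}', configured EAP-Identity "
                   f"{s['configured_eap_identity']}")
    for user in s["presented_usernames"]:
        if user in s["missing_secret_for"]:
            out.append(f"EAP-MS-CHAPv2 ran with username '{user}' and no EAP secret "
                       "matched it; this IKE_AUTH cannot succeed")
    if s["eap_failures"] and not s["eap_succeeded"]:
        out.append(f"{s['eap_failures']} EAP verification failure(s), no IKE_SA established")
    if s["established_conn"]:
        out.append(f"IKE_SA established on conn '{s['established_conn']}', "
                   f"virtual IP {s['virtual_ip']} assigned")
    return out


if __name__ == "__main__":
    for label, text in (("first attempt", SAMPLE_FIRST_ATTEMPT), ("second attempt", SAMPLE_SECOND_ATTEMPT)):
        print(f"== {label} ==", *("  - " + f for f in findings(summarize(text))), sep="\n")
```

<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Run it as a script to see the report for the two samples, or call findings(summarize(text)) on a real excerpt after stripping the syslog prefix (for example with grep -o 'charon: .*'). The only state it keeps is per excerpt, so feed it one IKE_AUTH exchange at a time; the thread numbers in charon lines change between requests on the same IKE_SA and are deliberately not used for correlation.
</div>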
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> bls s <bls3427@outlook.com><br>
<b>Sent:</b> Wednesday, September 26, 2018 20:54<br>
<b>To:</b> Marwan Khalili; Christian Salway<br>
<b>Cc:</b> users@lists.strongswan.org<br>
<b>Subject:</b> Re: [strongSwan] Help! I can't configure Windows 10 to send remote id (leftid) for IKEv2</font>
<div> </div>
</div>
<div class="x_BodyFragment"><font size="2"><span style="font-size:11pt">
<div class="x_PlainText">Not trying to muddy the waters, but I think it depends on what Auth method you're using. If you're using cert-based auth with IKEV2 I don't think that there's any way to send an ID. On the other hand, if you're using IPSEC with a pre-shared
key, I think you can coerce the selection of a different connection. <br>
<br>
It would definitely be interesting to get some definitive input and validated testing on this!<br>
<br>
From: Users <users-bounces@lists.strongswan.org> on behalf of Marwan Khalili <choklad_321@hotmail.com><br>
Sent: Wednesday, September 26, 2018 5:16 AM<br>
To: Christian Salway<br>
Cc: users@lists.strongswan.org<br>
Subject: Re: [strongSwan] Help! I can't configure Windows 10 to send remote id (leftid) for IKEv2<br>
<br>
I have looked through the options but cannot find it. I would be very grateful if you could describe how to do it when you have time.<br>
<br>
<br>
I am using the VPN client built into Windows 10. I have searched for an option corresponding to the "Remote ID" in macOS in the following locations, to no avail:<br>
- Settings -> Network & Internet -> VPN<br>
- Control Panel -> Network and Internet -> Network Connections<br>
- rasphone.pbk - %APPDATA%\Microsoft\Network\Connections\Pbk\rasphone.pbk<br>
- PowerShell documentation for Add-VpnConnection and Set-VpnConnectionIPsecConfiguration<br>
<br>
<br>
From: Christian Salway <christian.salway@naimuri.com><br>
Sent: Wednesday, September 26, 2018 01:29<br>
To: bls s<br>
Cc: Marwan Khalili; users@lists.strongswan.org<br>
Subject: Re: [strongSwan] Help! I can't configure Windows 10 to send remote id (leftid) for IKEv2<br>
<br>
You can set the ID in Windows 10; if you go through the options for the connection you will see it. Not near a computer, otherwise I’d get you the instructions.<br>
<br>
On 26 Sep 2018, at 02:30, bls s <bls3427@outlook.com> wrote:<br>
<br>
<br>
I'm curious about this as well. From my work on pistrong (see elsewhere), it looks to me like Windows doesn't have a way to send an ID that you can use for matching. I haven't tried this, but you might be able to make it work by using a separate "VPN certificate"
for the Windows connection that has an altname in it corresponding to a secondary DNS name for your server. You can then have Windows connect to the secondary DNS name and, in theory, it would eventually match that connection.<br>
<br>
<br>
Again, just a theory; I'm definitely interested in other approaches to solving this.<br>
<br>
From: Users <users-bounces@lists.strongswan.org> on behalf of Marwan Khalili <choklad_321@hotmail.com><br>
Sent: Tuesday, September 25, 2018 7:47 AM<br>
To: users@lists.strongswan.org<br>
Subject: [strongSwan] Help! I can't configure Windows 10 to send remote id (leftid) for IKEv2<br>
<br>
Hello,<br>
<br>
<br>
I have a strongSwan server running with the ipsec.conf pasted below. <br>
<br>
<br>
<br>
The clients are using Windows 10 and macOS and they must be able to choose a connection. I am trying to separate the connections using "leftid" with different subdomains for each connection (e.g. vpn1.example.org, vpn2.example.org).<br>
<br>
<br>
My solution below works in macOS by matching "Remote ID" with the appropriate "leftid", however I can't get it to work in Windows 10. <br>
<br>
<br>
I am very grateful for any help or ideas on how I can solve this.<br>
<br>
<br>
<br>
<br>
ipsec.conf<br>
--------------<br>
conn %default<br>
    auto=add<br>
    dpdaction=clear<br>
    dpddelay=180s<br>
    eap_identity=%any<br>
    esp=aes256-sha256,aes256-sha1,3des-sha1!<br>
    forceencaps=yes<br>
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!<br>
    keyexchange=ikev2<br>
    leftcert=cert.pem<br>
    leftsendcert=always<br>
    rightauth=eap-mschapv2<br>
    rightsendcert=never<br>
<br>
conn conn1<br>
    left=%any<br>
    leftid=@vpn1.example.org<br>
    leftsubnet=0.0.0.0/0<br>
    right=%any<br>
    rightid=%any<br>
    rightdns=8.8.8.8,8.8.4.4<br>
    rightsourceip=10.10.10.1/24<br>
<br>
conn conn2<br>
    left=%any<br>
    leftid=@vpn2.khalili.xyz<br>
    leftsubnet=0.0.0.0/0<br>
    right=%any<br>
    rightid=%any<br>
    rightdns=8.8.8.8,8.8.4.4<br>
    rightsourceip=10.10.10.2/24</div>
</span></font></div>
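<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
The script below is an added example, not code from this thread or from strongSwan. The ipsec.conf in the original post has two properties an operator would want checked before relying on it: the %default proposals include 3des-sha1-modp1024 in both ike= and esp=, and conn1 and conn2 differ only in leftid, so a client that does not send an IDr (the Windows 10 logs earlier in the thread show charon matching against %any) cannot select between them. The script parses the conn sections, applies %default inheritance, and reports both; it also recognises the later layout in which the conns differ by eap_identity. The sample configuration is constructed after the post, shortened and with conn2's leftid changed to vpn2.example.org; the check names and messages are this example's own.
</div>

```python
"""Static checks for an ipsec.conf laid out like the one in the original post.

Added example, not code from this thread or from strongSwan: it parses the
conn sections, applies %default inheritance, flags weak ike=/esp= proposals,
and reports conns a client can only pick by sending an IDr (or by EAP identity).
"""
from typing import Dict, List

# Constructed sample input, modelled on the posted %default / conn1 / conn2 layout.
SAMPLE_IPSEC_CONF = """\
conn %default
    keyexchange=ikev2
    eap_identity=%any
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1,3des-sha1!
    rightauth=eap-mschapv2

conn conn1
    left=%any
    leftid=@vpn1.example.org
    right=%any
    rightid=%any
    rightsourceip=10.10.10.1/24

conn conn2
    left=%any
    leftid=@vpn2.example.org   # constructed; the post uses another domain here
    right=%any
    rightid=%any
    rightsourceip=10.10.10.2/24
"""

Conn = Dict[str, str]

def parse_ipsec_conf(text: str) -> Dict[str, Conn]:
    """Return {conn name: settings} with %default merged into every conn."""
    sections: Dict[str, Conn] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # a section header starts in column 0
            head = line.split(None, 1)
            current = head[1].strip() if len(head) == 2 and head[0] == "conn" else None
            if current is not None:
                sections[current] = {}
            continue                               # 'config setup', 'ca ...' are skipped
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **conn} for name, conn in sections.items()}

# Tokens as they appear inside ike=/esp= proposal strings.
WEAK = {"3des": "3DES", "md5": "MD5", "modp768": "768-bit MODP", "modp1024": "1024-bit MODP"}
LEGACY = {"sha1": "SHA-1"}

def weak_proposals(conn: Conn) -> List[str]:
    """Flag every ike=/esp= proposal that contains a weak or legacy primitive."""
    issues: List[str] = []
    for key in ("ike", "esp"):
        for proposal in filter(None, conn.get(key, "").rstrip("!").split(",")):
            for tok in proposal.split("-"):
                if tok in WEAK:
                    issues.append(f"{key}: '{proposal}' uses weak {WEAK[tok]}")
                elif tok in LEGACY:
                    issues.append(f"{key}: '{proposal}' uses legacy {LEGACY[tok]}, prefer sha256 or better")
    return issues

def indistinguishable_without_idr(conns: Dict[str, Conn]) -> List[str]:
    """Group conns with identical peer selectors and say how a client can pick one."""
    groups: Dict[tuple, List[str]] = {}
    for name, c in conns.items():
        key = (c.get("left", "%any"), c.get("right", "%any"), c.get("rightid", "%any"), c.get("rightauth", ""))
        groups.setdefault(key, []).append(name)
    out: List[str] = []
    for names in groups.values():
        if len(names) < 2:
            continue
        leftids = sorted({conns[n].get("leftid", "") for n in names})
        eapids = {conns[n].get("eap_identity", "") for n in names}
        joined = ", ".join(names)
        if len(eapids) > 1:
            out.append(f"conns {joined} are selected by eap_identity, not by IDr")
        elif len(leftids) > 1:
            out.append(f"conns {joined} share the same peer selectors and differ only in leftid "
                       f"({', '.join(leftids)}); a client that sends no IDr cannot choose between them")
    return out

def lint(text: str) -> List[str]:
    """Full report for one ipsec.conf text: per-conn proposal issues, then selection issues."""
    conns = parse_ipsec_conf(text)
    report = [f"{name}: {issue}" for name, conn in conns.items() for issue in weak_proposals(conn)]
    return report + indistinguishable_without_idr(conns)

if __name__ == "__main__":
    for line in lint(SAMPLE_IPSEC_CONF):
        print("-", line)
```

<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Run it as a script for the sample report, or pass the contents of /etc/ipsec.conf to lint(). The parser only understands the conn-section subset needed here (no also= or include handling), which is enough to catch both problems in the posted file.
</div>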
</div>
</body>
</html>