<!DOCTYPE html>
<html>
<head>
<title></title>
<style type="text/css">p.MsoNormal,p.MsoNoSpacing{margin:0}</style>
</head>
<body><div>It would also help to know your actual Windows VPN settings including VPN Type.<br></div>
<div><br></div>
<div>I'm not much of a Windows person, but ....<br></div>
<div><br></div>
<div>This Cisco tutorial has nice screenshots under "Configure Windows 7 built-in client":<br></div>
<div><br></div>
<div><a href="https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/213246-asa-ikev2-ra-vpn-with-windows-7-or-andro.html">https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/213246-asa-ikev2-ra-vpn-with-windows-7-or-andro.html</a><br></div>
<div><br></div>
<div>In particular please see "step 10" near the end:<br></div>
<div><br></div>
<div><a href="https://www.cisco.com/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/213246-asa-ikev2-ra-vpn-with-windows-7-or-andro-50.png">https://www.cisco.com/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/213246-asa-ikev2-ra-vpn-with-windows-7-or-andro-50.png</a><br></div>
<div><br></div>
<div>If you have "automatic" as VPN type - it would explain the client trying to use the OpenVPN / PPTP / L2TP ports which we're seeing ("UFW blocked" messages).<br></div>
<div><br></div>
<div>I believe you want IKEv2 as VPN type here.<br></div>
<div><br></div>
<div>If I'm wrong, hopefully someone more knowledgeable in Windows can correct me.<br></div>
<div><br></div>
<div>And here is a different tutorial about strongSwan and Windows - it has nice screenshots of how to properly configure the Windows side (same screen as I linked above, basically, just a different presentation).<br></div>
<div><br></div>
<div><a href="https://docplayer.net/1323154-Vpn-with-windows-7-and-linux-strongswan-using-ikev2.html">https://docplayer.net/1323154-Vpn-with-windows-7-and-linux-strongswan-using-ikev2.html</a><br></div>
<div><br></div>
<div id="sig24956113"><div class="signature">--<br></div>
<div class="signature">Kostya Vasilyev<br></div>
<div class="signature">kman@fastmail.com<br></div>
<div class="signature"><br></div>
</div>
<div><br></div>
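<div>As an added example (not from the thread), a small Python triage helper that reads UFW BLOCK lines like the one quoted below, maps the blocked protocol/destination port to the VPN protocol it implies (IKE on UDP/500, NAT-T on UDP/4500, PPTP, L2TP, GRE, or TCP/443 as a possible CRL fetch), and says whether it is IKEv2 traffic to allow or a sign that the Windows VPN type is wrong. The sample log lines are constructed with RFC 5737 addresses; the port assignments are the standard IANA ones.</div>
<div><br></div>
```python
import re

# Constructed sample UFW log lines in netfilter's format (not from the thread;
# RFC 5737 addresses, MAC fields dropped). Line 3 is IKE, the others are not.
SAMPLE_LOG = """\
Feb 19 02:10:01 vpn kernel: [UFW BLOCK] IN=ens3 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=52 TTL=116 ID=27223 DF PROTO=TCP SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
Feb 19 02:10:02 vpn kernel: [UFW BLOCK] IN=ens3 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=116 ID=27224 DF PROTO=TCP SPT=54230 DPT=1723 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 19 02:10:03 vpn kernel: [UFW BLOCK] IN=ens3 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=88 TTL=116 ID=27225 PROTO=UDP SPT=500 DPT=500 LEN=68
Feb 19 02:10:04 vpn kernel: [UFW BLOCK] IN=ens3 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=116 ID=27226 PROTO=47
"""
# (proto, dst port) -> (label, part of an IKEv2/IPsec session?). Assumption:
# standard IANA ports; netfilter logs unnamed IP protocols numerically (GRE = 47).
KNOWN = {
    ("UDP", 500): ("IKE", True),
    ("UDP", 4500): ("IKE NAT-T / ESP-in-UDP", True),
    ("ESP", None): ("ESP (IPsec data)", True),
    ("UDP", 1701): ("L2TP", False),
    ("TCP", 1723): ("PPTP control", False),
    ("47", None): ("GRE (PPTP data)", False),
    ("UDP", 1194): ("OpenVPN", False),
    ("TCP", 443): ("HTTPS (CRL/OCSP fetch, SSTP or OpenVPN over TCP)", False),
}
UFW_RE = re.compile(
    r"\[UFW BLOCK\].*?\bSRC=(?P<src>\S+).*?\bPROTO=(?P<proto>\w+)"
    r"(?:.*?\bDPT=(?P<dpt>\d+))?")

def classify(line):
    """Return a triage record for one UFW BLOCK line, or None for other lines."""
    m = UFW_RE.search(line)
    if not m:
        return None
    proto = m.group("proto")
    dpt = int(m.group("dpt")) if m.group("dpt") else None  # ESP/GRE have no port
    label, ikev2 = KNOWN.get((proto, dpt), ("unknown", False))
    if ikev2:
        hint = ("IKEv2 traffic: allow it, e.g. 'ufw allow %d/udp'" % dpt
                if dpt else "IKEv2 traffic: allow ESP (IP protocol 50)")
    else:
        hint = "not IKEv2: check the Windows VPN type and the CA cert's CRL/OCSP URL"
    return {"src": m.group("src"), "proto": proto, "dpt": dpt,
            "label": label, "ikev2": ikev2, "hint": hint}

def triage(log):
    """Classify every UFW BLOCK line in a log blob, skipping everything else."""
    return [r for r in (classify(l) for l in log.splitlines()) if r]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print("%(proto)s/%(dpt)s %(label)s -> %(hint)s" % rec)
```
<div><br></div>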
<div>On Tue, Feb 19, 2019, at 4:02 PM, MOSES KARIUKI wrote:<br></div>
<blockquote type="cite"><div dir="ltr"><div style="font-family:tahoma, sans-serif;">Thanks a lot. Let me load the Windows logs.<br></div>
</div>
<div><br></div>
<div defang_data-gmailquote="yes"><div dir="ltr">On Tue, Feb 19, 2019 at 4:00 PM Kostya Vasilyev <<a href="mailto:kman@fastmail.com">kman@fastmail.com</a>> wrote:<br></div>
<blockquote defang_data-gmailquote="yes" style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204, 204, 204);padding-left:1ex;"><div><u></u><br></div>
<div><div><br></div>
<div>On Tue, Feb 19, 2019, at 3:56 PM, MOSES KARIUKI wrote:<br></div>
<blockquote type="cite"><div dir="ltr"><div dir="ltr"><div style="font-family:tahoma, sans-serif;">Hello Vasilyev,<br></div>
<div style="font-family:tahoma, sans-serif;"><br></div>
<div style="font-family:tahoma, sans-serif;">I can't get this to work: <i>openssl -noout -text -in ca-key.pem</i>. I have tried Googling but this also gives nothing.<br></div>
<div style="font-family:tahoma, sans-serif;"><span style="font-family:Monaco, Menlo, Consolas, 'Courier New', monospace">openssl x509 -noout -text -in ca-key.pem</span><br></div>
<div style="font-family:tahoma, sans-serif;"><br></div>
<div style="font-family:tahoma, sans-serif;">Any ideas? Sorry, I am a newbie on this one.<br></div>
</div>
</div>
</blockquote><div><br></div>
<div>You want to do this with the certificate - not its key.<br></div>
<div><br></div>
<div>But like I said it could be a red herring too - as Il Ka just wrote, it could be that the Windows client tries several protos including PPTP/GRE, L2TP and so on ...<br></div>
<div><br></div>
<div>... which is a reason to make sure that Windows is not trying to use some other protocol like PPTP or L2TP, and that you're not trying to use OpenVPN or some such.<br></div>
<div><br></div>
<div>Tom Rymes just suggested you check your Windows connection properties. I second this.<br></div>
<div><br></div>
<div>-- K<br></div>
<div><br></div>
<blockquote type="cite"><div dir="ltr"><div dir="ltr"><div style="font-family:tahoma, sans-serif;"><br></div>
</div>
</div>
<div><br></div>
<div><div dir="ltr">On Tue, Feb 19, 2019 at 12:40 PM Kostya Vasilyev <<a href="mailto:kman@fastmail.com">kman@fastmail.com</a>> wrote:<br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204, 204, 204);padding-left:1ex;"><div><br></div>
<div>On Tue, Feb 19, 2019, at 12:34 PM, IL Ka wrote:<br></div>
<div>> <br></div>
<div>> On Tue, Feb 19, 2019 at 8:48 AM Kostya Vasilyev <<a href="mailto:kman@fastmail.com">kman@fastmail.com</a>> wrote:<br></div>
<div>>> Looks like the connection is "almost there" but gets blocked by your firewall (UFW)<br></div>
<div>>> <br></div>
<div>>> Very end of your log:<br></div>
<div>>> <br></div>
<div>>> Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)<br></div>
<div>>> Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0<br></div>
<div>>> Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with 154.77.***.** after timeout<br></div>
<div>> <br></div>
<div>> <br></div>
<div>> DPT=443 looks like OpenVPN or HTTPS. <br></div>
<div>> IKE uses UDP/500 (or UDP/4500 in case of NAT).<br></div>
<div>> <br></div>
<div>> I am not sure this message is somehow connected to the problem.<br></div>
<div>> <br></div>
<div><br></div>
<div>Could be unrelated - good find on the EAP-Identity<br></div>
<div><br></div>
<div>But it could also be the client trying to fetch the CA certificate's CRL.<br></div>
<div><br></div>
<div>Moses can you check if your CA cert has a CRL?<br></div>
<div><br></div>
<div>openssl x509 -text -noout -in your_CA_cert<br></div>
<div><br></div>
<div>Is there a CRL? Is it an https:// link?<br></div>
<div><br></div>
<div> X509v3 CRL Distribution Points:<br></div>
<div><br></div>
<div> Full Name:<br></div>
<div> URI:https://......<br></div>
<div><br></div>
<div>-- K<br></div>
</blockquote></div>
</blockquote><div><br></div>
</div>
</blockquote></div>
</blockquote><div><br></div>
</body>
</html>