<div dir='auto'><div>OK, looks to me like an auth error on the client (Windows), I mean the error code <div dir="auto"><br></div><div dir="auto">https://social.technet.microsoft.com/Forums/ie/en-US/771bf5ec-7017-4fd3-9496-52137dfa616a/error-description-13801-ike-authentication-credentials-are-unacceptable<br></div><div dir="auto"><br></div><div dir="auto">Also in your Windows client settings screenshot you have EAP auth selected - did you mean to use a machine certificate rather?</div><div dir="auto"><br></div><div dir="auto">The connection type there looks good as IKEv2. Did you just fix this?</div><div dir="auto"><br></div>The CA doesn't have a CRL link as far as I can see, so my theory about "ufw blocks port 443" looks wrong (and Il Ka's looks more likely).</div><div dir="auto"><br></div><div dir="auto">On the Windows error code, some possible causes have to do with the server certificate's subjectAltName - so you will want to dump the server cert the same way and examine that.</div><div dir="auto"><br></div><div dir="auto">But personally I'd still do PSK as a test, an easy way to be sure that everything else (except cert or EAP auth) is working.</div><div dir="auto"><br></div><div dir="auto">Oh, and you're still not allowing all traffic from the client.</div><div dir="auto"><br></div><div dir="auto">ufw allow in from 154.77.***.**</div><div dir="auto"><br></div><div dir="auto">I'd do this as a test (and then either revert or tighten based on the results).</div><div dir="auto"><br></div><div dir="auto">-- K<br><div class="gmail_extra" dir="auto"><br><div class="gmail_quote">On 20 Feb 2019 at 1:26, MOSES KARIUKI <kariukims@gmail.com> wrote:<br type="attribution">
<blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div style="font-family:'tahoma' , sans-serif"><div><span style="font-family:'arial' , 'helvetica' , sans-serif">Dear Users,</span></div><div><span style="font-family:'arial' , 'helvetica' , sans-serif"><br></span></div><div><span style="font-family:'arial' , 'helvetica' , sans-serif">Below were the suggestions:</span></div><div><span style="font-family:'arial' , 'helvetica' , sans-serif">- Installing EAP-Identity support - Done</span><br style="font-family:'arial' , 'helvetica' , sans-serif"><span style="font-family:'arial' , 'helvetica' , sans-serif">- Setting UFW to allow all traffic from the client</span></div><div><span style="font-family:'arial' , 'helvetica' , sans-serif"> </span><span style="background-color:rgba( 0 , 0 , 0 , 0.05 );color:rgb( 58 , 58 , 58 );font-family:monospace;font-size:14px;white-space:pre">ufw allow 500,4500/udp</span></div><div> ufw allow in from 154.77.***.** proto gre<div> ufw allow in from 154.77.***.** proto ah</div><div> ufw allow in from 154.77.***.** proto esp</div><div><br></div><span style="font-family:'arial' , 'helvetica' , sans-serif">- Checking if your server certificates have https:// CRLs</span></div><div style="font-family:'arial' , 'helvetica' , sans-serif"><font face="tahoma, sans-serif"> </font><b><i><font face="trebuchet ms, sans-serif"> openssl x509 -noout -text -in ca-cert.pem</font></i></b><div style="font-family:'tahoma' , sans-serif">Certificate:</div><div style="font-family:'tahoma' , sans-serif"> Data:</div><div style="font-family:'tahoma' , sans-serif"> Version: 3 (0x2)</div><div style="font-family:'tahoma' , sans-serif"> Serial Number: 5360843625440499832 (0x4a658adfd6cc5878)</div><div style="font-family:'tahoma' , sans-serif"> Signature Algorithm: sha384WithRSAEncryption</div><div
style="font-family:'tahoma' , sans-serif"> Issuer: CN = VPN root CA</div><div style="font-family:'tahoma' , sans-serif"> Validity</div><div style="font-family:'tahoma' , sans-serif"> Not Before: Feb 12 21:01:05 2019 GMT</div><div style="font-family:'tahoma' , sans-serif"> Not After : Feb 9 21:01:05 2029 GMT</div><div style="font-family:'tahoma' , sans-serif"> Subject: CN = VPN root CA</div><div style="font-family:'tahoma' , sans-serif"> Subject Public Key Info:</div><div style="font-family:'tahoma' , sans-serif"> Public Key Algorithm: rsaEncryption</div><div style="font-family:'tahoma' , sans-serif"> Public-Key: (4096 bit)</div><div style="font-family:'tahoma' , sans-serif"> Modulus:</div><div style="font-family:'tahoma' , sans-serif"> 00:c5:bb:cc:c2:90:92:b4:40:fa:12:7b:39:30:cb:</div><div style="font-family:'tahoma' , sans-serif"> e8:54:8f:09:59:38:f1:9e:52:6d:eb:a3:fc:e2:dd:</div><div style="font-family:'tahoma' , sans-serif"> a3:64:30:d4:20:0b:85:f7:09:fc:5b:8f:7f:eb:c6:</div><div style="font-family:'tahoma' , sans-serif"> 25:12:20:45:fb:1a:2c:2d:80:f7:d3:a9:3f:81:04:</div><div style="font-family:'tahoma' , sans-serif"> 27:80:e5:2c:87:ef:08:81:c7:b0:cf:fc:f2:e4:cb:</div><div style="font-family:'tahoma' , sans-serif"> 18:09:3a:a2:fe:2e:27:44:fd:9f:7f:3d:a7:ed:1c:</div><div style="font-family:'tahoma' , sans-serif"> d6:71:f6:e4:c2:c2:e3:fd:54:bd:31:fe:de:c7:1d:</div><div style="font-family:'tahoma' , sans-serif"> 52:ea:49:aa:48:0c:2d:46:b0:dc:fe:15:6d:8c:0f:</div><div style="font-family:'tahoma' , sans-serif"> 49:f0:af:b7:7c:62:d7:36:e9:34:20:3a:0e:04:4e:</div><div style="font-family:'tahoma' , sans-serif"> 73:ab:78:fe:bb:44:b5:22:ff:33:f4:60:3e:ab:36:</div><div style="font-family:'tahoma' , sans-serif"> 26:c3:bd:f0:9f:e4:04:eb:c2:2b:8f:cf:61:53:9c:</div><div style="font-family:'tahoma' , sans-serif"> 38:0e:ce:db:a0:5b:48:73:9f:fe:63:d1:02:05:59:</div><div style="font-family:'tahoma' , sans-serif"> 8b:64:7d:ab:2f:6f:b5:c6:55:78:24:ba:a3:0a:6b:</div><div 
style="font-family:'tahoma' , sans-serif"> cb:88:96:0d:56:c0:ea:17:58:1e:55:09:e2:17:61:</div><div style="font-family:'tahoma' , sans-serif"> 37:24:02:2a:96:39:5c:6d:b7:2a:6f:63:0d:d1:b0:</div><div style="font-family:'tahoma' , sans-serif"> 44:65:d8:28:97:c6:74:5c:af:b9:10:b7:ec:4c:0e:</div><div style="font-family:'tahoma' , sans-serif"> 2b:b2:6b:f5:39:89:53:d9:81:bd:2d:18:e8:1e:e5:</div><div style="font-family:'tahoma' , sans-serif"> a0:3b:76:d2:04:ee:92:00:a1:a7:e8:21:27:74:b6:</div><div style="font-family:'tahoma' , sans-serif"> e1:b5:77:7c:73:49:2f:cc:eb:54:04:29:c9:9a:3a:</div><div style="font-family:'tahoma' , sans-serif"> 75:34:5c:d0:f9:dd:5e:e9:76:69:25:c3:b0:d3:d6:</div><div style="font-family:'tahoma' , sans-serif"> 74:bc:a3:1d:07:18:67:7b:24:60:a1:88:9d:c6:f0:</div><div style="font-family:'tahoma' , sans-serif"> 7d:6a:e8:b1:e2:3e:a6:df:c7:1e:54:e9:8d:16:a2:</div><div style="font-family:'tahoma' , sans-serif"> be:60:91:e1:42:6e:50:18:0a:6f:4d:32:b3:df:17:</div><div style="font-family:'tahoma' , sans-serif"> 0d:e1:fa:3f:bf:d2:a6:3e:17:40:69:e9:d7:a0:da:</div><div style="font-family:'tahoma' , sans-serif"> 7f:2e:1f:dd:c2:88:e4:72:09:bd:c4:35:76:9d:3a:</div><div style="font-family:'tahoma' , sans-serif"> 1c:38:53:5f:13:12:28:10:0a:27:a3:69:5e:66:7a:</div><div style="font-family:'tahoma' , sans-serif"> 1d:4d:82:13:91:49:4c:99:a8:4c:5d:30:e5:ab:9f:</div><div style="font-family:'tahoma' , sans-serif"> 5f:c6:63:d4:e0:45:e7:c5:6e:b9:45:3f:a8:73:92:</div><div style="font-family:'tahoma' , sans-serif"> ea:88:fc:ae:2b:16:d9:92:53:2e:f8:95:57:06:7e:</div><div style="font-family:'tahoma' , sans-serif"> 6b:cc:4c:53:ae:76:31:b1:f0:14:47:00:33:19:03:</div><div style="font-family:'tahoma' , sans-serif"> 24:34:90:df:f0:ca:93:c5:4c:4f:96:34:16:f3:c7:</div><div style="font-family:'tahoma' , sans-serif"> eb:b4:82:d9:67:10:f1:70:b2:b6:64:55:81:5e:b3:</div><div style="font-family:'tahoma' , sans-serif"> 70:4e:c1:05:b1:bc:65:2e:49:10:1d:30:1e:79:9e:</div><div 
style="font-family:'tahoma' , sans-serif"> a3:62:c5:c3:9f:06:5a:c9:34:36:af:14:2e:6a:23:</div><div style="font-family:'tahoma' , sans-serif"> f2:39:4f</div><div style="font-family:'tahoma' , sans-serif"> Exponent: 65537 (0x10001)</div><div style="font-family:'tahoma' , sans-serif"> X509v3 extensions:</div><div style="font-family:'tahoma' , sans-serif"> X509v3 Basic Constraints: critical</div><div style="font-family:'tahoma' , sans-serif"> CA:TRUE</div><div style="font-family:'tahoma' , sans-serif"> X509v3 Key Usage: critical</div><div style="font-family:'tahoma' , sans-serif"> Certificate Sign, CRL Sign</div><div style="font-family:'tahoma' , sans-serif"> X509v3 Subject Key Identifier:</div><div style="font-family:'tahoma' , sans-serif"> 92:3F:B1:C0:05:82:F8:11:B1:69:7E:9E:4F:B4:71:31:F0:AD:18:B7</div><div style="font-family:'tahoma' , sans-serif"> Signature Algorithm: sha384WithRSAEncryption</div><div style="font-family:'tahoma' , sans-serif"> 88:53:04:b1:a3:d7:7d:00:d6:f7:06:80:c5:c4:cb:f3:86:30:</div><div style="font-family:'tahoma' , sans-serif"> 43:54:11:f6:e8:4d:42:70:12:b9:5f:26:07:ab:7c:d1:48:b1:</div><div style="font-family:'tahoma' , sans-serif"> f7:d4:28:c8:f0:53:49:bc:c1:5b:71:45:bd:f1:3a:a2:06:c2:</div><div style="font-family:'tahoma' , sans-serif"> 38:08:c5:e7:d4:d4:51:19:9d:27:d2:f0:fa:71:8b:50:aa:cd:</div><div style="font-family:'tahoma' , sans-serif"> e3:00:96:a8:9c:f8:db:16:00:eb:6f:1f:3c:39:ee:1c:02:ac: ....</div><div style="font-family:'tahoma' , sans-serif"><b><i><br></i></b></div></div><div><b><i>On the client side</i></b> <br></div><br style="font-family:'arial' , 'helvetica' , sans-serif"><div><div><img src="cid:ii_jscbumqh0" alt="image.png" width="359" height="472"><br></div><div><br></div></div><div><span style="font-family:'arial' , 'helvetica' , sans-serif">- Checking actual error message from the client</span> </div><div style="font-family:'arial' , 'helvetica' , sans-serif"><img src="cid:ii_jscb2jig2" alt="image.png" width="375" 
height="210"><br></div><div style="font-family:'arial' , 'helvetica' , sans-serif"><br></div><div style="font-family:'arial' , 'helvetica' , sans-serif"><div style="font-family:'tahoma' , sans-serif">Client error log :</div><div style="font-family:'tahoma' , sans-serif"><br></div><div><font face="tahoma, sans-serif"><b><i>Information<span style="white-space:pre"> </span>2/20/2019 12:51:31 AM<span style="white-space:pre"> </span>RasClient<span style="white-space:pre"> </span>20221<span style="white-space:pre"> </span>None</i></b></font></div><div><font face="tahoma, sans-serif">CoId={E5273640-B6B0-4B4B-A0FF-8B5FC33EEDFB}: The user DESKTOP-ICV578Q\User has started dialing a VPN connection using a per-user connection profile named VPN Connection. The connection settings are: </font></div><div><font face="tahoma, sans-serif">Dial-in User = remoteprivate</font></div><div><font face="tahoma, sans-serif">VpnStrategy = IKEv2</font></div><div><font face="tahoma, sans-serif">DataEncryption = Requested</font></div><div><font face="tahoma, sans-serif">PrerequisiteEntry = </font></div><div><font face="tahoma, sans-serif">AutoLogon = No</font></div><div><font face="tahoma, sans-serif">UseRasCredentials = Yes</font></div><div><font face="tahoma, sans-serif">Authentication Type = EAP </font></div><div><font face="tahoma, sans-serif">Ipv4DefaultGateway = Yes</font></div><div><font face="tahoma, sans-serif">Ipv4AddressAssignment = By Server</font></div><div><font face="tahoma, sans-serif">Ipv4DNSServerAssignment = By Server</font></div><div><font face="tahoma, sans-serif">Ipv6DefaultGateway = Yes</font></div><div><font face="tahoma, sans-serif">Ipv6AddressAssignment = By Server</font></div><div><font face="tahoma, sans-serif">Ipv6DNSServerAssignment = By Server</font></div><div><font face="tahoma, sans-serif">IpDnsFlags = </font></div><div><font face="tahoma, sans-serif">IpNBTEnabled = Yes</font></div><div><font face="tahoma, sans-serif">UseFlags = Private 
Connection</font></div><div><font face="tahoma, sans-serif">ConnectOnWinlogon = No</font></div><div><font face="tahoma, sans-serif">Mobility enabled for IKEv2 = Yes.</font></div><div><font face="tahoma, sans-serif"><br></font></div><div><font face="tahoma, sans-serif"><b><i>Information<span style="white-space:pre"> </span>2/20/2019 12:51:31 AM<span style="white-space:pre"> </span>RasClient<span style="white-space:pre"> </span>20222<span style="white-space:pre"> </span>None</i></b></font></div><div><font face="tahoma, sans-serif">CoId={E5273640-B6B0-4B4B-A0FF-8B5FC33EEDFB}: The user DESKTOP-ICV578Q\User is trying to establish a link to the Remote Access Server for the connection named VPN Connection using the following device: </font></div><div><font face="tahoma, sans-serif">Server address/Phone Number = 102.129.249.173</font></div><div><font face="tahoma, sans-serif">Device = WAN Miniport (IKEv2)</font></div><div><font face="tahoma, sans-serif">Port = VPN2-1</font></div><div><font face="tahoma, sans-serif">MediaType = VPN.</font></div><div><font face="tahoma, sans-serif"><br></font></div><div><font face="tahoma, sans-serif"><b><i>Information<span style="white-space:pre"> </span>2/20/2019 12:51:31 AM<span style="white-space:pre"> </span>RasClient<span style="white-space:pre"> </span>20223<span style="white-space:pre"> </span>None</i></b></font></div><div><font face="tahoma, sans-serif">CoId={E5273640-B6B0-4B4B-A0FF-8B5FC33EEDFB}: The user DESKTOP-ICV578Q\User has successfully established a link to the Remote Access Server using the following device: </font></div><div><font face="tahoma, sans-serif">Server address/Phone Number = 102.129.249.173</font></div><div><font face="tahoma, sans-serif">Device = WAN Miniport (IKEv2)</font></div><div><font face="tahoma, sans-serif">Port = VPN2-1</font></div><div><font face="tahoma, sans-serif">MediaType = VPN.</font></div><div><font face="tahoma, sans-serif"><br></font></div><div><font face="tahoma, 
sans-serif"><b><i>Information<span style="white-space:pre"> </span>2/20/2019 12:51:31 AM<span style="white-space:pre"> </span>RasClient<span style="white-space:pre"> </span>20224<span style="white-space:pre"> </span>None</i></b></font></div><div><font face="tahoma, sans-serif">CoId={E5273640-B6B0-4B4B-A0FF-8B5FC33EEDFB}: The link to the Remote Access Server has been established by user DESKTOP-ICV578Q\User.</font></div><div><br></div><div><font face="tahoma, sans-serif"><b><i>Error<span style="white-space:pre"> </span>2/20/2019 12:51:32 AM<span style="white-space:pre"> </span>RasClient<span style="white-space:pre"> </span>20227<span style="white-space:pre"> </span>None</i></b></font></div><div><font face="tahoma, sans-serif">CoId={E5273640-B6B0-4B4B-A0FF-8B5FC33EEDFB}: The user DESKTOP-ICV578Q\User dialed a connection named VPN Connection which has failed. The error code returned on failure is 13801.</font><span style="font-family:'tahoma' , sans-serif"></span></div><br></div><div style="font-family:'arial' , 'helvetica' , sans-serif"><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[1126]: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[1126]: 06[IKE] remote host is behind NAT</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[1126]: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[1126]: 06[NET] sending packet: from 102.1*9.2**.***[500] to 154.77.***.**[500] (448 bytes)</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 05[NET] received packet: from 154.77.***.**[4500] to 102.1*9.2**.***[4500] (500 bytes)</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[1126]: 07[NET] received packet: from 154.77.***.**[4500] to 102.1*9.2**.***[4500] (580 
bytes)</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[1126]: 07[ENC] parsed IKE_AUTH request 1 [ EF(1/3) ]</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[1126]: 07[ENC] received fragment #1 of 3, waiting for complete IKE message</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 05[ENC] parsed IKE_AUTH request 1 [ EF(3/3) ]</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 05[ENC] received fragment #3 of 3, waiting for complete IKE message</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[NET] received packet: from 154.77.***.**[4500] to 102.1*9.2**.***[4500] (580 bytes)</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(2/3) ]</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[ENC] received fragment #2 of 3, reassembling fragmented IKE message</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[IKE] received 52 cert requests for an unknown ca</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[CFG] looking for peer configs matching 102.1*9.2**.***[%any]...154.77.***.**[192.168.43.156]</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[CFG] candidate "ikev2-vpn", match: 1/1/28 (me/other/ike)</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[CFG] selected peer config 'ikev2-vpn'</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[IKE] initiating EAP_IDENTITY method (id 0x00)</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[IKE] peer supports MOBIKE</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a 
charon: 08[IKE] authentication of '102.1*9.2**.***' (myself) with RSA signature successful</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[IKE] sending end entity cert "CN=102.1*9.2**.***"</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[ENC] splitting IKE message with length of 1904 bytes into 2 fragments</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[NET] sending packet: from 102.1*9.2**.***[4500] to 154.77.***.**[4500] (1236 bytes)</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[NET] sending packet: from 102.1*9.2**.***[4500] to 154.77.***.**[4500] (740 bytes)</div><div>Feb 20 01:14:28 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 10[JOB] deleting half open IKE_SA with 154.77.***.** after timeout</div><div><br></div></div><div style="font-family:'arial' , 'helvetica' , sans-serif"><br></div><div> <span style="font-family:'arial' , 'helvetica' , sans-serif">- Simplifying your setup to use PSK (pre-shared-keys) for authentication *for now*</span><font face="tahoma, sans-serif"> </font> </div><div> Will do that today.</div><br></div></div></div><br><div class="elided-text"><div dir="ltr">On Tue, Feb 19, 2019 at 7:51 PM Kostya Vasilyev <<a href="mailto:kman@fastmail.com">kman@fastmail.com</a>> wrote:<br></div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb( 204 , 204 , 204 );padding-left:1ex"><u></u>
<div><div>It would also help to know your actual Windows VPN settings including VPN Type.<br></div>
<div><br></div>
<div>I'm not much of a Windows person, but ....<br></div>
<div><br></div>
<div>This Cisco tutorial has nice screenshots under "Configure Windows 7 built-in client":<br></div>
<div><br></div>
<div><a href="https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/213246-asa-ikev2-ra-vpn-with-windows-7-or-andro.html">https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/213246-asa-ikev2-ra-vpn-with-windows-7-or-andro.html</a><br></div>
<div><br></div>
<div>In particular please see "step 10" near the end:<br></div>
<div><br></div>
<div><a href="https://www.cisco.com/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/213246-asa-ikev2-ra-vpn-with-windows-7-or-andro-50.png">https://www.cisco.com/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/213246-asa-ikev2-ra-vpn-with-windows-7-or-andro-50.png</a><br></div>
<div><br></div>
<div>If you have "automatic" as the VPN type, it would explain the client trying to use the OpenVPN / PPTP / L2TP ports which we're seeing ("UFW blocked" messages).<br></div>
<div><br></div>
<div>I believe you want IKEv2 as VPN type here.<br></div>
<div><br></div>
<div>If I'm wrong, hopefully someone more knowledgeable in Windows can correct me.<br></div>
<div><br></div>
<div>And here is a different tutorial about strongSwan and Windows - it has nice screenshots of how to properly configure Windows side (same screen as I linked above, basically, just a different presentation).<br></div>
<div><br></div>
<div><a href="https://docplayer.net/1323154-Vpn-with-windows-7-and-linux-strongswan-using-ikev2.html">https://docplayer.net/1323154-Vpn-with-windows-7-and-linux-strongswan-using-ikev2.html</a><br></div>
<div><br></div>
<div><div>--<br></div>
<div>Kostya Vasilyev<br></div>
<div><a href="mailto:kman@fastmail.com">kman@fastmail.com</a><br></div>
<div><br></div>
</div>
<div><br></div>
<div>On Tue, Feb 19, 2019, at 4:02 PM, MOSES KARIUKI wrote:<br></div>
<blockquote><div dir="ltr"><div style="font-family:'tahoma' , sans-serif">Thanks a lot. Let me load the Windows logs.<br></div>
</div>
<div><br></div>
<div><div dir="ltr">On Tue, Feb 19, 2019 at 4:00 PM Kostya Vasilyev <<a href="mailto:kman@fastmail.com">kman@fastmail.com</a>> wrote:<br></div>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb( 204 , 204 , 204 );padding-left:1ex"><div><u></u><br></div>
<div><div><br></div>
<div>On Tue, Feb 19, 2019, at 3:56 PM, MOSES KARIUKI wrote:<br></div>
<blockquote><div dir="ltr"><div dir="ltr"><div style="font-family:'tahoma' , sans-serif">Hello Vasilyev,<br></div>
<div style="font-family:'tahoma' , sans-serif"><br></div>
<div style="font-family:'tahoma' , sans-serif">I can't get this to work. <i>openssl -noout -text -in ca-key.pem. </i>I have tried Googling but this also gives nothing.<br></div>
<div style="font-family:'tahoma' , sans-serif"><i> </i><span style="background-color:transparent"><span style="color:inherit"><span style="font-family:'monaco' , 'menlo' , 'consolas' , 'courier new' , monospace"><span style="font-size:inherit">openssl x509 -noout -text -in </span></span></span></span>ca-key.pem<br></div>
<div style="font-family:'tahoma' , sans-serif"><br></div>
<div style="font-family:'tahoma' , sans-serif">Any ideas? Sorry, I am a newbie on this one.<br></div>
</div>
</div>
</blockquote><div><br></div>
<div>You want to do this with the certificate - not its key.<br></div>
<div><br></div>
<div>But like I said, it could be a red herring too - as Il Ka just wrote, it could be that the Windows client tries several protos including PPTP/GRE, L2TP and so on ...<br></div>
<div><br></div>
<div>... which is a reason to make sure that Windows is not trying to use some other protocol like PPTP or L2TP, and that you're not trying to use OpenVPN or some such.<br></div>
<div><br></div>
<div>Tom Rymes just suggested you check your Windows connection properties. I second this.<br></div>
<div><br></div>
<div>-- K<br></div>
<div><br></div>
<blockquote><div dir="ltr"><div dir="ltr"><div style="font-family:'tahoma' , sans-serif"><br></div>
</div>
</div>
<div><br></div>
<div><div dir="ltr">On Tue, Feb 19, 2019 at 12:40 PM Kostya Vasilyev <<a href="mailto:kman@fastmail.com">kman@fastmail.com</a>> wrote:<br></div>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb( 204 , 204 , 204 );padding-left:1ex"><div><br></div>
<div>On Tue, Feb 19, 2019, at 12:34 PM, IL Ka wrote:<br></div>
<div>> <br></div>
<div>> On Tue, Feb 19, 2019 at 8:48 AM Kostya Vasilyev <<a href="mailto:kman@fastmail.com">kman@fastmail.com</a>> wrote:<br></div>
<div>>> Looks like the connection is "almost there" but gets blocked by your firewall (UFW)<br></div>
<div>>> <br></div>
<div>>> Very end of your log:<br></div>
<div>>> <br></div>
<div>>> Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)<br></div>
<div>>> Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0<br></div>
<div>>> Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with 154.77.***.** after timeout<br></div>
<div>> <br></div>
<div>> <br></div>
<div>> DPT=443 looks like OpenVPN or HTTPS. <br></div>
<div>> IKE uses UDP/500 (or UDP/4500 in case of NAT).<br></div>
<div>> <br></div>
<div>> I am not sure this message is somehow connected to the problem.<br></div>
<div>> <br></div>
<div><br></div>
<div>Could be unrelated - good find on the EAP-Identity<br></div>
<div><br></div>
<div>But it could also be the client trying to fetch the CA certificate's CRL.<br></div>
<div><br></div>
<div>Moses can you check if your CA cert has a CRL?<br></div>
<div><br></div>
<div>openssl x509 -text -noout -in your_CA_cert<br></div>
<div><br></div>
<div>Is there a CRL? Is it an https:// link?<br></div>
<div><br></div>
<div> X509v3 CRL Distribution Points:<br></div>
<div><br></div>
<div> Full Name:<br></div>
<div> URI:https://......<br></div>
<div><br></div>
<div>-- K<br></div>
</blockquote></div>
</blockquote><div><br></div>
</div>
</blockquote></div>
</blockquote><div><br></div>
</div>
</blockquote></div>
</blockquote></div><br></div></div></div>
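<p>The two certificate questions raised in this thread, whether the CA cert carries a CRL distribution point (and whether it is an https:// URI that would need TCP/443 open) and whether the server cert's subjectAltName covers the address the Windows client dials, can be answered from the text that <code>openssl x509 -noout -text</code> prints. The script below is an added example and is not code from anyone in this thread. It assumes real openssl text output with its indentation intact (the dump pasted above lost its indentation in the mail), and it runs over a constructed server-certificate dump whose names, serial, dates and addresses are made up. The Windows built-in IKEv2 client requires the SAN to match the dialed address and the Server Authentication EKU to be present; both checks are included.</p>

```python
import re
from ipaddress import ip_address

# Constructed sample: what `openssl x509 -noout -text -in server-cert.pem`
# prints for a hypothetical VPN server certificate. Names, serial, dates and
# addresses are made up (192.0.2.10 is a documentation-range address).
SERVER_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = VPN root CA
        Validity
            Not Before: Feb 12 21:05:00 2019 GMT
            Not After : Feb 11 21:05:00 2021 GMT
        Subject: CN = vpn.example.test
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
            X509v3 Subject Alternative Name:
                DNS:vpn.example.test, IP Address:192.0.2.10
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:https://pki.example.test/vpn-ca.crl
    Signature Algorithm: sha256WithRSAEncryption
         de:ad:be:ef:00:11:22:33
"""

# Header line of one X509v3 extension, e.g. "X509v3 Key Usage: critical".
_EXT_HEADER = re.compile(r"^(\s*)X509v3 (?P<name>[^:]+):\s*(critical)?\s*$")


def extension_body(text, name):
    """Return the stripped lines indented under the named X509v3 extension,
    or None if the certificate does not carry that extension."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = _EXT_HEADER.match(line)
        if not m or m.group("name").strip() != name:
            continue
        indent = len(m.group(1))
        body = []
        for nxt in lines[i + 1:]:
            if not nxt.strip():          # blank line inside the block (CRL DP has one)
                continue
            if len(nxt) - len(nxt.lstrip()) <= indent:
                break                    # back at header depth: extension is over
            body.append(nxt.strip())
        return body
    return None


def _split_list(body):
    """'A, B' style extension bodies -> ['A', 'B']."""
    return [item.strip() for line in body for item in line.split(",") if item.strip()]


def parse_cert_text(text):
    """Pull out the fields the IKEv2 troubleshooting in this thread cares about."""
    subject = re.search(r"^\s*Subject: (.+)$", text, re.M)
    crl_body = extension_body(text, "CRL Distribution Points") or []
    return {
        "subject": subject.group(1).strip() if subject else "",
        "san": _split_list(extension_body(text, "Subject Alternative Name") or []),
        "eku": _split_list(extension_body(text, "Extended Key Usage") or []),
        "crl_uris": [l[len("URI:"):] for l in crl_body if l.startswith("URI:")],
    }


def check_vpn_server_cert(info, server_address):
    """Findings that make the Windows built-in IKEv2 client refuse the server
    certificate, plus the CRL-over-443 point raised in the thread."""
    findings = []
    # Windows matches the address it dials (IP or host name) against the SAN.
    try:
        ip_address(server_address)
        wanted = f"IP Address:{server_address}"
    except ValueError:
        wanted = f"DNS:{server_address}"
    if wanted not in info["san"]:
        findings.append(f"SAN {info['san']} does not contain {wanted}")
    # Windows also insists on the Server Authentication EKU.
    if "TLS Web Server Authentication" not in info["eku"]:
        findings.append("missing Server Authentication EKU (1.3.6.1.5.5.7.3.1)")
    # A CRL published over https:// needs TCP/443 open to the CA host; http:// is the norm.
    for uri in info["crl_uris"]:
        if uri.lower().startswith("https://"):
            findings.append(f"CRL distribution point uses https://: {uri}")
    return findings


if __name__ == "__main__":
    cert = parse_cert_text(SERVER_CERT_TEXT)
    for finding in check_vpn_server_cert(cert, "203.0.113.5") or ["no findings"]:
        print(finding)
```

<p>Feed it the output of <code>openssl x509 -noout -text -in server-cert.pem</code> and the address from the Windows connection's "Server address/Phone Number" field; a cert that lacks any SAN at all, as a CA cert normally does, simply reports that the SAN does not contain the address.</p>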
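<p>Read by hand, the charon excerpt quoted above shows the server finishing its half of IKE_AUTH (IDr, CERT, AUTH and the EAP identity request go out in two fragments) and the client never replying before the half-open IKE_SA is deleted, which is why it looks like a client-side authentication failure rather than a firewall problem. The script below is an added example, not code from anyone in this thread; it performs that reading over a constructed strongSwan log (made-up host name, 192.0.2.1 as server and 198.51.100.7 as client) and reports the last milestone reached. The milestone patterns follow charon's own log wording; the verdict texts are this example's own.</p>

```python
import re

# Constructed sample modelled on a strongSwan (charon) syslog excerpt. The host
# name and addresses (192.0.2.1 = VPN server, 198.51.100.7 = client) are made
# up; the message texts follow charon's own wording.
SAMPLE_LOG = """\
Feb 20 01:13:59 vpn charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 20 01:13:59 vpn charon: 06[IKE] remote host is behind NAT
Feb 20 01:13:59 vpn charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Feb 20 01:13:59 vpn charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS) SA TSi TSr ]
Feb 20 01:13:59 vpn charon: 08[IKE] received 52 cert requests for an unknown ca
Feb 20 01:13:59 vpn charon: 08[CFG] selected peer config 'ikev2-vpn'
Feb 20 01:13:59 vpn charon: 08[IKE] initiating EAP_IDENTITY method (id 0x00)
Feb 20 01:13:59 vpn charon: 08[IKE] authentication of '192.0.2.1' (myself) with RSA signature successful
Feb 20 01:13:59 vpn charon: 08[IKE] sending end entity cert "CN=192.0.2.1"
Feb 20 01:13:59 vpn charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Feb 20 01:13:59 vpn charon: 08[NET] sending packet: from 192.0.2.1[4500] to 198.51.100.7[4500] (1236 bytes)
Feb 20 01:14:28 vpn charon: 10[JOB] deleting half open IKE_SA with 198.51.100.7 after timeout
"""

# Handshake milestones as the responder (server) logs them, plus the two
# terminal outcomes.
MILESTONES = [
    ("init_request", r"parsed IKE_SA_INIT request"),
    ("init_response", r"generating IKE_SA_INIT response"),
    ("auth_request", r"parsed IKE_AUTH request"),
    ("auth_response", r"generating IKE_AUTH response"),
    ("established", r"IKE_SA .* established between"),
    ("timeout", r"deleting half open IKE_SA .* after timeout"),
]

# Side facts worth surfacing while reading the same lines.
NOTES = [
    (r"remote host is behind NAT",
     "client is behind NAT: after IKE_SA_INIT the exchange moves to UDP/4500"),
    (r"received \d+ cert requests for an unknown ca",
     "client sent CERTREQ payloads for CAs the server does not have; harmless by itself"),
    (r"initiating EAP_IDENTITY method",
     "server expects EAP from the client (matches 'Authentication Type = EAP' on Windows)"),
]

VERDICTS = {
    "none": "no IKE_SA_INIT request arrived: UDP/500 is not reaching charon (firewall or wrong server address)",
    "init_request": "IKE_SA_INIT received but never answered: look for 'no proposal chosen' or 'no matching peer config' lines",
    "init_response": "IKE_SA_INIT answered but no IKE_AUTH request followed: check UDP/4500 (NAT-T) through the firewall",
    "auth_request": "IKE_AUTH in progress or failed on the server side: read the lines after the last IKE_AUTH request",
    "auth_response": "server sent IDr/CERT/AUTH and its first EAP request, then the client went silent: the client rejected the server's identity or certificate (Windows reports error 13801 for this), or the fragmented response never reached it",
    "established": "IKE_SA established: if traffic still fails, look at the CHILD_SA and traffic selectors",
}


def milestones(log_text):
    """Milestone keys in the order they occur in the log."""
    seen = []
    for line in log_text.splitlines():
        for key, pattern in MILESTONES:
            if re.search(pattern, line):
                seen.append(key)
    return seen


def notes(log_text):
    """Distinct side facts found in the log, in order of first appearance."""
    found = []
    for line in log_text.splitlines():
        for pattern, note in NOTES:
            if re.search(pattern, line) and note not in found:
                found.append(note)
    return found


def diagnose(log_text):
    """Return (last stage reached, verdict) for one connection attempt."""
    seen = milestones(log_text)
    if "established" in seen:
        stage = "established"
    elif "init_request" not in seen:
        stage = "none"
    elif "init_response" not in seen:
        stage = "init_request"
    elif "auth_request" not in seen:
        stage = "init_response"
    else:
        last_req = max(i for i, k in enumerate(seen) if k == "auth_request")
        last_resp = max((i for i, k in enumerate(seen) if k == "auth_response"), default=-1)
        # Server answered the client's last IKE_AUTH and the SA then timed out:
        # the next move was the client's.
        stage = "auth_response" if "timeout" in seen and last_resp > last_req else "auth_request"
    return stage, VERDICTS[stage]


if __name__ == "__main__":
    stage, verdict = diagnose(SAMPLE_LOG)
    print(f"stalled after: {stage}\n{verdict}")
    for note in notes(SAMPLE_LOG):
        print(f"note: {note}")
```

<p>Run it on the lines for a single connection attempt (grep the client address out of syslog first); with several attempts interleaved, the "last" milestone logic would mix them up.</p>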