<div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif"></div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif">Dear Team,</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">Thanks for your very valuable reply. I have set up a Linux Client and I am able to connect. :)</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif"><b><u>On the client side :</u></b></div><div class="gmail_default"><div class="gmail_default" style="font-family:tahoma,sans-serif"><b><i>ipsec statusall</i></b></div><div class="gmail_default" style="font-family:tahoma,sans-serif">Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0, x86_64):</div><div class="gmail_default" style="font-family:tahoma,sans-serif"> uptime: 29 minutes, since Feb 20 17:55:09 2019</div><div class="gmail_default" style="font-family:tahoma,sans-serif"> malloc: sbrk 3256320, mmap 532480, used 1349136, free 1907184</div><div class="gmail_default" style="font-family:tahoma,sans-serif"> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2</div><div class="gmail_default" style="font-family:tahoma,sans-serif"> loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap 
eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters</div><div class="gmail_default" style="font-family:tahoma,sans-serif">Listening IP addresses:</div><div class="gmail_default" style="font-family:tahoma,sans-serif"> 185.135.*.**</div><div class="gmail_default" style="font-family:tahoma,sans-serif"> 2a03:a960:5:42a:8000::</div><div class="gmail_default" style="font-family:tahoma,sans-serif"> ::2</div><div class="gmail_default" style="font-family:tahoma,sans-serif">Connections:</div><div class="gmail_default" style="font-family:tahoma,sans-serif">ipsec-ikev2-vpn-client: %any...102.1*9.2**.*** IKEv1/2</div><div class="gmail_default" style="font-family:tahoma,sans-serif">ipsec-ikev2-vpn-client: local: [remoteprivate] uses EAP_MSCHAPV2 authentication with EAP identity '%any'</div><div class="gmail_default" style="font-family:tahoma,sans-serif">ipsec-ikev2-vpn-client: remote: [102.1*9.2**.***] uses public key authentication</div><div class="gmail_default" style="font-family:tahoma,sans-serif">ipsec-ikev2-vpn-client: child: dynamic === <a href="http://0.0.0.0/0">0.0.0.0/0</a> TUNNEL</div><div class="gmail_default" style="font-family:tahoma,sans-serif">Security Associations (1 up, 0 connecting):</div><div class="gmail_default" style="font-family:tahoma,sans-serif">ipsec-ikev2-vpn-client[1]: ESTABLISHED 29 minutes ago, 185.135.9.62[remoteprivate]...102.1*9.2**.***[102.1*9.2**.***]</div><div class="gmail_default" style="font-family:tahoma,sans-serif">ipsec-ikev2-vpn-client[1]: IKEv2 SPIs: 0338f500edc84652_i* 1ae30618408f64a4_r, EAP reauthentication in 2 hours</div><div class="gmail_default" style="font-family:tahoma,sans-serif">ipsec-ikev2-vpn-client[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048</div><div style="font-family:tahoma,sans-serif"><br></div><div><div><font face="tahoma, sans-serif"><b><i>hostname 
-I</i></b></font></div><div><font face="tahoma, sans-serif">127.0.0.1 185.135.*.** <i>10.10.10.1</i> 2a03:a960:5:42a:8000:: ::2</font></div></div><div><font face="tahoma, sans-serif"><br></font></div><div><font face="tahoma, sans-serif"><b><u>On the server : </u></b></font></div><div><font face="tahoma, sans-serif"><div>ipsec statusall</div><div>Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic, x86_64):</div><div> uptime: 21 hours, since Feb 19 23:58:30 2019</div><div> malloc: sbrk 3256320, mmap 532480, used 1645568, free 1610752</div><div> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1</div><div> loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters</div><div>Virtual IP pools (size/online/offline):</div><div> <a href="http://10.10.10.0/24">10.10.10.0/24</a>: 254/1/0</div><div>Listening IP addresses:</div><div> 102.1*9.2**.***<span style="font-family:Arial,Helvetica,sans-serif"></span></div></font><font face="tahoma, sans-serif"><div>Connections:</div><div> ikev2-vpn: %any...%any IKEv2, dpddelay=300s</div><div> ikev2-vpn: local: [
102.1*9.2**.*** ] uses public key authentication</div><div> ikev2-vpn: cert: "CN=
102.1*9.2**.***"</div><div> ikev2-vpn: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'</div><div> ikev2-vpn: child: <a href="http://0.0.0.0/0">0.0.0.0/0</a> === dynamic TUNNEL, dpdaction=clear</div><div>Security Associations (1 up, 0 connecting):</div><div> ikev2-vpn[21]: ESTABLISHED 41 minutes ago,
102.1*9.2**.***[
102.1*9.2**.***]...
185.135.*.** [remoteprivate]</div><div> ikev2-vpn[21]: IKEv2 SPIs: 0338f500edc84652_i 1ae30618408f64a4_r*, rekeying disabled</div><div> ikev2-vpn[21]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048</div><div><br></div></font></div><div><br></div><div><font face="tahoma, sans-serif">That said, how can I verify that the connection to the VPN client from the server works?</font></div><div><font face="tahoma, sans-serif"><br></font></div><div><font face="tahoma, sans-serif">Only issue now is to connect from Windows.</font></div><div><font face="tahoma, sans-serif"><br></font></div><div><font face="tahoma, sans-serif">Thanks,</font></div><div><font face="tahoma, sans-serif">Moses K</font></div><div><font face="tahoma, sans-serif"><br></font></div></div></div></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Feb 20, 2019 at 4:24 AM Kostya Vasilyev <<a href="mailto:kman@fastmail.com">kman@fastmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div>Ok looks to me like an auth error on the client (windows) I mean the error code <div dir="auto"><br></div><div dir="auto"><a href="https://social.technet.microsoft.com/Forums/ie/en-US/771bf5ec-7017-4fd3-9496-52137dfa616a/error-description-13801-ike-authentication-credentials-are-unacceptable" target="_blank">https://social.technet.microsoft.com/Forums/ie/en-US/771bf5ec-7017-4fd3-9496-52137dfa616a/error-description-13801-ike-authentication-credentials-are-unacceptable</a><br></div><div dir="auto"><br></div><div dir="auto">Also in your windows client settings screenshot you have EAP auth selected - did you mean to use machine certificate rather?</div><div dir="auto"><br></div><div dir="auto">The connection type there looks good as IKEv2. 
Did you just fix this?</div><div dir="auto"><br></div>The CA doesn't have a CRL link as I can see, so my theory about "ufw blocks port 443" looks wrong (and Il Ka's looks more likely).</div><div dir="auto"><br></div><div dir="auto">On the windows error code some possible causes have to do with the server certificate's subjectAltName - so you will want to dump the server cert the same way and examine that. </div><div dir="auto"><br></div><div dir="auto">But personally I'd still do PSK as a test, an easy way to be sure that everything else (except cert or eap auth) is working. </div><div dir="auto"><br></div><div dir="auto">Oh and you're still not allowing all traffic from client. </div><div dir="auto"><br></div><div dir="auto">ufw allow in from 154.77.***.** </div><div dir="auto"><br></div><div dir="auto">I'd do this as a test (and then either revert or tighten based on the results).</div><div dir="auto"><br></div><div dir="auto">-- K<br><div class="gmail_extra" dir="auto"><br><div class="gmail_quote">On 20 Feb 2019 at 
1:26, MOSES KARIUKI <<a href="mailto:kariukims@gmail.com" target="_blank">kariukims@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail-m_3554427959306019307quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div style="font-family:tahoma,sans-serif"><div><span style="font-family:arial,helvetica,sans-serif">Dear Users,</span></div><div><span style="font-family:arial,helvetica,sans-serif"><br></span></div><div><span style="font-family:arial,helvetica,sans-serif">Below were the suggestions:</span></div><div><span style="font-family:arial,helvetica,sans-serif">- Installing EAP-Identity support - Done</span><br style="font-family:arial,helvetica,sans-serif"><span style="font-family:arial,helvetica,sans-serif">- Setting UFW to allow all traffic from client</span></div><div><span style="font-family:arial,helvetica,sans-serif"> </span><span style="background-color:rgba(0,0,0,0.05);color:rgb(58,58,58);font-family:monospace;font-size:14px;white-space:pre-wrap">ufw allow 500,4500/udp</span></div><div> ufw allow in from 154.77.***.** proto gre<div> ufw allow in from 154.77.***.** proto ah</div><div> ufw allow in from 154.77.***.** proto esp</div><div><br></div><span style="font-family:arial,helvetica,sans-serif">- Checking if your server certificates have https:// CRLs</span></div><div style="font-family:arial,helvetica,sans-serif"><font face="tahoma, sans-serif"> </font><b><i><font face="trebuchet ms, sans-serif"> openssl x509 -noout -text -in ca-cert.pem</font></i></b><div style="font-family:tahoma,sans-serif">Certificate:</div><div style="font-family:tahoma,sans-serif"> Data:</div><div style="font-family:tahoma,sans-serif"> Version: 3 (0x2)</div><div style="font-family:tahoma,sans-serif"> Serial Number: 5360843625440499832 (0x4a658adfd6cc5878)</div><div style="font-family:tahoma,sans-serif"> Signature Algorithm: sha384WithRSAEncryption</div><div 
style="font-family:tahoma,sans-serif"> Issuer: CN = VPN root CA</div><div style="font-family:tahoma,sans-serif"> Validity</div><div style="font-family:tahoma,sans-serif"> Not Before: Feb 12 21:01:05 2019 GMT</div><div style="font-family:tahoma,sans-serif"> Not After : Feb 9 21:01:05 2029 GMT</div><div style="font-family:tahoma,sans-serif"> Subject: CN = VPN root CA</div><div style="font-family:tahoma,sans-serif"> Subject Public Key Info:</div><div style="font-family:tahoma,sans-serif"> Public Key Algorithm: rsaEncryption</div><div style="font-family:tahoma,sans-serif"> Public-Key: (4096 bit)</div><div style="font-family:tahoma,sans-serif"> Modulus:</div><div style="font-family:tahoma,sans-serif"> 00:c5:bb:cc:c2:90:92:b4:40:fa:12:7b:39:30:cb:</div><div style="font-family:tahoma,sans-serif"> e8:54:8f:09:59:38:f1:9e:52:6d:eb:a3:fc:e2:dd:</div><div style="font-family:tahoma,sans-serif"> a3:64:30:d4:20:0b:85:f7:09:fc:5b:8f:7f:eb:c6:</div><div style="font-family:tahoma,sans-serif"> 25:12:20:45:fb:1a:2c:2d:80:f7:d3:a9:3f:81:04:</div><div style="font-family:tahoma,sans-serif"> 27:80:e5:2c:87:ef:08:81:c7:b0:cf:fc:f2:e4:cb:</div><div style="font-family:tahoma,sans-serif"> 18:09:3a:a2:fe:2e:27:44:fd:9f:7f:3d:a7:ed:1c:</div><div style="font-family:tahoma,sans-serif"> d6:71:f6:e4:c2:c2:e3:fd:54:bd:31:fe:de:c7:1d:</div><div style="font-family:tahoma,sans-serif"> 52:ea:49:aa:48:0c:2d:46:b0:dc:fe:15:6d:8c:0f:</div><div style="font-family:tahoma,sans-serif"> 49:f0:af:b7:7c:62:d7:36:e9:34:20:3a:0e:04:4e:</div><div style="font-family:tahoma,sans-serif"> 73:ab:78:fe:bb:44:b5:22:ff:33:f4:60:3e:ab:36:</div><div style="font-family:tahoma,sans-serif"> 26:c3:bd:f0:9f:e4:04:eb:c2:2b:8f:cf:61:53:9c:</div><div style="font-family:tahoma,sans-serif"> 38:0e:ce:db:a0:5b:48:73:9f:fe:63:d1:02:05:59:</div><div style="font-family:tahoma,sans-serif"> 8b:64:7d:ab:2f:6f:b5:c6:55:78:24:ba:a3:0a:6b:</div><div style="font-family:tahoma,sans-serif"> cb:88:96:0d:56:c0:ea:17:58:1e:55:09:e2:17:61:</div><div 
style="font-family:tahoma,sans-serif"> 37:24:02:2a:96:39:5c:6d:b7:2a:6f:63:0d:d1:b0:</div><div style="font-family:tahoma,sans-serif"> 44:65:d8:28:97:c6:74:5c:af:b9:10:b7:ec:4c:0e:</div><div style="font-family:tahoma,sans-serif"> 2b:b2:6b:f5:39:89:53:d9:81:bd:2d:18:e8:1e:e5:</div><div style="font-family:tahoma,sans-serif"> a0:3b:76:d2:04:ee:92:00:a1:a7:e8:21:27:74:b6:</div><div style="font-family:tahoma,sans-serif"> e1:b5:77:7c:73:49:2f:cc:eb:54:04:29:c9:9a:3a:</div><div style="font-family:tahoma,sans-serif"> 75:34:5c:d0:f9:dd:5e:e9:76:69:25:c3:b0:d3:d6:</div><div style="font-family:tahoma,sans-serif"> 74:bc:a3:1d:07:18:67:7b:24:60:a1:88:9d:c6:f0:</div><div style="font-family:tahoma,sans-serif"> 7d:6a:e8:b1:e2:3e:a6:df:c7:1e:54:e9:8d:16:a2:</div><div style="font-family:tahoma,sans-serif"> be:60:91:e1:42:6e:50:18:0a:6f:4d:32:b3:df:17:</div><div style="font-family:tahoma,sans-serif"> 0d:e1:fa:3f:bf:d2:a6:3e:17:40:69:e9:d7:a0:da:</div><div style="font-family:tahoma,sans-serif"> 7f:2e:1f:dd:c2:88:e4:72:09:bd:c4:35:76:9d:3a:</div><div style="font-family:tahoma,sans-serif"> 1c:38:53:5f:13:12:28:10:0a:27:a3:69:5e:66:7a:</div><div style="font-family:tahoma,sans-serif"> 1d:4d:82:13:91:49:4c:99:a8:4c:5d:30:e5:ab:9f:</div><div style="font-family:tahoma,sans-serif"> 5f:c6:63:d4:e0:45:e7:c5:6e:b9:45:3f:a8:73:92:</div><div style="font-family:tahoma,sans-serif"> ea:88:fc:ae:2b:16:d9:92:53:2e:f8:95:57:06:7e:</div><div style="font-family:tahoma,sans-serif"> 6b:cc:4c:53:ae:76:31:b1:f0:14:47:00:33:19:03:</div><div style="font-family:tahoma,sans-serif"> 24:34:90:df:f0:ca:93:c5:4c:4f:96:34:16:f3:c7:</div><div style="font-family:tahoma,sans-serif"> eb:b4:82:d9:67:10:f1:70:b2:b6:64:55:81:5e:b3:</div><div style="font-family:tahoma,sans-serif"> 70:4e:c1:05:b1:bc:65:2e:49:10:1d:30:1e:79:9e:</div><div style="font-family:tahoma,sans-serif"> a3:62:c5:c3:9f:06:5a:c9:34:36:af:14:2e:6a:23:</div><div style="font-family:tahoma,sans-serif"> f2:39:4f</div><div style="font-family:tahoma,sans-serif"> 
Exponent: 65537 (0x10001)</div><div style="font-family:tahoma,sans-serif"> X509v3 extensions:</div><div style="font-family:tahoma,sans-serif"> X509v3 Basic Constraints: critical</div><div style="font-family:tahoma,sans-serif"> CA:TRUE</div><div style="font-family:tahoma,sans-serif"> X509v3 Key Usage: critical</div><div style="font-family:tahoma,sans-serif"> Certificate Sign, CRL Sign</div><div style="font-family:tahoma,sans-serif"> X509v3 Subject Key Identifier:</div><div style="font-family:tahoma,sans-serif"> 92:3F:B1:C0:05:82:F8:11:B1:69:7E:9E:4F:B4:71:31:F0:AD:18:B7</div><div style="font-family:tahoma,sans-serif"> Signature Algorithm: sha384WithRSAEncryption</div><div style="font-family:tahoma,sans-serif"> 88:53:04:b1:a3:d7:7d:00:d6:f7:06:80:c5:c4:cb:f3:86:30:</div><div style="font-family:tahoma,sans-serif"> 43:54:11:f6:e8:4d:42:70:12:b9:5f:26:07:ab:7c:d1:48:b1:</div><div style="font-family:tahoma,sans-serif"> f7:d4:28:c8:f0:53:49:bc:c1:5b:71:45:bd:f1:3a:a2:06:c2:</div><div style="font-family:tahoma,sans-serif"> 38:08:c5:e7:d4:d4:51:19:9d:27:d2:f0:fa:71:8b:50:aa:cd:</div><div style="font-family:tahoma,sans-serif"> e3:00:96:a8:9c:f8:db:16:00:eb:6f:1f:3c:39:ee:1c:02:ac: ....</div><div style="font-family:tahoma,sans-serif"><b><i><br></i></b></div></div><div><b><i>On the client side</i></b> <br></div><br style="font-family:arial,helvetica,sans-serif"><div><div><img alt="image.png" width="359" height="472"><br></div><div><br></div></div><div><span style="font-family:arial,helvetica,sans-serif">- Checking actual error message from the client</span> </div><div style="font-family:arial,helvetica,sans-serif"><img alt="image.png" width="375" height="210"><br></div><div style="font-family:arial,helvetica,sans-serif"><br></div><div style="font-family:arial,helvetica,sans-serif"><div style="font-family:tahoma,sans-serif">Client error log :</div><div style="font-family:tahoma,sans-serif"><br></div><div><font face="tahoma, sans-serif"><b><i>Information<span 
style="white-space:pre-wrap"> </span>2/20/2019 12:51:31 AM<span style="white-space:pre-wrap"> </span>RasClient<span style="white-space:pre-wrap"> </span>20221<span style="white-space:pre-wrap"> </span>None</i></b></font></div><div><font face="tahoma, sans-serif">CoId={E5273640-B6B0-4B4B-A0FF-8B5FC33EEDFB}: The user DESKTOP-ICV578Q\User has started dialing a VPN connection using a per-user connection profile named VPN Connection. The connection settings are: </font></div><div><font face="tahoma, sans-serif">Dial-in User = remoteprivate</font></div><div><font face="tahoma, sans-serif">VpnStrategy = IKEv2</font></div><div><font face="tahoma, sans-serif">DataEncryption = Requested</font></div><div><font face="tahoma, sans-serif">PrerequisiteEntry = </font></div><div><font face="tahoma, sans-serif">AutoLogon = No</font></div><div><font face="tahoma, sans-serif">UseRasCredentials = Yes</font></div><div><font face="tahoma, sans-serif">Authentication Type = EAP </font></div><div><font face="tahoma, sans-serif">Ipv4DefaultGateway = Yes</font></div><div><font face="tahoma, sans-serif">Ipv4AddressAssignment = By Server</font></div><div><font face="tahoma, sans-serif">Ipv4DNSServerAssignment = By Server</font></div><div><font face="tahoma, sans-serif">Ipv6DefaultGateway = Yes</font></div><div><font face="tahoma, sans-serif">Ipv6AddressAssignment = By Server</font></div><div><font face="tahoma, sans-serif">Ipv6DNSServerAssignment = By Server</font></div><div><font face="tahoma, sans-serif">IpDnsFlags = </font></div><div><font face="tahoma, sans-serif">IpNBTEnabled = Yes</font></div><div><font face="tahoma, sans-serif">UseFlags = Private Connection</font></div><div><font face="tahoma, sans-serif">ConnectOnWinlogon = No</font></div><div><font face="tahoma, sans-serif">Mobility enabled for IKEv2 = Yes.</font></div><div><font face="tahoma, sans-serif"><br></font></div><div><font face="tahoma, sans-serif"><b><i>Information<span style="white-space:pre-wrap"> </span>2/20/2019 12:51:31 
AM<span style="white-space:pre-wrap"> </span>RasClient<span style="white-space:pre-wrap"> </span>20222<span style="white-space:pre-wrap"> </span>None</i></b></font></div><div><font face="tahoma, sans-serif">CoId={E5273640-B6B0-4B4B-A0FF-8B5FC33EEDFB}: The user DESKTOP-ICV578Q\User is trying to establish a link to the Remote Access Server for the connection named VPN Connection using the following device: </font></div><div><font face="tahoma, sans-serif">Server address/Phone Number = 102.129.249.173</font></div><div><font face="tahoma, sans-serif">Device = WAN Miniport (IKEv2)</font></div><div><font face="tahoma, sans-serif">Port = VPN2-1</font></div><div><font face="tahoma, sans-serif">MediaType = VPN.</font></div><div><font face="tahoma, sans-serif"><br></font></div><div><font face="tahoma, sans-serif"><b><i>Information<span style="white-space:pre-wrap"> </span>2/20/2019 12:51:31 AM<span style="white-space:pre-wrap"> </span>RasClient<span style="white-space:pre-wrap"> </span>20223<span style="white-space:pre-wrap"> </span>None</i></b></font></div><div><font face="tahoma, sans-serif">CoId={E5273640-B6B0-4B4B-A0FF-8B5FC33EEDFB}: The user DESKTOP-ICV578Q\User has successfully established a link to the Remote Access Server using the following device: </font></div><div><font face="tahoma, sans-serif">Server address/Phone Number = 102.129.249.173</font></div><div><font face="tahoma, sans-serif">Device = WAN Miniport (IKEv2)</font></div><div><font face="tahoma, sans-serif">Port = VPN2-1</font></div><div><font face="tahoma, sans-serif">MediaType = VPN.</font></div><div><font face="tahoma, sans-serif"><br></font></div><div><font face="tahoma, sans-serif"><b><i>Information<span style="white-space:pre-wrap"> </span>2/20/2019 12:51:31 AM<span style="white-space:pre-wrap"> </span>RasClient<span style="white-space:pre-wrap"> </span>20224<span style="white-space:pre-wrap"> </span>None</i></b></font></div><div><font face="tahoma, 
sans-serif">CoId={E5273640-B6B0-4B4B-A0FF-8B5FC33EEDFB}: The link to the Remote Access Server has been established by user DESKTOP-ICV578Q\User.</font></div><div><br></div><div><font face="tahoma, sans-serif"><b><i>Error<span style="white-space:pre-wrap"> </span>2/20/2019 12:51:32 AM<span style="white-space:pre-wrap"> </span>RasClient<span style="white-space:pre-wrap"> </span>20227<span style="white-space:pre-wrap"> </span>None</i></b></font></div><div><font face="tahoma, sans-serif">CoId={E5273640-B6B0-4B4B-A0FF-8B5FC33EEDFB}: The user DESKTOP-ICV578Q\User dialed a connection named VPN Connection which has failed. The error code returned on failure is 13801.</font><span style="font-family:tahoma,sans-serif"></span></div><br></div><div style="font-family:arial,helvetica,sans-serif"><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[1126]: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[1126]: 06[IKE] remote host is behind NAT</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[1126]: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[1126]: 06[NET] sending packet: from 102.1*9.2**.***[500] to 154.77.***.**[500] (448 bytes)</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 05[NET] received packet: from 154.77.***.**[4500] to 102.1*9.2**.***[4500] (500 bytes)</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[1126]: 07[NET] received packet: from 154.77.***.**[4500] to 102.1*9.2**.***[4500] (580 bytes)</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[1126]: 07[ENC] parsed IKE_AUTH request 1 [ EF(1/3) ]</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[1126]: 07[ENC] received fragment #1 of 3, waiting for 
complete IKE message</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 05[ENC] parsed IKE_AUTH request 1 [ EF(3/3) ]</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 05[ENC] received fragment #3 of 3, waiting for complete IKE message</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[NET] received packet: from 154.77.***.**[4500] to 102.1*9.2**.***[4500] (580 bytes)</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(2/3) ]</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[ENC] received fragment #2 of 3, reassembling fragmented IKE message</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[IKE] received 52 cert requests for an unknown ca</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[CFG] looking for peer configs matching 102.1*9.2**.***[%any]...154.77.***.**[192.168.43.156]</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[CFG] candidate "ikev2-vpn", match: 1/1/28 (me/other/ike)</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[CFG] selected peer config 'ikev2-vpn'</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[IKE] initiating EAP_IDENTITY method (id 0x00)</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[IKE] peer supports MOBIKE</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[IKE] authentication of '102.1*9.2**.***' (myself) with RSA signature successful</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[IKE] sending end entity cert "CN=102.1*9.2**.***"</div><div>Feb 20 01:13:59 
VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[ENC] splitting IKE message with length of 1904 bytes into 2 fragments</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[NET] sending packet: from 102.1*9.2**.***[4500] to 154.77.***.**[4500] (1236 bytes)</div><div>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[NET] sending packet: from 102.1*9.2**.***[4500] to 154.77.***.**[4500] (740 bytes)</div><div>Feb 20 01:14:28 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 10[JOB] deleting half open IKE_SA with 154.77.***.** after timeout</div><div><br></div></div><div style="font-family:arial,helvetica,sans-serif"><br></div><div> <span style="font-family:arial,helvetica,sans-serif">- Simplifying your setup to use PSK (pre-shared-keys) for authentication *for now*</span><font face="tahoma, sans-serif"> </font> </div><div> Will do that today.</div><br></div></div></div><br><div class="gmail-m_3554427959306019307elided-text"><div dir="ltr">On Tue, Feb 19, 2019 at 7:51 PM Kostya Vasilyev <<a href="mailto:kman@fastmail.com" target="_blank">kman@fastmail.com</a>> wrote:<br></div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><u></u>
<div><div>It would also help to know your actual Windows VPN settings including VPN Type.<br></div>
<div><br></div>
<div>I'm not much of a Windows person, but ....<br></div>
<div><br></div>
<div>This Cisco tutorial has nice screenshots under "Configure Windows 7 built-in client":<br></div>
<div><br></div>
<div><a href="https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/213246-asa-ikev2-ra-vpn-with-windows-7-or-andro.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/213246-asa-ikev2-ra-vpn-with-windows-7-or-andro.html</a><br></div>
<div><br></div>
<div>In particular please see "step 10" near the end:<br></div>
<div><br></div>
<div><a href="https://www.cisco.com/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/213246-asa-ikev2-ra-vpn-with-windows-7-or-andro-50.png" target="_blank">https://www.cisco.com/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/213246-asa-ikev2-ra-vpn-with-windows-7-or-andro-50.png</a><br></div>
<div><br></div>
<div>If you have "automatic" as VPN type - it would explain the client trying to use OpenVPN / PPTP / L2TP ports which we're seeing ("UFW blocked" messages).<br></div>
<div><br></div>
<div>I believe you want IKEv2 as VPN type here.<br></div>
<div><br></div>
<div>If I'm wrong, hopefully someone more knowledgeable in Windows can correct me.<br></div>
<div><br></div>
<div>And here is a different tutorial about strongSwan and Windows - it has nice screenshots of how to properly configure Windows side (same screen as I linked above, basically, just a different presentation).<br></div>
<div><br></div>
<div><a href="https://docplayer.net/1323154-Vpn-with-windows-7-and-linux-strongswan-using-ikev2.html" target="_blank">https://docplayer.net/1323154-Vpn-with-windows-7-and-linux-strongswan-using-ikev2.html</a><br></div>
<div><br></div>
<div><div>--<br></div>
<div>Kostya Vasilyev<br></div>
<div><a href="mailto:kman@fastmail.com" target="_blank">kman@fastmail.com</a><br></div>
<div><br></div>
</div>
<div><br></div>
<div>On Tue, Feb 19, 2019, at 4:02 PM, MOSES KARIUKI wrote:<br></div>
<blockquote><div dir="ltr"><div style="font-family:tahoma,sans-serif">Thanks a lot. Let me load the Windows logs.<br></div>
</div>
<div><br></div>
<div><div dir="ltr">On Tue, Feb 19, 2019 at 4:00 PM Kostya Vasilyev <<a href="mailto:kman@fastmail.com" target="_blank">kman@fastmail.com</a>> wrote:<br></div>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><u></u><br></div>
<div><div><br></div>
<div>On Tue, Feb 19, 2019, at 3:56 PM, MOSES KARIUKI wrote:<br></div>
<blockquote><div dir="ltr"><div dir="ltr"><div style="font-family:tahoma,sans-serif">Hello Vasilyev,<br></div>
<div style="font-family:tahoma,sans-serif"><br></div>
<div style="font-family:tahoma,sans-serif">I can't get this to work. <i>openssl -noout -text -in ca-key.pem. </i>I have tried Googling but this also gives nothing.<br></div>
<div style="font-family:tahoma,sans-serif"><i> </i><span style="background-color:transparent"><span style="color:inherit"><span style="font-family:monaco,menlo,consolas,"courier new",monospace"><span style="font-size:inherit">openssl x509 -noout -text -in </span></span></span></span>ca-key.pem<br></div>
<div style="font-family:tahoma,sans-serif"><br></div>
<div style="font-family:tahoma,sans-serif">Any ideas? Sorry, I am a newbie on this one.<br></div>
</div>
</div>
</blockquote><div><br></div>
<div>You want to do this with the certificate - not its key.<br></div>
<div><br></div>
<div>But like I said it could be a red herring too - as Il Ka just wrote, it could be that the Windows client tries several protos including PPTP/GRE, L2TP and so on ...<br></div>
<div><br></div>
<div>... which is a reason to make sure that Windows is not trying to use some other protocol like PPTP or L2TP, and that you're not trying to use OpenVPN or some such.<br></div>
<div><br></div>
<div>Tom Rymes just suggested you check your Windows connection properties. I second this.<br></div>
<div><br></div>
<div>-- K<br></div>
<div><br></div>
<blockquote><div dir="ltr"><div dir="ltr"><div style="font-family:tahoma,sans-serif"><br></div>
</div>
</div>
<div><br></div>
<div><div dir="ltr">On Tue, Feb 19, 2019 at 12:40 PM Kostya Vasilyev <<a href="mailto:kman@fastmail.com" target="_blank">kman@fastmail.com</a>> wrote:<br></div>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><br></div>
<div>On Tue, Feb 19, 2019, at 12:34 PM, IL Ka wrote:<br></div>
<div>> <br></div>
<div>> On Tue, Feb 19, 2019 at 8:48 AM Kostya Vasilyev <<a href="mailto:kman@fastmail.com" target="_blank">kman@fastmail.com</a>> wrote:<br></div>
<div>>> Looks like the connection is "almost there" but gets blocked by your firewall (UFW)<br></div>
<div>>> <br></div>
<div>>> Very end of your log:<br></div>
<div>>> <br></div>
<div>>> Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)<br></div>
<div>>> Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0<br></div>
<div>>> Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with 154.77.***.** after timeout<br></div>
<div>> <br></div>
<div>> <br></div>
<div>> DPT=443 looks like OpenVPN or HTTPS. <br></div>
<div>> IKE uses UDP/500 (or UDP/4500 in case of NAT).<br></div>
<div>> <br></div>
<div>> I am not sure this message is somehow connected to the problem.<br></div>
<div>> <br></div>
<div><br></div>
<div>Could be unrelated - good find on the EAP-Identity<br></div>
<div><br></div>
<div>But it could also be the client trying to fetch the CA certificate's CRL.<br></div>
<div><br></div>
<div>Moses can you check if your CA cert has a CRL?<br></div>
<div><br></div>
<div>openssl -text -noout -in your_CA_cert<br></div>
<div><br></div>
<div>Is there a CRL? Is it an https:// link?<br></div>
<div><br></div>
<div> X509v3 CRL Distribution Points:<br></div>
<div><br></div>
<div> Full Name:<br></div>
<div> URI:https://......<br></div>
<div><br></div>
<div>-- K<br></div>
</blockquote></div>
</blockquote><div><br></div>
</div>
</blockquote></div>
</blockquote><div><br></div>
</div>
</blockquote></div>
</blockquote></div><br></div></div></div></blockquote></div>
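As an added example for this thread (not code from strongSwan, Microsoft or any of the posters), a Python triage of the charon excerpt quoted above: it separates the TCP/443 ufw drop IL Ka noted from drops that would actually hit IKE/IPsec traffic, and flags the pattern in the quoted log where the server authenticates itself, sends EAP/REQ/ID and then deletes the half-open IKE_SA because the client never answered. The sample lines are constructed from the quoted log with the same masked addresses.

```python
"""Triage of a strongSwan charon log excerpt for a remote-access IKEv2/EAP
client that fails to connect.  Added example for this thread, not code from
strongSwan, Microsoft or any poster; the sample lines are constructed from
the excerpt quoted in the thread, with addresses masked as they were there."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# charon messages marking each stage of the exchange (message formats as
# they appear in the quoted log).
RE_PEER = re.compile(r"looking for peer configs matching \S+\[[^\]]*\]\.\.\.([^\[\s]+)\[")
RE_AUTH_OK = re.compile(r"authentication of '[^']+' \(myself\) with .+ successful")
RE_EAP_REQ = re.compile(r"generating IKE_AUTH response \d+ \[.*EAP/REQ/ID.*\]")
RE_EAP_RES = re.compile(r"parsed IKE_AUTH request \d+ \[.*EAP/RES.*\]")
RE_HALF_OPEN = re.compile(r"deleting half open IKE_SA with (\S+) after timeout")
# ufw/netfilter drop line; DPT is absent for protocols without ports (ESP, AH)
RE_UFW_BLOCK = re.compile(r"\[UFW BLOCK\].*?SRC=(\S+).*?PROTO=(\S+)(?:.*?DPT=(\d+))?")

# IKE needs UDP/500 and UDP/4500 (NAT-T); ESP/AH only matter without NAT-T.
IKE_PORTS = {("UDP", "500"), ("UDP", "4500")}
IPSEC_PROTOS = {"ESP", "AH"}


@dataclass
class Triage:
    peer: Optional[str] = None
    server_auth_ok: bool = False          # server proved its identity (RSA signature)
    eap_identity_requested: bool = False  # server sent EAP/REQ/ID to the client
    eap_identity_answered: bool = False   # client sent any EAP/RES back
    half_open_timeout: bool = False       # IKE_SA deleted for lack of a reply
    ipsec_blocks: List[str] = field(default_factory=list)  # drops hitting IKE/IPsec
    other_blocks: List[str] = field(default_factory=list)  # drops on anything else

    def verdict(self) -> str:
        if self.ipsec_blocks:
            return "firewall-blocks-ipsec"
        if (self.server_auth_ok and self.eap_identity_requested
                and not self.eap_identity_answered and self.half_open_timeout):
            return "client-rejected-server-auth"
        if self.eap_identity_answered:
            return "eap-in-progress"
        return "inconclusive"


EXPLANATION = {
    "firewall-blocks-ipsec": (
        "ufw dropped IKE or IPsec traffic from the peer; allow UDP/500 and "
        "UDP/4500 (and ESP/AH when NAT-T is not in use) from it."),
    "client-rejected-server-auth": (
        "The server authenticated itself and sent EAP/REQ/ID, but the client "
        "never answered and the half-open IKE_SA timed out. The client declined "
        "the server's authentication, which is consistent with Windows error "
        "13801 (IKE authentication credentials are unacceptable): check that the "
        "client trusts the CA and that the server certificate's subjectAltName "
        "matches the address the client dials."),
    "eap-in-progress": ("The client answered the EAP identity request; inspect "
                        "the EAP_MSCHAPV2 messages that follow."),
    "inconclusive": "No recognised failure pattern in this excerpt.",
}


def triage(lines: List[str]) -> Triage:
    """Scan charon/kernel log lines in order and record the stages reached."""
    t = Triage()
    for line in lines:
        m = RE_PEER.search(line)
        if m:
            t.peer = m.group(1)
        if RE_AUTH_OK.search(line):
            t.server_auth_ok = True
        if RE_EAP_REQ.search(line):
            t.eap_identity_requested = True
        if RE_EAP_RES.search(line):
            t.eap_identity_answered = True
        if RE_HALF_OPEN.search(line):
            t.half_open_timeout = True
        m = RE_UFW_BLOCK.search(line)
        if m:
            src, proto, dport = m.groups()
            desc = f"{src} {proto}/{dport or '-'}"
            if (proto, dport) in IKE_PORTS or proto in IPSEC_PROTOS:
                t.ipsec_blocks.append(desc)
            else:
                t.other_blocks.append(desc)
    return t


def explain(t: Triage) -> str:
    return EXPLANATION[t.verdict()]


# Constructed sample: charon lines quoted in the thread (host prefix dropped)
# plus the [UFW BLOCK] line from the earlier message.
SAMPLE_LOG = """\
charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
charon: 08[IKE] received 52 cert requests for an unknown ca
charon: 08[CFG] looking for peer configs matching 102.1*9.2**.***[%any]...154.77.***.**[192.168.43.156]
charon: 08[CFG] selected peer config 'ikev2-vpn'
charon: 08[IKE] initiating EAP_IDENTITY method (id 0x00)
charon: 08[IKE] authentication of '102.1*9.2**.***' (myself) with RSA signature successful
charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
charon: 08[NET] sending packet: from 102.1*9.2**.***[4500] to 154.77.***.**[4500] (1236 bytes)
kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
charon: 10[JOB] deleting half open IKE_SA with 154.77.***.** after timeout
""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result.verdict(), "peer:", result.peer, "other drops:", result.other_blocks)
    print(explain(result))
```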