<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
<META content="MSHTML 6.00.2800.1555" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>No, I meant a different thing. You need to learn a
little bit about PKI structure as a whole and PKI structure in strongSwan
particularly, I think. Windows <STRONG>requires</STRONG> the right installed
infrastructure.</FONT></DIV>
<DIV><FONT face=Arial size=2>So, again, a CA cert is <STRONG>not</STRONG> enough
to make Windows work with the VPN.</FONT></DIV>
<DIV><FONT face=Arial size=2>1. The CA cert You issued is only the first
step.</FONT></DIV>
<DIV><FONT face=Arial size=2>2. You have to issue server and client certs signed
by Your CA made in step 1.</FONT></DIV>
<DIV><FONT face=Arial size=2>3. Put Your CA, server key and server cert on the
server in the appropriate folders.</FONT></DIV>
<DIV><FONT face=Arial size=2>4. Make a .p12 file with Your CA cert, client
key and client cert, put it on Your Windows machine and import all that
stuff into the computer account.</FONT></DIV>
<DIV><FONT face=Arial size=2>And please read the certificate requirements for
strongSwan and Windows before issuing server and client certs; You can find
them on strongswan.org.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
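<DIV><FONT face=Arial size=2>An added example (not code from this thread or from the strongSwan project) that runs the four steps above with openssl: CA, server and client certs, then the .p12 for the Windows computer store. It also checks the two server-certificate properties the strongSwan notes for Windows clients require, a subjectAltName equal to the address the client dials and the serverAuth EKU; a server cert missing either is the usual reason a Windows client drops the IKE_AUTH response with RasClient error 13801 (IKE authentication credentials are unacceptable). The host name vpn.example.com, the client name client1, the output directory and the passphrase are placeholders.</FONT></DIV>

```shell
#!/bin/sh
# Added example, not code from the thread or the strongSwan project: builds the
# CA, server and client certificates from the reply above with openssl and
# packs the client side into a .p12 for import on the Windows machine.
# Assumptions (hypothetical): vpn.example.com, "client1", the output directory
# and the passphrase are placeholders; pick real values when running it.
set -eu

san_for() {
  # Windows checks the server identity against subjectAltName, so the SAN has
  # to carry exactly the name or IP the client types into "Internet address".
  case "$1" in
    *[!0-9.]*) echo "DNS:$1" ;;   # anything but digits and dots: a host name
    *)         echo "IP:$1"  ;;
  esac
}

write_extensions() {
  # $1 = output dir, $2 = SAN for the server, $3 = client name.
  # [req]/[dn] keep "openssl req" independent of the system openssl.cnf.
  # The CA profile mirrors the dump quoted in the thread (CA:TRUE, Certificate
  # Sign / CRL Sign); the server profile carries the serverAuth EKU.
  cat > "$1/ext.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $2
[client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = email:$3@example.com
EOF
}

issue_cert() {
  # $1 = dir, $2 = file base name, $3 = subject CN, $4 = extension profile.
  # Step 2 of the reply: key + CSR, signed by the CA made in step 1.
  openssl genrsa -out "$1/$2-key.pem" 2048 2>/dev/null
  openssl req -new -config "$1/ext.cnf" -key "$1/$2-key.pem" -subj "/CN=$3" -out "$1/$2.csr"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" \
    -CAcreateserial -sha256 -days 825 -extfile "$1/ext.cnf" -extensions "$4" \
    -out "$1/$2-cert.pem" 2>/dev/null
}

build_pki() {
  # $1 = VPN host or IP, $2 = client name, $3 = output dir, $4 = .p12 passphrase.
  host="$1"; client="$2"; dir="$3"; p12pass="$4"
  mkdir -p "$dir"
  write_extensions "$dir" "$(san_for "$host")" "$client"

  # Step 1: a self-signed 4096-bit root CA, like "VPN root CA" in the thread.
  openssl genrsa -out "$dir/ca-key.pem" 4096 2>/dev/null
  openssl req -new -config "$dir/ext.cnf" -key "$dir/ca-key.pem" -subj "/CN=VPN root CA" -out "$dir/ca.csr"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca-key.pem" -sha384 -days 3650 \
    -extfile "$dir/ext.cnf" -extensions ca -out "$dir/ca-cert.pem" 2>/dev/null

  # Step 2: server cert (CN and SAN = the dialed address) and a client cert.
  issue_cert "$dir" server "$host" server
  issue_cert "$dir" "$client" "$client" client

  # Step 4: CA cert + client key + client cert in one .p12. SHA-1/3DES is the
  # PKCS#12 encoding every Windows build imports; OpenSSL 3 defaults to
  # AES/PBKDF2, which older Windows 10 releases refuse to import.
  openssl pkcs12 -export -name "$client" -inkey "$dir/$client-key.pem" \
    -in "$dir/$client-cert.pem" -certfile "$dir/ca-cert.pem" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$p12pass" -out "$dir/$client.p12"
}

verify_server_cert() {
  # $1 = dir, $2 = VPN host. Fails unless the server cert chains to the CA,
  # names the dialed address in its SAN and carries the serverAuth EKU.
  openssl verify -CAfile "$1/ca-cert.pem" "$1/server-cert.pem" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -noout -text -in "$1/server-cert.pem")
  echo "$text" | grep -q "Subject Alternative Name" || return 1
  echo "$text" | grep -q "$2" || return 1
  echo "$text" | grep -q "TLS Web Server Authentication" || return 1
}

# Usage: sh vpn-pki.sh <vpn host or IP> <client name> <out dir> <p12 passphrase>
if [ $# -eq 4 ]; then
  build_pki "$@"
  verify_server_cert "$3" "$1" && echo "server cert OK for $1; import $3/$2.p12 on Windows"
fi
```

The server-side files (ca-cert.pem, server-cert.pem, server-key.pem) go into strongSwan's cert directories for step 3; the client's .p12 is imported under the computer account, not the user account, as the quoted Windows instructions describe.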
<BLOCKQUOTE dir=ltr
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B> <A
title=kariukims@gmail.com href="mailto:kariukims@gmail.com">MOSES KARIUKI</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=p_port@mail.ru
href="mailto:p_port@mail.ru">Yuri</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> February 20, 2019
13:47</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [strongSwan] Strongswan on
Ubuntu - Failure to connect from Windows 10 client -error: deleting half open
IKE_SA with 154.**.***.** after timeout</DIV>
<DIV><BR></DIV>
<DIV dir=ltr>
<DIV dir=ltr>
<DIV dir=ltr>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">Dear
Yuri,</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif"><BR></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif">I already installed
the </FONT><SPAN
style="FONT-SIZE: 14px; COLOR: rgb(58,58,58); FONT-FAMILY: monospace; WHITE-SPACE: pre">ca-cert.pem
</SPAN><SPAN style="FONT-FAMILY: tahoma,sans-serif"> certificate
under </SPAN><FONT face="tahoma, sans-serif"><B>Trusted Root
Certification Authorities</B></FONT><SPAN
style="FONT-WEIGHT: 600; FONT-SIZE: 16px; COLOR: rgb(0,0,0); FONT-FAMILY: proxima-nova,sans-serif; box-sizing: border-box"> </SPAN><SPAN
style="FONT-FAMILY: tahoma,sans-serif">and under the <B>Personal </B>folder.
Is this what you meant?</SPAN></DIV>
<DIV class=gmail_default><SPAN
style="FONT-FAMILY: tahoma,sans-serif"><BR></SPAN></DIV>
<DIV class=gmail_default><SPAN style="FONT-FAMILY: tahoma,sans-serif">Below
are the instructions that I followed. </SPAN></DIV>
<DIV class=gmail_default>
<H3 id=gmail-connecting-from-windows
style="PADDING-RIGHT: 0px; PADDING-LEFT: 0px; FONT-SIZE: 22px; PADDING-BOTTOM: 0px; MARGIN: 14px auto 11px; WIDTH: 745px; COLOR: rgb(58,58,58); PADDING-TOP: 0px; FONT-FAMILY: proxima-nova,sans-serif; LETTER-SPACING: 0em; box-sizing: border-box">Connecting
from Windows</H3>
<P
style="PADDING-RIGHT: 0px; PADDING-LEFT: 0px; FONT-SIZE: 16px; PADDING-BOTTOM: 0px; MARGIN: 0px auto 22px; WIDTH: 745px; COLOR: rgb(0,0,0); PADDING-TOP: 0px; FONT-FAMILY: proxima-nova,sans-serif; box-sizing: border-box">First,
import the root certificate by following these steps:</P>
<OL
style="FONT-SIZE: 16px; MARGIN-LEFT: auto; WIDTH: 745px; COLOR: rgb(0,0,0); MARGIN-RIGHT: auto; FONT-FAMILY: proxima-nova,sans-serif; box-sizing: border-box">
<LI
style="PADDING-RIGHT: 0px; PADDING-LEFT: 4px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px; box-sizing: border-box">Press <CODE
style="PADDING-RIGHT: 3px; PADDING-LEFT: 3px; FONT-SIZE: 15px; PADDING-BOTTOM: 3px; LINE-HEIGHT: 22px; PADDING-TOP: 3px; box-sizing: border-box; border-radius: 3px">WINDOWS+R</CODE> to
bring up the <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Run</SPAN> dialog, and
enter <CODE
style="PADDING-RIGHT: 3px; PADDING-LEFT: 3px; FONT-SIZE: 15px; PADDING-BOTTOM: 3px; LINE-HEIGHT: 22px; PADDING-TOP: 3px; box-sizing: border-box; border-radius: 3px">mmc.exe</CODE> to
launch the Windows Management Console.
<LI
style="PADDING-RIGHT: 0px; PADDING-LEFT: 4px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px; box-sizing: border-box">From
the <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">File</SPAN> menu,
navigate to <SPAN style="FONT-WEIGHT: 600; box-sizing: border-box">Add
or Remove Snap-in</SPAN>, select <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Certificates</SPAN> from
the list of available snap-ins, and click <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Add</SPAN>.
<LI
style="PADDING-RIGHT: 0px; PADDING-LEFT: 4px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px; box-sizing: border-box">We
want the VPN to work with any user, so select <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Computer
Account</SPAN> and click <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Next</SPAN>.
<LI
style="PADDING-RIGHT: 0px; PADDING-LEFT: 4px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px; box-sizing: border-box">We're
configuring things on the local computer, so select <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Local Computer</SPAN>, then
click <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Finish</SPAN>.
<LI
style="PADDING-RIGHT: 0px; PADDING-LEFT: 4px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px; box-sizing: border-box">
<P class=gmail-growable
style="PADDING-RIGHT: 0px; DISPLAY: inline; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; WIDTH: 100%; PADDING-TOP: 0px; box-sizing: border-box">Under
the <SPAN style="FONT-WEIGHT: 600; box-sizing: border-box">Console
Root</SPAN> node, expand the <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Certificates (Local
Computer)</SPAN> entry, expand <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Trusted Root Certification
Authorities</SPAN>, and then select the <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Certificates</SPAN> entry:<BR
style="box-sizing: border-box"><IMG
style="BORDER-RIGHT: rgb(229,229,229) 2px solid; BORDER-TOP: rgb(229,229,229) 2px solid; DISPLAY: block; MARGIN-LEFT: auto; BORDER-LEFT: rgb(229,229,229) 2px solid; MARGIN-RIGHT: auto; BORDER-BOTTOM: rgb(229,229,229) 2px solid; HEIGHT: auto; box-sizing: border-box; max-width: 100%"
alt="Certificates view"
src="https://assets.digitalocean.com/articles/ikevpn_ubuntu_1604/4PN0vT6.png"></P>
<LI
style="PADDING-RIGHT: 0px; PADDING-LEFT: 4px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px; box-sizing: border-box">
<P
style="PADDING-RIGHT: 0px; DISPLAY: inline; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px; box-sizing: border-box">From
the <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Action</SPAN> menu,
select <SPAN style="FONT-WEIGHT: 600; box-sizing: border-box">All
Tasks</SPAN> and click <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Import</SPAN> to
display the Certificate Import Wizard. Click <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Next</SPAN> to move
past the introduction.</P>
<LI
style="PADDING-RIGHT: 0px; PADDING-LEFT: 4px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px; box-sizing: border-box">
<P
style="PADDING-RIGHT: 0px; DISPLAY: inline; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px; box-sizing: border-box">On
the <SPAN style="FONT-WEIGHT: 600; box-sizing: border-box">File to
Import</SPAN> screen, press the <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Browse</SPAN> button
and select the certificate file that you've saved. Then click <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Next</SPAN>.</P>
<LI
style="PADDING-RIGHT: 0px; PADDING-LEFT: 4px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px; box-sizing: border-box">
<P
style="PADDING-RIGHT: 0px; DISPLAY: inline; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px; box-sizing: border-box">Ensure
that the <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Certificate
Store</SPAN> is set to <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Trusted Root Certification
Authorities</SPAN>, and click <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Next</SPAN>.</P>
<LI
style="PADDING-RIGHT: 0px; PADDING-LEFT: 4px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px; box-sizing: border-box">
<P
style="PADDING-RIGHT: 0px; DISPLAY: inline; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px; box-sizing: border-box">Click <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Finish</SPAN> to
import the certificate.</P></LI></OL>
<P
style="PADDING-RIGHT: 0px; PADDING-LEFT: 0px; FONT-SIZE: 16px; PADDING-BOTTOM: 0px; MARGIN: 0px auto 22px; WIDTH: 745px; COLOR: rgb(0,0,0); PADDING-TOP: 0px; FONT-FAMILY: proxima-nova,sans-serif; box-sizing: border-box">Then
configure the VPN with these steps:</P>
<OL
style="FONT-SIZE: 16px; MARGIN-LEFT: auto; WIDTH: 745px; COLOR: rgb(0,0,0); MARGIN-RIGHT: auto; FONT-FAMILY: proxima-nova,sans-serif; box-sizing: border-box">
<LI
style="PADDING-RIGHT: 0px; PADDING-LEFT: 4px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px; box-sizing: border-box">Launch <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Control Panel</SPAN>, then
navigate to the <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Network and Sharing
Center</SPAN>.
<LI
style="PADDING-RIGHT: 0px; PADDING-LEFT: 4px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px; box-sizing: border-box">Click
on <SPAN style="FONT-WEIGHT: 600; box-sizing: border-box">Set up a new
connection or network</SPAN>, then select <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Connect to a
workplace</SPAN>.
<LI
style="PADDING-RIGHT: 0px; PADDING-LEFT: 4px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px; box-sizing: border-box">Select <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Use my Internet connection
(VPN)</SPAN>.
<LI
style="PADDING-RIGHT: 0px; PADDING-LEFT: 4px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px; box-sizing: border-box">Enter
the VPN server details. Enter the server's domain name or IP address in
the <SPAN style="FONT-WEIGHT: 600; box-sizing: border-box">Internet
address</SPAN>field, then fill in <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Destination
name</SPAN> with something that describes your VPN connection. Then
click <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Done</SPAN>.</LI></OL>
<P
style="PADDING-RIGHT: 0px; PADDING-LEFT: 0px; FONT-SIZE: 16px; PADDING-BOTTOM: 0px; MARGIN: 0px auto 22px; WIDTH: 745px; COLOR: rgb(0,0,0); PADDING-TOP: 0px; FONT-FAMILY: proxima-nova,sans-serif; box-sizing: border-box">Your
new VPN connection will be visible under the list of networks. Select the VPN
and click <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">Connect</SPAN>. You'll be
prompted for your username and password. Type them in, click <SPAN
style="FONT-WEIGHT: 600; box-sizing: border-box">OK</SPAN>, and you'll be
connected.</P></DIV><BR
class=gmail-Apple-interchange-newline></DIV></DIV></DIV><BR>
<DIV class=gmail_quote>
<DIV class=gmail_attr dir=ltr>On Wed, Feb 20, 2019 at 1:32 PM Yuri <<A
href="mailto:p_port@mail.ru" target=_blank>p_port@mail.ru</A>>
wrote:<BR></DIV>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid"><U></U>
<DIV bgcolor="#ffffff">
<DIV><FONT face=Arial size=2>Hi!</FONT></DIV>
<DIV><FONT face=Arial size=2>I don't see any client certs in Your message,
that's a reason for Your problem possibly.</FONT></DIV>
<DIV><FONT face=Arial size=2>That's what You should install on client
Windows machine:</FONT></DIV>
<DIV><FONT face=Arial size=2>- CA cert</FONT></DIV>
<DIV><FONT face=Arial size=2>- client cert</FONT></DIV>
<DIV><FONT face=Arial size=2>Cheers</FONT></DIV>
<DIV><FONT face=Arial size=2>Yuri</FONT></DIV>
<BLOCKQUOTE dir=ltr
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: rgb(0,0,0) 2px solid; MARGIN-RIGHT: 0px">
<DIV><FONT face=Arial size=2></FONT><BR></DIV>
<DIV dir=ltr>
<DIV dir=ltr>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
<DIV class=gmail_default><SPAN
style="FONT-FAMILY: Arial,Helvetica,sans-serif">Dear Users,</SPAN></DIV>
<DIV class=gmail_default><SPAN
style="FONT-FAMILY: Arial,Helvetica,sans-serif"><BR></SPAN></DIV>
<DIV class=gmail_default><SPAN
style="FONT-FAMILY: Arial,Helvetica,sans-serif">Below were the
suggestions:</SPAN></DIV>
<DIV class=gmail_default><SPAN
style="FONT-FAMILY: Arial,Helvetica,sans-serif">- Installing EAP-Identity
support - Done</SPAN><BR
style="FONT-FAMILY: Arial,Helvetica,sans-serif"><SPAN
style="FONT-FAMILY: Arial,Helvetica,sans-serif">- Setting UFW to allow all
traffic from client</SPAN></DIV>
<DIV class=gmail_default><SPAN
style="FONT-FAMILY: Arial,Helvetica,sans-serif">
</SPAN><SPAN
style="FONT-SIZE: 14px; COLOR: rgb(58,58,58); FONT-FAMILY: monospace">ufw
allow 500,4500/udp</SPAN></DIV>
<DIV class=gmail_default> ufw allow in from
154.77.***.** proto gre
<DIV class=gmail_default> ufw allow in from
154.77.***.** proto ah</DIV>
<DIV class=gmail_default> ufw allow in from
154.77.***.** proto esp</DIV>
<DIV class=gmail_default><BR></DIV><SPAN
style="FONT-FAMILY: Arial,Helvetica,sans-serif">- Checking if your server
certificates have https:// CRL's</SPAN></DIV>
<DIV class=gmail_default
style="FONT-FAMILY: Arial,Helvetica,sans-serif"><FONT
face="tahoma, sans-serif"> </FONT><B><I><FONT
face="trebuchet ms, sans-serif"> openssl x509 -noout -text -in
ca-cert.pem</FONT></I></B>
<DIV class=gmail_default
style="FONT-FAMILY: tahoma,sans-serif">Certificate:</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
Data:</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
Version: 3 (0x2)</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
Serial Number: 5360843625440499832
(0x4a658adfd6cc5878)</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
Signature Algorithm: sha384WithRSAEncryption</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
Issuer: CN = VPN root CA</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
Validity</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
Not Before: Feb 12 21:01:05 2019
GMT</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
Not After : Feb 9 21:01:05 2029
GMT</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
Subject: CN = VPN root CA</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
Subject Public Key Info:</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
Public Key Algorithm:
rsaEncryption</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
Public-Key: (4096
bit)</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
Modulus:</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
Exponent: 65537
(0x10001)</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
X509v3 extensions:</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
X509v3 Basic Constraints:
critical</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
CA:TRUE</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
X509v3 Key Usage: critical</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
Certificate Sign, CRL
Sign</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
X509v3 Subject Key Identifier:</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
92:3F:B1:C0:05:82:F8:11:B1:69:7E:9E:4F:B4:71:31:F0:AD:18:B7</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
Signature Algorithm: sha384WithRSAEncryption</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
88:53:04:b1:a3:d7:7d:00:d6:f7:06:80:c5:c4:cb:f3:86:30:</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
43:54:11:f6:e8:4d:42:70:12:b9:5f:26:07:ab:7c:d1:48:b1:</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
f7:d4:28:c8:f0:53:49:bc:c1:5b:71:45:bd:f1:3a:a2:06:c2:</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
38:08:c5:e7:d4:d4:51:19:9d:27:d2:f0:fa:71:8b:50:aa:cd:</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">
e3:00:96:a8:9c:f8:db:16:00:eb:6f:1f:3c:39:ee:1c:02:ac: ....</DIV>
<DIV class=gmail_default
style="FONT-FAMILY: tahoma,sans-serif"><B><I><BR></I></B></DIV></DIV>
<DIV class=gmail_default><B><I>On the client
side</I></B> <BR></DIV><BR
style="FONT-FAMILY: Arial,Helvetica,sans-serif">
<DIV class=gmail_default>
<DIV><IMG height=472 alt=image.png
src="cid:005701d4c9ca$f38f0440$6500a8c0@Audio" width=359><BR></DIV>
<DIV><BR></DIV></DIV>
<DIV class=gmail_default><SPAN
style="FONT-FAMILY: Arial,Helvetica,sans-serif">- Checking actual error
message from the client</SPAN> </DIV>
<DIV style="FONT-FAMILY: Arial,Helvetica,sans-serif"><IMG height=210
alt=image.png width=375><BR></DIV>
<DIV style="FONT-FAMILY: Arial,Helvetica,sans-serif"><BR></DIV>
<DIV style="FONT-FAMILY: Arial,Helvetica,sans-serif">
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif">Client
error log :</DIV>
<DIV class=gmail_default style="FONT-FAMILY: tahoma,sans-serif"><BR></DIV>
<DIV class=gmail_default><FONT
face="tahoma, sans-serif"><B><I>Information<SPAN> </SPAN>2/20/2019
12:51:31 AM<SPAN> </SPAN>RasClient<SPAN> </SPAN>20221<SPAN>
</SPAN>None</I></B></FONT></DIV>
<DIV class=gmail_default><FONT
face="tahoma, sans-serif">CoId={E5273640-B6B0-4B4B-A0FF-8B5FC33EEDFB}: The
user DESKTOP-ICV578Q\User has started dialing a VPN connection using a
per-user connection profile named VPN Connection. The connection settings
are: </FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif">Dial-in User =
remoteprivate</FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif">VpnStrategy =
IKEv2</FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif">DataEncryption =
Requested</FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif">PrerequisiteEntry
= </FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif">AutoLogon =
No</FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif">UseRasCredentials
= Yes</FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif">Authentication
Type = EAP </FONT></DIV>
<DIV class=gmail_default><FONT
face="tahoma, sans-serif">Ipv4DefaultGateway = Yes</FONT></DIV>
<DIV class=gmail_default><FONT
face="tahoma, sans-serif">Ipv4AddressAssignment = By Server</FONT></DIV>
<DIV class=gmail_default><FONT
face="tahoma, sans-serif">Ipv4DNSServerAssignment = By Server</FONT></DIV>
<DIV class=gmail_default><FONT
face="tahoma, sans-serif">Ipv6DefaultGateway = Yes</FONT></DIV>
<DIV class=gmail_default><FONT
face="tahoma, sans-serif">Ipv6AddressAssignment = By Server</FONT></DIV>
<DIV class=gmail_default><FONT
face="tahoma, sans-serif">Ipv6DNSServerAssignment = By Server</FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif">IpDnsFlags
= </FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif">IpNBTEnabled =
Yes</FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif">UseFlags =
Private Connection</FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif">ConnectOnWinlogon
= No</FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif">Mobility enabled
for IKEv2 = Yes.</FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif"><BR></FONT></DIV>
<DIV class=gmail_default><FONT
face="tahoma, sans-serif"><B><I>Information<SPAN> </SPAN>2/20/2019
12:51:31 AM<SPAN> </SPAN>RasClient<SPAN> </SPAN>20222<SPAN>
</SPAN>None</I></B></FONT></DIV>
<DIV class=gmail_default><FONT
face="tahoma, sans-serif">CoId={E5273640-B6B0-4B4B-A0FF-8B5FC33EEDFB}: The
user DESKTOP-ICV578Q\User is trying to establish a link to the Remote
Access Server for the connection named VPN Connection using the following
device: </FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif">Server
address/Phone Number = 102.129.249.173</FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif">Device = WAN
Miniport (IKEv2)</FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif">Port =
VPN2-1</FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif">MediaType =
VPN.</FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif"><BR></FONT></DIV>
<DIV class=gmail_default><FONT
face="tahoma, sans-serif"><B><I>Information<SPAN> </SPAN>2/20/2019
12:51:31 AM<SPAN> </SPAN>RasClient<SPAN> </SPAN>20223<SPAN>
</SPAN>None</I></B></FONT></DIV>
<DIV class=gmail_default><FONT
face="tahoma, sans-serif">CoId={E5273640-B6B0-4B4B-A0FF-8B5FC33EEDFB}: The
user DESKTOP-ICV578Q\User has successfully established a link to the
Remote Access Server using the following device: </FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif">Server
address/Phone Number = 102.129.249.173</FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif">Device = WAN
Miniport (IKEv2)</FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif">Port =
VPN2-1</FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif">MediaType =
VPN.</FONT></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif"><BR></FONT></DIV>
<DIV class=gmail_default><FONT
face="tahoma, sans-serif"><B><I>Information<SPAN> </SPAN>2/20/2019
12:51:31 AM<SPAN> </SPAN>RasClient<SPAN> </SPAN>20224<SPAN>
</SPAN>None</I></B></FONT></DIV>
<DIV class=gmail_default><FONT
face="tahoma, sans-serif">CoId={E5273640-B6B0-4B4B-A0FF-8B5FC33EEDFB}: The
link to the Remote Access Server has been established by user
DESKTOP-ICV578Q\User.</FONT></DIV>
<DIV class=gmail_default><BR></DIV>
<DIV class=gmail_default><FONT face="tahoma, sans-serif"><B><I>Error<SPAN>
</SPAN>2/20/2019 12:51:32 AM<SPAN> </SPAN>RasClient<SPAN>
</SPAN>20227<SPAN> </SPAN>None</I></B></FONT></DIV>
<DIV class=gmail_default><FONT
face="tahoma, sans-serif">CoId={E5273640-B6B0-4B4B-A0FF-8B5FC33EEDFB}: The
user DESKTOP-ICV578Q\User dialed a connection named VPN Connection which
has failed. The error code returned on failure is 13801.</FONT><SPAN
style="FONT-FAMILY: tahoma,sans-serif"></SPAN></DIV><BR></DIV>
<DIV style="FONT-FAMILY: Arial,Helvetica,sans-serif">
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[1126]:
06[CFG] selected proposal:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[1126]:
06[IKE] remote host is behind NAT</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[1126]:
06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[1126]:
06[NET] sending packet: from 102.1*9.2**.***[500] to 154.77.***.**[500]
(448 bytes)</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
05[NET] received packet: from 154.77.***.**[4500] to 102.1*9.2**.***[4500]
(500 bytes)</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[1126]:
07[NET] received packet: from 154.77.***.**[4500] to 102.1*9.2**.***[4500]
(580 bytes)</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[1126]:
07[ENC] parsed IKE_AUTH request 1 [ EF(1/3) ]</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[1126]:
07[ENC] received fragment #1 of 3, waiting for complete IKE message</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
05[ENC] parsed IKE_AUTH request 1 [ EF(3/3) ]</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
05[ENC] received fragment #3 of 3, waiting for complete IKE message</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
08[NET] received packet: from 154.77.***.**[4500] to 102.1*9.2**.***[4500]
(580 bytes)</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
08[ENC] parsed IKE_AUTH request 1 [ EF(2/3) ]</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
08[ENC] received fragment #2 of 3, reassembling fragmented IKE
message</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
08[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR
DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
08[IKE] received 52 cert requests for an unknown ca</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
08[CFG] looking for peer configs matching
102.1*9.2**.***[%any]...154.77.***.**[192.168.43.156]</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
08[CFG] candidate "ikev2-vpn", match: 1/1/28
(me/other/ike)</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
08[CFG] selected peer config 'ikev2-vpn'</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
08[IKE] initiating EAP_IDENTITY method (id 0x00)</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
08[IKE] peer supports MOBIKE</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
08[IKE] authentication of '102.1*9.2**.***' (myself) with RSA signature
successful</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
08[IKE] sending end entity cert "CN=102.1*9.2**.***"</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
08[ENC] splitting IKE message with length of 1904 bytes into 2
fragments</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
08[NET] sending packet: from 102.1*9.2**.***[4500] to 154.77.***.**[4500]
(1236 bytes)</DIV>
<DIV>Feb 20 01:13:59 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
08[NET] sending packet: from 102.1*9.2**.***[4500] to 154.77.***.**[4500]
(740 bytes)</DIV>
<DIV>Feb 20 01:14:28 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
10[JOB] deleting half open IKE_SA with 154.77.***.** after timeout</DIV>
<DIV><BR></DIV></DIV>
<DIV style="FONT-FAMILY: Arial,Helvetica,sans-serif"><BR></DIV>
<DIV class=gmail_default> <SPAN
style="FONT-FAMILY: Arial,Helvetica,sans-serif">- Simplifying your setup
to use PSK (pre-shared-keys) for authentication *for now*</SPAN><FONT
face="tahoma, sans-serif"> </FONT> </DIV>
<DIV class=gmail_default> Will do that today.</DIV><BR
class=gmail-m_5504522518048980817gmail-m_-1086287228049524629gmail-Apple-interchange-newline></DIV></DIV></DIV><BR>
<DIV class=gmail_quote>
<DIV class=gmail_attr dir=ltr>On Tue, Feb 19, 2019 at 7:51 PM Kostya
Vasilyev <<A href="mailto:kman@fastmail.com"
target=_blank>kman@fastmail.com</A>> wrote:<BR></DIV>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid"><U></U>
<DIV>
<DIV>It would also help to know your actual Windows VPN settings
including VPN Type.<BR></DIV>
<DIV><BR></DIV>
<DIV>I'm not much of a Windows person, but ....<BR></DIV>
<DIV><BR></DIV>
<DIV>This Cisco tutorial has nice screenshots under "Configure Windows 7
built-in client":<BR></DIV>
<DIV><BR></DIV>
<DIV><A
href="https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/213246-asa-ikev2-ra-vpn-with-windows-7-or-andro.html"
target=_blank>https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/213246-asa-ikev2-ra-vpn-with-windows-7-or-andro.html</A><BR></DIV>
<DIV><BR></DIV>
<DIV>In particular please see "step 10" near the end:<BR></DIV>
<DIV><BR></DIV>
<DIV><A
href="https://www.cisco.com/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/213246-asa-ikev2-ra-vpn-with-windows-7-or-andro-50.png"
target=_blank>https://www.cisco.com/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/213246-asa-ikev2-ra-vpn-with-windows-7-or-andro-50.png</A><BR></DIV>
<DIV><BR></DIV>
<DIV>If you have "automatic" as VPN type - it would explain the client
trying to use OpenVPN / PPTP / L2TP ports, which we're seeing ("UFW
blocked" messages).<BR></DIV>
<DIV><BR></DIV>
<DIV>I believe you want IKEv2 as VPN type here.<BR></DIV>
<DIV><BR></DIV>
<DIV>If I'm wrong, hopefully someone more knowledgeable in Windows can
correct me.<BR></DIV>
<DIV><BR></DIV>
<DIV>And here is a different tutorial about strongSwan and Windows - it
has nice screenshots of how to properly configure the Windows side (same
screen as I linked above, basically, just a different
presentation).<BR></DIV>
<DIV><BR></DIV>
<DIV><A
href="https://docplayer.net/1323154-Vpn-with-windows-7-and-linux-strongswan-using-ikev2.html"
target=_blank>https://docplayer.net/1323154-Vpn-with-windows-7-and-linux-strongswan-using-ikev2.html</A><BR></DIV>
<DIV><BR></DIV>
<DIV
id=gmail-m_5504522518048980817gmail-m_-1086287228049524629gmail-m_-9190295401736213918sig24956113>
<DIV
class=gmail-m_5504522518048980817gmail-m_-1086287228049524629gmail-m_-9190295401736213918signature>--<BR></DIV>
<DIV
class=gmail-m_5504522518048980817gmail-m_-1086287228049524629gmail-m_-9190295401736213918signature>Kostya
Vasilyev<BR></DIV>
<DIV
class=gmail-m_5504522518048980817gmail-m_-1086287228049524629gmail-m_-9190295401736213918signature><A
href="mailto:kman@fastmail.com"
target=_blank>kman@fastmail.com</A><BR></DIV>
<DIV
class=gmail-m_5504522518048980817gmail-m_-1086287228049524629gmail-m_-9190295401736213918signature><BR></DIV></DIV>
<DIV><BR></DIV>
<DIV>On Tue, Feb 19, 2019, at 4:02 PM, MOSES KARIUKI wrote:<BR></DIV>
<BLOCKQUOTE type="cite">
<DIV dir=ltr>
<DIV style="FONT-FAMILY: tahoma,sans-serif">Thanks a lot. Let me load
the WIndows logs.<BR></DIV></DIV>
<DIV><BR></DIV>
<DIV>
<DIV dir=ltr>On Tue, Feb 19, 2019 at 4:00 PM Kostya Vasilyev <<A
href="mailto:kman@fastmail.com"
target=_blank>kman@fastmail.com</A>> wrote:<BR></DIV>
<BLOCKQUOTE
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV><U></U><BR></DIV>
<DIV>
<DIV><BR></DIV>
<DIV>On Tue, Feb 19, 2019, at 3:56 PM, MOSES KARIUKI
wrote:<BR></DIV>
<BLOCKQUOTE type="cite">
<DIV dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-FAMILY: tahoma,sans-serif">Hello
Vasilyev,<BR></DIV>
<DIV style="FONT-FAMILY: tahoma,sans-serif"><BR></DIV>
<DIV style="FONT-FAMILY: tahoma,sans-serif">I can't get
this to work: <I>openssl -noout -text -in
ca-key.pem</I>. I have tried Googling but this also gives
nothing.<BR></DIV>
<DIV style="FONT-FAMILY: tahoma,sans-serif"><I>
</I><SPAN
class=gmail-m_5504522518048980817gmail-m_-1086287228049524629gmail-m_-9190295401736213918highlight
style="BACKGROUND-COLOR: transparent"><SPAN
class=gmail-m_5504522518048980817gmail-m_-1086287228049524629gmail-m_-9190295401736213918colour><SPAN
class=gmail-m_5504522518048980817gmail-m_-1086287228049524629gmail-m_-9190295401736213918font
style="FONT-FAMILY: Monaco,Menlo,Consolas,'Courier New',monospace"><SPAN
class=gmail-m_5504522518048980817gmail-m_-1086287228049524629gmail-m_-9190295401736213918size>openssl
x509 -noout -text -in
</SPAN></SPAN></SPAN></SPAN>ca-key.pem<BR></DIV>
<DIV style="FONT-FAMILY: tahoma,sans-serif"><BR></DIV>
<DIV style="FONT-FAMILY: tahoma,sans-serif">Any ideas? Sorry I am
a newbie on this one.<BR></DIV></DIV></DIV></BLOCKQUOTE>
<DIV><BR></DIV>
<DIV>You want to do this with the certificate - not its
key.<BR></DIV>
<DIV><BR></DIV>
<DIV>But like I said it could be a red herring too - as Il Ka just
wrote, it could be that Windows client tries several protos
including PPTP/GRE, L2TP and so on ...<BR></DIV>
<DIV><BR></DIV>
<DIV>... which is a reason to make sure that Windows is not trying
to use some other protocol like PPTP or L2TP, and that you're not
trying to use OpenVPN or some such.<BR></DIV>
<DIV><BR></DIV>
<DIV>Tom Rymes just suggested you check your Windows connection
properties. I second this.<BR></DIV>
<DIV><BR></DIV>
<DIV>-- K<BR></DIV>
<DIV><BR></DIV>
<BLOCKQUOTE type="cite">
<DIV dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-FAMILY: tahoma,sans-serif"><BR></DIV></DIV></DIV>
<DIV><BR></DIV>
<DIV>
<DIV dir=ltr>On Tue, Feb 19, 2019 at 12:40 PM Kostya Vasilyev
<<A href="mailto:kman@fastmail.com"
target=_blank>kman@fastmail.com</A>> wrote:<BR></DIV>
<BLOCKQUOTE
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV><BR></DIV>
<DIV>On Tue, Feb 19, 2019, at 12:34 PM, IL Ka wrote:<BR></DIV>
<DIV>> <BR></DIV>
<DIV>> On Tue, Feb 19, 2019 at 8:48 AM Kostya Vasilyev <<A
href="mailto:kman@fastmail.com"
target=_blank>kman@fastmail.com</A>> wrote:<BR></DIV>
<DIV>>> Looks like the connection is "almost there" but
gets blocked by your firewall (UFW)<BR></DIV>
<DIV>>> <BR></DIV>
<DIV>>> Very end of your log:<BR></DIV>
<DIV>>> <BR></DIV>
<DIV>>> Feb 19 02:10:01 VM-e2b7 charon: 11[NET]
sending packet: from 102.1*9.2**.***[4500] to
154.77.***.**[4500] (772 bytes)<BR></DIV>
<DIV>>> Feb 19 02:10:01 VM-e2b7 kernel: [
2543.189073] [UFW BLOCK] IN=ens3 OUT=
MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223
DF PROTO=TCP SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN
URGP=0<BR></DIV>
<DIV>>> Feb 19 02:10:30 VM-e2b7 charon: 14[JOB]
deleting half open IKE_SA with 154.77.***.** after
timeout<BR></DIV>
<DIV>> <BR></DIV>
<DIV>> <BR></DIV>
<DIV>> DPT=443 looks like OpenVPN or HTTPS. <BR></DIV>
<DIV>> IKE uses UDP/500 (or UDP/4500 in case of
NAT).<BR></DIV>
<DIV>> <BR></DIV>
<DIV>> I am not sure this message is somehow connected to
problem.<BR></DIV>
<DIV>> <BR></DIV>
<DIV><BR></DIV>
<DIV>Could be unrelated - good find on the
EAP-Identity<BR></DIV>
<DIV><BR></DIV>
<DIV>But it could also be the client trying to fetch the CA
certificate's CRL.<BR></DIV>
<DIV><BR></DIV>
<DIV>Moses can you check if your CA cert has a CRL?<BR></DIV>
<DIV><BR></DIV>
<DIV>openssl -text -noout -in your_CA_cert<BR></DIV>
<DIV><BR></DIV>
<DIV>Is there a CRL? Is it an https:// link?<BR></DIV>
<DIV><BR></DIV>
<DIV> X509v3 CRL Distribution Points:<BR></DIV>
<DIV><BR></DIV>
<DIV> Full Name:<BR></DIV>
<DIV>
URI:https://......<BR></DIV>
<DIV><BR></DIV>
<DIV>-- K<BR></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE>
<DIV><BR></DIV></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE>
<DIV><BR></DIV></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></BODY></HTML>
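Added example, not code from the thread or from strongSwan: it turns the diagnosis discussed above into a small triage script that reads charon syslog lines, correlates the last IKE exchange the server generated with the peer that was later dropped as a half-open IKE_SA, and flags UFW blocks on non-IKEv2 ports. The sample log, host name and addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the charon/UFW lines quoted in the thread;
# the host name and addresses are placeholders, not values from the list.
SAMPLE_LOG = """\
Feb 20 01:13:59 vpn charon: 08[IKE] sending end entity cert "CN=vpn.example.test"
Feb 20 01:13:59 vpn charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Feb 20 01:13:59 vpn charon: 08[ENC] splitting IKE message with length of 1904 bytes into 2 fragments
Feb 20 01:13:59 vpn charon: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Feb 20 01:13:59 vpn charon: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Feb 20 01:13:59 vpn charon: 08[NET] sending packet: from 203.0.113.10[4500] to 198.51.100.7[4500] (1236 bytes)
Feb 20 01:13:59 vpn charon: 08[NET] sending packet: from 203.0.113.10[4500] to 198.51.100.7[4500] (740 bytes)
Feb 20 01:14:05 vpn kernel: [UFW BLOCK] IN=ens3 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=54229 DPT=443 SYN
Feb 20 01:14:28 vpn charon: 10[JOB] deleting half open IKE_SA with 198.51.100.7 after timeout
"""

GEN_RE = re.compile(r"charon: (\d+)\[ENC\] generating (\S+ (?:request|response)) \d+ \[ (.*?) \]")
SEND_RE = re.compile(r"charon: (\d+)\[NET\] sending packet: from \S+ to ([\d.]+)\[")
UFW_RE = re.compile(r"\[UFW BLOCK\] .*SRC=([\d.]+) .*PROTO=(\w+) .*DPT=(\d+)")
DROP_RE = re.compile(r"deleting half open IKE_SA with ([\d.]+) after timeout")

# Non-IKEv2 ports a Windows client with VPN type "Automatic" may fall back to (TCP/443 can also be a CRL fetch).
OTHER_PORTS = {("TCP", "443"): "HTTPS/SSTP", ("TCP", "1723"): "PPTP", ("UDP", "1701"): "L2TP"}

def triage(log):
    """Map each timed-out peer to the last exchange the server sent it, plus hints."""
    by_thread = {}              # charon worker id -> last full exchange it generated
    last_sent = {}              # peer address -> (exchange, payloads) last sent to it
    blocked = defaultdict(set)  # peer address -> other VPN protocols it was blocked on
    result = {}
    for line in log.splitlines():
        # EF(n/m) lines are fragments of the exchange already recorded, so skip them
        if (m := GEN_RE.search(line)) and not m.group(3).startswith("EF("):
            by_thread[m.group(1)] = (m.group(2), m.group(3))
        elif (m := SEND_RE.search(line)) and m.group(1) in by_thread:
            last_sent[m.group(2)] = by_thread[m.group(1)]
        elif (m := UFW_RE.search(line)) and (m.group(2), m.group(3)) in OTHER_PORTS:
            blocked[m.group(1)].add(OTHER_PORTS[(m.group(2), m.group(3))])
        elif m := DROP_RE.search(line):
            peer = m.group(1)
            exch, payloads = last_sent.get(peer, ("nothing", ""))
            hints = []
            if "EAP" in payloads:
                hints.append("client went silent after the server cert + EAP identity request: "
                             "check the cert's CN/SAN matches the VPN server name and the CA is trusted")
            if blocked[peer]:
                hints.append("peer also tried " + ", ".join(sorted(blocked[peer])) +
                             ": set the Windows VPN type to IKEv2 (not Automatic) or check the CRL URL")
            result[peer] = {"stalled_after": exch, "payloads": payloads, "hints": hints}
    return result
```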