<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
You don't say how your Windows client is configured. There are (at least) two potential issues to check:<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt">1) You didn't install the cert correctly. See
<a href="https://github.com/gitbls/pistrong/blob/master/CertInstall.md">https://github.com/gitbls/pistrong/blob/master/CertInstall.md</a> for detailed instructions on how to correctly install the cert into Windows</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt"><br>
</div>
2) You didn't mention whether your Windows client is accessing the VPN by IP address or DNS name. If it's by IP address, looks like this is OK. If it's by DNS name, you need to have the DNS name as an altName in your cert. See
<a href="https://github.com/gitbls/pistrong/blob/master/CertDetails.md" id="LPNoLP839900">
https://github.com/gitbls/pistrong/blob/master/CertDetails.md</a> <br>
</div>
<br>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Regards<br>
</div>
<div>
<div id="appendonsend"></div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> Users <users-bounces@lists.strongswan.org> on behalf of Alexey Vlasov <renton@renton.name><br>
<b>Sent:</b> Thursday, July 25, 2019 7:37 AM<br>
<b>To:</b> Noel Kuntze <noel.kuntze@thermi.consulting><br>
<b>Cc:</b> users@lists.strongswan.org <users@lists.strongswan.org><br>
<b>Subject:</b> Re: [strongSwan] IKEv2 VPN server</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt">
<div class="PlainText">(my ca cert is on top of the list)<br>
<br>
On Thu, Jul 25, 2019 at 05:35:54PM +0300, Alexey Vlasov wrote:<br>
> I've rechecked again,<br>
> <a href="https://www.dropbox.com/s/c67ua5uzs05dkgo/vpn_cert_ca.png?dl=0">https://www.dropbox.com/s/c67ua5uzs05dkgo/vpn_cert_ca.png?dl=0</a><br>
> <br>
> On Thu, Jul 25, 2019 at 04:20:18PM +0200, Noel Kuntze wrote:<br>
> > Hello Alexey,<br>
> > <br>
> > Looks like your Windows clients don't trust your CA.<br>
> > <br>
> > Kind regards<br>
> > <br>
> > Noel<br>
> > <br>
> > Am 25.07.19 um 16:00 schrieb Alexey Vlasov:<br>
> > > Hi,<br>
> > ><br>
> > > After several days of digging and trying tens working configs I given up<br>
> > > to find out why in my case ikev2 does not work with any vpn clients.<br>
> > ><br>
> > > So, I have fresh Gentoo box with strongswan 5.7.2,<br>
> > ><br>
> > > ipsec.conf :<br>
> > > ==================<br>
> > > config setup<br>
> > > charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"<br>
> > ><br>
> > > conn VPN-IKEV2<br>
> > > auto=add<br>
> > > dpdaction=clear<br>
> > > keyexchange=ikev2<br>
> > > ike=aes256-sha1-modp1024,3des-sha1-modp1024!<br>
> > > esp=aes256-sha1,3des-sha1!<br>
> > > fragmentation=yes<br>
> > ><br>
> > > leftsubnet=0.0.0.0/0<br>
> > > leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem<br>
> > > leftsendcert=always<br>
> > > leftid=5.231.208.198<br>
> > ><br>
> > > rightauth=eap-mschapv2<br>
> > > ==================<br>
> > ><br>
> > > # ipsec listcerts<br>
> > ><br>
> > > List of X.509 End Entity Certificates<br>
> > ><br>
> > > subject: "C=DE, O=LLC Lucky-Host, CN=5.231.208.198"<br>
> > > issuer: "C=DE, O=LLC Lucky-Host, CN=Lucky-Host VPN Service Root CA"<br>
> > > validity: not before Jul 24 19:40:35 2019, ok<br>
> > > not after Jul 21 19:40:35 2029, ok (expires in 3649 days)<br>
> > > serial: 57:d9:c8:a8:f3:c5:cf:5a<br>
> > > altNames: 5.231.208.198<br>
> > > flags: serverAuth ikeIntermediate<br>
> > > authkeyId: d3:77:ff:85:bc:51:12:6b:cc:cf:3f:97:da:f6:81:59:00:dd:81:f8<br>
> > > subjkeyId: d5:bb:9c:d5:67:24:71:6c:40:ac:55:a7:d3:33:d3:ac:a6:1c:ac:d3<br>
> > > pubkey: RSA 4096 bits, has private key<br>
> > > keyid: 04:9a:94:1e:de:5c:ee:33:20:4b:c3:c3:2a:62:8d:6a:11:58:74:03<br>
> > > subjkey: d5:bb:9c:d5:67:24:71:6c:40:ac:55:a7:d3:33:d3:ac:a6:1c:ac:d3<br>
> > ><br>
> > > ipsec.secrets :<br>
> > > ==================<br>
> > > vpn : EAP "testvpn"<br>
> > > 5.231.208.198 : RSA /etc/ipsec.d/private/vpn-server-key.pem<br>
> > > ==================<br>
> > ><br>
> > > The built-in Windows 10 VPN client says "IKE authentication credentials are unacceptable" after an attempt to connect.<br>
> > ><br>
> > > IPSec logs end on this row:<br>
> > > Jul 25 15:55:40 vpn1 charon: 13[NET] sending packet: from 5.231.208.198[4500] to 128.70.239.23[4500] (848 bytes)<br>
> > > Jul 25 15:55:40 vpn1 charon: 04[NET] sending packet: from 5.231.208.198[4500] to 128.70.239.23[4500]<br>
> > > Jul 25 15:55:40 vpn1 charon: 13[MGR] checkin IKE_SA VPN-IKEV2[5]<br>
> > > Jul 25 15:55:40 vpn1 charon: 13[MGR] checkin of IKE_SA successful<br>
> > ><br>
> > > and after 30 seconds adding<br>
> > > Jul 25 15:56:10 vpn1 charon: 15[MGR] checkout IKEv2 SA with SPIs 6eed288a380403e2_i 1e6835aaf130f6fe_r<br>
> > > Jul 25 15:56:10 vpn1 charon: 15[MGR] IKE_SA VPN-IKEV2[5] successfully checked out<br>
> > > Jul 25 15:56:10 vpn1 charon: 15[JOB] deleting half open IKE_SA with 128.70.239.23 after timeout<br>
> > > Jul 25 15:56:10 vpn1 charon: 15[MGR] checkin and destroy IKE_SA VPN-IKEV2[5]<br>
> > > Jul 25 15:56:10 vpn1 charon: 15[IKE] IKE_SA VPN-IKEV2[5] state change: CONNECTING => DESTROYING<br>
> > > Jul 25 15:56:10 vpn1 charon: 15[MGR] checkin and destroy of IKE_SA successful<br>
> > ><br>
> > > The CA cert have been installed on windows side.<br>
> > ><br>
> > > Full log is in attach.<br>
> > ><br>
> > > Are there any ideas what is wrong?<br>
> > ><br>
> > > Thanks in advance.<br>
> > <br>
> > -- <br>
> > Noel Kuntze<br>
> > IT security consultant<br>
> > <br>
> > GPG Key ID: 0x0739AD6C<br>
> > Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C<br>
> > <br>
> > <br>
> <br>
> <br>
> <br>
</div>
</span></font></div>
</div>
</body>
</html>