<div dir="ltr">Hi<div><br></div><div>Maybe this info may be of some use/help for the users. It took a lot of time studying various aspects and arriving at this config, hence sharing for some use to other users too.</div><div><br></div><div>The below is the config for a Strongswan VPN server for Windows IKEv2 clients (using Certs-ONLY and/or EAP-MSCHAPv2 for auth). This is working for me with multiple concurrent Windows IKEv2 clients connected to this server.</div><div>Note: The use of the option "rekey=no" on this VPN server is necessary to ensure that the Windows IKEv2 clients are always the rekey initiators. This option was more necessary when the remote Windows IKEv2 clients were behind NAT routers and would NOT respond to rekey requests initiated from the VPN server, hence rekey is disabled on the server. BUT the VPN server WILL RESPOND TO ALL REKEY REQUESTS FROM CLIENTS.</div><div><br></div><div><br>root@gw1:/tmp# cat /etc/ipsec.conf<br># ipsec config file<br>config setup<br> charondebug="chd 2,knl 1,ike 2,cfg 1"<br> strictcrlpolicy=no<br><br>conn %default<br> auto=route<br> leftfirewall=yes<br> lefthostaccess=yes<br> keyingtries=1<br> mobike=no<br> fragmentation=yes<br> leftsendcert=always<br><br>conn WindArdClients_V2_wCertsOnly<br> auto=add<br> left=20.20.20.7<br> right=%any<br> ikelifetime=28800s<br> esp=aes256-sha1!<br> lifetime=3600s<br> rekeymargin=180s<br> ike=aes256-sha1-modp1024<br> keyexchange=ikev2<br> reauth=no<br> rekey=no<br> leftauth=pubkey<br> rightauth=pubkey<br> leftid="/C=US/ST=CA/L=SFO/O=Cisco Systems/OU=SVTQA/CN=vRouter.dyndns.org"<br> rightid=%any<br> leftcert=/etc/ssl/certs/vRoutercert.pem<br> dpddelay=40<br> dpdtimeout=120<br> dpdaction=clear<br> rightsourceip=10.1.103.100-10.1.103.200<br> modeconfig=pull<br> leftsubnet=0.0.0.0/0<br> rightdns=192.168.110.26,192.168.110.27<br><br>conn WindArdOthClients_V2_wEAP<br> auto=add<br>
left=20.20.20.7<br> right=%any<br> ikelifetime=28800s<br> esp=aes256-sha1!<br> lifetime=3600s<br> margintime=180s<br> ike=aes256-sha1-modp1024<br> keyexchange=ikev2<br> reauth=no<br> rekey=no<br> leftauth=pubkey<br> rightauth=eap-mschapv2<br> eap_identity=%any<br> leftsendcert=always<br> rightsendcert=never<br> leftid=vRouter.dyndns.org<br> rightid=%any<br> leftcert=/etc/ssl/certs/vRoutercert.pem<br> dpddelay=40<br> dpdtimeout=120<br> dpdaction=clear<br> rightsourceip=10.1.104.100-10.1.104.200<br> modeconfig=pull<br> leftsubnet=192.168.20.0/24,192.168.25.0/24,192.168.110.0/24<br> rightdns=192.168.110.26,192.168.110.27<br><br>---------------------------------------------------------<br>root@gw1:/tmp# cat /etc/ipsec.secrets<br># ipsec-secrets file<br>: RSA vRouterKey.pem<br>user1 : EAP "test1234"<br>user2 : EAP "test1234"<br>user3 : EAP "test1234"<br>user4 : EAP "test1234"<br>user5 : EAP "test1234"<br>user6 : EAP "test1234"<br><br>===========================================<br></div><div><br></div><div>thanks & regards</div><div>Rajiv</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Oct 13, 2020 at 5:48 PM Makarand Pradhan <<a href="mailto:MakarandPradhan@is5com.com">MakarandPradhan@is5com.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Thanks Tobias for responding.<br>
<br>
There is no firewall.<br>
<br>
Windows has not yet sent an IKE_AUTH.<br>
Windows sends an IKE_SA_INIT.<br>
Strongswan sends a CA CERT REQ. I think it's going to windows. The CA cert is installed on windows Trusted folder.<br>
On windows I see a msg saying "Ask your admin to config certificates properly."<br>
<br>
I think I'm messing up with certificates somehow. I've created a CA and signed the certificates using this CA on the Strongswan server.<br>
The CA cert and the Win cert with its private key are installed on Windows.<br>
The CA cert and server cert are installed in ipsec.d/cacert and ipsec.d/cert, and the server private key is installed in ipsec.d/private.<br>
<br>
Will recheck and get back.<br>
<br>
Thanks again.<br>
Makarand.<br>
<br>
<br>
-----Original Message-----<br>
From: Tobias Brunner <<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>> <br>
Sent: October 12, 2020 10:59 AM<br>
To: Makarand Pradhan <<a href="mailto:MakarandPradhan@is5com.com" target="_blank">MakarandPradhan@is5com.com</a>>; <a href="mailto:users@lists.strongswan.org" target="_blank">users@lists.strongswan.org</a><br>
Subject: Re: [strongSwan] Windows VPN client issue with Strongswan<br>
<br>
Hi Makarand,<br>
<br>
> 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) <br>
> N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ] 06[NET] <br>
> sending packet: from 10.10.5.1[500] to 10.10.5.7[500] (353 bytes) <br>
> 15[JOB] deleting half open IKE_SA with 10.10.5.7 after timeout<br>
<br>
This could indicate an IP fragmentation issue (IKE_AUTH too large with certificate and certificate requests, fragments dropped). But since both peers support IKEv2 fragmentation (FRAG_SUP) that seems unlikely.<br>
<br>
While there is no NAT between the hosts, with MOBIKE there will still be a switch to UDP port 4500, so make sure no firewall blocks that port.<br>
<br>
What error is the client reporting exactly? Does it actually send an IKE_AUTH request?<br>
<br>
> I was expecting a windows cert request. Instead I see a CA Cert req.<br>
<br>
The request is for certificates issued by that CA.<br>
<br>
Regards,<br>
Tobias<br>
</blockquote></div>
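The thread above turns on a handful of ipsec.conf settings and how they combine: values set in <code>conn %default</code> are inherited by every other conn, <code>rekey=no</code> leaves rekeying to the Windows client, <code>fragmentation</code> decides whether a large IKE_AUTH carrying certificates depends on IP fragmentation, and MOBIKE moves the IKE_SA to UDP/4500 after IKE_SA_INIT. The script below is an added example, not code from the strongSwan project or from any of the posts: it parses an ipsec.conf, resolves the <code>%default</code> inheritance, and reports those points per connection. <code>SAMPLE_IPSEC_CONF</code> is a constructed, shortened excerpt of Rajiv's posted file (with <code>mobike=yes</code> added to the EAP conn purely to exercise that check), and the finding codes are this script's own, not strongSwan terminology.

```python
"""Parse a strongSwan ipsec.conf, resolve 'conn %default' inheritance and
review each connection for the points raised in the thread.

Added example, not strongSwan project code. SAMPLE_IPSEC_CONF is a
constructed excerpt of the posted configuration; finding codes are ours.
"""
import re

# Constructed sample: shortened from the posted ipsec.conf. mobike=yes on the
# EAP conn is NOT in the original; it is here only to exercise that check.
SAMPLE_IPSEC_CONF = """\
# ipsec config file
config setup
 charondebug="chd 2,knl 1,ike 2,cfg 1"
 strictcrlpolicy=no

conn %default
 auto=route
 mobike=no
 fragmentation=yes
 leftsendcert=always

conn WindArdClients_V2_wCertsOnly
 auto=add
 keyexchange=ikev2
 ike=aes256-sha1-modp1024
 esp=aes256-sha1!
 rekey=no
 leftauth=pubkey
 rightauth=pubkey

conn WindArdOthClients_V2_wEAP
 auto=add
 keyexchange=ikev2
 ike=aes256-sha1-modp1024
 rekey=no
 mobike=yes
 leftauth=pubkey
 rightauth=eap-mschapv2
 rightsendcert=never
"""

# Section headers ("config setup", "conn name", "ca name") start in column 0.
SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}}; '#' comments and quotes stripped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = SECTION_RE.match(line)   # never matches indented parameters
        if header:
            current = (header.group(1), header.group(2))
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def effective_conns(sections):
    """Merge 'conn %default' under every other conn; the conn's own keys win."""
    defaults = sections.get(("conn", "%default"), {})
    return {name: {**defaults, **params}
            for (kind, name), params in sections.items()
            if kind == "conn" and name != "%default"}


WEAK_TOKENS = ("modp768", "modp1024", "md5", "sha1", "3des")


def review_conn(conn):
    """Return (code, message) findings for one effective conn.
    Defaults assumed where a key is absent follow ipsec.conf(5):
    rekey=yes, mobike=yes, leftsendcert=ifasked."""
    findings = []
    if conn.get("rekey", "yes") == "no":
        findings.append(("REKEY_BY_PEER", "rekey=no: this gateway never initiates "
                         "rekeying; the client must, and the gateway answers it"))
    if conn.get("fragmentation", "") not in ("yes", "force"):
        findings.append(("FRAGMENTATION_UNVERIFIED", "IKEv2 fragmentation not "
                         "enabled for sending: a large IKE_AUTH with certificates "
                         "then relies on IP fragmentation, which is often dropped"))
    if conn.get("mobike", "yes") != "no":
        findings.append(("MOBIKE_UDP4500", "MOBIKE enabled: the IKE_SA switches to "
                         "UDP/4500 after IKE_SA_INIT, so allow 4500 as well as 500"))
    weak = [t for t in WEAK_TOKENS if t in conn.get("ike", "").lower()]
    if weak:
        findings.append(("WEAK_IKE_PROPOSAL", "ike= uses %s; prefer sha256 and a "
                         "modp2048/ecp group the client supports" % ", ".join(weak)))
    if conn.get("leftsendcert", "ifasked") != "always":
        findings.append(("SERVER_CERT_NOT_FORCED", "leftsendcert is not 'always': "
                         "verify the client actually receives the gateway cert"))
    return findings


def review_file(text):
    """Parse an ipsec.conf text and return {conn_name: [(code, message), ...]}."""
    return {name: review_conn(conn)
            for name, conn in effective_conns(parse_ipsec_conf(text)).items()}


if __name__ == "__main__":
    for name, findings in review_file(SAMPLE_IPSEC_CONF).items():
        print("conn %s" % name)
        for code, message in findings:
            print("  [%s] %s" % (code, message))
```

Run it against a real file with <code>review_file(open("/etc/ipsec.conf").read())</code>; on the constructed sample the certs-only conn reports only the rekey and weak-proposal findings, while the EAP conn additionally reports the UDP/4500 note because of the added <code>mobike=yes</code>.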