<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>This works with a user certificate here -- make SURE Windows put
the certificate in the correct store. The StrongSwan Wiki has
instructions; if it goes in the wrong certificate store Windows
will not find it and you'll get exactly what you're seeing.</p>
<p><a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs">https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs</a></p>
<p>The other thing is that for Win10 you have to go into the NETWORK
panel (NOT the Windows 10 network panel, the old control panel
one) and drill down into the connection and set the default
gateway on the remote network or you will get split routing and
only the subnet that you get back from the server will go over the
VPN.</p>
<p>This is the stanza that I have in my ipsec.conf for Windows
clients:</p>
<pre>conn WinUserCert
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=ipgw-rsa.denninger.net.crt
    leftauth=pubkey
    right=%any
    rightsourceip=192.168.2.0/24
    rightauth=eap-tls
    eap_identity=%identity
    auto=add
    dpdaction=clear
    dpddelay=300s
    ike=aes256-sha2_256-prfsha256-modp1024
</pre>
<p>This gives the client machine an address out of 192.168.2.x/24;
note that "rightauth" has to be set to eap-tls for Windows
clients.</p>
<p>There was a long-standing problem with IKE fragmentation in the
internal Windows client that used to bedevil me beyond words and
would often prevent connections from coming up at all, but it
has been fixed now for about a year provided you have a
reasonably recent Win10 version.</p>
<p> I put this stanza first in the configuration since EAP-TLS isn't
something anything else that connects to my gateway (Macs, Unix
Machines, IOS and Android phones) will ask for and this way I'm
sure Windows will get it first (Windows is a bit.... odd.....)<br>
</p>
<div class="moz-cite-prefix">On 11/3/2020 11:59, Mike Hill wrote:<br>
</div>
<blockquote type="cite"
cite="mid:BE46486F-5B07-40D1-A1C5-5B84826FBBD4@contoso.com">
<div class="WordSection1">
<p>Hi all,</p>
<p>I’m trying to get Windows 10 clients connecting to our StrongSwan
server with machine certificates (only), but I’m hitting a
roadblock with the following error:</p>
<p>“Verifying username and password...IKE failed to find valid machine
certificate. Contact your Network Security Administrator
about installing a valid certificate in the appropriate
Certificate Store.”</p>
<p>Error in Windows Event Viewer is 13806, which appears to be pretty
common, but despite looking at various sources, I cannot
make it work.</p>
<p>We’re using a PKI-as-a-service (SecureW2) for our certs and have placed
intermediate and root CA certs into /etc/ipsec.d/cacerts,
along with StrongSwan server’s cert in /etc/ipsec.d/certs
and its private key in /etc/ipsec.d/private/. Server device
cert has Server and Client authentication set for EKU and
hostname.domain.com for CN and SAN.</p>
<p>The Windows test device has its own cert in the machine store, along
with CA intermediate and root certs in the appropriate cert
stores. VPN connection is configured with PowerShell, and
MachineCertificate set as authentication method and VPN
address is hostname.domain.com which matches CN on
StrongSwan device cert. Machine cert is hostname.domain.com
for CN and SAN and has Client Authentication set for EKU.</p>
<p>Events from /var/log/syslog:</p>
<pre>Nov 3 16:40:18 swan charon: 07[NET] received packet: from XXX.XXX.XXX.XXX[500] to XXX.XXX.XXX.XXX [500] (344 bytes)
Nov 3 16:40:18 swan charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Nov 3 16:40:18 swan charon: 07[CFG] looking for an ike config for XXX.XXX.XXX.XXX... XXX.XXX.XXX.XXX
Nov 3 16:40:18 swan charon: 07[CFG] candidate: %any...%any, prio 28
Nov 3 16:40:18 swan charon: 07[CFG] found matching ike config: %any...%any with prio 28
Nov 3 16:40:18 swan charon: 07[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Nov 3 16:40:18 swan charon: 07[IKE] received MS-Negotiation Discovery Capable vendor ID
Nov 3 16:40:18 swan charon: 07[IKE] received Vid-Initial-Contact vendor ID
Nov 3 16:40:18 swan charon: 07[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Nov 3 16:40:18 swan charon: 07[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA
Nov 3 16:40:18 swan charon: 07[IKE] IKE_SA (unnamed)[7] state change: CREATED =&gt; CONNECTING
Nov 3 16:40:18 swan charon: 07[CFG] selecting proposal:
Nov 3 16:40:18 swan charon: 07[CFG] proposal matches
Nov 3 16:40:18 swan charon: 07[CFG] received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
Nov 3 16:40:18 swan charon: 07[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
Nov 3 16:40:18 swan charon: 07[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
Nov 3 16:40:18 swan charon: 07[IKE] local host is behind NAT, sending keep alives
Nov 3 16:40:18 swan charon: 07[IKE] remote host is behind NAT
Nov 3 16:40:18 swan charon: 07[IKE] sending cert request for "O=Org, CN=Org Device Root CA"
Nov 3 16:40:18 swan charon: 07[IKE] sending cert request for "O=Org, CN=Org Device Intermediate CA"
Nov 3 16:40:18 swan charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Nov 3 16:40:18 swan charon: 07[NET] sending packet: from XXX.XXX.XXX.XXX [500] to XXX.XXX.XXX.XXX [500] (293 bytes)
Nov 3 16:40:18 swan charon: 09[NET] received packet: from XXX.XXX.XXX.XXX [500] to XXX.XXX.XXX.XXX [500] (344 bytes)
Nov 3 16:40:18 swan charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
</pre>
<p>We have this setup working with macOS devices, so we know that the server
is able to accept and establish connections.</p>
<p>Many thanks in advance,</p>
<p>Mike</p>
</div>
<div class="moz-signature">3rd Floor, Vivo Building, 30 Stamford Street, London SE1 9LQ<br>
P: 020 3422 0000 • M: <a href="tel:07763%20230443">07763 230443</a> • E: <a href="mailto:mike.hill@techahoy.com">mike.hill@techahoy.com</a><br>
<a href="https://www.techahoy.com/" title="www.techahoy.com">www.techahoy.com</a></div>
</blockquote>
<div class="moz-signature">-- <br>
Karl Denninger<br>
<a href="mailto:karl@denninger.net">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email preferred]</i></font></div>
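<p>An added triage script for the charon log excerpt quoted above; it is not part of either message in this thread and is not strongSwan's own tooling. It parses syslog lines in the format shown, counts which IKEv2 exchanges the peer actually sent, records the CA names the responder put in its CERTREQ, and flags a peer that answers an IKE_SA_INIT response carrying CERTREQ only with another IKE_SA_INIT and never with IKE_AUTH. That is what the quoted log shows from the server side when the client stops at certificate selection (the "failed to find valid machine certificate" symptom), and it separates that case from a proposal mismatch or a transport problem. The first sample is abridged from the quoted log with its XXX address placeholders; the second, healthy sample and its IKE_AUTH payload list are constructed for contrast. The function and verdict names are this example's own.</p>

```python
"""Triage a strongSwan charon syslog excerpt for an IKEv2 peer that stalls before IKE_AUTH.

Added example for this thread, not strongSwan code. It answers the one question a
responder-side log can answer here: did the peer ever send IKE_AUTH after our IKE_SA_INIT
response (which carries CERTREQ for the CAs we trust)? A client that cannot find a usable
certificate issued under one of those CAs never gets that far, so we only see IKE_SA_INIT.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Syslog line as charon writes it: "<ts> <host> charon: <thread>[<group>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ charon: "
    r"(?P<thread>\d+)\[(?P<grp>[A-Z]+)\] (?P<msg>.*)$"
)
REQ_RE = re.compile(r"parsed (?P<exch>IKE_SA_INIT|IKE_AUTH|CREATE_CHILD_SA|INFORMATIONAL) request \d+")
RESP_RE = re.compile(r"generating (?P<exch>IKE_SA_INIT|IKE_AUTH) response \d+ \[ (?P<payloads>[^\]]*) \]")
CERTREQ_RE = re.compile(r'sending cert request for "(?P<dn>[^"]+)"')
PROPOSAL_RE = re.compile(r"selected proposal: (?P<prop>\S+)")


@dataclass
class Triage:
    requests: Counter = field(default_factory=Counter)    # exchange type -> requests parsed from the peer
    certreq_dns: List[str] = field(default_factory=list)  # CA subjects named in our CERTREQ payloads
    init_response_payloads: List[str] = field(default_factory=list)
    selected_proposal: Optional[str] = None
    unparsed: int = 0                                     # lines that were not charon log lines


def triage(lines: Iterable[str]) -> Triage:
    """Walk the log once and record the facts the verdict needs."""
    t = Triage()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m is None:
            t.unparsed += 1
            continue
        msg = m["msg"]
        req = REQ_RE.search(msg)
        if req:
            t.requests[req["exch"]] += 1
            continue
        resp = RESP_RE.search(msg)
        if resp and resp["exch"] == "IKE_SA_INIT":
            t.init_response_payloads = resp["payloads"].split()
            continue
        certreq = CERTREQ_RE.search(msg)
        if certreq and certreq["dn"] not in t.certreq_dns:
            t.certreq_dns.append(certreq["dn"])
            continue
        prop = PROPOSAL_RE.search(msg)
        if prop:
            t.selected_proposal = prop["prop"]
    return t


def verdict(t: Triage) -> str:
    """Classify how far the peer got; 'stalled-after-certreq' is the pattern in the quoted log."""
    inits, auths = t.requests["IKE_SA_INIT"], t.requests["IKE_AUTH"]
    if inits == 0:
        return "no-ike-sa-init"          # nothing reached us: firewall/NAT/port problem, not certificates
    if auths > 0:
        return "reached-ike-auth"        # client-side cert selection worked; inspect the IKE_AUTH outcome
    if "CERTREQ" in t.init_response_payloads:
        return "stalled-after-certreq"   # peer saw which CAs we accept and never answered with IKE_AUTH
    return "stalled-before-ike-auth"


def report(lines: Iterable[str]) -> str:
    """Human-readable summary of the triage for an operator."""
    t = triage(lines)
    out = [f"verdict: {verdict(t)}",
           f"IKE_SA_INIT requests: {t.requests['IKE_SA_INIT']}, IKE_AUTH requests: {t.requests['IKE_AUTH']}",
           f"selected IKE proposal: {t.selected_proposal}"]
    out += [f"CERTREQ sent for CA: {dn}" for dn in t.certreq_dns]
    if verdict(t) == "stalled-after-certreq":
        out.append("hint: the client did not authenticate after seeing which CAs we accept; check that its"
                   " certificate chains to one of them and sits in the store the IKE client reads")
    return "\n".join(out)


# Abridged from the log quoted in the thread (same XXX address placeholders).
SAMPLE_LOG = [
    "Nov 3 16:40:18 swan charon: 07[NET] received packet: from XXX.XXX.XXX.XXX[500] to XXX.XXX.XXX.XXX [500] (344 bytes)",
    "Nov 3 16:40:18 swan charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]",
    "Nov 3 16:40:18 swan charon: 07[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID",
    "Nov 3 16:40:18 swan charon: 07[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256",
    "Nov 3 16:40:18 swan charon: 07[IKE] remote host is behind NAT",
    'Nov 3 16:40:18 swan charon: 07[IKE] sending cert request for "O=Org, CN=Org Device Root CA"',
    'Nov 3 16:40:18 swan charon: 07[IKE] sending cert request for "O=Org, CN=Org Device Intermediate CA"',
    "Nov 3 16:40:18 swan charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]",
    "Nov 3 16:40:18 swan charon: 07[NET] sending packet: from XXX.XXX.XXX.XXX [500] to XXX.XXX.XXX.XXX [500] (293 bytes)",
    "Nov 3 16:40:18 swan charon: 09[NET] received packet: from XXX.XXX.XXX.XXX [500] to XXX.XXX.XXX.XXX [500] (344 bytes)",
    "Nov 3 16:40:18 swan charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]",
]

# Constructed contrast: a peer that answers our CERTREQ with IKE_AUTH (payload list is illustrative).
HEALTHY_LOG = SAMPLE_LOG[:9] + [
    "Nov 3 16:40:19 swan charon: 09[NET] received packet: from XXX.XXX.XXX.XXX [4500] to XXX.XXX.XXX.XXX [4500] (1344 bytes)",
    "Nov 3 16:40:19 swan charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH CPRQ(ADDR DNS) SA TSi TSr ]",
]

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

<p>Run it against a real excerpt with <code>report(open("/var/log/syslog").readlines())</code> after filtering to one peer's lines; the verdict only distinguishes where the exchange stopped, so "stalled-after-certreq" says the server's proposal and transport were fine and the next thing to check is the client's certificate and the store it lives in, not ipsec.conf.</p>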
</body>
</html>