[strongSwan] Windows 7 IKEv2 problems

Kevin Clark kevin.clark at csoft.co.uk
Wed Apr 28 20:40:53 CEST 2010


Hoping someone can help me understand and fix a couple of issues I see when connecting from a Windows 7 Agile client using IKEv2.

I am able to connect and authenticate so the configuration does work, but problem number one is that charon does not release IP addresses back into the pool. Here's the syslog after I press the disconnect button in Windows:

Apr 28 18:56:38 vpn-test charon: 09[NET] received packet: from 10.0.7.1[37908] to 10.0.0.1[4500] 
Apr 28 18:56:38 vpn-test charon: 09[ENC] parsed INFORMATIONAL request 7 [ D ] 
Apr 28 18:56:38 vpn-test charon: 09[IKE] received DELETE for IKE_SA rw-win7[1] 
Apr 28 18:56:38 vpn-test charon: 09[IKE] deleting IKE_SA rw-win7[1] between 10.0.0.1[C=GB, ST=England, O=Example Limited, CN=10.0.0.1]...10.0.7.1[192.168.25.10] 
Apr 28 18:56:38 vpn-test charon: 09[IKE] IKE_SA deleted 
Apr 28 18:56:38 vpn-test charon: 09[ENC] generating INFORMATIONAL response 7 [ ] 
Apr 28 18:56:38 vpn-test charon: 09[NET] sending packet: from 10.0.0.1[4500] to 10.0.7.1[37908] 
Apr 28 18:56:38 vpn-test charon: 09[LIB] releasing address to pool 'rw-win7' failed

The second and more troubling problem is to do with the routes that Windows creates to support the subnet behind the VPN gateway. I only want packets destined for the remote subnet to go across the VPN. If I enable "Use default gateway on remote network" everything gets routed through the VPN, which I don't want. I have disabled this option and left "class based route addition" enabled, but then all I get are routes supporting the virtual IP address, not the subnet behind the VPN gateway. You may well say that this is a Windows issue, but I hope that there's some parameter missing from my config that will fix this.

IPv4 Route Table [ class based route addition ]
====================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.25.1    192.168.25.10     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.7.0    255.255.255.0         On-link       192.168.7.2     11
      192.168.7.2  255.255.255.255         On-link       192.168.7.2    266   <---- the assigned virtual
    192.168.7.255  255.255.255.255         On-link       192.168.7.2    266


IPv4 Route Table [ default route enabled ]
====================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.25.1    192.168.25.10   4235
          0.0.0.0          0.0.0.0         On-link       192.168.7.3     11   <---- everything shoved down the VPN :-(
        127.0.0.0        255.0.0.0         On-link         127.0.0.1   4531
        127.0.0.1  255.255.255.255         On-link         127.0.0.1   4531
  127.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
      192.168.7.3  255.255.255.255         On-link       192.168.7.3    266

--- ipsec.conf ---
config setup
    plutostart=no
    charonstart=yes

conn %default
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=10.0.0.1
    leftsubnet=192.168.0.0/24
    leftid=@10.0.0.1
    leftcert=10.0.0.1.crt
    leftfirewall=yes

conn rw-win7
    mobike=yes
    keyexchange=ikev2
    right=%any
    rightsourceip=192.168.7.0/24
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add

--- /etc/strongswan.conf ---
# strongswan.conf - strongSwan configuration file

charon {
    dns1 = 192.168.0.1
    dns2 = 192.168.0.2
    nbns1 = 192.168.0.3
    
    # Two defined file loggers. Each subsection is either a file
    # in the filesystem or one of: stdout, stderr.
    filelog {
        /var/log/charon.log {
            # loggers to files also accept the append option to open files in
            # append mode at startup (default is yes)
            append = no
            # the default loglevel for all daemon subsystems (defaults to 1).
            default = 1
        }
        stderr {
            # more detailed loglevel for a specific subsystem, overriding the
            # default loglevel.
            ike = 2
            knl = 3
        }
    }
    
    # And two loggers using syslog. The subsections define the facility to log
    # to, currently one of: daemon, auth.
    syslog {
        # default level to the LOG_DAEMON facility
        daemon {
        }
        # very minimalistic IKE auditing logs to LOG_AUTHPRIV
        auth {
            default = -1
            ike = 0
        }
    }
}

--- syslog ---
Apr 28 18:32:13 vpn-test charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6) 
Apr 28 18:32:13 vpn-test charon: 00[KNL] listening on interfaces: 
Apr 28 18:32:13 vpn-test charon: 00[KNL]   eth0 
Apr 28 18:32:13 vpn-test charon: 00[KNL]     10.0.0.1 
Apr 28 18:32:13 vpn-test charon: 00[KNL]     -----------------------
Apr 28 18:32:13 vpn-test charon: 00[KNL]   eth1 
Apr 28 18:32:13 vpn-test charon: 00[KNL]     192.168.0.1 
Apr 28 18:32:13 vpn-test charon: 00[KNL]     ----------------------- 
Apr 28 18:32:13 vpn-test charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' 
Apr 28 18:32:13 vpn-test charon: 00[CFG]   loaded ca certificate "O=Example Limited, OU=CA Administration, E=support at example.com, L=London, ST=England, C=GB, CN=Example Root CA" from '/etc/ipsec.d/cacerts/example_ca.crt' 
Apr 28 18:32:13 vpn-test charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' 
Apr 28 18:32:13 vpn-test charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' 
Apr 28 18:32:13 vpn-test charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' 
Apr 28 18:32:13 vpn-test charon: 00[CFG] loading crls from '/etc/ipsec.d/crls' 
Apr 28 18:32:13 vpn-test charon: 00[CFG] loading secrets from '/etc/ipsec.secrets' 
Apr 28 18:32:13 vpn-test charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/10.0.0.1.key' 
Apr 28 18:32:13 vpn-test charon: 00[CFG]   loaded EAP secret for win7 
Apr 28 18:32:13 vpn-test charon: 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown attr eap-identity eap-mschapv2 resolve  
Apr 28 18:32:13 vpn-test charon: 00[JOB] spawning 16 worker threads 
Apr 28 18:32:13 vpn-test charon: 04[CFG] received stroke: add connection 'rw-win7' 
Apr 28 18:32:13 vpn-test charon: 04[CFG]   loaded certificate "C=GB, ST=England, O=Example Limited, CN=10.0.0.1" from '10.0.0.1.crt' 
Apr 28 18:32:13 vpn-test charon: 04[CFG]   id '10.0.0.1' not confirmed by certificate, defaulting to 'C=GB, ST=England, O=Example Limited, CN=10.0.0.1' 
Apr 28 18:32:13 vpn-test charon: 04[CFG] added configuration 'rw-win7' 
Apr 28 18:32:13 vpn-test charon: 04[CFG] adding virtual IP address pool 'rw-win7': 192.168.7.0/24 
Apr 28 18:32:22 vpn-test charon: 09[NET] received packet: from 10.0.7.1[33908] to 10.0.0.1[500] 
Apr 28 18:32:22 vpn-test charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 
Apr 28 18:32:22 vpn-test charon: 09[IKE] 10.0.7.1 is initiating an IKE_SA 
Apr 28 18:32:22 vpn-test charon: 09[IKE] remote host is behind NAT 
Apr 28 18:32:22 vpn-test charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ] 
Apr 28 18:32:22 vpn-test charon: 09[NET] sending packet: from 10.0.0.1[500] to 10.0.7.1[33908] 
Apr 28 18:32:22 vpn-test charon: 11[NET] received packet: from 10.0.7.1[37908] to 10.0.0.1[4500] 
Apr 28 18:32:22 vpn-test charon: 11[ENC] unknown attribute type INTERNAL_IP4_SERVER 
Apr 28 18:32:22 vpn-test charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ] 
Apr 28 18:32:22 vpn-test charon: 11[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4 
Apr 28 18:32:22 vpn-test charon: 11[IKE] received cert request for unknown ca with keyid dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15 
Apr 28 18:32:23 vpn-test charon: 11[IKE] received cert request for unknown ca with keyid 4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d 
Apr 28 18:32:23 vpn-test charon: 11[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb 
Apr 28 18:32:23 vpn-test charon: 11[IKE] received cert request for unknown ca with keyid 34:4f:30:2d:25:69:31:91:ea:f7:73:5c:ab:f5:86:8d:37:82:40:ec 
Apr 28 18:32:23 vpn-test charon: 11[IKE] received cert request for unknown ca with keyid 3e:df:29:0c:c1:f5:cc:73:2c:eb:3d:24:e1:7e:52:da:bd:27:e2:f0 
Apr 28 18:32:23 vpn-test charon: 11[IKE] received cert request for ""O=Example Limited, OU=CA Administration, E=support at example.com, L=London, ST=England, C=GB, CN=Example Root CA" 
Apr 28 18:32:23 vpn-test charon: 11[IKE] received cert request for unknown ca with keyid 59:79:12:de:61:75:d6:6f:c4:23:b7:77:13:74:c7:96:de:6f:88:72 
Apr 28 18:32:23 vpn-test charon: 11[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77 
Apr 28 18:32:23 vpn-test charon: 11[IKE] received cert request for unknown ca with keyid 5f:f3:24:6c:8f:91:24:af:9b:5f:3e:b0:34:6a:f4:2d:5c:a8:5d:cc 
Apr 28 18:32:23 vpn-test charon: 11[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77 
Apr 28 18:32:23 vpn-test charon: 11[CFG] looking for peer configs matching 10.0.0.1[%any]...10.0.7.1[192.168.7.1] 
Apr 28 18:32:23 vpn-test charon: 11[CFG] selected peer config 'rw-win7' 
Apr 28 18:32:23 vpn-test charon: 11[IKE] initiating EAP-Identity request 
Apr 28 18:32:23 vpn-test charon: 11[IKE] peer supports MOBIKE 
Apr 28 18:32:23 vpn-test charon: 11[IKE] authentication of 'C=GB, ST=England, O=Example Limited, CN=10.0.0.1' (myself) with RSA signature successful 
Apr 28 18:32:23 vpn-test charon: 11[IKE] sending end entity cert "C=GB, ST=England, O=Example Limited, CN=10.0.0.1" 
Apr 28 18:32:23 vpn-test charon: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ] 
Apr 28 18:32:23 vpn-test charon: 11[NET] sending packet: from 10.0.0.1[4500] to 10.0.7.1[37908] 
Apr 28 18:32:23 vpn-test charon: 12[NET] received packet: from 10.0.7.1[37908] to 10.0.0.1[4500] 
Apr 28 18:32:23 vpn-test charon: 12[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ] 
Apr 28 18:32:23 vpn-test charon: 12[IKE] received EAP identity 'win7' 
Apr 28 18:32:23 vpn-test charon: 12[IKE] initiating EAP_MSCHAPV2 method 
Apr 28 18:32:23 vpn-test charon: 12[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ] 
Apr 28 18:32:23 vpn-test charon: 12[NET] sending packet: from 10.0.0.1[4500] to 10.0.7.1[37908] 
Apr 28 18:32:23 vpn-test charon: 13[NET] received packet: from 10.0.7.1[37908] to 10.0.0.1[4500] 
Apr 28 18:32:23 vpn-test charon: 13[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ] 
Apr 28 18:32:23 vpn-test charon: 13[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ] 
Apr 28 18:32:23 vpn-test charon: 13[NET] sending packet: from 10.0.0.1[4500] to 10.0.7.1[37908] 
Apr 28 18:32:23 vpn-test charon: 07[NET] received packet: from 10.0.7.1[37908] to 10.0.0.1[4500] 
Apr 28 18:32:23 vpn-test charon: 07[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ] 
Apr 28 18:32:23 vpn-test charon: 07[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established 
Apr 28 18:32:23 vpn-test charon: 07[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ] 
Apr 28 18:32:23 vpn-test charon: 07[NET] sending packet: from 10.0.0.1[4500] to 10.0.7.1[37908] 
Apr 28 18:32:23 vpn-test charon: 14[NET] received packet: from 10.0.7.1[37908] to 10.0.0.1[4500] 
Apr 28 18:32:23 vpn-test charon: 14[ENC] parsed IKE_AUTH request 5 [ AUTH ] 
Apr 28 18:32:23 vpn-test charon: 14[IKE] authentication of '192.168.25.10' with EAP successful 
Apr 28 18:32:23 vpn-test charon: 14[IKE] authentication of 'C=GB, ST=England, O=Example Limited, CN=10.0.0.1' (myself) with EAP 
Apr 28 18:32:23 vpn-test charon: 14[IKE] IKE_SA rw-win7[1] established between 10.0.0.1[C=GB, ST=England, O=Example Limited, CN=10.0.0.1]...10.0.7.1[192.168.25.10] 
Apr 28 18:32:23 vpn-test charon: 14[IKE] peer requested virtual IP %any 
Apr 28 18:32:23 vpn-test charon: 14[CFG] assigning new lease to 'win7' 
Apr 28 18:32:23 vpn-test charon: 14[IKE] assigning virtual IP 192.168.7.1 to peer 
Apr 28 18:32:23 vpn-test charon: 14[IKE] CHILD_SA rw-win7{1} established with SPIs cc910d0a_i f7d646ba_o and TS 192.168.0.0/24 === 192.168.7.1/32  
Apr 28 18:32:23 vpn-test vpn: + 192.168.25.10 192.168.7.1/32 == 10.0.7.1 -- 10.0.0.1 == 192.168.0.0/24
Apr 28 18:32:23 vpn-test charon: 14[ENC] generating IKE_AUTH response 5 [ AUTH CP SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ] 
Apr 28 18:32:23 vpn-test charon: 14[NET] sending packet: from 10.0.0.1[4500] to 10.0.7.1[37908] 

Thanks.

Kevin
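Added example (not part of the post): a small log check for the first problem. It reads the charon lines that define a pool, hand out a lease and report a failed release, and counts per pool how many addresses have been handed out and how many releases failed, so a gateway that leaks leases on every disconnect is noticed before the pool runs dry. The sample log is constructed from the lines quoted above plus one extra, constructed connect/disconnect cycle; the pool capacity is approximated as the host addresses of the CIDR, which is an assumption, not strongSwan's own accounting.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the pool, lease and release lines quoted in the post,
# plus one further (constructed) connect/disconnect cycle so the counters move.
SAMPLE_LOG = """\
Apr 28 18:32:13 vpn-test charon: 04[CFG] adding virtual IP address pool 'rw-win7': 192.168.7.0/24
Apr 28 18:32:23 vpn-test charon: 14[IKE] assigning virtual IP 192.168.7.1 to peer
Apr 28 18:56:38 vpn-test charon: 09[LIB] releasing address to pool 'rw-win7' failed
Apr 28 19:01:02 vpn-test charon: 10[IKE] assigning virtual IP 192.168.7.2 to peer
Apr 28 19:20:11 vpn-test charon: 10[LIB] releasing address to pool 'rw-win7' failed
"""

# Patterns taken from the message formats visible in the post's syslog.
POOL_RE = re.compile(r"adding virtual IP address pool '([^']+)': (\S+)")
LEASE_RE = re.compile(r"assigning virtual IP (\d+\.\d+\.\d+\.\d+) to peer")
RELEASE_FAIL_RE = re.compile(r"releasing address to pool '([^']+)' failed")


def analyse_pools(log_text):
    """Per pool: capacity, distinct addresses ever leased, failed releases."""
    pools = {}                     # pool name -> ip_network
    leased = defaultdict(set)      # pool name -> addresses handed out
    failures = defaultdict(int)    # pool name -> failed release count
    for line in log_text.splitlines():
        if m := POOL_RE.search(line):
            pools[m.group(1)] = ipaddress.ip_network(m.group(2))
        elif m := LEASE_RE.search(line):
            ip = ipaddress.ip_address(m.group(1))
            # The lease line does not name the pool; match it by address range.
            for name, net in pools.items():
                if ip in net:
                    leased[name].add(ip)
        elif m := RELEASE_FAIL_RE.search(line):
            failures[m.group(1)] += 1
    report = {}
    for name, net in pools.items():
        # Assumed approximation: usable leases = host addresses of the CIDR.
        capacity = max(net.num_addresses - 2, 1)
        report[name] = {
            "capacity": capacity,
            "leased": len(leased[name]),
            "release_failures": failures[name],
        }
    return report


def alerts(report, warn_ratio=0.8):
    """Human-readable findings: leaked leases, and pools close to exhaustion."""
    out = []
    for name, r in report.items():
        if r["release_failures"]:
            out.append(f"{name}: {r['release_failures']} lease(s) never returned to the pool")
        if r["leased"] >= warn_ratio * r["capacity"]:
            out.append(f"{name}: {r['leased']}/{r['capacity']} addresses handed out, exhaustion likely")
    return out


if __name__ == "__main__":
    for finding in alerts(analyse_pools(SAMPLE_LOG)):
        print(finding)
```

Feeding the real /var/log/charon.log or syslog through analyse_pools() gives the same report; a non-zero release_failures count with a growing leased count is the signature of the behaviour described in the post.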


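Added example (not part of the post): a check for the second problem that answers, from a `route print` dump, the question the post is really asking: does traffic for leftsubnet leave through the VPN interface, and does everything else stay off it? It applies the lookup rule Windows uses (longest prefix, then lowest metric) to the two route tables quoted above and to a third, constructed table showing a route for 192.168.0.0/24 over the virtual interface. The pool and subnet values come from the ipsec.conf in the post; the public probe address 203.0.113.10 is constructed.

```python
import ipaddress

# Constructed input: the "Active Routes" rows of the two Windows 7 tables quoted
# in the post. Columns as `route print` prints them:
# destination, netmask, gateway, interface, metric.
CLASS_BASED = """
          0.0.0.0          0.0.0.0     192.168.25.1    192.168.25.10     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.7.0    255.255.255.0         On-link       192.168.7.2     11
      192.168.7.2  255.255.255.255         On-link       192.168.7.2    266
    192.168.7.255  255.255.255.255         On-link       192.168.7.2    266
"""

DEFAULT_GATEWAY = """
          0.0.0.0          0.0.0.0     192.168.25.1    192.168.25.10   4235
          0.0.0.0          0.0.0.0         On-link       192.168.7.3     11
        127.0.0.0        255.0.0.0         On-link         127.0.0.1   4531
      192.168.7.3  255.255.255.255         On-link       192.168.7.3    266
"""

# Constructed: the table the post is asking for, a route for leftsubnet only.
SPLIT_TUNNEL = """
          0.0.0.0          0.0.0.0     192.168.25.1    192.168.25.10     10
      192.168.0.0    255.255.255.0         On-link       192.168.7.2     11
      192.168.7.2  255.255.255.255         On-link       192.168.7.2    266
"""

VPN_POOL = ipaddress.ip_network("192.168.7.0/24")       # rightsourceip in ipsec.conf
REMOTE_SUBNET = ipaddress.ip_network("192.168.0.0/24")  # leftsubnet in ipsec.conf
INTERNET_PROBE = ipaddress.ip_address("203.0.113.10")   # constructed public address


def parse_routes(table):
    """Turn `route print` rows into (network, interface address, metric) tuples."""
    routes = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        dest, mask, _gateway, iface, metric = fields
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, ipaddress.ip_address(iface), int(metric)))
        except ValueError:
            continue  # header or footer text rather than a route row
    return routes


def select_route(routes, dst):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))


def audit(table):
    """Does the remote subnet leave via the VPN, and does a public host?"""
    routes = parse_routes(table)

    def via_vpn(dst):
        r = select_route(routes, dst)
        return r is not None and r[1] in VPN_POOL

    remote = via_vpn(next(REMOTE_SUBNET.hosts()))
    internet = via_vpn(INTERNET_PROBE)
    if remote and not internet:
        verdict = "split tunnel: remote subnet via VPN, other traffic direct"
    elif remote and internet:
        verdict = "full tunnel: all traffic via VPN"
    else:
        verdict = "remote subnet NOT reachable via VPN"
    return {"remote_via_vpn": remote, "internet_via_vpn": internet, "verdict": verdict}


if __name__ == "__main__":
    for name, table in [("class based", CLASS_BASED),
                        ("default gateway", DEFAULT_GATEWAY),
                        ("split tunnel", SPLIT_TUNNEL)]:
        print(f"{name:16s} {audit(table)['verdict']}")
```

Run against the post's tables the check reports exactly the two symptoms described: with class based route addition the remote subnet is not reachable via the VPN at all (its packets follow the physical default route), and with the default gateway option every destination goes down the tunnel. Only the constructed third table yields the split-tunnel verdict.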
