[strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2 (Username and password)
Kerschbaum, Sven
sven.kerschbaum at siemens.com
Fri May 7 13:00:51 CEST 2010
Hi Tobias, Hi Martin,
thanks for your replies!
I fixed the issue of the missing md4 plugin. Now md4 is being successfully loaded as a plugin during startup of strongSwan:
01[DMN] loaded plugins: aes des sha1 sha2 md4 md5 fips-prf random x509 pubkey xcbc hmac gmp stroke eap-identity eap-mschapv2
That's true, Tobias, the IKE AUTH gets sent by strongSwan. But I still can't figure out why strongSwan does not include the CERT in the IKE AUTH response (in fact Win 7 sends a CERTREQ to strongSwan):
01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.2)
01[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
01[LIB] loaded certificate file '/usr/local/etc/ipsec.d/cacerts/cacert.pem'
01[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
01[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
01[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
01[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
01[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
01[CFG] loaded private key file '/usr/local/etc/ipsec.d/private/clientkey.pem'
01[CFG] loaded EAP secret for test
...
07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]
07[IKE] received cert request for "O=Siemens, OU=ATS, L=Nuremberg, ST=Bavaria, C=DE, CN=ikeca"
07[CFG] looking for peer configs matching 192.168.10.90[%any]...192.168.10.12[192.168.10.12]
07[CFG] selected peer config 'host-host'
07[IKE] initiating EAP-Identity request
07[IKE] authentication of 'C=DE, ST=Bavaria, O=Siemens, OU=andere, CN=ikeclient' (myself) with RSA signature successful
07[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP ]
07[NET] sending packet: from 192.168.10.90[4500] to 192.168.10.12[4500]
Any ideas what's going wrong? Why does strongSwan not reply with IKE AUTH [Idr AUTH CERT EAP REQ/ID] as I would expect? Could it be due to a misconfiguration of strongSwan? My ipsec.conf looks as follows:
config setup
    plutostart=no

conn host-host
    esp = 3des-sha1
    ike = 3des-sha1-modp1024
    left=%defaultroute
    leftsubnet=192.168.2.0/24
    leftcert=clientcert.pem
    leftsendcert=never
    right=192.168.10.12
    rightsubnet=192.168.3.0/24
    rightauth=eap-mschapv2
    eap_identity=%any
    keyexchange=ikev2
    auto=add
Thanks for your help!
Kind Regards,
Sven
With kind regards / Best regards
Sven Kerschbaum
Siemens AG
Industry Sector Industry Automation Division
mailto:sven.kerschbaum at siemens.com
http://www.siemens.com/automation
-----Original Message-----
From: Tobias Brunner [mailto:tobias at strongswan.org]
Sent: Friday, 7 May 2010 11:34
To: Martin Willi
Cc: Kerschbaum, Sven; users at lists.strongswan.org
Subject: Re: [strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2 (Username and password)
Hi Martin, Hi Sven,
the response is just a little bit below:
> 08[IKE] authentication of 'C=DE, ST=Bavaria, O=Siemens, OU=andere,
> CN=ikeclient' (myself) with RSA signature successful
> 08[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP ]
> 08[NET] sending packet: from 192.168.10.90[4500] to 192.168.10.12[4500]
Which indicates that the gateway certificate is not sent, which might cause this
error in Win7.
One other thing, not related to this particular error, but will cause the
authentication to fail later:
> 01[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509
> pubkey xcbc hmac gmp stroke eap-identity eap-mschapv2
The MD4 plugin is not built/loaded (which is required, if you don't use the
OpenSSL plugin), therefore the NT-Hashes cannot be generated.
Regards,
Tobias
--
======================================================================
Tobias Brunner tobias at strongswan.org
strongSwan - The Linux VPN Solution! http://www.strongswan.org
======================================================================
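As an added diagnostic, not code from this thread or from the strongSwan project: a small Python script that reads charon log lines and an ipsec.conf (both constructed here to mirror Sven's output and Tobias's remark about the md4 plugin) and reports why the IKE_AUTH response carries no CERT payload and why EAP-MSCHAPv2 would fail later. It assumes strongSwan's documented default of leftsendcert=ifasked, and that NT-hash generation needs either the md4 or the openssl plugin, as Tobias states.

```python
import re

# Constructed sample input, modelled on the charon log and ipsec.conf in the thread above.
CHARON_LOG = """\
01[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp stroke eap-identity eap-mschapv2
07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]
07[CFG] selected peer config 'host-host'
07[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP ]
"""
IPSEC_CONF = """\
conn host-host
    leftcert=clientcert.pem
    leftsendcert=never
    rightauth=eap-mschapv2
    keyexchange=ikev2
"""

def parse_payloads(log):
    # Map (exchange, direction) -> payload list taken from "parsed/generating ... [ ... ]" lines.
    pat = r"(?:parsed|generating) (IKE_\w+) (request|response) \d+ \[ (.*?) \]"
    return {(ex, d): p.split() for ex, d, p in re.findall(pat, log)}

def parse_ipsec_conf(text):
    # Minimal ipsec.conf reader: unindented lines open a section, indented "key=value" lines fill it.
    sections, current = {}, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = sections.setdefault(line.split(None, 1)[1].strip(), {})
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def diagnose(log=CHARON_LOG, conf=IPSEC_CONF):
    # Correlate the selected conn's settings with what charon actually put on the wire.
    findings, msgs = [], parse_payloads(log)
    sel = re.search(r"selected peer config '([^']+)'", log)
    conn = parse_ipsec_conf(conf).get(sel.group(1), {}) if sel else {}
    req = msgs.get(("IKE_AUTH", "request"), [])
    resp = msgs.get(("IKE_AUTH", "response"), [])
    if "CERTREQ" in req and "CERT" not in resp:
        findings.append("peer sent CERTREQ but the IKE_AUTH response carries no CERT payload")
        if conn.get("leftsendcert", "ifasked") == "never":  # assumed default: ifasked
            findings.append("leftsendcert=never suppresses the CERT payload; use leftsendcert=always or ifasked")
    plug = re.search(r"loaded plugins: (.*)", log)
    loaded = plug.group(1).split() if plug else []
    if conn.get("rightauth") == "eap-mschapv2" and not {"md4", "openssl"} & set(loaded):
        findings.append("EAP-MSCHAPv2 needs the md4 (or openssl) plugin for NT hashes; neither is loaded")
    return findings
```

Run against Sven's log and config it reports all three findings; once leftsendcert is changed and md4 is loaded, only the CERT-payload check would remain to confirm on the wire.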