[strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2 (Username and password)

Kerschbaum, Sven sven.kerschbaum at siemens.com
Fri May 7 13:00:51 CEST 2010


Hi Tobias, Hi Martin,

thanks for your replies!

I fixed the issue of the missing md4 plugin. Now md4 is being successfully loaded as plugin during startup of strongSwan:

01[DMN] loaded plugins: aes des sha1 sha2 md4 md5 fips-prf random x509 pubkey xcbc hmac gmp stroke eap-identity eap-mschapv2

That's true, Tobias, the IKE AUTH gets sent by strongSwan. But I still can't figure out why strongSwan does not include the CERT into the IKE AUTH response (in fact Win 7 sends a CERTREQ to strongSwan):

01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.2)
01[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
01[LIB]   loaded certificate file '/usr/local/etc/ipsec.d/cacerts/cacert.pem'
01[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
01[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
01[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
01[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
01[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
01[CFG]   loaded private key file '/usr/local/etc/ipsec.d/private/clientkey.pem'
01[CFG]   loaded EAP secret for test

...

07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]
07[IKE] received cert request for "O=Siemens, OU=ATS, L=Nuremberg, ST=Bavaria, C=DE, CN=ikeca"
07[CFG] looking for peer configs matching 192.168.10.90[%any]...192.168.10.12[192.168.10.12]
07[CFG] selected peer config 'host-host'
07[IKE] initiating EAP-Identity request
07[IKE] authentication of 'C=DE, ST=Bavaria, O=Siemens, OU=andere, CN=ikeclient' (myself) with RSA signature successful
07[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP ]
07[NET] sending packet: from 192.168.10.90[4500] to 192.168.10.12[4500]

Any ideas what's going wrong? Why does strongSwan not reply with IKE_AUTH [ IDr AUTH CERT EAP REQ/ID ] as I would expect? Could it be a misconfiguration of strongSwan? My ipsec.conf looks as follows:

config setup
     plutostart=no

conn host-host
     esp = 3des-sha1
     ike = 3des-sha1-modp1024
     left=%defaultroute
     leftsubnet=192.168.2.0/24
     leftcert=clientcert.pem
     leftsendcert=never
     right=192.168.10.12
     rightsubnet=192.168.3.0/24
     rightauth=eap-mschapv2
     eap_identity=%any
     keyexchange=ikev2
     auto=add

Thanks for your help!
Kind Regards,
Sven


Best regards

Sven Kerschbaum

Siemens AG
Industry Sector Industry Automation Division
mailto:sven.kerschbaum at siemens.com
http://www.siemens.com/automation




-----Original Message-----
From: Tobias Brunner [mailto:tobias at strongswan.org]
Sent: Friday, 7 May 2010 11:34
To: Martin Willi
Cc: Kerschbaum, Sven; users at lists.strongswan.org
Subject: Re: [strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2 (Username and password)

Hi Martin, Hi Sven,

the response is just a little bit below:

> 08[IKE] authentication of 'C=DE, ST=Bavaria, O=Siemens, OU=andere,
> CN=ikeclient' (myself) with RSA signature successful
> 08[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP ]
> 08[NET] sending packet: from 192.168.10.90[4500] to 192.168.10.12[4500]

Which indicates that the gateway certificate is not sent, which might cause this
error in Win7.

One other thing, not related to this particular error, but which will cause the
authentication to fail later:

> 01[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509
> pubkey xcbc hmac gmp stroke eap-identity eap-mschapv2

The MD4 plugin is not built/loaded (which is required, if you don't use the
OpenSSL plugin), therefore the NT-Hashes cannot be generated.

Regards,
Tobias

-- 
======================================================================
Tobias Brunner                                   tobias at strongswan.org
strongSwan - The Linux VPN Solution!         http://www.strongswan.org
======================================================================
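As an added, stand-alone example (not code from the thread or from strongSwan itself): a small Python checker that reads charon log lines like the ones quoted above together with the conn section of ipsec.conf, and reports when a peer's CERTREQ is answered with an IKE_AUTH response that carries no CERT payload, and when `leftsendcert=never` is set, which instructs charon not to send the local certificate at all. The sample log and config are constructed from the lines quoted in the thread, and the regexes assume charon's default log line layout as shown there.

```python
import re
# Constructed sample input, shaped like the charon log and ipsec.conf quoted in the thread.
LOG = """\
07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]
07[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP ]
"""
CONF = """\
conn host-host
     leftcert=clientcert.pem
     leftsendcert=never
     rightauth=eap-mschapv2
"""
ENC_LINE = re.compile(r"^\d+\[ENC\] (parsed|generating) (\w+) (request|response) \d+ \[ (.*?) \]$")

def payload_events(log):
    # Yield (direction, exchange, payload names) for every ENC line; N(MOBIKE_SUP) -> N
    for line in log.splitlines():
        m = ENC_LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), {p.split("(")[0] for p in m.group(4).split()}

def cert_sent_after_certreq(log):
    # True/False once a CERTREQ was parsed and an IKE_AUTH response generated; None otherwise
    certreq_seen = False
    for direction, exchange, names in payload_events(log):
        if exchange != "IKE_AUTH":
            continue
        if direction == "parsed" and "CERTREQ" in names:
            certreq_seen = True
        elif direction == "generating" and certreq_seen:
            return "CERT" in names
    return None

def conn_settings(conf, conn):
    # key=value settings of one conn section; whitespace around '=' is tolerated
    settings, active = {}, False
    for line in conf.splitlines():
        if re.match(r"^(conn|config|ca)\s", line):
            active = line.split()[1] == conn
        elif active and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def diagnose(log, conf, conn):
    # Findings a responder-side reviewer would raise for this exchange
    findings = []
    if cert_sent_after_certreq(log) is False:
        findings.append("peer sent CERTREQ but IKE_AUTH response carries no CERT payload")
    if conn_settings(conf, conn).get("leftsendcert") == "never":
        findings.append("leftsendcert=never suppresses sending the local certificate")
    return findings
```

Running `diagnose(LOG, CONF, "host-host")` on the constructed input returns both findings; with `leftsendcert` changed to `ifasked` or `always` the second one disappears.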