[strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2 (Username and password)

Andreas Steffen andreas.steffen at hsr.ch
Fri May 7 13:47:39 CEST 2010


Hi Sven,

leftsendcert=never

actually causes no certificate to be sent.
You probably want to send

rightcert=never

which suppresses the certificate request.

Regards

Andreas

----- Original Message -----
> Hi Tobias, Hi Martin,
>
> thanks for your replies!
>
> I fixed the issue of the missing md4 plugin. Now md4 is being successfully
> loaded as plugin during startup of strongSwan:
>
> 01[DMN] loaded plugins: aes des sha1 sha2 md4 md5 fips-prf random x509 pubkey
> xcbc hmac gmp stroke eap-identity eap-mschapv2
>
> That's true, Tobias, the IKE AUTH gets sent by strongSwan. But I still can't
> figure out why strongSwan does not include the CERT into the IKE AUTH response
> (in fact Win 7 sends a CERTREQ to strongSwan):
>
> 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.2)
> 01[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> 01[LIB]    loaded certificate file '/usr/local/etc/ipsec.d/cacerts/cacert.pem'
> 01[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> 01[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> 01[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> 01[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> 01[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 01[CFG]    loaded private key file '/usr/local/etc/ipsec.d/private/clientkey.pem'
> 01[CFG]    loaded EAP secret for test
>
> ...
>
> 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]
> 07[IKE] received cert request for "O=Siemens, OU=ATS, L=Nuremberg, ST=Bavaria, C=DE, CN=ikeca"
> 07[CFG] looking for peer configs matching 192.168.10.90[%any]...192.168.10.12[192.168.10.12]
> 07[CFG] selected peer config 'host-host'
> 07[IKE] initiating EAP-Identity request
> 07[IKE] authentication of 'C=DE, ST=Bavaria, O=Siemens, OU=andere, CN=ikeclient' (myself) with RSA signature successful
> 07[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP ]
> 07[NET] sending packet: from 192.168.10.90[4500] to 192.168.10.12[4500]
>
> Any ideas what's going wrong? Why does strongSwan not reply with IKE AUTH [IDr
> AUTH CERT EAP REQ/ID] as I would expect? Could it be a misconfiguration of
> strongSwan? My ipsec.conf looks as follows:
>
> config setup
>          plutostart=no
>
> conn host-host
>          esp = 3des-sha1
>          ike = 3des-sha1-modp1024
>          left=%defaultroute
>          leftsubnet=192.168.2.0/24
>          leftcert=clientcert.pem
>          leftsendcert=never
>          right=192.168.10.12
>          rightsubnet=192.168.3.0/24
>          rightauth=eap-mschapv2
>          eap_identity=%any
>          keyexchange=ikev2
>          auto=add
>
> Thanks for your help!
> Kind Regards,
> Sven
>
>
> Best regards
>
> Sven Kerschbaum
>
> Siemens AG
> Industry Sector Industry Automation Division
> mailto:sven.kerschbaum at siemens.com
> http://www.siemens.com/automation
>
>
>
>
> -----Original Message-----
> From: Tobias Brunner [mailto:tobias at strongswan.org]
> Sent: Friday, 7 May 2010 11:34
> To: Martin Willi
> Cc: Kerschbaum, Sven; users at lists.strongswan.org
> Subject: Re: [strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2 (Username
> and password)
>
> Hi Martin, Hi Sven,
>
> the response is just a little bit below:
>
> > 08[IKE] authentication of 'C=DE, ST=Bavaria, O=Siemens, OU=andere,
> > CN=ikeclient' (myself) with RSA signature successful
> > 08[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP ]
> > 08[NET] sending packet: from 192.168.10.90[4500] to 192.168.10.12[4500]
>
> Which indicates that the gateway certificate is not sent, which might cause this
> error in Win7.
>
> One other thing, not related to this particular error, but will cause the
> authentication to fail later:
>
> > 01[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509
> > pubkey xcbc hmac gmp stroke eap-identity eap-mschapv2
>
> The MD4 plugin is not built/loaded (which is required, if you don't use the
> OpenSSL plugin), therefore the NT-Hashes cannot be generated.
>
> Regards,
> Tobias
>
> --
> ======================================================================
> Tobias Brunner                                                                    tobias at strongswan.org
> strongSwan - The Linux VPN Solution!                http://www.strongswan.org
> ======================================================================
>
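The two problems diagnosed in this thread (an IKE_AUTH response without a CERT payload after the Windows client sent a CERTREQ, and eap-mschapv2 loaded without an MD4 provider) can both be spotted mechanically in the charon log. The following checker is an added example, not code from strongSwan or from anyone on the thread; the log excerpt is constructed after the lines quoted above, and the payload names (CERTREQ, CERT, IDr, AUTH, EAP) and plugin names (md4, openssl, eap-mschapv2) are the ones charon prints.

```python
import re

# Constructed charon log excerpt modelled on the thread: the peer sends a
# CERTREQ in IKE_AUTH, but the response is generated without a CERT payload,
# and the plugin list has eap-mschapv2 without md4 (and without openssl).
SAMPLE_LOG = """\
01[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey \
xcbc hmac gmp stroke eap-identity eap-mschapv2
07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]
07[IKE] received cert request for "O=Example, CN=ikeca"
07[IKE] initiating EAP-Identity request
07[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP ]
07[NET] sending packet: from 192.168.10.90[4500] to 192.168.10.12[4500]
"""

PLUGINS_RE = re.compile(r"\[DMN\] loaded plugins: (.*)$")
# Matches "parsed IKE_AUTH request N [ payloads ]" and
# "generating IKE_AUTH response N [ payloads ]".
MSG_RE = re.compile(
    r"\[ENC\] (parsed|generating) IKE_AUTH (request|response) (\d+) \[ (.*?) \]")


def check_charon_log(text):
    """Return a list of findings for the misconfigurations discussed in the thread."""
    findings = []
    plugins = set()
    certreq_seen = {}  # IKE message id -> True if the IKE_AUTH request carried CERTREQ
    for line in text.splitlines():
        m = PLUGINS_RE.search(line)
        if m:
            plugins = set(m.group(1).split())
            continue
        m = MSG_RE.search(line)
        if not m:
            continue
        direction, kind, msgid, payloads = m.groups()
        payloads = payloads.split()
        if direction == "parsed" and kind == "request":
            certreq_seen[msgid] = "CERTREQ" in payloads
        elif direction == "generating" and kind == "response":
            if certreq_seen.get(msgid) and "CERT" not in payloads:
                findings.append(
                    f"IKE_AUTH response {msgid} carries no CERT although the peer sent "
                    "CERTREQ: check leftsendcert (never suppresses the certificate)")
    # EAP-MSCHAPv2 needs an MD4 implementation for the NT hash: md4 or openssl plugin.
    if "eap-mschapv2" in plugins and not plugins & {"md4", "openssl"}:
        findings.append(
            "eap-mschapv2 loaded without md4 or openssl plugin: NT hashes cannot be computed")
    return findings
```

Feed it `ipsec.conf`-era charon output (e.g. from syslog) to confirm both conditions are gone after changing `leftsendcert` and loading the md4 plugin.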