[strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2 (Username and password)

Kerschbaum, Sven sven.kerschbaum at siemens.com
Tue May 11 09:02:09 CEST 2010


Good morning everybody,

hope you had a nice and sunny weekend ;). After trying hard to resolve the issue of failing to allocate a SPI, I have now further ideas what is causing this error:

12[IKE] IKE_SA host-host[1] established between 192.168.10.90[C=DE, ST=Bavaria, O=Siemens, OU=andere, CN=ikeclient]...192.168.10.12[192.168.10.12]
12[IKE] peer requested virtual IP %any
12[CFG] assigning new lease to '192.168.10.12'
12[IKE] assigning virtual IP 10.10.3.1 to peer
12[IKE] allocating SPI failed
12[ENC] generating IKE_AUTH response 5 [ AUTH CP N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]

Does anybody have an idea/hint/...?

Thanks in advance,
Sven

Best regards

Sven Kerschbaum

Siemens AG
Industry Sector Industry Automation Division
mailto:sven.kerschbaum at siemens.com
http://www.siemens.com/automation

Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Gerhard Cromme
Managing Board: Peter Loescher, Chairman, President and Chief Executive Officer; 
Wolfgang Dehen, Heinrich Hiesinger, Joe Kaeser, Barbara Kux, Hermann Requardt,
Siegfried Russwurm, Peter Y. Solmssen
Registered offices: Berlin and Munich; 
Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684
WEEE-Reg.-No. DE 23691322



-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at hsr.ch] 
Sent: Friday, 7 May 2010 15:01
To: Kerschbaum, Sven; Martin Willi
Cc: users at lists.strongswan.org
Subject: Aw: Re: [strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2 (Username and password)

Did you read the certificate constraints
defined in

http://wiki.strongswan.org/projects/strongswan/wiki/Win7cCertReq

- gateway name contained either in CN or subjectAltName.

- serverAuth Extended Key Usage flag

andreas

----- Original Message -----
> Yeah, right. I already changed the ipsec.conf to:
>
> leftsendcert=always
>
> strongSwan generates now the IKE AUTH response IKE AUTH  [Idr AUTH CERT EAP].
>
> Now it's a step further but Win 7 still complains with the following message:
>
> "Error 13801: IKE authentication credentials are unacceptable"
>
> In Win 7 I installed the CA certificate used by the strongSwan server as a trusted
> root certificate. I also made an entry in the Win 7 hosts file mapping cert
> details to the IP address of the strongSwan server.
>
> 192.168.10.90    ikeclient
>
> Hmm... Thanks for your assistance and great help!
>
> Best regards
>
> Sven Kerschbaum
>
>
> -----Original Message-----
> From: Martin Willi [mailto:martin at strongswan.org]
> Sent: Friday, 7 May 2010 13:44
> To: Kerschbaum, Sven
> Cc: users at lists.strongswan.org
> Subject: Re: AW: [strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2
> (Username and password)
>
> Hi again,
>
> > the response is just a little bit below:
>
> Ah yes, haven't seen the first authentication round in the log.
>
> > Why does strongSwan not reply with IKE AUTH  [Idr AUTH CERT EAP REQ/ID]
>
> >          leftsendcert=never
>
> Looks suspicious ;-). The example configuration uses
> rightsendcert=never, which actually says to not request a certificate
> from the client. leftsendcert=never will not include our own
> certificate, for example if a client already has the peer certificate of
> the gateway. But Windows 7 always expects a certificate payload to
> authenticate the gateway.
>
> Regards
> Martin
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
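
Added example, not part of the thread and not strongSwan code: a small linter for the leftsendcert/rightsendcert mix-up described in Martin Willi's quoted reply, run over a constructed ipsec.conf sample. It assumes "left" is the gateway side and handles only conn sections and conn %default (not also=); the certificate file name and address pool are hypothetical.

```python
# Added example. Assumption: "left" is the local (gateway) side, as in the quoted reply.
def parse_conns(text):
    """Return {conn: {key: value}}, with 'conn %default' merged into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header at column 0
            parts = line.split()
            current = None                        # ignore 'config setup', 'ca ...'
            if len(parts) == 2 and parts[0] == "conn":
                current = sections.setdefault(parts[1], {})
        elif current is not None and "=" in line: # indented key=value
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}

def lint_sendcert(text):
    """Flag conns whose gateway never sends its certificate."""
    findings = []
    for name, opts in parse_conns(text).items():
        if opts.get("leftsendcert", "").lower() in ("never", "no"):
            msg = f"{name}: leftsendcert=never omits the gateway CERT payload"
            if "rightsendcert" not in opts:
                msg += "; rightsendcert=never may have been intended"
            findings.append(msg)
    return findings

# Constructed sample; cert file name and address pool are hypothetical.
BROKEN = """\
config setup
conn %default
    keyexchange=ikev2
conn host-host
    left=192.168.10.90
    leftcert=gatewayCert.pem   # hypothetical
    leftsendcert=never
    right=%any
    rightsourceip=10.10.3.0/24
"""
FIXED = BROKEN.replace("leftsendcert=never",
                       "leftsendcert=always\n    rightsendcert=never")

if __name__ == "__main__":
    for cfg in (BROKEN, FIXED):
        print(lint_sendcert(cfg) or "ok")
```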




