[strongSwan] IKEV2 windows 2008 r2

Matthew F. Hymowitz mhymowitz at gmpnet.net
Tue Nov 8 16:21:58 CET 2011 

Thanks Again for your help Andreas




Here is the current config and non-debug log file:



-Matt


# ipsec.conf - strongSwan IPsec configuration file

config setup
	crlcheckinterval=0s
	strictcrlpolicy=no
	cachecrls=yes
	nat_traversal=yes
	charonstart=yes
	plutostart=no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      left=%defaultroute
#      leftsubnet=10.10.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

conn net-net
	left=10.0.0.90
	leftsubnet=10.0.0.0/24
	leftauth=eap-mschapv2
	eap_identity=matt	
	right=verrado.aaronline.com
	rightsubnet=192.168.1.0/24
	rightauth=pubkey
	keyexchange=ikev2
	auto=add

ca carefree-aaronline-ca
	cacert=/usr/local/etc/ipsec.d/cacert/aaronline.carefree.cert


Nov  8 %f 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
Nov  8 %f 00[KNL] listening on interfaces:
Nov  8 %f 00[KNL]   eth0
Nov  8 %f 00[KNL]     10.0.0.90
Nov  8 %f 00[KNL]     fe80::215:5dff:fe01:660d
Nov  8 %f 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Nov  8 %f 00[CFG]   loaded ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" from '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
Nov  8 %f 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Nov  8 %f 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Nov  8 %f 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Nov  8 %f 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Nov  8 %f 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Nov  8 %f 00[CFG]   loaded EAP secret for matt
Nov  8 %f 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2 
Nov  8 %f 00[JOB] spawning 16 worker threads
Nov  8 %f 10[CFG] crl caching to /usr/local/etc/ipsec.d/crls enabled
Nov  8 %f 12[CFG] received stroke: add connection 'net-net'
Nov  8 %f 12[CFG] added configuration 'net-net'
Nov  8 %f 14[CFG] received stroke: initiate 'net-net'
Nov  8 %f 03[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
Nov  8 %f 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov  8 %f 03[NET] sending packet: from 10.0.0.90[500] to 66.238.30.124[500]
Nov  8 %f 16[NET] received packet: from 66.238.30.124[500] to 10.0.0.90[500]
Nov  8 %f 16[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Nov  8 %f 16[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
Nov  8 %f 16[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
Nov  8 %f 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov  8 %f 16[NET] sending packet: from 10.0.0.90[500] to 66.238.30.124[500]
Nov  8 %f 02[NET] received packet: from 66.238.30.124[500] to 10.0.0.90[500]
Nov  8 %f 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov  8 %f 02[IKE] local host is behind NAT, sending keep alives
Nov  8 %f 02[IKE] remote host is behind NAT
Nov  8 %f 02[IKE] sending cert request for "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA"
Nov  8 %f 02[IKE] establishing CHILD_SA net-net
Nov  8 %f 02[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
Nov  8 %f 02[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
Nov  8 %f 01[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
Nov  8 %f 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Nov  8 %f 01[IKE] received end entity cert "CN=verrado.aaronline.com"
Nov  8 %f 01[CFG]   using certificate "CN=verrado.aaronline.com"
Nov  8 %f 01[CFG]   using trusted ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA"
Nov  8 %f 01[CFG]   reached self-signed root ca with a path length of 0
Nov  8 %f 01[IKE] authentication of 'CN=verrado.aaronline.com' with RSA signature successful
Nov  8 %f 01[IKE] server requested EAP_IDENTITY (id 0x00), sending 'matt'
Nov  8 %f 01[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Nov  8 %f 01[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
Nov  8 %f 10[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
Nov  8 %f 10[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Nov  8 %f 10[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
Nov  8 %f 10[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Nov  8 %f 10[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
Nov  8 %f 11[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
Nov  8 %f 11[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Nov  8 %f 11[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
Nov  8 %f 11[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Nov  8 %f 11[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
Nov  8 %f 12[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
Nov  8 %f 12[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
Nov  8 %f 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Nov  8 %f 12[IKE] authentication of '10.0.0.90' (myself) with EAP
Nov  8 %f 12[ENC] generating IKE_AUTH request 5 [ AUTH ]
Nov  8 %f 12[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
Nov  8 %f 10[IKE] retransmit 1 of request with message ID 5
Nov  8 %f 10[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
Nov  8 %f 11[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
Nov  8 %f 11[ENC] parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ]
Nov  8 %f 11[IKE] AUTH payload missing
Nov  8 %f 00[DMN] signal of type SIGINT received. Shutting down









Matt Hymowitz, CISSP
Manager
GMP Networks, LLC
520 577-3891
________________________________________
From: Andreas Steffen [andreas.steffen at strongswan.org]
Sent: Monday, November 07, 2011 10:05 PM
To: Matthew F. Hymowitz
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] IKEV2   windows 2008 r2

Hi Matt,

yes, the current ipsec.conf file and the log (but please without
increasing the debug level!!!) would help.

Regards

Andreas

On 11/08/2011 12:21 AM, Matthew F. Hymowitz wrote:
> Hi Andreas
>
> Thanks for your quick response.  I made the changes you suggest and reconfigured with the following switches
> --disable-pluto --disable-revocation --enable-eap-identity --enable-eap-mschapv2 and --enable-md4
>
> I am now getting much further along in the negotiation.  I am now failing with the error
>
> parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ]
> Auth payload missing
>
>
> The is after I get the message EAP method EAP_MSCHAPV2 succeeded, MSK established.
>
>
> Let me know if you need complete logs, and thanks again for such a quick response.
>
>
> Matt Hymowitz, CISSP
> Manager
> GMP Networks, LLC
> 520 577-3891

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

More information about the Users mailing list