[strongSwan] IKEV2 windows 2008 r2

Andreas Steffen andreas.steffen at strongswan.org
Tue Nov 8 18:22:52 CET 2011


Hello Matt,

Windows Server 2008 R2 expects strongSwan
to request a virtual IP address to be used
as a source address within the IPsec tunnel.
Therefore add this statement:

   leftsourceip=%config

With a virtual IP address,

   leftsubnet=10.0.0.0/24

doesn't make much sense, so you'd better
omit the leftsubnet statement.

Regards

Andreas

 On 08.11.2011 16:21, Matthew F. Hymowitz wrote:
> Thanks again for your help Andreas
> 
> Here is the current config and non-debug log file:
> 
> -Matt
> 
> 
> # ipsec.conf - strongSwan IPsec configuration file
> 
> config setup
> 	crlcheckinterval=0s
> 	strictcrlpolicy=no
> 	cachecrls=yes
> 	nat_traversal=yes
> 	charonstart=yes
> 	plutostart=no
> 
> # Add connections here.
> 
> # Sample VPN connections
> 
> #conn sample-self-signed
> #      left=%defaultroute
> #      leftsubnet=10.10.0.0/16
> #      leftcert=selfCert.der
> #      leftsendcert=never
> #      right=192.168.0.2
> #      rightsubnet=10.2.0.0/16
> #      rightcert=peerCert.der
> #      auto=start
> 
> conn net-net
> 	left=10.0.0.90
> 	leftsubnet=10.0.0.0/24
> 	leftauth=eap-mschapv2
> 	eap_identity=matt
> 	right=verrado.aaronline.com
> 	rightsubnet=192.168.1.0/24
> 	rightauth=pubkey
> 	keyexchange=ikev2
> 	auto=add
> 
> ca carefree-aaronline-ca
> 	cacert=/usr/local/etc/ipsec.d/cacert/aaronline.carefree.cert
> 
> 
> Nov  8 %f 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
> Nov  8 %f 00[KNL] listening on interfaces:
> Nov  8 %f 00[KNL]   eth0
> Nov  8 %f 00[KNL]     10.0.0.90
> Nov  8 %f 00[KNL]     fe80::215:5dff:fe01:660d
> Nov  8 %f 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> Nov  8 %f 00[CFG]   loaded ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" from '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
> Nov  8 %f 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> Nov  8 %f 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> Nov  8 %f 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> Nov  8 %f 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> Nov  8 %f 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> Nov  8 %f 00[CFG]   loaded EAP secret for matt
> Nov  8 %f 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2 
> Nov  8 %f 00[JOB] spawning 16 worker threads
> Nov  8 %f 10[CFG] crl caching to /usr/local/etc/ipsec.d/crls enabled
> Nov  8 %f 12[CFG] received stroke: add connection 'net-net'
> Nov  8 %f 12[CFG] added configuration 'net-net'
> Nov  8 %f 14[CFG] received stroke: initiate 'net-net'
> Nov  8 %f 03[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
> Nov  8 %f 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov  8 %f 03[NET] sending packet: from 10.0.0.90[500] to 66.238.30.124[500]
> Nov  8 %f 16[NET] received packet: from 66.238.30.124[500] to 10.0.0.90[500]
> Nov  8 %f 16[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> Nov  8 %f 16[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
> Nov  8 %f 16[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
> Nov  8 %f 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov  8 %f 16[NET] sending packet: from 10.0.0.90[500] to 66.238.30.124[500]
> Nov  8 %f 02[NET] received packet: from 66.238.30.124[500] to 10.0.0.90[500]
> Nov  8 %f 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov  8 %f 02[IKE] local host is behind NAT, sending keep alives
> Nov  8 %f 02[IKE] remote host is behind NAT
> Nov  8 %f 02[IKE] sending cert request for "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA"
> Nov  8 %f 02[IKE] establishing CHILD_SA net-net
> Nov  8 %f 02[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
> Nov  8 %f 02[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov  8 %f 01[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
> Nov  8 %f 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> Nov  8 %f 01[IKE] received end entity cert "CN=verrado.aaronline.com"
> Nov  8 %f 01[CFG]   using certificate "CN=verrado.aaronline.com"
> Nov  8 %f 01[CFG]   using trusted ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA"
> Nov  8 %f 01[CFG]   reached self-signed root ca with a path length of 0
> Nov  8 %f 01[IKE] authentication of 'CN=verrado.aaronline.com' with RSA signature successful
> Nov  8 %f 01[IKE] server requested EAP_IDENTITY (id 0x00), sending 'matt'
> Nov  8 %f 01[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
> Nov  8 %f 01[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov  8 %f 10[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
> Nov  8 %f 10[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
> Nov  8 %f 10[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
> Nov  8 %f 10[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
> Nov  8 %f 10[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov  8 %f 11[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
> Nov  8 %f 11[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> Nov  8 %f 11[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
> Nov  8 %f 11[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
> Nov  8 %f 11[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov  8 %f 12[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
> Nov  8 %f 12[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
> Nov  8 %f 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
> Nov  8 %f 12[IKE] authentication of '10.0.0.90' (myself) with EAP
> Nov  8 %f 12[ENC] generating IKE_AUTH request 5 [ AUTH ]
> Nov  8 %f 12[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov  8 %f 10[IKE] retransmit 1 of request with message ID 5
> Nov  8 %f 10[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov  8 %f 11[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
> Nov  8 %f 11[ENC] parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ]
> Nov  8 %f 11[IKE] AUTH payload missing
> Nov  8 %f 00[DMN] signal of type SIGINT received. Shutting down
> 
> Matt Hymowitz, CISSP
> Manager
> GMP Networks, LLC
> 520 577-3891
> ________________________________________
> From: Andreas Steffen [andreas.steffen at strongswan.org]
> Sent: Monday, November 07, 2011 10:05 PM
> To: Matthew F. Hymowitz
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] IKEV2   windows 2008 r2
> 
> Hi Matt,
> 
> yes, the current ipsec.conf file and the log (but please without
> increasing the debug level!!!) would help.
> 
> Regards
> 
> Andreas
> 
> On 11/08/2011 12:21 AM, Matthew F. Hymowitz wrote:
>> Hi Andreas
>>
>> Thanks for your quick response.  I made the changes you suggested and reconfigured with the following switches
>> --disable-pluto --disable-revocation --enable-eap-identity --enable-eap-mschapv2 and --enable-md4
>>
>> I am now getting much further along in the negotiation.  I am now failing with the error
>>
>> parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ]
>> Auth payload missing
>>
>>
>> This is after I get the message EAP method EAP_MSCHAPV2 succeeded, MSK established.
>>
>>
>> Let me know if you need complete logs, and thanks again for such a quick response.
>>
>>
>> Matt Hymowitz, CISSP
>> Manager
>> GMP Networks, LLC
>> 520 577-3891
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
> 


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
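For reference, here is the net-net connection from the thread rewritten the way Andreas describes, with the original lines shown beside the corrected ones. This is an added illustration for the archive, not a configuration posted by either participant or shipped by the strongSwan project; the connection name, the optional ike= proposal line and the comments are the editor's own. The N(FAIL_CP_REQ) notification in Matt's log is the IKEv2 FAILED_CP_REQUIRED notify: the Windows server refused to complete IKE_AUTH because the client sent no Configuration Payload requesting an address, which is exactly what leftsourceip=%config makes charon do.

```conf
# ipsec.conf - strongSwan 4.5.x, IKEv2 client towards Windows Server 2008 R2 (RRAS)
# Added example; connection name and ike= line are assumptions, the rest follows
# the thread (left=10.0.0.90, right=verrado.aaronline.com, EAP-MSCHAPv2 as user "matt").

config setup
	charonstart=yes
	plutostart=no
	nat_traversal=yes
	strictcrlpolicy=no

# --- as posted (fails with N(FAIL_CP_REQ) / "AUTH payload missing") ---
#conn net-net
#	left=10.0.0.90
#	leftsubnet=10.0.0.0/24       # meaningless for a road-warrior client; server rejects it
#	leftauth=eap-mschapv2
#	eap_identity=matt
#	right=verrado.aaronline.com
#	rightsubnet=192.168.1.0/24
#	rightauth=pubkey
#	keyexchange=ikev2
#	auto=add

# --- corrected: request a virtual IP from the server, drop leftsubnet ---
conn win2008r2
	keyexchange=ikev2
	left=10.0.0.90
	leftsourceip=%config         # send CP(CFG_REQUEST); the assigned address becomes TSi
	leftauth=eap-mschapv2
	eap_identity=matt            # EAP identity; password comes from ipsec.secrets ("matt : EAP ...")
	right=verrado.aaronline.com
	rightsubnet=192.168.1.0/24
	rightauth=pubkey             # server proves itself with its RSA cert issued by the CA below
	# Optional (assumption): the log shows the server answered INVAL_KE and asked for
	# MODP_1024. Naming it explicitly saves one round trip, but MODP_1024 is a weak
	# group; prefer fixing the server-side policy to accept MODP_2048 where possible.
	#ike=aes256-sha1-modp1024!
	auto=add

ca carefree-aaronline-ca
	cacert=/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert
```

After `ipsec update` (or a restart) bring the tunnel up with `ipsec up win2008r2`; the charon log should then show the IKE_AUTH request carrying a CP payload and, after the EAP exchange, the virtual IP being installed on the local interface. `ipsec statusall` lists that address next to the connection once the CHILD_SA is established.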
