[strongSwan] IKEV2 windows 2008 r2
Matthew F. Hymowitz
mhymowitz at gmpnet.net
Wed Nov 9 04:56:49 CET 2011
Andreas
Got it working. I needed to add rightsubnet=192.168.1.0/24 to the connection. I still have a question about removing rightid=%any
Thanks again for all your help.
Matt Hymowitz, CISSP
Manager
GMP Networks, LLC
520 577-3891
________________________________________
From: Matthew F. Hymowitz
Sent: Tuesday, November 08, 2011 6:00 PM
To: Andreas Steffen
Cc: users at lists.strongswan.org
Subject: RE: [strongSwan] IKEV2 windows 2008 r2
Hi Andreas
With your expert help, I am now able to establish a connection between my two sites. From my ubuntu box I am to ping 192.168.1.45, which I think is my local VPN adapter. I can not, however, ping 192.168.1.43 which I think is the windows PPP adaptor. I do not see any entries for 192.168.1.x when I do a netstat -r (should I?). I also can not ping anything else on the 192.168.1.x network.
I greatly appreciate all the help you providing me. Thank you again.
sudo ipsec statusall shows the following:
Status of IKEv2 charon daemon (strongSwan 4.5.3):
uptime: 16 minutes, since Nov 08 17:33:32 2011
malloc: sbrk 270336, mmap 0, used 154064, free 116272
worker threads: 9 of 16 idle, 6/1/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2
Listening IP addresses:
10.0.0.106
Connections:
net-net: 10.0.0.106...66.238.30.124
net-net: local: [10.0.0.106] uses EAP_MSCHAPV2 authentication with EAP identity 'matt'
net-net: remote: [%any] uses public key authentication
net-net: child: dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
net-net[1]: ESTABLISHED 16 minutes ago, 10.0.0.106[10.0.0.106]...66.238.30.124[CN=verrado.aaronline.com]
net-net[1]: IKE SPIs: d970b6f80746b929_i* 0b2a24b30601e1e3_r, EAP reauthentication in 39 minutes
net-net[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Also I had to add an %any for rightid, it says it is looking for verrado's ip address when I put that in there it still complains. Not sure what the rightid should really be.
Here is my current config ( i did change ip addresses on the ubunutu machine since the last config I sent you).
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
crlcheckinterval=0s
strictcrlpolicy=no
plutostart=no
nat_traversal=yes
charonstart=yes
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
mobike=no
forceencaps=yes
conn net-net
left=10.0.0.106
leftsourceip=%config
leftfirewall=yes
leftauth=eap-mschapv2
eap_identity=matt
right=verrado.aaronline.com
rightid=%any
rightauth=pubkey
auto=add
ca carefree-aaronline-ca
cacert=/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert
Here is the log file
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
00[KNL] listening on interfaces:
00[KNL] eth0
00[KNL] 10.0.0.106
00[KNL] fe80::215:5dff:fe01:6609
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" from '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loaded EAP secret for matt
00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2
00[JOB] spawning 16 worker threads
00[DMN] signal of type SIGINT received. Shutting down
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
00[KNL] listening on interfaces:
00[KNL] eth0
00[KNL] 10.0.0.106
00[KNL] fe80::215:5dff:fe01:6609
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" from '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loaded EAP secret for matt
00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2
00[JOB] spawning 16 worker threads
00[DMN] signal of type SIGINT received. Shutting down
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
00[KNL] listening on interfaces:
00[KNL] eth0
00[KNL] 10.0.0.106
00[KNL] fe80::215:5dff:fe01:6609
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" from '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loaded EAP secret for matt
00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2
00[JOB] spawning 16 worker threads
09[CFG] received stroke: add connection 'net-net'
09[CFG] added configuration 'net-net'
11[CFG] received stroke: initiate 'net-net'
13[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
13[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500]
02[IKE] retransmit 1 of request with message ID 0
02[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500]
14[IKE] retransmit 2 of request with message ID 0
14[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500]
15[NET] received packet: from 66.238.30.124[500] to 10.0.0.106[500]
15[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
15[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
15[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
15[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500]
16[NET] received packet: from 66.238.30.124[500] to 10.0.0.106[500]
16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
16[IKE] local host is behind NAT, sending keep alives
16[IKE] remote host is behind NAT
16[IKE] sending cert request for "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA"
16[IKE] establishing CHILD_SA net-net
16[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CP(ADDR DNS) SA TSi TSr N(EAP_ONLY) ]
16[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
01[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
01[IKE] received end entity cert "CN=verrado.aaronline.com"
01[CFG] using certificate "CN=verrado.aaronline.com"
01[CFG] using trusted ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA"
01[CFG] reached self-signed root ca with a path length of 0
01[IKE] authentication of 'CN=verrado.aaronline.com' with RSA signature successful
01[IKE] server requested EAP_IDENTITY (id 0x00), sending 'matt'
01[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
01[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
09[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
09[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
09[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
09[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
09[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
10[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
10[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
10[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
10[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
10[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
12[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
12[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
12[IKE] authentication of '10.0.0.106' (myself) with EAP
12[ENC] generating IKE_AUTH request 5 [ AUTH ]
12[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
13[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
13[ENC] parsed IKE_AUTH response 5 [ AUTH N(MOBIKE_SUP) CP(ADDR DNS DNS) SA TSi TSr ]
13[IKE] authentication of 'CN=verrado.aaronline.com' with EAP successful
13[IKE] IKE_SA net-net[1] established between 10.0.0.106[10.0.0.106]...66.238.30.124[CN=verrado.aaronline.com]
13[IKE] scheduling reauthentication in 3335s
13[IKE] maximum IKE_SA lifetime 3515s
13[IKE] installing DNS server 192.168.1.3 to /usr/local/etc/resolv.conf
13[IKE] installing DNS server 192.168.1.5 to /usr/local/etc/resolv.conf
13[IKE] installing new virtual IP 192.168.1.45
13[IKE] CHILD_SA net-net{1} established with SPIs c7f02950_i e7875dae_o and TS 192.168.1.45/32 === 66.238.30.124/32
11[IKE] sending keep alive
11[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
13[IKE] sending keep alive
Matt Hymowitz, CISSP
Manager
GMP Networks, LLC
520 577-3891
________________________________________
From: Andreas Steffen [andreas.steffen at strongswan.org]
Sent: Tuesday, November 08, 2011 10:22 AM
To: Matthew F. Hymowitz
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] IKEV2 windows 2008 r2
Hello Matt,
the Windows Server 2008 r2 expects strongSwan
to request a virtual IP address to be used
as a source address within the IPsec tunnel.
Therefore add this statement:
leftsourceip=%config
With a virtual IP address
leftsubnet=10.0.0.0/24
doesn't make much sense, so you'd better
omit the leftsubnet statement.
Regards
Andreas
On 08.11.2011 16:21, Matthew F. Hymowitz wrote:
> Thanks Again for your help Andreas
>
>
>
>
> Here is the current config and non-debug log file:
>
>
>
> -Matt
>
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> config setup
> crlcheckinterval=0s
> strictcrlpolicy=no
> cachecrls=yes
> nat_traversal=yes
> charonstart=yes
> plutostart=no
>
> # Add connections here.
>
> # Sample VPN connections
>
> #conn sample-self-signed
> # left=%defaultroute
> # leftsubnet=10.10.0.0/16
> # leftcert=selfCert.der
> # leftsendcert=never
> # right=192.168.0.2
> # rightsubnet=10.2.0.0/16
> # rightcert=peerCert.der
> # auto=start
>
> conn net-net
> left=10.0.0.90
> leftsubnet=10.0.0.0/24
> leftauth=eap-mschapv2
> eap_identity=matt
> right=verrado.aaronline.com
> rightsubnet=192.168.1.0/24
> rightauth=pubkey
> keyexchange=ikev2
> auto=add
>
> ca carefree-aaronline-ca
> cacert=/usr/local/etc/ipsec.d/cacert/aaronline.carefree.cert
>
>
> Nov 8 %f 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
> Nov 8 %f 00[KNL] listening on interfaces:
> Nov 8 %f 00[KNL] eth0
> Nov 8 %f 00[KNL] 10.0.0.90
> Nov 8 %f 00[KNL] fe80::215:5dff:fe01:660d
> Nov 8 %f 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> Nov 8 %f 00[CFG] loaded ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" from '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
> Nov 8 %f 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> Nov 8 %f 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> Nov 8 %f 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> Nov 8 %f 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> Nov 8 %f 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> Nov 8 %f 00[CFG] loaded EAP secret for matt
> Nov 8 %f 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2
> Nov 8 %f 00[JOB] spawning 16 worker threads
> Nov 8 %f 10[CFG] crl caching to /usr/local/etc/ipsec.d/crls enabled
> Nov 8 %f 12[CFG] received stroke: add connection 'net-net'
> Nov 8 %f 12[CFG] added configuration 'net-net'
> Nov 8 %f 14[CFG] received stroke: initiate 'net-net'
> Nov 8 %f 03[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
> Nov 8 %f 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov 8 %f 03[NET] sending packet: from 10.0.0.90[500] to 66.238.30.124[500]
> Nov 8 %f 16[NET] received packet: from 66.238.30.124[500] to 10.0.0.90[500]
> Nov 8 %f 16[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> Nov 8 %f 16[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
> Nov 8 %f 16[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
> Nov 8 %f 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov 8 %f 16[NET] sending packet: from 10.0.0.90[500] to 66.238.30.124[500]
> Nov 8 %f 02[NET] received packet: from 66.238.30.124[500] to 10.0.0.90[500]
> Nov 8 %f 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov 8 %f 02[IKE] local host is behind NAT, sending keep alives
> Nov 8 %f 02[IKE] remote host is behind NAT
> Nov 8 %f 02[IKE] sending cert request for "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA"
> Nov 8 %f 02[IKE] establishing CHILD_SA net-net
> Nov 8 %f 02[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
> Nov 8 %f 02[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov 8 %f 01[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
> Nov 8 %f 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> Nov 8 %f 01[IKE] received end entity cert "CN=verrado.aaronline.com"
> Nov 8 %f 01[CFG] using certificate "CN=verrado.aaronline.com"
> Nov 8 %f 01[CFG] using trusted ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA"
> Nov 8 %f 01[CFG] reached self-signed root ca with a path length of 0
> Nov 8 %f 01[IKE] authentication of 'CN=verrado.aaronline.com' with RSA signature successful
> Nov 8 %f 01[IKE] server requested EAP_IDENTITY (id 0x00), sending 'matt'
> Nov 8 %f 01[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
> Nov 8 %f 01[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov 8 %f 10[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
> Nov 8 %f 10[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
> Nov 8 %f 10[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
> Nov 8 %f 10[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
> Nov 8 %f 10[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov 8 %f 11[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
> Nov 8 %f 11[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> Nov 8 %f 11[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
> Nov 8 %f 11[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
> Nov 8 %f 11[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov 8 %f 12[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
> Nov 8 %f 12[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
> Nov 8 %f 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
> Nov 8 %f 12[IKE] authentication of '10.0.0.90' (myself) with EAP
> Nov 8 %f 12[ENC] generating IKE_AUTH request 5 [ AUTH ]
> Nov 8 %f 12[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov 8 %f 10[IKE] retransmit 1 of request with message ID 5
> Nov 8 %f 10[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov 8 %f 11[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
> Nov 8 %f 11[ENC] parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ]
> Nov 8 %f 11[IKE] AUTH payload missing
> Nov 8 %f 00[DMN] signal of type SIGINT received. Shutting down
>
>
>
>
>
>
>
>
>
> Matt Hymowitz, CISSP
> Manager
> GMP Networks, LLC
> 520 577-3891
> ________________________________________
> From: Andreas Steffen [andreas.steffen at strongswan.org]
> Sent: Monday, November 07, 2011 10:05 PM
> To: Matthew F. Hymowitz
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] IKEV2 windows 2008 r2
>
> Hi Matt,
>
> yes, the current ipsec.conf file and the log (but please without
> increasing the debug level!!!) would help.
>
> Regards
>
> Andreas
>
> On 11/08/2011 12:21 AM, Matthew F. Hymowitz wrote:
>> Hi Andreas
>>
>> Thanks for your quick response. I made the changes you suggest and reconfigured with the following switches
>> --disable-pluto --disable-revocation --enable-eap-identity --enable-eap-mschapv2 and --enable-md4
>>
>> I am now getting much further along in the negotiation. I am now failing with the error
>>
>> parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ]
>> Auth payload missing
>>
>>
>> The is after I get the message EAP method EAP_MSCHAPV2 succeeded, MSK established.
>>
>>
>> Let me know if you need complete logs, and thanks again for such a quick response.
>>
>>
>> Matt Hymowitz, CISSP
>> Manager
>> GMP Networks, LLC
>> 520 577-3891
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
More information about the Users
mailing list