[strongSwan] IKEV2 windows 2008 r2

Matthew F. Hymowitz mhymowitz at gmpnet.net
Wed Nov 9 04:56:49 CET 2011


Andreas

Got it working.  I needed to add rightsubnet=192.168.1.0/24 to the connection.   I still have a question about removing rightid=%any

Thanks again for all your help.


Matt Hymowitz, CISSP
Manager
GMP Networks, LLC
520 577-3891
________________________________________
From: Matthew F. Hymowitz
Sent: Tuesday, November 08, 2011 6:00 PM
To: Andreas Steffen
Cc: users at lists.strongswan.org
Subject: RE: [strongSwan] IKEV2   windows 2008 r2

Hi Andreas

With your expert help, I am now able to establish a connection between my two sites.   From my ubuntu box I am to ping 192.168.1.45, which I think is my local VPN adapter.   I can not, however, ping 192.168.1.43 which I think is the windows PPP adaptor.  I do not see any entries for 192.168.1.x when I do a netstat -r (should I?).  I also can not ping anything else on the 192.168.1.x network.


 I greatly appreciate all the help  you providing me.  Thank you again.



sudo ipsec statusall shows the    following:


Status of IKEv2 charon daemon (strongSwan 4.5.3):
  uptime: 16 minutes, since Nov 08 17:33:32 2011
  malloc: sbrk 270336, mmap 0, used 154064, free 116272
  worker threads: 9 of 16 idle, 6/1/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2
Listening IP addresses:
  10.0.0.106
Connections:
     net-net:  10.0.0.106...66.238.30.124
     net-net:   local:  [10.0.0.106] uses EAP_MSCHAPV2 authentication with EAP identity 'matt'
     net-net:   remote: [%any] uses public key authentication
     net-net:   child:  dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 16 minutes ago, 10.0.0.106[10.0.0.106]...66.238.30.124[CN=verrado.aaronline.com]
     net-net[1]: IKE SPIs: d970b6f80746b929_i* 0b2a24b30601e1e3_r, EAP reauthentication in 39 minutes
     net-net[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024




Also I had to add an %any for rightid, it says it is looking for verrado's ip address when I put that in there it still complains.  Not sure what the rightid should really be.


Here is my current config  ( i did change ip addresses on the ubunutu machine since the last config I sent you).

# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
       crlcheckinterval=0s
 strictcrlpolicy=no
 plutostart=no
 nat_traversal=yes
 charonstart=yes
conn %default
 ikelifetime=60m
 keylife=20m
 rekeymargin=3m
 keyingtries=1
 keyexchange=ikev2
 mobike=no
 forceencaps=yes
conn net-net
 left=10.0.0.106
 leftsourceip=%config
 leftfirewall=yes
 leftauth=eap-mschapv2
 eap_identity=matt
 right=verrado.aaronline.com
 rightid=%any
 rightauth=pubkey
 auto=add
ca carefree-aaronline-ca
 cacert=/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert




Here is the log file

00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
00[KNL] listening on interfaces:
00[KNL]   eth0
00[KNL]     10.0.0.106
00[KNL]     fe80::215:5dff:fe01:6609
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" from '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG]   loaded EAP secret for matt
00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2
00[JOB] spawning 16 worker threads
00[DMN] signal of type SIGINT received. Shutting down
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
00[KNL] listening on interfaces:
00[KNL]   eth0
00[KNL]     10.0.0.106
00[KNL]     fe80::215:5dff:fe01:6609
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" from '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG]   loaded EAP secret for matt
00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2
00[JOB] spawning 16 worker threads
00[DMN] signal of type SIGINT received. Shutting down
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
00[KNL] listening on interfaces:
00[KNL]   eth0
00[KNL]     10.0.0.106
00[KNL]     fe80::215:5dff:fe01:6609
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" from '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG]   loaded EAP secret for matt
00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2
00[JOB] spawning 16 worker threads
09[CFG] received stroke: add connection 'net-net'
09[CFG] added configuration 'net-net'
11[CFG] received stroke: initiate 'net-net'
13[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
13[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500]
02[IKE] retransmit 1 of request with message ID 0
02[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500]
14[IKE] retransmit 2 of request with message ID 0
14[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500]
15[NET] received packet: from 66.238.30.124[500] to 10.0.0.106[500]
15[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
15[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
15[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
15[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500]
16[NET] received packet: from 66.238.30.124[500] to 10.0.0.106[500]
16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
16[IKE] local host is behind NAT, sending keep alives
16[IKE] remote host is behind NAT
16[IKE] sending cert request for "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA"
16[IKE] establishing CHILD_SA net-net
16[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CP(ADDR DNS) SA TSi TSr N(EAP_ONLY) ]
16[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
01[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
01[IKE] received end entity cert "CN=verrado.aaronline.com"
01[CFG]   using certificate "CN=verrado.aaronline.com"
01[CFG]   using trusted ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA"
01[CFG]   reached self-signed root ca with a path length of 0
01[IKE] authentication of 'CN=verrado.aaronline.com' with RSA signature successful
01[IKE] server requested EAP_IDENTITY (id 0x00), sending 'matt'
01[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
01[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
09[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
09[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
09[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
09[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
09[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
10[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
10[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
10[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
10[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
10[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
12[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
12[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
12[IKE] authentication of '10.0.0.106' (myself) with EAP
12[ENC] generating IKE_AUTH request 5 [ AUTH ]
12[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
13[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
13[ENC] parsed IKE_AUTH response 5 [ AUTH N(MOBIKE_SUP) CP(ADDR DNS DNS) SA TSi TSr ]
13[IKE] authentication of 'CN=verrado.aaronline.com' with EAP successful
13[IKE] IKE_SA net-net[1] established between 10.0.0.106[10.0.0.106]...66.238.30.124[CN=verrado.aaronline.com]
13[IKE] scheduling reauthentication in 3335s
13[IKE] maximum IKE_SA lifetime 3515s
13[IKE] installing DNS server 192.168.1.3 to /usr/local/etc/resolv.conf
13[IKE] installing DNS server 192.168.1.5 to /usr/local/etc/resolv.conf
13[IKE] installing new virtual IP 192.168.1.45
13[IKE] CHILD_SA net-net{1} established with SPIs c7f02950_i e7875dae_o and TS 192.168.1.45/32 === 66.238.30.124/32
11[IKE] sending keep alive
11[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
13[IKE] sending keep alive


Matt Hymowitz, CISSP
Manager
GMP Networks, LLC
520 577-3891
________________________________________
From: Andreas Steffen [andreas.steffen at strongswan.org]
Sent: Tuesday, November 08, 2011 10:22 AM
To: Matthew F. Hymowitz
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] IKEV2   windows 2008 r2

Hello Matt,

the Windows Server 2008 r2 expects strongSwan
to request a virtual IP address to be used
as a source address within the IPsec tunnel.
Therefore add this statement:

   leftsourceip=%config

With a virtual IP address

   leftsubnet=10.0.0.0/24

doesn't make much sense, so you'd better
omit the leftsubnet statement.

Regards

Andreas

 On 08.11.2011 16:21, Matthew F. Hymowitz wrote:
> Thanks Again for your help Andreas
>
>
>
>
> Here is the current config and non-debug log file:
>
>
>
> -Matt
>
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>       crlcheckinterval=0s
>       strictcrlpolicy=no
>       cachecrls=yes
>       nat_traversal=yes
>       charonstart=yes
>       plutostart=no
>
> # Add connections here.
>
> # Sample VPN connections
>
> #conn sample-self-signed
> #      left=%defaultroute
> #      leftsubnet=10.10.0.0/16
> #      leftcert=selfCert.der
> #      leftsendcert=never
> #      right=192.168.0.2
> #      rightsubnet=10.2.0.0/16
> #      rightcert=peerCert.der
> #      auto=start
>
> conn net-net
>       left=10.0.0.90
>       leftsubnet=10.0.0.0/24
>       leftauth=eap-mschapv2
>       eap_identity=matt
>       right=verrado.aaronline.com
>       rightsubnet=192.168.1.0/24
>       rightauth=pubkey
>       keyexchange=ikev2
>       auto=add
>
> ca carefree-aaronline-ca
>       cacert=/usr/local/etc/ipsec.d/cacert/aaronline.carefree.cert
>
>
> Nov  8 %f 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
> Nov  8 %f 00[KNL] listening on interfaces:
> Nov  8 %f 00[KNL]   eth0
> Nov  8 %f 00[KNL]     10.0.0.90
> Nov  8 %f 00[KNL]     fe80::215:5dff:fe01:660d
> Nov  8 %f 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> Nov  8 %f 00[CFG]   loaded ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" from '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
> Nov  8 %f 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> Nov  8 %f 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> Nov  8 %f 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> Nov  8 %f 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> Nov  8 %f 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> Nov  8 %f 00[CFG]   loaded EAP secret for matt
> Nov  8 %f 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2
> Nov  8 %f 00[JOB] spawning 16 worker threads
> Nov  8 %f 10[CFG] crl caching to /usr/local/etc/ipsec.d/crls enabled
> Nov  8 %f 12[CFG] received stroke: add connection 'net-net'
> Nov  8 %f 12[CFG] added configuration 'net-net'
> Nov  8 %f 14[CFG] received stroke: initiate 'net-net'
> Nov  8 %f 03[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
> Nov  8 %f 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov  8 %f 03[NET] sending packet: from 10.0.0.90[500] to 66.238.30.124[500]
> Nov  8 %f 16[NET] received packet: from 66.238.30.124[500] to 10.0.0.90[500]
> Nov  8 %f 16[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> Nov  8 %f 16[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
> Nov  8 %f 16[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
> Nov  8 %f 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov  8 %f 16[NET] sending packet: from 10.0.0.90[500] to 66.238.30.124[500]
> Nov  8 %f 02[NET] received packet: from 66.238.30.124[500] to 10.0.0.90[500]
> Nov  8 %f 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov  8 %f 02[IKE] local host is behind NAT, sending keep alives
> Nov  8 %f 02[IKE] remote host is behind NAT
> Nov  8 %f 02[IKE] sending cert request for "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA"
> Nov  8 %f 02[IKE] establishing CHILD_SA net-net
> Nov  8 %f 02[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
> Nov  8 %f 02[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov  8 %f 01[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
> Nov  8 %f 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> Nov  8 %f 01[IKE] received end entity cert "CN=verrado.aaronline.com"
> Nov  8 %f 01[CFG]   using certificate "CN=verrado.aaronline.com"
> Nov  8 %f 01[CFG]   using trusted ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA"
> Nov  8 %f 01[CFG]   reached self-signed root ca with a path length of 0
> Nov  8 %f 01[IKE] authentication of 'CN=verrado.aaronline.com' with RSA signature successful
> Nov  8 %f 01[IKE] server requested EAP_IDENTITY (id 0x00), sending 'matt'
> Nov  8 %f 01[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
> Nov  8 %f 01[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov  8 %f 10[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
> Nov  8 %f 10[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
> Nov  8 %f 10[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
> Nov  8 %f 10[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
> Nov  8 %f 10[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov  8 %f 11[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
> Nov  8 %f 11[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> Nov  8 %f 11[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
> Nov  8 %f 11[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
> Nov  8 %f 11[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov  8 %f 12[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
> Nov  8 %f 12[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
> Nov  8 %f 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
> Nov  8 %f 12[IKE] authentication of '10.0.0.90' (myself) with EAP
> Nov  8 %f 12[ENC] generating IKE_AUTH request 5 [ AUTH ]
> Nov  8 %f 12[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov  8 %f 10[IKE] retransmit 1 of request with message ID 5
> Nov  8 %f 10[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov  8 %f 11[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
> Nov  8 %f 11[ENC] parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ]
> Nov  8 %f 11[IKE] AUTH payload missing
> Nov  8 %f 00[DMN] signal of type SIGINT received. Shutting down
>
>
>
>
>
>
>
>
>
> Matt Hymowitz, CISSP
> Manager
> GMP Networks, LLC
> 520 577-3891
> ________________________________________
> From: Andreas Steffen [andreas.steffen at strongswan.org]
> Sent: Monday, November 07, 2011 10:05 PM
> To: Matthew F. Hymowitz
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] IKEV2   windows 2008 r2
>
> Hi Matt,
>
> yes, the current ipsec.conf file and the log (but please without
> increasing the debug level!!!) would help.
>
> Regards
>
> Andreas
>
> On 11/08/2011 12:21 AM, Matthew F. Hymowitz wrote:
>> Hi Andreas
>>
>> Thanks for your quick response.  I made the changes you suggest and reconfigured with the following switches
>> --disable-pluto --disable-revocation --enable-eap-identity --enable-eap-mschapv2 and --enable-md4
>>
>> I am now getting much further along in the negotiation.  I am now failing with the error
>>
>> parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ]
>> Auth payload missing
>>
>>
>> The is after I get the message EAP method EAP_MSCHAPV2 succeeded, MSK established.
>>
>>
>> Let me know if you need complete logs, and thanks again for such a quick response.
>>
>>
>> Matt Hymowitz, CISSP
>> Manager
>> GMP Networks, LLC
>> 520 577-3891
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>


--
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==




More information about the Users mailing list