[strongSwan] IKEV2 windows 2008 r2

Matthew F. Hymowitz mhymowitz at gmpnet.net
Sat Nov 12 23:27:24 CET 2011


Thanks again for all your help.  This worked perfectly.


Matt Hymowitz, CISSP
Manager
GMP Networks, LLC
520 577-3891
________________________________________
From: Andreas Steffen [andreas.steffen at strongswan.org]
Sent: Friday, November 11, 2011 7:56 AM
To: Matthew F. Hymowitz
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] IKEV2   windows 2008 r2

Hi Matt,

in my opinion the subjectDistinguished Name contained in
the server certificate should be the rightid:

  rightid="CN=verrado.aaronline.com"

Regards

Andreas

On 09.11.2011 04:56, Matthew F. Hymowitz wrote:
> Andreas
>
> Got it working.  I needed to add rightsubnet=192.168.1.0/24 to the connection.   I still have a question about removing rightid=%any
>
> Thanks again for all your help.
>
>
> Matt Hymowitz, CISSP
> Manager
> GMP Networks, LLC
> 520 577-3891
> ________________________________________
> From: Matthew F. Hymowitz
> Sent: Tuesday, November 08, 2011 6:00 PM
> To: Andreas Steffen
> Cc: users at lists.strongswan.org
> Subject: RE: [strongSwan] IKEV2   windows 2008 r2
>
> Hi Andreas
>
> With your expert help, I am now able to establish a connection between my two sites.   From my ubuntu box I am to ping 192.168.1.45, which I think is my local VPN adapter.   I can not, however, ping 192.168.1.43 which I think is the windows PPP adaptor.  I do not see any entries for 192.168.1.x when I do a netstat -r (should I?).  I also can not ping anything else on the 192.168.1.x network.
>
>
>   I greatly appreciate all the help  you providing me.  Thank you again.
>
>
>
> sudo ipsec statusall shows the    following:
>
>
> Status of IKEv2 charon daemon (strongSwan 4.5.3):
>    uptime: 16 minutes, since Nov 08 17:33:32 2011
>    malloc: sbrk 270336, mmap 0, used 154064, free 116272
>    worker threads: 9 of 16 idle, 6/1/0/0 working, job queue: 0/0/0/0, scheduled: 3
>    loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2
> Listening IP addresses:
>    10.0.0.106
> Connections:
>       net-net:  10.0.0.106...66.238.30.124
>       net-net:   local:  [10.0.0.106] uses EAP_MSCHAPV2 authentication with EAP identity 'matt'
>       net-net:   remote: [%any] uses public key authentication
>       net-net:   child:  dynamic === dynamic TUNNEL
> Security Associations (1 up, 0 connecting):
>       net-net[1]: ESTABLISHED 16 minutes ago, 10.0.0.106[10.0.0.106]...66.238.30.124[CN=verrado.aaronline.com]
>       net-net[1]: IKE SPIs: d970b6f80746b929_i* 0b2a24b30601e1e3_r, EAP reauthentication in 39 minutes
>       net-net[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>
>
>
>
> Also I had to add an %any for rightid, it says it is looking for verrado's ip address when I put that in there it still complains.  Not sure what the rightid should really be.
>
>
> Here is my current config  ( i did change ip addresses on the ubunutu machine since the last config I sent you).
>
> # /etc/ipsec.conf - strongSwan IPsec configuration file
> config setup
>         crlcheckinterval=0s
>   strictcrlpolicy=no
>   plutostart=no
>   nat_traversal=yes
>   charonstart=yes
> conn %default
>   ikelifetime=60m
>   keylife=20m
>   rekeymargin=3m
>   keyingtries=1
>   keyexchange=ikev2
>   mobike=no
>   forceencaps=yes
> conn net-net
>   left=10.0.0.106
>   leftsourceip=%config
>   leftfirewall=yes
>   leftauth=eap-mschapv2
>   eap_identity=matt
>   right=verrado.aaronline.com
>   rightid=%any
>   rightauth=pubkey
>   auto=add
> ca carefree-aaronline-ca
>   cacert=/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert
>
>
>
>
> Here is the log file
>
> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
> 00[KNL] listening on interfaces:
> 00[KNL]   eth0
> 00[KNL]     10.0.0.106
> 00[KNL]     fe80::215:5dff:fe01:6609
> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> 00[CFG]   loaded ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" from '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 00[CFG]   loaded EAP secret for matt
> 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2
> 00[JOB] spawning 16 worker threads
> 00[DMN] signal of type SIGINT received. Shutting down
> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
> 00[KNL] listening on interfaces:
> 00[KNL]   eth0
> 00[KNL]     10.0.0.106
> 00[KNL]     fe80::215:5dff:fe01:6609
> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> 00[CFG]   loaded ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" from '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 00[CFG]   loaded EAP secret for matt
> 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2
> 00[JOB] spawning 16 worker threads
> 00[DMN] signal of type SIGINT received. Shutting down
> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
> 00[KNL] listening on interfaces:
> 00[KNL]   eth0
> 00[KNL]     10.0.0.106
> 00[KNL]     fe80::215:5dff:fe01:6609
> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> 00[CFG]   loaded ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" from '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 00[CFG]   loaded EAP secret for matt
> 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2
> 00[JOB] spawning 16 worker threads
> 09[CFG] received stroke: add connection 'net-net'
> 09[CFG] added configuration 'net-net'
> 11[CFG] received stroke: initiate 'net-net'
> 13[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
> 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 13[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500]
> 02[IKE] retransmit 1 of request with message ID 0
> 02[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500]
> 14[IKE] retransmit 2 of request with message ID 0
> 14[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500]
> 15[NET] received packet: from 66.238.30.124[500] to 10.0.0.106[500]
> 15[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> 15[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
> 15[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
> 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 15[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500]
> 16[NET] received packet: from 66.238.30.124[500] to 10.0.0.106[500]
> 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 16[IKE] local host is behind NAT, sending keep alives
> 16[IKE] remote host is behind NAT
> 16[IKE] sending cert request for "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA"
> 16[IKE] establishing CHILD_SA net-net
> 16[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CP(ADDR DNS) SA TSi TSr N(EAP_ONLY) ]
> 16[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
> 01[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
> 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> 01[IKE] received end entity cert "CN=verrado.aaronline.com"
> 01[CFG]   using certificate "CN=verrado.aaronline.com"
> 01[CFG]   using trusted ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA"
> 01[CFG]   reached self-signed root ca with a path length of 0
> 01[IKE] authentication of 'CN=verrado.aaronline.com' with RSA signature successful
> 01[IKE] server requested EAP_IDENTITY (id 0x00), sending 'matt'
> 01[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
> 01[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
> 09[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
> 09[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
> 09[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
> 09[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
> 09[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
> 10[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
> 10[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> 10[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
> 10[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
> 10[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
> 12[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
> 12[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
> 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
> 12[IKE] authentication of '10.0.0.106' (myself) with EAP
> 12[ENC] generating IKE_AUTH request 5 [ AUTH ]
> 12[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
> 13[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
> 13[ENC] parsed IKE_AUTH response 5 [ AUTH N(MOBIKE_SUP) CP(ADDR DNS DNS) SA TSi TSr ]
> 13[IKE] authentication of 'CN=verrado.aaronline.com' with EAP successful
> 13[IKE] IKE_SA net-net[1] established between 10.0.0.106[10.0.0.106]...66.238.30.124[CN=verrado.aaronline.com]
> 13[IKE] scheduling reauthentication in 3335s
> 13[IKE] maximum IKE_SA lifetime 3515s
> 13[IKE] installing DNS server 192.168.1.3 to /usr/local/etc/resolv.conf
> 13[IKE] installing DNS server 192.168.1.5 to /usr/local/etc/resolv.conf
> 13[IKE] installing new virtual IP 192.168.1.45
> 13[IKE] CHILD_SA net-net{1} established with SPIs c7f02950_i e7875dae_o and TS 192.168.1.45/32 === 66.238.30.124/32
> 11[IKE] sending keep alive
> 11[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
> 13[IKE] sending keep alive
>
>
> Matt Hymowitz, CISSP
> Manager
> GMP Networks, LLC
> 520 577-3891
> ________________________________________
> From: Andreas Steffen [andreas.steffen at strongswan.org]
> Sent: Tuesday, November 08, 2011 10:22 AM
> To: Matthew F. Hymowitz
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] IKEV2   windows 2008 r2
>
> Hello Matt,
>
> the Windows Server 2008 r2 expects strongSwan
> to request a virtual IP address to be used
> as a source address within the IPsec tunnel.
> Therefore add this statement:
>
>     leftsourceip=%config
>
> With a virtual IP address
>
>     leftsubnet=10.0.0.0/24
>
> doesn't make much sense, so you'd better
> omit the leftsubnet statement.
>
> Regards
>
> Andreas
>
>   On 08.11.2011 16:21, Matthew F. Hymowitz wrote:
>> Thanks Again for your help Andreas
>>
>>
>>
>>
>> Here is the current config and non-debug log file:
>>
>>
>>
>> -Matt
>>
>>
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> config setup
>>        crlcheckinterval=0s
>>        strictcrlpolicy=no
>>        cachecrls=yes
>>        nat_traversal=yes
>>        charonstart=yes
>>        plutostart=no
>>
>> # Add connections here.
>>
>> # Sample VPN connections
>>
>> #conn sample-self-signed
>> #      left=%defaultroute
>> #      leftsubnet=10.10.0.0/16
>> #      leftcert=selfCert.der
>> #      leftsendcert=never
>> #      right=192.168.0.2
>> #      rightsubnet=10.2.0.0/16
>> #      rightcert=peerCert.der
>> #      auto=start
>>
>> conn net-net
>>        left=10.0.0.90
>>        leftsubnet=10.0.0.0/24
>>        leftauth=eap-mschapv2
>>        eap_identity=matt
>>        right=verrado.aaronline.com
>>        rightsubnet=192.168.1.0/24
>>        rightauth=pubkey
>>        keyexchange=ikev2
>>        auto=add
>>
>> ca carefree-aaronline-ca
>>        cacert=/usr/local/etc/ipsec.d/cacert/aaronline.carefree.cert
>>
>>
>> Nov  8 %f 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
>> Nov  8 %f 00[KNL] listening on interfaces:
>> Nov  8 %f 00[KNL]   eth0
>> Nov  8 %f 00[KNL]     10.0.0.90
>> Nov  8 %f 00[KNL]     fe80::215:5dff:fe01:660d
>> Nov  8 %f 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
>> Nov  8 %f 00[CFG]   loaded ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" from '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
>> Nov  8 %f 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
>> Nov  8 %f 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
>> Nov  8 %f 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
>> Nov  8 %f 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
>> Nov  8 %f 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
>> Nov  8 %f 00[CFG]   loaded EAP secret for matt
>> Nov  8 %f 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2
>> Nov  8 %f 00[JOB] spawning 16 worker threads
>> Nov  8 %f 10[CFG] crl caching to /usr/local/etc/ipsec.d/crls enabled
>> Nov  8 %f 12[CFG] received stroke: add connection 'net-net'
>> Nov  8 %f 12[CFG] added configuration 'net-net'
>> Nov  8 %f 14[CFG] received stroke: initiate 'net-net'
>> Nov  8 %f 03[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
>> Nov  8 %f 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Nov  8 %f 03[NET] sending packet: from 10.0.0.90[500] to 66.238.30.124[500]
>> Nov  8 %f 16[NET] received packet: from 66.238.30.124[500] to 10.0.0.90[500]
>> Nov  8 %f 16[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
>> Nov  8 %f 16[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
>> Nov  8 %f 16[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
>> Nov  8 %f 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Nov  8 %f 16[NET] sending packet: from 10.0.0.90[500] to 66.238.30.124[500]
>> Nov  8 %f 02[NET] received packet: from 66.238.30.124[500] to 10.0.0.90[500]
>> Nov  8 %f 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Nov  8 %f 02[IKE] local host is behind NAT, sending keep alives
>> Nov  8 %f 02[IKE] remote host is behind NAT
>> Nov  8 %f 02[IKE] sending cert request for "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA"
>> Nov  8 %f 02[IKE] establishing CHILD_SA net-net
>> Nov  8 %f 02[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
>> Nov  8 %f 02[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
>> Nov  8 %f 01[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
>> Nov  8 %f 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
>> Nov  8 %f 01[IKE] received end entity cert "CN=verrado.aaronline.com"
>> Nov  8 %f 01[CFG]   using certificate "CN=verrado.aaronline.com"
>> Nov  8 %f 01[CFG]   using trusted ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA"
>> Nov  8 %f 01[CFG]   reached self-signed root ca with a path length of 0
>> Nov  8 %f 01[IKE] authentication of 'CN=verrado.aaronline.com' with RSA signature successful
>> Nov  8 %f 01[IKE] server requested EAP_IDENTITY (id 0x00), sending 'matt'
>> Nov  8 %f 01[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
>> Nov  8 %f 01[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
>> Nov  8 %f 10[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
>> Nov  8 %f 10[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
>> Nov  8 %f 10[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
>> Nov  8 %f 10[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
>> Nov  8 %f 10[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
>> Nov  8 %f 11[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
>> Nov  8 %f 11[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
>> Nov  8 %f 11[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
>> Nov  8 %f 11[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
>> Nov  8 %f 11[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
>> Nov  8 %f 12[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
>> Nov  8 %f 12[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
>> Nov  8 %f 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
>> Nov  8 %f 12[IKE] authentication of '10.0.0.90' (myself) with EAP
>> Nov  8 %f 12[ENC] generating IKE_AUTH request 5 [ AUTH ]
>> Nov  8 %f 12[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
>> Nov  8 %f 10[IKE] retransmit 1 of request with message ID 5
>> Nov  8 %f 10[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
>> Nov  8 %f 11[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
>> Nov  8 %f 11[ENC] parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ]
>> Nov  8 %f 11[IKE] AUTH payload missing
>> Nov  8 %f 00[DMN] signal of type SIGINT received. Shutting down
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Matt Hymowitz, CISSP
>> Manager
>> GMP Networks, LLC
>> 520 577-3891
>> ________________________________________
>> From: Andreas Steffen [andreas.steffen at strongswan.org]
>> Sent: Monday, November 07, 2011 10:05 PM
>> To: Matthew F. Hymowitz
>> Cc: users at lists.strongswan.org
>> Subject: Re: [strongSwan] IKEV2   windows 2008 r2
>>
>> Hi Matt,
>>
>> yes, the current ipsec.conf file and the log (but please without
>> increasing the debug level!!!) would help.
>>
>> Regards
>>
>> Andreas
>>
>> On 11/08/2011 12:21 AM, Matthew F. Hymowitz wrote:
>>> Hi Andreas
>>>
>>> Thanks for your quick response.  I made the changes you suggest and reconfigured with the following switches
>>> --disable-pluto --disable-revocation --enable-eap-identity --enable-eap-mschapv2 and --enable-md4
>>>
>>> I am now getting much further along in the negotiation.  I am now failing with the error
>>>
>>> parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ]
>>> Auth payload missing
>>>
>>>
>>> The is after I get the message EAP method EAP_MSCHAPV2 succeeded, MSK established.
>>>
>>>
>>> Let me know if you need complete logs, and thanks again for such a quick response.
>>>
>>>
>>> Matt Hymowitz, CISSP
>>> Manager
>>> GMP Networks, LLC
>>> 520 577-3891

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==




More information about the Users mailing list