[strongSwan] IKEV2 windows 2008 r2
Matthew F. Hymowitz
mhymowitz at gmpnet.net
Sat Nov 12 23:27:24 CET 2011
Thanks again for all your help. This worked perfectly.
Matt Hymowitz, CISSP
Manager
GMP Networks, LLC
520 577-3891
________________________________________
From: Andreas Steffen [andreas.steffen at strongswan.org]
Sent: Friday, November 11, 2011 7:56 AM
To: Matthew F. Hymowitz
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] IKEV2 windows 2008 r2
Hi Matt,
in my opinion the subject Distinguished Name contained in
the server certificate should be the rightid:
rightid="CN=verrado.aaronline.com"
Regards
Andreas
On 09.11.2011 04:56, Matthew F. Hymowitz wrote:
> Andreas
>
> Got it working. I needed to add rightsubnet=192.168.1.0/24 to the connection. I still have a question about removing rightid=%any
>
> Thanks again for all your help.
>
>
> Matt Hymowitz, CISSP
> Manager
> GMP Networks, LLC
> 520 577-3891
> ________________________________________
> From: Matthew F. Hymowitz
> Sent: Tuesday, November 08, 2011 6:00 PM
> To: Andreas Steffen
> Cc: users at lists.strongswan.org
> Subject: RE: [strongSwan] IKEV2 windows 2008 r2
>
> Hi Andreas
>
> With your expert help, I am now able to establish a connection between my two sites. From my Ubuntu box I am able to ping 192.168.1.45, which I think is my local VPN adapter. I cannot, however, ping 192.168.1.43, which I think is the Windows PPP adapter. I do not see any entries for 192.168.1.x when I do a netstat -r (should I?). I also cannot ping anything else on the 192.168.1.x network.
>
>
> I greatly appreciate all the help you are providing me. Thank you again.
>
> sudo ipsec statusall shows the following:
>
>
> Status of IKEv2 charon daemon (strongSwan 4.5.3):
> uptime: 16 minutes, since Nov 08 17:33:32 2011
> malloc: sbrk 270336, mmap 0, used 154064, free 116272
> worker threads: 9 of 16 idle, 6/1/0/0 working, job queue: 0/0/0/0, scheduled: 3
> loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2
> Listening IP addresses:
> 10.0.0.106
> Connections:
> net-net: 10.0.0.106...66.238.30.124
> net-net: local: [10.0.0.106] uses EAP_MSCHAPV2 authentication with EAP identity 'matt'
> net-net: remote: [%any] uses public key authentication
> net-net: child: dynamic === dynamic TUNNEL
> Security Associations (1 up, 0 connecting):
> net-net[1]: ESTABLISHED 16 minutes ago, 10.0.0.106[10.0.0.106]...66.238.30.124[CN=verrado.aaronline.com]
> net-net[1]: IKE SPIs: d970b6f80746b929_i* 0b2a24b30601e1e3_r, EAP reauthentication in 39 minutes
> net-net[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>
> Also, I had to add %any for rightid; it says it is looking for verrado's IP address, and when I put that in there it still complains. Not sure what the rightid should really be.
>
>
> Here is my current config (I did change IP addresses on the Ubuntu machine since the last config I sent you).
>
> # /etc/ipsec.conf - strongSwan IPsec configuration file
> config setup
>     crlcheckinterval=0s
>     strictcrlpolicy=no
>     plutostart=no
>     nat_traversal=yes
>     charonstart=yes
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>     mobike=no
>     forceencaps=yes
>
> conn net-net
>     left=10.0.0.106
>     leftsourceip=%config
>     leftfirewall=yes
>     leftauth=eap-mschapv2
>     eap_identity=matt
>     right=verrado.aaronline.com
>     rightid=%any
>     rightauth=pubkey
>     auto=add
>
> ca carefree-aaronline-ca
>     cacert=/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert
>
> Here is the log file
>
> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
> 00[KNL] listening on interfaces:
> 00[KNL] eth0
> 00[KNL] 10.0.0.106
> 00[KNL] fe80::215:5dff:fe01:6609
> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> 00[CFG] loaded ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" from '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 00[CFG] loaded EAP secret for matt
> 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2
> 00[JOB] spawning 16 worker threads
> 00[DMN] signal of type SIGINT received. Shutting down
> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
> 00[KNL] listening on interfaces:
> 00[KNL] eth0
> 00[KNL] 10.0.0.106
> 00[KNL] fe80::215:5dff:fe01:6609
> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> 00[CFG] loaded ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" from '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 00[CFG] loaded EAP secret for matt
> 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2
> 00[JOB] spawning 16 worker threads
> 00[DMN] signal of type SIGINT received. Shutting down
> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
> 00[KNL] listening on interfaces:
> 00[KNL] eth0
> 00[KNL] 10.0.0.106
> 00[KNL] fe80::215:5dff:fe01:6609
> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> 00[CFG] loaded ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" from '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 00[CFG] loaded EAP secret for matt
> 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2
> 00[JOB] spawning 16 worker threads
> 09[CFG] received stroke: add connection 'net-net'
> 09[CFG] added configuration 'net-net'
> 11[CFG] received stroke: initiate 'net-net'
> 13[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
> 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 13[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500]
> 02[IKE] retransmit 1 of request with message ID 0
> 02[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500]
> 14[IKE] retransmit 2 of request with message ID 0
> 14[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500]
> 15[NET] received packet: from 66.238.30.124[500] to 10.0.0.106[500]
> 15[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> 15[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
> 15[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
> 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 15[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500]
> 16[NET] received packet: from 66.238.30.124[500] to 10.0.0.106[500]
> 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 16[IKE] local host is behind NAT, sending keep alives
> 16[IKE] remote host is behind NAT
> 16[IKE] sending cert request for "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA"
> 16[IKE] establishing CHILD_SA net-net
> 16[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CP(ADDR DNS) SA TSi TSr N(EAP_ONLY) ]
> 16[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
> 01[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
> 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> 01[IKE] received end entity cert "CN=verrado.aaronline.com"
> 01[CFG] using certificate "CN=verrado.aaronline.com"
> 01[CFG] using trusted ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA"
> 01[CFG] reached self-signed root ca with a path length of 0
> 01[IKE] authentication of 'CN=verrado.aaronline.com' with RSA signature successful
> 01[IKE] server requested EAP_IDENTITY (id 0x00), sending 'matt'
> 01[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
> 01[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
> 09[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
> 09[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
> 09[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
> 09[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
> 09[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
> 10[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
> 10[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> 10[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
> 10[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
> 10[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
> 12[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
> 12[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
> 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
> 12[IKE] authentication of '10.0.0.106' (myself) with EAP
> 12[ENC] generating IKE_AUTH request 5 [ AUTH ]
> 12[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
> 13[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
> 13[ENC] parsed IKE_AUTH response 5 [ AUTH N(MOBIKE_SUP) CP(ADDR DNS DNS) SA TSi TSr ]
> 13[IKE] authentication of 'CN=verrado.aaronline.com' with EAP successful
> 13[IKE] IKE_SA net-net[1] established between 10.0.0.106[10.0.0.106]...66.238.30.124[CN=verrado.aaronline.com]
> 13[IKE] scheduling reauthentication in 3335s
> 13[IKE] maximum IKE_SA lifetime 3515s
> 13[IKE] installing DNS server 192.168.1.3 to /usr/local/etc/resolv.conf
> 13[IKE] installing DNS server 192.168.1.5 to /usr/local/etc/resolv.conf
> 13[IKE] installing new virtual IP 192.168.1.45
> 13[IKE] CHILD_SA net-net{1} established with SPIs c7f02950_i e7875dae_o and TS 192.168.1.45/32 === 66.238.30.124/32
> 11[IKE] sending keep alive
> 11[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
> 13[IKE] sending keep alive
>
>
> Matt Hymowitz, CISSP
> Manager
> GMP Networks, LLC
> 520 577-3891
> ________________________________________
> From: Andreas Steffen [andreas.steffen at strongswan.org]
> Sent: Tuesday, November 08, 2011 10:22 AM
> To: Matthew F. Hymowitz
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] IKEV2 windows 2008 r2
>
> Hello Matt,
>
> the Windows Server 2008 r2 expects strongSwan
> to request a virtual IP address to be used
> as a source address within the IPsec tunnel.
> Therefore add this statement:
>
> leftsourceip=%config
>
> With a virtual IP address
>
> leftsubnet=10.0.0.0/24
>
> doesn't make much sense, so you'd better
> omit the leftsubnet statement.
>
> Regards
>
> Andreas
>
> On 08.11.2011 16:21, Matthew F. Hymowitz wrote:
>> Thanks again for your help Andreas
>>
>> Here is the current config and non-debug log file:
>>
>> -Matt
>>
>>
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> config setup
>>     crlcheckinterval=0s
>>     strictcrlpolicy=no
>>     cachecrls=yes
>>     nat_traversal=yes
>>     charonstart=yes
>>     plutostart=no
>>
>> # Add connections here.
>>
>> # Sample VPN connections
>>
>> #conn sample-self-signed
>> #     left=%defaultroute
>> #     leftsubnet=10.10.0.0/16
>> #     leftcert=selfCert.der
>> #     leftsendcert=never
>> #     right=192.168.0.2
>> #     rightsubnet=10.2.0.0/16
>> #     rightcert=peerCert.der
>> #     auto=start
>>
>> conn net-net
>>     left=10.0.0.90
>>     leftsubnet=10.0.0.0/24
>>     leftauth=eap-mschapv2
>>     eap_identity=matt
>>     right=verrado.aaronline.com
>>     rightsubnet=192.168.1.0/24
>>     rightauth=pubkey
>>     keyexchange=ikev2
>>     auto=add
>>
>> ca carefree-aaronline-ca
>>     cacert=/usr/local/etc/ipsec.d/cacert/aaronline.carefree.cert
>>
>>
>> Nov 8 %f 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
>> Nov 8 %f 00[KNL] listening on interfaces:
>> Nov 8 %f 00[KNL] eth0
>> Nov 8 %f 00[KNL] 10.0.0.90
>> Nov 8 %f 00[KNL] fe80::215:5dff:fe01:660d
>> Nov 8 %f 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
>> Nov 8 %f 00[CFG] loaded ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" from '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
>> Nov 8 %f 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
>> Nov 8 %f 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
>> Nov 8 %f 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
>> Nov 8 %f 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
>> Nov 8 %f 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
>> Nov 8 %f 00[CFG] loaded EAP secret for matt
>> Nov 8 %f 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2
>> Nov 8 %f 00[JOB] spawning 16 worker threads
>> Nov 8 %f 10[CFG] crl caching to /usr/local/etc/ipsec.d/crls enabled
>> Nov 8 %f 12[CFG] received stroke: add connection 'net-net'
>> Nov 8 %f 12[CFG] added configuration 'net-net'
>> Nov 8 %f 14[CFG] received stroke: initiate 'net-net'
>> Nov 8 %f 03[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
>> Nov 8 %f 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Nov 8 %f 03[NET] sending packet: from 10.0.0.90[500] to 66.238.30.124[500]
>> Nov 8 %f 16[NET] received packet: from 66.238.30.124[500] to 10.0.0.90[500]
>> Nov 8 %f 16[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
>> Nov 8 %f 16[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
>> Nov 8 %f 16[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
>> Nov 8 %f 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Nov 8 %f 16[NET] sending packet: from 10.0.0.90[500] to 66.238.30.124[500]
>> Nov 8 %f 02[NET] received packet: from 66.238.30.124[500] to 10.0.0.90[500]
>> Nov 8 %f 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Nov 8 %f 02[IKE] local host is behind NAT, sending keep alives
>> Nov 8 %f 02[IKE] remote host is behind NAT
>> Nov 8 %f 02[IKE] sending cert request for "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA"
>> Nov 8 %f 02[IKE] establishing CHILD_SA net-net
>> Nov 8 %f 02[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
>> Nov 8 %f 02[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
>> Nov 8 %f 01[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
>> Nov 8 %f 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
>> Nov 8 %f 01[IKE] received end entity cert "CN=verrado.aaronline.com"
>> Nov 8 %f 01[CFG] using certificate "CN=verrado.aaronline.com"
>> Nov 8 %f 01[CFG] using trusted ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA"
>> Nov 8 %f 01[CFG] reached self-signed root ca with a path length of 0
>> Nov 8 %f 01[IKE] authentication of 'CN=verrado.aaronline.com' with RSA signature successful
>> Nov 8 %f 01[IKE] server requested EAP_IDENTITY (id 0x00), sending 'matt'
>> Nov 8 %f 01[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
>> Nov 8 %f 01[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
>> Nov 8 %f 10[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
>> Nov 8 %f 10[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
>> Nov 8 %f 10[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
>> Nov 8 %f 10[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
>> Nov 8 %f 10[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
>> Nov 8 %f 11[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
>> Nov 8 %f 11[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
>> Nov 8 %f 11[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
>> Nov 8 %f 11[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
>> Nov 8 %f 11[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
>> Nov 8 %f 12[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
>> Nov 8 %f 12[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
>> Nov 8 %f 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
>> Nov 8 %f 12[IKE] authentication of '10.0.0.90' (myself) with EAP
>> Nov 8 %f 12[ENC] generating IKE_AUTH request 5 [ AUTH ]
>> Nov 8 %f 12[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
>> Nov 8 %f 10[IKE] retransmit 1 of request with message ID 5
>> Nov 8 %f 10[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
>> Nov 8 %f 11[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
>> Nov 8 %f 11[ENC] parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ]
>> Nov 8 %f 11[IKE] AUTH payload missing
>> Nov 8 %f 00[DMN] signal of type SIGINT received. Shutting down
>>
>> Matt Hymowitz, CISSP
>> Manager
>> GMP Networks, LLC
>> 520 577-3891
>> ________________________________________
>> From: Andreas Steffen [andreas.steffen at strongswan.org]
>> Sent: Monday, November 07, 2011 10:05 PM
>> To: Matthew F. Hymowitz
>> Cc: users at lists.strongswan.org
>> Subject: Re: [strongSwan] IKEV2 windows 2008 r2
>>
>> Hi Matt,
>>
>> yes, the current ipsec.conf file and the log (but please without
>> increasing the debug level!!!) would help.
>>
>> Regards
>>
>> Andreas
>>
>> On 11/08/2011 12:21 AM, Matthew F. Hymowitz wrote:
>>> Hi Andreas
>>>
>>> Thanks for your quick response. I made the changes you suggested and reconfigured with the following switches
>>> --disable-pluto --disable-revocation --enable-eap-identity --enable-eap-mschapv2 and --enable-md4
>>>
>>> I am now getting much further along in the negotiation. I am now failing with the error
>>>
>>> parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ]
>>> Auth payload missing
>>>
>>>
>>> This is after I get the message EAP method EAP_MSCHAPV2 succeeded, MSK established.
>>>
>>>
>>> Let me know if you need complete logs, and thanks again for such a quick response.
>>>
>>>
>>> Matt Hymowitz, CISSP
>>> Manager
>>> GMP Networks, LLC
>>> 520 577-3891
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
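As an added example (not code from this thread or from the strongSwan project), a small Python check that reads an ipsec.conf like the one posted above together with the charon log, and flags the two points Andreas raised: a pubkey-authenticated peer left at rightid=%any, for which it proposes the subject DN of the certificate the server actually presented, and a fixed leftsubnet combined with leftsourceip=%config. The config and log lines are constructed samples taken from the thread; the parser handles only the "conn" sections of the ipsec.conf syntax.

```python
import re

# Constructed sample: the 'net-net' connection from the thread, still with rightid=%any.
IPSEC_CONF = """\
conn %default
    keyexchange=ikev2
    mobike=no
conn net-net
    left=10.0.0.106
    leftsourceip=%config
    leftauth=eap-mschapv2
    eap_identity=matt
    right=verrado.aaronline.com
    rightid=%any
    rightauth=pubkey
    auto=add
"""

# Constructed sample charon log lines, as quoted in the thread.
CHARON_LOG = """\
01[IKE] received end entity cert "CN=verrado.aaronline.com"
01[IKE] authentication of 'CN=verrado.aaronline.com' with RSA signature successful
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section (ipsec.conf syntax)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def peer_cert_subject(log):
    """Subject DN of the end-entity certificate the peer presented, per the charon log."""
    m = re.search(r'received end entity cert "([^"]+)"', log)
    return m.group(1) if m else None

def lint_conn(name, opts, subject):
    """Checks drawn from the thread's advice for one effective connection; returns messages."""
    msgs = []
    # With rightauth=pubkey, rightid=%any accepts any certificate that chains to a trusted CA.
    if opts.get("rightauth") == "pubkey" and opts.get("rightid") == "%any":
        pin = f'rightid="{subject}"' if subject else "rightid=<subject DN of the server certificate>"
        msgs.append(f"{name}: rightid=%any does not pin the peer identity; use {pin}")
    # leftsourceip=%config requests a virtual IP, so a fixed leftsubnet makes little sense.
    if opts.get("leftsourceip") == "%config" and "leftsubnet" in opts:
        msgs.append(f"{name}: leftsubnet={opts['leftsubnet']} conflicts with leftsourceip=%config; omit leftsubnet")
    return msgs

def lint(conf_text, log_text):
    """Merge %default into each conn (as strongSwan does) and run the checks."""
    conns = parse_conns(conf_text)
    defaults, subject, findings = conns.get("%default", {}), peer_cert_subject(log_text), []
    for name, opts in conns.items():
        if name != "%default":
            findings += lint_conn(name, {**defaults, **opts}, subject)
    return findings
```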