[strongSwan] Windows 7 IKEv2 Error

Chris Arnold carnold at electrichendrix.com
Tue Dec 31 21:57:30 CET 2013 

Stongswan 4.4.x on SLES11 SP2. A windows 7 client using ikev2 is trying to connect using rclients config from ipsec.conf. They get a invalid payload received from the windows 7 client. Here is the exchange from windows 7 to strongswan server:

received packet: from 98.26.22x.xx[500] to 192.168.1.18[500]
07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
07[IKE] 98.26.22x.xx is initiating an IKE_SA
07[IKE] local host is behind NAT, sending keep alives
07[IKE] remote host is behind NAT
07[IKE] sending cert request for "C=US, ST=NC, L=Durham, O=Edens Land Corp, OU=ELC, CN=name, E=email address"
07[IKE] sending cert request for "C=US, ST=North Carolina, L=Durham, O=Edens Land Corp, OU=ELC, CN=name, E=email address"
07[IKE] sending cert request for "C=CH, O=Edens Land Corp, CN=Edens Land Corp CA"
07[IKE] sending cert request for "C=FI, O=Test, CN=Test CA"
07[IKE] sending cert request for "C=CH, O=Edens Land Corp. CN=ELC RW VPN"
07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
07[NET] sending packet: from 192.168.1.18[500] to 98.26.22x.xx[500]
03[NET] received packet: from 98.26.22x.xx[4500] to 192.168.1.18[4500]
03[ENC]   not enough input to parse rule 10 ENCRYPTED_DATA
03[ENC] payload type ENCRYPTED could not be parsed
03[IKE] message parsing failed
03[ENC] generating IKE_AUTH response 1 [ N(INVAL_SYN) ]
03[NET] sending packet: from 192.168.1.18[500] to 98.26.22x.xx[500]
03[IKE] IKE_AUTH request with message ID 1 processing failed

Here is the ipsec config:
conn rclientscerts
        rekey=no
        left=%any
        leftauth=pubkey
        leftcert=server_cert.crt
        leftid=@24.211.x.xx
        leftsubnet=0.0.0.0/0
        right=%any
        rightsourceip=192.168.2.0/24
        #rightauth=eap-mschapv2
        #rightsendcert=never
        #eap_identity=%any
        mobike=yes
        auto=add

This use to work until we moved offices and got a new public ip. The above leftid reflects the new public ip. I just thought about something, the CN in the cert, does it need to reflect the new public ip? Not sure if that would matter....
We have a site to site VPN with this same office and that works fine. Any ideas?

More information about the Users mailing list