[strongSwan] Win7 machine certificate connection failing

Gregg Hughes ghughes at iscinternational.com
Wed Jul 10 22:50:46 CEST 2013


Good afternoon, all!

I've been working on getting a Strongswan installation running on a VMware
Workstation test platform. The server is Ubuntu Server 12.04 with
Strongswan 4.5.2 from the Ubuntu repository.

I've been able to get a net-net test config to work, but have had trouble
with a roadwarrior config. I think it's a problem with certificates because
I get "Error 13801: IKE authentication credentials are unacceptable", so I
know the client is reaching the server and trying to get in.

I followed the examples listed here, working on an X.509 machine certificate
to start: http://wiki.strongswan.org/projects/strongswan/wiki/Windows7. I
used the multiple client configs and the instructions on importing
certificates into Win7.

All certs were generated and signed on the strongswan server and are in the
proper directories under /etc/ipsec.d. The content of ipsec.conf and greps
from auth.log and syslog follow below.

I confess to being at a loss as to why I am still getting the Error 13801
after several hours of troubleshooting.

Thanks in advance!

Gregg


# ipsec.conf - strongSwan1 IPsec configuration file

# basic configuration

config setup
        # plutodebug=all
        # crlcheckinterval=180
        # strictcrlpolicy=no
        # cachecrls=yes
        # nat_traversal=yes
        charonstart=yes
        plutostart=no

# Add connections here.

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        # authby=secret
        keyexchange=ikev2
        # mobike=no

conn net-net
        left=192.168.91.163
        leftsubnet=10.1.0.0/16
        leftid=@strongswan1
        leftfirewall=yes
        right=192.168.91.160
        rightsubnet=10.2.0.0/16
        rightid=@strongswan2
        auto=add

conn Win7
        left=%defaultroute
        # leftcert=cacert.pem
        leftsubnet=10.1.0.0/16
        leftid=strongswan1
        right=%any
        rightsourceip=192.168.93.0/24
        # rightauth=eap-mschapv2
        # rightsendcert=never
        # eap_identity=%any
        # rightcert=client1cert.pem
        # keyexchange=ikev2
        auto=add

include /var/lib/strongswan/ipsec.conf.inc


----------------------------------------

auth.log cuts

Jul 10 15:20:28 strongswan1 charon: 03[IKE] 192.168.91.166 is initiating an IKE_SA
Jul 10 15:21:51 strongswan1 ipsec_starter[1606]: charon stopped after 200 ms
Jul 10 15:21:54 strongswan1 ipsec_starter[1641]: charon (1667) started after 60 ms
Jul 10 15:23:02 strongswan1 ipsec_starter[1641]: charon stopped after 200 ms
Jul 10 15:23:25 strongswan1 ipsec_starter[931]: charon (939) started after 1120 ms
Jul 10 15:32:19 strongswan1 ipsec_starter[999]: charon (1003) started after 1060 ms
Jul 10 15:32:43 strongswan1 charon: 13[IKE] 192.168.91.166 is initiating an IKE_SA


--------------------------------------------

syslog cuts

Jul 10 15:32:20 strongswan1 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
Jul 10 15:32:19 strongswan1 charon: 00[KNL] listening on interfaces:
Jul 10 15:32:19 strongswan1 charon: 00[KNL]   eth0
Jul 10 15:32:19 strongswan1 charon: 00[KNL]     192.168.91.163
Jul 10 15:32:19 strongswan1 charon: 00[KNL]     fe80::20c:29ff:fecd:2c6b
Jul 10 15:32:19 strongswan1 charon: 00[KNL]   eth1
Jul 10 15:32:19 strongswan1 charon: 00[KNL]     10.1.0.1
Jul 10 15:32:19 strongswan1 charon: 00[KNL]     fe80::20c:29ff:fecd:2c75
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 10 15:32:19 strongswan1 charon: 00[CFG]   loaded ca certificate "C=US, ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com" from '/etc/ipsec.d/cacerts/cacert.pem'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 10 15:32:19 strongswan1 charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/cakey.pem'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Jul 10 15:32:19 strongswan1 charon: 00[CFG] sql plugin: database URI not set
Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loaded 0 RADIUS server configurations
Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'medsrv' failed to load: /usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object file: No such file or directory
Jul 10 15:32:19 strongswan1 charon: 00[CFG] mediation client database URI not defined, skipped
Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'medcli': failed to load - medcli_plugin_create returned NULL
Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'nm' failed to load: /usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object file: No such file or directory
Jul 10 15:32:19 strongswan1 charon: 00[CFG] HA config misses local/remote address
Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Jul 10 15:32:19 strongswan1 charon: 00[DMN] loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Jul 10 15:32:19 strongswan1 charon: 00[JOB] spawning 16 worker threads
Jul 10 15:32:19 strongswan1 charon: 05[CFG] received stroke: add connection 'net-net'
Jul 10 15:32:19 strongswan1 charon: 05[CFG] added configuration 'net-net'
Jul 10 15:32:19 strongswan1 charon: 10[CFG] received stroke: add connection 'Win7'
Jul 10 15:32:19 strongswan1 charon: 10[CFG] added configuration 'Win7'
Jul 10 15:32:19 strongswan1 charon: 10[CFG] adding virtual IP address pool 'Win7': 192.168.93.0/24
Jul 10 15:32:43 strongswan1 charon: 13[NET] received packet: from 192.168.91.166[500] to 192.168.91.163[500]
Jul 10 15:32:43 strongswan1 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 10 15:32:43 strongswan1 charon: 13[IKE] 192.168.91.166 is initiating an IKE_SA
Jul 10 15:32:43 strongswan1 charon: 13[IKE] sending cert request for "C=US, ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"
Jul 10 15:32:43 strongswan1 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 10 15:32:43 strongswan1 charon: 13[NET] sending packet: from 192.168.91.163[500] to 192.168.91.166[500]
Jul 10 15:32:43 strongswan1 charon: 14[NET] received packet: from 192.168.91.166[4500] to 192.168.91.163[4500]
Jul 10 15:32:43 strongswan1 charon: 14[ENC] unknown attribute type INTERNAL_IP4_SERVER
Jul 10 15:32:43 strongswan1 charon: 14[ENC] unknown attribute type INTERNAL_IP6_SERVER
Jul 10 15:32:43 strongswan1 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Jul 10 15:32:43 strongswan1 charon: 14[IKE] received cert request for "C=US, ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"
Jul 10 15:32:43 strongswan1 charon: 14[IKE] received 8 cert requests for an unknown ca
Jul 10 15:32:43 strongswan1 charon: 14[IKE] received end entity cert "C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"
Jul 10 15:32:43 strongswan1 charon: 14[CFG] looking for peer configs matching 192.168.91.163[%any]...192.168.91.166[C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com]
Jul 10 15:32:43 strongswan1 charon: 14[CFG] selected peer config 'Win7'
Jul 10 15:32:43 strongswan1 charon: 14[CFG]   using certificate "C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"
Jul 10 15:32:43 strongswan1 charon: 14[CFG]   using trusted ca certificate "C=US, ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"
Jul 10 15:32:43 strongswan1 charon: 14[CFG] checking certificate status of "C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"
Jul 10 15:32:43 strongswan1 charon: 14[CFG] certificate status is not available
Jul 10 15:32:43 strongswan1 charon: 14[CFG]   reached self-signed root ca with a path length of 0
Jul 10 15:32:43 strongswan1 charon: 14[IKE] authentication of 'C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com' with RSA signature successful
Jul 10 15:32:43 strongswan1 charon: 14[IKE] peer supports MOBIKE
Jul 10 15:32:43 strongswan1 charon: 14[IKE] no private key found for 'strongswan1'
Jul 10 15:32:43 strongswan1 charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 10 15:32:43 strongswan1 charon: 14[NET] sending packet: from 192.168.91.163[4500] to 192.168.91.166[4500]



Gregg Hughes
IT Administrator
www.iscinternational.com
414.721.0301 phone
262.313.3106 fax
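The syslog excerpt ends with the server authenticating the client's certificate and then failing on its own side ("no private key found for 'strongswan1'"), after having loaded only the CA key from /etc/ipsec.d/private/cakey.pem, with leftcert commented out in conn Win7. The following triage script is an added example, not code from the post or from strongSwan: it parses a minimal ipsec.conf and a few charon log lines and reports exactly those symptoms so they can be checked before reading the full log. The config and log lines embedded below are excerpted from the post; the rule that a key file named "cakey" is a CA key rather than a host key, and the finding texts, are assumptions of this example.

```python
"""Triage helper for a strongSwan 'no private key found' IKE_AUTH failure.

Added example, not strongSwan's or the poster's code. It cross-checks the
conn sections of an ipsec.conf against charon log lines and lists the
mismatches a reviewer would look at first.
"""
import re

# Excerpt of the poster's ipsec.conf (the Win7 roadwarrior conn), embedded so
# the script runs offline.
SAMPLE_CONF = """\
config setup
        charonstart=yes
        plutostart=no

conn %default
        keyexchange=ikev2

conn Win7
        left=%defaultroute
        # leftcert=cacert.pem
        leftsubnet=10.1.0.0/16
        leftid=strongswan1
        right=%any
        rightsourceip=192.168.93.0/24
        auto=add
"""

# Excerpt of the poster's syslog lines, embedded so the script runs offline.
SAMPLE_LOG = """\
Jul 10 15:32:19 strongswan1 charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/cakey.pem'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Jul 10 15:32:43 strongswan1 charon: 14[IKE] authentication of 'C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com' with RSA signature successful
Jul 10 15:32:43 strongswan1 charon: 14[IKE] no private key found for 'strongswan1'
Jul 10 15:32:43 strongswan1 charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""


def parse_ipsec_conf(text):
    """Return {'conn NAME': {key: value, '_commented': {key: value}}, ...}.

    Active 'key=value' lines go into the section dict; lines commented out
    with '#' are kept under '_commented' so the audit can mention them.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^(conn|config|ca)\s+(\S+)$", line)
        if m:
            current = sections.setdefault(f"{m.group(1)} {m.group(2)}", {"_commented": {}})
            continue
        if current is None:
            continue
        commented = line.startswith("#")
        body = line.lstrip("# ").strip()
        if "=" not in body:
            continue  # comments without a setting, 'include' lines, etc.
        key, _, value = body.partition("=")
        target = current["_commented"] if commented else current
        target[key.strip()] = value.strip()
    return sections


def audit(conf, log_text):
    """Cross-check roadwarrior conns against the charon log; return findings."""
    findings = []
    for name, opts in conf.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        # A responder accepting any peer must name its own certificate.
        if opts.get("right") == "%any" and "leftcert" not in opts:
            note = f"{name}: right=%any but no leftcert set"
            if "leftcert" in opts["_commented"]:
                note += f" (commented: leftcert={opts['_commented']['leftcert']})"
            findings.append(note)
    for line in log_text.splitlines():
        m = re.search(r"loaded RSA private key from '([^']+)'", line)
        if m and "cakey" in m.group(1):  # assumption: 'cakey' names the CA key
            findings.append(f"CA private key loaded as a host key: {m.group(1)}")
        if "expanding file expression" in line and "failed" in line:
            findings.append("ipsec.secrets include failed: " + line.split("expression ", 1)[1])
        m = re.search(r"no private key found for '([^']+)'", line)
        if m:
            findings.append(f"no private key for identity {m.group(1)!r}: leftcert/ipsec.secrets mismatch")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ipsec_conf(SAMPLE_CONF), SAMPLE_LOG):
        print("-", finding)
```

The script reports four findings for the excerpt: the Win7 conn has right=%any with leftcert commented out, the only private key charon loaded is the CA key, the ipsec.secrets include could not be expanded, and the IKE_AUTH step found no key for the identity 'strongswan1'. In strongSwan, leftcert names the host's own end-entity certificate and the matching private key has to be listed in ipsec.secrets; the CA key is only used to sign certificates, so loading it alone leaves the responder without a key to sign its own AUTH payload.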