[strongSwan] Win7 machine certificate connection failing

Paton, Andy andy.paton at hp.com
Wed Jul 10 23:12:31 CEST 2013


Can you post details of your certificates, both the machine cert for the gateway and the device cert?

--
Andrew Paton



On 10 Jul 2013, at 21:55, "Gregg Hughes" <ghughes at iscinternational.com> wrote:

Good afternoon, all!

I've been working on getting a Strongswan installation running on a VMware Workstation test platform. The server is Ubuntu Server 12.04 with Strongswan 4.5.2 from the Ubuntu repository.
I've been able to get a net-net test config to work, but have had trouble with a roadwarrior config. I think it's a problem with certificates because I get "Error 13801: IKE authentication credentials are unacceptable", so I know the client is reaching the server and trying to get in.


I followed the examples listed here, working on an X.509 machine certificate to start:  http://wiki.strongswan.org/projects/strongswan/wiki/Windows7  I used the multiple client configs and the instructions on importing certificates into Win7.

All certs were generated and signed on the strongswan server and are in the proper directories under /etc/ipsec.d. Content of ipsec.conf and greps from auth.log and syslog are also below.

I confess to being at a loss as to why I am still getting the Error 13801 after several hours troubleshooting.

Thanks in advance!



Gregg



# ipsec.conf - strongSwan1 IPsec configuration file

# basic configuration

config setup
                # plutodebug=all
                # crlcheckinterval=180
                # strictcrlpolicy=no
                # cachecrls=yes
                # nat_traversal=yes
                charonstart=yes
                plutostart=no

# Add connections here.

conn %default
                ikelifetime=60m
                keylife=20m
                rekeymargin=3m
                keyingtries=1
                # authby=secret
                keyexchange=ikev2
                # mobike=no


conn net-net
                left=192.168.91.163
                leftsubnet=10.1.0.0/16
                leftid=@strongswan1
                leftfirewall=yes
                right=192.168.91.160
                rightsubnet=10.2.0.0/16
                rightid=@strongswan2
                auto=add

conn Win7
                left=%defaultroute
                # leftcert=cacert.pem
                leftsubnet=10.1.0.0/16
                leftid=strongswan1
                right=%any
                rightsourceip=192.168.93.0/24
                # rightauth=eap-mschapv2
                # rightsendcert=never
                # eap_identity=%any
                # rightcert=client1cert.pem
                # keyexchange=ikev2
                auto=add

include /var/lib/strongswan/ipsec.conf.inc


----------------------------------------
auth.log cuts

Jul 10 15:20:28 strongswan1 charon: 03[IKE] 192.168.91.166 is initiating an IKE_SA
Jul 10 15:21:51 strongswan1 ipsec_starter[1606]: charon stopped after 200 ms
Jul 10 15:21:54 strongswan1 ipsec_starter[1641]: charon (1667) started after 60 ms
Jul 10 15:23:02 strongswan1 ipsec_starter[1641]: charon stopped after 200 ms
Jul 10 15:23:25 strongswan1 ipsec_starter[931]: charon (939) started after 1120 ms
Jul 10 15:32:19 strongswan1 ipsec_starter[999]: charon (1003) started after 1060 ms
Jul 10 15:32:43 strongswan1 charon: 13[IKE] 192.168.91.166 is initiating an IKE_SA


--------------------------------------------
syslog cuts

Jul 10 15:32:20 strongswan1 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
Jul 10 15:32:19 strongswan1 charon: 00[KNL] listening on interfaces:
Jul 10 15:32:19 strongswan1 charon: 00[KNL]   eth0
Jul 10 15:32:19 strongswan1 charon: 00[KNL]     192.168.91.163
Jul 10 15:32:19 strongswan1 charon: 00[KNL]     fe80::20c:29ff:fecd:2c6b
Jul 10 15:32:19 strongswan1 charon: 00[KNL]   eth1
Jul 10 15:32:19 strongswan1 charon: 00[KNL]     10.1.0.1
Jul 10 15:32:19 strongswan1 charon: 00[KNL]     fe80::20c:29ff:fecd:2c75
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 10 15:32:19 strongswan1 charon: 00[CFG]   loaded ca certificate "C=US, ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com" from '/etc/ipsec.d/cacerts/cacert.pem'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 10 15:32:19 strongswan1 charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/cakey.pem'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Jul 10 15:32:19 strongswan1 charon: 00[CFG] sql plugin: database URI not set
Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loaded 0 RADIUS server configurations
Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'medsrv' failed to load: /usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object file: No such file or directory
Jul 10 15:32:19 strongswan1 charon: 00[CFG] mediation client database URI not defined, skipped
Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'medcli': failed to load - medcli_plugin_create returned NULL
Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'nm' failed to load: /usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object file: No such file or directory
Jul 10 15:32:19 strongswan1 charon: 00[CFG] HA config misses local/remote address
Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Jul 10 15:32:19 strongswan1 charon: 00[DMN] loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Jul 10 15:32:19 strongswan1 charon: 00[JOB] spawning 16 worker threads
Jul 10 15:32:19 strongswan1 charon: 05[CFG] received stroke: add connection 'net-net'
Jul 10 15:32:19 strongswan1 charon: 05[CFG] added configuration 'net-net'
Jul 10 15:32:19 strongswan1 charon: 10[CFG] received stroke: add connection 'Win7'
Jul 10 15:32:19 strongswan1 charon: 10[CFG] added configuration 'Win7'
Jul 10 15:32:19 strongswan1 charon: 10[CFG] adding virtual IP address pool 'Win7': 192.168.93.0/24
Jul 10 15:32:43 strongswan1 charon: 13[NET] received packet: from 192.168.91.166[500] to 192.168.91.163[500]
Jul 10 15:32:43 strongswan1 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 10 15:32:43 strongswan1 charon: 13[IKE] 192.168.91.166 is initiating an IKE_SA
Jul 10 15:32:43 strongswan1 charon: 13[IKE] sending cert request for "C=US, ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"
Jul 10 15:32:43 strongswan1 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 10 15:32:43 strongswan1 charon: 13[NET] sending packet: from 192.168.91.163[500] to 192.168.91.166[500]
Jul 10 15:32:43 strongswan1 charon: 14[NET] received packet: from 192.168.91.166[4500] to 192.168.91.163[4500]
Jul 10 15:32:43 strongswan1 charon: 14[ENC] unknown attribute type INTERNAL_IP4_SERVER
Jul 10 15:32:43 strongswan1 charon: 14[ENC] unknown attribute type INTERNAL_IP6_SERVER
Jul 10 15:32:43 strongswan1 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Jul 10 15:32:43 strongswan1 charon: 14[IKE] received cert request for "C=US, ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"
Jul 10 15:32:43 strongswan1 charon: 14[IKE] received 8 cert requests for an unknown ca
Jul 10 15:32:43 strongswan1 charon: 14[IKE] received end entity cert "C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"
Jul 10 15:32:43 strongswan1 charon: 14[CFG] looking for peer configs matching 192.168.91.163[%any]...192.168.91.166[C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com]
Jul 10 15:32:43 strongswan1 charon: 14[CFG] selected peer config 'Win7'
Jul 10 15:32:43 strongswan1 charon: 14[CFG]   using certificate "C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"
Jul 10 15:32:43 strongswan1 charon: 14[CFG]   using trusted ca certificate "C=US, ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"
Jul 10 15:32:43 strongswan1 charon: 14[CFG] checking certificate status of "C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"
Jul 10 15:32:43 strongswan1 charon: 14[CFG] certificate status is not available
Jul 10 15:32:43 strongswan1 charon: 14[CFG]   reached self-signed root ca with a path length of 0
Jul 10 15:32:43 strongswan1 charon: 14[IKE] authentication of 'C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com' with RSA signature successful
Jul 10 15:32:43 strongswan1 charon: 14[IKE] peer supports MOBIKE
Jul 10 15:32:43 strongswan1 charon: 14[IKE] no private key found for 'strongswan1'
Jul 10 15:32:43 strongswan1 charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 10 15:32:43 strongswan1 charon: 14[NET] sending packet: from 192.168.91.163[4500] to 192.168.91.166[4500]


Gregg Hughes
IT Administrator
www.iscinternational.com
414.721.0301 phone
262.313.3106 fax






_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
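The log above ends with "no private key found for 'strongswan1'" right before charon answers N(AUTH_FAILED), and the only key it loaded was cakey.pem, while leftcert is commented out. The following script is an added example, not part of this thread or of strongSwan itself: it checks that a gateway certificate and private key belong together and prints the identities (subject DN and subjectAltName) that leftid would have to match. It assumes openssl is installed; the file names under the demo directory (cacert.pem, cakey.pem, strongswan1Cert.pem, strongswan1Key.pem) are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): verify a strongSwan gateway's
# certificate/private-key pairing and show the identities leftid must match.
set -eu

# Print the DN and any subjectAltName of a certificate; leftid has to be
# one of these for charon to pick the cert as the gateway's own credential.
cert_identities() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null || true
}

# Return 0 when the private key ($2) matches the cert's ($1) public key,
# 1 otherwise. Comparing public-key digests avoids dumping key material.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed demo material: a throwaway CA and a gateway cert it signs.
# Returns the temp directory holding the files.
demo_setup() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demoCA" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=strongswan1" \
        -keyout "$d/strongswan1Key.pem" -out "$d/req.pem" 2>/dev/null
    openssl x509 -req -in "$d/req.pem" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -days 1 -out "$d/strongswan1Cert.pem" 2>/dev/null
    echo "$d"
}

# Stand-alone run: the gateway key matches its cert, the CA key does not,
# which is the situation when only cakey.pem is listed in ipsec.secrets.
if [ "${1:-}" = "demo" ]; then
    D=$(demo_setup)
    cert_identities "$D/strongswan1Cert.pem"
    cert_key_match "$D/strongswan1Cert.pem" "$D/strongswan1Key.pem" && echo "gateway key: match"
    cert_key_match "$D/strongswan1Cert.pem" "$D/cakey.pem" || echo "ca key: no match"
fi
```

Run it as `sh check.sh demo` for the constructed case, or call cert_key_match with the real leftcert and the key named in ipsec.secrets.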