[strongSwan] Strongswan responder QM fails, Windows 7 initiating
onramp123 at yahoo.com
Thu Jul 18 23:16:43 CEST 2013
Hi, we are bringing up a VPN between strongswan and windows 7
We see a strange problem. When strongswan initiates to windows, the VPN is up OK.
But when strongswan responds, the negotiation fails in Phase 2 quick mode.
The main mode ECDSA cert auth is OK, but not quick mode.
Can someone please comment and see if we are missing something?
After a lot of trial and error, I ended up writing a windows netsh script to automate the firewall rule.
It is included below in the hopes it will be helpful to others.
In our configuration we are using ECDSA-P256 machine certificate
The strongswan wiki is very helpful to get up to speed how to configure Windows
firewall from the MMC snap-in and netsh command line.
However the IKE main mode methods (mmsecmethods) used in that example include ECDHP256
but we don't use it. Instead, we use a standard DH group 2 Modp 1024.
Here is the netsh script that does the complete setup of the firewall rule
After the machine certificates are installed, then this script is run and adds the rule from scratch.
rem restart windows firewall:
net stop mpssvc
net start mpssvc
rem configure global IPSec mainmode settings:
netsh advfirewall set global mainmode mmsecmethods dhgroup2:aes128-sha256
netsh advfirewall show global
rem configure the suiteb firewall rule:
netsh advfirewall consec del rule name=suiteb
netsh advfirewall consec add rule name=suiteb ^
description="SuiteB Configuration" ^
auth1ecdsap256ca="O=\'XYZ Company\', OU=Operations, E=info at xyz.com, L=Anytown, S=CA, C=US, CN=\'XYZ Company\'"
netsh advfirewall consec show rule name=suiteb
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users