[strongSwan] Strongswan responder QM fails, Windows 7 initiating

Steve DeLaney onramp123 at yahoo.com
Thu Jul 18 23:16:43 CEST 2013



Hi, we are bringing up a VPN between strongswan and windows 7
We see a strange problem.  When strongswan initiates to windows, the VPN is up OK.
But when strongswan responds, the negotiation fails in Phase 2 quick mode.
The main mode ECDSA cert auth is OK, but not quick mode.

Can someone please comment and see if we are missing something?

After a lot of trial and error, I ended up writing a windows netsh script to automate the firewall rule.
It is included below in the hopes it will be helpful to others.


In our configuration we are using ECDSA-P256 machine certificate

The strongswan wiki is very helpful to get up to speed on how to configure the Windows
firewall from the MMC snap-in and the netsh command line.

wiki.strongswan.org/projects/strongswan/wiki/WindowsSuiteB


However, the IKE main mode methods (mmsecmethods) used in that example include ECDHP256,
but we don't use it.  Instead, we use a standard DH group 2 (modp1024).

Strongswan configuration:


ike=aes128-sha256-modp1024!
esp=aes128-sha1!

Windows rule:

dhgroup2:aes128-sha256
auth1=computercertecdsap256
auth1ecdsap256ca=...


Here is the netsh script that does the complete setup of the firewall rule.
After the machine certificates are installed, this script is run and adds the rule from scratch.


rem restart windows firewall:
net stop mpssvc
net start mpssvc

rem configure global IPSec mainmode settings:
netsh advfirewall set global mainmode mmsecmethods dhgroup2:aes128-sha256
netsh advfirewall show global


rem configure the suiteb firewall rule:

netsh advfirewall consec del rule name=suiteb

netsh advfirewall consec add rule name=suiteb ^
description="SuiteB Configuration"       ^
endpoint1=192.168.0.1                         ^
endpoint2=192.168.0.100                       ^
action=requireinrequireout                    ^
qmsecmethods=esp:sha1-aes128                  ^
auth1=computercertecdsap256                   ^
auth1ecdsap256ca="O=\'XYZ Company\', OU=Operations, E=info at xyz.com, L=Anytown, S=CA, C=US, CN=\'XYZ Company\'"


netsh advfirewall consec show rule name=suiteb
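For reference, the strongSwan side that matches the netsh rule above, written as an added example and not taken from the original post. The IP addresses and proposals are the ones given in the post; the certificate file name and the DNs are placeholders (the real subject DN of each machine certificate and of the CA named in auth1ecdsap256ca must be used instead).

```ini
# Added example: ipsec.conf fragment matching the Windows 7 rule
# (IKEv1 main mode, ECDSA-P256 machine certificates, DH group 2,
# AES-128/SHA-256 for IKE, AES-128/SHA-1 for ESP, transport mode).
config setup
        # optional: more verbose IKE/config logging helps when quick mode fails
        charondebug="ike 2, cfg 2, knl 1"

conn windows7-suiteb
        # Windows connection security rules with computer-certificate
        # auth negotiate IKEv1, so pin the exchange type
        keyexchange=ikev1
        # proposals as in the post; the trailing '!' makes them strict
        ike=aes128-sha256-modp1024!
        esp=aes128-sha1!
        # certificate authentication (ECDSA certificates use pubkey)
        authby=pubkey
        # strongSwan side = endpoint1 of the netsh rule
        left=192.168.0.1
        # placeholder: the strongSwan ECDSA machine certificate in /etc/ipsec.d/certs
        leftcert=strongswanCert.pem
        # Windows 7 side = endpoint2 of the netsh rule
        right=192.168.0.100
        # placeholder: subject DN of the Windows machine certificate
        rightid="C=US, ST=CA, L=Anytown, O=XYZ Company, OU=Operations, CN=win7.example"
        # placeholder: DN of the issuing CA (auth1ecdsap256ca in the netsh rule)
        rightca="C=US, ST=CA, L=Anytown, O=XYZ Company, OU=Operations, CN=XYZ Company"
        # netsh consec rules default to transport mode between the two endpoints
        type=transport
        auto=add
```

When Windows initiates, compare the quick mode proposal it sends (visible in the charon log with the debug levels above) against the strict esp= line; any mismatch in cipher, integrity or PFS group will reject the QM exchange while main mode still succeeds.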