[strongSwan] FW: FW: Win7 machine certificate connection failing
Paton, Andy
andy.paton at hp.com
Tue Jul 23 07:50:11 CEST 2013
Did you disable IPv6 as part of the VPN connection profile in the Agile VPN client on Windows? I find that this always enables itself. Right-click the VPN connection and click Properties; it's under there somewhere.
--
Andrew Paton
On 22 Jul 2013, at 22:55, "Gregg Hughes" <ghughes at iscinternational.com> wrote:
> Good afternoon, Andreas!
>
> To update: I cleaned out the openssl certs and keys and used the ipsec pki
> utility to re-create the ca and host certs successfully. My ipsec server
> now loads completely and I can (briefly) make a connection with Win7.
> However, I've run into a new and more entertaining error.
>
> My Win7 test machine makes the connection, then throws an "Error 13843:
> Invalid payload received." The Win7 client then asks for a disconnect which
> the server provides. Apparently, the peer is requesting a virtual IP of
> %any6, as shown here in this syslog clip:
>
> Jul 22 16:26:27 strongswan1 charon: 06[IKE] IKE_SA rw-eap[3] established
> between 192.168.91.163[C=US, O=ISC,
> CN=strongswan1.iscinternational.com]...192.168.91.166[192.168.91.166]
> Jul 22 16:26:27 strongswan1 charon: 06[IKE] scheduling reauthentication in
> 3243s
> Jul 22 16:26:27 strongswan1 charon: 06[IKE] maximum IKE_SA lifetime 3423s
> Jul 22 16:26:27 strongswan1 charon: 06[IKE] peer requested virtual IP %any6
> Jul 22 16:26:27 strongswan1 charon: 06[IKE] no virtual IP found, sending
> INTERNAL_ADDRESS_FAILURE
> Jul 22 16:26:27 strongswan1 charon: 06[IKE] configuration payload
> negotiation failed, no CHILD_SA built
> Jul 22 16:26:27 strongswan1 charon: 06[ENC] generating IKE_AUTH response 5 [
> AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(INT_ADDR_FAIL) ]
> Jul 22 16:26:27 strongswan1 charon: 06[NET] sending packet: from
> 192.168.91.163[4500] to 192.168.91.166[4500]
> Jul 22 16:26:27 strongswan1 charon: 11[NET] received packet: from
> 192.168.91.166[4500] to 192.168.91.163[4500]
> Jul 22 16:26:27 strongswan1 charon: 11[ENC] parsed INFORMATIONAL request 6 [
> D ]
> Jul 22 16:26:27 strongswan1 charon: 11[IKE] received DELETE for IKE_SA
> rw-eap[3]
> Jul 22 16:26:27 strongswan1 charon: 11[IKE] deleting IKE_SA rw-eap[3]
> between 192.168.91.163[C=US, O=ISC,
> CN=strongswan1.iscinternational.com]...192.168.91.166[192.168.91.166]
> Jul 22 16:26:27 strongswan1 charon: 11[IKE] IKE_SA deleted
> Jul 22 16:26:27 strongswan1 charon: 11[ENC] generating INFORMATIONAL
> response 6 [ ]
> Jul 22 16:26:27 strongswan1 charon: 11[NET] sending packet: from
> 192.168.91.163[4500] to 192.168.91.166[4500]
>
> I don't have any ip6 machines, and I've disabled IP6 in Windows, so I don't
> know where the %any6 is coming from. I've found a couple of Google search
> items that do a regedit, but that's pretty invasive, and I don't want users
> to dive in those waters - sharks gobble up unwary users in the regedit
> oceans......
>
> Any help would be appreciated here. We're making progress!
>
> Thanks!
>
> Gregg
>
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Saturday, July 20, 2013 1:39 AM
> To: Gregg Hughes
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] FW: Win7 machine certificate connection failing
>
> Hi Gregg,
>
> openssl 1.x creates private key files in the PKCS#8 format. Support for
> parsing this key format was introduced with strongSwan 4.6.2 via the
> pkcs8 plugin.
>
> As a workaround either upgrade to a newer strongSwan version with PKCS#8
> support or convert your PKCS#8 key file into a PKCS#1 key format.
>
> Regards
>
> Andreas
>
> On 07/19/2013 11:54 PM, Gregg Hughes wrote:
>> I think I've found the problem, but I don't know how to fix it. It appears
>> that ipsec can't load the private ca key. Here's the relevant syslog cut:
>>
>> ---------------------syslog------------------------
>> Jul 19 15:33:18 strongswan1 charon: 00[DMN] Starting IKEv2 charon daemon
>> (strongSwan 4.5.2)
>> Jul 19 15:33:20 strongswan1 charon: 00[KNL] listening on interfaces:
>> Jul 19 15:33:20 strongswan1 charon: 00[KNL] eth0
>> Jul 19 15:33:20 strongswan1 charon: 00[KNL] 192.168.91.163
>> Jul 19 15:33:20 strongswan1 charon: 00[KNL] fe80::20c:29ff:fecd:2c6b
>> Jul 19 15:33:20 strongswan1 charon: 00[KNL] eth1
>> Jul 19 15:33:20 strongswan1 charon: 00[KNL] 10.1.0.1
>> Jul 19 15:33:20 strongswan1 charon: 00[KNL] fe80::20c:29ff:fecd:2c75
>> Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading ca certificates from
>> '/etc/ipsec.d/cacerts'
>> Jul 19 15:33:20 strongswan1 charon: 00[CFG] loaded ca certificate "C=US,
>> ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd.,
>> CN=strongswan1.iscinternational.com, E=support at iscinternational.com" from
>> '/etc/ipsec.d/cacerts/strongswan1cert.pem'
>> Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading aa certificates from
>> '/etc/ipsec.d/aacerts'
>> Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading ocsp signer certificates
>> from '/etc/ipsec.d/ocspcerts'
>> Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading attribute certificates
>> from '/etc/ipsec.d/acerts'
>> Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading crls from
>> '/etc/ipsec.d/crls'
>> Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading secrets from
>> '/etc/ipsec.secrets'
>> Jul 19 15:33:20 strongswan1 charon: 00[LIB] L1 - version: ASN1 tag 0x02
>> expected, but is 0x30
>> Jul 19 15:33:20 strongswan1 charon: 00[LIB] building CRED_PRIVATE_KEY - RSA
>> failed, tried 8 builders
>> Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading private key from
>> '/etc/ipsec.d/private/strongswan1key.pem' failed
>> ________________________________________
>>
>> So when the EAP session tries to initialize, this happens:
>>
>> ________________________________________
>> Jul 19 15:54:34 strongswan1 charon: 15[NET] received packet: from
>> 192.168.91.166[500] to 192.168.91.163[500]
>> Jul 19 15:54:34 strongswan1 charon: 15[ENC] parsed IKE_SA_INIT request 0 [
>> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Jul 19 15:54:34 strongswan1 charon: 15[IKE] 192.168.91.166 is initiating an
>> IKE_SA
>> Jul 19 15:54:34 strongswan1 charon: 15[IKE] sending cert request for "C=US,
>> ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd.,
>> CN=strongswan1.iscinternational.com, E=support at iscinternational.com"
>> Jul 19 15:54:34 strongswan1 charon: 15[ENC] generating IKE_SA_INIT response
>> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>> Jul 19 15:54:34 strongswan1 charon: 15[NET] sending packet: from
>> 192.168.91.163[500] to 192.168.91.166[500]
>> Jul 19 15:54:34 strongswan1 charon: 14[NET] received packet: from
>> 192.168.91.166[4500] to 192.168.91.163[4500]
>> Jul 19 15:54:34 strongswan1 charon: 14[ENC] unknown attribute type
>> INTERNAL_IP4_SERVER
>> Jul 19 15:54:34 strongswan1 charon: 14[ENC] unknown attribute type
>> INTERNAL_IP6_SERVER
>> Jul 19 15:54:34 strongswan1 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi
>> CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
>> Jul 19 15:54:34 strongswan1 charon: 14[IKE] received cert request for "C=US,
>> ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd.,
>> CN=strongswan1.iscinternational.com, E=support at iscinternational.com"
>> Jul 19 15:54:34 strongswan1 charon: 14[IKE] received 12 cert requests for an
>> unknown ca
>> Jul 19 15:54:34 strongswan1 charon: 14[CFG] looking for peer configs
>> matching 192.168.91.163[%any]...192.168.91.166[192.168.91.166]
>> Jul 19 15:54:34 strongswan1 charon: 14[CFG] selected peer config 'rw'
>> Jul 19 15:54:34 strongswan1 charon: 14[IKE] peer requested EAP, config
>> inacceptable
>> Jul 19 15:54:34 strongswan1 charon: 14[CFG] switching to peer config 'rw2'
>> Jul 19 15:54:34 strongswan1 charon: 14[IKE] peer requested EAP, config
>> inacceptable
>> Jul 19 15:54:34 strongswan1 charon: 14[CFG] switching to peer config
>> 'rw-eap'
>> Jul 19 15:54:34 strongswan1 charon: 14[IKE] initiating EAP-Identity request
>> Jul 19 15:54:34 strongswan1 charon: 14[IKE] peer supports MOBIKE
>> Jul 19 15:54:34 strongswan1 charon: 14[IKE] no private key found for 'C=US,
>> ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd.,
>> CN=strongswan1.iscinternational.com, E=support at iscinternational.com'
>> Jul 19 15:54:34 strongswan1 charon: 14[ENC] generating IKE_AUTH response 1 [
>> N(AUTH_FAILED) ]
>> Jul 19 15:54:34 strongswan1 charon: 14[NET] sending packet: from
>> 192.168.91.163[4500] to 192.168.91.166[4500]
>> _______________________________________
>> The last three lines of the syslog cutting above seem to be related to the
>> private key not loading.
>>
>> Now, I've done some searching for how to fix the ASN1 tag problem but
>> haven't come up with anything. I'm using openssl 1.0.1 and don't find any
>> bugs or issues with wrong tags. I'm going to recreate the ca, certs and
>> keys again and see if the problem comes with any particular steps. It does
>> appear that removing the quotes from the ipsec.secrets helped.
>>
>> Meanwhile, if anyone has some ideas about this......
>>
>> Many thanks for looking into this!
>>
>>
>> Gregg
>>
>> -----Original Message-----
>> From: Gregg Hughes [mailto:ghughes at iscinternational.com]
>> Sent: Thursday, July 18, 2013 2:02 PM
>> To: users at lists.strongswan.org
>> Subject: FW: [strongSwan] Win7 machine certificate connection failing
>>
>> I wanted to update the information here with results from some config
>> changes.
>>
>> I added/reconfigured the ipsec.conf to have an EAP-MSCHAPV2 connection
>> available, then changed the information on the Windows client side to use
>> EAP when making the connection. Here's the syslog output:
>>
>>
>> --------------Clip from syslog------------------
>>
>> Jul 17 13:41:40 strongswan1 charon: 16[CFG] received stroke: delete
>> connection 'net-net'
>> Jul 17 13:41:40 strongswan1 charon: 16[CFG] deleted connection 'net-net'
>> Jul 17 13:41:40 strongswan1 charon: 04[CFG] received stroke: delete
>> connection 'rw'
>> Jul 17 13:41:40 strongswan1 charon: 04[CFG] deleted connection 'rw'
>> Jul 17 13:41:40 strongswan1 charon: 07[CFG] received stroke: delete
>> connection 'rw2'
>> Jul 17 13:41:40 strongswan1 charon: 07[CFG] deleted connection 'rw2'
>> Jul 17 13:41:40 strongswan1 charon: 05[CFG] received stroke: delete
>> connection 'rw-eap'
>> Jul 17 13:41:40 strongswan1 charon: 05[CFG] deleted connection 'rw-eap'
>> Jul 17 13:41:40 strongswan1 charon: 16[CFG] received stroke: add connection
>> 'net-net'
>> Jul 17 13:41:40 strongswan1 charon: 16[CFG] added configuration 'net-net'
>> Jul 17 13:41:40 strongswan1 charon: 16[CFG] received stroke: add connection
>> 'rw'
>> Jul 17 13:41:40 strongswan1 charon: 16[CFG] added configuration 'rw'
>> Jul 17 13:41:40 strongswan1 charon: 16[CFG] received stroke: add connection
>> 'rw2'
>> Jul 17 13:41:40 strongswan1 charon: 16[CFG] loaded certificate "C=US,
>> ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1" from 'cacert.pem'
>> Jul 17 13:41:40 strongswan1 charon: 16[CFG] id '192.168.91.163' not
>> confirmed by certificate, defaulting to 'C=US, ST=Wisconsin, O=ISC
>> International, Ltd., CN=strongswan1'
>> Jul 17 13:41:40 strongswan1 charon: 16[CFG] added configuration 'rw2'
>> Jul 17 13:41:40 strongswan1 charon: 07[CFG] received stroke: add connection
>> 'rw-eap'
>> Jul 17 13:41:40 strongswan1 charon: 07[CFG] loaded certificate "C=US,
>> ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1" from 'cacert.pem'
>> Jul 17 13:41:40 strongswan1 charon: 07[CFG] id '192.168.91.163' not
>> confirmed by certificate, defaulting to 'C=US, ST=Wisconsin, O=ISC
>> International, Ltd., CN=strongswan1'
>> Jul 17 13:41:40 strongswan1 charon: 07[CFG] added configuration 'rw-eap'
>> Jul 17 13:42:46 strongswan1 charon: 11[NET] received packet: from
>> 192.168.91.166[500] to 192.168.91.163[500]
>> Jul 17 13:42:46 strongswan1 charon: 11[ENC] parsed IKE_SA_INIT request 0 [
>> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Jul 17 13:42:46 strongswan1 charon: 11[IKE] 192.168.91.166 is initiating an
>> IKE_SA
>> Jul 17 13:42:46 strongswan1 charon: 11[IKE] sending cert request for "C=US,
>> ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1"
>> Jul 17 13:42:46 strongswan1 charon: 11[ENC] generating IKE_SA_INIT response
>> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>> Jul 17 13:42:46 strongswan1 charon: 11[NET] sending packet: from
>> 192.168.91.163[500] to 192.168.91.166[500]
>> Jul 17 13:42:46 strongswan1 charon: 14[NET] received packet: from
>> 192.168.91.166[4500] to 192.168.91.163[4500]
>> Jul 17 13:42:46 strongswan1 charon: 14[ENC] unknown attribute type
>> INTERNAL_IP4_SERVER
>> Jul 17 13:42:46 strongswan1 charon: 14[ENC] unknown attribute type
>> INTERNAL_IP6_SERVER
>> Jul 17 13:42:46 strongswan1 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi
>> CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
>> Jul 17 13:42:46 strongswan1 charon: 14[IKE] received cert request for "C=US,
>> ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1"
>> Jul 17 13:42:46 strongswan1 charon: 14[IKE] received 8 cert requests for an
>> unknown ca
>> Jul 17 13:42:46 strongswan1 charon: 14[CFG] looking for peer configs
>> matching 192.168.91.163[%any]...192.168.91.166[192.168.91.166]
>> Jul 17 13:42:46 strongswan1 charon: 14[CFG] selected peer config 'rw'
>> Jul 17 13:42:46 strongswan1 charon: 14[IKE] peer requested EAP, config
>> inacceptable
>> Jul 17 13:42:46 strongswan1 charon: 14[CFG] switching to peer config 'rw2'
>> Jul 17 13:42:46 strongswan1 charon: 14[IKE] peer requested EAP, config
>> inacceptable
>> Jul 17 13:42:46 strongswan1 charon: 14[CFG] switching to peer config
>> 'rw-eap'
>> Jul 17 13:42:46 strongswan1 charon: 14[IKE] using configured EAP-Identity
>> gregg
>> Jul 17 13:42:46 strongswan1 charon: 14[IKE] initiating EAP_MSCHAPV2 method
>> (id 0x77)
>> Jul 17 13:42:46 strongswan1 charon: 14[IKE] peer supports MOBIKE
>> Jul 17 13:42:46 strongswan1 charon: 14[IKE] no private key found for
>> 'C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1'
>> Jul 17 13:42:46 strongswan1 charon: 14[ENC] generating IKE_AUTH response 1 [
>> N(AUTH_FAILED) ]
>> Jul 17 13:42:46 strongswan1 charon: 14[NET] sending packet: from
>> 192.168.91.163[4500] to 192.168.91.166[4500]
>> Jul 17 13:43:35 strongswan1 dhclient: DHCPREQUEST of 192.168.91.163 on eth0
>> to 192.168.91.254 port 67
>> Jul 17 13:43:35 strongswan1 dhclient: DHCPACK of 192.168.91.163 from
>> 192.168.91.254
>> Jul 17 13:43:35 strongswan1 dhclient: bound to 192.168.91.163 -- renewal in
>> 692 seconds.
>>
>> On the client side, I get the dreaded "Error 13801 IKE authentication
>> credentials are unacceptable." and the connection halts. It looks like the
>> EAP is clearing but the cacert isn't clearing the Windows client. I've used
>> seven different methods to create and re-create the self-signed CA and
>> certificate - openssl, the ipsec pki tool, the OpenVPN tools and probably a
>> couple others I tried. I edited the openssl.cnf each time to try and add
>> the extended key usage and the gateway name in the CN and/or the
>> subjectAltName - with no luck. I did find that removing the leftid didn't
>> help, nor did specifying the EAP user.
>>
>> It really appears that the connection is hanging on the server certificate.
>> I'm *this close* to getting this connection down - and I'm pretty sure it's
>> a certificate problem. If anyone has some suggestions on where to look
>> next, I'd really appreciate it!
>>
>>
>> Config----
>> # ipsec.conf - strongSwan1 IPsec configuration file
>>
>> # basic configuration
>>
>> config setup
>> # plutodebug=all
>> # crlcheckinterval=180
>> # strictcrlpolicy=no
>> # cachecrls=yes
>> # nat_traversal=yes
>> charonstart=yes
>> plutostart=no
>>
>> # Add connections here.
>>
>> conn %default
>> ikelifetime=60m
>> keylife=20m
>> rekeymargin=3m
>> keyingtries=1
>> # authby=secret
>> keyexchange=ikev2
>> # mobike=no
>>
>>
>> conn net-net
>> left=192.168.91.163
>> leftsubnet=10.1.0.0/16
>> leftid=@strongswan1
>> leftfirewall=yes
>> right=192.168.91.160
>> rightsubnet=10.2.0.0/16
>> rightid=@strongswan2
>> auto=add
>>
>> conn rw
>> left=192.168.91.163
>> leftsubnet=10.1.0.0/16
>> leftfirewall=yes
>> authby=secret
>> right=%any
>> auto=add
>>
>> conn rw2
>> left=192.168.91.163
>> leftsubnet=10.1.0.0/16
>> # leftid=@strongswan1
>> leftcert=cacert.pem
>> leftfirewall=yes
>> right=%any
>> keyexchange=ikev2
>> auto=add
>>
>> conn rw-eap
>> left=192.168.91.163
>> leftsubnet=10.1.0.0/16
>> # leftid=@strongswan1
>> leftcert=cacert.pem
>> leftauth=pubkey
>> leftfirewall=yes
>> right=%any
>> rightauth=eap-mschapv2
>> rightsendcert=never
>> eap_identity=gregg
>> auto=add
>>
>> include /var/lib/strongswan/ipsec.conf.inc
>>
>>
>> ---------ipsec.secrets---------
>> : RSA cakey.pem "newcapassword"
>>
>> 192.168.91.165 : PSK 1234567890
>>
>> 192.168.91.154 : PSK 1234567890
>>
>> gregg : EAP "1234567890"
>>
>> include /var/lib/strongswan/ipsec.secrets.inc
>>
>> Thanks to all!
>>
>> ---------------------------------------------------------------
>>
>>
>> -----Original Message-----
>> From: Gregg Hughes [mailto:ghughes at iscinternational.com]
>> Sent: Wednesday, July 10, 2013 4:41 PM
>> To: 'Paton, Andy'
>> Cc: 'users at lists.strongswan.org'
>> Subject: RE: [strongSwan] Win7 machine certificate connection failing
>>
>> Hi, Andy!
>>
>> Thanks for the quick response - it's good to know there's help out there for
>> new folks.....
>>
>> The CA key was generated like so:
>> openssl genrsa -des3 -out private/cakey.pem 4096
>> I added a password for the key. Not much of one, but a password.
>>
>> Created CA Root Certificate
>> openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 -set_serial 0
>> Asked some questions:
>> Country Name              US
>> State or Province Name    Wisconsin
>> Locality Name             Milwaukee
>> Organization Name         ISC International, Ltd.
>> Organizational Unit       .
>> Common name               strongswan1
>> Email Address             ghughes [at] iscinternational.com
>> ....and I got my cert.
>>
>> I added the requirements to the openssl.cnf file for extendedKeyUsage and
>> for a subjectAltName, following a document here:
>> http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq
>>
>> Oddly enough, when I do an "ipsec listcerts" I get nothing, even though
>> syslog shows the certificates being loaded correctly.
>>
>> Let me know other information you might need (and where to look for it) - I
>> probably haven't completely fulfilled your request.
>>
>> Thanks!
>>
>> Gregg
>>
>>
>> -----Original Message-----
>> From: Paton, Andy [mailto:andy.paton at hp.com]
>> Sent: Wednesday, July 10, 2013 4:13 PM
>> To: Gregg Hughes
>> Cc: users at lists.strongswan.org
>> Subject: Re: [strongSwan] Win7 machine certificate connection failing
>>
>> Can you post details of your certificates. Both the machine cert for the
>> gateway and the device cert?
>>
>> --
>> Andrew Paton
>>
>>
>>
>> On 10 Jul 2013, at 21:55, "Gregg Hughes" <ghughes at iscinternational.com> wrote:
>>
>> Good afternoon, all!
>>
>> I've been working on getting a Strongswan installation running on a VMware
>> Workstation test platform. The server is Ubuntu Server 12.04 with
>> Strongswan 4.5.2 from the Ubuntu repository.
>> I've been able to get a net-net test config to work, but have had trouble
>> with a roadwarrior config. I think it's a problem with certificates because
>> I get "Error 13801: IKE authentication credentials are unacceptable", so I
>> know the client is reaching the server and trying to get in.
>>
>>
>> I followed the examples listed here, working on an X.509 machine certificate
>> to start: http://wiki.strongswan.org/projects/strongswan/wiki/Windows7
>> I used the multiple client configs and the instructions on importing
>> certificates into Win7.
>>
>> All certs were generated and signed on the strongswan server and are in the
>> proper directories under /etc/ipsec.d. Content of ipsec.conf and greps from
>> auth.log and syslog also.
>>
>> I confess to being at a loss as to why I am still getting the Error 13801
>> after several hours troubleshooting.
>>
>> Thanks in advance!
>>
>>
>>
>> Gregg
>>
>>
>>
>> # ipsec.conf - strongSwan1 IPsec configuration file
>>
>> # basic configuration
>>
>> config setup
>> # plutodebug=all
>> # crlcheckinterval=180
>> # strictcrlpolicy=no
>> # cachecrls=yes
>> # nat_traversal=yes
>> charonstart=yes
>> plutostart=no
>>
>> # Add connections here.
>>
>> conn %default
>> ikelifetime=60m
>> keylife=20m
>> rekeymargin=3m
>> keyingtries=1
>> # authby=secret
>> keyexchange=ikev2
>> # mobike=no
>>
>>
>> conn net-net
>> left=192.168.91.163
>> leftsubnet=10.1.0.0/16
>> leftid=@strongswan1
>> leftfirewall=yes
>> right=192.168.91.160
>> rightsubnet=10.2.0.0/16
>> rightid=@strongswan2
>> auto=add
>>
>> conn Win7
>> left=%defaultroute
>> # leftcert=cacert.pem
>> leftsubnet=10.1.0.0/16
>> leftid=strongswan1
>> right=%any
>> rightsourceip=192.168.93.0/24
>> # rightauth=eap-mschapv2
>> # rightsendcert=never
>> # eap_identity=%any
>> # rightcert=client1cert.pem
>> # keyexchange=ikev2
>> auto=add
>>
>> include /var/lib/strongswan/ipsec.conf.inc
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
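
Andreas's quoted reply attributes the private key load failure to a PKCS#8 key file on a strongSwan release without the pkcs8 plugin, and the quoted syslog shows the parser expecting ASN.1 tag 0x02 but finding 0x30. The following is an added example, not part of the thread and not strongSwan code: it reports which container a key file uses by reading the PEM header and the first two DER tags, following the PKCS#1 and PKCS#8 structure definitions. The sample inputs and the helper names `tlv`, `to_pem` and `SAMPLES` are constructed for illustration.

```python
import base64
import re
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length >= 0x80:                    # long form: low 7 bits = byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def classify_der(der):
    """Classify a private-key blob by the tags of its first two fields."""
    tag, start, end = read_tlv(der, 0)
    if tag != 0x30:
        return "not a DER SEQUENCE"
    body = der[:end]
    t1, _, e1 = read_tlv(body, start)
    if t1 == 0x30:                        # AlgorithmIdentifier first, no version
        return "PKCS#8 EncryptedPrivateKeyInfo"
    if t1 != 0x02:
        return "unknown"
    t2, _, _ = read_tlv(body, e1)         # field after the version INTEGER
    return {0x02: "PKCS#1 RSAPrivateKey",       # modulus INTEGER follows
            0x30: "PKCS#8 PrivateKeyInfo"}.get(t2, "unknown")

def classify_pem(text):
    m = PEM_RE.search(text)
    if not m:
        return "no PEM block"
    label, body = m.groups()
    if "Proc-Type:" in body and "ENCRYPTED" in body:   # OpenSSL traditional format
        return "traditional PEM, passphrase-encrypted (%s)" % label
    return classify_der(base64.b64decode("".join(body.split())))

# Constructed sample structures below: placeholder values, not real key material.
def tlv(tag, value):
    return bytes([tag, len(value)]) + value        # short-form lengths only

def to_pem(label, der):
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, b64, label)

INT0 = tlv(0x02, b"\x00")
ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
PKCS1 = tlv(0x30, INT0 + tlv(0x02, b"\x00\xc3") + tlv(0x02, b"\x03"))
SAMPLES = {
    "pkcs1": to_pem("RSA PRIVATE KEY", PKCS1),
    "pkcs8": to_pem("PRIVATE KEY", tlv(0x30, INT0 + ALG + tlv(0x04, PKCS1))),
    "enc-pkcs8": to_pem("ENCRYPTED PRIVATE KEY", tlv(0x30, ALG + tlv(0x04, b"\x00" * 8))),
    "trad-enc": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: "
                "DES-EDE3-CBC,0123456789ABCDEF\n\nAAAAAAAA\n-----END RSA PRIVATE KEY-----\n",
}
if __name__ == "__main__":
    print({k: classify_pem(v) for k, v in SAMPLES.items()})
```
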