[strongSwan] Antw: Re: Best practice for win7 <-> strongswan 5.1

bjoern wahl bjoern.wahl at hospital-borken.de
Thu Oct 24 11:37:13 CEST 2013


Hello Martin,

thank you for your response.

First:
I know that "does not work" would not help anybody, but I sent an email
to the list some time ago describing what was really the problem. As I
did not get a response, I would like to start with a "more easy"
configuration.

So now to the error message:

I get:

Error 13801 IKE authentication credentials are unacceptable...

The connection initiation
=================================================

# /usr/local/sbin/ipsec start --nofork
Starting strongSwan 5.1.0 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.1.0, Linux
3.0.93-0.8-default, x86_64)
00[NET] could not open socket: Address family not supported by protocol
00[NET] could not open IPv6 socket, IPv6 disabled
00[KNL] received netlink error: Address family not supported by protocol
(97)
00[KNL] unable to create IPv6 routing table rule
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=DE, ST=NRW, L=abc, O=xy-z, OU=EDV,
CN=123" from '/usr/local/etc/ipsec.d/cacerts/cacert.pem'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from
'/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from
'/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from
'/usr/local/etc/ipsec.d/private/maikaKey.pem'
00[CFG]   loaded EAP secret for testing
00[CFG] loaded 0 RADIUS server configurations
00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink
resolve socket-default stroke updown eap-identity eap-mschapv2
eap-radius eap-tls xauth-generic
00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)
00[JOB] spawning 16 worker threads
charon (27949) started after 20 ms
05[CFG] received stroke: add connection 'win7'
05[CFG] adding virtual IP address pool 10.10.3.0/24
05[CFG]   loaded certificate "C=DE, ST=NRW, O=xy-z, OU=EDV, CN=123" from
'theCert.pem'
05[CFG] added configuration 'win7'
06[NET] received packet: from 234.234.234.234[500] to
456.456.456.456[500] (528 bytes)
06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]
06[IKE] 234.234.234.234 is initiating an IKE_SA
06[IKE] remote host is behind NAT
06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(MULT_AUTH) ]
06[NET] sending packet: from 456.456.456.456[500] to
234.234.234.234[500] (312 bytes)
07[NET] received packet: from 234.234.234.234[16576] to
456.456.456.456[4500] (748 bytes)
07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR
DNS NBNS SRV) SA TSi TSr ]
07[IKE] received cert request for "C=DE, ST=NRW, L=abc, O=xy-z, OU=EDV,
CN=123"
07[IKE] received 24 cert requests for an unknown ca
07[CFG] looking for peer configs matching
456.456.456.456[%any]...234.234.234.234[10.27.227.128]
07[CFG] selected peer config 'win7'
07[IKE] initiating EAP_IDENTITY method (id 0x00)
07[IKE] peer supports MOBIKE
07[IKE] authentication of 'C=DE, ST=NRW, O=xy-z, OU=EDV, CN=123'
(myself) with RSA signature successful
07[IKE] sending end entity cert "C=DE, ST=NRW, O=xy-z, OU=EDV, CN=123"
07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
07[NET] sending packet: from 456.456.456.456[4500] to
234.234.234.234[16576] (1644 bytes)
09[NET] received packet: from 234.234.234.234[500] to
456.456.456.456[500] (528 bytes)
09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]
09[IKE] 234.234.234.234 is initiating an IKE_SA
09[IKE] remote host is behind NAT
09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(MULT_AUTH) ]
09[NET] sending packet: from 456.456.456.456[500] to
234.234.234.234[500] (312 bytes)
10[JOB] deleting half open IKE_SA aft

=================================================
# ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no

conn win7
    left=456.456.456.456
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftid="C=DE, ST=NRW, O=xy-z, OU=EDV, CN=123"
    leftcert=theCert.pem
    right=%any
    rightsourceip=10.10.3.0/24
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add

=================================================
# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA theKey.pem 123456789

testing : EAP "password"

==================================================


Thanks for your ideas !

Björn 


>>> Martin Willi <martin at strongswan.org> 24.10.13 9.24 Uhr >>>
Hello Björn,

> As you can see i tried to do that with eap, but didn't get it to work.

"didn't work" is not a failure description that allows us to help.

I'd try to start with a simple setup terminating EAP-MSCHAPv2 at the
Gateway, no RADIUS involved. 

> strongswan-5.1.0 # ./configure --enable-pem --enable-pkcs1
> --enable-eap-radius --enable-eap-identity --enable-md4
> --enable-eap-mschapv2 --enable-eap-tls && make && make install

Your ./configure is fine so far (pem/pkcs1 are enabled by default,
though, and eap-radius is not required before you use RADIUS).

> - What would be best practice to get Strongswan 5.1 working with
> Win7 ?

Try the configuration at [1], and generate the certificates as outlined
at [2]. Read carefully the requirements about subjectAltNames and
certificate usage.

If you have issues, post an excerpt of the strongSwan log and the exact
Windows error description.

Regards
Martin

[1]http://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig
[2]http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq
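As an added example (not code from this thread or from the strongSwan project), the following shell script generates a gateway certificate carrying the subjectAltName and extendedKeyUsage that the Win7CertReq page Martin cites calls for, then checks those extensions in the resulting PEM with openssl before it would go into ipsec.d/certs. The address 203.0.113.1 and the DN fields are constructed placeholders, and a self-signed certificate stands in for one issued by the CA in ipsec.d/cacerts.

```shell
#!/bin/sh
# Added example, not from the thread or from strongSwan: build a gateway
# certificate with the extensions Windows 7 checks and verify them from the PEM.
# Assumed/constructed values: gateway address 203.0.113.1 and the DN fields.
set -e

GW_ADDR="${GW_ADDR:-203.0.113.1}"
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config (works without 'req -addext', which needs OpenSSL 1.1.1+).
cat > "$WORK/gw.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = gw_ext
[dn]
C = DE
O = xy-z
CN = $GW_ADDR
[gw_ext]
# Windows matches the SAN against the server address entered in the VPN profile
subjectAltName = IP:$GW_ADDR
# serverAuth is required; 1.3.6.1.5.5.8.2.2 is the "IP security IKE intermediate" EKU
extendedKeyUsage = serverAuth,1.3.6.1.5.5.8.2.2
keyUsage = digitalSignature,keyEncipherment
EOF

# Self-signed for the demo; a real gateway cert is issued by the CA in ipsec.d/cacerts.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/gw.cnf" \
  -keyout "$WORK/gwKey.pem" -out "$WORK/gwCert.pem" 2>/dev/null

# check_gateway_cert CERT ADDR: returns 0 only if the SAN carries IP:ADDR and the
# EKU contains serverAuth; a cert missing either is a common cause of error 13801.
check_gateway_cert() {
  txt="$(openssl x509 -in "$1" -noout -text)"
  if ! printf '%s\n' "$txt" | grep -A1 'Subject Alternative Name' | grep -Eq "IP Address:$2(,|\$)"; then
    echo "FAIL: subjectAltName of $1 lacks IP:$2"; return 1
  fi
  if ! printf '%s\n' "$txt" | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'; then
    echo "FAIL: extendedKeyUsage of $1 lacks serverAuth"; return 1
  fi
  echo "OK: $1 is usable for gateway $2"
}

check_gateway_cert "$WORK/gwCert.pem" "$GW_ADDR"
```

Run it against the real gateway certificate with `check_gateway_cert /usr/local/etc/ipsec.d/certs/theCert.pem <gateway-ip>` to confirm the SAN matches the address the Windows client dials.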



