[strongSwan] Windows 7 IKEv2 Error
Chris Arnold
carnold at electrichendrix.com
Fri Jan 3 02:37:51 CET 2014
Anyone have any ideas?
Sent from my iPhone
> On Dec 31, 2013, at 3:58 PM, "Chris Arnold" <carnold at electrichendrix.com> wrote:
>
> Strongswan 4.4.x on SLES11 SP2. A Windows 7 client using IKEv2 is trying to connect using the rclients config from ipsec.conf. They get an invalid payload received from the Windows 7 client. Here is the exchange from Windows 7 to the strongSwan server:
>
> received packet: from 98.26.22x.xx[500] to 192.168.1.18[500]
> 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 07[IKE] 98.26.22x.xx is initiating an IKE_SA
> 07[IKE] local host is behind NAT, sending keep alives
> 07[IKE] remote host is behind NAT
> 07[IKE] sending cert request for "C=US, ST=NC, L=Durham, O=Edens Land Corp, OU=ELC, CN=name, E=email address"
> 07[IKE] sending cert request for "C=US, ST=North Carolina, L=Durham, O=Edens Land Corp, OU=ELC, CN=name, E=email address"
> 07[IKE] sending cert request for "C=CH, O=Edens Land Corp, CN=Edens Land Corp CA"
> 07[IKE] sending cert request for "C=FI, O=Test, CN=Test CA"
> 07[IKE] sending cert request for "C=CH, O=Edens Land Corp. CN=ELC RW VPN"
> 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> 07[NET] sending packet: from 192.168.1.18[500] to 98.26.22x.xx[500]
> 03[NET] received packet: from 98.26.22x.xx[4500] to 192.168.1.18[4500]
> 03[ENC] not enough input to parse rule 10 ENCRYPTED_DATA
> 03[ENC] payload type ENCRYPTED could not be parsed
> 03[IKE] message parsing failed
> 03[ENC] generating IKE_AUTH response 1 [ N(INVAL_SYN) ]
> 03[NET] sending packet: from 192.168.1.18[500] to 98.26.22x.xx[500]
> 03[IKE] IKE_AUTH request with message ID 1 processing failed
>
> Here is the ipsec config:
> conn rclientscerts
>     rekey=no
>     left=%any
>     leftauth=pubkey
>     leftcert=server_cert.crt
>     leftid=@24.211.x.xx
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightsourceip=192.168.2.0/24
>     #rightauth=eap-mschapv2
>     #rightsendcert=never
>     #eap_identity=%any
>     mobike=yes
>     auto=add
>
> This used to work until we moved offices and got a new public IP. The above leftid reflects the new public IP. I just thought about something: the CN in the cert, does it need to reflect the new public IP? Not sure if that would matter...
> We have a site to site VPN with this same office and that works fine. Any ideas?
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
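As an added example (not part of the thread and not strongSwan's own code), the script below parses charon log lines of the kind quoted above into a timeline and flags two things that excerpt shows: an ENCRYPTED payload that was shorter than its header announced (a truncated IKE_AUTH request, which is a common symptom of dropped IP fragments when the message carries certificates), and a response that was not sent from the port pair the request arrived on after the NAT-T switch to 4500. The sample log is constructed, with a documentation address standing in for the poster's public IP, and the regular expressions assume charon's default `NN[GROUP] message` log format.

```python
"""Summarise a strongSwan charon IKEv2 log excerpt and flag parse failures.

Added example, not code from the mailing-list thread or from strongSwan.
The checks encode general IKEv2 behaviour; the sample log is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample modelled on the charon output quoted in the thread
# (198.51.100.7 is a documentation address, not the poster's real IP).
SAMPLE_LOG = """\
07[NET] received packet: from 198.51.100.7[500] to 192.168.1.18[500]
07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
07[IKE] local host is behind NAT, sending keep alives
07[IKE] remote host is behind NAT
07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
07[NET] sending packet: from 192.168.1.18[500] to 198.51.100.7[500]
03[NET] received packet: from 198.51.100.7[4500] to 192.168.1.18[4500]
03[ENC] not enough input to parse rule 10 ENCRYPTED_DATA
03[ENC] payload type ENCRYPTED could not be parsed
03[IKE] message parsing failed
03[ENC] generating IKE_AUTH response 1 [ N(INVAL_SYN) ]
03[NET] sending packet: from 192.168.1.18[500] to 198.51.100.7[500]
03[IKE] IKE_AUTH request with message ID 1 processing failed
"""

# charon prefixes each line with "<thread>[<group>] "; the prefix is optional
# here because pasted excerpts sometimes lose it on the first line.
LINE_RE = re.compile(r"^(?:(?P<thread>\d+)\[(?P<group>[A-Z]+)\] )?(?P<msg>.*)$")
PACKET_RE = re.compile(
    r"(?P<dir>received|sending) packet: from (?P<src>[\d.]+)\[(?P<sport>\d+)\] "
    r"to (?P<dst>[\d.]+)\[(?P<dport>\d+)\]")
MESSAGE_RE = re.compile(
    r"(?P<action>parsed|generating) (?P<exchange>\w+) (?P<kind>request|response) "
    r"(?P<mid>\d+) \[ (?P<payloads>[^\]]*)\]")


@dataclass
class Event:
    thread: str
    group: str
    kind: str                   # packet | message | parse_error | failure | other
    data: dict = field(default_factory=dict)


def parse_log(text: str) -> list[Event]:
    """Turn charon log lines into structured events; unrecognised lines become 'other'."""
    events: list[Event] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not m.group("msg"):
            continue
        thread, group, msg = m.group("thread") or "?", m.group("group") or "?", m.group("msg")
        if (p := PACKET_RE.search(msg)):
            events.append(Event(thread, group, "packet", p.groupdict()))
        elif (q := MESSAGE_RE.search(msg)):
            d = q.groupdict()
            d["payloads"] = d["payloads"].split()      # e.g. ['SA', 'KE', 'No', 'N(NATD_S_IP)']
            events.append(Event(thread, group, "message", d))
        elif "could not be parsed" in msg or "not enough input" in msg:
            events.append(Event(thread, group, "parse_error", {"msg": msg}))
        elif "processing failed" in msg or "parsing failed" in msg:
            events.append(Event(thread, group, "failure", {"msg": msg}))
        else:
            events.append(Event(thread, group, "other", {"msg": msg}))
    return events


def analyze(events: list[Event]) -> list[tuple[str, str]]:
    """Return (code, explanation) findings derived from the event sequence."""
    findings: list[tuple[str, str]] = []
    last_received: Event | None = None
    for i, ev in enumerate(events):
        if ev.kind == "packet" and ev.data["dir"] == "received":
            last_received = ev
        elif ev.kind == "packet" and ev.data["dir"] == "sending" and last_received:
            # A response should leave from the local port the request hit and go
            # back to the port it came from; after NAT detection that is 4500/4500.
            req, resp = last_received.data, ev.data
            if (req["dport"], req["sport"]) != (resp["sport"], resp["dport"]):
                findings.append(("PORT_MISMATCH",
                    f"request arrived at {req['dst']}[{req['dport']}] from port {req['sport']}, "
                    f"but the response left {resp['src']}[{resp['sport']}] for port {resp['dport']}"))
            last_received = None
        elif ev.kind == "parse_error" and "not enough input" in ev.data["msg"]:
            # The message was shorter than its payload headers claimed. The next
            # generated response names the exchange that failed (here IKE_AUTH).
            exchange = next((e.data["exchange"] for e in events[i:]
                             if e.kind == "message" and e.data["action"] == "generating"), "unknown")
            findings.append(("INCOMPLETE_PAYLOAD",
                f"{exchange} request truncated inside the ENCRYPTED payload; with certificates in "
                f"IKE_AUTH this commonly means IP fragments were dropped on the path"))
    return findings


def summarize(text: str) -> dict:
    """Timeline of exchanges plus findings, for a quick read of a pasted excerpt."""
    events = parse_log(text)
    exchanges = [f"{e.data['exchange']} {e.data['kind']} {e.data['mid']}"
                 for e in events if e.kind == "message"]
    return {"exchanges": exchanges, "findings": analyze(events)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("exchanges:", " -> ".join(report["exchanges"]))
    for code, why in report["findings"]:
        print(f"[{code}] {why}")
```

Run it on a real excerpt by replacing `SAMPLE_LOG` with the pasted lines; the `INCOMPLETE_PAYLOAD` finding is the one to chase first, since a server that cannot decrypt the IKE_AUTH request answers with `N(INVAL_SYN)` regardless of what the certificate or `leftid` contain.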