[strongSwan] Windows 7 IKEv2 Error

Kimmo K koippa at gmail.com
Tue Jan 7 17:32:52 CET 2014


Hello Chris

Did you regenerate your server certificate when the public IP address changed?
You really should use DNS for your server (for example
server1.edens.domain.com) and then add that to your certificate CN
field and optionally to the Subject Alternative Name DNS field.

Then you could use
  leftid=@server1.edens.domain.com
and changes to the public IP address would not be so difficult.

You are now sending your id as:
 leftid=@24.211.x.xx
So you are telling the other end (Win7) that your IP is 24.211.x.x
and it should check your identity against the certificate. If that IP
address is not in the certificate (CN, Subject Alternative Name DNS),
it can fail.


As for the fragmentation, you should try to open the VPN from
some other location with a different kind of connection (use home
WLAN, tether to your iPhone etc).
You can also follow the IKE messages with tcpdump, but it can be a bit
challenging to see what happens.

I'd try to regenerate a new certificate with the DNS name or new IP address.
The server certificate is enough, no need to re-create the whole CA.

Regards,
Kimmo
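Martin's fragmentation explanation and the tcpdump suggestion above can be checked mechanically. The following is an added example, not code from this thread or from strongSwan: it reassembles IPv4 fragments from raw packets (as a tcpdump -w capture would hold them), decodes the IKEv2 header of each UDP/500 or /4500 datagram, and reports how many fragments each IKE_AUTH arrived in and whether one is missing. The capture is constructed inline; addresses, SPIs and lengths are made up.

```python
import struct
from collections import defaultdict
EXCH = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

def parse_ipv4(pkt):
    """Return (flow key, MF flag, fragment byte offset, payload); the offset field counts 8-byte units."""
    ihl = (pkt[0] & 0x0F) * 4
    total, ident, ff, _ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    return (pkt[12:16], pkt[16:20], ident, proto), bool(ff & 0x2000), (ff & 0x1FFF) * 8, pkt[ihl:total]

def ike_messages(packets):
    """Reassemble UDP datagrams and summarise every IKEv2 message seen on port 500/4500."""
    groups = defaultdict(list)
    for pkt in packets:
        key, more, off, data = parse_ipv4(pkt)
        if key[3] == 17:                              # UDP only; fragments share (src, dst, id, proto)
            groups[key].append((off, more, data))
    out = []
    for frags in groups.values():
        frags.sort()
        buf, expect, complete = b"", 0, True
        for off, _more, data in frags:
            if off != expect:                         # hole in the offsets: a fragment never arrived
                complete = False
                break
            buf, expect = buf + data, off + len(data)
        complete = complete and not frags[-1][1]      # the last piece must have MF clear
        dport = struct.unpack("!H", buf[2:4])[0] if len(buf) >= 8 else 0
        ike = buf[12:] if dport == 4500 and buf[8:12] == b"\0\0\0\0" else buf[8:]  # NAT-T marker
        if dport not in (500, 4500) or len(ike) < 28:
            continue
        _ispi, _rspi, _np, _ver, exch, flags, msgid, length = struct.unpack("!QQBBBBII", ike[:28])
        out.append({"exchange": EXCH.get(exch, str(exch)), "msgid": msgid, "fragments": len(frags),
                    "complete": complete, "ike_len": length, "got": len(ike)})
    return out

def sample_fragments(ident, exch, msgid, body, mtu=1500):
    """Constructed sample: one IKEv2 message in UDP/500, fragmented as a 1500-byte MTU link would."""
    ike = struct.pack("!QQBBBBII", 1, 2, 46, 0x20, exch, 0x08, msgid, 28 + body) + b"\0" * body
    udp = struct.pack("!HHHH", 500, 500, 8 + len(ike), 0) + ike
    step, frags = ((mtu - 20) // 8) * 8, []
    for off in range(0, len(udp), step):
        chunk, mf = udp[off:off + step], 0x2000 if off + step < len(udp) else 0
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident, mf | off // 8,
                          64, 17, 0, b"\x0a\x00\x00\x02", b"\x18\xd3\x00\x01")
        frags.append(hdr + chunk)
    return frags

# Constructed capture: unfragmented IKE_SA_INIT, a 4-fragment IKE_AUTH, and that IKE_AUTH minus fragment 2
CAPTURE = sample_fragments(1, 34, 0, 300) + sample_fragments(2, 35, 1, 5000)
CAPTURE += [f for i, f in enumerate(sample_fragments(3, 35, 1, 5000)) if i != 1]
```

A message whose "got" length stays below "ike_len" with complete=False is exactly the case Martin describes: strongSwan never sees the whole IKE_AUTH, so decryption of the SK payload fails.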

2014/1/6 Chris Arnold <carnold at electrichendrix.com>:
> I really need some assistance on this matter. Kimmo, are you out there? You
> helped set this up and thus, were a great help.
>
>
>> I see a lot of this in the log:
>> > received cert request for unknown ca with keyid
>> > 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4
>> > 12[IKE] received cert request for unknown ca with keyid
>> > dd:bb:bd:86:9c:7f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15
>> > 12[IKE] received cert request for unknown ca with keyid
>> > 4a:5e:75:22:ad:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d
>> > 12[IKE] received cert request for unknown ca with keyid
>> > 01:f0:33:4f:1a:a1:e9:bb:5b:4b:a9:de:43:bc:02:7d:57:09:33:fb
>> > 12[IKE] received cert request for "C=US, ST=NC, L=Durham, O=Edens Land
>> > Corp, OU=ELC, CN=Jarrod, E=email address"
>> > 12[IKE] received cert request for unknown ca with keyid
>> > 34:4f:50:2e:25:69:31:91:bd:f7:73:5e:ab:f5:86:8d:37:82:40:ec
>
> Sent from my iPhone
>
>
>> On Jan 3, 2014, at 10:47 AM, "Chris Arnold" wrote:
>>
>> Sorry, this was meant to go to the list. Not directly to Martin
>>
>> Sent from my iPhone
>>
>> On Jan 3, 2014, at 8:31 AM, "Chris Arnold" wrote:
>>
>> >>> Hi,
>> >
>> > Hi Martin. Thanks for your reply.
>> >
>> >> This used to work until we moved offices and got a new public ip. The
>> >> above leftid reflects the new public ip. I just thought about
>> >> something, the CN in the cert, does it need to reflect the new public
>> >> ip?
>> >
>> >>> No, authentication works independently of payload encryption in IKEv2,
>> >>> so anything wrong with your credentials wouldn't fail that way.
>> >
>> >>> More likely is a fragmentation issue: Windows 7 sends a certificate
>> >>> request for each and every CA it knows about, sometimes summing up to
>> >>> several KB of CERTREQs. If these fragments are not reassembled
>> >>> completely/correctly, decryption fails.
>> >
>> > I see a lot of this in the log:
>> > received cert request for unknown ca with keyid
>> > 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4
>> > 12[IKE] received cert request for unknown ca with keyid
>> > dd:bb:bd:86:9c:7f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15
>> > 12[IKE] received cert request for unknown ca with keyid
>> > 4a:5e:75:22:ad:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d
>> > 12[IKE] received cert request for unknown ca with keyid
>> > 01:f0:33:4f:1a:a1:e9:bb:5b:4b:a9:de:43:bc:02:7d:57:09:33:fb
>> > 12[IKE] received cert request for "C=US, ST=NC, L=Durham, O=Edens Land
>> > Corp, OU=ELC, CN=Jarrod, E=email address"
>> > 12[IKE] received cert request for unknown ca with keyid
>> > 34:4f:50:2e:25:69:31:91:bd:f7:73:5e:ab:f5:86:8d:37:82:40:ec
>> >
>> >>> I'd try to identify how many fragments you see for this IKE_AUTH, and
>> >>> if they get reassembled correctly on the strongSwan end.
>> >
>> > How do I identify how many fragments for this IKE_AUTH?
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users