[strongSwan] Windows connection and PSK

Noel Kuntze noel at familie-kuntze.de
Thu Apr 23 21:13:46 CEST 2015


Hello Gilad,

That's because Windows does not support PSK authentication[1].

[1]https://wiki.strongswan.org/projects/strongswan/wiki/Windows7

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 23.04.2015 at 21:04, gilad wrote:
> I'm trying to set up Strongswan for both iOS devices and Windows machines. I would like to use PSK and/or passwords and not have the user install any certificate on his side.
>
> I've set up 2 types of connections: one using IKEv2 and one using IKEv1+XAuth. Both work well with iOS devices and PSK setup.
>
> The problem starts when I try to connect from a Windows machine. I have not yet been able to set up Strongswan to accept connections from Windows without using a certificate. When using IKEv2, Windows does not even offer an option to enter a PSK.
>
> -Gilad
>
>
>
> Apr 23 14:43:46 00[DMN] Starting IKE charon daemon (strongSwan 5.3.0, Linux 3.13.0-43-generic, x86_64)
> Apr 23 14:43:46 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Apr 23 14:43:46 00[CFG]   loaded ca certificate "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
> Apr 23 14:43:46 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Apr 23 14:43:46 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Apr 23 14:43:46 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Apr 23 14:43:46 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Apr 23 14:43:46 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Apr 23 14:43:47 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/strongswanKey.pem'
> Apr 23 14:43:47 00[CFG]   loaded IKE secret for %any
> Apr 23 14:43:47 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem gcrypt fips-prf gmp agent xcbc cmac hmac attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls xauth-generic
> Apr 23 14:43:47 00[JOB] spawning 16 worker threads
> Apr 23 14:43:47 10[CFG] received stroke: add connection 'ios8'
> Apr 23 14:43:47 10[CFG] conn ios8
> Apr 23 14:43:47 10[CFG]   left=%any
> Apr 23 14:43:47 10[CFG]   leftsubnet=0.0.0.0/0
> Apr 23 14:43:47 10[CFG]   leftauth=psk
> Apr 23 14:43:47 10[CFG]   leftid=vpn.hola.org
> Apr 23 14:43:47 10[CFG]   right=%any
> Apr 23 14:43:47 10[CFG]   rightsourceip=10.0.0.0/15
> Apr 23 14:43:47 10[CFG]   rightdns=8.8.8.8,8.8.4.4
> Apr 23 14:43:47 10[CFG]   rightauth=eap-mschapv2
> Apr 23 14:43:47 10[CFG]   eap_identity=%any
> Apr 23 14:43:47 10[CFG]   ike=aes128-sha1-modp2048,3des-sha1-modp1536
> Apr 23 14:43:47 10[CFG]   esp=aes128-sha1,3des-sha1
> Apr 23 14:43:47 10[CFG]   dpddelay=30
> Apr 23 14:43:47 10[CFG]   dpdtimeout=150
> Apr 23 14:43:47 10[CFG]   dpdaction=1
> Apr 23 14:43:47 10[CFG]   mediation=no
> Apr 23 14:43:47 10[CFG]   keyexchange=ikev2
> Apr 23 14:43:47 10[CFG] left nor right host is our side, assuming left=local
> Apr 23 14:43:47 10[CFG] adding virtual IP address pool 10.0.0.0/15
> Apr 23 14:43:47 10[CFG] added configuration 'ios8'
> Apr 23 14:43:47 12[CFG] received stroke: add connection 'ios7'
> Apr 23 14:43:47 12[CFG] conn ios7
> Apr 23 14:43:47 12[CFG]   left=%any
> Apr 23 14:43:47 12[CFG]   leftsubnet=0.0.0.0/0
> Apr 23 14:43:47 12[CFG]   leftauth=psk
> Apr 23 14:43:47 12[CFG]   right=%any
> Apr 23 14:43:47 12[CFG]   rightsourceip=10.0.0.0/15
> Apr 23 14:43:47 12[CFG]   rightdns=8.8.8.8,8.8.4.4
> Apr 23 14:43:47 12[CFG]   rightauth=psk
> Apr 23 14:43:47 12[CFG]   rightauth2=xauth-generic
> Apr 23 14:43:47 12[CFG]   eap_identity=%any
> Apr 23 14:43:47 12[CFG]   ike=aes128-sha1-modp2048,3des-sha1-modp1536
> Apr 23 14:43:47 12[CFG]   esp=aes128-sha1,3des-sha1
> Apr 23 14:43:47 12[CFG]   dpddelay=30
> Apr 23 14:43:47 12[CFG]   dpdtimeout=150
> Apr 23 14:43:47 12[CFG]   dpdaction=1
> Apr 23 14:43:47 12[CFG]   mediation=no
> Apr 23 14:43:47 12[CFG]   keyexchange=ikev1
> Apr 23 14:43:47 12[CFG] left nor right host is our side, assuming left=local
> Apr 23 14:43:47 12[CFG] reusing virtual IP address pool 10.0.0.0/15
> Apr 23 14:43:47 12[CFG] added configuration 'ios7'
> Apr 23 14:45:16 14[NET] <1> received packet: from 52.8.76.87[500] to 104.236.254.145[500] (880 bytes)
> Apr 23 14:45:16 14[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> Apr 23 14:45:16 14[CFG] <1> looking for an ike config for 104.236.254.145...52.8.76.87
> Apr 23 14:45:16 14[CFG] <1>   candidate: %any...%any, prio 28
> Apr 23 14:45:16 14[CFG] <1> found matching ike config: %any...%any with prio 28
> Apr 23 14:45:16 14[ENC] <1> received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
> Apr 23 14:45:16 14[ENC] <1> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
> Apr 23 14:45:16 14[ENC] <1> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
> Apr 23 14:45:16 14[ENC] <1> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> Apr 23 14:45:16 14[IKE] <1> 52.8.76.87 is initiating an IKE_SA
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable DIFFIE_HELLMAN_GROUP found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable PSEUDO_RANDOM_FUNCTION found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable PSEUDO_RANDOM_FUNCTION found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable DIFFIE_HELLMAN_GROUP found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable PSEUDO_RANDOM_FUNCTION found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable PSEUDO_RANDOM_FUNCTION found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
> Apr 23 14:45:16 14[CFG] <1> selecting proposal:
> Apr 23 14:45:16 14[CFG] <1>   proposal matches
> Apr 23 14:45:16 14[CFG] <1> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
> Apr 23 14:45:16 14[CFG] <1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
> Apr 23 14:45:16 14[CFG] <1> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> Apr 23 14:45:16 14[IKE] <1> remote host is behind NAT
> Apr 23 14:45:16 14[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> Apr 23 14:45:16 14[NET] <1> sending packet: from 104.236.254.145[500] to 52.8.76.87[500] (308 bytes)
> Apr 23 14:45:16 15[NET] <1> received packet: from 52.8.76.87[4500] to 104.236.254.145[4500] (676 bytes)
> Apr 23 14:45:16 15[ENC] <1> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
> Apr 23 14:45:16 15[IKE] <1> received 12 cert requests for an unknown ca
> Apr 23 14:45:16 15[CFG] <1> looking for peer configs matching 104.236.254.145[%any]...52.8.76.87[172.31.18.184]
> Apr 23 14:45:16 15[CFG] <1>   candidate "ios8", match: 1/1/28 (me/other/ike)
> Apr 23 14:45:16 15[CFG] <ios8|1> selected peer config 'ios8'
> Apr 23 14:45:16 15[IKE] <ios8|1> initiating EAP_IDENTITY method (id 0x00)
> Apr 23 14:45:16 15[IKE] <ios8|1> peer supports MOBIKE
> Apr 23 14:45:16 15[IKE] <ios8|1> authentication of 'vpn.hola.org' (myself) with pre-shared key
> Apr 23 14:45:16 15[ENC] <ios8|1> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
> Apr 23 14:45:16 15[NET] <ios8|1> sending packet: from 104.236.254.145[4500] to 52.8.76.87[4500] (116 bytes)
> Apr 23 14:45:46 16[JOB] <ios8|1> deleting half open IKE_SA after timeout
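Added example (my own, not from the thread or the strongSwan project): a small Python triage script that runs over a constructed excerpt of the charon log lines quoted above and pulls out the two things a defender would want flagged in them: the server authenticating itself with a pre-shared key to a client that had just sent certificate requests and then went silent, and the weak algorithms (3DES, 1024-bit MODP) that ended up in the selected IKE proposal. The `WEAK` table and the diagnosis wording are my assumptions, not strongSwan output.

```python
import re

# Constructed excerpt of the charon log quoted in the thread (one IKE_SA).
SAMPLE_LOG = """\
Apr 23 14:45:16 14[CFG] <1> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 23 14:45:16 15[IKE] <1> received 12 cert requests for an unknown ca
Apr 23 14:45:16 15[CFG] <ios8|1> selected peer config 'ios8'
Apr 23 14:45:16 15[IKE] <ios8|1> authentication of 'vpn.hola.org' (myself) with pre-shared key
Apr 23 14:45:16 15[ENC] <ios8|1> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Apr 23 14:45:46 16[JOB] <ios8|1> deleting half open IKE_SA after timeout
"""

# Assumed list of algorithm names worth flagging when they appear in a selected proposal.
WEAK = {"3DES_CBC": "3DES", "MODP_1024": "1024-bit DH group", "HMAC_MD5_96": "MD5"}


def triage(log: str) -> dict:
    """Summarise one IKE_SA's lifecycle from charon log text."""
    found = {"peer_config": None, "proposal": None, "weak_algs": [],
             "cert_requests": 0, "server_auth": None, "timed_out": False}
    for line in log.splitlines():
        m = re.search(r"selected peer config '([^']+)'", line)
        if m:
            found["peer_config"] = m.group(1)
        m = re.search(r"selected proposal: IKE:(\S+)", line)
        if m:
            found["proposal"] = m.group(1)
            found["weak_algs"] = [WEAK[a] for a in m.group(1).split("/") if a in WEAK]
        m = re.search(r"received (\d+) cert requests", line)
        if m:
            found["cert_requests"] = int(m.group(1))
        m = re.search(r"authentication of '[^']+' \(myself\) with (.+)$", line)
        if m:
            found["server_auth"] = m.group(1)  # e.g. "pre-shared key"
        if "deleting half open IKE_SA after timeout" in line:
            found["timed_out"] = True
    return found


def diagnose(summary: dict) -> list:
    """Turn the summary into human-readable findings (wording is my own)."""
    findings = []
    if summary["cert_requests"] and summary["server_auth"] == "pre-shared key" and summary["timed_out"]:
        findings.append("client requested certificates but the server authenticated with a PSK; "
                        "client abandoned the exchange (expects certificate-based server auth)")
    if summary["weak_algs"]:
        findings.append("negotiated weak algorithms: " + ", ".join(summary["weak_algs"]))
    return findings


if __name__ == "__main__":
    for finding in diagnose(triage(SAMPLE_LOG)):
        print("-", finding)
```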
