[strongSwan] Windows 10 VPN client won't send the strongswan server id
François Lacombe
fl.infosreseaux at gmail.com
Thu Dec 17 00:51:20 CET 2015
Hi,
May I append a piece of log to my previous message:
Dec 17 00:37:42 09[IKE] <19> remote host is behind NAT
Dec 17 00:37:42 09[ENC] <19> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Dec 17 00:37:42 09[NET] <19> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (308 bytes)
Dec 17 00:37:42 12[NET] <19> received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (868 bytes)
Dec 17 00:37:42 12[ENC] <19> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Dec 17 00:37:42 12[IKE] <19> received cert request for "C=FR, CN=Wonderful CA"
Dec 17 00:37:42 12[IKE] <19> received 26 cert requests for an unknown ca
Dec 17 00:37:42 12[CFG] <19> looking for peer configs matching 2.2.2.2[%any]...1.1.1.1[10.8.8.1]
Dec 17 00:37:42 12[CFG] <connection-radius|19> selected peer config 'connection-radius'
Dec 17 00:37:42 12[IKE] <connection-radius|19> initiating EAP_IDENTITY method (id 0x00)
Dec 17 00:37:42 12[IKE] <connection-radius|19> peer supports MOBIKE
And here are my two connections in ipsec.conf:
conn connection-radius
    left=2.2.2.2
    leftsubnet=10.2.2.1/24
    leftfirewall=yes
    leftauth=pubkey
    leftcert=IPSEC_CERT.der
    leftid=gateway.example.com
    right=%any
    rightsourceip=10.5.5.0/24
    rightauth=eap-radius
    rightfirewall=yes
    rightsendcert=never
    eap_identity=%any
    auto=add
    mobike=yes
    type=tunnel

conn connection-rescue
    left=2.2.2.2
    leftsubnet=10.2.2.1/24
    leftfirewall=yes
    leftauth=pubkey
    leftcert=IPSEC_CERT.der
    leftid=gateway-rescue.example.com
    right=%any
    rightsourceip=10.10.10.0/24
    rightauth=eap-mschapv2
    rightfirewall=yes
    rightsendcert=never
    eap_identity=%any
    auto=add
    mobike=yes
Both gateway.example.com and gateway-rescue.example.com have a DNS A record pointing to 2.2.2.2.

My Windows client is configured to connect to gateway-rescue.example.com.
IPSEC_CERT.der is valid for both gateway.example.com and gateway-rescue.example.com (with SSL extensions).

I expect Strongswan to choose connection-rescue since I'm targeting gateway-rescue.example.com.
But as you can see, strongswan won't be able to do so since the roadwarrior Windows client won't send any id corresponding to leftid in my connections.

The goal is to provide another authentication method, depending on the DNS name used to connect to strongswan.

All is working well when I'm using a roadwarrior Linux Strongswan client with this ipsec.conf:
conn roadwarrior-test
    leftid=roadwarrior at example.com
    leftsourceip=%config
    eap_identity=my_login
    leftauth=eap-mschapv2
    leftfirewall=yes
    right=gateway.example.com
    rightid=gateway.example.com
    rightsubnet=10.2.2.0/24
    rightauth=pubkey
    auto=add

conn roadwarrior-rescue
    leftid=roadwarrior at example.com
    leftsourceip=%config
    eap_identity=my_login
    leftauth=eap-mschapv2
    leftfirewall=yes
    right=gateway-rescue.example.com
    rightid=gateway-rescue.example.com
    rightsubnet=10.2.2.0/24
    rightauth=pubkey
    auto=add
I hope this is useful for getting some help regarding this issue.
All the best
François L
2015-12-10 0:01 GMT+01:00 François Lacombe <fl.infosreseaux at gmail.com>:
> Hi all,
>
> This is my first post on this list.
> I'm here as a private Strongswan user, using it for domestic applications.
>
> The Strongswan 2.5.1 I'm using is configured with several connections
> exposing different values of leftid and associated pubkeys.
>
> Some of those connections are supposed to enable Windows 10 clients to
> connect following the IKEv2 / eap-mschapv2 method.
> Strongswan is authenticated by an RSA pubkey with a CN corresponding to
> the DNS name of the listening interface, whereas clients are sending a
> PSK.
>
> Windows 10 clients aren't sending the server id in the request and
> Strongswan can't choose any existing connection.
> "Looking for a connection matching ip_addr [%any]" can be read in the log,
> while I'm expecting "Looking for a connection matching ip_addr [pubkey CN]".
>
> Since Windows is expecting pubkeys matching the DNS name, the server
> id is the only way I see to use different connections with the same
> method (eap-mschapv2).
> It would be nice to make the Windows IKEv2 client send the server id
> matching the leftid attribute of the strongswan connection.
>
> Can someone help me regarding this issue?
>
> Many thanks in advance for any help
>
> François Lacombe
> @InfosReseaux
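As an added example (not from this thread or the strongSwan project): a small Python check for the selection problem described above. It parses an ipsec.conf excerpt mirroring the two gateway conns, flags conns that share left/right but differ only in leftid (an initiator that omits IDr cannot steer selection between them, so charon takes the first match), and reads the `looking for peer configs matching` log line, assuming charon's `me[IDr]...other[IDi]` layout, to tell whether the initiator sent an IDr at all. All inputs are constructed.

```python
import re

# Constructed ipsec.conf excerpt mirroring the two gateway connections in the message.
IPSEC_CONF = """\
conn connection-radius
    left=2.2.2.2
    leftid=gateway.example.com
    right=%any
    rightauth=eap-radius
conn connection-rescue
    left=2.2.2.2
    leftid=gateway-rescue.example.com
    right=%any
    rightauth=eap-mschapv2
"""

# Log line from the message; charon prints me[IDr]...other[IDi] (assumed layout).
LOG_LINE = ("Dec 17 00:37:42 12[CFG] <19> looking for peer configs matching "
            "2.2.2.2[%any]...1.1.1.1[10.8.8.1]")
LOG_RE = re.compile(r"looking for peer configs matching "
                    r"([^\s\[]+)\[([^\]]+)\]\.\.\.([^\s\[]+)\[([^\]]+)\]")

def parse_conns(text):
    """Parse 'conn NAME' blocks into {name: {key: value}}; %default is not merged."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def ambiguous_without_idr(conns):
    """Return {(left, right): [conn names]} for groups distinguishable only by leftid."""
    groups = {}
    for name, cfg in conns.items():
        groups.setdefault((cfg.get("left", "%any"), cfg.get("right", "%any")), []).append(name)
    return {k: v for k, v in groups.items()
            if len(v) > 1 and len({conns[n].get("leftid") for n in v}) > 1}

def initiator_sent_idr(log_line):
    """False when the responder's own id shows as %any, i.e. no IDr was received."""
    m = LOG_RE.search(log_line)
    return None if m is None else m.group(2) != "%any"
```

Running `ambiguous_without_idr(parse_conns(IPSEC_CONF))` on the excerpt reports the radius/rescue pair, which is why the Windows client lands on connection-radius regardless of the DNS name it dialled.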