[strongSwan] Strongswan 5.3.0 windows 7/8 configuration problem

Hans Boone H.Boone at Globiq.com
Tue May 19 11:34:55 CEST 2015


Hi all,

We're using strongSwan to connect to Amazon AWS. So far we've been using strongSwan 4.6.2 to connect Windows 7 / 8 clients using EAP-MSCHAPv2 with IKEv2 to the Linux strongSwan server.

Recently we've installed a new Linux strongSwan server, and we've copied the installation to the new server. Of course we've created a new server certificate for this new server.
Unfortunately we're not able to connect with any Windows client to the server. The security assertion is created, but somehow the VPN connection is not created; the Windows clients (Win 7 and Win 8) report an 809 error.

Any ideas what to do?

Log:
May 19 08:57:13 00[DMN] Starting IKE charon daemon (strongSwan 5.3.0, Linux 3.14.42-31.38.amzn1.x86_64, x86_64)
May 19 08:57:13 00[LIB] openssl FIPS mode(0) - disabled
May 19 08:57:13 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 19 08:57:13 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 19 08:57:13 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 19 08:57:13 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 19 08:57:13 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 19 08:57:13 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 19 08:57:13 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/aws_gateway.key'
May 19 08:57:13 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/aws_gateway_frankfurt.key'
May 19 08:57:13 00[CFG]   loaded EAP secret for hanboo1
May 19 08:57:13 00[CFG]   loaded EAP secret for marvel
May 19 08:57:13 00[CFG]   loaded IKE secret for gateway.ph at globiq.com %any
May 19 08:57:13 00[CFG]   loaded IKE secret for gateway.ph at globiq.com zywall_usg_20w_ph at globiq.com
May 19 08:57:13 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2 eap-tls xauth-generic
May 19 08:57:13 00[JOB] spawning 16 worker threads
May 19 08:57:13 11[CFG] received stroke: add connection 'win7'
May 19 08:57:13 11[CFG] adding virtual IP address pool 10.100.0.0/24
May 19 08:57:13 11[CFG]   loaded certificate "C=NL, ST=Utrecht, L=Amersfoort, O=Globiq BV, CN=<<full qualified host name>>" from 'aws_gateway_frankfurt.crt'
May 19 08:57:13 11[CFG] added configuration 'win7'
May 19 08:59:07 13[NET] <1> received packet: from 222.127.206.61[60052] to 10.10.0.125[500] (528 bytes)
May 19 08:59:07 13[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 19 08:59:07 13[IKE] <1> 222.127.206.61 is initiating an IKE_SA
May 19 08:59:07 13[IKE] <1> local host is behind NAT, sending keep alives
May 19 08:59:07 13[IKE] <1> remote host is behind NAT
May 19 08:59:07 13[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
May 19 08:59:07 13[NET] <1> sending packet: from 10.10.0.125[500] to 222.127.206.61[60052] (312 bytes)
May 19 08:59:07 14[NET] <1> received packet: from 222.127.206.61[39239] to 10.10.0.125[4500] (1100 bytes)
May 19 08:59:07 14[ENC] <1> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
May 19 08:59:07 14[IKE] <1> received cert request for "C=NL, ST=Utrecht, L=Amersfoort, O=Globiq BV, CN=<<full qualified host name>>"
May 19 08:59:07 14[IKE] <1> received 37 cert requests for an unknown ca
May 19 08:59:07 14[CFG] <1> looking for peer configs matching 10.10.0.125[%any]...222.127.206.61[192.168.100.199]
May 19 08:59:07 14[CFG] <win7|1> selected peer config 'win7'
May 19 08:59:07 14[IKE] <win7|1> initiating EAP_IDENTITY method (id 0x00)
May 19 08:59:07 14[IKE] <win7|1> peer supports MOBIKE
May 19 08:59:07 14[IKE] <win7|1> authentication of '<<full qualified host name>>' (myself) with RSA signature successful
May 19 08:59:07 14[IKE] <win7|1> sending end entity cert "C=NL, ST=Utrecht, L=Amersfoort, O=Globiq BV, CN=<<full qualified host name>>"
May 19 08:59:07 14[ENC] <win7|1> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
May 19 08:59:07 14[NET] <win7|1> sending packet: from 10.10.0.125[4500] to 222.127.206.61[39239] (1468 bytes)
May 19 08:59:08 15[NET] <win7|1> received packet: from 222.127.206.61[39239] to 10.10.0.125[4500] (1100 bytes)
May 19 08:59:08 15[ENC] <win7|1> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
May 19 08:59:08 15[IKE] <win7|1> received retransmit of request with ID 1, retransmitting response
May 19 08:59:08 15[NET] <win7|1> sending packet: from 10.10.0.125[4500] to 222.127.206.61[39239] (1468 bytes)
May 19 08:59:11 06[NET] <win7|1> received packet: from 222.127.206.61[39239] to 10.10.0.125[4500] (1100 bytes)
May 19 08:59:11 06[ENC] <win7|1> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
May 19 08:59:11 06[IKE] <win7|1> received retransmit of request with ID 1, retransmitting response
May 19 08:59:11 06[NET] <win7|1> sending packet: from 10.10.0.125[4500] to 222.127.206.61[39239] (1468 bytes)
May 19 08:59:27 16[IKE] <win7|1> sending keep alive to 222.127.206.61[39239]
May 19 08:59:37 05[JOB] <win7|1> deleting half open IKE_SA after timeout

Ipsec.conf:
conn win7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    # The "left" parameter is the gateway's private IP
    left=10.10.0.125
    # We are protecting the entire VPC, not just this subnet
    leftsubnet=10.10.0.0/24,10.10.10.0/24,10.10.20.0/24,10.10.30.0/24
    leftfirewall=yes
    leftauth=pubkey
    # both the DNS name and the IP address are stored in the machine certificates
    # if the leftid doesn't match the DNS name, the Windows VPN client will not
    # open the VPN tunnel
    leftcert=aws_gateway_frankfurt.crt
    leftid=@<<full qualified host name>>
    right=%any
    rightsourceip=10.100.0.0/24
    rightauth=eap-mschapv2
    # rightauth=eap-tls
    rightsendcert=never
    eap_identity=%any
    auto=add

ipsec statusall:
Status of IKE charon daemon (strongSwan 5.3.0, Linux 3.14.42-31.38.amzn1.x86_64, x86_64):
  uptime: 32 minutes, since May 19 08:57:13 2015
  malloc: sbrk 1482752, mmap 0, used 350624, free 1132128
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2 eap-tls xauth-generic
Virtual IP pools (size/online/offline):
  10.100.0.0/24: 254/0/0
Listening IP addresses:
  10.10.0.125
Connections:
        win7:  10.10.0.125...%any  IKEv2, dpddelay=300s
        win7:   local:  [<<full qualified host name>>] uses public key authentication
        win7:    cert:  "C=NL, ST=Utrecht, L=Amersfoort, O=Globiq BV, CN=<<full qualified host name>>"
        win7:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
        win7:   child:  10.10.0.0/24 10.10.10.0/24 10.10.20.0/24 10.10.30.0/24 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 1 connecting):
        win7[2]: CONNECTING, 10.10.0.125[<<full qualified host name>>]...222.127.206.61[192.168.100.90]
        win7[2]: IKEv2 SPIs: a65ea4c37c5f0fcd_i 86036036696d65c5_r*
        win7[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
        win7[2]: Tasks passive: IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE

I guess the problem has to do with the EAP-MSCHAPv2 authentication. If I change the entries in ipsec.secrets, e.g. change my username, I would expect an error and a challenge from the server to enter my username. In fact, I checked this on our strongSwan 4.6.2 server. However, the new server doesn't inform me of my incorrect logon information, therefore I think the problem has to do with authentication not working.

Extended key usage for the server certificates is identical for the old and new gateway, so I'm sure the problem is not related to that.




Kind regards,

Hans Boone

Business development manager
Mob: + 31 (0) 650 62 83 23

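The log in this post has a recognizable shape: the IKE_SA_INIT exchange completes, charon generates and sends the IKE_AUTH response (1468 bytes over UDP/4500), the client then retransmits the same IKE_AUTH request 1 twice, and charon finally deletes the half-open IKE_SA. A client that keeps retransmitting a request after the server has answered it is telling you the answer never arrived, which is a transport problem between the two hosts rather than an EAP or secrets problem (the EAP-MSCHAPv2 round trips have not started yet). The script below is an added triage helper, not part of the original post or of strongSwan: it parses charon log lines, groups them per IKE_SA, records which responses were sent and how often the peer retransmitted, and flags the "response not received" pattern. The 1400-byte threshold (`frag_suspect_bytes`) for suspecting that a large IKE_AUTH response is being fragmented and dropped on the path is my own heuristic, chosen because 1468 bytes of UDP payload plus IP/UDP headers sits right at a 1500-byte MTU; the sample log is an excerpt of the lines posted above.

```python
import re
from collections import defaultdict

# Excerpt of the charon log from the post above, trimmed to the handshake.
SAMPLE_LOG = """\
May 19 08:59:07 13[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 19 08:59:07 13[IKE] <1> remote host is behind NAT
May 19 08:59:07 13[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
May 19 08:59:07 13[NET] <1> sending packet: from 10.10.0.125[500] to 222.127.206.61[60052] (312 bytes)
May 19 08:59:07 14[ENC] <1> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
May 19 08:59:07 14[CFG] <win7|1> selected peer config 'win7'
May 19 08:59:07 14[ENC] <win7|1> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
May 19 08:59:07 14[NET] <win7|1> sending packet: from 10.10.0.125[4500] to 222.127.206.61[39239] (1468 bytes)
May 19 08:59:08 15[IKE] <win7|1> received retransmit of request with ID 1, retransmitting response
May 19 08:59:08 15[NET] <win7|1> sending packet: from 10.10.0.125[4500] to 222.127.206.61[39239] (1468 bytes)
May 19 08:59:11 06[IKE] <win7|1> received retransmit of request with ID 1, retransmitting response
May 19 08:59:11 06[NET] <win7|1> sending packet: from 10.10.0.125[4500] to 222.127.206.61[39239] (1468 bytes)
May 19 08:59:37 05[JOB] <win7|1> deleting half open IKE_SA after timeout
"""

# charon line layout: "<timestamp> <thread>[<group>] [<conn|sa>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<thread>\d+)\[(?P<grp>\w+)\] "
                     r"(?:<(?P<sa>[^>]+)> )?(?P<msg>.*)$")
SEND_RE = re.compile(r"sending packet: from (?P<src>[^\[]+)\[(?P<sport>\d+)\] "
                     r"to (?P<dst>[^\[]+)\[(?P<dport>\d+)\] \((?P<size>\d+) bytes\)")
GEN_RE = re.compile(r"generating (?P<exch>\w+) response (?P<mid>\d+)")
RETRANS_RE = re.compile(r"received retransmit of request with ID (?P<mid>\d+)")
EST_RE = re.compile(r"IKE_SA \S+ established")
TIMEOUT_MSG = "deleting half open IKE_SA after timeout"


def sa_key(tag):
    """'<1>' and '<win7|1>' refer to the same IKE_SA; key on the numeric id."""
    return tag.split("|")[-1]


def triage(log_text, frag_suspect_bytes=1400):
    """Return a per-IKE_SA summary of responses sent, peer retransmits and a verdict."""
    sas = {}

    def state(key):
        if key not in sas:
            sas[key] = {"exchanges": {}, "response_sizes": defaultdict(list),
                        "retransmits": defaultdict(int), "nat_t": False,
                        "established": False, "timed_out": False, "_pending": None}
        return sas[key]

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["sa"] is None:
            continue                      # daemon-level lines carry no SA tag
        st, msg = state(sa_key(m["sa"])), m["msg"]
        g = GEN_RE.search(msg)
        if g:                             # a fresh response is about to be sent
            mid = int(g["mid"])
            st["exchanges"][mid] = g["exch"]
            st["_pending"] = mid
            continue
        r = RETRANS_RE.search(msg)
        if r:                             # peer did not get our response; charon resends it
            mid = int(r["mid"])
            st["retransmits"][mid] += 1
            st["_pending"] = mid
            continue
        s = SEND_RE.search(msg)
        if s and st["_pending"] is not None:
            st["response_sizes"][st["_pending"]].append(int(s["size"]))
            if s["sport"] == "4500":      # UDP-encapsulated (NAT-T) path
                st["nat_t"] = True
            st["_pending"] = None
            continue
        if EST_RE.search(msg):
            st["established"] = True
        elif TIMEOUT_MSG in msg:
            st["timed_out"] = True

    for st in sas.values():
        st.pop("_pending")
        st["response_sizes"] = dict(st["response_sizes"])
        st["retransmits"] = dict(st["retransmits"])
        st["suspect_fragmentation"] = False
        if st["established"]:
            st["verdict"] = "established"
        elif st["timed_out"]:
            # Requests the peer kept retransmitting even though we answered them.
            unacked = [mid for mid in st["retransmits"] if st["response_sizes"].get(mid)]
            if unacked:
                st["verdict"] = "response_not_received"
                # Heuristic (assumption): a large response on a NAT-T path that never
                # reaches the peer points at IP fragmentation being dropped en route.
                st["suspect_fragmentation"] = any(
                    max(st["response_sizes"][mid]) >= frag_suspect_bytes for mid in unacked)
            else:
                st["verdict"] = "no_response_generated"
        else:
            st["verdict"] = "incomplete"
    return sas


if __name__ == "__main__":
    for key, st in triage(SAMPLE_LOG).items():
        print(f"IKE_SA {key}: {st['verdict']} exchanges={st['exchanges']} "
              f"retransmits={st['retransmits']} sizes={st['response_sizes']} "
              f"nat_t={st['nat_t']} suspect_fragmentation={st['suspect_fragmentation']}")
```

Run against the posted excerpt it reports `response_not_received` for IKE_SA 1 with two peer retransmits of request 1 and three 1468-byte sends of the same response, and sets `suspect_fragmentation`. That points the investigation at the path between the gateway and the client (MTU, NAT device handling of fragments, UDP/4500 reachability) before touching ipsec.secrets; a wrong EAP password would only show up after the client had answered the EAP identity request, which this log never reaches.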
