[strongSwan] win8 to strongswan ikev2

Christian Huldt christian at solvare.se
Wed May 20 19:02:36 CEST 2015


I have a strange problem: the Windows computer errors out fast, saying
"Authentication details for IKE is not being accepted" (translated from
Swedish...), but strongSwan says (ipsec status) that the connection is
established...

I just don't understand...


ipsec.conf

conn ikev2
     left=%defaultroute
     leftcert=ca.pem
     leftsubnet=192.168.103.0/24
     right=%any
     leftsourceip=192.168.103.201
     rightsourceip=%dhcp
     keyexchange=ikev2
     leftfirewall=yes
     rightid="C=SE, O=Solvare, OU=net, CN=*"
     dpdaction=clear
     dpddelay=300s
     rekey=no
     auto=add





charon_log:

2015-05-20 18:18 06[CFG] <2>   candidate "ikev2", match: 1/19/28 (me/other/ike)
2015-05-20 18:18 06[CFG] <ikev2|2> selected peer config 'ikev2'
2015-05-20 18:18 06[CFG] <ikev2|2>   using certificate "C=SE, O=Solvare, OU=net, CN=c-dator"
2015-05-20 18:18 06[CFG] <ikev2|2>   certificate "C=SE, O=Solvare, OU=net, CN=c-dator" key: 2048 bit RSA
2015-05-20 18:18 06[CFG] <ikev2|2>   using trusted ca certificate "C=SE, O=Support, CN=Solvare CA"
2015-05-20 18:18 06[CFG] <ikev2|2> checking certificate status of "C=SE, O=Solvare, OU=net, CN=c-dator"
2015-05-20 18:18 06[CFG] <ikev2|2> ocsp check skipped, no ocsp found
2015-05-20 18:18 06[CFG] <ikev2|2> certificate status is not available
2015-05-20 18:18 06[CFG] <ikev2|2>   certificate "C=SE, O=Support, CN=Solvare CA" key: 2048 bit RSA
2015-05-20 18:18 06[CFG] <ikev2|2>   reached self-signed root ca with a path length of 0
2015-05-20 18:18 06[IKE] <ikev2|2> authentication of 'C=SE, O=Solvare, OU=net, CN=c-dator' with RSA signature successful
2015-05-20 18:18 06[IKE] <ikev2|2> processing INTERNAL_IP4_ADDRESS attribute
2015-05-20 18:18 06[IKE] <ikev2|2> processing INTERNAL_IP4_DNS attribute
2015-05-20 18:18 06[IKE] <ikev2|2> processing INTERNAL_IP4_NBNS attribute
2015-05-20 18:18 06[IKE] <ikev2|2> processing INTERNAL_IP4_SERVER attribute
2015-05-20 18:18 06[IKE] <ikev2|2> processing INTERNAL_IP6_ADDRESS attribute
2015-05-20 18:18 06[IKE] <ikev2|2> processing INTERNAL_IP6_DNS attribute
2015-05-20 18:18 06[IKE] <ikev2|2> processing INTERNAL_IP6_SERVER attribute
2015-05-20 18:18 06[IKE] <ikev2|2> peer supports MOBIKE
2015-05-20 18:18 06[ENC] <ikev2|2> added payload of type ID_RESPONDER to message
2015-05-20 18:18 06[ENC] <ikev2|2> added payload of type AUTH to message
2015-05-20 18:18 06[IKE] <ikev2|2> authentication of 'C=SE, ST=Solvare, O=Solvare, CN=VPN' (myself) with RSA signature successful
2015-05-20 18:18 06[IKE] <ikev2|2> IKE_SA ikev2[2] established between 37.46.166.66[C=SE, ST=Solvare, O=Solvare, CN=VPN]...46.59.24.181[C=SE, O=Solvare, OU=net, CN=c-dator]
2015-05-20 18:18 06[IKE] <ikev2|2> IKE_SA ikev2[2] state change: CONNECTING => ESTABLISHED
2015-05-20 18:18 01[JOB] next event in 29s 881ms, waiting
2015-05-20 18:18 06[IKE] <ikev2|2> sending end entity cert "C=SE, ST=Solvare, O=Solvare, CN=VPN"
2015-05-20 18:18 06[ENC] <ikev2|2> added payload of type CERTIFICATE to message
2015-05-20 18:18 06[IKE] <ikev2|2> peer requested virtual IP %any
2015-05-20 18:18 06[KNL] <ikev2|2> using 192.168.103.201 as address to reach 192.168.103.200/32
2015-05-20 18:18 06[CFG] <ikev2|2> sending DHCP DISCOVER to 192.168.103.200
2015-05-20 18:18 16[JOB] watched FD 21 ready to read
2015-05-20 18:18 16[JOB] watcher going to poll() 7 fds
2015-05-20 18:18 05[CFG] received DHCP ACK for 192.168.103.160
2015-05-20 18:18 16[JOB] watcher got notification, rebuilding
2015-05-20 18:18 16[JOB] watcher going to poll() 8 fds
2015-05-20 18:18 06[IKE] <ikev2|2> assigning virtual IP 192.168.103.160 to peer 'C=SE, O=Solvare, OU=net, CN=c-dator'
2015-05-20 18:18 06[IKE] <ikev2|2> peer requested virtual IP %any6
2015-05-20 18:18 06[IKE] <ikev2|2> no virtual IP found for %any6 requested by 'C=SE, O=Solvare, OU=net, CN=c-dator'
2015-05-20 18:18 06[IKE] <ikev2|2> building INTERNAL_IP4_DNS attribute
2015-05-20 18:18 16[JOB] watcher going to poll() 7 fds
2015-05-20 18:18 05[CFG] received DHCP ACK for 192.168.103.160
2015-05-20 18:18 16[JOB] watcher got notification, rebuilding
2015-05-20 18:18 16[JOB] watcher going to poll() 8 fds
2015-05-20 18:18 06[IKE] <ikev2|2> assigning virtual IP 192.168.103.160 to peer 'C=SE, O=Solvare, OU=net, CN=c-dator'
2015-05-20 18:18 06[IKE] <ikev2|2> peer requested virtual IP %any6
2015-05-20 18:18 06[IKE] <ikev2|2> no virtual IP found for %any6 requested by 'C=SE, O=Solvare, OU=net, CN=c-dator'
2015-05-20 18:18 06[IKE] <ikev2|2> building INTERNAL_IP4_DNS attribute
2015-05-20 18:18 06[ENC] <ikev2|2> added payload of type CONFIGURATION to message
2015-05-20 18:18 06[CFG] <ikev2|2> looking for a child config for ::/0 0.0.0.0/0 === ::/0 0.0.0.0/0
2015-05-20 18:18 06[CFG] <ikev2|2> proposing traffic selectors for us:
2015-05-20 18:18 06[CFG] <ikev2|2>  192.168.103.0/24
2015-05-20 18:18 06[CFG] <ikev2|2> proposing traffic selectors for other:
2015-05-20 18:18 06[CFG] <ikev2|2>  192.168.103.160/32
2015-05-20 18:18 06[CFG] <ikev2|2>   candidate "ikev2" with prio 1+1
2015-05-20 18:18 06[CFG] <ikev2|2> found matching child config "ikev2" with prio 2
2015-05-20 18:18 06[CFG] <ikev2|2> selecting proposal:
2015-05-20 18:18 06[CFG] <ikev2|2>   no acceptable ENCRYPTION_ALGORITHM found
2015-05-20 18:18 06[CFG] <ikev2|2> selecting proposal:
2015-05-20 18:18 06[CFG] <ikev2|2>   no acceptable ENCRYPTION_ALGORITHM found
2015-05-20 18:18 06[CFG] <ikev2|2> selecting proposal:
2015-05-20 18:18 06[CFG] <ikev2|2>   no acceptable ENCRYPTION_ALGORITHM found
2015-05-20 18:18 06[CFG] <ikev2|2> selecting proposal:
2015-05-20 18:18 06[CFG] <ikev2|2>   proposal matches
2015-05-20 18:18 06[CFG] <ikev2|2> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
2015-05-20 18:18 06[CFG] <ikev2|2> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
2015-05-20 18:18 06[CFG] <ikev2|2> selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
2015-05-20 18:18 06[KNL] <ikev2|2> getting SPI for reqid {2}
2015-05-20 18:18 06[KNL] <ikev2|2> got SPI cf9d9615 for reqid {2}
2015-05-20 18:18 06[CFG] <ikev2|2> selecting traffic selectors for us:
2015-05-20 18:18 06[CFG] <ikev2|2>  config: 192.168.103.0/24, received: ::/0 => no match
2015-05-20 18:18 06[CFG] <ikev2|2>  config: 192.168.103.0/24, received: 0.0.0.0/0 => match: 192.168.103.0/24
2015-05-20 18:18 06[CFG] <ikev2|2> selecting traffic selectors for other:
2015-05-20 18:18 06[CFG] <ikev2|2>  config: 192.168.103.160/32, received: ::/0 => no match
2015-05-20 18:18 06[CFG] <ikev2|2>  config: 192.168.103.160/32, received: 0.0.0.0/0 => match: 192.168.103.160/32
2015-05-20 18:18 06[CHD] <ikev2|2>   using 3DES_CBC for encryption
2015-05-20 18:18 06[CHD] <ikev2|2>   using HMAC_SHA1_96 for integrity
2015-05-20 18:18 06[CHD] <ikev2|2> adding inbound ESP SA
2015-05-20 18:18 06[CHD] <ikev2|2>   SPI 0xcf9d9615, src 46.59.24.181 dst 37.46.166.66
2015-05-20 18:18 06[KNL] <ikev2|2> adding SAD entry with SPI cf9d9615 and reqid {2}  (mark 0/0x00000000)
2015-05-20 18:18 06[KNL] <ikev2|2>   using encryption algorithm 3DES_CBC with key size 192
2015-05-20 18:18 06[KNL] <ikev2|2>   using integrity algorithm HMAC_SHA1_96 with key size 160
2015-05-20 18:18 06[KNL] <ikev2|2>   using replay window of 32 packets
2015-05-20 18:18 06[CHD] <ikev2|2> adding outbound ESP SA
2015-05-20 18:18 06[CHD] <ikev2|2>   SPI 0x4b13e8c9, src 37.46.166.66 dst 46.59.24.181
2015-05-20 18:18 06[KNL] <ikev2|2> adding SAD entry with SPI 4b13e8c9 and reqid {2}  (mark 0/0x00000000)
2015-05-20 18:18 06[KNL] <ikev2|2>   using encryption algorithm 3DES_CBC with key size 192
2015-05-20 18:18 06[KNL] <ikev2|2>   using integrity algorithm HMAC_SHA1_96 with key size 160
2015-05-20 18:18 06[KNL] <ikev2|2>   using replay window of 32 packets
2015-05-20 18:18 06[KNL] <ikev2|2> adding policy 192.168.103.0/24 === 192.168.103.160/32 out  (mark 0/0x00000000)
2015-05-20 18:18 06[KNL] <ikev2|2> adding policy 192.168.103.160/32 === 192.168.103.0/24 in  (mark 0/0x00000000)
2015-05-20 18:18 06[KNL] <ikev2|2> adding policy 192.168.103.160/32 === 192.168.103.0/24 fwd  (mark 0/0x00000000)
2015-05-20 18:18 06[KNL] <ikev2|2> getting a local address in traffic selector 192.168.103.0/24
2015-05-20 18:18 06[KNL] <ikev2|2> using host 192.168.103.201
2015-05-20 18:18 06[KNL] <ikev2|2> using 37.46.166.65 as nexthop to reach 46.59.24.181/32
2015-05-20 18:18 06[KNL] <ikev2|2> 37.46.166.66 is on interface enp4s1
2015-05-20 18:18 06[KNL] <ikev2|2> installing route: 192.168.103.160/32 via 37.46.166.65 src 192.168.103.201 dev enp4s1
2015-05-20 18:18 06[KNL] <ikev2|2> getting iface index for enp4s1

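One thing the log does show clearly is why the CHILD_SA ends up on 3DES although the Windows client offered AES-256: the client proposes AES_CBC_256 and 3DES_CBC, the configured list puts AES_CBC_128 and a 3DES_CBC-only proposal ahead of the one that contains AES_CBC_256, and charon tries each configured proposal against each received proposal in turn, so the first pairing with a common cipher is 3DES. The following is an added example, not code from the original post and not part of strongSwan: a Python replay of that selection over the two proposal lines from the charon log above (copied in as constructed input). It reproduces the three "no acceptable ENCRYPTION_ALGORITHM found" attempts, the selected ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, and flags 3DES as weak. Assumptions: the loop order is inferred from the log rather than taken from charon's source, the WEAK set is the editor's own list, and nothing in this log explains the separate authentication error the Windows client reports.

```python
"""Replay charon's ESP proposal selection from the charon log lines above."""
import re

# Constructed input: the two proposal lines copied from the charon log in the post.
LOG_LINES = [
    "2015-05-20 18:18 06[CFG] <ikev2|2> received proposals: "
    "ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ",
    "2015-05-20 18:18 06[CFG] <ikev2|2> configured proposals: "
    "ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, "
    "ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/"
    "HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ",
]

# Transform types, named as charon names them in its "no acceptable ... found" lines.
TYPES = ("ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM", "EXTENDED_SEQUENCE_NUMBERS")

# Transforms this checker flags as weak (assumption: editor's own list, not a strongSwan setting).
WEAK = {"3DES_CBC", "BLOWFISH_CBC_256", "HMAC_MD5_96"}

PROPOSAL_RE = re.compile(r"(received|configured) proposals: (.+)$")


def transform_type(name):
    """Classify a transform by the naming convention charon uses in its logs."""
    if name.endswith("EXT_SEQ"):
        return "EXTENDED_SEQUENCE_NUMBERS"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEGRITY_ALGORITHM"
    return "ENCRYPTION_ALGORITHM"  # AES_CBC_*, 3DES_CBC, BLOWFISH_CBC_*, ...


def parse_proposals(text):
    """'ESP:A/B/C, ESP:D/E' -> list of {proto, <type>: [transforms in listed order]}."""
    proposals = []
    for item in text.split(","):
        proto, _, transforms = item.strip().partition(":")
        p = {"proto": proto}
        for t in transforms.split("/"):
            p.setdefault(transform_type(t), []).append(t)
        proposals.append(p)
    return proposals


def parse_log(lines):
    """Pull the received and configured proposal lists out of charon log lines."""
    found = {}
    for line in lines:
        m = PROPOSAL_RE.search(line)
        if m:
            found[m.group(1)] = parse_proposals(m.group(2))
    return found["configured"], found["received"]


def select_proposal(configured, received):
    """Walk configured proposals in order and, for each, every received proposal;
    the first pair sharing a transform of every type wins, the configured side's
    first common transform being taken. Assumption: this loop order is inferred
    from the four 'selecting proposal:' attempts in the log, not from charon's source."""
    attempts = []
    for c in configured:
        for r in received:
            if c["proto"] != r["proto"]:
                continue
            chosen = {"proto": c["proto"]}
            for ttype in TYPES:
                common = [t for t in c.get(ttype, []) if t in r.get(ttype, [])]
                if not common:
                    attempts.append(f"no acceptable {ttype} found")
                    break
                chosen[ttype] = common[0]
            else:
                attempts.append("proposal matches")
                return chosen, attempts
    return None, attempts


def format_proposal(p):
    """Render a selected proposal in charon's ESP:ENCR/INTEG/ESN notation."""
    return p["proto"] + ":" + "/".join(p[t] for t in TYPES if t in p)


def weak_transforms(p):
    """Selected transforms that appear in the WEAK set."""
    return sorted(p[t] for t in TYPES if t in p and p[t] in WEAK)


def analyse(lines):
    """Replay selection for a log excerpt and report attempts, result and weak transforms."""
    configured, received = parse_log(lines)
    chosen, attempts = select_proposal(configured, received)
    return {
        "attempts": attempts,
        "selected": format_proposal(chosen) if chosen else None,
        "weak": weak_transforms(chosen) if chosen else [],
    }


if __name__ == "__main__":
    result = analyse(LOG_LINES)
    for attempt in result["attempts"]:
        print("  ", attempt)
    print("selected:", result["selected"], "weak:", result["weak"])
```

Running it against the posted log reports the selection charon made; feeding `select_proposal` a configured list in which a proposal containing AES_CBC_256 precedes the 3DES-only one shows that the same received proposals would then settle on AES-256, which is the check to run before touching the `esp=` line.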