[strongSwan] win8 to strongswan ikev2
Christian Huldt
christian at solvare.se
Thu May 21 17:53:05 CEST 2015
For the record, and for my fellow googlers/duckduckgoers/ixquickers: the error
code (13801) is a local (win) issue; I had left out some flags
( --flag serverAuth --flag ikeIntermediate ) in the server cert,
which caused Windows to panic...
On 2015-05-20 19:02, Christian Huldt wrote:
> I have a strange problem: the Windows computer errors out fast, saying
> "Authentication details for IKE is not being accepted" (translated from
> Swedish...), but strongSwan says (ipsec status) that the connection is
> established...
>
> I just don't understand...
>
>
> ipsec.conf
>
> conn ikev2
>     left=%defaultroute
>     leftcert=ca.pem
>     leftsubnet=192.168.103.0/24
>     right=%any
>     leftsourceip=192.168.103.201
>     rightsourceip=%dhcp
>     keyexchange=ikev2
>     leftfirewall=yes
>     rightid="C=SE, O=Solvare, OU=net, CN=*"
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     auto=add
>
> charon_log:
>
> 2015-05-20 18:18 06[CFG] <2> candidate "ikev2", match: 1/19/28
> (me/other/ike)
> 2015-05-20 18:18 06[CFG] <ikev2|2> selected peer config 'ikev2'
> 2015-05-20 18:18 06[CFG] <ikev2|2> using certificate "C=SE, O=Solvare,
> OU=net, CN=c-dator"
> 2015-05-20 18:18 06[CFG] <ikev2|2> certificate "C=SE, O=Solvare,
> OU=net, CN=c-dator" key: 2048 bit RSA
> 2015-05-20 18:18 06[CFG] <ikev2|2> using trusted ca certificate "C=SE,
> O=Support, CN=Solvare CA"
> 2015-05-20 18:18 06[CFG] <ikev2|2> checking certificate status of "C=SE,
> O=Solvare, OU=net, CN=c-dator"
> 2015-05-20 18:18 06[CFG] <ikev2|2> ocsp check skipped, no ocsp found
> 2015-05-20 18:18 06[CFG] <ikev2|2> certificate status is not available
> 2015-05-20 18:18 06[CFG] <ikev2|2> certificate "C=SE, O=Support,
> CN=Solvare CA" key: 2048 bit RSA
> 2015-05-20 18:18 06[CFG] <ikev2|2> reached self-signed root ca with a
> path length of 0
> 2015-05-20 18:18 06[IKE] <ikev2|2> authentication of 'C=SE, O=Solvare,
> OU=net, CN=c-dator' with RSA signature successful
> 2015-05-20 18:18 06[IKE] <ikev2|2> processing INTERNAL_IP4_ADDRESS attribute
> 2015-05-20 18:18 06[IKE] <ikev2|2> processing INTERNAL_IP4_DNS attribute
> 2015-05-20 18:18 06[IKE] <ikev2|2> processing INTERNAL_IP4_NBNS attribute
> 2015-05-20 18:18 06[IKE] <ikev2|2> processing INTERNAL_IP4_SERVER attribute
> 2015-05-20 18:18 06[IKE] <ikev2|2> processing INTERNAL_IP6_ADDRESS attribute
> 2015-05-20 18:18 06[IKE] <ikev2|2> processing INTERNAL_IP6_DNS attribute
> 2015-05-20 18:18 06[IKE] <ikev2|2> processing INTERNAL_IP6_SERVER attribute
> 2015-05-20 18:18 06[IKE] <ikev2|2> peer supports MOBIKE
> 2015-05-20 18:18 06[ENC] <ikev2|2> added payload of type ID_RESPONDER to
> message
> 2015-05-20 18:18 06[ENC] <ikev2|2> added payload of type AUTH to message
> 2015-05-20 18:18 06[IKE] <ikev2|2> authentication of 'C=SE, ST=Solvare,
> O=Solvare, CN=VPN' (myself) with RSA signature successful
> 2015-05-20 18:18 06[IKE] <ikev2|2> IKE_SA ikev2[2] established between
> 37.46.166.66[C=SE, ST=Solvare, O=Solvare, CN=VPN]...46.59.24.181[C=SE,
> O=Solvare, OU=net, CN=c-dator]
> 2015-05-20 18:18 06[IKE] <ikev2|2> IKE_SA ikev2[2] state change:
> CONNECTING => ESTABLISHED
> 2015-05-20 18:18 01[JOB] next event in 29s 881ms, waiting
> 2015-05-20 18:18 06[IKE] <ikev2|2> sending end entity cert "C=SE,
> ST=Solvare, O=Solvare, CN=VPN"
> 2015-05-20 18:18 06[ENC] <ikev2|2> added payload of type CERTIFICATE to
> message
> 2015-05-20 18:18 06[IKE] <ikev2|2> peer requested virtual IP %any
> 2015-05-20 18:18 06[KNL] <ikev2|2> using 192.168.103.201 as address to
> reach 192.168.103.200/32
> 2015-05-20 18:18 06[CFG] <ikev2|2> sending DHCP DISCOVER to 192.168.103.200
> 2015-05-20 18:18 16[JOB] watched FD 21 ready to read
> 2015-05-20 18:18 16[JOB] watcher going to poll() 7 fds
> 2015-05-20 18:18 05[CFG] received DHCP ACK for 192.168.103.160
> 2015-05-20 18:18 16[JOB] watcher got notification, rebuilding
> 2015-05-20 18:18 16[JOB] watcher going to poll() 8 fds
> 2015-05-20 18:18 06[IKE] <ikev2|2> assigning virtual IP 192.168.103.160
> to peer 'C=SE, O=Solvare, OU=net, CN=c-dator'
> 2015-05-20 18:18 06[IKE] <ikev2|2> peer requested virtual IP %any6
> 2015-05-20 18:18 06[IKE] <ikev2|2> no virtual IP found for %any6
> requested by 'C=SE, O=Solvare, OU=net, CN=c-dator'
> 2015-05-20 18:18 06[IKE] <ikev2|2> building INTERNAL_IP4_DNS attribute
> 2015-05-20 18:18 16[JOB] watcher going to poll() 7 fds
> 2015-05-20 18:18 05[CFG] received DHCP ACK for 192.168.103.160
> 2015-05-20 18:18 16[JOB] watcher got notification, rebuilding
> 2015-05-20 18:18 16[JOB] watcher going to poll() 8 fds
> 2015-05-20 18:18 06[IKE] <ikev2|2> assigning virtual IP 192.168.103.160
> to peer 'C=SE, O=Solvare, OU=net, CN=c-dator'
> 2015-05-20 18:18 06[IKE] <ikev2|2> peer requested virtual IP %any6
> 2015-05-20 18:18 06[IKE] <ikev2|2> no virtual IP found for %any6
> requested by 'C=SE, O=Solvare, OU=net, CN=c-dator'
> 2015-05-20 18:18 06[IKE] <ikev2|2> building INTERNAL_IP4_DNS attribute
> 2015-05-20 18:18 06[ENC] <ikev2|2> added payload of type CONFIGURATION
> to message
> 2015-05-20 18:18 06[CFG] <ikev2|2> looking for a child config for ::/0
> 0.0.0.0/0 === ::/0 0.0.0.0/0
> 2015-05-20 18:18 06[CFG] <ikev2|2> proposing traffic selectors for us:
> 2015-05-20 18:18 06[CFG] <ikev2|2> 192.168.103.0/24
> 2015-05-20 18:18 06[CFG] <ikev2|2> proposing traffic selectors for other:
> 2015-05-20 18:18 06[CFG] <ikev2|2> 192.168.103.160/32
> 2015-05-20 18:18 06[CFG] <ikev2|2> candidate "ikev2" with prio 1+1
> 2015-05-20 18:18 06[CFG] <ikev2|2> found matching child config "ikev2"
> with prio 2
> 2015-05-20 18:18 06[CFG] <ikev2|2> selecting proposal:
> 2015-05-20 18:18 06[CFG] <ikev2|2> no acceptable ENCRYPTION_ALGORITHM
> found
> 2015-05-20 18:18 06[CFG] <ikev2|2> selecting proposal:
> 2015-05-20 18:18 06[CFG] <ikev2|2> no acceptable ENCRYPTION_ALGORITHM
> found
> 2015-05-20 18:18 06[CFG] <ikev2|2> selecting proposal:
> 2015-05-20 18:18 06[CFG] <ikev2|2> no acceptable ENCRYPTION_ALGORITHM
> found
> 2015-05-20 18:18 06[CFG] <ikev2|2> selecting proposal:
> 2015-05-20 18:18 06[CFG] <ikev2|2> proposal matches
> 2015-05-20 18:18 06[CFG] <ikev2|2> received proposals:
> ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ,
> ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
> 2015-05-20 18:18 06[CFG] <ikev2|2> configured proposals:
> ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
> ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> 2015-05-20 18:18 06[CFG] <ikev2|2> selected proposal:
> ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
> 2015-05-20 18:18 06[KNL] <ikev2|2> getting SPI for reqid {2}
> 2015-05-20 18:18 06[KNL] <ikev2|2> got SPI cf9d9615 for reqid {2}
> 2015-05-20 18:18 06[CFG] <ikev2|2> selecting traffic selectors for us:
> 2015-05-20 18:18 06[CFG] <ikev2|2> config: 192.168.103.0/24, received:
> ::/0 => no match
> 2015-05-20 18:18 06[CFG] <ikev2|2> config: 192.168.103.0/24, received:
> 0.0.0.0/0 => match: 192.168.103.0/24
> 2015-05-20 18:18 06[CFG] <ikev2|2> selecting traffic selectors for other:
> 2015-05-20 18:18 06[CFG] <ikev2|2> config: 192.168.103.160/32,
> received: ::/0 => no match
> 2015-05-20 18:18 06[CFG] <ikev2|2> config: 192.168.103.160/32,
> received: 0.0.0.0/0 => match: 192.168.103.160/32
> 2015-05-20 18:18 06[CHD] <ikev2|2> using 3DES_CBC for encryption
> 2015-05-20 18:18 06[CHD] <ikev2|2> using HMAC_SHA1_96 for integrity
> 2015-05-20 18:18 06[CHD] <ikev2|2> adding inbound ESP SA
> 2015-05-20 18:18 06[CHD] <ikev2|2> SPI 0xcf9d9615, src 46.59.24.181
> dst 37.46.166.66
> 2015-05-20 18:18 06[KNL] <ikev2|2> adding SAD entry with SPI cf9d9615
> and reqid {2} (mark 0/0x00000000)
> 2015-05-20 18:18 06[KNL] <ikev2|2> using encryption algorithm 3DES_CBC
> with key size 192
> 2015-05-20 18:18 06[KNL] <ikev2|2> using integrity algorithm
> HMAC_SHA1_96 with key size 160
> 2015-05-20 18:18 06[KNL] <ikev2|2> using replay window of 32 packets
> 2015-05-20 18:18 06[CHD] <ikev2|2> adding outbound ESP SA
> 2015-05-20 18:18 06[CHD] <ikev2|2> SPI 0x4b13e8c9, src 37.46.166.66
> dst 46.59.24.181
> 2015-05-20 18:18 06[KNL] <ikev2|2> adding SAD entry with SPI 4b13e8c9
> and reqid {2} (mark 0/0x00000000)
> 2015-05-20 18:18 06[KNL] <ikev2|2> using encryption algorithm 3DES_CBC
> with key size 192
> 2015-05-20 18:18 06[KNL] <ikev2|2> using integrity algorithm
> HMAC_SHA1_96 with key size 160
> 2015-05-20 18:18 06[KNL] <ikev2|2> using replay window of 32 packets
> 2015-05-20 18:18 06[KNL] <ikev2|2> adding policy 192.168.103.0/24 ===
> 192.168.103.160/32 out (mark 0/0x00000000)
> 2015-05-20 18:18 06[KNL] <ikev2|2> adding policy 192.168.103.160/32 ===
> 192.168.103.0/24 in (mark 0/0x00000000)
> 2015-05-20 18:18 06[KNL] <ikev2|2> adding policy 192.168.103.160/32 ===
> 192.168.103.0/24 fwd (mark 0/0x00000000)
> 2015-05-20 18:18 06[KNL] <ikev2|2> getting a local address in traffic
> selector 192.168.103.0/24
> 2015-05-20 18:18 06[KNL] <ikev2|2> using host 192.168.103.201
> 2015-05-20 18:18 06[KNL] <ikev2|2> using 37.46.166.65 as nexthop to
> reach 46.59.24.181/32
> 2015-05-20 18:18 06[KNL] <ikev2|2> 37.46.166.66 is on interface enp4s1
> 2015-05-20 18:18 06[KNL] <ikev2|2> installing route: 192.168.103.160/32
> via 37.46.166.65 src 192.168.103.201 dev enp4s1
> 2015-05-20 18:18 06[KNL] <ikev2|2> getting iface index for enp4s1
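Added example, not from the thread or the strongSwan project: a shell script that issues a server certificate with the two extended-key-usage values the poster's fix adds (serverAuth and the IKE intermediate OID 1.3.6.1.5.5.8.2.2) and then checks a certificate for them, so the cause of Windows error 13801 can be caught on the server before any client connects. It uses OpenSSL in place of `ipsec pki`, and the CA, host names and file names are made up.

```shell
#!/bin/sh
# Issue a server cert with the EKU flags Windows IKEv2 checks, and verify them.
# OpenSSL stands in for `ipsec pki --issue --flag serverAuth --flag ikeIntermediate`.
set -eu
WORK=${WORK:-$(mktemp -d)}

# Throwaway CA (constructed names, not the thread's real CA)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/C=SE/O=Example/CN=Example VPN CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# issue_server_cert NAME MODE: MODE "good" adds the EKU, anything else omits it
issue_server_cert() {
  name=$1; mode=$2
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=SE/O=Example/CN=vpn.example.test" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  {
    echo "subjectAltName = DNS:vpn.example.test"
    if [ "$mode" = good ]; then
      # serverAuth plus IKE intermediate (1.3.6.1.5.5.8.2.2): without both,
      # the Windows client rejects the responder with error 13801.
      echo "extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2"
    fi
  } > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# check_eku CERT: prints "ok" when both EKU values are present, else "missing"
check_eku() {
  txt=$(openssl x509 -in "$1" -noout -text)
  if printf '%s\n' "$txt" | grep -q 'TLS Web Server Authentication' &&
     printf '%s\n' "$txt" | grep -Eiq '1\.3\.6\.1\.5\.5\.8\.2\.2|ike.?intermediate'; then
    echo ok
  else
    echo missing
  fi
}

make_ca
issue_server_cert bad none      # reproduces the poster's original mistake
issue_server_cert good good     # the corrected cert
echo "bad: $(check_eku "$WORK/bad.pem"), good: $(check_eku "$WORK/good.pem")"
```

Run `check_eku` against the certificate named by `leftcert` on a live responder to confirm it carries both values; the check is read-only and does not touch the running daemon.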