[strongSwan] IKEv2 RSA or EAP (mschap2) with Windows 10 client

Andreas Steffen andreas.steffen at strongswan.org
Wed Nov 25 09:36:02 CET 2015


Hi,

I think the Windows 10 client does not like the strongSwan VPN
gateway certificate. Either it is the subjectDistinguishedName

  C=CH, O=strongSwan, CN=5.196.157.166

which must contain the hostname either in the CN field or as a
separate subjectAltName, or the serverAuth extended key usage
flag is missing. I don't know how Windows handles IP addresses
as IKEv2 identities, though. In your case you are connecting
to the gateway using its IP address 5.196.157.166 instead of
its hostname, so I don't know if the IP address is acceptable
in the CN field.

Best regards

Andreas

On 11/24/2015 09:54 PM, Krešo Kunjas wrote:
> Hi to all!
> 
> I have some problem with strongswan setup using Windows 10 builtin VPN
> client.
> 
> I have configured everything using this guide:
> 
> https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/
> 
> When I'm using linux clients with RSA keys everything works as expected.
> Even using Android client with IKEv1 Xauth everything works.
> 
> But when using Windows 10 builtin VPN clients I cannot connect; the
> connection times out.
> 
> This is the log when Windows 10 client is connecting:
> 
> http://paste2.org/t2JXOHhF
> 
> This is my ipsec.conf
> 
> kkunjas at linfw:~$ cat /etc/ipsec.conf
> config setup
>         uniqueids=never
>         charondebug="cfg 2, dmn 2, ike 2, net 2"
> 
> conn %default
>         keyexchange=ikev2
>         ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
>         esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
>         dpdaction=clear
>         dpddelay=300s
>         rekey=no
>         left=%any
>         leftsubnet=10.0.117.0/24
>         leftcert=vpnHostCert.pem
>         leftfirewall=yes
>         right=%any
>         #rightsourceip=10.0.117.48/28
>         rightsourceip=10.0.118.0/24
> 
> conn IPSec-IKEv2
>         keyexchange=ikev2
>         auto=add
> 
> conn IPSec-IKEv2-EAP
>         also="IPSec-IKEv2"
>         rightauth=eap-mschapv2
>         rightsendcert=never
>         eap_identity=%any
> 
> conn CiscoIPSec
>         keyexchange=ikev1
>         # forceencaps=yes
>         rightauth=pubkey
>         rightauth2=xauth
>         auto=add
> 
> strongswan version:
> 
> ~$ ipsec --version
> Linux strongSwan U5.1.2/K3.13.0-68-generic
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil, Switzerland
> See 'ipsec --copyright' for copyright information.
> 
> Server and client certificate are successfully imported into Windows.
> 
> The errors are the same if I'm using client RSA cert for auto or EAP-MsChap2
> 
> I'm still new to IPsec and strongSwan, so I'm currently stuck and I need
> Win10 native clients to connect, so please advise.
> If you need additional info please feel free to ask.
> 
> ty
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
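The reply above names the three properties a Windows IKEv2 client looks for in the gateway certificate: the hostname in the CN or in a subjectAltName, the address the client actually dials in a subjectAltName, and the serverAuth extended key usage. The following is an added example, not code from the thread or from the strongSwan project: it issues a gateway certificate with those properties from a throwaway CA using openssl, builds a second certificate shaped like the one in the thread (IP address in the CN, no SAN, no EKU), and runs a small check over both. The hostname vpn.example.org, the CA name and the temp directory are assumptions; 5.196.157.166 is the address from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): issue a strongSwan gateway certificate
# the way a Windows IKEv2 client expects it, and check a PEM certificate for
# the properties the reply names. Assumes openssl is on PATH.
set -e
WORK=$(mktemp -d)          # assumption: scratch dir for keys and certs
HOST=vpn.example.org       # assumption: the gateway's DNS name
IP=5.196.157.166           # the gateway address from the thread

# Throwaway CA used to sign both test certificates.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/caKey.pem" -out "$WORK/caCert.pem" \
        -subj "/C=CH/O=strongSwan/CN=strongSwan Root CA" 2>/dev/null
}

# Good gateway certificate: hostname in CN, hostname and IP as SANs,
# serverAuth EKU. Prints the path of the issued certificate.
make_gateway_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/vpnHostKey.pem" -out "$WORK/vpnHost.csr" \
        -subj "/C=CH/O=strongSwan/CN=$HOST" 2>/dev/null
    cat > "$WORK/ext.cnf" <<EOF
subjectAltName = DNS:$HOST, IP:$IP
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
EOF
    openssl x509 -req -days 730 -in "$WORK/vpnHost.csr" \
        -CA "$WORK/caCert.pem" -CAkey "$WORK/caKey.pem" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -out "$WORK/vpnHostCert.pem" 2>/dev/null
    echo "$WORK/vpnHostCert.pem"
}

# Certificate shaped like the one in the thread: IP address in the CN,
# no subjectAltName, no extendedKeyUsage. Prints its path.
make_thread_style_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/badKey.pem" -out "$WORK/bad.csr" \
        -subj "/C=CH/O=strongSwan/CN=$IP" 2>/dev/null
    openssl x509 -req -days 730 -in "$WORK/bad.csr" \
        -CA "$WORK/caCert.pem" -CAkey "$WORK/caKey.pem" -CAcreateserial \
        -out "$WORK/badCert.pem" 2>/dev/null
    echo "$WORK/badCert.pem"
}

# check_gateway_cert CERT NAME IP: returns 0 only if the certificate
# carries DNS:NAME and IP:IP as SANs and the serverAuth EKU; otherwise
# reports each missing item on stdout and returns 1.
check_gateway_cert() {
    cert=$1; name=$2; ip=$3
    text=$(openssl x509 -in "$cert" -noout -text)
    rc=0
    echo "$text" | grep -q "DNS:$name" \
        || { echo "$cert: missing SAN DNS:$name"; rc=1; }
    echo "$text" | grep -q "IP Address:$ip" \
        || { echo "$cert: missing SAN IP:$ip"; rc=1; }
    echo "$text" | grep -q "TLS Web Server Authentication" \
        || { echo "$cert: missing serverAuth extended key usage"; rc=1; }
    return $rc
}

# Stand-alone run: issue both certificates and check them.
make_ca
GOOD=$(make_gateway_cert)
BAD=$(make_thread_style_cert)
check_gateway_cert "$GOOD" "$HOST" "$IP" && echo "$GOOD: ok"
check_gateway_cert "$BAD" "$HOST" "$IP" || echo "$BAD: would be rejected"
```

The strongSwan pki tool can produce the same certificate without openssl; the equivalent options are `--san vpn.example.org --san 5.196.157.166 --flag serverAuth` on `pki --issue`, with the DN's CN set to the hostname rather than the address. Whichever tool issues it, the value the Windows client is pointed at (hostname or IP) must appear in the SAN list, and leftid on the gateway side should match what the client expects to see.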
