[strongSwan] IKEv2 RSA or EAP (mschap2) with Windows 10 client
Andreas Steffen
andreas.steffen at strongswan.org
Wed Nov 25 09:36:02 CET 2015
Hi,
I think the Windows 10 client does not like the strongSwan VPN
gateway certificate. Either it is the subjectDistinguishedName
C=CH, O=strongSwan, CN=5.196.157.166
which must contain the hostname either in the CN field or as a
separate subjectAltName or the serverAuth extended key usage
flag is missing. I don't know how Windows handles IP addresses
as IKEv2 identities, though. In your case you are connecting
to the gateway using its IP address 5.196.157.166 instead of
its hostname, so I don't know if the IP address is acceptable
in the CN field.
Best regards
Andreas
On 11/24/2015 09:54 PM, Krešo Kunjas wrote:
> Hi to all!
>
> I have some problem with strongSwan setup using the Windows 10 built-in VPN
> client.
>
> I have configured everything using this guide:
>
> https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/
>
> When I'm using Linux clients with RSA keys everything works as expected.
> Even using Android client with IKEv1 Xauth everything works.
>
> But when using Windows 10 built-in VPN clients I cannot connect;
> the connection times out.
>
> This is the log when Windows 10 client is connecting:
>
> http://paste2.org/t2JXOHhF
>
> This is my ipsec.conf
>
> kkunjas@linfw:~$ cat /etc/ipsec.conf
> config setup
> uniqueids=never
> charondebug="cfg 2, dmn 2, ike 2, net 2"
>
> conn %default
> keyexchange=ikev2
>
> ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
>
> esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
> dpdaction=clear
> dpddelay=300s
> rekey=no
> left=%any
> leftsubnet=10.0.117.0/24
> leftcert=vpnHostCert.pem
> leftfirewall=yes
> right=%any
> #rightsourceip=10.0.117.48/28
> rightsourceip=10.0.118.0/24
>
> conn IPSec-IKEv2
> keyexchange=ikev2
> auto=add
>
> conn IPSec-IKEv2-EAP
> also="IPSec-IKEv2"
> rightauth=eap-mschapv2
> rightsendcert=never
> eap_identity=%any
>
> conn CiscoIPSec
> keyexchange=ikev1
> # forceencaps=yes
> rightauth=pubkey
> rightauth2=xauth
> auto=add
>
> strongswan version:
>
> ~$ ipsec --version
> Linux strongSwan U5.1.2/K3.13.0-68-generic
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil, Switzerland
> See 'ipsec --copyright' for copyright information.
>
> Server and client certificate are successfully imported into Windows.
>
> The errors are the same if I'm using client RSA cert for auto or EAP-MsChap2
>
> I'm still new to IPsec and strongSwan, so I'm currently stuck and I need
> Win10 native clients to connect, so please advise.
> If you need additional info please feel free to ask.
>
> ty
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
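
Added example, not part of the original thread: one way to check a gateway certificate for the two properties named in the reply above (the address the client connects to appearing in the CN or subjectAltName, and the serverAuth extended key usage), using the openssl command-line tool. The matching follows OpenSSL's rules as a stand-in, since the thread does not establish how Windows treats an IP address in the CN; the helper function names, `vpn.example.org` and the 192.0.2.10 address are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl command-line tool.

# make_sample_cert OUT SUBJECT EXT-LINE...
# Writes a throwaway self-signed certificate (constructed test input).
make_sample_cert() {
    out=$1; subj=$2; shift 2
    cfg=$(mktemp) || return 2
    printf '[req]\ndistinguished_name=req\nx509_extensions=v3\n[v3]\n' > "$cfg"
    for line in "$@"; do printf '%s\n' "$line" >> "$cfg"; done
    rc=0
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -subj "$subj" -keyout "$cfg.key" -out "$out" 2>/dev/null || rc=$?
    rm -f "$cfg" "$cfg.key"
    return $rc
}

# check_gw_cert CERT NAME
# NAME is the server address configured in the client (hostname or IP).
# Returns 0 only if NAME matches the certificate and serverAuth is set.
check_gw_cert() {
    cert=$1; name=$2; rc=0
    case $name in
        *:*)       opt=-checkip ;;    # IPv6 literal
        *[!0-9.]*) opt=-checkhost ;;  # has a non-digit: treat as hostname
        *)         opt=-checkip ;;    # digits and dots only: IPv4 literal
    esac
    # -checkhost looks at dNSName SANs (CN only if there are none);
    # -checkip looks at iPAddress SANs only, never at the CN.
    if openssl x509 -in "$cert" -noout "$opt" "$name" | grep -q 'does match'; then
        echo "OK   $name matches the certificate"
    else
        echo "FAIL $name is not matched by subjectAltName/CN"; rc=1
    fi
    if openssl x509 -in "$cert" -noout -text |
            grep -q 'TLS Web Server Authentication'; then
        echo "OK   extendedKeyUsage contains serverAuth"
    else
        echo "FAIL extendedKeyUsage lacks serverAuth"; rc=1
    fi
    return $rc
}

# Demo on constructed input: IP address only in the CN, no SAN, no EKU.
demo=$(mktemp)
make_sample_cert "$demo" "/C=CH/O=Example/CN=192.0.2.10" "basicConstraints=CA:FALSE"
check_gw_cert "$demo" 192.0.2.10 || echo "certificate needs to be reissued"
rm -f "$demo"
```

When reissuing with strongSwan's own tool, `ipsec pki --issue` accepts `--san` and `--flag serverAuth` to set these two fields.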