[strongSwan] Win7 and Window10Mobile: IKE authentication credentials are unacceptable
Arne Schmid
arne.j.schmid at outlook.com
Thu Apr 28 20:24:52 CEST 2016
Hi Tobias,
thanks a lot for the input. Still not much luck here. This is my config + the logs. They
config setup
        charondebug="ike 2, knl 3, cfg 1, enc -1, lib -1"
        charonstart=yes
        plutostart=no

conn %default
        leftcert=vpn.server.cert.pem
        dpdaction=clear
        dpddelay=300s
        dpdtimeout=1h
        keyexchange=ikev2
        auto=add
        rekey=no

conn rw
        left=%any
        leftcert=vpn.server.cert.pem
        leftauth=pubkey
        leftsubnet=0.0.0.0/24
        right=%any
        rightauth=eap-tls
        rightsendcert=never
        eap_identity=%any
        keyexchange=ikev2
        rightsourceip=172.20.1.1/24
        rightid="C=CN, O=EXAMPLE, CN=client"
        auto=add
Apr 28 20:09:38 00[KNL] listening on interfaces:
Apr 28 20:09:38 00[KNL] eth0
Apr 28 20:09:38 00[KNL] 192.168.0.3
Apr 28 20:09:38 00[KNL] fd00:788d:f701:302:c2b0:a6ff:fec0:fd21
Apr 28 20:09:38 00[KNL] fe80::c2b0:a6ff:fec0:fd21
Apr 28 20:09:39 05[KNL] getting interface name for %any
Apr 28 20:09:39 05[KNL] %any is not a local address
Apr 28 20:09:39 05[KNL] getting interface name for %any
Apr 28 20:09:39 05[KNL] %any is not a local address
Apr 28 20:09:48 11[IKE] <1> 89.204.137.247 is initiating an IKE_SA
Apr 28 20:09:48 11[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Apr 28 20:09:49 11[IKE] <1> local host is behind NAT, sending keep alives
Apr 28 20:09:49 11[IKE] <1> remote host is behind NAT
Apr 28 20:09:50 12[IKE] <1> received cert request for "C=CN, O=EXAMPLE, CN=EXAMPLE ca"
Apr 28 20:09:50 12[IKE] <1> received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4
...
Apr 28 20:09:50 12[IKE] <1> received cert request for unknown ca with keyid ee:6a:0f:1d:67:94:cf:44:ff:cf:1b:a8:e2:f2:68:50:86:6d:15:f8
Apr 28 20:09:50 12[IKE] <1> received 43 cert requests for an unknown ca
Apr 28 20:09:50 12[IKE] <1> processing INTERNAL_IP4_ADDRESS attribute
Apr 28 20:09:50 12[IKE] <1> processing INTERNAL_IP4_DNS attribute
Apr 28 20:09:50 12[IKE] <1> processing INTERNAL_IP4_NBNS attribute
Apr 28 20:09:50 12[IKE] <1> processing INTERNAL_IP4_SERVER attribute
Apr 28 20:09:50 12[IKE] <1> processing INTERNAL_IP6_ADDRESS attribute
Apr 28 20:09:50 12[IKE] <1> processing INTERNAL_IP6_DNS attribute
Apr 28 20:09:50 12[IKE] <1> processing INTERNAL_IP6_SERVER attribute
Apr 28 20:09:50 12[IKE] <1> peer supports MOBIKE
Apr 28 20:09:50 12[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
Not sure if there is something wrong with my iptables. So adding it, too:
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
ACCEPT gre -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:1723 state NEW
ACCEPT gre -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt state NEW
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
ACCEPT icmp -- anywhere anywhere
ACCEPT esp -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- loopback/24 loopback/24
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- 172.20.1.0/24 anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Thanks,
Arne
From: Tobias Brunner<mailto:tobias at strongswan.org>
Sent: Thursday, April 28, 2016 18:31
To: Arne Schmid<mailto:arne.j.schmid at outlook.com>; users at lists.strongswan.org<mailto:users at lists.strongswan.org>
Subject: Re: [strongSwan] Win7 and Window10Mobile: IKE authentication credentials are unacceptable
Hi Arne,
> Apr 28 12:13:58 12[IKE] <rw|1> peer requested EAP, config inacceptable
Your clients probably want to authenticate with EAP-TLS. Refer to [1]
for details.
Also, please reduce the log levels, in particular for the lib and enc
log groups [2].
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
[2] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
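A small triage helper for charon log excerpts like the one above, added here as an example and not part of the original thread or of strongSwan itself: it parses charon's syslog line format (timestamp, thread, log group, optional "<sa>" or "<conn|sa>" tag, message), tracks each IKE_SA's state changes, picks up charon's "received N cert requests for an unknown ca" summary, and flags an SA that was torn down from CONNECTING without ever reaching ESTABLISHED, which is the pattern in Arne's log. The SA 1 lines are copied from the post; the SA 2 lines are constructed to show what a successful connection looks like to the same parser.

```python
import re
from collections import defaultdict

# Charon line as pasted in the post, e.g.
#   "Apr 28 20:09:50 12[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING"
# The tag is "<sa>" before a conn is matched and "<conn|sa>" afterwards (e.g. "<rw|1>").
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<thread>\d+)\[(?P<group>[A-Z]+)\]"
    r"(?: <(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>)? (?P<msg>.*)$"
)
STATE_RE = re.compile(r"IKE_SA \S+\[\d+\] state change: \w+ => (?P<new>\w+)")
UNKNOWN_CA_RE = re.compile(r"received (?P<n>\d+) cert requests for an unknown ca")

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None      # None for text that is not a charon line

def triage(lines):
    """Group charon lines by IKE_SA number and summarise how far each SA got."""
    sas = defaultdict(lambda: {"peer": None, "states": [], "unknown_ca": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["sa"] is None:
            continue                          # start-up / KNL lines carry no SA number
        sa, msg = sas[rec["sa"]], rec["msg"]
        if (m := STATE_RE.search(msg)):
            sa["states"].append(m.group("new"))
        elif msg.endswith("is initiating an IKE_SA"):
            sa["peer"] = msg.split()[0]
        elif (m := UNKNOWN_CA_RE.search(msg)):
            sa["unknown_ca"] = int(m.group("n"))  # charon's own summary; per-CA lines not counted
    for sa in sas.values():
        sa["established"] = "ESTABLISHED" in sa["states"]
        # torn down straight from CONNECTING: the peer never got past IKE_AUTH
        sa["failed_in_auth"] = not sa["established"] and sa["states"][-1:] == ["DESTROYING"]
    return dict(sas)

# SA 1 is taken from the log in the post; SA 2 is a constructed successful connection for contrast.
SAMPLE = [
    "Apr 28 20:09:38 00[KNL] listening on interfaces:",
    "Apr 28 20:09:48 11[IKE] <1> 89.204.137.247 is initiating an IKE_SA",
    "Apr 28 20:09:48 11[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING",
    "Apr 28 20:09:50 12[IKE] <1> received 43 cert requests for an unknown ca",
    "Apr 28 20:09:50 12[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING",
    "Apr 28 20:11:02 13[IKE] <2> 203.0.113.7 is initiating an IKE_SA",             # constructed
    "Apr 28 20:11:02 13[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING",
    "Apr 28 20:11:03 14[IKE] <rw|2> IKE_SA rw[2] state change: CONNECTING => ESTABLISHED",
]

if __name__ == "__main__":
    for num, info in sorted(triage(SAMPLE).items()):
        print(f"IKE_SA {num} from {info['peer']}: {' -> '.join(info['states'])} | "
              f"unknown CAs requested: {info['unknown_ca']} | failed in auth: {info['failed_in_auth']}")
```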