[strongSwan] Win7 and Window10Mobile: IKE authentication credentials are unacceptable

Arne Schmid arne.j.schmid at outlook.com
Fri May 6 09:52:11 CEST 2016


Hi Tobias,

I was looking yesterday at a lot of articles on wiki.strongswan.org to no avail. Here is my complete config / ip route + some logging. For me, everything looks OK... Still, when connected via VPN, I can't access my network internals and my data is still not routed through (ipaddress.com still shows I'm not going through my private infrastructure).

config setup
  # crlcheckinterval=600
  # strictcrlpolicy=yes
  # cachecrls=yes
  nat_traversal=yes
  charondebug="ike 2, knl 2, cfg 1, enc -1, lib -1"
  charonstart=yes
  plutostart=no

conn %default
  keyexchange=ikev2
  dpdaction=clear
  ike=aes128-sha1-modp1024,aes128-sha1-modp2048,aes256-sha1-modp1024,aes128-sha256-ecp256,aes256-sha384-ecp384
  esp=aes128-sha1,aes256-sha1,aes128gcm128-ecp256,aes256gcm128-ecp384
  dpddelay=300s
  rekey=no

conn winCert
  left=%defaultroute
  # left=%any
  leftcert=vpn.server.cert.pem
  leftauth=pubkey
  leftsubnet=0.0.0.0/0
  leftfirewall=yes
  # forceencaps=yes
  right=%any
  rightauth=eap-tls
  eap_identity=%identity
  rightsendcert=never
  rightsourceip=172.20.1.0/24
  rightsubnet=172.20.1.0/24
  keyexchange=ikev2
  #type=passthrough
  auto=add
  
  
$ ip addr
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN group default
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether c0:b0:a6:c0:fd:21 brd ff:ff:ff:ff:ff:ff
        inet 192.168.0.3/24 brd 192.168.0.255 scope global eth0
        inet6 fe80::c2b0:a6ff:fec0:fd21/64 scope link
           valid_lft forever preferred_lft forever
    3: tunl0: <NOARP> mtu 1480 qdisc noop state DOWN group default
        link/ipip 0.0.0.0 brd 0.0.0.0

$ ip route
    default via 192.168.0.1 dev eth0
    192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.3

# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  172.20.1.1           anywhere             policy match dir in pol ipsec reqid 2 proto esp
    ACCEPT     all  --  anywhere             172.20.1.1           policy match dir out pol ipsec reqid 2 proto esp
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

charon.log
May  6 09:09:54 11[CFG] <winCert|1> selecting traffic selectors for us:
May  6 09:09:54 11[CFG] <winCert|1>  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
May  6 09:09:54 11[CFG] <winCert|1> selecting traffic selectors for other:
May  6 09:09:54 11[CFG] <winCert|1>  config: 172.20.1.0/24, received: 0.0.0.0/0 => match: 172.20.1.0/24
May  6 09:09:54 11[KNL] <winCert|1> adding SAD entry with SPI cda74c88 and reqid {1}
May  6 09:09:54 11[KNL] <winCert|1>   using encryption algorithm AES_CBC with key size 128
May  6 09:09:54 11[KNL] <winCert|1>   using integrity algorithm HMAC_SHA1_96 with key size 160
May  6 09:09:54 11[KNL] <winCert|1> adding SAD entry with SPI 6e551312 and reqid {1}
May  6 09:09:54 11[KNL] <winCert|1>   using encryption algorithm AES_CBC with key size 128
May  6 09:09:54 11[KNL] <winCert|1>   using integrity algorithm HMAC_SHA1_96 with key size 160
May  6 09:09:54 11[KNL] <winCert|1> adding policy 0.0.0.0/0 === 172.20.1.0/24 out
May  6 09:09:54 11[KNL] <winCert|1> adding policy 172.20.1.0/24 === 0.0.0.0/0 in
May  6 09:09:54 11[KNL] <winCert|1> adding policy 172.20.1.0/24 === 0.0.0.0/0 fwd
May  6 09:09:54 11[KNL] <winCert|1> getting a local address in traffic selector 0.0.0.0/0
May  6 09:09:54 11[KNL] <winCert|1> using host %any
May  6 09:09:54 11[KNL] <winCert|1> getting address to reach XXX.XXX.210.187
May  6 09:09:54 11[KNL] <winCert|1> getting interface name for 192.168.0.3
May  6 09:09:54 11[KNL] <winCert|1> 192.168.0.3 is on interface eth0
May  6 09:09:54 11[KNL] <winCert|1> installing route: 172.20.1.0/24 via 192.168.0.1 src %any dev eth0
May  6 09:09:54 11[KNL] <winCert|1> getting iface index for eth0
May  6 09:09:54 11[IKE] <winCert|1> CHILD_SA winCert{1} established with SPIs cda74c88_i 6e551312_o and TS 0.0.0.0/0 === 172.20.1.0/24


Thanks,
Arne




----------------------------------------
> Subject: Re: [strongSwan] Win7 and Window10Mobile: IKE authentication credentials are unacceptable
> To: arne.j.schmid at outlook.com; users at lists.strongswan.org
> From: tobias at strongswan.org
> Date: Wed, 4 May 2016 16:42:37 +0200
>
> Hi Arne,
>
>> With TLS_RSA_WITH_AES_256_CBC_SHA256 the authentication works.
>
> OK, strange. I currently don't have access to a Win10 Mobile device but
> would be interesting to do some experiments to find out what's wrong
> with the other suite.
>
>> I'm not able to reach any devices inside my network and the traffic is not routed over the vpn (whatismyip.com still shows my real IP instead of that of the vpn) - but I'll tackle that one next.
>
> If your config is still the same as in your original mail the problem is
> probably leftsubnet=0.0.0.0/24. To tunnel everything you have to use
> leftsubnet=0.0.0.0/0. And please also have a look at [1].
>
> Regards,
> Tobias
>
> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>
>
>
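As an added diagnostic example (not code from either mail or from strongSwan itself), the script below audits the gateway-side prerequisites that the linked ForwardingAndSplitTunneling page describes for a full-tunnel setup with a virtual IP pool: IPv4 forwarding enabled, a MASQUERADE rule for the pool on the outbound interface, and the policy-match exclusion ahead of it so that packets bound for an IPsec SA are not NATed. It assumes the pool 172.20.1.0/24 and eth0 from the config and `ip addr` output above; check_gateway() works on captured input so it can be run offline, audit_live() feeds it the live values.

```shell
#!/bin/sh
# Added diagnostic example, not code from either mail or from strongSwan itself.
# Audits the gateway-side prerequisites for a full-tunnel road-warrior setup with
# a virtual IP pool, as described on the ForwardingAndSplitTunneling wiki page.

POOL="172.20.1.0/24"   # rightsourceip pool from the posted config
IFACE="eth0"           # outbound interface from the ip addr output above

# check_gateway <ip_forward value> <output of iptables-save -t nat> <pool> <iface>
# Prints one line per missing or misordered prerequisite; returns 0 if all are in place.
check_gateway() {
    fwd="$1"; nat="$2"; pool="$3"; iface="$4"; missing=0
    excl="-A POSTROUTING -s $pool -o $iface -m policy --dir out --pol ipsec -j ACCEPT"
    masq="-A POSTROUTING -s $pool -o $iface -j MASQUERADE"

    # Without forwarding the kernel decrypts the client's packets and then drops them.
    if [ "$fwd" != "1" ]; then
        echo "net.ipv4.ip_forward is '$fwd', expected 1"
        missing=1
    fi
    # Packets that will be re-encrypted into an IPsec SA must bypass NAT, otherwise
    # the rewritten source no longer matches the installed policies (pool <-> 0.0.0.0/0).
    excl_ln=$(printf '%s\n' "$nat" | grep -n -F -x -- "$excl" | cut -d: -f1 | head -n1)
    [ -n "$excl_ln" ] || { echo "missing: iptables -t nat $excl"; missing=1; }
    # Pool addresses are not routable beyond the gateway, so everything else gets
    # source-NATed to the gateway's own address on the outbound interface.
    masq_ln=$(printf '%s\n' "$nat" | grep -n -F -x -- "$masq" | cut -d: -f1 | head -n1)
    [ -n "$masq_ln" ] || { echo "missing: iptables -t nat $masq"; missing=1; }
    # Order matters: the exclusion must be evaluated before the MASQUERADE rule.
    if [ -n "$excl_ln" ] && [ -n "$masq_ln" ] && [ "$excl_ln" -gt "$masq_ln" ]; then
        echo "rule order: the policy-match ACCEPT must precede the MASQUERADE rule"
        missing=1
    fi
    return $missing
}

# Live run on the gateway (needs root for iptables-save).
audit_live() {
    check_gateway "$(cat /proc/sys/net/ipv4/ip_forward)" \
                  "$(iptables-save -t nat 2>/dev/null)" "$POOL" "$IFACE"
}
```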