[strongSwan] Win7 and Window10Mobile: IKE authentication credentials are unacceptable
Arne Schmid
arne.j.schmid at outlook.com
Fri May 6 13:39:45 CEST 2016
Hi Tobias,
> And it looks like your server is behind a NAT router. Does that router
> know that it has to forward packets addressed to 172.20.1.0/24 back to
> your server (192.168.0.3)? Otherwise, you might have to NAT traffic
> from that subnet to the server's private IP first (again, see [1]).
My router has ports 500/4500 forwarded to 192.168.0.3 (both TCP/UDP) and the ESP protocol is bound to 192.168.0.3 - there is not much more to configure (pulling my hair out)
Here is my recent conf without rightsubnet...
conn winCert
    left=%defaultroute
    leftcert=vpn.server.cert.pem
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightauth=eap-tls
    eap_identity=%identity
    rightsendcert=never
    rightsourceip=172.20.1.0/24
    # rightsubnet=172.20.1.0/24
    keyexchange=ikev2
    # type=passthrough
    auto=add
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
$ sysctl net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 1
I added the following nat POSTROUTING rules according to [1] (tried with -s 172.10.1.0/24 and now omitted the -s completely)
iptables -t nat -A POSTROUTING -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$ iptables -L -t nat
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere policy match dir out pol ipsec
MASQUERADE all -- anywhere anywhere
These are the FORWARD policies applied due to leftfirewall=yes (leftfirewall=no doesn't work either)
$ iptables -L
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.20.1.1 anywhere policy match dir in pol ipsec reqid 1 proto esp
ACCEPT all -- anywhere 172.20.1.1 policy match dir out pol ipsec reqid 1 proto esp
I found a script to list the kernel modules [2] - it seems sufficient to me:
CONFIG_XFRM_USER=y
CONFIG_NET_KEY=y
CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_INET_AH=y
CONFIG_INET_ESP=y
CONFIG_INET_IPCOMP=y
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_INET_XFRM_MODE_BEET=y
CONFIG_IPV6=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
192.168.0.1 is my router
192.168.0.3 is my box with strongswan installed
$ ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.2):
uptime: 4 minutes, since May 06 12:11:15 2016
malloc: sbrk 675840, mmap 0, used 174720, free 501120
worker threads: 7 idle of 16, job queue load: 0, scheduled events: 2
loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Virtual IP pools (size/online/offline):
winCert: 255/1/0
Listening IP addresses:
192.168.0.3
Connections:
winCert: 192.168.0.3...%any, dpddelay=300s
winCert: local: [C=CN, O=EXAMPLE, CN=vpn.EXAMPLE.de] uses public key authentication
winCert: cert: "C=CN, O=EXAMPLE, CN=vpn.EXAMPLE.de"
winCert: remote: [%any] uses EAP_TLS authentication with EAP identity '%any'
winCert: child: 0.0.0.0/0 === dynamic , dpdaction=clear
Security Associations:
winCert[1]: ESTABLISHED 4 minutes ago, 192.168.0.3[C=CN, O=EXAMPLE, CN=vpn.EXAMPLE.de]...XXX.XXX.210.187[10.145.250.41]
winCert[1]: IKE SPIs: a6ef5b5011f4b1ee_i c12d66636104fad2_r*, rekeying disabled
winCert[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
winCert{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: cf45fa36_i 8b715638_o
winCert{1}: AES_CBC_128/HMAC_SHA1_96, 1064 bytes_i, 0 bytes_o, rekeying disabled
winCert{1}: 0.0.0.0/0 === 172.20.1.1/32
And then charon.log, which adds the policies:
May 6 12:01:57 11[CFG] <winCert|1> assigning new lease to 'client at vpn.EXAMPLE.de'
May 6 12:01:57 11[IKE] <winCert|1> assigning virtual IP 172.20.1.1 to peer 'client at vpn.EXAMPLE.de'
May 6 12:01:57 11[IKE] <winCert|1> building INTERNAL_IP4_DNS attribute
May 6 12:01:57 11[IKE] <winCert|1> building INTERNAL_IP4_NBNS attribute
May 6 12:01:57 11[IKE] <winCert|1> building INTERNAL_IP4_DNS attribute
May 6 12:01:57 11[IKE] <winCert|1> building INTERNAL_IP4_NBNS attribute
May 6 12:01:57 11[CFG] <winCert|1> looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
May 6 12:01:57 11[CFG] <winCert|1> proposing traffic selectors for us:
May 6 12:01:57 11[CFG] <winCert|1> 0.0.0.0/0 (derived from 0.0.0.0/0)
May 6 12:01:57 11[CFG] <winCert|1> proposing traffic selectors for other:
May 6 12:01:57 11[CFG] <winCert|1> 172.20.1.1/32 (derived from dynamic)
May 6 12:01:57 11[CFG] <winCert|1> candidate "winCert" with prio 10+2
May 6 12:01:57 11[CFG] <winCert|1> found matching child config "winCert" with prio 12
May 6 12:01:57 11[CFG] <winCert|1> selecting proposal:
May 6 12:01:57 11[CFG] <winCert|1> no acceptable ENCRYPTION_ALGORITHM found
May 6 12:01:57 11[CFG] <winCert|1> selecting proposal:
May 6 12:01:57 11[CFG] <winCert|1> proposal matches
May 6 12:01:57 11[CFG] <winCert|1> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:NULL/HMAC_SHA1_96/NO_EXT_SEQ
May 6 12:01:57 11[CFG] <winCert|1> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_GCM_16_128/ECP_256/NO_EXT_SEQ, ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
May 6 12:01:57 11[CFG] <winCert|1> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
May 6 12:01:57 11[KNL] <winCert|1> getting SPI for reqid {1}
May 6 12:01:57 11[KNL] <winCert|1> got SPI c783f290 for reqid {1}
May 6 12:01:57 11[CFG] <winCert|1> selecting traffic selectors for us:
May 6 12:01:57 11[CFG] <winCert|1> config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
May 6 12:01:57 11[CFG] <winCert|1> config: 0.0.0.0/0, received: ::/0 => no match
May 6 12:01:57 11[CFG] <winCert|1> selecting traffic selectors for other:
May 6 12:01:57 11[CFG] <winCert|1> config: 172.20.1.1/32, received: 0.0.0.0/0 => match: 172.20.1.1/32
May 6 12:01:57 11[CFG] <winCert|1> config: 172.20.1.1/32, received: ::/0 => no match
May 6 12:01:57 11[KNL] <winCert|1> adding SAD entry with SPI c783f290 and reqid {1}
May 6 12:01:57 11[KNL] <winCert|1> using encryption algorithm AES_CBC with key size 128
May 6 12:01:57 11[KNL] <winCert|1> using integrity algorithm HMAC_SHA1_96 with key size 160
May 6 12:01:57 11[KNL] <winCert|1> adding SAD entry with SPI 8e872a58 and reqid {1}
May 6 12:01:57 11[KNL] <winCert|1> using encryption algorithm AES_CBC with key size 128
May 6 12:01:57 11[KNL] <winCert|1> using integrity algorithm HMAC_SHA1_96 with key size 160
May 6 12:01:57 11[KNL] <winCert|1> adding policy 0.0.0.0/0 === 172.20.1.1/32 out
May 6 12:01:57 11[KNL] <winCert|1> adding policy 172.20.1.1/32 === 0.0.0.0/0 in
May 6 12:01:57 11[KNL] <winCert|1> adding policy 172.20.1.1/32 === 0.0.0.0/0 fwd
May 6 12:01:57 11[KNL] <winCert|1> getting a local address in traffic selector 0.0.0.0/0
May 6 12:01:57 11[KNL] <winCert|1> using host %any
May 6 12:01:57 11[KNL] <winCert|1> getting address to reach XXX.XXX.210.187
May 6 12:01:57 11[KNL] <winCert|1> getting interface name for 192.168.0.3
May 6 12:01:57 11[KNL] <winCert|1> 192.168.0.3 is on interface eth0
May 6 12:01:57 11[KNL] <winCert|1> installing route: 172.20.1.1/32 via 192.168.0.1 src %any dev eth0
May 6 12:01:57 11[KNL] <winCert|1> getting iface index for eth0
May 6 12:01:57 11[IKE] <winCert|1> CHILD_SA winCert{1} established with SPIs c783f290_i 8e872a58_o and TS 0.0.0.0/0 === 172.20.1.1/32
May 6 12:01:57 11[KNL] <winCert|1> getting interface name for 192.168.0.3
May 6 12:01:57 11[KNL] <winCert|1> 192.168.0.3 is on interface eth0
[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
[2] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
sent from my Windows 8 Tablet
----------------------------------------
> To: arne.j.schmid at outlook.com; users at lists.strongswan.org
> From: tobias at strongswan.org
> Date: Fri, 6 May 2016 10:01:17 +0200
> Subject: Re: [strongSwan] Win7 and Window10Mobile: IKE authentication credentials are unacceptable
>
> Hi Arne,
>
>> rightsubnet=172.20.1.0/24
>
> That's wrong. Don't configure a rightsubnet when using virtual IPs.
> The remote traffic selector will automatically be set to the assigned
> virtual IP.
>
> And it looks like your server is behind a NAT router. Does that router
> know that it has to forward packets addressed to 172.20.1.0/24 back to
> your server (192.168.0.3)? Otherwise, you might have to NAT traffic
> from that subnet to the server's private IP first (again, see [1]).
>
> Regards,
> Tobias
>
> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>
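The one thing the nat POSTROUTING rules above depend on is ordering: the policy-match ACCEPT must sit before MASQUERADE, otherwise packets bound for the virtual IP get source-NATed before the IPsec policy can claim them. The following check is an added example, not part of the original thread or of strongSwan; it assumes rules in `iptables -t nat -S POSTROUTING` format and uses a constructed sample modelled on the rules in the post:

```shell
# Added example (not from the original post): verify that the nat POSTROUTING
# chain exempts IPsec-policy traffic from MASQUERADE before MASQUERADE fires,
# the ordering the ForwardingAndSplitTunneling wiki page requires.
# Input: rule list in `iptables -t nat -S POSTROUTING` format on stdin.
check_postrouting_order() {
    # Returns 0 if an "-m policy --dir out --pol ipsec -j ACCEPT" rule precedes
    # the first "-j MASQUERADE" rule, 1 otherwise (missing or misordered).
    awk '
        /-m policy .*--pol ipsec .*-j ACCEPT/ && !seen_masq { seen_accept = 1 }
        /-j MASQUERADE/ { seen_masq = 1 }
        END { exit (seen_accept ? 0 : 1) }
    '
}

# Constructed sample matching the ordering shown in the post (correct):
GOOD_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# Constructed sample with the two rules swapped (MASQUERADE rewrites the
# client-bound packets before the IPsec policy match is ever reached):
BAD_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -m policy --dir out --pol ipsec -j ACCEPT'

# Runs both samples through the check and reports the verdicts.
demo() {
    printf '%s\n' "$GOOD_RULES" | check_postrouting_order \
        && echo "good sample: ordering ok" || echo "good sample: BROKEN"
    printf '%s\n' "$BAD_RULES" | check_postrouting_order \
        && echo "bad sample: ordering ok" || echo "bad sample: MASQUERADE precedes ipsec ACCEPT"
}

# On a live box (needs root):
#   iptables -t nat -S POSTROUTING | check_postrouting_order && echo "ordering ok"
```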