[strongSwan] Win7 and Window10Mobile: IKE authentication credentials are unacceptable
Arne Schmid
arne.j.schmid at outlook.com
Fri May 6 17:17:22 CEST 2016
Hi Tobias,
I changed the forwarding of 500/4500 to only use UDP and deleted the ESP forwarding, although that shouldn't have hurt.
> To avoid conflicts you should probably add -s. If you capture traffic
> on the server do you see packets getting natted properly?
It doesn't look like anything is going through after the connection succeeds... I removed the old -t nat FORWARD rules and added them again with -s:
$ iptables -t nat -A POSTROUTING -s 172.20.1.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
$ iptables -t nat -A POSTROUTING -s 172.20.1.0/24 -o eth0 -j MASQUERADE
in /var/log/messages I see the connect and disconnect of the client:
May 6 17:06:59 localuser vpn: + 10.145.250.41 172.20.1.1/32 == XXX.XXX.210.187 -- 192.168.0.3 == 0.0.0.0/0
May 6 17:07:59 localuser vpn: + 10.145.250.41 172.20.1.1/32 == XXX.XXX.210.187 -- 192.168.0.3 == 0.0.0.0/0
Before connecting:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any eth0 172.20.1.0/24 anywhere policy match dir out pol ipsec
0 0 MASQUERADE all -- any eth0 172.20.1.0/24 anywhere
After trying to open some local addresses (192.168.0.x) on the client device:
Chain PREROUTING (policy ACCEPT 1 packets, 52 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 1 packets, 52 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5 packets, 340 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 5 packets, 340 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any eth0 172.20.1.0/24 anywhere policy match dir out pol ipsec
0 0 MASQUERADE all -- any eth0 172.20.1.0/24 anywhere
There was zero traffic when watching the FORWARD rules created by leftfirewall=yes as well...
I'm not sure if I followed the steps on CorrectTrafficDump correctly and didn't see anything along the line, or if I did something wrong. But I didn't see any throughput there either.
The weird thing is, I can connect via PPTP (using PopTop) to the same machine and browse tunneled through the internet (I didn't do any special configuration there). However, I'd rather use strongSwan IKEv2 instead of PopTop PPTP. (Stopping PopTop didn't make strongSwan work.)
Thanks,
Arne
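Added example, not part of the original post and not strongSwan's own code: a small POSIX shell script that installs the two POSTROUTING rules from the post idempotently and in the order that matters, and parses `iptables -t nat -L POSTROUTING -vnx` output to tell whether any decrypted pool traffic has hit them at all. The pool 172.20.1.0/24 and interface eth0 come from the post; the function names, the static FORWARD rules and the ip_forward check are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from strongSwan).
# Pool and egress interface are taken from the post; everything else here
# (function names, the static FORWARD rules) is an assumption.
POOL="${POOL:-172.20.1.0/24}"
WAN="${WAN:-eth0}"

# Append a rule only if it is not already present (-C exits non-zero when
# the rule is missing), so re-running the script never duplicates rules.
ensure_rule() {
    table=$1; shift
    iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}

install_rules() {
    # Order matters: the policy-match ACCEPT has to come before MASQUERADE,
    # otherwise packets that still have to enter a tunnel are source-NATed
    # first and no longer match the negotiated traffic selectors.
    ensure_rule nat POSTROUTING -s "$POOL" -o "$WAN" -m policy --dir out --pol ipsec -j ACCEPT
    ensure_rule nat POSTROUTING -s "$POOL" -o "$WAN" -j MASQUERADE
    # Forwarding of decrypted client traffic, as static rules instead of the
    # per-connection ones that leftfirewall=yes adds (assumed equivalent).
    ensure_rule filter FORWARD -s "$POOL" -m policy --dir in --pol ipsec -j ACCEPT
    ensure_rule filter FORWARD -d "$POOL" -m policy --dir out --pol ipsec -j ACCEPT
}

# Read `iptables -t nat -L POSTROUTING -vnx` output on stdin and print
# "<target> <packets>" for every rule whose source is the pool. Exits 1 when
# all of them are still at zero, i.e. no decrypted pool packet has traversed
# POSTROUTING yet (then check ip_forward, the FORWARD chain and
# `ip xfrm policy` before suspecting the NAT rules themselves).
pool_rule_hits() {
    awk -v pool="$1" '
        index($0, pool) && $1 ~ /^[0-9]+$/ {
            print $3, $1
            if ($1 + 0 > 0) seen = 1
        }
        END { exit (seen ? 0 : 1) }'
}

# Report the two things that must hold on a road-warrior gateway.
check_forwarding() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] \
        || echo "net.ipv4.ip_forward is not 1"
    if iptables -t nat -L POSTROUTING -vnx | pool_rule_hits "$POOL" >/dev/null; then
        echo "pool traffic is reaching POSTROUTING"
    else
        echo "no pool traffic has hit POSTROUTING yet"
    fi
}

case "${1:-}" in
    install) install_rules ;;
    check)   check_forwarding ;;
esac
```

Run `sh script.sh install` once (as root), reproduce the client test, then `sh script.sh check`. Zero hits on both the FORWARD and the POSTROUTING rules, as in the counters shown above, means no packet from the pool ever reached the forwarding path on eth0, so the NAT rules are not the place to look; the ACCEPT rule staying at zero while MASQUERADE counts up is the normal picture for clients that only talk to the internet.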