[strongSwan] Windows Client to Linux server question

bls s blslist1 at outlook.com
Fri Apr 14 01:20:27 CEST 2017


I had a problem enabling a Windows client to access strongSwan 5.5.1 on OpenSUSE 42.2. I was able to get it working, but I'd like to understand why the workaround I identified was required. Appreciate your thoughts on this.

I first got an iOS phone connecting to it, which was the primary driver for installing strongSwan. Next on the list was Windows 10-1703 (latest).

Updated ipsec.conf, created the certs and keys (script at end of message) and did an ipsec reload, copied the relevant bits to the Windows system and installed them via certmgr into the correct cert stores. When Windows tried to connect, it had a generic error. strongSwan said:

 Apr 12 19:27:09 host charon[5115]: 07[CFG] no IDr configured, fall back on IP address
 Apr 12 19:27:09 host charon[5115]: 07[IKE] no private key found for '192.168.x.x'
 Apr 12 19:27:09 host charon[5115]: 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

This was true whether I tried from on the same LAN or from outside the firewall.
After a bit of head-scratching, I added the server's internal IP address to the VPN host cert by adding "--san 192.168.x.x" (when creating vpnHostCert.pem):

ipsec pki --pub --in private/vpnHostKey.pem --type rsa | \
       ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem \
       --dn "C=CH, O=strongSwan, CN=host.domain.xxx" --san host.domain.xxx --san 192.168.x.x \
       --flag serverAuth --flag ikeIntermediate --outform pem > certs/vpnHostCert.pem

That fixed the problem, which is great, but based on everything I read, I shouldn't have needed to do that. The relevant log output now is:
 Apr 12 19:31:23 host charon[5528]: 15[CFG] no IDr configured, fall back on IP address
 Apr 12 19:31:23 host charon[5528]: 15[IKE] authentication of '192.168.x.x' (myself) with RSA signature successful
 Apr 12 19:31:23 host charon[5528]: 15[IKE] IKE_SA IPSec-IKEV2[1] established between 192.168.x.x[192.168.x.x]...192.168.x.9[C=CH, O=strongSwan, CN=myemail@domain.xxx]

What other alternatives are there to make this work without adding the IP address? (aka the correct way)
Thanks
Network: Internet <---> Router (ports 500 and 4500 forwarded) <---> Linux system (192.168.x.x)
ipsec.conf
----------
config setup
    strictcrlpolicy=no
    uniqueids=no
#    nat_traversal=yes
conn %default
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=200s
    fragmentation=yes
    rekey=no
    left=%any
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any
    rightdns=192.168.x.x,8.8.8.8
    rightsourceip=10.92.10.1/24
conn iOS-IKEV2
    keyexchange=ikev2
    auto=add
    mobike=yes
    eap_identity=%any
    leftauth=psk
    leftid=xxx.domain.ipsec.server
    leftfirewall=yes
    rightauth=eap-mschapv2
    rightid=xxxt.domain.ipsec.client

conn IPSec-IKEV2
    keyexchange=ikev2
    auto=add
conn IPSec-IKEV2-EAP
    also=IPSec-IKEV2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    mobike=yes
    leftauth=pubkey
    leftcert=vpnHostCert.pem
    leftid=host.domain.xxx
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any

Key and Cert creation
-------------
#!/bin/bash
# Create CA
# This is based on https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/
#
ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem
chmod 600 private/strongswanKey.pem
# Create self-signed root CA Cert
ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa \
      --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" --outform pem > cacerts/strongswanCert.pem
ipsec pki --print --in cacerts/strongswanCert.pem
# Create VPN Host Key
ipsec pki --gen --type rsa --size 2048 --outform pem > private/vpnHostKey.pem
chmod 600 private/vpnHostKey.pem
# Create VPN Host Cert
ipsec pki --pub --in private/vpnHostKey.pem --type rsa | \
       ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem \
       --dn "C=CH, O=strongSwan, CN=host.domain.xxx" --san host.domain.xxx --san 192.168.x.x \
       --flag serverAuth --flag ikeIntermediate --outform pem > certs/vpnHostCert.pem
ipsec pki --print --in certs/vpnHostCert.pem
# Create Client Key
ipsec pki --gen --type rsa --size 2048 --outform pem > private/windowsKey.pem
chmod 600 private/windowsKey.pem
# Create Client Cert (written as certs/windowsCert.pem, the file the PKCS#12 export below reads)
ipsec pki --pub --in private/windowsKey.pem --type rsa | \
      ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem \
      --dn "C=CH, O=strongSwan, CN=myemail@domain.xxx" --san myemail@domain.xxx --outform pem > certs/windowsCert.pem
#
# Export Client Cert as a PKCS#12 file
#
openssl pkcs12 -export -inkey private/windowsKey.pem \
 -in certs/windowsCert.pem -name "windows VPN Certificate" \
 -certfile cacerts/strongswanCert.pem \
 -caname "strongSwan Root CA" \
 -out windows.p12
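The log line "IKE_SA IPSec-IKEV2[1] established" names the conn that charon actually used for the Windows client, and in the ipsec.conf above that conn defines neither leftid nor leftcert, which is the situation in which charon logs "no IDr configured, fall back on IP address" and identifies itself by its address. The following script is an added example, not part of the original post or of the strongSwan project: a small linter that parses the subset of ipsec.conf syntax used here (column-0 section headers, indented key=value settings, also= and conn %default inheritance) and reports every conn that would authenticate the local side with a certificate but has no leftid or leftcert. The sample config embedded in it is constructed from the post's ipsec.conf.

```python
"""Added example (not from the original post): flag ipsec.conf conn sections
that use pubkey authentication on the left side but declare no leftid/leftcert.
SAMPLE_CONF below is constructed from the configuration quoted in the post."""

SAMPLE_CONF = """\
config setup
    strictcrlpolicy=no
    uniqueids=no
#    nat_traversal=yes
conn %default
    dpdaction=clear
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=10.92.10.1/24
conn iOS-IKEV2
    keyexchange=ikev2
    leftauth=psk
    leftid=xxx.domain.ipsec.server
    rightauth=eap-mschapv2
conn IPSec-IKEV2
    keyexchange=ikev2
    auto=add
conn IPSec-IKEV2-EAP
    also=IPSec-IKEV2
    leftauth=pubkey
    leftcert=vpnHostCert.pem
    leftid=host.domain.xxx
    rightauth=eap-mschapv2
    eap_identity=%any
"""


def parse_ipsec_conf(text):
    """Return {'config setup' | 'conn NAME': {key: value}}.

    Handles the subset of ipsec.conf used in the post: section headers in
    column 0, indented key=value settings, '#' comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = " ".join(line.split())  # e.g. 'conn %default'
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"setting outside any section: {line.strip()}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed setting in {current}: {line.strip()}")
        sections[current][key.strip()] = value.strip()
    return sections


def effective_conn(sections, name, _seen=None):
    """Resolve a conn the way ipsec.conf inheritance works: 'conn %default'
    first, then the section named by also=, then the conn's own settings."""
    _seen = _seen or set()
    if name in _seen:
        raise ValueError(f"also= cycle involving {name}")
    _seen.add(name)
    own = sections.get(f"conn {name}")
    if own is None:
        raise KeyError(f"conn {name} not defined")
    resolved = dict(sections.get("conn %default", {}))
    if "also" in own:
        resolved.update(effective_conn(sections, own["also"], _seen))
    resolved.update(own)
    resolved.pop("also", None)
    return resolved


def cert_conns_missing_identity(sections):
    """Map conn name -> missing settings for every conn whose local side uses
    pubkey authentication (leftauth=pubkey, or leftauth unset, which defaults
    to pubkey) but lacks leftid and/or leftcert. Without a leftid, charon has
    no configured IDr and falls back to its IP address as its identity."""
    findings = {}
    for section in sections:
        if not section.startswith("conn ") or section == "conn %default":
            continue
        name = section[len("conn "):]
        conf = effective_conn(sections, name)
        if conf.get("leftauth", "pubkey") != "pubkey":
            continue
        missing = [k for k in ("leftcert", "leftid") if not conf.get(k)]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    report = cert_conns_missing_identity(parse_ipsec_conf(SAMPLE_CONF))
    for conn, missing in report.items():
        print(f"conn {conn}: pubkey auth but no {', '.join(missing)}")
```

Run against the sample, the linter reports only IPSec-IKEV2 (pubkey auth by default, no leftcert, no leftid); the iOS conn is skipped because it uses PSK, and the EAP conn carries both settings. Treat a missing leftcert as a warning rather than an error, since charon can also select a certificate from its store by matching leftid.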

