[strongSwan] Win 7 connection issue

Alex Sharaz alex.sharaz at york.ac.uk
Mon Jul 3 16:35:10 CEST 2017


Hi,
Having configured Ubuntu and Win 10 to successfully connect to our SSwan
5.5.3 server, I thought I was on a roll and tried a Win 7 machine using
x509 certs.

Installed a client cert on the Win 7 machine along with root and
intermediate certs.
Configured Win 7 as per the sswan wiki page.

Initially the sswan logs complained that the client had requested an IPv6
address and there wasn't one in the attr-sql pool I was using (which
was correct, only IPv4 in it). I then added an fe80::2/64 address to the
conf file and yup, that error in the logs went away. However the Win 7
machine still comes back with

Verifying user name and password
Error 13801: IKE authentication credential are unacceptable

In the logs I see

Jul  3 15:23:46 14[IKE] <x509-certs-ikev2|4> peer supports MOBIKE
Jul  3 15:23:46 14[IKE] <x509-certs-ikev2|4> authentication of 'CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB' (myself) with RSA signature successful
Jul  3 15:23:46 14[IKE] <x509-certs-ikev2|4> IKE_SA x509-certs-ikev2[4] established between 144.32.128.199[CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB]...144.32.230.183[CN=Alex Sharaz at york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB]
Jul  3 15:23:46 14[IKE] <x509-certs-ikev2|4> sending end entity cert "CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB"
Jul  3 15:23:46 14[IKE] <x509-certs-ikev2|4> peer requested virtual IP %any
Jul  3 15:23:46 14[CFG] <x509-certs-ikev2|4> acquired new lease for address 172.18.64.15 in pool 'itservices'
Jul  3 15:23:46 14[IKE] <x509-certs-ikev2|4> assigning virtual IP 172.18.64.15 to peer 'CN=Alex Sharaz at york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB'
Jul  3 15:23:46 14[IKE] <x509-certs-ikev2|4> peer requested virtual IP %any6
Jul  3 15:23:46 14[CFG] <x509-certs-ikev2|4> assigning new lease to 'CN=Alex Sharaz at york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB'
Jul  3 15:23:46 14[IKE] <x509-certs-ikev2|4> assigning virtual IP fe80::5 to peer 'CN=Alex Sharaz at york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB'
Jul  3 15:23:46 14[IKE] <x509-certs-ikev2|4> CHILD_SA x509-certs-ikev2{4} established with SPIs c08abc23_i f48f4a90_o and TS 0.0.0.0/0 === 172.18.64.15/32 fe80::5/128
Jul  3 15:23:46 14[CFG] <x509-certs-ikev2|4> scheduling RADIUS Interim-Updates every 700s
Jul  3 15:23:46 14[CFG] <x509-certs-ikev2|4> sending RADIUS Accounting-Request to server 'primary'
Jul  3 15:23:46 14[CFG] <x509-certs-ikev2|4> received RADIUS Accounting-Response from server 'primary'
Jul  3 15:23:46 14[ENC] <x509-certs-ikev2|4> generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Jul  3 15:23:46 14[NET] <x509-certs-ikev2|4> sending packet: from 144.32.128.199[4500] to 144.32.230.183[4500] (2204 bytes)
Jul  3 15:23:56 06[IKE] <x509-certs-ikev2|3> deleting IKE_SA x509-certs-ikev2[3] between 144.32.128.199[CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB]...144.32.230.183[CN=Alex Sharaz at york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB]
Jul  3 15:23:56 06[IKE] <x509-certs-ikev2|3> sending DELETE for IKE_SA x509-certs-ikev2[3]
Jul  3 15:23:56 06[ENC] <x509-certs-ikev2|3> generating INFORMATIONAL request 0 [ D ]
Jul  3 15:23:56 06[NET] <x509-certs-ikev2|3> sending packet: from 144.32.128.199[4500] to 144.32.230.183[4500] (76 bytes)
Jul  3 15:24:00 10[IKE] <x509-certs-ikev2|3> retransmit 1 of request with message ID 0
Jul  3 15:24:00 10[NET] <x509-certs-ikev2|3> sending packet: from 144.32.128.199[4500] to 144.32.230.183[4500] (76 bytes)
Jul  3 15:24:07 10[IKE] <x509-certs-ikev2|3> retransmit 2 of request with message ID 0
Jul  3 15:24:07 10[NET] <x509-certs-ikev2|3> sending packet: from 144.32.128.199[4500] to 144.32.230.183[4500] (76 bytes)
Jul  3 15:24:20 07[IKE] <x509-certs-ikev2|3> retransmit 3 of request with message ID 0
Jul  3 15:24:20 07[NET] <x509-certs-ikev2|3> sending packet: from 144.32.128.199[4500] to 144.32.230.183[4500] (76 bytes)
Jul  3 15:24:24 15[IKE] <x509-certs-ikev2|2> retransmit 5 of request with message ID 0
Jul  3 15:24:24 15[NET] <x509-certs-ikev2|2> sending packet: from 144.32.128.199[4500] to 144.32.230.183[4500] (76 bytes)
Jul  3 15:24:38 05[IKE] <x509-certs-ikev2|1> giving up after 5 retransmits
Jul  3 15:24:38 05[IKE] <x509-certs-ikev2|1> proper IKE_SA delete failed, peer not responding
Jul  3 15:24:38 05[CFG] <x509-certs-ikev2|1> sending RADIUS Accounting-Request to server 'primary'
Jul  3 15:24:38 05[CFG] <x509-certs-ikev2|1> received RADIUS Accounting-Response from server 'primary'
Jul  3 15:24:38 05[CFG] <x509-certs-ikev2|1> lease fe80::2 by 'CN=Alex Sharaz at york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB' went offline
Jul  3 15:24:44 14[IKE] <x509-certs-ikev2|3> retransmit 4 of request with message ID 0
Jul  3 15:24:44 14[NET] <x509-certs-ikev2|3> sending packet: from 144.32.128.199[4500] to 144.32.230.183[4500] (76 bytes)
Jul  3 15:25:26 12[IKE] <x509-certs-ikev2|3> retransmit 5 of request with message ID 0
Jul  3 15:25:26 12[NET] <x509-certs-ikev2|3> sending packet: from 144.32.128.199[4500] to 144.32.230.183[4500] (76 bytes)
Jul  3 15:25:40 15[IKE] <x509-certs-ikev2|2> giving up after 5 retransmits
Jul  3 15:25:40 15[IKE] <x509-certs-ikev2|2> proper IKE_SA delete failed, peer not responding
Jul  3 15:25:40 15[CFG] <x509-certs-ikev2|2> sending RADIUS Accounting-Request to server 'primary'
Jul  3 15:25:40 15[CFG] <x509-certs-ikev2|2> received RADIUS Accounting-Response from server 'primary'
Jul  3 15:25:40 15[CFG] <x509-certs-ikev2|2> lease fe80::3 by 'CN=Alex Sharaz at york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB' went offline
Jul  3 15:26:41 07[IKE] <x509-certs-ikev2|3> giving up after 5 retransmits
Jul  3 15:26:41 07[IKE] <x509-certs-ikev2|3> proper IKE_SA delete failed, peer not responding
Jul  3 15:26:41 07[CFG] <x509-certs-ikev2|3> sending RADIUS Accounting-Request to server 'primary'
Jul  3 15:26:41 07[CFG] <x509-certs-ikev2|3> received RADIUS Accounting-Response from server 'primary'
Jul  3 15:26:41 07[CFG] <x509-certs-ikev2|3> lease fe80::4 by 'CN=Alex Sharaz at york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB' went offline


Server config is

conn x509-certs-ikev2
  leftauth=pubkey
  left=%any
  leftcert=vpn10yorkacuk.pem
  leftid="CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB"
  leftsubnet=0.0.0.0/0
  leftfirewall=yes
  #leftupdown=/etc/strongswan.d/no_rules
  right=%any
  rightsourceip=%itservices,fe80::2/64
  fragmentation=yes
  auto=add

... which works with Win 10
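The log above is easier to reason about per IKE_SA than line by line: SA 4 is the attempt the server considers successful (it signed as itself, established the IKE_SA and CHILD_SA, assigned both virtual IPs and sent the IKE_AUTH response), while SAs 1, 2 and 3 are earlier attempts whose DELETE the Windows client never acknowledged, so each is torn down only after five retransmits. The "Error 13801" text, by contrast, is reported on the Win 7 machine and never appears in the server log, which is why correlating the two sides matters. The following script is an added example (not from the poster or the strongSwan project) that folds charon log lines into one record per IKE_SA number and labels what the server side saw; the embedded log is a constructed, condensed subset of the lines in the post, with the long DNs shortened. The regular expressions match charon's default log line format as shown in the post; the marker phrases are taken from the quoted messages.

```python
import re
from collections import defaultdict

# Constructed sample: a condensed subset of the charon log lines from the post,
# with the distinguished names shortened for readability.
SAMPLE_LOG = """\
Jul  3 15:23:46 14[IKE] <x509-certs-ikev2|4> peer supports MOBIKE
Jul  3 15:23:46 14[IKE] <x509-certs-ikev2|4> authentication of 'CN=vpn10.york.ac.uk' (myself) with RSA signature successful
Jul  3 15:23:46 14[IKE] <x509-certs-ikev2|4> IKE_SA x509-certs-ikev2[4] established between 144.32.128.199[CN=vpn10.york.ac.uk]...144.32.230.183[CN=Alex Sharaz]
Jul  3 15:23:46 14[IKE] <x509-certs-ikev2|4> CHILD_SA x509-certs-ikev2{4} established with SPIs c08abc23_i f48f4a90_o and TS 0.0.0.0/0 === 172.18.64.15/32 fe80::5/128
Jul  3 15:23:46 14[ENC] <x509-certs-ikev2|4> generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Jul  3 15:23:56 06[IKE] <x509-certs-ikev2|3> sending DELETE for IKE_SA x509-certs-ikev2[3]
Jul  3 15:24:00 10[IKE] <x509-certs-ikev2|3> retransmit 1 of request with message ID 0
Jul  3 15:24:07 10[IKE] <x509-certs-ikev2|3> retransmit 2 of request with message ID 0
Jul  3 15:24:20 07[IKE] <x509-certs-ikev2|3> retransmit 3 of request with message ID 0
Jul  3 15:24:44 14[IKE] <x509-certs-ikev2|3> retransmit 4 of request with message ID 0
Jul  3 15:25:26 12[IKE] <x509-certs-ikev2|3> retransmit 5 of request with message ID 0
Jul  3 15:26:41 07[IKE] <x509-certs-ikev2|3> giving up after 5 retransmits
Jul  3 15:26:41 07[IKE] <x509-certs-ikev2|3> proper IKE_SA delete failed, peer not responding
"""

# charon's default syslog line: "<timestamp> <thread>[<group>] <<conn>|<sa>> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)> (?P<msg>.*)$"
)

# Milestones in an IKE_SA's life, phrased as charon logs them.
MARKERS = {
    "ike_established": re.compile(r"^IKE_SA \S+\[\d+\] established between"),
    "child_established": re.compile(r"^CHILD_SA \S+\{\d+\} established"),
    "auth_response_sent": re.compile(r"^generating IKE_AUTH response"),
    "delete_sent": re.compile(r"^sending DELETE for IKE_SA"),
    "gave_up": re.compile(r"^giving up after \d+ retransmits"),
}
RETRANSMIT_RE = re.compile(r"^retransmit (\d+) of request with message ID (\d+)")


def parse_line(line):
    """Split one charon log line into its fields, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def _new_record():
    rec = {name: False for name in MARKERS}
    rec.update(retransmits=0, first=None, last=None)
    return rec


def summarize(log_text):
    """Fold log lines into one record per IKE_SA number (as a string key)."""
    sas = defaultdict(_new_record)
    for raw in log_text.splitlines():
        fields = parse_line(raw)
        if fields is None:
            continue  # not a charon line (e.g. the poster's own prose)
        rec = sas[fields["sa"]]
        rec["first"] = rec["first"] or fields["ts"]
        rec["last"] = fields["ts"]
        for name, pattern in MARKERS.items():
            if pattern.match(fields["msg"]):
                rec[name] = True
        rt = RETRANSMIT_RE.match(fields["msg"])
        if rt:
            rec["retransmits"] = max(rec["retransmits"], int(rt.group(1)))
    return dict(sas)


def classify(rec):
    """Label what the server side observed for one IKE_SA record."""
    if rec["delete_sent"] and rec["gave_up"]:
        return "peer silent: DELETE unanswered after %d retransmits" % rec["retransmits"]
    if rec["ike_established"] and rec["auth_response_sent"]:
        detail = "CHILD_SA up" if rec["child_established"] else "no CHILD_SA"
        return "server completed IKE_AUTH (%s); client outcome not visible here" % detail
    return "incomplete"


if __name__ == "__main__":
    for sa, rec in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: int(kv[0])):
        print("IKE_SA %s  %s .. %s  %s" % (sa, rec["first"], rec["last"], classify(rec)))
```

Run against the full server log, the per-SA view makes it obvious that every server-side step of the x509 exchange completed on SA 4; whatever the Win 7 client objects to when it reports 13801 has to be looked for on the client (its event log and certificate stores), not in charon's output.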