[strongSwan] Still fighting with Windows 10 clients :)
Karl Denninger
karl at denninger.net
Wed Jul 19 21:26:42 CEST 2017
So I found a "Greenbow" VPN client that claims to support IKEv2
fragmentation, and after discovering that unless you set up DH groups
first (when it tries the default and gets bounced it then SHUTS OFF the
IkeV2 frag enabled bit!) I am now getting hosed here:
Jul 19 13:56:53 IpGw charon: 05[NET] received packet: from
172.56.21.33[43505] to 68.1.57.197[500] (672 bytes)
Jul 19 13:56:53 IpGw charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA
No N(NATD_S_IP) N(NATD_D_IP) KE N(FRAG_SUP) ]
Jul 19 13:56:53 IpGw charon: 05[IKE] 172.56.21.33 is initiating an IKE_SA
Jul 19 13:56:53 IpGw charon: 05[IKE] remote host is behind NAT
Jul 19 13:56:53 IpGw charon: 05[IKE] sending cert request for "C=US,
ST=Florida, L=Niceville, O=Cuda Systems LLC, CN=Cuda Systems LLC CA,
E=Cuda Systems LLC CA"
Jul 19 13:56:53 IpGw charon: 05[ENC] generating IKE_SA_INIT response 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Jul 19 13:56:53 IpGw charon: 05[NET] sending packet: from
68.1.57.197[500] to 172.56.21.33[43505] (601 bytes)
Jul 19 13:56:53 IpGw charon: 05[NET] received packet: from
172.56.21.33[53004] to 68.1.57.197[4500] (1188 bytes)
Jul 19 13:56:53 IpGw charon: 05[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
Jul 19 13:56:53 IpGw charon: 05[ENC] received fragment #2 of 2, waiting
for complete IKE message
Jul 19 13:56:53 IpGw charon: 05[NET] received packet: from
172.56.21.33[53004] to 68.1.57.197[4500] (1444 bytes)
Jul 19 13:56:53 IpGw charon: 05[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
Jul 19 13:56:53 IpGw charon: 05[ENC] received fragment #1 of 2,
reassembling fragmented IKE message
Jul 19 13:56:53 IpGw charon: 05[ENC] parsed IKE_AUTH request 1 [ IDi
CERT CERTREQ AUTH CPRQ(ADDR) SA TSi TSr N(INIT_CONTACT) N(ESP_TFC_PAD_N) ]
Jul 19 13:56:53 IpGw charon: 05[IKE] received cert request for "C=US,
ST=Florida, L=Niceville, O=Cuda Systems LLC, CN=Cuda Systems LLC CA,
E=Cuda Systems LLC CA"
Jul 19 13:56:53 IpGw charon: 05[IKE] received end entity cert "C=US,
ST=Florida, O=Cuda Systems LLC, CN=karl at denninger.net"
Jul 19 13:56:53 IpGw charon: 05[CFG] looking for peer configs matching
68.1.57.197[%any]...172.56.21.33[C=US, ST=Florida, O=Cuda Systems LLC,
CN=karl at denninger.net]
Jul 19 13:56:53 IpGw charon: 05[CFG] selected peer config 'StrongSwan'
Jul 19 13:56:53 IpGw charon: 05[CFG] using certificate "C=US,
ST=Florida, O=Cuda Systems LLC, CN=karl at denninger.net"
Jul 19 13:56:53 IpGw charon: 05[CFG] no issuer certificate found for
"C=US, ST=Florida, O=Cuda Systems LLC, CN=karl at denninger.net"
Jul 19 13:56:53 IpGw charon: 05[IKE] no trusted RSA public key found for
'C=US, ST=Florida, O=Cuda Systems LLC, CN=karl at denninger.net'
Jul 19 13:56:53 IpGw charon: 05[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 19 13:56:53 IpGw charon: 05[ENC] generating IKE_AUTH response 1 [
N(AUTH_FAILED) ]
Jul 19 13:56:53 IpGw charon: 05[NET] sending packet: from
68.1.57.197[4500] to 172.56.21.33[53004] (80 bytes)
What the blankety-blank? That implies there's no CA that issued the
cert presented by the client -- but there is, and yes, it's on the
client too (and the "view certificate" option from the client shows the
correct path back to the CA, and that the certificate is ok)
The ipsec.conf config for this connection is:
conn StrongSwan
fragmentation=yes
left=%any
leftsubnet=0.0.0.0/0
leftcert=ipgw-ecdsa.denninger.net.crt
leftid=ipgw.denninger.net
leftauth=pubkey
right=%any
rightsourceip=192.168.2.0/24
rightauth=pubkey
auto=add
The *same* certificate on my Android phone with the *same* peer config
works (in other words yes, the CA cert IS present on the server)
Jul 19 14:05:44 IpGw charon: 14[NET] received packet: from
208.54.70.231[28852] to 68.1.57.197[500] (746 bytes)
Jul 19 14:05:44 IpGw charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 19 14:05:44 IpGw charon: 14[IKE] 208.54.70.231 is initiating an IKE_SA
Jul 19 14:05:44 IpGw charon: 14[IKE] remote host is behind NAT
Jul 19 14:05:44 IpGw charon: 14[IKE] DH group ECP_256 inacceptable,
requesting CURVE_25519
Jul 19 14:05:44 IpGw charon: 14[ENC] generating IKE_SA_INIT response 0 [
N(INVAL_KE) ]
Jul 19 14:05:44 IpGw charon: 14[NET] sending packet: from
68.1.57.197[500] to 208.54.70.231[28852] (38 bytes)
Jul 19 14:05:44 IpGw charon: 14[NET] received packet: from
208.54.70.231[28852] to 68.1.57.197[500] (714 bytes)
Jul 19 14:05:44 IpGw charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 19 14:05:44 IpGw charon: 14[IKE] 208.54.70.231 is initiating an IKE_SA
Jul 19 14:05:44 IpGw charon: 14[IKE] remote host is behind NAT
Jul 19 14:05:44 IpGw charon: 14[IKE] sending cert request for "C=US,
ST=Florida, L=Niceville, O=Cuda Systems LLC, CN=Cuda Systems LLC CA,
E=Cuda Systems LLC CA"
Jul 19 14:05:44 IpGw charon: 14[ENC] generating IKE_SA_INIT response 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG)
N(MULT_AUTH) ]
Jul 19 14:05:44 IpGw charon: 14[NET] sending packet: from
68.1.57.197[500] to 208.54.70.231[28852] (267 bytes)
Jul 19 14:05:45 IpGw charon: 14[NET] received packet: from
208.54.70.231[43987] to 68.1.57.197[4500] (1364 bytes)
Jul 19 14:05:45 IpGw charon: 14[ENC] parsed IKE_AUTH request 1 [ EF(1/3) ]
Jul 19 14:05:45 IpGw charon: 14[ENC] received fragment #1 of 3, waiting
for complete IKE message
Jul 19 14:05:45 IpGw charon: 12[NET] received packet: from
208.54.70.231[43987] to 68.1.57.197[4500] (244 bytes)
Jul 19 14:05:45 IpGw charon: 12[ENC] parsed IKE_AUTH request 1 [ EF(3/3) ]
Jul 19 14:05:45 IpGw charon: 12[ENC] received fragment #3 of 3, waiting
for complete IKE message
Jul 19 14:05:45 IpGw charon: 13[NET] received packet: from
208.54.70.231[43987] to 68.1.57.197[4500] (1364 bytes)
Jul 19 14:05:45 IpGw charon: 13[ENC] parsed IKE_AUTH request 1 [ EF(2/3) ]
Jul 19 14:05:45 IpGw charon: 13[ENC] received fragment #2 of 3,
reassembling fragmented IKE message
Jul 19 14:05:45 IpGw charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi
CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR ADDR6 DNS DNS6)
N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH)
N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jul 19 14:05:45 IpGw charon: 13[IKE] received cert request for "C=US,
ST=Florida, L=Niceville, O=Cuda Systems LLC, CN=Cuda Systems LLC CA,
E=Cuda Systems LLC CA"
Jul 19 14:05:45 IpGw charon: 13[IKE] received end entity cert "C=US,
ST=Florida, O=Cuda Systems LLC, CN=karl at denninger.net"
Jul 19 14:05:45 IpGw charon: 13[CFG] looking for peer configs matching
68.1.57.197[ipgw.denninger.net]...208.54.70.231[C=US, ST=Florida, O=Cuda
Systems LLC, CN=karl at denninger.net]
Jul 19 14:05:45 IpGw charon: 13[CFG] selected peer config 'StrongSwan'
Jul 19 14:05:45 IpGw charon: 13[CFG] using certificate "C=US,
ST=Florida, O=Cuda Systems LLC, CN=karl at denninger.net"
Jul 19 14:05:45 IpGw charon: 13[CFG] using trusted ca certificate
"C=US, ST=Florida, L=Niceville, O=Cuda Systems LLC, CN=Cuda Systems LLC
CA, E=Cuda Systems LLC CA"
Jul 19 14:05:45 IpGw charon: 13[CFG] checking certificate status of
"C=US, ST=Florida, O=Cuda Systems LLC, CN=karl at denninger.net"
Jul 19 14:05:45 IpGw charon: 13[CFG] requesting ocsp status from
'http://cudasystems.net:8888' ...
Jul 19 14:05:45 IpGw charon: 13[CFG] ocsp response correctly signed by
"C=US, ST=Florida, O=Cuda Systems LLC, CN=ocsp.cudasystems.net,
E=info at cudasystems.net"
Jul 19 14:05:45 IpGw charon: 13[CFG] ocsp response is valid: until Jul
19 14:06:15 2017
Jul 19 14:05:45 IpGw charon: 13[CFG] certificate status is good
Jul 19 14:05:45 IpGw charon: 13[CFG] reached self-signed root ca with
a path length of 0
Jul 19 14:05:45 IpGw charon: 13[IKE] authentication of 'C=US,
ST=Florida, O=Cuda Systems LLC, CN=karl at denninger.net' with
RSA_EMSA_PKCS1_SHA2_384 successful
Jul 19 14:05:45 IpGw charon: 13[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 19 14:05:45 IpGw charon: 13[IKE] peer supports MOBIKE
Jul 19 14:05:45 IpGw charon: 13[IKE] authentication of
'ipgw.denninger.net' (myself) with ECDSA_WITH_SHA512_DER successful
Jul 19 14:05:45 IpGw charon: 13[IKE] IKE_SA StrongSwan[3] established
between 68.1.57.197[ipgw.denninger.net]...208.54.70.231[C=US,
ST=Florida, O=Cuda Systems LLC, CN=karl at denninger.net]
Jul 19 14:05:45 IpGw charon: 13[IKE] scheduling reauthentication in 10200s
Jul 19 14:05:45 IpGw charon: 13[IKE] maximum IKE_SA lifetime 10740s
Jul 19 14:05:45 IpGw charon: 13[IKE] sending end entity cert "C=US,
ST=Florida, O=Cuda Systems LLC, CN=ipgw-ecdsa.denninger.net"
Jul 19 14:05:45 IpGw charon: 13[IKE] peer requested virtual IP %any
Jul 19 14:05:45 IpGw charon: 13[CFG] assigning new lease to 'C=US,
ST=Florida, O=Cuda Systems LLC, CN=karl at denninger.net'
Jul 19 14:05:45 IpGw charon: 13[IKE] assigning virtual IP 192.168.2.1 to
peer 'C=US, ST=Florida, O=Cuda Systems LLC, CN=karl at denninger.net'
Jul 19 14:05:45 IpGw charon: 13[IKE] peer requested virtual IP %any6
Jul 19 14:05:45 IpGw charon: 13[IKE] no virtual IP found for %any6
requested by 'C=US, ST=Florida, O=Cuda Systems LLC, CN=karl at denninger.net'
Jul 19 14:05:45 IpGw charon: 13[IKE] CHILD_SA StrongSwan{1} established
with SPIs cf732136_i 0b63ec42_o and TS 0.0.0.0/0 === 192.168.2.1/32
Jul 19 14:05:45 IpGw charon: 13[ENC] generating IKE_AUTH response 1 [
IDr CERT AUTH CPRP(ADDR DNS NBNS) N(ESP_TFC_PAD_N) SA TSi TSr
N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR)
N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Jul 19 14:05:45 IpGw charon: 13[ENC] splitting IKE message with length
of 1792 bytes into 2 fragments
Jul 19 14:05:45 IpGw charon: 13[ENC] generating IKE_AUTH response 1 [
EF(1/2) ]
Jul 19 14:05:45 IpGw charon: 13[ENC] generating IKE_AUTH response 1 [
EF(2/2) ]
Jul 19 14:05:45 IpGw charon: 13[NET] sending packet: from
68.1.57.197[4500] to 208.54.70.231[43987] (1236 bytes)
Jul 19 14:05:45 IpGw charon: 13[NET] sending packet: from
68.1.57.197[4500] to 208.54.70.231[43987] (628 bytes)
Jul 19 14:05:46 IpGw charon: 13[NET] received packet: from
208.54.70.231[43987] to 68.1.57.197[4500] (80 bytes)
Jul 19 14:05:46 IpGw charon: 13[ENC] parsed INFORMATIONAL request 2 [
N(NO_ADD_ADDR) ]
Jul 19 14:05:46 IpGw charon: 13[ENC] generating INFORMATIONAL response 2 [ ]
Jul 19 14:05:46 IpGw charon: 13[NET] sending packet: from
68.1.57.197[4500] to 208.54.70.231[43987] (80 bytes)
Jul 19 14:05:53 IpGw charon: 13[NET] received packet: from
208.54.70.231[43987] to 68.1.57.197[4500] (80 bytes)
Jul 19 14:05:53 IpGw charon: 13[ENC] parsed INFORMATIONAL request 3 [ D ]
Jul 19 14:05:53 IpGw charon: 13[IKE] received DELETE for IKE_SA
StrongSwan[3]
Jul 19 14:05:53 IpGw charon: 13[IKE] deleting IKE_SA StrongSwan[3]
between 68.1.57.197[ipgw.denninger.net]...208.54.70.231[C=US,
ST=Florida, O=Cuda Systems LLC, CN=karl at denninger.net]
Jul 19 14:05:53 IpGw charon: 13[IKE] IKE_SA deleted
Jul 19 14:05:53 IpGw charon: 13[ENC] generating INFORMATIONAL response 3 [ ]
Jul 19 14:05:53 IpGw charon: 13[NET] sending packet: from
68.1.57.197[4500] to 208.54.70.231[43987] (80 bytes)
Jul 19 14:05:53 IpGw charon: 13[CFG] lease 192.168.2.1 by 'C=US,
ST=Florida, O=Cuda Systems LLC, CN=karl at denninger.net' went offline
One interesting difference between the two -- if I uncomment the
"WinUserCert" stanza in the config file it will try to match that, even
though I do not have it set up to use EAP-TLS, but fails with the exact
same message. I/suspect /it would switch to the "StrongSwan" config
once it validated the presented cert (since I don't ask for EAP-TLS) but
it never gets that far.
Any idea how to chase this and figure out why it doesn't like the cert?
I *think* I can get this client to work (and thus solve my no-frag
problem) if I can figure out why it doesn't like my presented
certificate.... I'll wind up having to buy the client piece but that's
acceptable -- if it works :-)
--
Karl Denninger
karl at denninger.net <mailto:karl at denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170719/710bf9e4/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2993 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170719/710bf9e4/attachment-0001.bin>
More information about the Users
mailing list