[strongSwan] Problem with static ip on Windows IKEv2

Daniel daniel at ghcrecemos.com
Tue Mar 7 21:56:46 CET 2017


Hi, I have strongSwan 5.3.5 on an Ubuntu server. I use this VPN server for iOS devices and Windows 10 laptops.

I will try to explain the problem:

I have ipsec.secrets with user/password EAP auth, e.g.:

> # This file holds shared secrets or RSA private keys for authentication.
> 
> # This is the private key located at /etc/ipsec.d/private/
> : RSA privkey.pem
> 
> # VPN users
> strike : EAP "12341234"
> dottas : EAP "45645645"

My ipsec.conf assigns a static IP config to users based on rightid:

> config setup
>     charondebug = ike 3, cfg 3
> 
> conn %default
> 
>     dpdaction=clear
>     dpddelay=550s
>     dpdtimeout=72000s
>     keyexchange=ikev2
>     auto=add
>     rekey=no
>     reauth=no
>     fragmentation=yes
>     compress=yes
> 
>     # left - local (server) side
>     leftcert=fullchain.pem	# Filename of certificate located at /etc/ipsec.d/certs/
>     leftsendcert=always
>     # Routes pushed to clients. If you don't have ipv6 then remove ::/0
>     leftsubnet=0.0.0.0/0
> 
>     # right - remote (client) side
>     eap_identity=%identity
>     # IPv4 subnet that is assigned to clients.
>     rightsourceip=10.8.0.0/24
>     rightdns=8.8.8.8
> 
> # Windows Auth CFG
> conn ikev2-mschapv2
>     rightauth=eap-mschapv2
> 
> # Apple Auth CFG
> conn ikev2-mschapv2-apple
>     rightauth=eap-mschapv2
>     leftid=mydomain.com
> 
> # Static IP configs
> 
> conn static-ip-for-strike
>     also="ikev2-mschapv2-apple"
>     right=%any
>     rightid=strike
>     rightsourceip=10.8.0.100/32
>     auto=add
> 
> conn static-ip-for-dottas
>     also="ikev2-mschapv2"
>     right=%any
>     rightid=dottas
>     rightsourceip=10.8.0.33/32
>     auto=add


All iOS clients connect fine and take their static IP, but Windows always gets an IP address from the DHCP pool. If I delete the rightsourceip=10.8.0.0/24 field, Windows doesn't receive any IP address and doesn't connect.

Some log outputs:

ipsec leases

> Leases in pool '10.8.0.0/24', usage: 0/254, 0 online
>   no matching leases found
> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>   no matching leases found
> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>   no matching leases found
> ...

journalctl -f -u strongswan

> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] IKE_SA ikev2-mschapv2[1] state change: CONNECTING => ESTABLISHED
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] assigning new lease to 'dottas'
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'dottas'
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any6
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] no virtual IP found for %any6 requested by 'dottas'
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] building INTERNAL_IP4_DNS attribute
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for us:
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  0.0.0.0/0
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for other:
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  10.8.0.1/32
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   candidate "ikev2-mschapv2" with prio 10+2
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] found matching child config "ikev2-mschapv2" with prio 12
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   proposal matches
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for us:
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 0.0.0.0/0, received: ::/0 => no match
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for other:
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 10.8.0.1/32, received: 0.0.0.0/0 => match: 10.8.0.1/32
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 10.8.0.1/32, received: ::/0 => no match
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> ...

ipsec leases

> Leases in pool '10.8.0.0/24', usage: 1/254, 0 online
>          10.8.0.1   online   'dottas'
> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>   no matching leases found
> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>   no matching leases found
> ...


Any idea how to assign a static IP address to Windows clients?

Thank you.
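One check an operator can run against the kind of output shown in this post, to spot users who have a dedicated /32 pool in ipsec.conf but whose current lease comes from another pool. This is an added example, not code from the original post or from the strongSwan project; the sample config and `ipsec leases` text are constructed from the post's quoted output, and the ipsec.conf parsing is a deliberately minimal assumption about the layout shown (conn name, rightid, rightsourceip), not a full ipsec.conf parser (it does not follow `also=` references).

```python
"""Compare each user's current lease (from `ipsec leases` output) with the
dedicated rightsourceip pool configured for that user's rightid in ipsec.conf.
Added example, not part of the mailing-list post. The config parsing is a
minimal assumption about the conn layout shown in the post."""
import ipaddress
import re

# Constructed inputs, modelled on the post's quoted ipsec.conf and `ipsec leases` output.
IPSEC_CONF = """\
conn static-ip-for-strike
    also="ikev2-mschapv2-apple"
    right=%any
    rightid=strike
    rightsourceip=10.8.0.100/32
    auto=add

conn static-ip-for-dottas
    also="ikev2-mschapv2"
    right=%any
    rightid=dottas
    rightsourceip=10.8.0.33/32
    auto=add
"""

LEASES_OUTPUT = """\
Leases in pool '10.8.0.0/24', usage: 1/254, 0 online
         10.8.0.1   online   'dottas'
Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
  no matching leases found
Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
  no matching leases found
"""

KEYVAL_RE = re.compile(r"(\w+)\s*=\s*(\S+)")
POOL_RE = re.compile(r"^Leases in pool '([^']+)'")
LEASE_RE = re.compile(r"^\s*(\S+)\s+(online|offline)\s+'([^']*)'\s*$")


def parse_static_pools(conf_text):
    """Map rightid -> ip_network for every conn that sets both rightid and rightsourceip."""
    pools = {}
    current = {}
    # A sentinel "conn" line flushes the last section without special-casing EOF.
    for line in conf_text.splitlines() + ["conn __end__"]:
        line = line.strip()
        if line.startswith("conn "):
            if "rightid" in current and "rightsourceip" in current:
                pools[current["rightid"]] = ipaddress.ip_network(
                    current["rightsourceip"], strict=False)
            current = {}
            continue
        m = KEYVAL_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip('"')
    return pools


def parse_leases(leases_text):
    """Return (pool, address, state, identity) tuples from `ipsec leases` output."""
    leases = []
    pool = None
    for line in leases_text.splitlines():
        pm = POOL_RE.match(line)
        if pm:
            pool = ipaddress.ip_network(pm.group(1), strict=False)
            continue
        lm = LEASE_RE.match(line)
        if lm and pool is not None:
            leases.append((pool, ipaddress.ip_address(lm.group(1)),
                           lm.group(2), lm.group(3)))
    return leases


def find_misassigned(conf_text, leases_text):
    """Users with a dedicated pool whose current lease lies outside that pool.

    Returns a list of (identity, leased_address, expected_pool) strings."""
    pools = parse_static_pools(conf_text)
    problems = []
    for pool, addr, state, ident in parse_leases(leases_text):
        expected = pools.get(ident)
        if expected is not None and addr not in expected:
            problems.append((ident, str(addr), str(expected)))
    return problems


if __name__ == "__main__":
    for ident, got, want in find_misassigned(IPSEC_CONF, LEASES_OUTPUT):
        print(f"{ident}: leased {got}, but ipsec.conf reserves {want} for this rightid")
```

On the post's output this reports `dottas` as leased 10.8.0.1 from the shared /24 instead of 10.8.0.33/32, which is exactly the symptom the log lines show ("assigning new lease to 'dottas'" under the `ikev2-mschapv2` conn rather than `static-ip-for-dottas`). To use it on a live server, feed the script the real ipsec.conf and the text from `ipsec leases` in place of the constructed strings.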



