[strongSwan] Problem with static ip on Windows IKEv2

Noel Kuntze noel at familie-kuntze.de
Thu Mar 9 12:16:44 CET 2017


iOS:
> Mar 09 11:38:08 900333e2e8f1 charon[18975]: 12[ENC] parsed INFORMATIONAL request 6 [ D ]

Unrelated to virtual IPs. Check log on iOS for information. Maybe iOS doesn't trust certificates that are issued by Let's Encrypt for IPsec?

Windows:

> Mar 09 11:50:29 900333e2e8f1 charon[18975]: 13[CFG] looking for peer configs matching 176.31.13.185[%any]...79.153.142.222[192.168.222.130]
> Mar 09 11:50:29 900333e2e8f1 charon[18975]: 13[CFG] no matching peer config found

It's because the ID "192.168.222.130" is not configured in any of your two conns, where the IDs are specified.
Don't specify the IDs. Just use a conn for your roadwarriors and add a pool with the leases you need.

You can't make this work for Windows (or Mac OSX) with static IDs, because those hosts send their LAN IP as initiator IDs
by default and they're hence unpredictable and unrelated to their actual usernames that are used during EAP authentication.

On 09.03.2017 11:58, Daniel wrote:
> Hi, I have uploaded my logs with your considerations (without SQL database) when strongSwan starts, and an example of an iOS device connection and a Windows device error connection.
> 
> strongswan_log_load.log -> https://paste.ee/p/GBEJ7
> working_ios_connection.log -> https://paste.ee/p/cibrx
> windows_cant_connnect.log -> https://paste.ee/p/AnTsJ
> 
> Thanks for your help.
> 
>> On 8 Mar 2017, at 14:22, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>
>> Logs, please.
>>
>> On 08.03.2017 08:49, Daniel wrote:
>>>
>>> I made the change (auto=add) and it still does not work. I'm going to try integrating pools into sqlite and tell them the result.
>>>
>>> Thank you
>>>
>>>> On 8 Mar 2017, at 0:32, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>>>
>>>> Move the "auto=add" out of conn %default into each individual conn you actually need.
>>>> The way you're doing it makes no sense.
>>>> The proper way to do this is to use a static IP pool backed by an sqlite file or a MySQL server
>>>> and to assign the leases based on the identity there.
>>>>
>>>> The proper way to do this is to 
>>>> On 07.03.2017 21:56, Daniel wrote:
>>>>> Hi, I have strongSwan 5.3.5 on an Ubuntu server. I use this VPN server for iOS devices and Windows 10 laptops.
>>>>>
>>>>> I will try to explain the problem:
>>>>>
>>>>> I have ipsec.secrets with user/password EAP auth, e.g.:
>>>>>
>>>>>> # This file holds shared secrets or RSA private keys for authentication.
>>>>>>
>>>>>> # This is the private key located at /etc/ipsec.d/private/
>>>>>> : RSA privkey.pem
>>>>>>
>>>>>> # VPN users
>>>>>> strike : EAP "12341234"
>>>>>> dottas : EAP "45645645"
>>>>>
>>>>> My ipsec.conf assigns a static IP config to users based on rightid:
>>>>>
>>>>>> config setup
>>>>>>   charondebug = ike 3, cfg 3
>>>>>>
>>>>>> conn %default
>>>>>>
>>>>>>   dpdaction=clear
>>>>>>   dpddelay=550s
>>>>>>   dpdtimeout=72000s
>>>>>>   keyexchange=ikev2
>>>>>>   auto=add
>>>>>>   rekey=no
>>>>>>   reauth=no
>>>>>>   fragmentation=yes
>>>>>>   compress=yes
>>>>>>
>>>>>>   # left - local (server) side
>>>>>>   leftcert=fullchain.pem # Filename of certificate located at /etc/ipsec.d/certs/
>>>>>>   leftsendcert=always
>>>>>>   # Routes pushed to clients. If you don't have ipv6 then remove ::/0
>>>>>>   leftsubnet=0.0.0.0/0
>>>>>>
>>>>>>   # right - remote (client) side
>>>>>>   eap_identity=%identity
>>>>>>   # IPv4 subnet that is assigned to clients.
>>>>>>   rightsourceip=10.8.0.0/24
>>>>>>   rightdns=8.8.8.8
>>>>>>
>>>>>> # Windows Auth CFG
>>>>>> conn ikev2-mschapv2
>>>>>>   rightauth=eap-mschapv2
>>>>>>
>>>>>> # Apple Auth CFG
>>>>>> conn ikev2-mschapv2-apple
>>>>>>   rightauth=eap-mschapv2
>>>>>>   leftid=mydomain.com
>>>>>>
>>>>>> # Static IP configs
>>>>>>
>>>>>> conn static-ip-for-strike
>>>>>>   also="ikev2-mschapv2-apple"
>>>>>>   right=%any
>>>>>>   rightid=strike
>>>>>>   rightsourceip=10.8.0.100/32
>>>>>>   auto=add
>>>>>>
>>>>>> conn static-ip-for-dottas
>>>>>>   also="ikev2-mschapv2"
>>>>>>   right=%any
>>>>>>   rightid=dottas
>>>>>>   rightsourceip=10.8.0.33/32
>>>>>>   auto=add
>>>>>
>>>>> All iOS clients connect fine and get their static IP, but Windows always gets an IP address from the DHCP pool. If I delete the rightsourceip=10.8.0.0/24 field, Windows doesn't receive any IP address and doesn't connect.
>>>>>
>>>>> Some log outputs:
>>>>>
>>>>> ipsec leases
>>>>>
>>>>>>
>>>>>> Leases in pool '10.8.0.0/24', usage: 0/254, 0 online
>>>>>> no matching leases found
>>>>>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>>>>>> no matching leases found
>>>>>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>>>>>> no matching leases found
>>>>>> ...
>>>>>
>>>>> journalctl -f -u strongswan
>>>>>
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] IKE_SA ikev2-mschapv2[1] state change: CONNECTING => ESTABLISHED
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] assigning new lease to 'dottas'
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'dottas'
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any6
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] no virtual IP found for %any6 requested by 'dottas'
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] building INTERNAL_IP4_DNS attribute
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for us:
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  0.0.0.0/0
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for other:
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  10.8.0.1/32
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   candidate "ikev2-mschapv2" with prio 10+2
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] found matching child config "ikev2-mschapv2" with prio 12
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   proposal matches
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for us:
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 0.0.0.0/0, received: ::/0 => no match
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for other:
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 10.8.0.1/32, received: 0.0.0.0/0 => match: 10.8.0.1/32
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 10.8.0.1/32, received: ::/0 => no match
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>>>>>> ...
>>>>>
>>>>> ipsec leases
>>>>>
>>>>>> Leases in pool '10.8.0.0/24', usage: 1/254, 0 online
>>>>>>        10.8.0.1   online   'dottas'
>>>>>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>>>>>> no matching leases found
>>>>>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>>>>>> no matching leases found
>>>>>> ...
>>>>>
>>>>>
>>>>> Any idea how to assign a static IP address to Windows clients?
>>>>>
>>>>> Thank you.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.strongswan.org
>>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>>>
>>>>
>>>
>>>
>>>
>>
> 
> 
> 

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
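
The diagnosis above hinges on one detail in the charon log: the remote ID inside the brackets of the "looking for peer configs matching ..." line is an IPv4 LAN address rather than an EAP username, so no conn with a username rightid can match it. The script below is an added example, not part of this thread or of strongSwan; it parses charon log lines of that shape, classifies the initiator ID (name vs. private/public IP) and pairs each lookup with a following "no matching peer config found" on the same charon thread, so a failed connection of this kind can be spotted without reading the full log. The sample lines embedded in it are constructed after the ones quoted in the thread; the regexes and the hint text are this example's own.

```python
import ipaddress
import re

# Constructed sample: three charon lines modelled on the ones quoted in the thread.
SAMPLE_LOG = """\
Mar 09 11:50:29 900333e2e8f1 charon[18975]: 13[CFG] looking for peer configs matching 176.31.13.185[%any]...79.153.142.222[192.168.222.130]
Mar 09 11:50:29 900333e2e8f1 charon[18975]: 13[CFG] no matching peer config found
Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'dottas'
"""

# "charon[<pid>]: <thread>[<GROUP>] <message>" as logged via journald/syslog
THREAD_RE = re.compile(r"charon\[\d+\]: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
# "looking for peer configs matching <local>[<local id>]...<remote>[<remote id>]"
LOOKUP_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<local>[^\[\s]+)\[(?P<local_id>[^\]]*)\]\.\.\."
    r"(?P<remote>[^\[\s]+)\[(?P<remote_id>[^\]]*)\]"
)
LEASE_RE = re.compile(r"assigning virtual IP (?P<vip>\S+) to peer '(?P<peer>[^']*)'")


def classify_id(identity):
    """Tell an IP-address IKE identity apart from a name-type one."""
    if identity == "%any":
        return "any"
    try:
        addr = ipaddress.ip_address(identity)
    except ValueError:
        return "name"          # username, FQDN, e-mail address or DN
    return "private-ip" if addr.is_private else "public-ip"


def analyze(log_text):
    """Return (lookups, leases): one dict per peer-config lookup, and peer -> virtual IP."""
    lookups = []
    leases = {}
    open_lookups = {}      # charon thread number -> index of its unresolved lookup
    for line in log_text.splitlines():
        m = THREAD_RE.search(line)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        lk = LOOKUP_RE.match(msg)
        if lk:
            rid = lk.group("remote_id")
            lookups.append({
                "remote": lk.group("remote"),
                "remote_id": rid,
                "id_kind": classify_id(rid),
                "matched": True,   # flipped if "no matching peer config" follows on this thread
            })
            open_lookups[thread] = len(lookups) - 1
            continue
        if msg == "no matching peer config found" and thread in open_lookups:
            lookups[open_lookups.pop(thread)]["matched"] = False
            continue
        ls = LEASE_RE.match(msg)
        if ls:
            leases[ls.group("peer")] = ls.group("vip")
    return lookups, leases


def explain(lookups):
    """One human-readable hint per failed lookup."""
    hints = []
    for lk in lookups:
        if lk["matched"]:
            continue
        if lk["id_kind"] == "private-ip":
            hints.append(f"{lk['remote']} sent its LAN address {lk['remote_id']} as IKE ID; "
                         "a conn with a username rightid cannot match it")
        else:
            hints.append(f"{lk['remote']} sent ID {lk['remote_id']} ({lk['id_kind']}) "
                         "and no conn matched")
    return hints


if __name__ == "__main__":
    found_lookups, found_leases = analyze(SAMPLE_LOG)
    for hint in explain(found_lookups):
        print(hint)
    for peer, vip in found_leases.items():
        print(f"{peer} -> {vip}")
```

Feed it the output of `journalctl -u strongswan` (with `charondebug = cfg 2` or higher, as in the thread's config) and a roadwarrior whose ID is a private address shows up immediately; the lease table lets you confirm which identity the pool actually handed an address to.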

