[strongSwan] Windows Server 2012 R2 host to host to StrongSwan 5.6.0 Problems
Ben Lavender
ben.lavender at virtualdcs.co.uk
Tue Oct 10 17:50:46 CEST 2017
Hello, hopefully someone could help us with an issue we are having with this setup.
We have a Windows 2012 R2 Server and a Debian 9 server running the latest release of StrongSwan. The configuration we are trying to implement is a host-to-host IPSEC connection in transport mode between these two hosts on the same subnet using X.509 certificates for authentication.
Windows Server is on 192.168.1.76/24 (hostname LAB-DC-01)
Debian Server is on 192.168.1.73/24 (hostname LAB-DEBCLIENT-01)
Both servers have the same root CA certificate, except the Linux server has it converted to PEM from DER. My understanding is there isn't any requirements for extra certificates except this one mutual CA, correct me if I'm wrong. The Windows server configuration is done using the Connection Security Rules using RCA Certificate Signing, I then upload the rootca.pem to /etc/ipsec.d/cacerts
Configs LAB-DEBCLIENT-01:
/etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="ike 2, knl 2, cfg 2"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
mobike=no
keyexchange=ike
conn host-host
left=192.168.1.73
# leftcert=rootca.pem
leftid=@LAB-DEBCLIENT-01
leftfirewall=yes
right=192.168.1.76
rightid=@LAB-DC-01
type=transport
auto=add
ca strongswan
cacert=rootca.pem
crluri=http://cdp.ourdomain.com/VP%20Issuing%20CA1.crl #changed ourdomain part for the mailing list
auto=add
Logs:
I've changed the domain name to ourcompany for security reasons, so that can be ignored. My concerns are the two log lines below but can't seem to find the reason:
Oct 10 16:43:40 LAB-DEBCLIENT-0 charon: 03[ENC] header verification failed
Oct 10 16:43:40 LAB-DEBCLIENT-0 charon: 03[NET] received invalid IKE header from 192.168.1.76 - ignored
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, Linux 4.9.0-4-amd64, x86_64)
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 00[KNL] known interfaces and IP addresses:
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 00[KNL] lo
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 00[KNL] 127.0.0.1
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 00[KNL] ::1
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 00[KNL] eth0
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 00[KNL] 192.168.1.73
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 00[KNL] fe80::215:5dff:fe01:82cd
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 00[CFG] loaded ca certificate "CN=ourcompany Root CA" from '/etc/ipsec.d/cacerts/rootca.pem'
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 00[JOB] spawning 16 worker threads
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 05[CFG] received stroke: add ca 'strongswan'
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 05[CFG] ca strongswan
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 05[CFG] cacert=rootca.pem
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 05[CFG] crluri=http://cdp.ourdomain.com/VP%20Issuing%20CA1.crl
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 05[CFG] loaded ca certificate "CN=company Root CA" from 'rootca.pem'
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 05[CFG] added ca 'strongswan'
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 06[CFG] received stroke: add connection 'host-host'
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 06[CFG] conn host-host
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 06[CFG] left=192.168.1.73
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 06[CFG] leftid=@LAB-DEBCLIENT-01
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 06[CFG] leftupdown=ipsec _updown iptables
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 06[CFG] right=192.168.1.76
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 06[CFG] rightid=@LAB-DC-01
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 06[CFG] ike=aes128-sha256-curve25519
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 06[CFG] esp=aes128-sha256
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 06[CFG] dpddelay=30
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 06[CFG] dpdtimeout=150
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 06[CFG] sha256_96=no
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 06[CFG] mediation=no
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 06[KNL] 192.168.1.76 is not a local address or the interface is down
Oct 10 16:43:33 LAB-DEBCLIENT-0 charon: 06[CFG] added configuration 'host-host'
Oct 10 16:43:40 LAB-DEBCLIENT-0 charon: 03[ENC] header verification failed
Oct 10 16:43:40 LAB-DEBCLIENT-0 charon: 03[NET] received invalid IKE header from 192.168.1.76 - ignored
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 03[ENC] header verification failed
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 03[NET] received invalid IKE header from 192.168.1.76 - ignored
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[NET] received packet: from 192.168.1.76[500] to 192.168.1.73[500] (312 bytes)
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V ]
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[CFG] looking for an ike config for 192.168.1.73...192.168.1.76
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[CFG] candidate: 192.168.1.73...192.168.1.76, prio 3096
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[CFG] found matching ike config: 192.168.1.73...192.168.1.76 with prio 3096
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:05
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[ENC] received unknown vendor ID: 21:4c:a4:fa:ff:a7:f3:2d:67:48:e5:30:33:95:ae:83
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[IKE] received NAT-T (RFC 3947) vendor ID
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[IKE] received FRAGMENTATION vendor ID
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[IKE] 192.168.1.76 is initiating a Main Mode IKE_SA
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[CFG] selecting proposal:
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[CFG] selecting proposal:
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[CFG] selecting proposal:
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[CFG] proposal matches
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/PRF_HMAC_MD5/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[IKE] sending XAuth vendor ID
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[IKE] sending DPD vendor ID
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[IKE] sending FRAGMENTATION vendor ID
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[IKE] sending NAT-T (RFC 3947) vendor ID
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[ENC] generating ID_PROT response 0 [ SA V V V V ]
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 09[NET] sending packet: from 192.168.1.73[500] to 192.168.1.76[500] (160 bytes)
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 10[NET] received packet: from 192.168.1.76[500] to 192.168.1.73[500] (260 bytes)
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 10[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 10[IKE] sending cert request for "CN=ourcompany Root CA"
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 10[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 10[NET] sending packet: from 192.168.1.73[500] to 192.168.1.76[500] (280 bytes)
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[NET] received packet: from 192.168.1.76[500] to 192.168.1.73[500] (92 bytes)
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[ENC] parsed INFORMATIONAL_V1 request 799120018 [ HASH N((28)) ]
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[IKE] received (28) error notify
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[IKE] IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[NET] received packet: from 192.168.1.76[500] to 192.168.1.73[500] (312 bytes)
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V ]
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[CFG] looking for an ike config for 192.168.1.73...192.168.1.76
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[CFG] candidate: 192.168.1.73...192.168.1.76, prio 3096
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[CFG] found matching ike config: 192.168.1.73...192.168.1.76 with prio 3096
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:05
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[ENC] received unknown vendor ID: 21:4c:a4:fa:ff:a7:f3:2d:67:48:e5:30:33:95:ae:83
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[IKE] received NAT-T (RFC 3947) vendor ID
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[IKE] received FRAGMENTATION vendor ID
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[IKE] 192.168.1.76 is initiating a Main Mode IKE_SA
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[CFG] selecting proposal:
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[CFG] selecting proposal:
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[CFG] selecting proposal:
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[CFG] proposal matches
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/PRF_HMAC_MD5/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[IKE] sending XAuth vendor ID
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[IKE] sending DPD vendor ID
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[IKE] sending FRAGMENTATION vendor ID
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[IKE] sending NAT-T (RFC 3947) vendor ID
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[ENC] generating ID_PROT response 0 [ SA V V V V ]
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 11[NET] sending packet: from 192.168.1.73[500] to 192.168.1.76[500] (160 bytes)
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 13[NET] received packet: from 192.168.1.76[500] to 192.168.1.73[500] (260 bytes)
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 13[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 13[IKE] sending cert request for "CN=ourcomapny Root CA"
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 13[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 13[NET] sending packet: from 192.168.1.73[500] to 192.168.1.76[500] (280 bytes)
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 14[NET] received packet: from 192.168.1.76[500] to 192.168.1.73[500] (92 bytes)
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 14[ENC] parsed INFORMATIONAL_V1 request 2327092492 [ HASH N((28)) ]
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 14[IKE] received (28) error notify
Oct 10 16:43:41 LAB-DEBCLIENT-0 charon: 14[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
Oct 10 16:43:42 LAB-DEBCLIENT-0 charon: 03[ENC] header verification failed
Oct 10 16:43:42 LAB-DEBCLIENT-0 charon: 03[NET] received invalid IKE header from 192.168.1.76 - ignored
Oct 10 16:43:45 LAB-DEBCLIENT-0 charon: 03[ENC] header verification failed
Oct 10 16:43:45 LAB-DEBCLIENT-0 charon: 03[NET] received invalid IKE header from 192.168.1.76 - ignored
Thanks.
Ben Lavender | Technical Infrastructure Engineer at virtualDCS
Office: 01133023184 <tel:03453888327> | Mobile: 07958 167998
Award winning Cloud Computing Services and Hosting from UK Data Centres.
'UK's Most Cutting Edge Cloud Hosting Services Provider 2016-17' - TMT News
'Best International Cloud Computing Solutions Provider 2016-17' - CV Magazine
[cid:image002.png at 01D33E97.652B0BA0]
Virtual Data Centre Services (virtualDCS) is registered in England and Wales under company number 07238621; registered address: The Waterscape, 42 Leeds and Bradford Road, LS5 3EG. This e-mail and any attachments are strictly confidential and intended for the addressee only. If you are not the named addressee you must not disclose, copy, or take any action in reliance of this transmission, and you should notify us as soon as possible. Any views or opinions expressed are solely those of the author and do not necessarily represent those of virtualDCS. This e-mail and any attachments are believed to be free from viruses but it is your responsibility to carry out all necessary virus checks, and virtualDCS accepts no liability in connection therewith.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171010/e27bf656/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 122682 bytes
Desc: image001.png
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171010/e27bf656/attachment-0001.png>
More information about the Users
mailing list