[strongSwan] ikev2 win7pro win7ultimate - domain member/not domain member
Marc Roos
M.Roos at f1-outsourcing.eu
Mon Jan 29 22:18:32 CET 2018

Workstations on an SMB domain 192.168.x.x network can dial in on the
remote strongSwan server and are getting IPs.

There are also a few test VMs on the libvirt 192.168.122 range. One can
dial in, but the other cannot dial in. This is the one that is not
a member of the domain.

Could it be that domain-specific settings, e.g. lower security
protocols, have been enabled, allowing the IPsec connection to succeed on
domain members?

On the good session, after candidate "win7" and cert match(?), I get logs
like these:

Jan 29 20:40:14 test2 charon: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jan 29 20:40:14 test2 charon: 13[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jan 29 20:40:14 test2 charon: 13[IKE] received EAP identity 'user1'
Jan 29 20:40:14 test2 charon: 13[IKE] initiating EAP_MSCHAPV2 method (id 0x8C)
Jan 29 20:40:14 test2 charon: 13[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]

While on the session that breaks down I get these, but never the
eap_mschapv2:

Jan 29 20:42:48 test2 charon: 13[IKE] received cert request for unknown ca with keyid 4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d
Jan 29 20:42:48 test2 charon: 13[IKE] received cert request for unknown ca with keyid 6a:47:a2:67:c9:2e:2f:19:68:8b:9b:86:61:66:95:ed:c1:2c:13:00
Jan 29 20:42:48 test2 charon: 13[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb
Jan 29 20:42:48 test2 charon: 13[IKE] received cert request for unknown ca with keyid 8d:a7:1b:f9:3c:da:45:76:89:e9:fe:d0:ee:04:97:58:cb:1e:c3:5b
Jan 29 20:42:48 test2 charon: 13[IKE] received cert request for unknown ca with keyid 88:a9:5a:ef:c0:84:fc:13:74:41:6b:b1:63:32:c2:cf:92:59:bb:3b
Jan 29 20:42:48 test2 charon: 13[IKE] received cert request for unknown ca with keyid b4:64:ba:c4:50:86:1b:f8:2d:51:ac:24:2c:cd:d8:3b:24:6f:36:fa
Jan 29 20:42:48 test2 charon: 13[IKE] received cert request for unknown ca with keyid 34:4f:30:2d:25:69:31:91:ea:f7:73:5c:ab:f5:86:8d:37:82:40:ec
Jan 29 20:42:48 test2 charon: 13[IKE] received cert request for unknown ca with keyid 3e:df:29:0c:c1:f5:cc:73:2c:eb:3d:24:e1:7e:52:da:bd:27:e2:f0
Jan 29 20:42:48 test2 charon: 13[IKE] received cert request for unknown ca with keyid da:ed:64:74:14:9c:14:3c:ab:dd:99:a9:bd:5b:28:4d:8b:3c:c9:d8
Jan 29 20:42:48 test2 charon: 13[IKE] received cert request for unknown ca with keyid dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15