[strongSwan] Windows gives error 13868: Policy match error but Linux connect works

flyingrhino flyingrhino at orcon.net.nz
Thu May 3 11:34:44 CEST 2018


Hi fellow swan'ers,

Can anyone point me in the right direction to understand why I get the message "error 13868: Policy match error" when I connect using windows 8.1 & p12 cert to strongswan responder (5.6.2-2~local9.1 on debian stretch)?

When I connect to the same responder from a linux initiator running linux mint 18.3 with the cert components configured manually into ipsec.conf , ipsec.secrets, strongswan.conf (ipsec up CONN_NAME) - it works perfectly!

Here's the log from the responder with find/replace on private fields:

May  3 18:08:30 my_server charon: 02[NET] received packet: from 1.1.1.1[43473] to 2.2.2.2[500]
May  3 18:08:30 my_server charon: 12[NET] received packet: from 1.1.1.1[43473] to 2.2.2.2[500] (616 bytes)
May  3 18:08:30 my_server charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May  3 18:08:30 my_server charon: 12[CFG] looking for an ike config for 2.2.2.2...1.1.1.1
May  3 18:08:30 my_server charon: 12[CFG]   candidate: 2.2.2.2...%any, prio 1052
May  3 18:08:30 my_server charon: 12[CFG] found matching ike config: 2.2.2.2...%any with prio 1052
May  3 18:08:30 my_server charon: 12[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
May  3 18:08:30 my_server charon: 12[IKE] received MS-Negotiation Discovery Capable vendor ID
May  3 18:08:30 my_server charon: 12[IKE] received Vid-Initial-Contact vendor ID
May  3 18:08:30 my_server charon: 12[ENC] received unknown vendor ID: 01:MORE HEX HERE:00:00:02
May  3 18:08:30 my_server charon: 12[IKE] 1.1.1.1 is initiating an IKE_SA
May  3 18:08:30 my_server charon: 12[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
May  3 18:08:30 my_server charon: 12[CFG] selecting proposal:
May  3 18:08:30 my_server charon: 12[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
May  3 18:08:30 my_server charon: 12[CFG] selecting proposal:
May  3 18:08:30 my_server charon: 12[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
May  3 18:08:30 my_server charon: 12[CFG] selecting proposal:
May  3 18:08:30 my_server charon: 12[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
May  3 18:08:30 my_server charon: 12[CFG] selecting proposal:
May  3 18:08:30 my_server charon: 12[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
May  3 18:08:30 my_server charon: 12[CFG] selecting proposal:
May  3 18:08:30 my_server charon: 12[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
May  3 18:08:30 my_server charon: 12[CFG] selecting proposal:
May  3 18:08:30 my_server charon: 12[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
May  3 18:08:30 my_server charon: 12[CFG] selecting proposal:
May  3 18:08:30 my_server charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
May  3 18:08:30 my_server charon: 12[CFG] selecting proposal:
May  3 18:08:30 my_server charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
May  3 18:08:30 my_server charon: 12[CFG] selecting proposal:
May  3 18:08:30 my_server charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
May  3 18:08:30 my_server charon: 12[CFG] selecting proposal:
May  3 18:08:30 my_server charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
May  3 18:08:30 my_server charon: 12[CFG] selecting proposal:
May  3 18:08:30 my_server charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
May  3 18:08:30 my_server charon: 12[CFG] selecting proposal:
May  3 18:08:30 my_server charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
May  3 18:08:30 my_server charon: 12[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
May  3 18:08:30 my_server charon: 12[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/CURVE_25519/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/CURVE_25519/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
May  3 18:08:30 my_server charon: 12[IKE] remote host is behind NAT
May  3 18:08:30 my_server charon: 12[IKE] received proposals inacceptable
May  3 18:08:30 my_server charon: 12[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
May  3 18:08:30 my_server charon: 12[NET] sending packet: from 2.2.2.2[500] to 1.1.1.1[43473] (36 bytes)
May  3 18:08:30 my_server charon: 12[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
May  3 18:08:30 my_server charon: 02[NET] waiting for data on sockets
May  3 18:08:30 my_server charon: 08[NET] sending packet: from 2.2.2.2[500] to 1.1.1.1[


Could it be something to do with how the client key is built - the CN, or san fields, or the IP addresses?

Here's how I made the keys. Again fields have been sanitized:

Responder
=========

ipsec pki --gen --type rsa --size 4096 --outform pem > /etc/ipsec.d/private/my_strongswanKey.pem


ipsec pki --self --ca --lifetime 720 --in /etc/ipsec.d/private/my_strongswanKey.pem --type rsa --dn "C=US, O=company, CN=myrootCA" --outform pem > /etc/ipsec.d/cacerts/my_strongswanCert.pem


ipsec pki --gen --type rsa --size 2048 --outform pem > /etc/ipsec.d/private/my_vpnHostKey.pem

ipsec pki --pub --in /etc/ipsec.d/private/my_vpnHostKey.pem --type rsa | ipsec pki --issue --lifetime 710 --cacert /etc/ipsec.d/cacerts/my_strongswanCert.pem --cakey /etc/ipsec.d/private/my_strongswanKey.pem --dn "C=US, O=company, CN=2.2.2.2" --san 2.2.2.2 --san @2.2.2.2 --san 10.10.10.10 --san @10.10.10.10 --san servername --flag serverAuth --flag ikeIntermediate --outform pem > /etc/ipsec.d/certs/my_vpnHostCert.pem

Initiator certs
===============

ipsec pki --gen --type rsa --size 2048 --outform pem > /etc/ipsec.d/private/my_MynameKey.pem

ipsec pki --pub --in /etc/ipsec.d/private/my_MynameKey.pem --type rsa | ipsec pki --issue --lifetime 710 --cacert /etc/ipsec.d/cacerts/my_strongswanCert.pem --cakey /etc/ipsec.d/private/my_strongswanKey.pem --dn "C=US, O=company, CN=Myname at company.com" --san Myname at company.com --san Myname at 2.2.2.2 --san Myname at 10.10.10.10 --outform pem > /etc/ipsec.d/certs/my_MynameCert.pem

openssl pkcs12 -export -inkey /etc/ipsec.d/private/my_MynameKey.pem -in /etc/ipsec.d/certs/my_MynameCert.pem -name "my_MynameCert" -certfile /etc/ipsec.d/cacerts/my_strongswanCert.pem -caname "myrootCA" -out /etc/ipsec.d/p12/my_Myname.p12

Thanks.



More information about the Users mailing list