[strongSwan] Sudden issues with Windows 10 clients

Houman houmie at gmail.com
Mon May 7 15:17:38 CEST 2018


Hello,

Until a week ago a user with Windows 10 had no issue connecting to the
StrongSwan server. But now out of the blue, he can't connect to the
StrongSwan server anymore.

The log on the server is:

May  7 12:31:06 vpn-p1 charon: 08[IKE] received proposals inacceptable
May  7 12:31:06 vpn-p1 charon: 08[ENC] generating IKE_SA_INIT response 0 [
N(NO_PROP) ]
May  7 12:31:06 vpn-p1 charon: 08[NET] sending packet: from
xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
May  7 12:32:09 vpn-p1 systemd[1]: Started Session 35 of user root.
May  7 12:46:21 vpn-p1 systemd[1]: Starting Cleanup of Temporary
Directories...
May  7 12:46:21 vpn-p1 systemd-tmpfiles[7016]:
[/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log",
ignoring.
May  7 12:46:21 vpn-p1 systemd[1]: Started Cleanup of Temporary Directories.
May  7 13:00:13 vpn-p1 systemd[1]: Starting Certbot...
May  7 13:00:13 vpn-p1 systemd[1]: Started Certbot.
May  7 13:08:20 vpn-p1 systemd[1]: Started Session 36 of user root.
May  7 13:11:27 vpn-p1 charon: 12[NET] received packet: from
91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
May  7 13:11:27 vpn-p1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May  7 13:11:27 vpn-p1 charon: 12[IKE] received MS NT5 ISAKMPOAKLEY v9
vendor ID
May  7 13:11:27 vpn-p1 charon: 12[IKE] received MS-Negotiation Discovery
Capable vendor ID
May  7 13:11:27 vpn-p1 charon: 12[IKE] received Vid-Initial-Contact vendor
ID
May  7 13:11:27 vpn-p1 charon: 12[ENC] received unknown vendor ID:
01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May  7 13:11:27 vpn-p1 charon: 12[IKE] 91.98.xxx.xxx is initiating an IKE_SA
May  7 13:11:27 vpn-p1 charon: 12[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
May  7 13:11:27 vpn-p1 charon: 12[CFG] configured proposals:
IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384,
IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May  7 13:11:27 vpn-p1 charon: 12[IKE] remote host is behind NAT
May  7 13:11:27 vpn-p1 charon: 12[IKE] received proposals inacceptable
May  7 13:11:27 vpn-p1 charon: 12[ENC] generating IKE_SA_INIT response 0 [
N(NO_PROP) ]
May  7 13:11:27 vpn-p1 charon: 12[NET] sending packet: from
xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
May  7 13:11:28 vpn-p1 charon: 16[NET] received packet: from
91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
May  7 13:11:28 vpn-p1 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May  7 13:11:28 vpn-p1 charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9
vendor ID
May  7 13:11:28 vpn-p1 charon: 16[IKE] received MS-Negotiation Discovery
Capable vendor ID
May  7 13:11:28 vpn-p1 charon: 16[IKE] received Vid-Initial-Contact vendor
ID
May  7 13:11:28 vpn-p1 charon: 16[ENC] received unknown vendor ID:
01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May  7 13:11:28 vpn-p1 charon: 16[IKE] 91.98.xxx.xxx is initiating an IKE_SA
May  7 13:11:28 vpn-p1 charon: 16[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
May  7 13:11:28 vpn-p1 charon: 16[CFG] configured proposals:
IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384,
IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May  7 13:11:28 vpn-p1 charon: 16[IKE] remote host is behind NAT
May  7 13:11:28 vpn-p1 charon: 16[IKE] received proposals inacceptable
May  7 13:11:28 vpn-p1 charon: 16[ENC] generating IKE_SA_INIT response 0 [
N(NO_PROP) ]
May  7 13:11:28 vpn-p1 charon: 16[NET] sending packet: from
xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)

The Server's ipsec.conf is:

config setup
  strictcrlpolicy=yes
  uniqueids=never
conn roadwarrior
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes

ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!
  esp=aes256gcm16-sha256,aes256-3des-sha256-sha1!
  dpdaction=clear
  dpddelay=180s
  rekey=no
  left=%any
  leftid=@${VPNHOST}
  leftcert=cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightauth=eap-radius
  eap_identity=%any
  rightdns=208.67.222.222,208.67.220.220
  rightsourceip=${VPNIPPOOL}
  rightsendcert=never

Have the supported ike/esp proposals somehow been changed recently after a
recent Windows 10 update?

I have made these changes on the Windows 10, after googling for a solution:

- The firewall on Windows 10 is currently disabled.
- I have set NegotiateDH2048_AES256 = 1 in Regedit
- AssumeUDPEncapsulationContextOnSendRule = 2 in Regedit

I can't think of anything else I could do on the Windows 10 client.

According to my notes, these are the proposed protocols for Windows 10:

# these ike and esp settings are tested on Mac 10.12, iOS 10 and Windows 10
# iOS/Mac with appropriate configuration profiles use
AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_521
# Windows 10 uses AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384

Is there a website that translates
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384 into the right
naming for ipsec.conf so that I enter them under ike and esp respectively?
I can't quite make out if I have these settings there or not.

If you have any other advice, please help me.

Many Thanks,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180507/b8a50ead/attachment.html>


More information about the Users mailing list