[strongSwan] Sudden issues with Windows 10 clients
Jafar Al-Gharaibeh
jafar at atcorp.com
Mon May 7 16:50:23 CEST 2018
Houman,
The Windows client proposals do not match your configured proposals.
Your Windows client expect DG group 15 (MODP2048), where as you have:
aes256-3des-sha1-modp1024
change that to:
aes256-3des-sha1-modp2048
I'd also add sha256 at least before sha1 (deemed insecure). If you still
have other clients expecting modp1024, make it:
aes256-3des-sha256-sha1-modp2048-modp1024
That should get you covered.
Regards,
Jafar
On 5/7/2018 8:17 AM, Houman wrote:
> Hello,
>
> Until a week ago a user with Windows 10 had no issue connecting to the
> StrongSwan server. But now out of the blue, he can't connect to the
> StrongSwan server anymore.
>
> The log on the server is:
>
> May 7 12:31:06 vpn-p1 charon: 08[IKE] received proposals inacceptable
> May 7 12:31:06 vpn-p1 charon: 08[ENC] generating IKE_SA_INIT response
> 0 [ N(NO_PROP) ]
> May 7 12:31:06 vpn-p1 charon: 08[NET] sending packet: from
> xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
> May 7 12:32:09 vpn-p1 systemd[1]: Started Session 35 of user root.
> May 7 12:46:21 vpn-p1 systemd[1]: Starting Cleanup of Temporary
> Directories...
> May 7 12:46:21 vpn-p1 systemd-tmpfiles[7016]:
> [/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log",
> ignoring.
> May 7 12:46:21 vpn-p1 systemd[1]: Started Cleanup of Temporary
> Directories.
> May 7 13:00:13 vpn-p1 systemd[1]: Starting Certbot...
> May 7 13:00:13 vpn-p1 systemd[1]: Started Certbot.
> May 7 13:08:20 vpn-p1 systemd[1]: Started Session 36 of user root.
> May 7 13:11:27 vpn-p1 charon: 12[NET] received packet: from
> 91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
> May 7 13:11:27 vpn-p1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> May 7 13:11:27 vpn-p1 charon: 12[IKE] received MS NT5 ISAKMPOAKLEY v9
> vendor ID
> May 7 13:11:27 vpn-p1 charon: 12[IKE] received MS-Negotiation
> Discovery Capable vendor ID
> May 7 13:11:27 vpn-p1 charon: 12[IKE] received Vid-Initial-Contact
> vendor ID
> May 7 13:11:27 vpn-p1 charon: 12[ENC] received unknown vendor ID:
> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> May 7 13:11:27 vpn-p1 charon: 12[IKE] 91.98.xxx.xxx is initiating an
> IKE_SA
> May 7 13:11:27 vpn-p1 charon: 12[CFG] received proposals:
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
> IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
> May 7 13:11:27 vpn-p1 charon: 12[CFG] configured proposals:
> IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521,
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384,
> IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> May 7 13:11:27 vpn-p1 charon: 12[IKE] remote host is behind NAT
> May 7 13:11:27 vpn-p1 charon: 12[IKE] received proposals inacceptable
> May 7 13:11:27 vpn-p1 charon: 12[ENC] generating IKE_SA_INIT response
> 0 [ N(NO_PROP) ]
> May 7 13:11:27 vpn-p1 charon: 12[NET] sending packet: from
> xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
> May 7 13:11:28 vpn-p1 charon: 16[NET] received packet: from
> 91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
> May 7 13:11:28 vpn-p1 charon: 16[ENC] parsed IKE_SA_INIT request 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> May 7 13:11:28 vpn-p1 charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9
> vendor ID
> May 7 13:11:28 vpn-p1 charon: 16[IKE] received MS-Negotiation
> Discovery Capable vendor ID
> May 7 13:11:28 vpn-p1 charon: 16[IKE] received Vid-Initial-Contact
> vendor ID
> May 7 13:11:28 vpn-p1 charon: 16[ENC] received unknown vendor ID:
> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> May 7 13:11:28 vpn-p1 charon: 16[IKE] 91.98.xxx.xxx is initiating an
> IKE_SA
> May 7 13:11:28 vpn-p1 charon: 16[CFG] received proposals:
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
> IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
> May 7 13:11:28 vpn-p1 charon: 16[CFG] configured proposals:
> IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521,
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384,
> IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> May 7 13:11:28 vpn-p1 charon: 16[IKE] remote host is behind NAT
> May 7 13:11:28 vpn-p1 charon: 16[IKE] received proposals inacceptable
> May 7 13:11:28 vpn-p1 charon: 16[ENC] generating IKE_SA_INIT response
> 0 [ N(NO_PROP) ]
> May 7 13:11:28 vpn-p1 charon: 16[NET] sending packet: from
> xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
>
> The Server's ipsec.conf is:
>
> config setup
> strictcrlpolicy=yes
> uniqueids=never
> conn roadwarrior
> auto=add
> compress=no
> type=tunnel
> keyexchange=ikev2
> fragmentation=yes
> forceencaps=yes
> ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!
> esp=aes256gcm16-sha256,aes256-3des-sha256-sha1!
> dpdaction=clear
> dpddelay=180s
> rekey=no
> left=%any
> leftid=@${VPNHOST}
> leftcert=cert.pem
> leftsendcert=always
> leftsubnet=0.0.0.0/0 <http://0.0.0.0/0>
> right=%any
> rightid=%any
> rightauth=eap-radius
> eap_identity=%any
> rightdns=208.67.222.222,208.67.220.220
> rightsourceip=${VPNIPPOOL}
> rightsendcert=never
>
> Have the supported ike/esp proposals somehow been changed recently
> after a recent Windows 10 update?
>
> I have made these changes on the Windows 10, after googling for a
> solution:
>
> - The firewall on Windows 10 is currently disabled.
> - I have set NegotiateDH2048_AES256 = 1 in Regedit
> - AssumeUDPEncapsulationContextOnSendRule = 2 in Regedit
>
> I can't think of anything else I could do on the Windows 10 client.
>
> According to my notes, these are the proposed protocols for Windows 10:
>
> # these ike and esp settings are tested on Mac 10.12, iOS 10 and
> Windows 10
> # iOS/Mac with appropriate configuration profiles use
> AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_521
> # Windows 10 uses AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
>
> Is there a website that translates
> AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384 into the right
> naming for ipsec.conf so that I enter them under ike and esp
> respectively? I can't quite make out if I have these settings there or
> not.
>
> If you have any other advice, please help me.
>
> Many Thanks,
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180507/df833523/attachment.html>
More information about the Users
mailing list