[strongSwan] Sudden issues with Windows 10 clients

Jafar Al-Gharaibeh jafar at atcorp.com
Mon May 7 16:50:23 CEST 2018


Houman,

   The Windows client's proposals do not match your configured proposals. 
Your Windows client expects DH group 15 (MODP2048), whereas you have:

aes256-3des-sha1-modp1024

change that to:

aes256-3des-sha1-modp2048

I'd also add sha256 at least before sha1 (deemed insecure). If you still 
have other clients expecting modp1024, make it:

aes256-3des-sha256-sha1-modp2048-modp1024

That should get you covered.

Regards,
Jafar


On 5/7/2018 8:17 AM, Houman wrote:
> Hello,
>
> Until a week ago a user with Windows 10 had no issue connecting to the 
> StrongSwan server. But now out of the blue, he can't connect to the 
> StrongSwan server anymore.
>
> The log on the server is:
>
> May  7 12:31:06 vpn-p1 charon: 08[IKE] received proposals inacceptable
> May  7 12:31:06 vpn-p1 charon: 08[ENC] generating IKE_SA_INIT response 
> 0 [ N(NO_PROP) ]
> May  7 12:31:06 vpn-p1 charon: 08[NET] sending packet: from 
> xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
> May  7 12:32:09 vpn-p1 systemd[1]: Started Session 35 of user root.
> May  7 12:46:21 vpn-p1 systemd[1]: Starting Cleanup of Temporary 
> Directories...
> May  7 12:46:21 vpn-p1 systemd-tmpfiles[7016]: 
> [/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log", 
> ignoring.
> May  7 12:46:21 vpn-p1 systemd[1]: Started Cleanup of Temporary 
> Directories.
> May  7 13:00:13 vpn-p1 systemd[1]: Starting Certbot...
> May  7 13:00:13 vpn-p1 systemd[1]: Started Certbot.
> May  7 13:08:20 vpn-p1 systemd[1]: Started Session 36 of user root.
> May  7 13:11:27 vpn-p1 charon: 12[NET] received packet: from 
> 91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
> May  7 13:11:27 vpn-p1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ 
> SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> May  7 13:11:27 vpn-p1 charon: 12[IKE] received MS NT5 ISAKMPOAKLEY v9 
> vendor ID
> May  7 13:11:27 vpn-p1 charon: 12[IKE] received MS-Negotiation 
> Discovery Capable vendor ID
> May  7 13:11:27 vpn-p1 charon: 12[IKE] received Vid-Initial-Contact 
> vendor ID
> May  7 13:11:27 vpn-p1 charon: 12[ENC] received unknown vendor ID: 
> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> May  7 13:11:27 vpn-p1 charon: 12[IKE] 91.98.xxx.xxx is initiating an 
> IKE_SA
> May  7 13:11:27 vpn-p1 charon: 12[CFG] received proposals: 
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, 
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, 
> IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
> May  7 13:11:27 vpn-p1 charon: 12[CFG] configured proposals: 
> IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521, 
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, 
> IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> May  7 13:11:27 vpn-p1 charon: 12[IKE] remote host is behind NAT
> May  7 13:11:27 vpn-p1 charon: 12[IKE] received proposals inacceptable
> May  7 13:11:27 vpn-p1 charon: 12[ENC] generating IKE_SA_INIT response 
> 0 [ N(NO_PROP) ]
> May  7 13:11:27 vpn-p1 charon: 12[NET] sending packet: from 
> xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
> May  7 13:11:28 vpn-p1 charon: 16[NET] received packet: from 
> 91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
> May  7 13:11:28 vpn-p1 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ 
> SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> May  7 13:11:28 vpn-p1 charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9 
> vendor ID
> May  7 13:11:28 vpn-p1 charon: 16[IKE] received MS-Negotiation 
> Discovery Capable vendor ID
> May  7 13:11:28 vpn-p1 charon: 16[IKE] received Vid-Initial-Contact 
> vendor ID
> May  7 13:11:28 vpn-p1 charon: 16[ENC] received unknown vendor ID: 
> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> May  7 13:11:28 vpn-p1 charon: 16[IKE] 91.98.xxx.xxx is initiating an 
> IKE_SA
> May  7 13:11:28 vpn-p1 charon: 16[CFG] received proposals: 
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, 
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, 
> IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
> May  7 13:11:28 vpn-p1 charon: 16[CFG] configured proposals: 
> IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521, 
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, 
> IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> May  7 13:11:28 vpn-p1 charon: 16[IKE] remote host is behind NAT
> May  7 13:11:28 vpn-p1 charon: 16[IKE] received proposals inacceptable
> May  7 13:11:28 vpn-p1 charon: 16[ENC] generating IKE_SA_INIT response 
> 0 [ N(NO_PROP) ]
> May  7 13:11:28 vpn-p1 charon: 16[NET] sending packet: from 
> xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
>
> The Server's ipsec.conf is:
>
> config setup
>   strictcrlpolicy=yes
>   uniqueids=never
> conn roadwarrior
>   auto=add
>   compress=no
>   type=tunnel
>   keyexchange=ikev2
>   fragmentation=yes
>   forceencaps=yes
>   ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!
>   esp=aes256gcm16-sha256,aes256-3des-sha256-sha1!
>   dpdaction=clear
>   dpddelay=180s
>   rekey=no
>   left=%any
>   leftid=@${VPNHOST}
>   leftcert=cert.pem
>   leftsendcert=always
>   leftsubnet=0.0.0.0/0
>   right=%any
>   rightid=%any
>   rightauth=eap-radius
>   eap_identity=%any
>   rightdns=208.67.222.222,208.67.220.220
>   rightsourceip=${VPNIPPOOL}
>   rightsendcert=never
>
> Have the supported ike/esp proposals somehow been changed recently 
> after a recent Windows 10 update?
>
> I have made these changes on the Windows 10, after googling for a 
> solution:
>
> - The firewall on Windows 10 is currently disabled.
> - I have set NegotiateDH2048_AES256 = 1 in Regedit
> - AssumeUDPEncapsulationContextOnSendRule = 2 in Regedit
>
> I can't think of anything else I could do on the Windows 10 client.
>
> According to my notes, these are the proposed protocols for Windows 10:
>
> # these ike and esp settings are tested on Mac 10.12, iOS 10 and 
> Windows 10
> # iOS/Mac with appropriate configuration profiles use 
> AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_521
> # Windows 10 uses AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
>
> Is there a website that translates 
> AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384 into the right 
> naming for ipsec.conf so that I enter them under ike and esp 
> respectively? I can't quite make out if I have these settings there or 
> not.
>
> If you have any other advice, please help me.
>
> Many Thanks,
>

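Houman asks above how to translate charon's proposal notation into ipsec.conf naming and whether his configured suites cover the Windows client. The following is an added example (my own code, not strongSwan's and not from either poster) that parses the two [CFG] lines from the log, renders each proposal in ipsec.conf syntax, and checks for a pair that agrees in every algorithm class, which is what IKE_SA_INIT needs to avoid NO_PROPOSAL_CHOSEN. The token-to-keyword tables are an assumption limited to the algorithms that appear in this thread.

```python
import re
# Log token -> ipsec.conf keyword (assumption: a subset of strongSwan's documented IKEv2 names,
# covering only the algorithms seen in this thread).
NAMES = {"encr": {"AES_CBC_128": "aes128", "AES_CBC_256": "aes256", "3DES_CBC": "3des",
                  "AES_GCM_16_128": "aes128gcm16", "AES_GCM_16_256": "aes256gcm16"},
         "integ": {"HMAC_SHA1_96": "sha1", "HMAC_SHA2_256_128": "sha256",
                   "HMAC_SHA2_384_192": "sha384", "HMAC_SHA2_512_256": "sha512"},
         "dh": {"MODP_1024": "modp1024", "MODP_2048": "modp2048", "MODP_3072": "modp3072",
                "ECP_256": "ecp256", "ECP_384": "ecp384", "ECP_521": "ecp521"}}
LOG_RE = re.compile(r"\[CFG\] (received|configured) proposals: (.*)")

def parse_proposals(log_text):
    """Collect the IKE: proposals from charon's [CFG] lines, keyed by side."""
    out = {"received": [], "configured": []}
    for side, body in LOG_RE.findall(log_text):
        out[side] += [p.strip()[4:] for p in body.split(",") if p.strip().startswith("IKE:")]
    return out

def classify(proposal):
    """Split one proposal into ordered per-class token lists (PRF tokens kept verbatim)."""
    c = {"encr": [], "integ": [], "dh": [], "prf": []}
    for tok in proposal.split("/"):
        cls = "prf" if tok.startswith("PRF_") else next((k for k in NAMES if tok in NAMES[k]), None)
        if cls is None:
            raise ValueError("unknown algorithm token: " + tok)
        c[cls].append(tok)
    return c

def to_ipsec_conf(proposal):
    """Render a log proposal in ike= syntax (e.g. aes256-sha256-ecp384); the PRF is implied."""
    c = classify(proposal)
    return "-".join(NAMES[k][t] for k in ("encr", "integ", "dh") for t in c[k])

def find_match(received, configured):
    """IKE_SA_INIT only succeeds if some pair agrees in every class; return it, else None."""
    for r in received:
        rc = classify(r)
        for c in configured:
            cc = classify(c)
            if all(set(rc[k]) & set(cc[k]) for k in rc):
                return r, c
    return None

def dh_groups(proposals):
    """DH groups a side offers at all; the usual culprit when no proposal is chosen."""
    return sorted({t for p in proposals for t in classify(p)["dh"]})

# Constructed sample: the two [CFG] lines from the log above, re-joined onto one line each.
SAMPLE_LOG = """\
May  7 13:11:27 vpn-p1 charon: 12[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
May  7 13:11:27 vpn-p1 charon: 12[CFG] configured proposals: IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""
```

On the sample, `find_match` returns None and `dh_groups` shows the client offering only MODP_2048 against a server offering ECP_384, ECP_521 and MODP_1024; swapping the last configured suite's group to MODP_2048 produces a match with the client's first proposal.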