[strongSwan] Sudden issues with Windows 10 clients
Houman
houmie at gmail.com
Thu May 10 21:34:12 CEST 2018
Hi guys,
Unfortunately, this isn't just limited to Windows; I have the same issue
with iPhone. I strongly believe this is because IKEv2 traffic could have
been blocked in my user's country. My user had been utilising this server
without any issues until last week, and suddenly it has stopped working.
Please see the logs; this is when he is trying to connect from an iPhone:
May 10 20:26:45 vpn-server charon: 01[NET] received packet: from 91.99.xxx.xx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 10 20:26:45 vpn-server charon: 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 10 20:26:45 vpn-server charon: 01[IKE] 91.99.xxx.xx is initiating an IKE_SA
May 10 20:26:45 vpn-server charon: 01[IKE] local host is behind NAT, sending keep alives
May 10 20:26:45 vpn-server charon: 01[IKE] remote host is behind NAT
May 10 20:26:45 vpn-server charon: 01[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
May 10 20:26:45 vpn-server charon: 01[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 10 20:26:45 vpn-server charon: 01[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xx[500] (38 bytes)
May 10 20:26:48 vpn-server charon: 12[NET] received packet: from 91.99.xxx.xx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 10 20:26:48 vpn-server charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 10 20:26:48 vpn-server charon: 12[IKE] 91.99.xxx.xx is initiating an IKE_SA
May 10 20:26:48 vpn-server charon: 12[IKE] local host is behind NAT, sending keep alives
May 10 20:26:48 vpn-server charon: 12[IKE] remote host is behind NAT
May 10 20:26:48 vpn-server charon: 12[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
May 10 20:26:48 vpn-server charon: 12[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 10 20:26:48 vpn-server charon: 12[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xx[500] (38 bytes)
And this is when I try to connect from my iPhone:
May 10 20:10:25 vpn-server systemd[1]: Starting Cleanup of Temporary Directories...
May 10 20:10:25 vpn-server systemd-tmpfiles[2631]: [/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log", ignoring.
May 10 20:10:25 vpn-server systemd[1]: Started Cleanup of Temporary Directories.
May 10 20:10:57 vpn-server charon: 06[NET] received packet: from 88.98.xxx.xxx[39064] to 172.31.xxx.xxx[500] (604 bytes)
May 10 20:10:57 vpn-server charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 10 20:10:57 vpn-server charon: 06[IKE] 88.98.xxx.xxx is initiating an IKE_SA
May 10 20:10:57 vpn-server charon: 06[IKE] local host is behind NAT, sending keep alives
May 10 20:10:57 vpn-server charon: 06[IKE] remote host is behind NAT
May 10 20:10:57 vpn-server charon: 06[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
May 10 20:10:57 vpn-server charon: 06[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 10 20:10:57 vpn-server charon: 06[NET] sending packet: from 172.31.xxx.xxx[500] to 88.98.xxx.xxx[39064] (38 bytes)
May 10 20:10:57 vpn-server charon: 05[NET] received packet: from 88.98.xxx.xxx[39064] to 172.31.xxx.xxx[500] (476 bytes)
May 10 20:10:57 vpn-server charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 10 20:10:57 vpn-server charon: 05[IKE] 88.98.xxx.xxx is initiating an IKE_SA
May 10 20:10:57 vpn-server charon: 05[IKE] local host is behind NAT, sending keep alives
May 10 20:10:57 vpn-server charon: 05[IKE] remote host is behind NAT
May 10 20:10:57 vpn-server charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
May 10 20:10:57 vpn-server charon: 05[NET] sending packet: from 172.31.xxx.xxx[500] to 88.98.xxx.xxx[39064] (316 bytes)
May 10 20:10:58 vpn-server charon: 04[NET] received packet: from 88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (500 bytes)
May 10 20:10:58 vpn-server charon: 04[ENC] unknown attribute type (25)
May 10 20:10:58 vpn-server charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
May 10 20:10:58 vpn-server charon: 04[CFG] looking for peer configs matching 172.31.xxx.xxx[vpn1.xxx.com]...88.98.xxx.xxx[vpn1.xxx.com]
May 10 20:10:58 vpn-server charon: 04[CFG] selected peer config 'roadwarrior'
May 10 20:10:58 vpn-server charon: 04[IKE] initiating EAP_IDENTITY method (id 0x00)
May 10 20:10:58 vpn-server charon: 04[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
May 10 20:10:58 vpn-server charon: 04[IKE] peer supports MOBIKE
May 10 20:10:58 vpn-server charon: 04[IKE] authentication of 'vpn1.xxx.com' (myself) with RSA signature successful
May 10 20:10:58 vpn-server charon: 04[IKE] sending end entity cert "CN=vpn1.xxx.com"
May 10 20:10:58 vpn-server charon: 04[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
May 10 20:10:58 vpn-server charon: 04[ENC] splitting IKE message with length of 3596 bytes into 8 fragments
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(1/8) ]
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(2/8) ]
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(3/8) ]
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(4/8) ]
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(5/8) ]
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(6/8) ]
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(7/8) ]
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(8/8) ]
May 10 20:10:58 vpn-server charon: 04[NET] sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (544 bytes)
May 10 20:10:58 vpn-server charon: message repeated 6 times: [ 04[NET] sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (544 bytes)]
May 10 20:10:58 vpn-server charon: 04[NET] sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (192 bytes)
May 10 20:10:58 vpn-server charon: 03[NET] received packet: from 88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (76 bytes)
May 10 20:10:58 vpn-server charon: 03[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
May 10 20:10:58 vpn-server charon: 03[IKE] received EAP identity 'houmie'
May 10 20:10:58 vpn-server charon: 03[IKE] initiating EAP_MSCHAPV2 method (id 0xAE)
May 10 20:10:58 vpn-server charon: 03[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
May 10 20:10:58 vpn-server charon: 03[NET] sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (100 bytes)
May 10 20:10:58 vpn-server charon: 02[NET] received packet: from 88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (124 bytes)
May 10 20:10:58 vpn-server charon: 02[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
May 10 20:10:58 vpn-server charon: 02[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
May 10 20:10:58 vpn-server charon: 02[NET] sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (132 bytes)
May 10 20:10:58 vpn-server charon: 01[NET] received packet: from 88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (68 bytes)
May 10 20:10:58 vpn-server charon: 01[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
May 10 20:10:58 vpn-server charon: 01[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
May 10 20:10:58 vpn-server charon: 01[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
May 10 20:10:58 vpn-server charon: 01[NET] sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (68 bytes)
May 10 20:10:58 vpn-server charon: 12[NET] received packet: from 88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (84 bytes)
May 10 20:10:58 vpn-server charon: 12[ENC] parsed IKE_AUTH request 5 [ AUTH ]
May 10 20:10:58 vpn-server charon: 12[IKE] authentication of 'vpn1.xxx.com' with EAP successful
May 10 20:10:58 vpn-server charon: 12[IKE] authentication of 'vpn1.xxx.com' (myself) with EAP
May 10 20:10:58 vpn-server charon: 12[IKE] IKE_SA roadwarrior[2] established between 172.31.xxx.xxx[vpn1.xxx.com]...88.98.xxx.xxx[vpn1.xxx.com]
May 10 20:10:58 vpn-server charon: 12[IKE] peer requested virtual IP %any
May 10 20:10:58 vpn-server charon: 12[CFG] assigning new lease to 'houmie'
May 10 20:10:58 vpn-server charon: 12[IKE] assigning virtual IP 10.10.10.1 to peer 'houmie'
May 10 20:10:58 vpn-server charon: 12[IKE] peer requested virtual IP %any6
May 10 20:10:58 vpn-server charon: 12[IKE] no virtual IP found for %any6 requested by 'houmie'
May 10 20:10:58 vpn-server charon: 12[IKE] CHILD_SA roadwarrior{1} established with SPIs c0b075ce_i 0789b8c0_o and TS 0.0.0.0/0 === 10.10.10.1/32
May 10 20:10:58 vpn-server charon: 12[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
May 10 20:10:58 vpn-server charon: 12[NET] sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (228 bytes)
The config that is working for my iPhone is this:
config setup
    strictcrlpolicy=yes
    uniqueids=never

conn roadwarrior
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!
    esp=aes256gcm16-sha256,aes256-3des-sha256-sha1!
    dpdaction=clear
    dpddelay=180s
    rekey=no
    left=%any
    leftid=@vpn1.xxx.com
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    eap_identity=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    rightsendcert=never
Please let me know if you see any obvious problem. But I strongly believe
they have blocked the IKEv2 traffic...
Many Thanks,
Houman
On 9 May 2018 at 15:40, Jafar Al-Gharaibeh <jafar at atcorp.com> wrote:
> Hi Tobias,
>
> Thanks for the correction. What I meant to say is :
>
> The PRF algorithm is derived from the integrity algorithm,
> but only if a DH group is also configured.
>
> Correct?
>
> Regards,
> Jafar
>
>
> On 5/9/2018 2:21 AM, Tobias Brunner wrote:
>
>> Hi Jafar,
>>
>>> No need to configure a prf, it is already assumed when you
>>> configured a DH group; so you can drop prfsha256.
>>>
>> Small correction, the PRF algorithm, if not configured explicitly, is
>> not derived from the DH group, but the integrity algorithm, in this case
>> sha256.
>>
>> Regards,
>> Tobias
>>
>>
>
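Editor's note on the two captures above, with an added example (this script is not from the original post and is not strongSwan code). In both logs the client's first IKE_SA_INIT carries a MODP_2048 key exchange, which the ike= line does not offer (it lists ecp521, ecp384 and modp1024), so charon answers with N(INVAL_KE) asking for MODP_1024, as RFC 7296 section 2.7 requires. The iPhone that works then retries with a smaller 476-byte request carrying the requested group and the exchange completes; the failing client sends the identical 604-byte request again three seconds later, which is consistent with the 38-byte INVAL_KE reply never reaching it (or being ignored). The script below parses constructed charon log lines in that shape, ties each "received packet" line to the lines it produces through the worker thread id (an assumption about charon's logging that holds for the lines quoted here; the addresses in the sample are placeholders), classifies each peer, and parses the ike= string from the post to show why the INVAL_KE round trip happens on every connection. Adding modp2048 to ike= removes that round trip; it does not help a client whose replies are being dropped, but it takes one variable out of the diagnosis. Note that modp1024, 3des and sha1 in that ike= line are legacy choices a server should not need to keep offering.

```python
"""Classify IKE_SA_INIT outcomes per peer from strongSwan charon log lines.

Added example for the thread above, not code from the original post or from
strongSwan. SAMPLE_LOG is constructed to mirror the shape of the quoted lines
(addresses are placeholders); IKE_CONFIG is the ike= line from the post.
Assumption: charon logs the 'received packet' line and the lines it triggers
on the same worker thread id, which is how lines are tied to a peer here.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
May 10 20:26:45 vpn-server charon: 01[NET] received packet: from 91.99.0.1[500] to 172.31.0.1[500] (604 bytes)
May 10 20:26:45 vpn-server charon: 01[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
May 10 20:26:45 vpn-server charon: 01[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 10 20:26:48 vpn-server charon: 12[NET] received packet: from 91.99.0.1[500] to 172.31.0.1[500] (604 bytes)
May 10 20:26:48 vpn-server charon: 12[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
May 10 20:26:48 vpn-server charon: 12[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 10 20:10:57 vpn-server charon: 06[NET] received packet: from 88.98.0.1[39064] to 172.31.0.1[500] (604 bytes)
May 10 20:10:57 vpn-server charon: 06[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
May 10 20:10:57 vpn-server charon: 06[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 10 20:10:57 vpn-server charon: 05[NET] received packet: from 88.98.0.1[39064] to 172.31.0.1[500] (476 bytes)
May 10 20:10:57 vpn-server charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
"""

IKE_CONFIG = "aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!"

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ charon: (?P<thread>\d+)\[\w+\] (?P<msg>.*)$")
RECV_RE = re.compile(r"received packet: from (?P<peer>[\d.]+)\[\d+\] to \S+ \((?P<size>\d+) bytes\)")
INVAL_RE = re.compile(r"DH group (?P<bad>\w+) inacceptable, requesting (?P<want>\w+)")
RESP_RE = re.compile(r"generating IKE_SA_INIT response \d+ \[ (?P<payloads>.*) \]")
DH_RE = re.compile(r"modp\d+(s\d+)?|ecp\d+(bp)?|curve25519|curve448|x25519|x448")


def dh_groups_offered(ike):
    """DH groups in an ipsec.conf ike= string: comma-separated proposals,
    dash-separated algorithms, optional trailing '!' for strict mode."""
    return {alg for proposal in ike.rstrip("!").split(",")
            for alg in proposal.split("-") if DH_RE.fullmatch(alg)}


def parse_init_events(log):
    """Return {peer: [event, ...]} in log order. Events are 'request' (an
    IKE_SA_INIT arrived, with its size), 'inval_ke' (we rejected the DH group;
    names normalised to ike= spelling, e.g. MODP_2048 -> modp2048) or
    'init_ok' (we answered with real SA/KE payloads, i.e. the exchange completed)."""
    peer_of_thread, events = {}, defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "message repeated N times" summaries, systemd noise
        thread, msg = m["thread"], m["msg"]
        if r := RECV_RE.search(msg):
            peer_of_thread[thread] = r["peer"]  # thread ids are reused, so rebind on every packet
            events[r["peer"]].append({"ts": m["ts"], "kind": "request", "size": int(r["size"])})
            continue
        peer = peer_of_thread.get(thread)
        if peer is None:
            continue
        if i := INVAL_RE.search(msg):
            events[peer].append({"ts": m["ts"], "kind": "inval_ke",
                                 "bad": i["bad"].replace("_", "").lower(),
                                 "want": i["want"].replace("_", "").lower()})
        elif (s := RESP_RE.search(msg)) and "N(INVAL_KE)" not in s["payloads"]:
            events[peer].append({"ts": m["ts"], "kind": "init_ok"})
    return events


def diagnose(events):
    """One verdict string per peer."""
    verdicts = {}
    for peer, evs in events.items():
        kinds = [e["kind"] for e in evs]
        rejected = kinds.count("inval_ke")
        sizes = sorted({e["size"] for e in evs if e["kind"] == "request"})
        if "init_ok" in kinds:
            verdicts[peer] = "ok: client retried with the requested group and IKE_SA_INIT completed"
        elif rejected >= 2:
            verdicts[peer] = (f"stuck: {rejected} IKE_SA_INIT requests ({sizes} bytes) each answered "
                              "with INVAL_KE; the client never switches to the requested group, so the "
                              "INVAL_KE reply is probably not reaching it (or it ignores it)")
        elif rejected == 1:
            verdicts[peer] = "pending: one INVAL_KE sent, no retry seen yet"
        else:
            verdicts[peer] = "no IKE_SA_INIT outcome logged"
    return verdicts


def config_hints(ike, events):
    """Explain each INVAL_KE from the server side: the group the client tries
    first is simply not in ike=, so every connection pays an extra round trip."""
    offered, hints = dh_groups_offered(ike), {}
    for peer, evs in events.items():
        for e in evs:
            if e["kind"] == "inval_ke" and e["bad"] not in offered:
                hints[peer] = (f"client proposes {e['bad']} first but ike= only offers "
                               f"{sorted(offered)}; adding {e['bad']} removes the INVAL_KE round trip")
                break
    return hints


if __name__ == "__main__":
    evs = parse_init_events(SAMPLE_LOG)
    for peer, verdict in diagnose(evs).items():
        print(peer, "->", verdict)
    for peer, hint in config_hints(IKE_CONFIG, evs).items():
        print(peer, "->", hint)
```

Run it against a real journal with the charon lines extracted (for example `journalctl -u strongswan | grep charon:` piped into `parse_init_events`); a peer that stays in the "stuck" state is one to test further with a packet capture on the server's public interface, since the server-side log alone cannot distinguish a reply that was dropped in transit from one the client discarded.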