[strongSwan] Sudden issues with Windows 10 clients
Jafar Al-Gharaibeh
jafar at atcorp.com
Thu May 10 22:33:59 CEST 2018
Hi Houman,
Similar to the Windows problem you had earlier, you don't have the
correct combination of configured algorithms. Look at the logs:
May 10 20:26:48 vpn-server charon: 12[IKE] DH group MODP_2048
inacceptable, requesting MODP_1024
The iPhone expects modp2048, but your configuration says modp1024.
Look back at the suggestion we made for Windows and just use the same
configuration.
Regards,
Jafar
On 5/10/2018 2:34 PM, Houman wrote:
> Hi guys,
>
> Unfortunately, this isn't just limited to Windows; I have the same
> issue with iPhone. I strongly believe this is because IKEv2 traffic
> could have been blocked in my user's country. My user has been
> utilising this server without any issues until last week and suddenly
> it has stopped working.
>
> Please see the logs, this is when he is trying to connect from an iPhone:
>
> May 10 20:26:45 vpn-server charon: 01[NET] received packet: from
> 91.99.xxx.xx[500] to 172.31.xxx.xxx[500] (604 bytes)
>
> May 10 20:26:45 vpn-server charon: 01[ENC] parsed IKE_SA_INIT request
> 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>
> May 10 20:26:45 vpn-server charon: 01[IKE] 91.99.xxx.xx is initiating
> an IKE_SA
>
> May 10 20:26:45 vpn-server charon: 01[IKE] local host is behind NAT,
> sending keep alives
>
> May 10 20:26:45 vpn-server charon: 01[IKE] remote host is behind NAT
>
> May 10 20:26:45 vpn-server charon: 01[IKE] DH group MODP_2048
> inacceptable, requesting MODP_1024
>
> May 10 20:26:45 vpn-server charon: 01[ENC] generating IKE_SA_INIT
> response 0 [ N(INVAL_KE) ]
>
> May 10 20:26:45 vpn-server charon: 01[NET] sending packet: from
> 172.31.xxx.xxx[500] to 91.99.xxx.xx[500] (38 bytes)
>
> May 10 20:26:48 vpn-server charon: 12[NET] received packet: from
> 91.99.xxx.xx[500] to 172.31.xxx.xxx[500] (604 bytes)
>
> May 10 20:26:48 vpn-server charon: 12[ENC] parsed IKE_SA_INIT request
> 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>
> May 10 20:26:48 vpn-server charon: 12[IKE] 91.99.xxx.xx is initiating
> an IKE_SA
>
> May 10 20:26:48 vpn-server charon: 12[IKE] local host is behind NAT,
> sending keep alives
>
> May 10 20:26:48 vpn-server charon: 12[IKE] remote host is behind NAT
>
> May 10 20:26:48 vpn-server charon: 12[IKE] DH group MODP_2048
> inacceptable, requesting MODP_1024
>
> May 10 20:26:48 vpn-server charon: 12[ENC] generating IKE_SA_INIT
> response 0 [ N(INVAL_KE) ]
>
> May 10 20:26:48 vpn-server charon: 12[NET] sending packet: from
> 172.31.xxx.xxx[500] to 91.99.xxx.xx[500] (38 bytes)
>
>
> And this when I try to connect from my iphone:
>
>
> May 10 20:10:25 vpn-server systemd[1]: Starting Cleanup of Temporary
> Directories...
>
> May 10 20:10:25 vpn-server systemd-tmpfiles[2631]:
> [/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log",
> ignoring.
>
> May 10 20:10:25 vpn-server systemd[1]: Started Cleanup of Temporary
> Directories.
>
> May 10 20:10:57 vpn-server charon: 06[NET] received packet: from
> 88.98.xxx.xxx[39064] to 172.31.xxx.xxx[500] (604 bytes)
>
> May 10 20:10:57 vpn-server charon: 06[ENC] parsed IKE_SA_INIT request
> 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>
> May 10 20:10:57 vpn-server charon: 06[IKE] 88.98.xxx.xxx is initiating
> an IKE_SA
>
> May 10 20:10:57 vpn-server charon: 06[IKE] local host is behind NAT,
> sending keep alives
>
> May 10 20:10:57 vpn-server charon: 06[IKE] remote host is behind NAT
>
> May 10 20:10:57 vpn-server charon: 06[IKE] DH group MODP_2048
> inacceptable, requesting MODP_1024
>
> May 10 20:10:57 vpn-server charon: 06[ENC] generating IKE_SA_INIT
> response 0 [ N(INVAL_KE) ]
>
> May 10 20:10:57 vpn-server charon: 06[NET] sending packet: from
> 172.31.xxx.xxx[500] to 88.98.xxx.xxx[39064] (38 bytes)
>
> May 10 20:10:57 vpn-server charon: 05[NET] received packet: from
> 88.98.xxx.xxx[39064] to 172.31.xxx.xxx[500] (476 bytes)
>
> May 10 20:10:57 vpn-server charon: 05[ENC] parsed IKE_SA_INIT request
> 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>
> May 10 20:10:57 vpn-server charon: 05[IKE] 88.98.xxx.xxx is initiating
> an IKE_SA
>
> May 10 20:10:57 vpn-server charon: 05[IKE] local host is behind NAT,
> sending keep alives
>
> May 10 20:10:57 vpn-server charon: 05[IKE] remote host is behind NAT
>
> May 10 20:10:57 vpn-server charon: 05[ENC] generating IKE_SA_INIT
> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
>
> May 10 20:10:57 vpn-server charon: 05[NET] sending packet: from
> 172.31.xxx.xxx[500] to 88.98.xxx.xxx[39064] (316 bytes)
>
> May 10 20:10:58 vpn-server charon: 04[NET] received packet: from
> 88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (500 bytes)
>
> May 10 20:10:58 vpn-server charon: 04[ENC] unknown attribute type (25)
>
> May 10 20:10:58 vpn-server charon: 04[ENC] parsed IKE_AUTH request 1 [
> IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6
> DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>
> May 10 20:10:58 vpn-server charon: 04[CFG] looking for peer configs
> matching 172.31.xxx.xxx[vpn1.xxx.com]...88.98.xxx.xxx[vpn1.xxx.com]
>
> May 10 20:10:58 vpn-server charon: 04[CFG] selected peer config
> 'roadwarrior'
>
> May 10 20:10:58 vpn-server charon: 04[IKE] initiating EAP_IDENTITY
> method (id 0x00)
>
> May 10 20:10:58 vpn-server charon: 04[IKE] received
> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>
> May 10 20:10:58 vpn-server charon: 04[IKE] peer supports MOBIKE
>
> May 10 20:10:58 vpn-server charon: 04[IKE] authentication of
> 'vpn1.xxx.com' (myself) with RSA signature successful
>
> May 10 20:10:58 vpn-server charon: 04[IKE] sending end entity cert
> "CN=vpn1.xxx.com"
>
> May 10 20:10:58 vpn-server charon: 04[IKE] sending issuer cert "C=US,
> O=Let's Encrypt, CN=Let's Encrypt Authority X3"
>
> May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH
> response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
>
> May 10 20:10:58 vpn-server charon: 04[ENC] splitting IKE message with
> length of 3596 bytes into 8 fragments
>
> May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH
> response 1 [ EF(1/8) ]
>
> May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH
> response 1 [ EF(2/8) ]
>
> May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH
> response 1 [ EF(3/8) ]
>
> May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH
> response 1 [ EF(4/8) ]
>
> May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH
> response 1 [ EF(5/8) ]
>
> May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH
> response 1 [ EF(6/8) ]
>
> May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH
> response 1 [ EF(7/8) ]
>
> May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH
> response 1 [ EF(8/8) ]
>
> May 10 20:10:58 vpn-server charon: 04[NET] sending packet: from
> 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (544 bytes)
>
> May 10 20:10:58 vpn-server charon: message repeated 6 times: [ 04[NET]
> sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (544
> bytes)]
>
> May 10 20:10:58 vpn-server charon: 04[NET] sending packet: from
> 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (192 bytes)
>
> May 10 20:10:58 vpn-server charon: 03[NET] received packet: from
> 88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (76 bytes)
>
> May 10 20:10:58 vpn-server charon: 03[ENC] parsed IKE_AUTH request 2 [
> EAP/RES/ID ]
>
> May 10 20:10:58 vpn-server charon: 03[IKE] received EAP identity 'houmie'
>
> May 10 20:10:58 vpn-server charon: 03[IKE] initiating EAP_MSCHAPV2
> method (id 0xAE)
>
> May 10 20:10:58 vpn-server charon: 03[ENC] generating IKE_AUTH
> response 2 [ EAP/REQ/MSCHAPV2 ]
>
> May 10 20:10:58 vpn-server charon: 03[NET] sending packet: from
> 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (100 bytes)
>
> May 10 20:10:58 vpn-server charon: 02[NET] received packet: from
> 88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (124 bytes)
>
> May 10 20:10:58 vpn-server charon: 02[ENC] parsed IKE_AUTH request 3 [
> EAP/RES/MSCHAPV2 ]
>
> May 10 20:10:58 vpn-server charon: 02[ENC] generating IKE_AUTH
> response 3 [ EAP/REQ/MSCHAPV2 ]
>
> May 10 20:10:58 vpn-server charon: 02[NET] sending packet: from
> 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (132 bytes)
>
> May 10 20:10:58 vpn-server charon: 01[NET] received packet: from
> 88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (68 bytes)
>
> May 10 20:10:58 vpn-server charon: 01[ENC] parsed IKE_AUTH request 4 [
> EAP/RES/MSCHAPV2 ]
>
> May 10 20:10:58 vpn-server charon: 01[IKE] EAP method EAP_MSCHAPV2
> succeeded, MSK established
>
> May 10 20:10:58 vpn-server charon: 01[ENC] generating IKE_AUTH
> response 4 [ EAP/SUCC ]
>
> May 10 20:10:58 vpn-server charon: 01[NET] sending packet: from
> 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (68 bytes)
>
> May 10 20:10:58 vpn-server charon: 12[NET] received packet: from
> 88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (84 bytes)
>
> May 10 20:10:58 vpn-server charon: 12[ENC] parsed IKE_AUTH request 5 [
> AUTH ]
>
> May 10 20:10:58 vpn-server charon: 12[IKE] authentication of
> 'vpn1.xxx.com' with EAP successful
>
> May 10 20:10:58 vpn-server charon: 12[IKE] authentication of
> 'vpn1.xxx.com' (myself) with EAP
>
> May 10 20:10:58 vpn-server charon: 12[IKE] IKE_SA roadwarrior[2]
> established between 172.31.xxx.xxx[vpn1.xxx.com]...88.98.xxx.xxx[vpn1.xxx.com]
>
> May 10 20:10:58 vpn-server charon: 12[IKE] peer requested virtual IP %any
>
> May 10 20:10:58 vpn-server charon: 12[CFG] assigning new lease to 'houmie'
>
> May 10 20:10:58 vpn-server charon: 12[IKE] assigning virtual IP
> 10.10.10.1 to peer 'houmie'
>
> May 10 20:10:58 vpn-server charon: 12[IKE] peer requested virtual IP %any6
>
> May 10 20:10:58 vpn-server charon: 12[IKE] no virtual IP found for
> %any6 requested by 'houmie'
>
> May 10 20:10:58 vpn-server charon: 12[IKE] CHILD_SA roadwarrior{1}
> established with SPIs c0b075ce_i 0789b8c0_o and TS 0.0.0.0/0 === 10.10.10.1/32
>
> May 10 20:10:58 vpn-server charon: 12[ENC] generating IKE_AUTH
> response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP)
> N(NO_ADD_ADDR) ]
>
> May 10 20:10:58 vpn-server charon: 12[NET] sending packet: from
> 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (228 bytes)
>
>
> The config that is working for my iPhone is this:
>
> config setup
>     strictcrlpolicy=yes
>     uniqueids=never
>
> conn roadwarrior
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     fragmentation=yes
>     forceencaps=yes
>     # the trailing '!' makes the list strict: only these proposals (and
>     # therefore only the DH groups ecp521, ecp384 and modp1024) are accepted
>     ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!
>     esp=aes256gcm16-sha256,aes256-3des-sha256-sha1!
>     dpdaction=clear
>     dpddelay=180s
>     rekey=no
>     left=%any
>     leftid=@vpn1.xxx.com
>     leftcert=cert.pem
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightid=%any
>     rightauth=eap-mschapv2
>     eap_identity=%any
>     rightdns=8.8.8.8,8.8.4.4
>     rightsourceip=10.10.10.0/24
>     rightsendcert=never
>
>
> Please let me know if you see any obvious problem. But I strongly
> believe they have blocked the IKEv2 traffic...
>
> Many Thanks,
> Houman
>
>
>
> On 9 May 2018 at 15:40, Jafar Al-Gharaibeh <jafar at atcorp.com> wrote:
>
> Hi Tobias,
>
> Thanks for the correction. What I meant to say is :
>
> The PRF algorithm is derived from the integrity
> algorithm, but only if a DH group is also configured.
>
> Correct?
>
> Regards,
> Jafar
>
>
> On 5/9/2018 2:21 AM, Tobias Brunner wrote:
>
> Hi Jafar,
>
> No need to configure a prf, it is already assumed when you
> configured a DH group; so you can drop prfsha256.
>
> Small correction, the PRF algorithm, if not configured
> explicitly, is
> not derived from the DH group, but the integrity algorithm, in
> this case
> sha256.
>
> Regards,
> Tobias
>
>
>
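An added example, written for this archive page and not code from the thread or from the strongSwan project. It does two things the diagnosis above relies on: it ties the charon lines of each IKE_SA_INIT exchange together by worker thread id and reports, per peer, whether the client ever resent a smaller KE after the server's N(INVAL_KE), and it checks an ipsec.conf ike= value against the DH group a client offered, honouring the trailing '!' (strict list, no default proposals appended). Assumptions: the sample log is constructed from the quoted lines with TEST-NET addresses; the verdict strings, the DH_TOKEN name list and the function names are mine; without '!' strongSwan appends version-dependent default proposals, so the checker answers "depends-on-defaults" instead of guessing.

```python
"""Spot IKEv2 DH-group mismatches in strongSwan charon logs and check an
ike= proposal line against the group a client offered."""
import re
from collections import defaultdict

# Constructed sample, shortened from the charon lines quoted in the thread.
# Addresses are TEST-NET placeholders, not the real peers.
SAMPLE_LOG = """\
May 10 20:26:45 vpn-server charon: 01[NET] received packet: from 192.0.2.10[500] to 172.31.0.1[500] (604 bytes)
May 10 20:26:45 vpn-server charon: 01[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
May 10 20:26:45 vpn-server charon: 01[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 10 20:26:48 vpn-server charon: 12[NET] received packet: from 192.0.2.10[500] to 172.31.0.1[500] (604 bytes)
May 10 20:26:48 vpn-server charon: 12[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
May 10 20:26:48 vpn-server charon: 12[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 10 20:10:57 vpn-server charon: 06[NET] received packet: from 198.51.100.20[39064] to 172.31.0.1[500] (604 bytes)
May 10 20:10:57 vpn-server charon: 06[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
May 10 20:10:57 vpn-server charon: 06[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 10 20:10:57 vpn-server charon: 05[NET] received packet: from 198.51.100.20[39064] to 172.31.0.1[500] (476 bytes)
May 10 20:10:57 vpn-server charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
"""

# The ike= value from the thread's working config (strict because of the '!').
IKE_LINE = "aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!"

# charon prefixes every line with the worker thread handling that request, so
# the lines belonging to one IKE_SA_INIT exchange can be joined by thread id.
RECV_RE = re.compile(r"charon: (?P<thr>\d+)\[NET\] received packet: from "
                     r"(?P<peer>[\d.]+)\[\d+\] to [\d.]+\[\d+\] \((?P<size>\d+) bytes\)")
DH_RE = re.compile(r"charon: (?P<thr>\d+)\[IKE\] DH group (?P<offered>\w+) "
                   r"inacceptable, requesting (?P<wanted>\w+)")
RESP_RE = re.compile(r"charon: (?P<thr>\d+)\[ENC\] generating IKE_SA_INIT "
                     r"response \d+ \[ (?P<payloads>.*?) \]")


def parse_ike_sa_init(log):
    """Return one dict per IKE_SA_INIT request: peer, size, groups, outcome."""
    pending, exchanges = {}, []
    for line in log.splitlines():
        m = RECV_RE.search(line)
        if m:
            pending[m["thr"]] = {"peer": m["peer"], "size": int(m["size"]),
                                 "offered": None, "wanted": None}
            continue
        m = DH_RE.search(line)
        if m and m["thr"] in pending:
            pending[m["thr"]].update(offered=m["offered"], wanted=m["wanted"])
            continue
        m = RESP_RE.search(line)
        if m and m["thr"] in pending:
            ex = pending.pop(m["thr"])
            ex["outcome"] = "INVALID_KE" if "N(INVAL_KE)" in m["payloads"] else "accepted"
            exchanges.append(ex)
    return exchanges


def classify_peers(exchanges):
    """Per peer: did it act on INVALID_KE (resend with the requested group)?"""
    by_peer = defaultdict(list)
    for ex in exchanges:
        by_peer[ex["peer"]].append(ex)
    verdicts = {}
    for peer, exs in by_peer.items():
        rejected = [e for e in exs if e["outcome"] == "INVALID_KE"]
        accepted = [e for e in exs if e["outcome"] == "accepted"]
        if not rejected:
            verdicts[peer] = "no-dh-mismatch"
        elif accepted:            # a later request got a real SA_INIT response
            verdicts[peer] = "fell-back-to-%s" % rejected[-1]["wanted"]
        elif len(rejected) > 1 and len({e["size"] for e in rejected}) == 1:
            # identical-size resends: the client never changed its KE, i.e. it
            # never saw (or never honoured) the server's INVALID_KE reply
            verdicts[peer] = "repeats-same-KE"
        else:
            verdicts[peer] = "rejected"
    return verdicts


# DH group names as written in ipsec.conf proposals (list is an assumption).
DH_TOKEN = re.compile(r"^(modp\d+|ecp\d+(bp)?|curve25519|x25519|x448)$")


def parse_ike_line(value):
    """ipsec.conf ike= value -> (set of DH groups, strict flag from '!')."""
    value = value.strip()
    strict = value.endswith("!")
    groups = set()
    for proposal in value.rstrip("!").split(","):
        groups.update(t for t in proposal.split("-") if DH_TOKEN.match(t))
    return groups, strict


def would_accept(ike_value, offered_log_name):
    """offered_log_name uses charon's spelling, e.g. 'MODP_2048'."""
    groups, strict = parse_ike_line(ike_value)
    wanted = offered_log_name.lower().replace("_", "")
    if wanted in groups:
        return "accept"
    return "reject" if strict else "depends-on-defaults"


if __name__ == "__main__":
    for peer, verdict in classify_peers(parse_ike_sa_init(SAMPLE_LOG)).items():
        print(peer, verdict)
    print("MODP_2048 against ike= line:", would_accept(IKE_LINE, "MODP_2048"))
```

Run against the constructed sample, the remote user's peer comes out as "repeats-same-KE" (two 604-byte requests, both answered with INVALID_KE) while the poster's own phone comes out as "fell-back-to-MODP_1024" (a 476-byte retry that got a full SA_INIT response); the same split is visible in the quoted log, which is what makes the two cases worth telling apart before blaming a network block.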