[strongSwan] Sudden issues with Windows 10 clients
Houman
houmie at gmail.com
Fri May 11 10:17:42 CEST 2018
Hello Jafar,
Apologies, as I didn't explain what I had already tried.
1) I have tried your suggestion:
ike=aes256-sha256-prfsha256-modp2048-modp1024!
esp=aes256-sha256,aes256-sha1,3des-sha1!
I can connect to it via iOS 11 and OSX High Sierra without any problem from
UK. And I no longer get that error message: "DH group MODP_2048
inacceptable, requesting MODP_1024".
However my user still can't connect. As he is connecting from Iran, I
strongly suspect this is because of a recent tightening of the VPN traffic
due to the recent political circumstances. Further below I have pasted the
log when he is trying to connect unsuccessfully. It says "Connecting..."
and after a few seconds, it drops.
2) Unrelated to that, considering what we discussed in this thread, it
seems I could skip both *prfsha256* and *modp1024*. Would you say this is
now the perfect settings for iOS 10+, OSX and Windows 10?
* ike=aes256-sha256-modp2048!*
* esp=aes256-sha256,aes256-sha1,3des-sha1!*
Many Thanks for your help,
Houman
Btw here is the log when he is trying to connect:
May 11 07:55:16 vpn-server charon: 02[NET] received packet: from
109.230.xxx.xx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 11 07:55:16 vpn-server charon: 02[ENC] parsed IKE_SA_INIT request 0 [
SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 11 07:55:16 vpn-server charon: 02[IKE] 109.230.xxx.xx is initiating an
IKE_SA
May 11 07:55:16 vpn-server charon: 02[IKE] local host is behind NAT,
sending keep alives
May 11 07:55:16 vpn-server charon: 02[IKE] remote host is behind NAT
May 11 07:55:16 vpn-server charon: 02[ENC] generating IKE_SA_INIT response
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
May 11 07:55:16 vpn-server charon: 02[NET] sending packet: from
172.31.xxx.xxx[500] to 109.230.xxx.xx[500] (448 bytes)
May 11 07:55:36 vpn-server charon: 01[IKE] sending keep alive to
109.230.xxx.xx[500]
May 11 07:55:46 vpn-server charon: 11[JOB] deleting half open IKE_SA after
timeout
May 11 07:57:44 vpn-server charon: 16[NET] received packet: from
109.230.xxx.xx[1] to 172.31.xxx.xxx[500] (624 bytes)
May 11 07:57:44 vpn-server charon: 16[ENC] parsed IKE_SA_INIT request 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May 11 07:57:44 vpn-server charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9
vendor ID
May 11 07:57:44 vpn-server charon: 16[IKE] received MS-Negotiation
Discovery Capable vendor ID
May 11 07:57:44 vpn-server charon: 16[IKE] received Vid-Initial-Contact
vendor ID
May 11 07:57:44 vpn-server charon: 16[ENC] received unknown vendor ID:
01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May 11 07:57:44 vpn-server charon: 16[IKE] 109.230.xxx.xx is initiating an
IKE_SA
May 11 07:57:44 vpn-server charon: 16[IKE] local host is behind NAT,
sending keep alives
May 11 07:57:44 vpn-server charon: 16[IKE] remote host is behind NAT
May 11 07:57:44 vpn-server charon: 16[ENC] generating IKE_SA_INIT response
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
May 11 07:57:44 vpn-server charon: 16[NET] sending packet: from
172.31.xxx.xxx[500] to 109.230.xxx.xx[1] (440 bytes)
May 11 07:57:45 vpn-server charon: 04[NET] received packet: from
109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (1536 bytes)
May 11 07:57:45 vpn-server charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi
CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
May 11 07:57:45 vpn-server charon: 04[IKE] received 54 cert requests for an
unknown ca
May 11 07:57:45 vpn-server charon: 04[CFG] looking for peer configs
matching 172.31.xxx.xxx[%any]...109.230.xxx.xx[192.168.1.103]
May 11 07:57:45 vpn-server charon: 04[CFG] selected peer config
'roadwarrior'
May 11 07:57:45 vpn-server charon: 04[IKE] initiating EAP_IDENTITY method
(id 0x00)
May 11 07:57:45 vpn-server charon: 04[IKE] peer supports MOBIKE
May 11 07:57:45 vpn-server charon: 04[IKE] authentication of 'vpn1.xxx.com'
(myself) with RSA signature successful
May 11 07:57:45 vpn-server charon: 04[IKE] sending end entity cert "CN=
vpn1.xxx.com"
May 11 07:57:45 vpn-server charon: 04[IKE] sending issuer cert "C=US,
O=Let's Encrypt, CN=Let's Encrypt Authority X3"
May 11 07:57:45 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [
IDr CERT CERT AUTH EAP/REQ/ID ]
May 11 07:57:45 vpn-server charon: 04[NET] sending packet: from
172.31.xxx.xxx[4500] to 109.230.xxx.xx[1024] (3616 bytes)
May 11 07:57:45 vpn-server charon: 02[NET] received packet: from
109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (96 bytes)
May 11 07:57:45 vpn-server charon: 02[ENC] parsed IKE_AUTH request 2 [
EAP/RES/ID ]
May 11 07:57:45 vpn-server charon: 02[IKE] received EAP identity 'houmie'
May 11 07:57:45 vpn-server charon: 02[IKE] initiating EAP_MSCHAPV2 method
(id 0x6C)
May 11 07:57:45 vpn-server charon: 02[ENC] generating IKE_AUTH response 2 [
EAP/REQ/MSCHAPV2 ]
May 11 07:57:45 vpn-server charon: 02[NET] sending packet: from
172.31.xxx.xxx[4500] to 109.230.xxx.xx[1024] (112 bytes)
May 11 07:57:45 vpn-server charon: 03[NET] received packet: from
109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (144 bytes)
May 11 07:57:45 vpn-server charon: 03[ENC] parsed IKE_AUTH request 3 [
EAP/RES/MSCHAPV2 ]
May 11 07:57:45 vpn-server charon: 03[ENC] generating IKE_AUTH response 3 [
EAP/REQ/MSCHAPV2 ]
May 11 07:57:45 vpn-server charon: 03[NET] sending packet: from
172.31.xxx.xxx[4500] to 109.230.xxx.xx[1024] (144 bytes)
May 11 07:57:45 vpn-server charon: 01[NET] received packet: from
109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (80 bytes)
May 11 07:57:45 vpn-server charon: 01[ENC] parsed IKE_AUTH request 4 [
EAP/RES/MSCHAPV2 ]
May 11 07:57:45 vpn-server charon: 01[IKE] EAP method EAP_MSCHAPV2
succeeded, MSK established
May 11 07:57:45 vpn-server charon: 01[ENC] generating IKE_AUTH response 4 [
EAP/SUCC ]
May 11 07:57:45 vpn-server charon: 01[NET] sending packet: from
172.31.xxx.xxx[4500] to 109.230.xxx.xx[1024] (80 bytes)
May 11 07:57:46 vpn-server charon: 11[NET] received packet: from
109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (112 bytes)
May 11 07:57:46 vpn-server charon: 11[ENC] parsed IKE_AUTH request 5 [ AUTH
]
May 11 07:57:46 vpn-server charon: 11[IKE] authentication of
'192.168.1.103' with EAP successful
May 11 07:57:46 vpn-server charon: 11[IKE] authentication of 'vpn1.xxx.com'
(myself) with EAP
May 11 07:57:46 vpn-server charon: 11[IKE] IKE_SA roadwarrior[4]
established between 172.31.xxx.xxx[vpn1.xxx.com
]...109.230.xxx.xx[192.168.1.103]
May 11 07:57:46 vpn-server charon: 11[IKE] peer requested virtual IP %any
May 11 07:57:46 vpn-server charon: 11[CFG] reassigning offline lease to
'houmie'
May 11 07:57:46 vpn-server charon: 11[IKE] assigning virtual IP 10.10.10.1
to peer 'houmie'
May 11 07:57:46 vpn-server charon: 11[IKE] peer requested virtual IP %any6
May 11 07:57:46 vpn-server charon: 11[IKE] no virtual IP found for %any6
requested by 'houmie'
May 11 07:57:46 vpn-server charon: 11[IKE] CHILD_SA roadwarrior{2}
established with SPIs caa2d799_i 8f5ab10c_o and TS 0.0.0.0/0 ===
10.10.10.1/32
May 11 07:57:46 vpn-server charon: 11[ENC] generating IKE_AUTH response 5 [
AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
May 11 07:57:46 vpn-server charon: 11[NET] sending packet: from
172.31.xxx.xxx[4500] to 109.230.xxx.xx[1024] (256 bytes)
On 10 May 2018 at 21:52, John Connett <jrc at skylon.demon.co.uk> wrote:
> Don't know if this might be related:
>
>
> https://support.microsoft.com/en-gb/help/4103721/windows-10-update-kb4103721
>
> "Addresses an issue that prevents certain VPN apps from working on builds
> of Windows 10, version 1803. These apps were developed using an SDK version
> that precedes Windows 10, version 1803, and use the public
> RasSetEntryProperties API".
>
> Regards
> --
> John Connett
>
> ------------------------------
> *From:* Users <users-bounces at lists.strongswan.org> on behalf of Jafar
> Al-Gharaibeh <jafar at atcorp.com>
> *Sent:* 10 May 2018 21:33
> *To:* Houman
> *Cc:* users at lists.strongswan.org
> *Subject:* Re: [strongSwan] Sudden issues with Windows 10 clients
>
> Hi Houman,
>
> Similar to the Windows problem you had earlier, you don't have the
> correct combination of configured algorithms. Look at the logs:
>
> May 10 20:26:48 vpn-server charon: 12[IKE] DH group MODP_2048
> inacceptable, requesting MODP_1024
>
> The iPhone expects modp2048, but your configuration says modp1024.
> Look back at the suggestion we made for Windows and just use the same
> configuration.
>
> Regards,
> Jafar
>
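The two things this thread turns on are the contents of the ike=/esp= proposal strings and what charon logs between an IKE_SA_INIT and either an established IKE_SA or a half-open timeout. The following is an added example, not code from the thread or from the strongSwan project: it splits an ipsec.conf proposal string into its algorithm tokens and flags any MODP group below 2048 bits (which set counts as "weak" is my assumption), and it runs a small classifier over charon log lines in the format shown above to count IKE_SA_INIT requests, DH-group mismatches, half-open timeouts and established SAs. The log lines are constructed to mirror the pasted ones, with documentation-range addresses in place of the real peers.

```python
import re
from collections import Counter

# Constructed sample modelled on the charon lines quoted in the thread.
# Addresses are documentation-range placeholders, not the real peers.
SAMPLE_LOG = """\
May 11 07:55:16 vpn-server charon: 02[NET] received packet: from 198.51.100.7[500] to 10.0.0.5[500] (604 bytes)
May 11 07:55:16 vpn-server charon: 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 11 07:55:16 vpn-server charon: 02[IKE] 198.51.100.7 is initiating an IKE_SA
May 11 07:55:16 vpn-server charon: 02[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
May 11 07:55:46 vpn-server charon: 11[JOB] deleting half open IKE_SA after timeout
May 11 07:57:44 vpn-server charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May 11 07:57:44 vpn-server charon: 16[IKE] 198.51.100.7 is initiating an IKE_SA
May 11 07:57:45 vpn-server charon: 04[IKE] received 54 cert requests for an unknown ca
May 11 07:57:45 vpn-server charon: 02[IKE] received EAP identity 'houmie'
May 11 07:57:46 vpn-server charon: 11[IKE] IKE_SA roadwarrior[4] established between 10.0.0.5[vpn1.example.com]...198.51.100.7[192.168.1.103]
"""

# charon's syslog format: "<month> <day> <time> <host> charon: <thread>[<group>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) charon: "
    r"(?P<thread>\d{2})\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)

# Assumption: MODP groups below 2048 bits are what we want flagged.
WEAK_DH_GROUPS = {"modp768", "modp1024", "modp1536"}


def parse_line(line):
    """Return the fields of one charon log line, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Count the IKE negotiation milestones charon logs and collect initiating peers."""
    counts = Counter()
    peers = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if msg.startswith("parsed IKE_SA_INIT request"):
            counts["ike_sa_init"] += 1
        elif (m := re.match(r"(\S+) is initiating an IKE_SA", msg)):
            peers.add(m.group(1))
        elif "deleting half open IKE_SA after timeout" in msg:
            # IKE_SA_INIT answered, but no IKE_AUTH ever arrived from the peer
            counts["half_open_timeout"] += 1
        elif re.match(r"DH group \S+ inacceptable, requesting \S+", msg):
            # responder's configured group differs from the initiator's KE payload
            counts["dh_group_mismatch"] += 1
        elif re.match(r"IKE_SA \S+ established between", msg):
            counts["established"] += 1
    return {"counts": dict(counts), "peers": sorted(peers)}


def parse_proposals(value):
    """Split an ipsec.conf ike=/esp= value into (strict, [[alg, ...], ...]).

    A trailing '!' makes the list strict (only these proposals are accepted);
    commas separate proposals and dashes separate the algorithms within one.
    """
    strict = value.endswith("!")
    body = value.rstrip("!")
    return strict, [p.split("-") for p in body.split(",") if p]


def weak_dh_groups(value):
    """List the DH groups in a proposal string that fall in WEAK_DH_GROUPS."""
    _, proposals = parse_proposals(value)
    return sorted({alg for p in proposals for alg in p if alg in WEAK_DH_GROUPS})


if __name__ == "__main__":
    for cfg in ("aes256-sha256-prfsha256-modp2048-modp1024!", "aes256-sha256-modp2048!"):
        print(f"{cfg}: weak DH groups {weak_dh_groups(cfg) or 'none'}")
    print(summarize(SAMPLE_LOG))
```

Run against a real journal (for example the output of `journalctl -u strongswan` piped into `summarize`), a rising `half_open_timeout` count with no matching `established` for the same peer points at the client never reaching IKE_AUTH, which is a different failure from a proposal mismatch and shows up without any `dh_group_mismatch` lines.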