[strongSwan] Sudden issues with Windows 10 clients
Jafar Al-Gharaibeh
jafar at atcorp.com
Fri May 11 17:00:14 CEST 2018
1) The log shows that while it took a couple of attempts to establish
an IKE SA, it was eventually up with an ESP Child SA as well. So, as
far as I can see in your logs, the connection should be up. What happens
next? Do the logs show that the connection is dropped for some reason?
What is the output of "ipsec statusall"? Can you confirm that you are
receiving ESP packets afterward, or if ESP is blocked?
2) Depending on the VPN clients you use, your proposals seem OK. I
would expand them a bit with a better DH group in case the client supports
it, in both IKE and ESP configs. In the ESP case you can have two proposals,
with and without DH groups, if you have clients that can't do DH with
ESP. Unless you really think you need 3des-sha1 for some clients, there
is no reason to keep it. Here is an example:
ike=aes256-sha256-ecp521-ecp256-modp4096-modp2048!
esp=aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!
Regards,
Jafar
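As an added example (not code from this thread or from strongSwan itself), a small Python checker that reads ike=/esp= proposal strings the way the advice above does: it flags 3des and modp1024, warns when every ESP proposal demands a DH group, and notes a missing strict "!". The WEAK list and the token regexes are my own assumptions and cover the common algorithm names, not every strongSwan keyword.

```python
import re

# Token classes for the algorithm strings on strongSwan ike=/esp= lines
# (e.g. aes256-sha256-modp2048!). Assumed patterns: common names only.
ENC = re.compile(r"^(aes\d+(gcm\d+|ccm\d+)?|chacha20poly1305|3des|des|null)$")
INTEG = re.compile(r"^(sha(1|256|384|512)(_\d+)?|md5|aesxcbc)$")
PRF = re.compile(r"^prf(sha1|sha256|sha384|sha512|md5|aesxcbc)$")
DH = re.compile(r"^(modp\d+|ecp\d+|curve25519|curve448)$")

# Algorithms worth removing, following the thread's advice (constructed list)
WEAK = {"3des", "des", "md5", "modp768", "modp1024", "null"}


def parse_proposals(value):
    """Split 'aes256-sha256-modp2048,aes256-sha1!' into per-proposal dicts plus strict flag."""
    value = value.strip()
    strict = value.endswith("!")  # '!' restricts negotiation to the listed proposals
    if strict:
        value = value[:-1]
    proposals = []
    for prop in value.split(","):
        entry = {"enc": [], "integ": [], "prf": [], "dh": []}
        for tok in prop.strip().split("-"):
            if ENC.match(tok):
                entry["enc"].append(tok)
            elif PRF.match(tok):
                entry["prf"].append(tok)
            elif INTEG.match(tok):
                entry["integ"].append(tok)
            elif DH.match(tok):
                entry["dh"].append(tok)
            else:
                raise ValueError("unknown algorithm token: " + tok)
        proposals.append(entry)
    return proposals, strict


def review_line(line):
    """Return a list of findings for one 'ike=...' or 'esp=...' ipsec.conf line."""
    kind, _, value = line.partition("=")
    kind = kind.strip()
    proposals, strict = parse_proposals(value)
    findings = []
    for i, p in enumerate(proposals):
        for tok in p["enc"] + p["integ"] + p["dh"]:
            if tok in WEAK:
                findings.append(f"{kind} proposal {i}: weak algorithm {tok}")
        if kind == "ike" and not p["dh"]:
            findings.append(f"ike proposal {i}: no DH group, IKE needs one")
    if kind == "esp" and all(p["dh"] for p in proposals):
        findings.append("esp: every proposal requires PFS; add one without a DH group for clients that cannot do it")
    if not strict:
        findings.append(f"{kind}: no trailing '!', strongSwan may add its default proposals")
    return findings
```

Feeding it the lines from this thread, the earlier ike= line is flagged for modp1024 and the esp= line for 3des, while the ike=aes256-sha256-modp2048! proposal passes clean.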
On 5/11/2018 3:17 AM, Houman wrote:
> Hello Jafar,
>
> Apologies, as I didn't explain what I had already tried.
>
> 1) I have tried your suggestion:
>
> ike=aes256-sha256-prfsha256-modp2048-modp1024!
> esp=aes256-sha256,aes256-sha1,3des-sha1!
>
> I can connect to it via iOS 11 and OSX High Sierra without any problem
> from UK. And I no longer get that error message: "DH group MODP_2048
> inacceptable, requesting MODP_1024".
>
> However my user still can't connect. As he is connecting from Iran, I
> strongly suspect this is because of a recent tightening of the VPN
> traffic due to the recent political circumstances. Further below I
> have pasted the log when he is trying to connect unsuccessfully. It
> says "Connecting..." and after a few seconds, it drops.
>
> 2) Unrelated to that, considering what we discussed in this thread, it
> seems I could skip both *prfsha256* and *modp1024*. Would you say these
> are now the perfect settings for iOS 10+, OSX and Windows 10?
>
> * ike=aes256-sha256-modp2048!*
> * esp=aes256-sha256,aes256-sha1,3des-sha1!*
>
> Many Thanks for your help,
> Houman
>
> Btw here is the log when he is trying to connect:
>
> May 11 07:55:16 vpn-server charon: 02[NET] received packet: from
> 109.230.xxx.xx[500] to 172.31.xxx.xxx[500] (604 bytes)
>
> May 11 07:55:16 vpn-server charon: 02[ENC] parsed IKE_SA_INIT request
> 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>
> May 11 07:55:16 vpn-server charon: 02[IKE] 109.230.xxx.xx is
> initiating an IKE_SA
>
> May 11 07:55:16 vpn-server charon: 02[IKE] local host is behind NAT,
> sending keep alives
>
> May 11 07:55:16 vpn-server charon: 02[IKE] remote host is behind NAT
>
> May 11 07:55:16 vpn-server charon: 02[ENC] generating IKE_SA_INIT
> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
>
> May 11 07:55:16 vpn-server charon: 02[NET] sending packet: from
> 172.31.xxx.xxx[500] to 109.230.xxx.xx[500] (448 bytes)
>
> May 11 07:55:36 vpn-server charon: 01[IKE] sending keep alive to
> 109.230.xxx.xx[500]
>
> May 11 07:55:46 vpn-server charon: 11[JOB] deleting half open IKE_SA
> after timeout
>
> May 11 07:57:44 vpn-server charon: 16[NET] received packet: from
> 109.230.xxx.xx[1] to 172.31.xxx.xxx[500] (624 bytes)
>
> May 11 07:57:44 vpn-server charon: 16[ENC] parsed IKE_SA_INIT request
> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
>
> May 11 07:57:44 vpn-server charon: 16[IKE] received MS NT5
> ISAKMPOAKLEY v9 vendor ID
>
> May 11 07:57:44 vpn-server charon: 16[IKE] received MS-Negotiation
> Discovery Capable vendor ID
>
> May 11 07:57:44 vpn-server charon: 16[IKE] received
> Vid-Initial-Contact vendor ID
>
> May 11 07:57:44 vpn-server charon: 16[ENC] received unknown vendor ID:
> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
>
> May 11 07:57:44 vpn-server charon: 16[IKE] 109.230.xxx.xx is
> initiating an IKE_SA
>
> May 11 07:57:44 vpn-server charon: 16[IKE] local host is behind NAT,
> sending keep alives
>
> May 11 07:57:44 vpn-server charon: 16[IKE] remote host is behind NAT
>
> May 11 07:57:44 vpn-server charon: 16[ENC] generating IKE_SA_INIT
> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>
> May 11 07:57:44 vpn-server charon: 16[NET] sending packet: from
> 172.31.xxx.xxx[500] to 109.230.xxx.xx[1] (440 bytes)
>
> May 11 07:57:45 vpn-server charon: 04[NET] received packet: from
> 109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (1536 bytes)
>
> May 11 07:57:45 vpn-server charon: 04[ENC] parsed IKE_AUTH request 1 [
> IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA
> TSi TSr ]
>
> May 11 07:57:45 vpn-server charon: 04[IKE] received 54 cert requests
> for an unknown ca
>
> May 11 07:57:45 vpn-server charon: 04[CFG] looking for peer configs
> matching 172.31.xxx.xxx[%any]...109.230.xxx.xx[192.168.1.103]
>
> May 11 07:57:45 vpn-server charon: 04[CFG] selected peer config
> 'roadwarrior'
>
> May 11 07:57:45 vpn-server charon: 04[IKE] initiating EAP_IDENTITY
> method (id 0x00)
>
> May 11 07:57:45 vpn-server charon: 04[IKE] peer supports MOBIKE
>
> May 11 07:57:45 vpn-server charon: 04[IKE] authentication of
> 'vpn1.xxx.com' (myself) with RSA signature successful
>
> May 11 07:57:45 vpn-server charon: 04[IKE] sending end entity cert
> "CN=vpn1.xxx.com"
>
> May 11 07:57:45 vpn-server charon: 04[IKE] sending issuer cert "C=US,
> O=Let's Encrypt, CN=Let's Encrypt Authority X3"
>
> May 11 07:57:45 vpn-server charon: 04[ENC] generating IKE_AUTH
> response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
>
> May 11 07:57:45 vpn-server charon: 04[NET] sending packet: from
> 172.31.xxx.xxx[4500] to 109.230.xxx.xx[1024] (3616 bytes)
>
> May 11 07:57:45 vpn-server charon: 02[NET] received packet: from
> 109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (96 bytes)
>
> May 11 07:57:45 vpn-server charon: 02[ENC] parsed IKE_AUTH request 2 [
> EAP/RES/ID ]
>
> May 11 07:57:45 vpn-server charon: 02[IKE] received EAP identity 'houmie'
>
> May 11 07:57:45 vpn-server charon: 02[IKE] initiating EAP_MSCHAPV2
> method (id 0x6C)
>
> May 11 07:57:45 vpn-server charon: 02[ENC] generating IKE_AUTH
> response 2 [ EAP/REQ/MSCHAPV2 ]
>
> May 11 07:57:45 vpn-server charon: 02[NET] sending packet: from
> 172.31.xxx.xxx[4500] to 109.230.xxx.xx[1024] (112 bytes)
>
> May 11 07:57:45 vpn-server charon: 03[NET] received packet: from
> 109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (144 bytes)
>
> May 11 07:57:45 vpn-server charon: 03[ENC] parsed IKE_AUTH request 3 [
> EAP/RES/MSCHAPV2 ]
>
> May 11 07:57:45 vpn-server charon: 03[ENC] generating IKE_AUTH
> response 3 [ EAP/REQ/MSCHAPV2 ]
>
> May 11 07:57:45 vpn-server charon: 03[NET] sending packet: from
> 172.31.xxx.xxx[4500] to 109.230.xxx.xx[1024] (144 bytes)
>
> May 11 07:57:45 vpn-server charon: 01[NET] received packet: from
> 109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (80 bytes)
>
> May 11 07:57:45 vpn-server charon: 01[ENC] parsed IKE_AUTH request 4 [
> EAP/RES/MSCHAPV2 ]
>
> May 11 07:57:45 vpn-server charon: 01[IKE] EAP method EAP_MSCHAPV2
> succeeded, MSK established
>
> May 11 07:57:45 vpn-server charon: 01[ENC] generating IKE_AUTH
> response 4 [ EAP/SUCC ]
>
> May 11 07:57:45 vpn-server charon: 01[NET] sending packet: from
> 172.31.xxx.xxx[4500] to 109.230.xxx.xx[1024] (80 bytes)
>
> May 11 07:57:46 vpn-server charon: 11[NET] received packet: from
> 109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (112 bytes)
>
> May 11 07:57:46 vpn-server charon: 11[ENC] parsed IKE_AUTH request 5 [
> AUTH ]
>
> May 11 07:57:46 vpn-server charon: 11[IKE] authentication of
> '192.168.1.103' with EAP successful
>
> May 11 07:57:46 vpn-server charon: 11[IKE] authentication of
> 'vpn1.xxx.com' (myself) with EAP
>
> May 11 07:57:46 vpn-server charon: 11[IKE] IKE_SA roadwarrior[4]
> established between 172.31.xxx.xxx[vpn1.xxx.com]...109.230.xxx.xx[192.168.1.103]
>
> May 11 07:57:46 vpn-server charon: 11[IKE] peer requested virtual IP %any
>
> May 11 07:57:46 vpn-server charon: 11[CFG] reassigning offline lease
> to 'houmie'
>
> May 11 07:57:46 vpn-server charon: 11[IKE] assigning virtual IP
> 10.10.10.1 to peer 'houmie'
>
> May 11 07:57:46 vpn-server charon: 11[IKE] peer requested virtual IP %any6
>
> May 11 07:57:46 vpn-server charon: 11[IKE] no virtual IP found for
> %any6 requested by 'houmie'
>
> May 11 07:57:46 vpn-server charon: 11[IKE] CHILD_SA roadwarrior{2}
> established with SPIs caa2d799_i 8f5ab10c_o and TS 0.0.0.0/0 === 10.10.10.1/32
>
> May 11 07:57:46 vpn-server charon: 11[ENC] generating IKE_AUTH
> response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP)
> N(NO_ADD_ADDR) ]
>
> May 11 07:57:46 vpn-server charon: 11[NET] sending packet: from
> 172.31.xxx.xxx[4500] to 109.230.xxx.xx[1024] (256 bytes)
>
> On 10 May 2018 at 21:52, John Connett <jrc at skylon.demon.co.uk> wrote:
>
> Don't know if this might be related:
>
>
> https://support.microsoft.com/en-gb/help/4103721/windows-10-update-kb4103721
>
> "Addresses an issue that prevents certain VPN apps from working on
> builds of Windows 10, version 1803. These apps were developed
> using an SDK version that precedes Windows 10, version 1803, and
> use the public RasSetEntryProperties API".
>
> Regards
> --
> John Connett
>
> ------------------------------------------------------------------------
> *From:* Users <users-bounces at lists.strongswan.org> on behalf of Jafar Al-Gharaibeh <jafar at atcorp.com>
> *Sent:* 10 May 2018 21:33
> *To:* Houman
> *Cc:* users at lists.strongswan.org
> *Subject:* Re: [strongSwan] Sudden issues with Windows 10 clients
> Hi Houman,
>
> Similar to the Windows problem you had earlier, you don't have
> the correct combination of configured algorithms. Look at the logs:
>
> May 10 20:26:48 vpn-server charon: 12[IKE] DH group MODP_2048
> inacceptable, requesting MODP_1024
>
> The iPhone expects modp2048, but your configuration says
> modp1024. Look back at the suggestion we made for Windows and
> just use the same configuration.
>
> Regards,
> Jafar
>
>