[strongSwan] Sudden issues with Windows 10 clients

Houman houmie at gmail.com
Sat May 12 12:15:58 CEST 2018


Hello Jafar,

Thank you for the final proposals. I have entered them and it works great
with iOS and OSX. I have no Windows to test it yet.

The only reason I had picked 3des-sha1 was because the StrongSwan Wiki
claims this was needed for Mac (OSX)
https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients. But I
can see it works even without that.

My user in Iran still can't connect successfully. I have followed your
instructions. I have tailed the syslog below, hence this is all I can see:

May 12 11:03:07 vpn-server charon: 02[NET] received packet: from 91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 12 11:03:07 vpn-server charon: 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 12 11:03:07 vpn-server charon: 02[IKE] 91.99.xxx.xxx is initiating an IKE_SA
May 12 11:03:07 vpn-server charon: 02[IKE] local host is behind NAT, sending keep alives
May 12 11:03:07 vpn-server charon: 02[IKE] remote host is behind NAT
May 12 11:03:07 vpn-server charon: 02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
May 12 11:03:07 vpn-server charon: 02[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xxx[500] (448 bytes)
May 12 11:03:13 vpn-server charon: 11[NET] received packet: from 91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 12 11:03:13 vpn-server charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 12 11:03:13 vpn-server charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
May 12 11:03:13 vpn-server charon: 11[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xxx[500] (448 bytes)
May 12 11:03:16 vpn-server charon: 12[NET] received packet: from 91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 12 11:03:16 vpn-server charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 12 11:03:16 vpn-server charon: 12[IKE] received retransmit of request with ID 0, retransmitting response
May 12 11:03:16 vpn-server charon: 12[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xxx[500] (448 bytes)
May 12 11:03:27 vpn-server charon: 10[IKE] sending keep alive to 91.99.xxx.xxx[500]
May 12 11:03:37 vpn-server charon: 05[JOB] deleting half open IKE_SA after timeout


I have also executed ipsec statusall


Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1057-aws, x86_64):
  uptime: 68 minutes, since May 12 09:55:31 2018
  malloc: sbrk 1773568, mmap 0, used 572416, free 1201152
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/0/1
Listening IP addresses:
  172.31.xxx.xxx
Connections:
 roadwarrior:  %any...%any  IKEv2, dpddelay=180s
 roadwarrior:   local:  [vpn1.xxx.com] uses public key authentication
 roadwarrior:    cert:  "CN=vpn1.xxx.com"
 roadwarrior:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
 roadwarrior:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
  none


I can't quite see from this if they have blocked ESP or not. But I suspect
this is the case.


Many Thanks for your help,

Houman
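
A small classifier for charon logs like the two in this thread, added here as an example (it is not code from the thread or from strongSwan): it reports how far each IKEv2 handshake got and what that implies, so that a log where the peer keeps retransmitting IKE_SA_INIT and the half-open SA times out is read as the IKE_SA_INIT response never reaching the client rather than as blocked ESP. The sample lines are constructed from the ones quoted in this thread; the rule that attaches later lines to the most recently started handshake is an assumption noted in the comments.

```python
import re

# Constructed sample modelled on the charon lines quoted in this thread (addresses masked as there).
SAMPLE_LOG = """\
May 12 11:03:07 vpn-server charon: 02[IKE] 91.99.xxx.xxx is initiating an IKE_SA
May 12 11:03:13 vpn-server charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
May 12 11:03:37 vpn-server charon: 05[JOB] deleting half open IKE_SA after timeout
May 11 07:57:44 vpn-server charon: 16[IKE] 109.230.xxx.xx is initiating an IKE_SA
May 11 07:57:45 vpn-server charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ SA TSi TSr ]
May 11 07:57:46 vpn-server charon: 11[IKE] IKE_SA roadwarrior[4] established between 172.31.xxx.xxx[vpn1.xxx.com]...109.230.xxx.xx[192.168.1.103]
May 11 07:57:46 vpn-server charon: 11[IKE] CHILD_SA roadwarrior{2} established with SPIs caa2d799_i 8f5ab10c_o and TS 0.0.0.0/0 === 10.10.10.1/32
"""
RE_INIT = re.compile(r"\[IKE\] (\S+) is initiating an IKE_SA")
RE_RETRANSMIT = re.compile(r"received retransmit of request with ID 0")
RE_HALF_OPEN = re.compile(r"deleting half open IKE_SA after timeout")
# Charon messages that show how far an IKEv2 handshake got, in protocol order.
STAGES = ["IKE_SA_INIT", "IKE_AUTH", "IKE_SA", "CHILD_SA"]
STAGE_RX = {
    "IKE_AUTH": re.compile(r"parsed IKE_AUTH request"),
    "IKE_SA": re.compile(r"\[IKE\] IKE_SA \S+ established between"),
    "CHILD_SA": re.compile(r"\[IKE\] CHILD_SA \S+ established with SPIs"),
}

def verdict(hs: dict) -> str:
    if hs["stage"] == "CHILD_SA":
        return "tunnel up: a later failure is data plane (ESP/UDP 4500), not IKE"
    if hs["stage"] == "IKE_SA":
        return "IKE_SA up but no CHILD_SA: check ESP proposals and traffic selectors"
    if hs["stage"] == "IKE_AUTH":
        return "IKE_AUTH started but not completed: check certificates/EAP"
    if hs["timed_out"] and hs["retransmits"]:
        return "peer retransmitted IKE_SA_INIT then timed out: our response never reached it"
    return "peer silent after IKE_SA_INIT" if hs["timed_out"] else "handshake in progress"

def classify(log: str) -> list[dict]:
    # Heuristic (assumption): each 'is initiating an IKE_SA' opens a handshake and later lines
    # attach to the newest one (charon thread ids do not identify the SA); fits single-client logs.
    handshakes: list[dict] = []
    for line in log.splitlines():
        if m := RE_INIT.search(line):
            handshakes.append({"peer": m.group(1), "stage": "IKE_SA_INIT",
                               "retransmits": 0, "timed_out": False})
        elif handshakes:
            hs = handshakes[-1]
            hs["retransmits"] += bool(RE_RETRANSMIT.search(line))
            hs["timed_out"] |= bool(RE_HALF_OPEN.search(line))
            for stage, rx in STAGE_RX.items():
                if rx.search(line) and STAGES.index(stage) > STAGES.index(hs["stage"]):
                    hs["stage"] = stage
    return handshakes
```

Run `classify(SAMPLE_LOG)` and pass each result to `verdict()`; on a real `syslog` the input is the charon lines for the peer in question, in order.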



On 11 May 2018 at 16:00, Jafar Al-Gharaibeh <jafar at atcorp.com> wrote:

> 1) The log shows that while it took a couple of attempts to establish an
> IKE SA, it was eventually up with an ESP Child SA as well. So, as far as I
> can see in your logs, the connection should be up. What happens next? Do
> the logs show that the connection is dropped for some reason? What is the
> output of "ipsec statusall"? Can you confirm that you are receiving ESP
> packets afterward, or if ESP is blocked?
>
> 2) Depending on the VPN clients you use, your proposals seem OK. I would
> expand them a bit with a better DH group in case the client supports it, in
> both the IKE and ESP configs. In the ESP case you can have two proposals, with and
> without DH groups, if you have clients that can't do DH with ESP. Unless you
> really think you need 3des-sha1 for some clients, there is no reason to
> keep it. Here is an example:
>
> ike=aes256-sha256-ecp521-ecp256-modp4096-modp2048!
> esp=aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1!
>
>
> Regards,
> Jafar
>
>
> On 5/11/2018 3:17 AM, Houman wrote:
>
> Hello Jafar,
>
> Apologies, as I didn't explain what I had already tried.
>
> 1) I have tried your suggestion:
>
>  ike=aes256-sha256-prfsha256-modp2048-modp1024!
>  esp=aes256-sha256,aes256-sha1,3des-sha1!
>
> I can connect to it via iOS 11 and OSX High Sierra without any problem
> from UK.  And I no longer get that error message: "DH group MODP_2048
> inacceptable, requesting MODP_1024".
>
> However, my user still can't connect. As he is connecting from Iran, I
> strongly suspect this is because of a recent tightening of the VPN traffic
> due to the recent political circumstances. Further below I have pasted the
> log when he is trying to connect unsuccessfully. It says "Connecting..."
> and after a few seconds, it drops.
>
> 2) Unrelated to that, considering what we discussed in this thread, it
> seems I could skip both prfsha256 and modp1024. Would you say these are
> now the perfect settings for iOS 10+, OSX and Windows 10?
>
>  ike=aes256-sha256-modp2048!
>  esp=aes256-sha256,aes256-sha1,3des-sha1!
>
> Many Thanks for your help,
> Houman
>
> Btw here is the log when he is trying to connect:
>
> May 11 07:55:16 vpn-server charon: 02[NET] received packet: from 109.230.xxx.xx[500] to 172.31.xxx.xxx[500] (604 bytes)
> May 11 07:55:16 vpn-server charon: 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> May 11 07:55:16 vpn-server charon: 02[IKE] 109.230.xxx.xx is initiating an IKE_SA
> May 11 07:55:16 vpn-server charon: 02[IKE] local host is behind NAT, sending keep alives
> May 11 07:55:16 vpn-server charon: 02[IKE] remote host is behind NAT
> May 11 07:55:16 vpn-server charon: 02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
> May 11 07:55:16 vpn-server charon: 02[NET] sending packet: from 172.31.xxx.xxx[500] to 109.230.xxx.xx[500] (448 bytes)
> May 11 07:55:36 vpn-server charon: 01[IKE] sending keep alive to 109.230.xxx.xx[500]
> May 11 07:55:46 vpn-server charon: 11[JOB] deleting half open IKE_SA after timeout
> May 11 07:57:44 vpn-server charon: 16[NET] received packet: from 109.230.xxx.xx[1] to 172.31.xxx.xxx[500] (624 bytes)
> May 11 07:57:44 vpn-server charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> May 11 07:57:44 vpn-server charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
> May 11 07:57:44 vpn-server charon: 16[IKE] received MS-Negotiation Discovery Capable vendor ID
> May 11 07:57:44 vpn-server charon: 16[IKE] received Vid-Initial-Contact vendor ID
> May 11 07:57:44 vpn-server charon: 16[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> May 11 07:57:44 vpn-server charon: 16[IKE] 109.230.xxx.xx is initiating an IKE_SA
> May 11 07:57:44 vpn-server charon: 16[IKE] local host is behind NAT, sending keep alives
> May 11 07:57:44 vpn-server charon: 16[IKE] remote host is behind NAT
> May 11 07:57:44 vpn-server charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> May 11 07:57:44 vpn-server charon: 16[NET] sending packet: from 172.31.xxx.xxx[500] to 109.230.xxx.xx[1] (440 bytes)
> May 11 07:57:45 vpn-server charon: 04[NET] received packet: from 109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (1536 bytes)
> May 11 07:57:45 vpn-server charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
> May 11 07:57:45 vpn-server charon: 04[IKE] received 54 cert requests for an unknown ca
> May 11 07:57:45 vpn-server charon: 04[CFG] looking for peer configs matching 172.31.xxx.xxx[%any]...109.230.xxx.xx[192.168.1.103]
> May 11 07:57:45 vpn-server charon: 04[CFG] selected peer config 'roadwarrior'
> May 11 07:57:45 vpn-server charon: 04[IKE] initiating EAP_IDENTITY method (id 0x00)
> May 11 07:57:45 vpn-server charon: 04[IKE] peer supports MOBIKE
> May 11 07:57:45 vpn-server charon: 04[IKE] authentication of 'vpn1.xxx.com' (myself) with RSA signature successful
> May 11 07:57:45 vpn-server charon: 04[IKE] sending end entity cert "CN=vpn1.xxx.com"
> May 11 07:57:45 vpn-server charon: 04[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
> May 11 07:57:45 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
> May 11 07:57:45 vpn-server charon: 04[NET] sending packet: from 172.31.xxx.xxx[4500] to 109.230.xxx.xx[1024] (3616 bytes)
> May 11 07:57:45 vpn-server charon: 02[NET] received packet: from 109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (96 bytes)
> May 11 07:57:45 vpn-server charon: 02[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
> May 11 07:57:45 vpn-server charon: 02[IKE] received EAP identity 'houmie'
> May 11 07:57:45 vpn-server charon: 02[IKE] initiating EAP_MSCHAPV2 method (id 0x6C)
> May 11 07:57:45 vpn-server charon: 02[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
> May 11 07:57:45 vpn-server charon: 02[NET] sending packet: from 172.31.xxx.xxx[4500] to 109.230.xxx.xx[1024] (112 bytes)
> May 11 07:57:45 vpn-server charon: 03[NET] received packet: from 109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (144 bytes)
> May 11 07:57:45 vpn-server charon: 03[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
> May 11 07:57:45 vpn-server charon: 03[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> May 11 07:57:45 vpn-server charon: 03[NET] sending packet: from 172.31.xxx.xxx[4500] to 109.230.xxx.xx[1024] (144 bytes)
> May 11 07:57:45 vpn-server charon: 01[NET] received packet: from 109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (80 bytes)
> May 11 07:57:45 vpn-server charon: 01[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
> May 11 07:57:45 vpn-server charon: 01[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
> May 11 07:57:45 vpn-server charon: 01[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
> May 11 07:57:45 vpn-server charon: 01[NET] sending packet: from 172.31.xxx.xxx[4500] to 109.230.xxx.xx[1024] (80 bytes)
> May 11 07:57:46 vpn-server charon: 11[NET] received packet: from 109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (112 bytes)
> May 11 07:57:46 vpn-server charon: 11[ENC] parsed IKE_AUTH request 5 [ AUTH ]
> May 11 07:57:46 vpn-server charon: 11[IKE] authentication of '192.168.1.103' with EAP successful
> May 11 07:57:46 vpn-server charon: 11[IKE] authentication of 'vpn1.xxx.com' (myself) with EAP
> May 11 07:57:46 vpn-server charon: 11[IKE] IKE_SA roadwarrior[4] established between 172.31.xxx.xxx[vpn1.xxx.com]...109.230.xxx.xx[192.168.1.103]
> May 11 07:57:46 vpn-server charon: 11[IKE] peer requested virtual IP %any
> May 11 07:57:46 vpn-server charon: 11[CFG] reassigning offline lease to 'houmie'
> May 11 07:57:46 vpn-server charon: 11[IKE] assigning virtual IP 10.10.10.1 to peer 'houmie'
> May 11 07:57:46 vpn-server charon: 11[IKE] peer requested virtual IP %any6
> May 11 07:57:46 vpn-server charon: 11[IKE] no virtual IP found for %any6 requested by 'houmie'
> May 11 07:57:46 vpn-server charon: 11[IKE] CHILD_SA roadwarrior{2} established with SPIs caa2d799_i 8f5ab10c_o and TS 0.0.0.0/0 === 10.10.10.1/32
> May 11 07:57:46 vpn-server charon: 11[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
> May 11 07:57:46 vpn-server charon: 11[NET] sending packet: from 172.31.xxx.xxx[4500] to 109.230.xxx.xx[1024] (256 bytes)
>
> On 10 May 2018 at 21:52, John Connett <jrc at skylon.demon.co.uk> wrote:
>
>> Don't know if this might be related:
>>
>>
>> https://support.microsoft.com/en-gb/help/4103721/windows-10-update-kb4103721
>>
>> "Addresses an issue that prevents certain VPN apps from working on
>> builds of Windows 10, version 1803. These apps were developed using an SDK
>> version that precedes Windows 10, version 1803, and use the public
>> RasSetEntryProperties API".
>>
>> Regards
>> --
>> John Connett
>>
>> ------------------------------
>> From: Users <users-bounces at lists.strongswan.org> on behalf of Jafar
>> Al-Gharaibeh <jafar at atcorp.com>
>> Sent: 10 May 2018 21:33
>> To: Houman
>> Cc: users at lists.strongswan.org
>> Subject: Re: [strongSwan] Sudden issues with Windows 10 clients
>>
>> Hi Houman,
>>
>>  Similar to the Windows problem you had earlier, you don't have the
>> correct combination of configured algorithms. Look at the logs:
>>
>>     May 10 20:26:48 vpn-server charon: 12[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
>>
>>    The iPhone expects modp2048, but your configuration says modp1024.
>> Look back at the suggestion we made for Windows and just use the same
>> configuration.
>>
>> Regards,
>> Jafar
>>
>
>
>