[strongSwan] Sudden issues with Windows 10 clients

Jafar Al-Gharaibeh jafar at atcorp.com
Sat May 12 17:19:38 CEST 2018


Hi Houman,

   The information on the Wiki is probably old, and it is not wrong anyway.
3des is broken and shouldn't be used if the client can do better.

   The behavior I see in the log this time is very different from the previous
email. Last time we could see a complete and successful negotiation leading
to established connections. That is why I asked you to run "ipsec statusall".
This time around, the client doesn't seem to be getting responses from your
server. You can see multiple IKE_SA_INIT packets received, indicating the
client is not seeing the responses.

Since this is a completely different behavior, it is hard to draw conclusions.
The best way to debug is to have strongSwan at both ends so you can see
complete logs at both ends.

--Jafar



On 2018-05-12 05:15, Houman wrote:
> Hello Jafar,
> 
> Thank you for the final proposals. I have entered them and it works
> great with iOS and OSX. I have no Windows to test it yet.
> 
> The only reason I had picked 3des-sha1, was because the StrongSwan
> Wiki claims this was needed for Mac (OSX)
> https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients.
> But I can see it works even without that.
> 
> My user in Iran still can't connect successfully. I have followed your
> instructions. I have tailed the syslog below, hence this is all I can
> see:
> 
> May 12 11:03:07 vpn-server charon: 02[NET] received packet: from 91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)
> May 12 11:03:07 vpn-server charon: 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> May 12 11:03:07 vpn-server charon: 02[IKE] 91.99.xxx.xxx is initiating an IKE_SA
> May 12 11:03:07 vpn-server charon: 02[IKE] local host is behind NAT, sending keep alives
> May 12 11:03:07 vpn-server charon: 02[IKE] remote host is behind NAT
> May 12 11:03:07 vpn-server charon: 02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
> May 12 11:03:07 vpn-server charon: 02[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xxx[500] (448 bytes)
> May 12 11:03:13 vpn-server charon: 11[NET] received packet: from 91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)
> May 12 11:03:13 vpn-server charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> May 12 11:03:13 vpn-server charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
> May 12 11:03:13 vpn-server charon: 11[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xxx[500] (448 bytes)
> May 12 11:03:16 vpn-server charon: 12[NET] received packet: from 91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)
> May 12 11:03:16 vpn-server charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> May 12 11:03:16 vpn-server charon: 12[IKE] received retransmit of request with ID 0, retransmitting response
> May 12 11:03:16 vpn-server charon: 12[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xxx[500] (448 bytes)
> May 12 11:03:27 vpn-server charon: 10[IKE] sending keep alive to 91.99.xxx.xxx[500]
> May 12 11:03:37 vpn-server charon: 05[JOB] deleting half open IKE_SA after timeout
> 
> 
> I have also executed ipsec statusall
> 
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1057-aws, x86_64):
>   uptime: 68 minutes, since May 12 09:55:31 2018
>   malloc: sbrk 1773568, mmap 0, used 572416, free 1201152
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
> nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
> dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr
> kernel-netlink resolve socket-default connmark farp stroke updown
> eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
> eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
> eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
> xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11
> tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
> Virtual IP pools (size/online/offline):
>   10.10.10.0/24: 254/0/1
> Listening IP addresses:
>   172.31.xxx.xxx
> Connections:
>  roadwarrior:  %any...%any  IKEv2, dpddelay=180s
>  roadwarrior:   local:  [vpn1.xxx.com] uses public key authentication
>  roadwarrior:    cert:  "CN=vpn1.xxx.com"
>  roadwarrior:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
>  roadwarrior:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
> Security Associations (0 up, 0 connecting):
>   none
> 
> I can't quite see from this if they have blocked ESP or not. But I
> suspect this is the case.
> 
> Many Thanks for your help,
> 
> Houman
> 
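A small triage helper, added here as an example (not code from this thread or from strongSwan), that reads charon syslog lines like the ones Houman posted and separates the pattern Jafar describes (repeated IKE_SA_INIT retransmits and then the half-open timeout, meaning the client never sees the server's response) from a negotiation that reaches the established state. The 91.99.xxx.xxx lines in the sample are the ones from the mail; the second peer (203.0.113.7) and its IKE_AUTH/established lines are constructed.

```python
import re
from collections import defaultdict

# A charon syslog line as seen in this thread: "<date> <host> charon: <thread>[<subsystem>] <msg>"
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ charon: \d+\[\w+\] (.*)$")
FROM_RE = re.compile(r"received packet: from (\S+)\[\d+\]")

def classify_peers(lines):
    """Map each peer to (verdict, init_retransmits). Verdicts: 'established' (an
    IKE_SA came up), 'no-response-seen' (only IKE_SA_INIT retransmits, then the
    half-open SA timed out: the client never saw our replies, the pattern Jafar
    describes) or 'incomplete' (anything else, e.g. IKE_AUTH parsed but failed)."""
    events = defaultdict(list)
    peer = None  # every line is attributed to the most recently seen source address
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group(1)
        src = FROM_RE.search(msg)
        if src:
            peer = src.group(1)
        if peer is not None:
            events[peer].append(msg)
    verdicts = {}
    for p, msgs in events.items():
        retrans = sum("received retransmit of request with ID 0" in e for e in msgs)
        if any("IKE_SA" in e and "established" in e for e in msgs):
            verdicts[p] = ("established", retrans)
        elif (any("deleting half open IKE_SA after timeout" in e for e in msgs)
              and not any("parsed IKE_AUTH request" in e for e in msgs)):
            verdicts[p] = ("no-response-seen", retrans)
        else:
            verdicts[p] = ("incomplete", retrans)
    return verdicts

# Constructed sample: 91.99.xxx.xxx lines are from the mail; 203.0.113.7 (documentation address) is made up.
SAMPLE = """\
May 12 11:03:07 vpn-server charon: 02[NET] received packet: from 91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 12 11:03:07 vpn-server charon: 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 12 11:03:13 vpn-server charon: 11[NET] received packet: from 91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 12 11:03:13 vpn-server charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
May 12 11:03:16 vpn-server charon: 12[NET] received packet: from 91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 12 11:03:16 vpn-server charon: 12[IKE] received retransmit of request with ID 0, retransmitting response
May 12 11:03:37 vpn-server charon: 05[JOB] deleting half open IKE_SA after timeout
May 12 11:05:01 vpn-server charon: 07[NET] received packet: from 203.0.113.7[4500] to 172.31.xxx.xxx[4500] (412 bytes)
May 12 11:05:01 vpn-server charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ IDr CPRQ(ADDR DNS) N(MOBIKE_SUP) ]
May 12 11:05:02 vpn-server charon: 07[IKE] IKE_SA roadwarrior[2] established between 172.31.xxx.xxx[vpn1.xxx.com]...203.0.113.7[user1]
"""
```

Running `classify_peers(SAMPLE.splitlines())` reports the Iranian client's peer as `no-response-seen` with 2 retransmits, which is the symptom to chase on the path between client and server rather than in the proposals.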
