[strongSwan] Upgrade to 5.6.3 breaks Windows 10
Christian Salway
christian.salway at naimuri.com
Thu May 31 12:14:41 CEST 2018
Server running strongSwan 5.6.2:
#swanctl --stats
uptime: 27 minutes, since May 31 09:40:48 2018
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 12
IKE_SAs: 0 total, 0 half-open
mallinfo: sbrk 1843200, mmap 0, used 681440, free 1161760
loaded plugins: charon-systemd charon-systemd aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac gcm curl attr kernel-netlink resolve socket-default vici updown eap-identity eap-mschapv2 eap-dynamic eap-tls xauth-generic
#/etc/swanctl/conf.d/conn-ecdsa.conf
connections {
ecdsa {
version = 2
send_cert = always
encap = yes
unique = replace
proposals = aes256-sha256-prfsha256-modp2048-modp1024
pools = pool1
local {
id = vpnserver1
certs = vpnserver1.crt
}
remote {
auth = eap-dynamic
eap_id = %any
}
children {
net {
local_ts = 10.0.0.0/18
}
}
}
}
#swanctl --list-certs
List of X.509 End Entity Certificates
subject: "CN=vpnuser"
issuer: "CN=Vivace Root CA"
validity: not before May 31 09:38:38 2018, ok
not after Jun 30 09:38:38 2019, ok (expires in 394 days)
serial: cd:b8:5a:3f:bb:df:f2:a7
altNames: vpnuser
flags: clientAuth
OCSP URIs: http://127.0.0.1:2560
authkeyId: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
subjkeyId: 93:26:d4:8e:d0:5e:4b:82:4c:2f:c0:08:fd:b0:44:72:06:d0:75:2e
pubkey: ECDSA 384 bits
keyid: 97:2b:7f:05:46:62:48:65:a9:64:8c:28:09:a5:24:40:26:26:6e:3d
subjkey: 93:26:d4:8e:d0:5e:4b:82:4c:2f:c0:08:fd:b0:44:72:06:d0:75:2e
subject: "CN=vpnserver"
issuer: "CN=Vivace Root CA"
validity: not before May 24 11:39:02 2018, ok
not after Jun 23 11:39:02 2019, ok (expires in 388 days)
serial: cd:b8:5a:3f:bb:df:f2:a3
altNames: vpnserver, 35.177.138.182
flags: serverAuth ikeIntermediate
OCSP URIs: http://127.0.0.1:2560
authkeyId: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
subjkeyId: 6b:89:5b:56:c9:ef:31:06:aa:f5:19:70:72:dd:ca:7b:44:04:c5:ae
pubkey: RSA 4096 bits, has private key
keyid: b5:9e:2e:12:30:3e:8f:19:ef:29:94:a4:36:ae:31:59:7f:22:4e:11
subjkey: 6b:89:5b:56:c9:ef:31:06:aa:f5:19:70:72:dd:ca:7b:44:04:c5:ae
List of X.509 CA Certificates
subject: "CN=Vivace Root CA"
issuer: "CN=Vivace Root CA"
validity: not before May 01 12:10:28 2018, ok
not after Apr 28 12:10:28 2028, ok (expires in 3620 days)
serial: dd:d4:40:a6:c0:e7:f0:e2
flags: CA self-signed
authkeyId: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
subjkeyId: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
pubkey: RSA 4096 bits
keyid: 33:20:dc:2c:7c:d7:83:a2:58:4c:c1:01:d7:92:da:fb:a0:18:94:c4
subjkey: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
Server running strongSwan 5.6.3:
#swanctl --stats
uptime: 14 minutes, since May 31 09:54:04 2018
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 7
IKE_SAs: 0 total, 0 half-open
mallinfo: sbrk 1769472, mmap 0, used 667760, free 1101712
loaded plugins: charon-systemd charon-systemd aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac gcm curl attr kernel-netlink resolve socket-default vici updown eap-identity eap-mschapv2 eap-dynamic eap-tls xauth-generic
#/etc/swanctl/conf.d/conn-ecdsa.conf
connections {
ecdsa {
version = 2
send_cert = always
encap = yes
unique = replace
proposals = aes256-sha256-prfsha256-modp2048-modp1024
pools = pool1
local {
id = vpnserver1
certs = vpnserver1.crt
}
remote {
auth = eap-dynamic
eap_id = %any
}
children {
net {
local_ts = 10.0.0.0/18
}
}
}
}
#swanctl --list-certs
List of X.509 End Entity Certificates
subject: "CN=vpnserver"
issuer: "CN=Vivace Root CA"
validity: not before May 24 11:39:02 2018, ok
not after Jun 23 11:39:02 2019, ok (expires in 388 days)
serial: cd:b8:5a:3f:bb:df:f2:a3
altNames: vpnserver, 35.177.138.182
flags: serverAuth ikeIntermediate
OCSP URIs: http://127.0.0.1:2560
authkeyId: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
subjkeyId: 6b:89:5b:56:c9:ef:31:06:aa:f5:19:70:72:dd:ca:7b:44:04:c5:ae
pubkey: RSA 4096 bits, has private key
keyid: b5:9e:2e:12:30:3e:8f:19:ef:29:94:a4:36:ae:31:59:7f:22:4e:11
subjkey: 6b:89:5b:56:c9:ef:31:06:aa:f5:19:70:72:dd:ca:7b:44:04:c5:ae
subject: "CN=test_user"
issuer: "CN=Vivace Root CA"
validity: not before May 31 09:53:01 2018, ok
not after Jun 30 09:53:01 2019, ok (expires in 394 days)
serial: cd:b8:5a:3f:bb:df:f2:a8
altNames: test_user
flags: clientAuth
OCSP URIs: http://127.0.0.1:2560
authkeyId: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
subjkeyId: bb:91:05:24:c3:f0:ee:a4:86:8a:09:4e:de:76:31:76:65:94:8d:38
pubkey: ECDSA 384 bits
keyid: 79:47:d3:e0:11:e7:a2:d8:89:69:43:d8:8a:f2:81:02:3b:fc:ea:de
subjkey: bb:91:05:24:c3:f0:ee:a4:86:8a:09:4e:de:76:31:76:65:94:8d:38
List of X.509 CA Certificates
subject: "CN=Vivace Root CA"
issuer: "CN=Vivace Root CA"
validity: not before May 01 12:10:28 2018, ok
not after Apr 28 12:10:28 2028, ok (expires in 3620 days)
serial: dd:d4:40:a6:c0:e7:f0:e2
flags: CA self-signed
authkeyId: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
subjkeyId: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
pubkey: RSA 4096 bits
keyid: 33:20:dc:2c:7c:d7:83:a2:58:4c:c1:01:d7:92:da:fb:a0:18:94:c4
subjkey: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
> On 31 May 2018, at 10:54, Tobias Brunner <tobias at strongswan.org> wrote:
>
> Hi Christian,
>
>> I'm running two servers, 5.6.2 and 5.6.3, with the same cert on each, and Windows 10 can still connect to 5.6.2 but not to 5.6.3.
>
> Please provide server logs for both cases (see [1]).
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests