[strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

Michael Schwartzkopff ms at sys4.de
Tue Feb 19 10:00:03 CET 2019


answers inline.

Am 19.02.19 um 00:43 schrieb MOSES KARIUKI:
> Dear Team,
>
> I have been having long days trying to configure Strongswan on Ubuntu
> 18.04. I am not able to connect to the VPN from Windows 10 client, after
> following the instructions on this link :
> https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2
> and setting up windows for modp_2048 following these instructions here :
> https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048

(...)

After starting IKE your server gets at some point an answer from the client

> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 09[NET] received packet: from
> 154.77.***.**[4500] to 102.1*9.2**.***[4500] (580 bytes)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 09[ENC] parsed IKE_AUTH request 1 [
> EF(1/3) ]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 09[ENC] received fragment #1 of 3,
> waiting for complete IKE message
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 10[NET] received packet: from
> 154.77.***.**[4500] to 102.1*9.2**.***[4500] (580 bytes)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 10[ENC] parsed IKE_AUTH request 1 [
> EF(2/3) ]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 10[ENC] received fragment #2 of 3,
> waiting for complete IKE message
> Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] splitting IKE message with length
> of 1936 bytes into 2 fragments
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[NET] received packet: from
> 154.77.***.**[4500] to 102.1*9.2**.***[4500] (532 bytes)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] parsed IKE_AUTH request 1 [
> EF(3/3) ]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] received fragment #3 of 3,
> reassembling fragmented IKE message
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] parsed IKE_AUTH request 1 [
> IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi
> TSr ]

The answer was fragmented, but all fragments were received.


> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] received 53 cert requests for
> an unknown ca
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG] looking for peer configs
> matching 102.1*9.2**.***[%any]...154.77.***.**[192.168.43.156]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG]   candidate "ikev2-vpn",
> match: 1/1/28 (me/other/ike)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG] selected peer config
> 'ikev2-vpn'
Your server found a config that matches the request.
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] EAP-Identity request
> configured, but not supported
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] initiating EAP_MSCHAPV2 method
> (id 0x64)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] peer supports MOBIKE
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] authentication of
> '102.1*9.2**.***' (myself) with RSA signature successful
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] sending end entity cert
> "CN=102.1*9.2**.***"
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] generating IKE_AUTH response 1
> [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]

Your server sends out the answer. The CN=<IP address> is also uncommon.
Perhaps the client cannot authenticate the server?


> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] splitting IKE message with
> length of 1936 bytes into 2 fragments
> Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] generating IKE_AUTH response 1 [
> EF(1/2) ]
> Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] generating IKE_AUTH response 1 [
> EF(2/2) ]
> Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from
> 102.1*9.2**.***[4500] to 154.77.***.**[4500] (1236 bytes)
> Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from
> 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
> Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT=
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
> DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP
> SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
> Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with
> 154.77.***.** after timeout


But it gets no answer. So after the timeout the server deletes the
half-open session.


Please check on the client why it does not answer the packet. Are there
logs on the client? Perhaps the auth methods are not accepted. Does the
client get this packet at all? Why does the client send a packet to port
tcp/443 that is dropped by the firewall of the server?

Perhaps the client wants authentication with certificates but the CA is
not installed on the VPN server?


> Feb 19 02:13:28 VM-e2b7 charon: 13[CFG] proposing traffic selectors for us:
> Feb 19 02:13:28 VM-e2b7 charon: 13[CFG]  0.0.0.0/0
> Feb 19 02:13:28 VM-e2b7 charon: 13[CFG] proposing traffic selectors for
> other:
> Feb 19 02:13:28 VM-e2b7 charon: 13[CFG]  dynamic
>
> Please assist with this. I am almost there.
>
> Thanks in advance.
>
> regards,
> Moses K
>

Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
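An added example, not part of this thread or of strongSwan itself: a small Python analyser that reads charon log lines and applies the reasoning of the reply above (IKE_AUTH response sent, nothing received from the peer afterwards, unrelated inbound traffic from the same peer blocked by UFW, IKE_SA deleted half open). The sample log is constructed from the quoted lines with RFC 5737 documentation addresses in place of the real peers.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the charon lines quoted above (RFC 5737 addresses, not the real peers).
SAMPLE_LOG = """\
Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 09[NET] received packet: from 203.0.113.5[4500] to 198.51.100.9[4500] (580 bytes)
Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 198.51.100.9[4500] to 203.0.113.5[4500] (1236 bytes)
Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 198.51.100.9[4500] to 203.0.113.5[4500] (772 bytes)
Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= SRC=203.0.113.5 DST=198.51.100.9 PROTO=TCP SPT=54229 DPT=443 SYN
Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with 203.0.113.5 after timeout
"""
RX_RECV = re.compile(r"received packet: from ([\d.]+)\[\d+\]")
RX_SEND = re.compile(r"sending packet: from [\d.]+\[\d+\] to ([\d.]+)\[\d+\]")
RX_AUTH = re.compile(r"generating IKE_AUTH response")
RX_UFW = re.compile(r"\[UFW BLOCK\].*SRC=([\d.]+).*PROTO=(\w+).*DPT=(\d+)")
RX_HALF = re.compile(r"deleting half open IKE_SA with ([\d.]+) after timeout")

def analyse(log):
    # Per peer address: packets each way, whether we answered IKE_AUTH, whether the peer replied afterwards.
    peers = defaultdict(lambda: {"recv": 0, "sent": 0, "replied": False,
                                 "auth_resp": False, "blocked": [], "timeout": False})
    auth_pending = False  # an IKE_AUTH response was generated but not yet put on the wire
    for line in log.splitlines():
        if m := RX_RECV.search(line):
            p = peers[m.group(1)]
            p["recv"] += 1
            p["replied"] = p["sent"] > 0  # anything received after our answer counts as a reply
        elif RX_AUTH.search(line):
            auth_pending = True
        elif m := RX_SEND.search(line):
            p = peers[m.group(1)]
            p["sent"] += 1
            p["auth_resp"] |= auth_pending
        elif m := RX_UFW.search(line):
            peers[m.group(1)]["blocked"].append(f"{m.group(2).lower()}/{m.group(3)}")
        elif m := RX_HALF.search(line):
            peers[m.group(1)]["timeout"] = True
    return dict(peers)

def diagnose(log):
    # One finding per peer whose IKE_SA was deleted half open, following the reasoning in the reply.
    out = {}
    for addr, p in analyse(log).items():
        if p["timeout"]:
            if p["auth_resp"] and not p["replied"]:
                why = "IKE_AUTH response sent, no reply from peer: check the client side and the path"
            else:
                why = "no IKE_AUTH response generated" if not p["auth_resp"] else "peer replied, SA still timed out"
            if p["blocked"]:
                why += "; server firewall also dropped " + ", ".join(p["blocked"]) + " from this peer"
            out[addr] = why
    return out
```

Pipe `journalctl -u strongswan` output (or the quoted syslog) into `diagnose()` to get the same classification for each peer that timed out.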

