[strongSwan] IKEv2 VPN server

Noel Kuntze noel.kuntze at thermi.consulting
Thu Jul 25 16:20:18 CEST 2019


Hello Alexey,

Looks like your Windows clients don't trust your CA.

Kind regards

Noel

On 25.07.19 at 16:00, Alexey Vlasov wrote:
> Hi,
>
> After several days of digging and trying tens of working configs, I have given up
> on finding out why, in my case, IKEv2 does not work with any VPN clients.
>
> So, I have a fresh Gentoo box with strongSwan 5.7.2,
>
> ipsec.conf :
> ==================
> config setup
>         charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
>
> conn VPN-IKEV2
>         auto=add
>         dpdaction=clear
>         keyexchange=ikev2
>         ike=aes256-sha1-modp1024,3des-sha1-modp1024!
>         esp=aes256-sha1,3des-sha1!
>         fragmentation=yes
>
>         leftsubnet=0.0.0.0/0
>         leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
>         leftsendcert=always
>         leftid=5.231.208.198
>
>         rightauth=eap-mschapv2
> ==================
>
> # ipsec listcerts
>
> List of X.509 End Entity Certificates
>
>   subject:  "C=DE, O=LLC Lucky-Host, CN=5.231.208.198"
>   issuer:   "C=DE, O=LLC Lucky-Host, CN=Lucky-Host VPN Service Root CA"
>   validity:  not before Jul 24 19:40:35 2019, ok
>              not after  Jul 21 19:40:35 2029, ok (expires in 3649 days)
>   serial:    57:d9:c8:a8:f3:c5:cf:5a
>   altNames:  5.231.208.198
>   flags:     serverAuth ikeIntermediate
>   authkeyId: d3:77:ff:85:bc:51:12:6b:cc:cf:3f:97:da:f6:81:59:00:dd:81:f8
>   subjkeyId: d5:bb:9c:d5:67:24:71:6c:40:ac:55:a7:d3:33:d3:ac:a6:1c:ac:d3
>   pubkey:    RSA 4096 bits, has private key
>   keyid:     04:9a:94:1e:de:5c:ee:33:20:4b:c3:c3:2a:62:8d:6a:11:58:74:03
>   subjkey:   d5:bb:9c:d5:67:24:71:6c:40:ac:55:a7:d3:33:d3:ac:a6:1c:ac:d3
>
> ipsec.secrets :
> ==================
> vpn : EAP "testvpn"
> 5.231.208.198 : RSA /etc/ipsec.d/private/vpn-server-key.pem
> ==================
>
> The built-in Windows 10 VPN client says "IKE authentication credentials are unacceptable" after an attempt to connect.
>
> The IPsec logs end with these lines:
> Jul 25 15:55:40 vpn1 charon: 13[NET] sending packet: from 5.231.208.198[4500] to 128.70.239.23[4500] (848 bytes)
> Jul 25 15:55:40 vpn1 charon: 04[NET] sending packet: from 5.231.208.198[4500] to 128.70.239.23[4500]
> Jul 25 15:55:40 vpn1 charon: 13[MGR] checkin IKE_SA VPN-IKEV2[5]
> Jul 25 15:55:40 vpn1 charon: 13[MGR] checkin of IKE_SA successful
>
> and after 30 seconds the following is added:
> Jul 25 15:56:10 vpn1 charon: 15[MGR] checkout IKEv2 SA with SPIs 6eed288a380403e2_i 1e6835aaf130f6fe_r
> Jul 25 15:56:10 vpn1 charon: 15[MGR] IKE_SA VPN-IKEV2[5] successfully checked out
> Jul 25 15:56:10 vpn1 charon: 15[JOB] deleting half open IKE_SA with 128.70.239.23 after timeout
> Jul 25 15:56:10 vpn1 charon: 15[MGR] checkin and destroy IKE_SA VPN-IKEV2[5]
> Jul 25 15:56:10 vpn1 charon: 15[IKE] IKE_SA VPN-IKEV2[5] state change: CONNECTING => DESTROYING
> Jul 25 15:56:10 vpn1 charon: 15[MGR] checkin and destroy of IKE_SA successful
>
> The CA cert has been installed on the Windows side.
>
> The full log is attached.
>
> Are there any ideas about what is wrong?
>
> Thanks in advance.

-- 
Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C

