[strongSwan] IKEv2 VPN server
Noel Kuntze
noel.kuntze at thermi.consulting
Thu Jul 25 16:20:18 CEST 2019
Hello Alexey,
Looks like your Windows clients don't trust your CA.
Kind regards
Noel
On 25.07.19 at 16:00, Alexey Vlasov wrote:
> Hi,
>
> After several days of digging and trying tens of working configs, I have given up
> trying to find out why, in my case, IKEv2 does not work with any VPN clients.
>
> So, I have fresh Gentoo box with strongswan 5.7.2,
>
> ipsec.conf :
> ==================
> config setup
>     charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
>
> conn VPN-IKEV2
>     auto=add
>     dpdaction=clear
>     keyexchange=ikev2
>     ike=aes256-sha1-modp1024,3des-sha1-modp1024!
>     esp=aes256-sha1,3des-sha1!
>     fragmentation=yes
>
>     leftsubnet=0.0.0.0/0
>     leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
>     leftsendcert=always
>     leftid=5.231.208.198
>
>     rightauth=eap-mschapv2
> ==================
>
> # ipsec listcerts
>
> List of X.509 End Entity Certificates
>
>   subject:  "C=DE, O=LLC Lucky-Host, CN=5.231.208.198"
>   issuer:   "C=DE, O=LLC Lucky-Host, CN=Lucky-Host VPN Service Root CA"
>   validity:  not before Jul 24 19:40:35 2019, ok
>              not after  Jul 21 19:40:35 2029, ok (expires in 3649 days)
>   serial:    57:d9:c8:a8:f3:c5:cf:5a
>   altNames:  5.231.208.198
>   flags:     serverAuth ikeIntermediate
>   authkeyId: d3:77:ff:85:bc:51:12:6b:cc:cf:3f:97:da:f6:81:59:00:dd:81:f8
>   subjkeyId: d5:bb:9c:d5:67:24:71:6c:40:ac:55:a7:d3:33:d3:ac:a6:1c:ac:d3
>   pubkey:    RSA 4096 bits, has private key
>   keyid:     04:9a:94:1e:de:5c:ee:33:20:4b:c3:c3:2a:62:8d:6a:11:58:74:03
>   subjkey:   d5:bb:9c:d5:67:24:71:6c:40:ac:55:a7:d3:33:d3:ac:a6:1c:ac:d3
>
> ipsec.secrets :
> ==================
> vpn : EAP "testvpn"
> 5.231.208.198 : RSA /etc/ipsec.d/private/vpn-server-key.pem
> ==================
>
> The built-in Windows 10 VPN client says "IKE authentication credentials are unacceptable" after an attempt to connect.
>
> The IPsec logs end with these lines:
> Jul 25 15:55:40 vpn1 charon: 13[NET] sending packet: from 5.231.208.198[4500] to 128.70.239.23[4500] (848 bytes)
> Jul 25 15:55:40 vpn1 charon: 04[NET] sending packet: from 5.231.208.198[4500] to 128.70.239.23[4500]
> Jul 25 15:55:40 vpn1 charon: 13[MGR] checkin IKE_SA VPN-IKEV2[5]
> Jul 25 15:55:40 vpn1 charon: 13[MGR] checkin of IKE_SA successful
>
> and after 30 seconds add:
> Jul 25 15:56:10 vpn1 charon: 15[MGR] checkout IKEv2 SA with SPIs 6eed288a380403e2_i 1e6835aaf130f6fe_r
> Jul 25 15:56:10 vpn1 charon: 15[MGR] IKE_SA VPN-IKEV2[5] successfully checked out
> Jul 25 15:56:10 vpn1 charon: 15[JOB] deleting half open IKE_SA with 128.70.239.23 after timeout
> Jul 25 15:56:10 vpn1 charon: 15[MGR] checkin and destroy IKE_SA VPN-IKEV2[5]
> Jul 25 15:56:10 vpn1 charon: 15[IKE] IKE_SA VPN-IKEV2[5] state change: CONNECTING => DESTROYING
> Jul 25 15:56:10 vpn1 charon: 15[MGR] checkin and destroy of IKE_SA successful
>
> The CA cert has been installed on the Windows side.
>
> The full log is attached.
>
> Are there any ideas what is wrong?
>
> Thanks in advance.
--
Noel Kuntze
IT security consultant
GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
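The checks behind Noel's one-line diagnosis, as an added example that is not part of the thread and is not strongSwan code: a POSIX shell script that builds a throwaway CA and server certificate with the same subject, subjectAltName and EKU shape as the posted `ipsec listcerts` output, then runs the checks a Windows 10 IKEv2 client effectively applies before it accepts the server (chain to a trusted root, the dialled address present as a SAN, serverAuth in the EKU) plus the key/cert match behind the posted ipsec.secrets line. The PKI is constructed in a temporary directory; the file names only mirror the posted ipsec.conf, and the second "unrelated" CA, the 2048-bit key size and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or strongSwan): reproduce, with openssl on
# the server, the checks a Windows 10 IKEv2 client applies to the server
# certificate before it accepts it. Everything below is constructed in a temp
# directory; the file names mirror the posted ipsec.conf but are not the real files.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

VPN_IP=5.231.208.198                         # the leftid / address clients dial
CA_CERT="$WORKDIR/ca-cert.pem"               # what must be in the client's root store
OTHER_CA="$WORKDIR/unrelated-ca-cert.pem"    # stands in for "wrong CA installed"
SERVER_CERT="$WORKDIR/vpn-server-cert.pem"
SERVER_KEY="$WORKDIR/vpn-server-key.pem"

# Build a self-signed CA certificate + key with the given subject ($1), key file
# ($2) and cert file ($3). 2048-bit RSA keeps the example fast; the poster used 4096.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "$1" -keyout "$2" -out "$3" 2>/dev/null
}

# Issue the server certificate: CN and subjectAltName carry the IP the client
# connects to; EKU carries serverAuth (Windows) and ikeIntermediate (Apple).
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=DE/O=LLC Lucky-Host/CN=$VPN_IP" \
        -keyout "$SERVER_KEY" -out "$WORKDIR/server.csr" 2>/dev/null
    printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2\n' \
        "$VPN_IP" > "$WORKDIR/server.ext"
    openssl x509 -req -sha256 -days 3650 -in "$WORKDIR/server.csr" \
        -CA "$CA_CERT" -CAkey "$WORKDIR/ca-key.pem" -CAcreateserial \
        -extfile "$WORKDIR/server.ext" -out "$SERVER_CERT" 2>/dev/null
}

# Check 1: does the server certificate chain to the CA bundle ($1) the client
# trusts? Failing this is the usual cause of "IKE authentication credentials
# are unacceptable" on Windows.
check_chain_against() {
    openssl verify -CAfile "$1" "$SERVER_CERT" >/dev/null 2>&1
}

# Check 2: is the address the client dials ($1) a subjectAltName of the cert?
# Windows matches the server address from the VPN profile against the SAN.
check_san_has_ip() {
    openssl x509 -in "$SERVER_CERT" -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -q "IP Address:$1"
}

# Check 3: does the EKU include serverAuth, which the Windows client requires?
check_eku_server_auth() {
    openssl x509 -in "$SERVER_CERT" -noout -text \
        | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'
}

# Check 4: does the private key named in ipsec.secrets belong to this cert?
check_key_matches_cert() {
    [ "$(openssl x509 -in "$SERVER_CERT" -noout -modulus)" = \
      "$(openssl rsa -in "$SERVER_KEY" -noout -modulus 2>/dev/null)" ]
}

# All checks against the CA a client ought to trust; 0 means the certificate is
# acceptable to a Windows client, provided that CA is in its machine root store.
server_cert_acceptable() {
    check_chain_against "$CA_CERT" && check_san_has_ip "$VPN_IP" \
        && check_eku_server_auth && check_key_matches_cert
}

make_ca "/C=DE/O=LLC Lucky-Host/CN=Lucky-Host VPN Service Root CA" \
    "$WORKDIR/ca-key.pem" "$CA_CERT"
make_ca "/C=DE/O=Somebody Else/CN=Unrelated Root CA" \
    "$WORKDIR/unrelated-ca-key.pem" "$OTHER_CA"
make_server_cert

if server_cert_acceptable; then
    echo "server certificate passes chain/SAN/EKU/key checks against $CA_CERT"
fi
if ! check_chain_against "$OTHER_CA"; then
    echo "a client trusting only $OTHER_CA rejects it: this is the 'CA not trusted' case"
fi
```

Run against the real files by pointing `CA_CERT`, `SERVER_CERT` and `SERVER_KEY` at the paths from ipsec.conf and ipsec.secrets instead of calling the `make_*` functions. On the Windows side the equivalent of check 1 is that the issuing CA sits in the Local Computer store under Trusted Root Certification Authorities (certlm.msc), not only in the current user's store, and the equivalent of check 2 is that the server address in the VPN profile is exactly the address in the SAN, here the IP rather than a hostname.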