[strongSwan] IKEv2 VPN server

Alexey Vlasov renton at renton.name
Thu Jul 25 16:35:54 CEST 2019


I've rechecked again,
https://www.dropbox.com/s/c67ua5uzs05dkgo/vpn_cert_ca.png?dl=0

On Thu, Jul 25, 2019 at 04:20:18PM +0200, Noel Kuntze wrote:
> Hello Alexey,
> 
> Looks like your Windows clients don't trust your CA.
> 
> Kind regards
> 
> Noel
> 
> On 25.07.19 at 16:00, Alexey Vlasov wrote:
> > Hi,
> >
> > After several days of digging and trying tens of working configs I have given up
> > trying to find out why in my case ikev2 does not work with any vpn clients.
> >
> > So, I have a fresh Gentoo box with strongswan 5.7.2,
> >
> > ipsec.conf :
> > ==================
> > config setup
> > 	charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
> >
> > conn VPN-IKEV2
> >         auto=add
> >         dpdaction=clear
> >         keyexchange=ikev2
> >         ike=aes256-sha1-modp1024,3des-sha1-modp1024!
> >         esp=aes256-sha1,3des-sha1!
> >         fragmentation=yes
> >
> >         leftsubnet=0.0.0.0/0
> >         leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
> >         leftsendcert=always
> >         leftid=5.231.208.198
> >
> >         rightauth=eap-mschapv2
> > ==================
> >
> > # ipsec listcerts
> >
> > List of X.509 End Entity Certificates
> >
> >   subject:  "C=DE, O=LLC Lucky-Host, CN=5.231.208.198"
> >   issuer:   "C=DE, O=LLC Lucky-Host, CN=Lucky-Host VPN Service Root CA"
> >   validity:  not before Jul 24 19:40:35 2019, ok
> >              not after  Jul 21 19:40:35 2029, ok (expires in 3649 days)
> >   serial:    57:d9:c8:a8:f3:c5:cf:5a
> >   altNames:  5.231.208.198
> >   flags:     serverAuth ikeIntermediate
> >   authkeyId: d3:77:ff:85:bc:51:12:6b:cc:cf:3f:97:da:f6:81:59:00:dd:81:f8
> >   subjkeyId: d5:bb:9c:d5:67:24:71:6c:40:ac:55:a7:d3:33:d3:ac:a6:1c:ac:d3
> >   pubkey:    RSA 4096 bits, has private key
> >   keyid:     04:9a:94:1e:de:5c:ee:33:20:4b:c3:c3:2a:62:8d:6a:11:58:74:03
> >   subjkey:   d5:bb:9c:d5:67:24:71:6c:40:ac:55:a7:d3:33:d3:ac:a6:1c:ac:d3
> >
> > ipsec.secrets :
> > ==================
> > vpn : EAP "testvpn"
> > 5.231.208.198 : RSA /etc/ipsec.d/private/vpn-server-key.pem
> > ==================
> >
> > The built-in Windows 10 VPN client says "IKE authentication credentials are unacceptable" after an attempt to connect.
> >
> > IPsec logs end at this row:
> > Jul 25 15:55:40 vpn1 charon: 13[NET] sending packet: from 5.231.208.198[4500] to 128.70.239.23[4500] (848 bytes)
> > Jul 25 15:55:40 vpn1 charon: 04[NET] sending packet: from 5.231.208.198[4500] to 128.70.239.23[4500]
> > Jul 25 15:55:40 vpn1 charon: 13[MGR] checkin IKE_SA VPN-IKEV2[5]
> > Jul 25 15:55:40 vpn1 charon: 13[MGR] checkin of IKE_SA successful
> >
> > and after 30 seconds the following is added:
> > Jul 25 15:56:10 vpn1 charon: 15[MGR] checkout IKEv2 SA with SPIs 6eed288a380403e2_i 1e6835aaf130f6fe_r
> > Jul 25 15:56:10 vpn1 charon: 15[MGR] IKE_SA VPN-IKEV2[5] successfully checked out
> > Jul 25 15:56:10 vpn1 charon: 15[JOB] deleting half open IKE_SA with 128.70.239.23 after timeout
> > Jul 25 15:56:10 vpn1 charon: 15[MGR] checkin and destroy IKE_SA VPN-IKEV2[5]
> > Jul 25 15:56:10 vpn1 charon: 15[IKE] IKE_SA VPN-IKEV2[5] state change: CONNECTING => DESTROYING
> > Jul 25 15:56:10 vpn1 charon: 15[MGR] checkin and destroy of IKE_SA successful
> >
> > The CA cert has been installed on the Windows side.
> >
> > The full log is attached.
> >
> > Are there any ideas what is wrong?
> >
> > Thanks in advance.
> 
> -- 
> Noel Kuntze
> IT security consultant
> 
> GPG Key ID: 0x0739AD6C
> Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
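The diagnosis in this thread (a client that does not trust the issuing CA, or a server certificate whose identity does not match leftid) can be verified on the server before touching any Windows client. The script below is an added example, not code from the thread or the strongSwan project: it builds a throwaway CA and server certificate with openssl, using the thread's leftid 5.231.208.198 as the IP SAN, and runs the chain, SAN and EKU checks a Windows IKEv2 client effectively applies. It assumes openssl is on the path.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA and server cert,
# then check what a Windows IKEv2 client needs from the server certificate.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

SERVER_IP=5.231.208.198   # the leftid used in the thread; constructed setup

# Throwaway root CA that stands in for the real VPN root CA
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/C=DE/O=Example/CN=Example VPN Root CA" \
  -keyout ca-key.pem -out ca-cert.pem 2>/dev/null
# An unrelated CA: models a client whose trust store holds the wrong root
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/C=DE/O=Example/CN=Unrelated Root CA" \
  -keyout other-key.pem -out other-ca.pem 2>/dev/null

# Server cert: CN and IP SAN equal to leftid, EKU serverAuth + ikeIntermediate
openssl req -newkey rsa:2048 -nodes -subj "/C=DE/O=Example/CN=$SERVER_IP" \
  -keyout server-key.pem -out server.csr 2>/dev/null
printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2\n' \
  "$SERVER_IP" > ext.cnf
openssl x509 -req -in server.csr -CA ca-cert.pem -CAkey ca-key.pem \
  -CAcreateserial -days 30 -extfile ext.cnf -out server-cert.pem 2>/dev/null

# check_server_cert CERT CA_BUNDLE LEFTID
# Returns 0 when CERT chains to CA_BUNDLE, carries an IP SAN equal to LEFTID
# and has the serverAuth EKU; otherwise prints the first failing check, returns 1.
check_server_cert() {
  cert=$1; ca=$2; leftid=$3
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL chain: $cert is not issued by a CA in $ca"; return 1
  fi
  text=$(openssl x509 -in "$cert" -noout -text)
  if ! printf '%s\n' "$text" | grep -qF "IP Address:$leftid"; then
    echo "FAIL san: no IP SAN matching leftid=$leftid"; return 1
  fi
  if ! printf '%s\n' "$text" | grep -qF "TLS Web Server Authentication"; then
    echo "FAIL eku: serverAuth missing, Windows rejects the server cert"; return 1
  fi
  echo "OK: $cert chains to $ca with matching SAN and EKU"
}

check_server_cert server-cert.pem ca-cert.pem "$SERVER_IP"           # passes
check_server_cert server-cert.pem other-ca.pem "$SERVER_IP" || true  # chain fails
```

Run the chain check with the CA file actually imported into the Windows "Trusted Root Certification Authorities" store; a FAIL there reproduces the "IKE authentication credentials are unacceptable" situation from the thread.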