[strongSwan] IKEv2 VPN server

Alexey Vlasov renton at renton.name
Thu Jul 25 16:37:34 CEST 2019


(my ca cert is on top of the list)

On Thu, Jul 25, 2019 at 05:35:54PM +0300, Alexey Vlasov wrote:
> I've rechecked again,
> https://www.dropbox.com/s/c67ua5uzs05dkgo/vpn_cert_ca.png?dl=0
> 
> On Thu, Jul 25, 2019 at 04:20:18PM +0200, Noel Kuntze wrote:
> > Hello Alexey,
> > 
> > Looks like your Windows clients don't trust your CA.
> > 
> > Kind regards
> > 
> > Noel
> > 
> > On 25.07.19 at 16:00, Alexey Vlasov wrote:
> > > Hi,
> > >
> > > After several days of digging and trying tens of working configs, I've given up
> > > trying to find out why, in my case, IKEv2 does not work with any VPN clients.
> > >
> > > So, I have fresh Gentoo box with strongswan 5.7.2,
> > >
> > > ipsec.conf :
> > > ==================
> > > config setup
> > > 	charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
> > >
> > > conn VPN-IKEV2
> > >         auto=add
> > >         dpdaction=clear
> > >         keyexchange=ikev2
> > >         ike=aes256-sha1-modp1024,3des-sha1-modp1024!
> > >         esp=aes256-sha1,3des-sha1!
> > >         fragmentation=yes
> > >
> > >         leftsubnet=0.0.0.0/0
> > >         leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
> > >         leftsendcert=always
> > >         leftid=5.231.208.198
> > >
> > >         rightauth=eap-mschapv2
> > > ==================
> > >
> > > # ipsec listcerts
> > >
> > > List of X.509 End Entity Certificates
> > >
> > >   subject:  "C=DE, O=LLC Lucky-Host, CN=5.231.208.198"
> > >   issuer:   "C=DE, O=LLC Lucky-Host, CN=Lucky-Host VPN Service Root CA"
> > >   validity:  not before Jul 24 19:40:35 2019, ok
> > >              not after  Jul 21 19:40:35 2029, ok (expires in 3649 days)
> > >   serial:    57:d9:c8:a8:f3:c5:cf:5a
> > >   altNames:  5.231.208.198
> > >   flags:     serverAuth ikeIntermediate
> > >   authkeyId: d3:77:ff:85:bc:51:12:6b:cc:cf:3f:97:da:f6:81:59:00:dd:81:f8
> > >   subjkeyId: d5:bb:9c:d5:67:24:71:6c:40:ac:55:a7:d3:33:d3:ac:a6:1c:ac:d3
> > >   pubkey:    RSA 4096 bits, has private key
> > >   keyid:     04:9a:94:1e:de:5c:ee:33:20:4b:c3:c3:2a:62:8d:6a:11:58:74:03
> > >   subjkey:   d5:bb:9c:d5:67:24:71:6c:40:ac:55:a7:d3:33:d3:ac:a6:1c:ac:d3
> > >
> > > ipsec.secrets :
> > > ==================
> > > vpn : EAP "testvpn"
> > > 5.231.208.198 : RSA /etc/ipsec.d/private/vpn-server-key.pem
> > > ==================
> > >
> > > The built-in Windows 10 VPN client says "IKE authentication credentials are unacceptable" after an attempt to connect.
> > >
> > > The IPsec logs end with this line:
> > > Jul 25 15:55:40 vpn1 charon: 13[NET] sending packet: from 5.231.208.198[4500] to 128.70.239.23[4500] (848 bytes)
> > > Jul 25 15:55:40 vpn1 charon: 04[NET] sending packet: from 5.231.208.198[4500] to 128.70.239.23[4500]
> > > Jul 25 15:55:40 vpn1 charon: 13[MGR] checkin IKE_SA VPN-IKEV2[5]
> > > Jul 25 15:55:40 vpn1 charon: 13[MGR] checkin of IKE_SA successful
> > >
> > > and after 30 seconds add:
> > > Jul 25 15:56:10 vpn1 charon: 15[MGR] checkout IKEv2 SA with SPIs 6eed288a380403e2_i 1e6835aaf130f6fe_r
> > > Jul 25 15:56:10 vpn1 charon: 15[MGR] IKE_SA VPN-IKEV2[5] successfully checked out
> > > Jul 25 15:56:10 vpn1 charon: 15[JOB] deleting half open IKE_SA with 128.70.239.23 after timeout
> > > Jul 25 15:56:10 vpn1 charon: 15[MGR] checkin and destroy IKE_SA VPN-IKEV2[5]
> > > Jul 25 15:56:10 vpn1 charon: 15[IKE] IKE_SA VPN-IKEV2[5] state change: CONNECTING => DESTROYING
> > > Jul 25 15:56:10 vpn1 charon: 15[MGR] checkin and destroy of IKE_SA successful
> > >
> > > The CA cert has been installed on the Windows side.
> > >
> > > The full log is in the attachment.
> > >
> > > Any ideas what is wrong?
> > >
> > > Thanks in advance.
> > 
> > -- 
> > Noel Kuntze
> > IT security consultant
> > 
> > GPG Key ID: 0x0739AD6C
> > Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
> > 
> > 
> 
> 
> 
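The thread turns on whether the Windows client can build and trust a chain from the server certificate shown by `ipsec listcerts`. The script below is an added example, not code from the thread or from the strongSwan project: it parses the `ipsec listcerts` / `ipsec listcacerts` text format and reports the conditions a Windows IKEv2 client checks on the server certificate (the address it connects to present in subjectAltName, the serverAuth EKU, a private key loaded, and the issuing CA present so the chain can be served). The end-entity block is copied from the post; the "List of X.509 CA Certificates" block is constructed for the example, with its subjkeyId chosen to match the end-entity authkeyId, since the original post does not show the CA entry.

```python
"""Checker for strongSwan `ipsec listcerts` / `ipsec listcacerts` output (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SECTION_RE = re.compile(r"^List of X\.509 (.+?) Certificates\s*$")
FIELD_RE = re.compile(r"^\s+(\w+):\s+(.*?)\s*$")

# Constructed sample: end-entity block from the post, CA block assumed for illustration.
SAMPLE_LISTING = """\
List of X.509 End Entity Certificates

  subject:  "C=DE, O=LLC Lucky-Host, CN=5.231.208.198"
  issuer:   "C=DE, O=LLC Lucky-Host, CN=Lucky-Host VPN Service Root CA"
  validity:  not before Jul 24 19:40:35 2019, ok
             not after  Jul 21 19:40:35 2029, ok (expires in 3649 days)
  serial:    57:d9:c8:a8:f3:c5:cf:5a
  altNames:  5.231.208.198
  flags:     serverAuth ikeIntermediate
  authkeyId: d3:77:ff:85:bc:51:12:6b:cc:cf:3f:97:da:f6:81:59:00:dd:81:f8
  subjkeyId: d5:bb:9c:d5:67:24:71:6c:40:ac:55:a7:d3:33:d3:ac:a6:1c:ac:d3
  pubkey:    RSA 4096 bits, has private key

List of X.509 CA Certificates

  subject:  "C=DE, O=LLC Lucky-Host, CN=Lucky-Host VPN Service Root CA"
  issuer:   "C=DE, O=LLC Lucky-Host, CN=Lucky-Host VPN Service Root CA"
  flags:     CA CRLSign
  subjkeyId: d3:77:ff:85:bc:51:12:6b:cc:cf:3f:97:da:f6:81:59:00:dd:81:f8
  pubkey:    RSA 4096 bits
"""


@dataclass
class CertInfo:
    kind: str                      # "End Entity" or "CA", taken from the section heading
    subject: str = ""
    issuer: str = ""
    alt_names: List[str] = field(default_factory=list)
    flags: List[str] = field(default_factory=list)
    authkey_id: str = ""
    subjkey_id: str = ""
    has_private_key: bool = False


def parse_listcerts(text: str) -> List[CertInfo]:
    """Parse the listing; each 'subject:' line starts a new certificate record."""
    certs: List[CertInfo] = []
    kind = "unknown"
    current: Optional[CertInfo] = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            kind = m.group(1)
            current = None
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # blank lines and the 'not after' continuation of 'validity:'
        key, value = m.group(1), m.group(2)
        if key == "subject":
            current = CertInfo(kind=kind, subject=value.strip('"'))
            certs.append(current)
        elif current is None:
            continue
        elif key == "issuer":
            current.issuer = value.strip('"')
        elif key == "altNames":
            current.alt_names = [a.strip() for a in value.split(",")]
        elif key == "flags":
            current.flags = value.split()
        elif key == "authkeyId":
            current.authkey_id = value
        elif key == "subjkeyId":
            current.subjkey_id = value
        elif key == "pubkey":
            current.has_private_key = "has private key" in value
    return certs


def check_server_cert(certs: List[CertInfo], server_id: str) -> List[str]:
    """Findings for the end-entity cert matching server_id; an empty list means all checks pass."""
    ee = next((c for c in certs if c.kind == "End Entity"
               and (server_id in c.alt_names or f"CN={server_id}" in c.subject)), None)
    if ee is None:
        return [f"no end-entity certificate carries the identity {server_id}"]
    findings: List[str] = []
    if server_id not in ee.alt_names:
        findings.append(f"{server_id} is only in the CN, not in subjectAltName; "
                        "Windows matches the server address against the SAN")
    if "serverAuth" not in ee.flags:
        findings.append("serverAuth EKU missing; the Windows IKEv2 client requires it")
    if not ee.has_private_key:
        findings.append("no private key loaded for the server certificate (check ipsec.secrets)")
    if not any(c.kind == "CA" and c.subjkey_id == ee.authkey_id for c in certs):
        findings.append(f"issuing CA (subjkeyId {ee.authkey_id}) is not among the loaded CA "
                        "certificates; the same CA must also sit in the Windows trusted root store")
    return findings


if __name__ == "__main__":
    loaded = parse_listcerts(SAMPLE_LISTING)
    print(check_server_cert(loaded, "5.231.208.198") or "all server certificate checks passed")
```

On the sample above the checks all pass, which matches Noel's reading of the thread: when the server side looks correct, the remaining suspect is the client's trust store. Running the checker on a listing without the CA section, or with a different server identity, produces the corresponding finding.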

