[strongSwan] IKEv2 VPN server
Alexey Vlasov
renton at renton.name
Thu Jul 25 16:37:34 CEST 2019
(my ca cert is on top of the list)
On Thu, Jul 25, 2019 at 05:35:54PM +0300, Alexey Vlasov wrote:
> I've rechecked again,
> https://www.dropbox.com/s/c67ua5uzs05dkgo/vpn_cert_ca.png?dl=0
>
> On Thu, Jul 25, 2019 at 04:20:18PM +0200, Noel Kuntze wrote:
> > Hello Alexey,
> >
> > Looks like your Windows clients don't trust your CA.
> >
> > Kind regards
> >
> > Noel
> >
> > Am 25.07.19 um 16:00 schrieb Alexey Vlasov:
> > > Hi,
> > >
> > > After several days of digging and trying tens working configs I given up
> > > to find out why in my case ikev2 does not work with any vpn clients.
> > >
> > > So, I have fresh Gentoo box with strongswan 5.7.2,
> > >
> > > ipsec.conf :
> > > ==================
> > > config setup
> > > charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
> > >
> > > conn VPN-IKEV2
> > > auto=add
> > > dpdaction=clear
> > > keyexchange=ikev2
> > > ike=aes256-sha1-modp1024,3des-sha1-modp1024!
> > > esp=aes256-sha1,3des-sha1!
> > > fragmentation=yes
> > >
> > > leftsubnet=0.0.0.0/0
> > > leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
> > > leftsendcert=always
> > > leftid=5.231.208.198
> > >
> > > rightauth=eap-mschapv2
> > > ==================
> > >
> > > # ipsec listcerts
> > >
> > > List of X.509 End Entity Certificates
> > >
> > > subject: "C=DE, O=LLC Lucky-Host, CN=5.231.208.198"
> > > issuer: "C=DE, O=LLC Lucky-Host, CN=Lucky-Host VPN Service Root CA"
> > > validity: not before Jul 24 19:40:35 2019, ok
> > > not after Jul 21 19:40:35 2029, ok (expires in 3649 days)
> > > serial: 57:d9:c8:a8:f3:c5:cf:5a
> > > altNames: 5.231.208.198
> > > flags: serverAuth ikeIntermediate
> > > authkeyId: d3:77:ff:85:bc:51:12:6b:cc:cf:3f:97:da:f6:81:59:00:dd:81:f8
> > > subjkeyId: d5:bb:9c:d5:67:24:71:6c:40:ac:55:a7:d3:33:d3:ac:a6:1c:ac:d3
> > > pubkey: RSA 4096 bits, has private key
> > > keyid: 04:9a:94:1e:de:5c:ee:33:20:4b:c3:c3:2a:62:8d:6a:11:58:74:03
> > > subjkey: d5:bb:9c:d5:67:24:71:6c:40:ac:55:a7:d3:33:d3:ac:a6:1c:ac:d3
> > >
> > > ipsec.secrets :
> > > ==================
> > > vpn : EAP "testvpn"
> > > 5.231.208.198 : RSA /etc/ipsec.d/private/vpn-server-key.pem
> > > ==================
> > >
> > > The built-in Windows 10 VPN client says "IKE authentication credentials are unacceptable" after an attempt to connect.
> > >
> > > IPSec logs end on this row:
> > > Jul 25 15:55:40 vpn1 charon: 13[NET] sending packet: from 5.231.208.198[4500] to 128.70.239.23[4500] (848 bytes)
> > > Jul 25 15:55:40 vpn1 charon: 04[NET] sending packet: from 5.231.208.198[4500] to 128.70.239.23[4500]
> > > Jul 25 15:55:40 vpn1 charon: 13[MGR] checkin IKE_SA VPN-IKEV2[5]
> > > Jul 25 15:55:40 vpn1 charon: 13[MGR] checkin of IKE_SA successful
> > >
> > > and after 30 seconds adding
> > > Jul 25 15:56:10 vpn1 charon: 15[MGR] checkout IKEv2 SA with SPIs 6eed288a380403e2_i 1e6835aaf130f6fe_r
> > > Jul 25 15:56:10 vpn1 charon: 15[MGR] IKE_SA VPN-IKEV2[5] successfully checked out
> > > Jul 25 15:56:10 vpn1 charon: 15[JOB] deleting half open IKE_SA with 128.70.239.23 after timeout
> > > Jul 25 15:56:10 vpn1 charon: 15[MGR] checkin and destroy IKE_SA VPN-IKEV2[5]
> > > Jul 25 15:56:10 vpn1 charon: 15[IKE] IKE_SA VPN-IKEV2[5] state change: CONNECTING => DESTROYING
> > > Jul 25 15:56:10 vpn1 charon: 15[MGR] checkin and destroy of IKE_SA successful
> > >
> > > The CA cert have been installed on windows side.
> > >
> > > Full log is in attach.
> > >
> > > Are there any ideas what is wrong?
> > >
> > > Thanks in advance.
> >
> > --
> > Noel Kuntze
> > IT security consultant
> >
> > GPG Key ID: 0x0739AD6C
> > Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
> >
> >
>
>
>
More information about the Users
mailing list