[strongSwan] Windows 10 1903 - IKE authentication credentials are unacceptable

lejeczek peljasz at yahoo.co.uk
Thu Oct 31 17:14:49 CET 2019


Hi guys,

Ufff... I've been on my strongSwan case for the last few days and I hope I'm
getting there, but here is where I hope an expert can advise.

On the server in logs:

...

09[ENC] parsed IKE_AUTH request 1 [ EF(3/3) ]
09[ENC] received fragment #3 of 3, reassembled fragmented IKE message
(1120 bytes)
09[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR
DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
09[IKE] received cert request for unknown ca with keyid
0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4
09[IKE] received cert request for unknown ca with keyid
dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15
09[IKE] received cert request for unknown ca with keyid
6e:58:4e:33:75:bd:57:f6:d5:42:1b:16:01:c2:d8:c0:f5:3a:9f:6e
09[IKE] received cert request for unknown ca with keyid
4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d
09[IKE] received cert request for unknown ca with keyid
5c:b8:69:fe:8d:ef:c1:ed:66:27:ee:b2:12:0f:72:1b:b8:0a:0e:04
09[IKE] received cert request for unknown ca with keyid
6a:47:a2:67:c9:2e:2f:19:68:8b:9b:86:61:66:95:ed:c1:2c:13:00
09[IKE] received cert request for "C=Shire, O=NNR, CN=private.tam.cos"
09[IKE] received cert request for unknown ca with keyid
01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb
09[IKE] received cert request for unknown ca with keyid
88:a9:5a:ef:c0:84:fc:13:74:41:6b:b1:63:32:c2:cf:92:59:bb:3b
09[IKE] received cert request for unknown ca with keyid
f9:27:b6:1b:0a:37:f3:c3:1a:fa:17:ec:2d:46:17:16:12:9d:0c:0e
09[IKE] received cert request for unknown ca with keyid
34:4f:30:2d:25:69:31:91:ea:f7:73:5c:ab:f5:86:8d:37:82:40:ec
09[IKE] received cert request for unknown ca with keyid
3e:df:29:0c:c1:f5:cc:73:2c:eb:3d:24:e1:7e:52:da:bd:27:e2:f0
09[IKE] received cert request for unknown ca with keyid
7c:32:d4:85:fd:89:0a:66:b5:97:ce:86:f4:d5:26:a9:21:07:e8:3e
09[IKE] received cert request for unknown ca with keyid
64:1d:f8:d5:0e:23:31:c2:29:b2:50:cb:32:f5:6d:f5:5c:8e:00:fa
09[IKE] received cert request for unknown ca with keyid
86:26:cb:1b:c5:54:b3:9f:bd:6b:ed:63:7f:b9:89:a9:80:f1:f4:8a
09[IKE] received cert request for unknown ca with keyid
a8:e3:02:96:70:a6:8b:57:eb:ec:ef:cc:29:4e:91:74:9a:d4:92:38
09[IKE] received cert request for unknown ca with keyid
f7:93:19:ef:df:c1:f5:20:fb:ac:85:55:2c:f2:d2:8f:5a:b9:ca:0b
09[IKE] received cert request for unknown ca with keyid
30:a4:e6:4f:de:76:8a:fc:ed:5a:90:84:28:30:46:79:2c:29:15:70
09[IKE] received cert request for unknown ca with keyid
87:db:d4:5f:b0:92:8d:4e:1d:f8:15:67:e7:f2:ab:af:d6:2b:67:75
09[IKE] received cert request for unknown ca with keyid
4a:81:0c:de:f0:c0:90:0f:19:06:42:31:35:a2:a2:8d:d3:44:fd:08
09[IKE] received cert request for unknown ca with keyid
d5:2e:13:c1:ab:e3:49:da:e8:b4:95:94:ef:7c:38:43:60:64:66:bd
09[IKE] received cert request for unknown ca with keyid
ab:30:d3:af:4b:d8:f1:6b:58:69:ee:45:69:29:da:84:b8:73:94:88
09[IKE] received cert request for unknown ca with keyid
a5:06:8a:78:cf:84:bd:74:32:dd:58:f9:65:eb:3a:55:e7:c7:80:dc
09[IKE] received cert request for unknown ca with keyid
e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
09[IKE] received cert request for unknown ca with keyid
83:31:7e:62:85:42:53:d6:d7:78:31:90:ec:91:90:56:e9:91:b9:e3
09[IKE] received cert request for unknown ca with keyid
3e:22:d4:2c:1f:02:44:b8:04:10:65:61:7c:c7:6b:ae:da:87:29:9c
09[IKE] received cert request for unknown ca with keyid
55:e4:81:d1:11:80:be:d8:89:b9:08:a3:31:f9:a1:24:09:16:b9:70
09[IKE] received cert request for unknown ca with keyid
b1:81:08:1a:19:a4:c0:94:1f:fa:e8:95:28:c1:24:c9:9b:34:ac:c7
09[IKE] received cert request for unknown ca with keyid
bb:c2:3e:29:0b:b3:28:77:1d:ad:3e:a2:4d:bd:f4:23:bd:06:b0:3d
09[IKE] received cert request for unknown ca with keyid
c8:95:13:68:01:97:28:0a:2c:55:c3:fc:d3:90:f5:3a:05:3b:c9:fb
09[IKE] received cert request for unknown ca with keyid
ee:e5:9f:1e:2a:a5:44:c3:cb:25:43:a6:9a:5b:d4:6a:25:bc:bb:8e
09[IKE] received cert request for unknown ca with keyid
68:33:0e:61:35:85:21:59:29:83:a3:c8:d2:d2:e1:40:6e:7a:b3:c1
09[IKE] received cert request for unknown ca with keyid
4f:9c:7d:21:79:9c:ad:0e:d8:b9:0c:57:9f:1a:02:99:e7:90:f3:87
09[IKE] received 32 cert requests for an unknown ca
09[CFG] looking for peer configs matching
10.5.8.202[%any]...10.5.8.133[10.5.8.133]
09[CFG]   candidate "NNR-windows-TO-ME", match: 1/1/1052 (me/other/ike)
09[CFG] selected peer config 'NNR-windows-TO-ME'
09[IKE] initiating EAP_IDENTITY method (id 0x00)
09[IKE] processing INTERNAL_IP4_ADDRESS attribute
09[IKE] processing INTERNAL_IP4_DNS attribute
09[IKE] processing INTERNAL_IP4_NBNS attribute
09[IKE] processing INTERNAL_IP4_SERVER attribute
09[IKE] processing INTERNAL_IP6_ADDRESS attribute
09[IKE] processing INTERNAL_IP6_DNS attribute
09[IKE] processing INTERNAL_IP6_SERVER attribute
09[IKE] peer supports MOBIKE
09[IKE] authentication of 'C=Shire, O=NNR, CN=vpn.private.tam.cos'
(myself) with RSA signature successful
09[IKE] sending end entity cert "C=Shire, O=NNR, CN=vpn.private.tam.cos"
09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
09[ENC] splitting IKE message (1632 bytes) into 2 fragments
09[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
09[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
09[NET] sending packet: from 10.5.8.202[4500] to 10.5.8.133[4500] (1236
bytes)
09[NET] sending packet: from 10.5.8.202[4500] to 10.5.8.133[4500] (468
bytes)
09[MGR] checkin IKE_SA NNR-windows-TO-ME[2]
09[MGR] checkin of IKE_SA successful
03[NET] sending packet: from 10.5.8.202[4500] to 10.5.8.133[4500]
03[NET] sending packet: from 10.5.8.202[4500] to 10.5.8.133[4500]
10[MGR] checkout IKEv2 SA with SPIs 4afa2773f5ac97fd_i 3fdd66e6717c1a90_r
10[MGR] IKE_SA NNR-windows-TO-ME[2] successfully checked out
10[JOB] deleting half open IKE_SA with 10.5.8.133 after timeout
10[MGR] checkin and destroy IKE_SA NNR-windows-TO-ME[2]
10[IKE] IKE_SA NNR-windows-TO-ME[2] state change: CONNECTING => DESTROYING
10[MGR] checkin and destroy of IKE_SA successful

I'm using what I found in the 'regular' docs with regard to Win7, with
'user certs'.

Though above that snippet in the logs I see this:

6[CFG] selecting proposal:
06[CFG]   no acceptable ENCRYPTION_ALGORITHM found
06[CFG] selecting proposal:
06[CFG]   no acceptable ENCRYPTION_ALGORITHM found
06[CFG] selecting proposal:
06[CFG]   no acceptable ENCRYPTION_ALGORITHM found
06[CFG] selecting proposal:
06[CFG]   no acceptable ENCRYPTION_ALGORITHM found

Server conf uses:

ike=aes256-sha2_256-prfsha256-modp1024

but I have no setting for 'esp'.

All help very much appreciated.

Many thanks, L.
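
As an added example (not part of the original post, and not strongSwan code), this sketch triages a charon log like the one above: it rejoins the mail-wrapped lines, counts rejected proposals and CERTREQs, and flags an IKE_AUTH response that the peer never answered before the half-open IKE_SA timed out. The function names and the sample lines are constructed for illustration.

```python
import re

# Constructed sample shaped like the charon log in the post, including the
# mail client's line wrapping; the keyid is a placeholder, not a real value.
SAMPLE = """\
06[CFG] selecting proposal:
06[CFG]   no acceptable ENCRYPTION_ALGORITHM found
09[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR
DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
09[IKE] received cert request for unknown ca with keyid
<constructed-keyid-1>
09[IKE] received cert request for "C=Shire, O=NNR, CN=private.tam.cos"
09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
09[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
10[JOB] deleting half open IKE_SA with 10.5.8.133 after timeout
"""
PREFIX = re.compile(r"^(\d{2})\[([A-Z]{3})\]\s(.*)$")

def unwrap(text):  # rejoin wrapped continuation lines onto their record
    records = []
    for line in text.splitlines():
        if PREFIX.match(line):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def triage(text):  # summarise rejections, CERTREQs, unanswered IKE_AUTH
    out = {"rejected_proposals": 0, "unknown_ca": 0, "known_ca": [],
           "last_response": None, "stalled_peer": None}
    answered = True
    for rec in unwrap(text):
        msg = PREFIX.match(rec).group(3).strip()
        if msg.startswith("no acceptable"):
            out["rejected_proposals"] += 1
        elif msg.startswith("received cert request for unknown ca"):
            out["unknown_ca"] += 1
        elif m := re.match(r'received cert request for "(.+)"', msg):
            out["known_ca"].append(m.group(1))
        elif m := re.match(r"generating IKE_AUTH response \d+ \[ (.+) \]", msg):
            if not m.group(1).startswith("EF("):  # skip fragment records
                out["last_response"], answered = m.group(1).split(), False
        elif msg.startswith("parsed IKE_AUTH request"):
            answered = True
        elif m := re.match(r"deleting half open IKE_SA with (\S+) after", msg):
            if not answered:  # timeout with our last response unanswered
                out["stalled_peer"] = m.group(1)
    return out
```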

