[strongSwan] Windows 10 IKEv2 VPN Not Connecting

Karl Denninger karl at denninger.net
Tue Nov 3 18:27:07 CET 2020


This works with a user certificate here -- make SURE Windows put the 
certificate in the correct store.  The StrongSwan Wiki has instructions; 
if it goes in the wrong certificate store Windows will not find it and 
you'll get exactly what you're seeing.

https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs

The other thing is that for Win10 you have to go into the NETWORK panel 
(NOT the Windows 10 network panel, the old control panel one) and drill 
down into the connection and set the default gateway on the remote 
network or you will get split routing and only the subnet that you get 
back from the server will go over the VPN.

This is the stanza that I have in my ipsec.conf for Windows clients:

conn WinUserCert
        left=%any                         # gateway listens on any local address
        leftsubnet=0.0.0.0/0              # offer a full tunnel (all client traffic)
        leftcert=ipgw-rsa.denninger.net.crt   # gateway certificate (in /etc/ipsec.d/certs)
        leftauth=pubkey                   # gateway authenticates with its certificate
        right=%any                        # accept clients from any address
        rightsourceip=192.168.2.0/24      # virtual IP pool handed out to clients
        rightauth=eap-tls                 # client authenticates with its certificate via EAP-TLS
        eap_identity=%identity            # use the EAP identity as the client identity
        auto=add                          # load the conn and wait for the client to initiate
        dpdaction=clear                   # on dead-peer detection, just tear the SA down
        dpddelay=300s                     # DPD probe interval
        ike=aes256-sha2_256-prfsha256-modp1024   # IKE proposal offered to Windows

This gives the client machine an address out of 192.168.2.x/24; note 
that "rightauth" has to be set to eap-tls for Windows clients.

There was a long-standing problem with IKE fragmentation in the internal 
Windows client that used to bedevil me beyond words and would often 
prevent connections from coming up at all, but it has been fixed now for 
about a year provided you have a reasonably recent Win10 version.

I put this stanza first in the configuration since EAP-TLS isn't 
something anything else that connects to my gateway (Macs, Unix 
machines, iOS and Android phones) will ask for, and this way I'm sure 
Windows will get it first (Windows is a bit.... odd.....)

On 11/3/2020 11:59, Mike Hill wrote:
>
> Hi all,
>
> I’m trying to get Windows 10 clients connecting to our StrongSwan 
> server with machine certificates (only), but I’m hitting a roadblock 
> with the following error:
>
> “Verifying username and password...IKE failed to find valid machine 
> certificate. Contact your Network Security Administrator about 
> installing a valid certificate in the appropriate Certificate Store.”
>
> Error in Windows Event Viewer is 13806, which appears to be pretty 
> common, but despite looking at various sources, I cannot make it work.
>
> We’re using a PKI-as-a-service (SecureW2) for our certs and have 
> placed intermediate and root CA certs into /etc/ipsec.d/cacerts, along 
> with StrongSwan server’s cert in /etc/ipsec.d/certs and its private 
> key in /etc/ipsec.d/private/. Server device cert has Server and Client 
> authentication set for EKU and hostname.domain.com for CN and SAN.
>
> The Windows test device has its own cert in the machine store, along 
> with CA intermediate and root certs in the appropriate cert stores. 
> VPN connection is configured with PowerShell, and MachineCertificate 
> set as authentication method and VPN address is hostname.domain.com 
> which matches CN on StrongSwan device cert. Machine cert is 
> hostname.domain.com for CN and SAN and has Client Authentication set 
> for EKU.
>
> Events from /var/log/syslog:
>
> Nov  3 16:40:18 swan charon: 07[NET] received packet: from XXX.XXX.XXX.XXX[500] to XXX.XXX.XXX.XXX [500] (344 bytes)
> Nov  3 16:40:18 swan charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> Nov  3 16:40:18 swan charon: 07[CFG] looking for an ike config for XXX.XXX.XXX.XXX... XXX.XXX.XXX.XXX
> Nov  3 16:40:18 swan charon: 07[CFG]   candidate: %any...%any, prio 28
> Nov  3 16:40:18 swan charon: 07[CFG] found matching ike config: %any...%any with prio 28
> Nov  3 16:40:18 swan charon: 07[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
> Nov  3 16:40:18 swan charon: 07[IKE] received MS-Negotiation Discovery Capable vendor ID
> Nov  3 16:40:18 swan charon: 07[IKE] received Vid-Initial-Contact vendor ID
> Nov  3 16:40:18 swan charon: 07[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> Nov  3 16:40:18 swan charon: 07[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA
> Nov  3 16:40:18 swan charon: 07[IKE] IKE_SA (unnamed)[7] state change: CREATED => CONNECTING
> Nov  3 16:40:18 swan charon: 07[CFG] selecting proposal:
> Nov  3 16:40:18 swan charon: 07[CFG]   proposal matches
> Nov  3 16:40:18 swan charon: 07[CFG] received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
> Nov  3 16:40:18 swan charon: 07[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
> Nov  3 16:40:18 swan charon: 07[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
> Nov  3 16:40:18 swan charon: 07[IKE] local host is behind NAT, sending keep alives
> Nov  3 16:40:18 swan charon: 07[IKE] remote host is behind NAT
> Nov  3 16:40:18 swan charon: 07[IKE] sending cert request for "O=Org, CN=Org Device Root CA"
> Nov  3 16:40:18 swan charon: 07[IKE] sending cert request for "O=Org, CN=Org Device Intermediate CA"
> Nov  3 16:40:18 swan charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
> Nov  3 16:40:18 swan charon: 07[NET] sending packet: from XXX.XXX.XXX.XXX [500] to XXX.XXX.XXX.XXX [500] (293 bytes)
> Nov  3 16:40:18 swan charon: 09[NET] received packet: from XXX.XXX.XXX.XXX [500] to XXX.XXX.XXX.XXX [500] (344 bytes)
> Nov  3 16:40:18 swan charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
>
> We have this setup working with macOS devices, so we know that the 
> server is able to accept and establish connections.
>
> Many thanks in advance,
>
> Mike
>
>
> 3rd Floor, Vivo Building, 30 Stamford Street, London SE1 9LQ
> P: 020 3422 0000 • M: 07763 230443
> E: mike.hill at techahoy.com
> www.techahoy.com <https://www.techahoy.com/>
>
>
-- 
Karl Denninger
karl at denninger.net <mailto:karl at denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
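An added example, not code from either post: a PowerShell script that performs the two checks Karl describes (the certificate must be in the machine store; the default gateway must be on the remote network) and then builds the IKEv2 machine-certificate connection of the kind Mike describes. The gateway name and connection name are placeholders, the EKU-filter parameter is assumed to be available on a recent Win10 build, and the IPsec parameters mirror the IKE proposal in Mike's log; all of these must be adjusted to the actual server's ike=/esp= lines.

```powershell
# Added example (not from the original thread). Assumptions: the gateway's DNS
# name and the connection name below are placeholders; the IPsec parameters
# mirror the proposal seen in the quoted log and must match the server's
# ike=/esp= lines. Run from an elevated PowerShell session.
$Server        = 'hostname.domain.com'   # placeholder: gateway name, must match its cert CN/SAN
$ConnName      = 'Corp IKEv2'            # placeholder connection name
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'     # id-kp-clientAuth, the EKU Windows selects on

# --- 1. Is the client certificate in the *machine* store? -------------------
# Event 13806 ("IKE failed to find valid machine certificate") is what you get
# when the certificate landed in the user store instead of Cert:\LocalMachine\My.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
}
if (-not $candidates) {
    Write-Warning 'No certificate with a private key and the Client Authentication EKU in Cert:\LocalMachine\My'
    Write-Warning 'A certificate in Cert:\CurrentUser\My is invisible to a machine-certificate IKEv2 connection'
}
foreach ($c in $candidates) {
    # Verify() builds the chain from LocalMachine\Root and LocalMachine\CA; a
    # $false result usually means the root or intermediate CA certificate is
    # missing or sitting in the wrong store.
    '{0}  issuer: {1}  chain valid: {2}  expires: {3}' -f $c.Subject, $c.Issuer, $c.Verify(), $c.NotAfter
}

# --- 2. Create (or recreate) the all-users connection ------------------------
if (Get-VpnConnection -Name $ConnName -AllUserConnection -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnName -AllUserConnection -Force
}
Add-VpnConnection -Name $ConnName -ServerAddress $Server -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate `
    -MachineCertificateEKUFilter $ClientAuthOid `
    -AllUserConnection -Force

# --- 3. Send all traffic through the tunnel ----------------------------------
# This is the "Use default gateway on remote network" checkbox from the old
# control panel; with split tunneling on, only the routes the server pushes
# go over the VPN.
Set-VpnConnection -Name $ConnName -AllUserConnection -SplitTunneling $false

# --- 4. Pin the IPsec proposal to what the server is configured for ----------
# Matches IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256 from the log; the ESP
# values are an assumption and must agree with the server's esp= line.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName -AllUserConnection `
    -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256 -DHGroup ECP256 `
    -CipherTransformConstants GCMAES128 -AuthenticationTransformConstants GCMAES128 `
    -PfsGroup ECP256 -Force

# Show the resulting profile so the settings can be eyeballed before dialling.
Get-VpnConnection -Name $ConnName -AllUserConnection |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling
```

On the strongSwan side the step-4 proposal corresponds to ike=aes128gcm16-prfsha256-ecp256 and esp=aes128gcm16-ecp256 in ipsec.conf notation; if the server keeps a different ike=/esp= pair (such as the aes256-sha2_256 line in the stanza above), change the Set-VpnConnectionIPsecConfiguration values to match rather than the server.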