[strongSwan] Windows 10 IKEv2 VPN Not Connecting

bls s bls3427 at outlook.com
Sat Nov 28 15:41:34 CET 2020 

Another resource for information on installing strongSwan certs on Windows,  besides https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs is https://github.com/gitbls/pistrong/blob/master/CertInstall.md. Although slightly discussed in the context of pistrong, it explicitly details how to properly install Certs on Windows 10.

From: Karl Denninger<mailto:karl at denninger.net>
Sent: Tuesday, November 3, 2020 9:27 AM
To: users at lists.strongswan.org<mailto:users at lists.strongswan.org>
Subject: Re: [strongSwan] Windows 10 IKEv2 VPN Not Connecting


This works with a user certificate here -- make SURE Windows put the certificate in the correct store.  The StrongSwan Wiki has instructions; if it goes in the wrong certificate store Windows will not find it and you'll get exactly what you're seeing.

https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs

The other thing is that for Win10 you have to go into the NETWORK panel (NOT the Windows 10 network panel, the old control panel one) and drill down into the connection and set the default gateway on the remote network or you will get split routing and only the subnet that you get back from the server will go over the VPN.

This is the stanza that I have in my ipsec.conf for Windows clients:

conn WinUserCert
        left=%any
        leftsubnet=0.0.0.0/0
        leftcert=ipgw-rsa.denninger.net.crt
        leftauth=pubkey
        right=%any
        rightsourceip=192.168.2.0/24
        rightauth=eap-tls
        eap_identity=%identity
        auto=add
        dpdaction=clear
        dpddelay=300s
        ike=aes256-sha2_256-prfsha256-modp1024

This gives the client machine an address out of 192.168.2.x/24; note that "rightauth" has to be set to eap-tls for Windows clients.

There was a long-standing problem with IKE fragmentation in the internal Windows client that used to be bedevil me beyond words that would often prevent connections from coming up at all but it has been fixed now for about a year provided you have a reasonably-recent Win10 version.

I put this stanza first in the configuration since EAP-TLS isn't something anything else that connects to my gateway (Macs, Unix Machines, IOS and Android phones) will ask for and this way I'm sure Windows will get it first (Windows is a bit.... odd.....)
On 11/3/2020 11:59, Mike Hill wrote:
Hi all,

I’m trying to get Windows 10 clients connecting to our StrongSwan server with machine certificates (only), but I’m hitting a roadblock with the following error:

“Verifying username and password...IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store.”

Error in Windows Event Viewer is 13806, which appears to be pretty common, but despite looking at various sources, I cannot make it work.

We’re using a PKI-as-a-service (SecureW2) for our certs and have placed intermediate and root CA certs into /etc/ipsec.d/cacerts, along with StrongSwan server’s cert in /etc/ipsec.d/certs and its private key in /etc/ipsec.d/private/. Server device cert has Server and Client authentication set for EKU and hostname.domain.com for CN and SAN.

The Windows test device has its own cert in the machine store, along with CA intermediate and root certs in the appropriate cert stores. VPN connection is configured with PowerShell, and MachineCertificate set as authentication method and VPN address is hostname.domain.com which matches CN on StrongSwan device cert. Machine cert is hostname.domain.com for CN and SAN and has Client Authentication set for EKU.

Events from /var/log/syslog:


Nov  3 16:40:18 swan charon: 07[NET] received packet: from XXX.XXX.XXX.XXX[500] to XXX.XXX.XXX.XXX [500] (344 bytes)
Nov  3 16:40:18 swan charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Nov  3 16:40:18 swan charon: 07[CFG] looking for an ike config for XXX.XXX.XXX.XXX... XXX.XXX.XXX.XXX
Nov  3 16:40:18 swan charon: 07[CFG]   candidate: %any...%any, prio 28
Nov  3 16:40:18 swan charon: 07[CFG] found matching ike config: %any...%any with prio 28
Nov  3 16:40:18 swan charon: 07[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Nov  3 16:40:18 swan charon: 07[IKE] received MS-Negotiation Discovery Capable vendor ID
Nov  3 16:40:18 swan charon: 07[IKE] received Vid-Initial-Contact vendor ID
Nov  3 16:40:18 swan charon: 07[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Nov  3 16:40:18 swan charon: 07[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA
Nov  3 16:40:18 swan charon: 07[IKE] IKE_SA (unnamed)[7] state change: CREATED => CONNECTING
Nov  3 16:40:18 swan charon: 07[CFG] selecting proposal:
Nov  3 16:40:18 swan charon: 07[CFG]   proposal matches
Nov  3 16:40:18 swan charon: 07[CFG] received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
Nov  3 16:40:18 swan charon: 07[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
Nov  3 16:40:18 swan charon: 07[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
Nov  3 16:40:18 swan charon: 07[IKE] local host is behind NAT, sending keep alives
Nov  3 16:40:18 swan charon: 07[IKE] remote host is behind NAT
Nov  3 16:40:18 swan charon: 07[IKE] sending cert request for "O=Org, CN=Org Device Root CA"
Nov  3 16:40:18 swan charon: 07[IKE] sending cert request for "O=Org, CN=Org Device Intermediate CA"
Nov  3 16:40:18 swan charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Nov  3 16:40:18 swan charon: 07[NET] sending packet: from XXX.XXX.XXX.XXX [500] to XXX.XXX.XXX.XXX [500] (293 bytes)
Nov  3 16:40:18 swan charon: 09[NET] received packet: from XXX.XXX.XXX.XXX [500] to XXX.XXX.XXX.XXX [500] (344 bytes)
Nov  3 16:40:18 swan charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]

We have this setup working with macOS devices, so we know that the server is able to accept and establish connections.

Many thanks in advance,

Mike


​​
[https://s3-eu-west-1.amazonaws.com/assets.techahoy.co.uk/email/image001-coral.png]
3rd Floor, Vivo Building, 30 Stamford Street, London SE1 9LQ
P: 020 3422 0000
• M: 07763 230443
<tel:07763%20230443>
•
E: mike.hill at techahoy.com<mailto:mike.hill at techahoy.com>
www.techahoy.co<https://www.techahoy.com/>m

--
Karl Denninger
karl at denninger.net<mailto:karl at denninger.net>
The Market Ticker
[S/MIME encrypted email preferred]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20201128/fb750092/attachment-0001.html>

More information about the Users mailing list