[strongSwan] Windows VPN client issue with Strongswan

Makarand Pradhan MakarandPradhan at is5com.com
Fri Oct 9 20:49:42 CEST 2020


Hello All,

I am having trouble connecting a Windows VPN client to strongSwan using machine certificates. I am following the wiki:
https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients
Would appreciate any pointers to resolve the issue.

Issue: Windows client is not connecting.

As per the wiki, I have created a CA and signed the strongSwan server and Windows client requests.
The certificates and private keys are kept at the proper locations as specified.
update-ca-certificates has been run to update the trusted certificates on the Linux machine running the strongSwan server.

On the Windows side, both the CA certificate and the Windows client certificate are imported. Both certificates show "This certificate is OK".

When the client initiates the connection, I see strongSwan sending a cert request for the CA certificate.
The CA, server and client are as follows:
CA:  "C=CA, ST=ON, L=Miss, O=iS5, OU=SW, CN=ca at 10.10.5.1, E=ca at is5com.com"
Strongswan server: "C=CA, ST=ON, L=Miss, O=iS5, OU=SW, CN=server at 10.10.5.1, E=server at is5com.com"
Win client: "C=CA, ST=ON, L=Miss, O=iS5, OU=SW, CN=win at 10.10.5.7, E=swin at is5com.com"

swanctl --log
06[NET] received packet: from 10.10.5.7[500] to 10.10.5.1[500] (624 bytes)
06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
06[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
06[IKE] received MS-Negotiation Discovery Capable vendor ID
06[IKE] received Vid-Initial-Contact vendor ID
06[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
06[IKE] 10.10.5.7 is initiating an IKE_SA
06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
06[IKE] sending cert request for "C=CA, ST=ON, L=Miss, O=iS5, OU=SW, CN=10.10.5.1, E=ca at is5com.com"
06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
06[NET] sending packet: from 10.10.5.1[500] to 10.10.5.7[500] (353 bytes)
15[JOB] deleting half open IKE_SA with 10.10.5.7 after timeout

I was expecting a Windows cert request. Instead I see a CA cert request. Am I missing anything?

Thanks.
Makarand.
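The log above shows the responder answering IKE_SA_INIT with a CERTREQ and then timing out the half-open IKE_SA because no IKE_AUTH ever arrives. A CERTREQ naming a CA is the normal behaviour: per RFC 7296 section 3.7 the payload carries hashes of the CA certificates the responder trusts, so that the initiator can pick a certificate chaining to one of them. The script below is an added example (not from this thread or from the strongSwan project) that parses a `swanctl --log` excerpt, reconstructs which exchanges were received and sent, and reports three things a defender would check: that the peer went silent before authentication, that the CA named in the CERTREQ is the one the administrator expects, and that the negotiated DH group is not a weak MODP group. The regular expressions assume the line format shown in the post; the sample log is a constructed copy of that excerpt, and `EXPECTED_CA_DN` is the CA subject the poster listed.

```python
"""Parse a strongSwan `swanctl --log` excerpt and explain why an IKE_SA never completed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: the swanctl --log excerpt from the post, reproduced verbatim.
SAMPLE_LOG = """\
06[NET] received packet: from 10.10.5.7[500] to 10.10.5.1[500] (624 bytes)
06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
06[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
06[IKE] 10.10.5.7 is initiating an IKE_SA
06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
06[IKE] sending cert request for "C=CA, ST=ON, L=Miss, O=iS5, OU=SW, CN=10.10.5.1, E=ca at is5com.com"
06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
06[NET] sending packet: from 10.10.5.1[500] to 10.10.5.7[500] (353 bytes)
15[JOB] deleting half open IKE_SA with 10.10.5.7 after timeout
"""

# The CA subject the administrator believes is configured (taken from the post).
EXPECTED_CA_DN = "C=CA, ST=ON, L=Miss, O=iS5, OU=SW, CN=ca at 10.10.5.1, E=ca at is5com.com"

# Line layout assumed: "<thread>[<group>] <message>"
LINE_RE = re.compile(r"^\d+\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
EXCHANGE_RE = re.compile(r"^(?P<verb>parsed|generating) (?P<exch>\w+) (?P<dir>request|response) \d+")
CERTREQ_RE = re.compile(r'^sending cert request for "(?P<dn>[^"]+)"')
PROPOSAL_RE = re.compile(r"^selected proposal: IKE:(?P<prop>\S+)")
TIMEOUT_RE = re.compile(r"^deleting half open IKE_SA with (?P<peer>[\d.]+) after timeout")
WEAK_DH = {"MODP_768", "MODP_1024", "MODP_1536"}


@dataclass
class IkeTrace:
    received: list[str] = field(default_factory=list)   # exchanges parsed from the peer
    sent: list[str] = field(default_factory=list)       # exchanges this daemon generated
    certreq_dns: list[str] = field(default_factory=list)
    proposal: str | None = None
    timed_out_peer: str | None = None


def parse_swanctl_log(text: str) -> IkeTrace:
    """Reduce the log to the facts needed for the diagnosis; unknown lines are ignored."""
    trace = IkeTrace()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if e := EXCHANGE_RE.match(msg):
            label = f"{e['exch']} {e['dir']}"
            (trace.received if e["verb"] == "parsed" else trace.sent).append(label)
        elif c := CERTREQ_RE.match(msg):
            trace.certreq_dns.append(c["dn"])
        elif p := PROPOSAL_RE.match(msg):
            trace.proposal = p["prop"]
        elif t := TIMEOUT_RE.match(msg):
            trace.timed_out_peer = t["peer"]
    return trace


def diagnose(trace: IkeTrace, expected_ca_dn: str) -> list[tuple[str, str]]:
    """Return (code, explanation) findings for a responder-side trace."""
    findings: list[tuple[str, str]] = []
    if ("IKE_SA_INIT response" in trace.sent
            and "IKE_AUTH request" not in trace.received
            and trace.timed_out_peer):
        findings.append(("NO_IKE_AUTH",
                         f"peer {trace.timed_out_peer} never sent IKE_AUTH after our IKE_SA_INIT "
                         "response; no authentication was attempted yet, so the reason it stopped "
                         "is on the client side (e.g. whether it holds a certificate chaining to "
                         "the CA named in our CERTREQ)"))
    for dn in trace.certreq_dns:
        if dn != expected_ca_dn:
            findings.append(("CERTREQ_CA_MISMATCH",
                             f"CERTREQ names CA '{dn}' but the expected CA is '{expected_ca_dn}'; "
                             "the daemon requests the CA certificates it actually loaded "
                             "(/etc/swanctl/x509ca), so verify which CA certificate is installed"))
    if trace.proposal:
        dh_group = trace.proposal.split("/")[-1]
        if dh_group in WEAK_DH:
            findings.append(("WEAK_DH_GROUP",
                             f"negotiated {dh_group}; prefer MODP_2048 or an ECP/Curve25519 group "
                             "on both peers"))
    return findings


if __name__ == "__main__":
    for code, text in diagnose(parse_swanctl_log(SAMPLE_LOG), EXPECTED_CA_DN):
        print(f"{code}: {text}")
```

Run it against a real `swanctl --log` capture by replacing `SAMPLE_LOG` with the captured text and `EXPECTED_CA_DN` with the subject printed by `openssl x509 -noout -subject` on the CA file you intend strongSwan to use; a `CERTREQ_CA_MISMATCH` finding means the daemon is advertising a different CA than the one you think it has loaded.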

