[strongSwan] Windows VPN client issue with Strongswan

Makarand Pradhan MakarandPradhan at is5com.com
Tue Oct 13 14:18:37 CEST 2020


Thanks Tobias for responding.

There is no firewall.

Windows has not yet sent an IKE_AUTH.
Windows sends an IKE_SA_INIT.
Strongswan sends a CA CERT REQ. I think it's going to Windows. The CA cert is installed in the Windows Trusted folder.
On Windows I see a message saying "Ask your admin to config certificates properly."

I think I'm messing up with certificates somehow. I've created a CA and signed the certificates using this CA on the Strongswan server.
The CA cert and the Win cert with its private key are installed on Windows.
The CA cert and server cert are installed in ipsec.d/cacert and ipsec.d/cert, and the server private key is installed in ipsec.d/private.

Will recheck and get back.

Thanks again.
Makarand.


-----Original Message-----
From: Tobias Brunner <tobias at strongswan.org> 
Sent: October 12, 2020 10:59 AM
To: Makarand Pradhan <MakarandPradhan at is5com.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] Windows VPN client issue with Strongswan

Hi Makarand,

> 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
> 06[NET] sending packet: from 10.10.5.1[500] to 10.10.5.7[500] (353 bytes)
> 15[JOB] deleting half open IKE_SA with 10.10.5.7 after timeout

This could indicate an IP fragmentation issue (IKE_AUTH too large with certificate and certificate requests, fragments dropped).  But since both peers support IKEv2 fragmentation (FRAG_SUP) that seems unlikely.

While there is no NAT between the hosts, with MOBIKE there will still be a switch to UDP port 4500, so make sure no firewall blocks that port.

What error is the client reporting exactly?  Does it actually send an IKE_AUTH request?

> I was expecting a windows cert request. Instead I see a CA Cert req.

The request is for certificates issued by that CA.

Regards,
Tobias
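As an added example (not code from this thread or from the strongSwan project): a small POSIX shell script that builds a throwaway test PKI with openssl and checks the two things Tobias's reply turns on, namely whether the server certificate actually chains to the CA whose CERTREQ strongSwan sends, and what that CERTREQ hash is (SHA-1 over the CA's DER-encoded SubjectPublicKeyInfo, per RFC 7296 section 3.7). All file names and subject names are constructed for the demo; openssl, sha1sum and mktemp are assumed to be on PATH. On a real deployment you would run chain_ok against the CA file from ipsec.d/cacerts and the certificate from ipsec.d/certs, and compare certreq_hash against the hash logged for the CERTREQ payload.

```shell
#!/bin/sh
# Added example, not strongSwan code. Checks that a server certificate chains to
# the CA a responder advertises in CERTREQ, and derives that CERTREQ hash.
set -eu

# Build a constructed test PKI in directory $1: a VPN CA, a server certificate
# signed by it, and a second, unrelated CA that must NOT validate the server cert.
build_test_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test VPN CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated CA" -keyout "$dir/other.key" -out "$dir/other.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=vpn.example.test" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
}

# chain_ok CAFILE CERT: exit status 0 if CERT was issued (directly) by CAFILE,
# non-zero otherwise. This is the check a peer's CERTREQ implicitly asks for:
# "send me a certificate issued by this CA".
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# certreq_hash CAFILE: the value a peer places in an IKEv2 CERTREQ payload for a
# trusted CA, i.e. SHA-1 over the DER SubjectPublicKeyInfo of that CA.
certreq_hash() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | sha1sum | cut -d' ' -f1
}

# Stand-alone demonstration on the constructed PKI.
demo() {
    tmp="$(mktemp -d)"
    build_test_pki "$tmp"
    if chain_ok "$tmp/ca.crt" "$tmp/server.crt"; then
        echo "server.crt chains to ca.crt: this CA's hash is what belongs in CERTREQ"
    else
        echo "server.crt does NOT chain to ca.crt"
    fi
    if chain_ok "$tmp/other.crt" "$tmp/server.crt"; then
        echo "unexpected: server.crt verifies against an unrelated CA"
    else
        echo "server.crt does not chain to other.crt, as expected"
    fi
    echo "CERTREQ hash for ca.crt:    $(certreq_hash "$tmp/ca.crt")"
    echo "CERTREQ hash for other.crt: $(certreq_hash "$tmp/other.crt")"
    rm -rf "$tmp"
}

demo
```

If chain_ok fails for the certificate in ipsec.d/certs against the CA in ipsec.d/cacerts, the client will never be able to answer the CERTREQ with an acceptable certificate, whatever is installed on the Windows side; if the hash printed by certreq_hash differs from the one in strongSwan's CERTREQ, the responder is trusting a different CA file than the one the certificates were issued from.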

