[strongSwan] Windows VPN client issue with Strongswan
Rajiv Kulkarni
rajivkulkarni69 at gmail.com
Mon Oct 19 03:32:54 CEST 2020
Hi
Maybe this info may be of some use/help for the users. It took a lot of
time spent studying various aspects and arriving at this config....hence
sharing for some use to other users too.
The below is the config for the Strongswan VPN server for Windows-IKEv2 clients
(using Certs-ONLY and/or EAP-MSCHAPv2 for auth). This is working for me
with multiple concurrent Windows-IKEv2 clients connected to this server.
Note: The use of option "rekey=no" on this VPN server is necessary, as it
enables and ensures that the Windows-IKEv2-clients are always the
rekey-initiators. This option was more necessary when the remote
Windows-IKEv2-clients were behind NAT-Routers...and they would NOT respond
to rekey requests initiated from the VPN-server....hence rekey is disabled
on the server. BUT the VPN-server WILL RESPOND TO ALL REKEY REQUESTS FROM
CLIENTS..
root at gw1:/tmp# cat /etc/ipsec.conf
# ipsec config file
config setup
    charondebug="chd 2,knl 1,ike 2,cfg 1"
    strictcrlpolicy=no

conn %default
    auto=route
    leftfirewall=yes
    lefthostaccess=yes
    keyingtries=1
    mobike=no
    fragmentation=yes
    leftsendcert=always

conn WindArdClients_V2_wCertsOnly
    auto=add
    left=20.20.20.7
    right=%any
    ikelifetime=28800s
    esp=aes256-sha1!
    lifetime=3600s
    rekeymargin=180s
    ike=aes256-sha1-modp1024
    keyexchange=ikev2
    reauth=no
    rekey=no
    leftauth=pubkey
    rightauth=pubkey
    leftid="/C=US/ST=CA/L=SFO/O=Cisco Systems/OU=SVTQA/CN=vRouter.dyndns.org"
    rightid=%any
    leftcert=/etc/ssl/certs/vRoutercert.pem
    dpddelay=40
    dpdtimeout=120
    dpdaction=clear
    rightsourceip=10.1.103.100-10.1.103.200
    modeconfig=pull
    leftsubnet=0.0.0.0/0
    rightdns=192.168.110.26,192.168.110.27

conn WindArdOthClients_V2_wEAP
    auto=add
    left=20.20.20.7
    right=%any
    ikelifetime=28800s
    esp=aes256-sha1!
    lifetime=3600s
    margintime=180s
    ike=aes256-sha1-modp1024
    keyexchange=ikev2
    reauth=no
    rekey=no
    leftauth=pubkey
    rightauth=eap-mschapv2
    eap_identity=%any
    leftsendcert=always
    rightsendcert=never
    leftid=vRouter.dyndns.org
    rightid=%any
    leftcert=/etc/ssl/certs/vRoutercert.pem
    dpddelay=40
    dpdtimeout=120
    dpdaction=clear
    rightsourceip=10.1.104.100-10.1.104.200
    modeconfig=pull
    leftsubnet=192.168.20.0/24,192.168.25.0/24,192.168.110.0/24
    rightdns=192.168.110.26,192.168.110.27
---------------------------------------------------------
root at gw1:/tmp# cat /etc/ipsec.secrets
# ipsec-secrets file
: RSA vRouterKey.pem
user1 : EAP "test1234"
user2 : EAP "test1234"
user3 : EAP "test1234"
user4 : EAP "test1234"
user5 : EAP "test1234"
user6 : EAP "test1234"
===========================================
thanks & regards
Rajiv
On Tue, Oct 13, 2020 at 5:48 PM Makarand Pradhan <MakarandPradhan at is5com.com>
wrote:
> Thanks Tobias for responding.
>
> There is no firewall.
>
> Windows has not yet sent an IKE_AUTH.
> Windows sends an IKE_SA_INIT.
> Strongswan sends a CA CERT REQ. I think it's going to windows. The CA cert
> is installed on windows Trusted folder.
> On windows I see a msg saying "Ask your admin to config certificates
> properly."
>
> I think, I'm messing up with certificates somehow. I've created a CA and
> signed the certificates using this CA on the Strongswan server.
> The CA cert and the Win Cert with its private key are installed on windows.
> The CA cert and Server cert are installed in ipsec.d/cacert, ipsec.d/cert
> and the server private key is installed in ipsec.d/private
>
> Will recheck and get back.
>
> Thanks again.
> Makarand.
>
>
> -----Original Message-----
> From: Tobias Brunner <tobias at strongswan.org>
> Sent: October 12, 2020 10:59 AM
> To: Makarand Pradhan <MakarandPradhan at is5com.com>;
> users at lists.strongswan.org
> Subject: Re: [strongSwan] Windows VPN client issue with Strongswan
>
> Hi Makarand,
>
> > 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> > N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ] 06[NET]
> > sending packet: from 10.10.5.1[500] to 10.10.5.7[500] (353 bytes)
> > 15[JOB] deleting half open IKE_SA with 10.10.5.7 after timeout
>
> This could indicate an IP fragmentation issue (IKE_AUTH too large with
> certificate and certificate requests, fragments dropped). But since both
> peers support IKEv2 fragmentation (FRAG_SUP) that seems unlikely.
>
> While there is no NAT between the hosts, with MOBIKE there will still be a
> switch to UDP port 4500, so make sure no firewall blocks that port.
>
> What error is the client reporting exactly? Does it actually send an
> IKE_AUTH request?
>
> > I was expecting a windows cert request. Instead I see a CA Cert req.
>
> The request is for certificates issued by that CA.
>
> Regards,
> Tobias
>
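As an added example (my own code, not from Rajiv's post or the strongSwan project), the following Python script parses an ipsec.conf-style file the way strongSwan reads it (section headers in column 0, indented key=value entries, "conn %default" merged into every other conn) and then reports the points a reviewer would raise about a config like the one above: the modp1024 DH group and SHA-1 integrity in the ike/esp proposals (the proposal Windows clients offer by default), rekey=no, leftsubnet=0.0.0.0/0, and EAP passwords shared between several users in ipsec.secrets. The sample input is constructed from the thread's config with the passwords replaced by placeholders; function names and the finding texts are mine.

```python
import re
from collections import OrderedDict

# Constructed sample, condensed from the server config posted in the thread.
SAMPLE_IPSEC_CONF = """\
# ipsec config file
config setup
    charondebug="chd 2,knl 1,ike 2,cfg 1"
    strictcrlpolicy=no

conn %default
    auto=route
    keyingtries=1
    mobike=no
    fragmentation=yes
    leftsendcert=always

conn WindArdClients_V2_wCertsOnly
    auto=add
    esp=aes256-sha1!
    ike=aes256-sha1-modp1024
    keyexchange=ikev2
    rekey=no
    leftauth=pubkey
    rightauth=pubkey
    leftid="/C=US/ST=CA/L=SFO/O=Cisco Systems/OU=SVTQA/CN=vRouter.dyndns.org"
    leftsubnet=0.0.0.0/0

conn WindArdOthClients_V2_wEAP
    auto=add
    esp=aes256-sha1!
    ike=aes256-sha1-modp1024
    keyexchange=ikev2
    rekey=no
    leftauth=pubkey
    rightauth=eap-mschapv2
    eap_identity=%any
    leftsubnet=192.168.20.0/24,192.168.25.0/24,192.168.110.0/24
"""

# Constructed ipsec.secrets sample; the passwords are placeholders.
SAMPLE_IPSEC_SECRETS = """\
: RSA vRouterKey.pem
user1 : EAP "test1234"
user2 : EAP "test1234"
user3 : EAP "unique-pw-3"
"""

WEAK_DH_GROUPS = {"modp768", "modp1024", "modp1536"}
WEAK_INTEGRITY = {"md5", "sha1"}


def parse_ipsec_conf(text):
    """Parse ipsec.conf text into {'kind name': {key: value}}.

    Section headers start in column 0; key=value lines must be indented,
    which is what strongSwan's parser requires.  Entries from 'conn %default'
    are merged into every other conn section, as strongSwan applies them.
    """
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():               # section header
            kind, _, name = line.strip().partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
        elif current is None:
            raise ValueError(f"key=value line before any section: {raw!r}")
        else:                                   # split on the FIRST '=' only
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    default = sections.get("conn %default", {})
    for name in list(sections):
        if name.startswith("conn ") and name != "conn %default":
            merged = dict(default)
            merged.update(sections[name])       # explicit values win
            sections[name] = merged
    return sections


def audit_conn(conn):
    """Reviewer findings for one merged conn section (informational, not errors)."""
    findings = []
    for key in ("ike", "esp"):
        # '!' marks a strict proposal; ',' separates alternative proposals
        for proposal in conn.get(key, "").rstrip("!").split(","):
            weak = [a for a in proposal.split("-")
                    if a in WEAK_DH_GROUPS or a in WEAK_INTEGRITY]
            if weak:
                findings.append(f"{key} proposal '{proposal}' uses {', '.join(weak)}")
    if conn.get("rekey") == "no":
        findings.append("rekey=no: server never initiates rekeying, relies on clients")
    if conn.get("leftsubnet") == "0.0.0.0/0":
        findings.append("leftsubnet=0.0.0.0/0: all client traffic is tunnelled via the gateway")
    return findings


def audit_conf(text):
    """Audit every real conn section; returns {conn name: [findings]}."""
    sections = parse_ipsec_conf(text)
    return {name: audit_conn(conn) for name, conn in sections.items()
            if name.startswith("conn ") and name != "conn %default"}


def audit_secrets(text):
    """Flag EAP passwords that more than one user in ipsec.secrets shares."""
    users_by_password = {}
    for line in text.splitlines():
        m = re.match(r'^(\S+)\s*:\s*EAP\s+"([^"]*)"', line)
        if m:
            users_by_password.setdefault(m.group(2), []).append(m.group(1))
    return [f"EAP password shared by {', '.join(users)}"
            for users in users_by_password.values() if len(users) > 1]


if __name__ == "__main__":
    for name, findings in audit_conf(SAMPLE_IPSEC_CONF).items():
        print(name)
        for finding in findings:
            print("  -", finding)
    for finding in audit_secrets(SAMPLE_IPSEC_SECRETS):
        print("secrets:", finding)
```

The proposal check only looks at the DH group and integrity algorithm tokens, so it reports the modp1024/sha1 pairing that Windows negotiates by default without treating the author's rekey=no choice as a fault; that line is listed so whoever inherits the config knows the server depends on client-initiated rekeying.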