[strongSwan] Windows VPN client issue with Strongswan
rajivkulkarni69 at gmail.com
Mon Oct 19 03:32:54 CEST 2020
Maybe this info may be of some use/help to the users. It took up a lot of
time spent studying various aspects and arriving at this config... hence
sharing for the benefit of other users too.
The below is the config for a strongSwan VPN server for Windows IKEv2 clients
(using certs only and/or EAP-MSCHAPv2 for auth). This is working for me
with multiple concurrent Windows IKEv2 clients connected to this server.
Note: the use of the option "rekey=no" on this VPN server is necessary so that
the Windows IKEv2 clients are always the rekey initiators. This option was
all the more necessary when the remote Windows IKEv2 clients were behind NAT
routers... they would NOT respond to rekey requests initiated from the
VPN server... hence rekey is disabled on the server. BUT the VPN server WILL
RESPOND TO ALL REKEY REQUESTS FROM
root@gw1:/tmp# cat /etc/ipsec.conf
# ipsec config file
charondebug="chd 2,knl 1,ike 2,cfg 1"
root@gw1:/tmp# cat /etc/ipsec.secrets
# ipsec-secrets file
: RSA vRouterKey.pem
user1 : EAP "test1234"
user2 : EAP "test1234"
user3 : EAP "test1234"
user4 : EAP "test1234"
user5 : EAP "test1234"
user6 : EAP "test1234"
thanks & regards
On Tue, Oct 13, 2020 at 5:48 PM Makarand Pradhan <MakarandPradhan at is5com.com> wrote:
> Thanks Tobias for responding.
> There is no firewall.
> Windows has not yet sent an IKE_AUTH.
> Windows sends an IKE_SA_INIT.
> strongSwan sends a CA CERT REQ. I think it's going to Windows. The CA cert
> is installed in the Windows Trusted folder.
> On Windows I see a msg saying "Ask your admin to config certificates
> I think I'm messing up with certificates somehow. I've created a CA and
> signed the certificates using this CA on the strongSwan server.
> The CA cert and the Win cert with its private key are installed on Windows.
> The CA cert and server cert are installed in ipsec.d/cacert, ipsec.d/cert
> and the server private key is installed in ipsec.d/private.
> Will recheck and get back.
> Thanks again.
> -----Original Message-----
> From: Tobias Brunner <tobias at strongswan.org>
> Sent: October 12, 2020 10:59 AM
> To: Makarand Pradhan <MakarandPradhan at is5com.com>;
> users at lists.strongswan.org
> Subject: Re: [strongSwan] Windows VPN client issue with Strongswan
> Hi Makarand,
> > 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> > N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ] 06[NET]
> > sending packet: from 10.10.5.1 to 10.10.5.7 (353 bytes)
> > 15[JOB] deleting half open IKE_SA with 10.10.5.7 after timeout
> This could indicate an IP fragmentation issue (IKE_AUTH too large with
> certificate and certificate requests, fragments dropped). But since both
> peers support IKEv2 fragmentation (FRAG_SUP) that seems unlikely.
> While there is no NAT between the hosts, with MOBIKE there will still be a
> switch to UDP port 4500, so make sure no firewall blocks that port.
> What error is the client reporting exactly? Does it actually send an
> IKE_AUTH request?
> > I was expecting a windows cert request. Instead I see a CA Cert req.
> The request is for certificates issued by that CA.
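As an added example (not code from the original post, from Tobias, or from the strongSwan project), here is a small Python script that applies the diagnosis in the reply above to a charon log: it correlates each generated IKE_SA_INIT response with the packet sent on the same worker thread, records whether an IKE_AUTH request was ever parsed from that peer, and flags peers whose half-open IKE_SA was deleted after timeout without one. The log lines embedded in it are constructed in the shape of the lines quoted above (one peer, 10.10.5.8, is invented so that a successful IKE_AUTH appears); the hint texts are assumptions drawn from the reply and from the strongSwan `fragmentation` option, not from the original thread.

```python
"""Spot IKEv2 peers whose IKE_AUTH never reaches the strongSwan server.

Constructed example, not code from the original thread or from strongSwan.
It scans charon log lines and flags peers for which the server generated an
IKE_SA_INIT response but later deleted the half-open IKE_SA after timeout
without ever parsing an IKE_AUTH request: the pattern that points at UDP/4500
being filtered or the (large) IKE_AUTH being fragmented and dropped.
"""
import re
from collections import defaultdict

# Constructed charon log sample. The first two lines and the last line follow
# the shape of the lines quoted in the thread; the lines for 10.10.5.8 are
# made up so that one peer completes IKE_AUTH and one (10.10.5.7) never does.
SAMPLE_LOG = """\
06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
06[NET] sending packet: from 10.10.5.1 to 10.10.5.7 (353 bytes)
07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
07[NET] sending packet: from 10.10.5.1 to 10.10.5.8 (353 bytes)
08[NET] received packet: from 10.10.5.8[4500] to 10.10.5.1[4500] (1224 bytes)
08[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) ]
15[JOB] deleting half open IKE_SA with 10.10.5.7 after timeout
"""

# "NN[GROUP] message"; searched, not anchored, so a syslog timestamp/host prefix
# in front of the thread id does not break matching.
LINE = re.compile(r"(?P<thr>\d+)\[(?P<grp>[A-Z]+)\] (?P<msg>.*)$")
INIT_RESP = re.compile(r"generating IKE_SA_INIT response \d+ \[(?P<payloads>[^\]]*)\]")
PACKET = re.compile(
    r"(?P<dir>sending|received) packet: from (?P<src>[\d.]+)(?:\[\d+\])? "
    r"to (?P<dst>[\d.]+)(?:\[\d+\])?"
)
AUTH_REQ = re.compile(r"parsed IKE_AUTH request \d+")
HALF_OPEN = re.compile(r"deleting half open IKE_SA with (?P<peer>[\d.]+) after timeout")


def _new_peer():
    return {"init_resp": False, "frag_sup": False, "certreq": False,
            "ike_auth": False, "half_open": False}


def analyze(lines):
    """Return {peer_ip: state dict}. charon logs the payload list and the packet
    on separate lines, so the two are correlated by the worker thread id."""
    peers = defaultdict(_new_peer)
    pending_init = {}  # thread id -> payloads of a generated IKE_SA_INIT response
    last_recv = {}     # thread id -> source IP of the most recently received packet
    for raw in lines:
        m = LINE.search(raw.strip())
        if not m:
            continue
        thr, msg = m.group("thr"), m.group("msg")
        if (im := INIT_RESP.search(msg)):
            pending_init[thr] = im.group("payloads")
        elif (pm := PACKET.search(msg)):
            if pm.group("dir") == "sending" and thr in pending_init:
                payloads = pending_init.pop(thr)
                st = peers[pm.group("dst")]
                st["init_resp"] = True
                st["frag_sup"] = "N(FRAG_SUP)" in payloads
                st["certreq"] = "CERTREQ" in payloads
            elif pm.group("dir") == "received":
                last_recv[thr] = pm.group("src")
        elif AUTH_REQ.search(msg) and thr in last_recv:
            peers[last_recv[thr]]["ike_auth"] = True
        elif (hm := HALF_OPEN.search(msg)):
            peers[hm.group("peer")]["half_open"] = True
    return dict(peers)


def diagnose(peers):
    """List (peer, hint) for peers that timed out before any IKE_AUTH arrived."""
    findings = []
    for peer, st in sorted(peers.items()):
        if st["half_open"] and not st["ike_auth"]:
            if st["frag_sup"]:
                hint = ("IKE_SA_INIT answered with FRAG_SUP but no IKE_AUTH request "
                        "arrived: check that UDP 4500 reaches the server (MOBIKE moves "
                        "there even without NAT) and that nothing drops the IKE_AUTH")
            else:
                hint = ("IKE_SA_INIT answered without FRAG_SUP and no IKE_AUTH request "
                        "arrived: a large IKE_AUTH with certificates may be IP-fragmented "
                        "and dropped; enable IKEv2 fragmentation (fragmentation=yes)")
            findings.append((peer, hint))
    return findings


if __name__ == "__main__":
    for peer, hint in diagnose(analyze(SAMPLE_LOG.splitlines())):
        print(f"{peer}: {hint}")
```

Run it against `journalctl -u strongswan` or the charon log with `charondebug` set as in the posted config; the peer that only ever shows up in "deleting half open IKE_SA" lines is the one whose IKE_AUTH (and, if the client is behind NAT, whose port 4500 traffic) is not getting through.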