Re: Windows 7 and IkeV2 VPN Issue

2012-07-27 Thread Mike Belopuhov
On Thu, Jul 26, 2012 at 9:27 PM, Bentley, Dain dbent...@nas.edu wrote:
> Hello fellow OpenBSD users,
>
> I've run into a couple of issues with setting up an IKE IPsec VPN with a
> Windows 7 native client.  Now I've run through the lists and have found a
> solution to get it working somewhat how I'd like it working.
>
> And on my W7 client I have a static IP configured and using machine
> certificates.  I connect there with no issue and everything is kosher...kind
> of.
>
> I want to use a username and password so I have this in my iked.conf:
>
> user my user ID Wouldn't_you_like_to_know?
>
> When I do this I get an error:
> Error Code 13803 IKE Negotiation in progress and it just sits there.  Has
> anyone gotten this to work before?

Sure.

> Any help would be appreciated.  Is there any setting or something I should
> apply?  I'm running Windows 7 within NAT.  Like I said, certs work fine,
> password and usernames do not.

Are you running -current version of iked?  Because you have to.



Re: Windows 7 and IkeV2 VPN Issue

2012-07-27 Thread Bentley, Dain
I see that now.
It appears, after browsing through the lists more, that a change was committed
sometime in May or June that fixed the issue.

Regards,
Dain Bentley

-Original Message-
From: Mike Belopuhov [m...@crypt.org.ru]
Received: Friday, 27 Jul 2012, 6:54am
To: Bentley, Dain [dbent...@nas.edu]
CC: owner-m...@openbsd.org [owner-m...@openbsd.org]; misc@openbsd.org
[misc@openbsd.org]
Subject: Re: Windows 7 and IkeV2 VPN Issue


Windows 7 and IkeV2 VPN Issue

2012-07-26 Thread Bentley, Dain
Hello fellow OpenBSD users,

I've run into a couple of issues with setting up an IKE IPsec VPN with a
Windows 7 native client.  Now I've run through the lists and have found a
solution to get it working somewhat how I'd like it working.

I currently have this in my iked.conf:

ikev2 passive esp \
from 192.168.200.0/24 to 10.10.10.0/24 local any peer any \
srcid xxx.xxx.xxx.xxx \
config address 10.10.10.1 \
config name-server 192.168.200.x

And on my W7 client I have a static IP configured and using machine
certificates.  I connect there with no issue and everything is kosher...kind
of.

I want to use a username and password so I have this in my iked.conf:

user my user ID Wouldn't_you_like_to_know?

ikev2 passive esp \
from 192.168.200.0/24 to 10.10.10.0/24 local any peer any \
eap mschap-v2 \
srcid xxx.xxx.xxx.xxx \
config address 10.10.10.1 \
config name-server 192.168.200.x \
tag $name-$id

When I do this I get an error:
Error Code 13803 IKE Negotiation in progress and it just sits there.  Has
anyone gotten this to work before?

I run iked in debug mode with verbose output and receive the following:
/etc/iked.conf: loaded 2 configuration rules
config_new_user: inserting new user my_user
user my_user password
config_getpolicy: received policy
ikev2 win7 passive esp from 192.168.200.0/24 to 10.10.10.0/24 local any peer
any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1,hmac-md5
auth hmac-sha2-256,hmac-sha1,hmac-md5 group modp2048-256,modp2048,modp1536,modp1024
childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid
xxx.xxx.xxx.xxx lifetime 10800 bytes 536870912 eap MSCHAP_V2 config address 10.10.10.7
ca_reload: loaded ca file ca.crt
ca_reload: loaded crl file ca.crl
ca_reload:
/C=US/ST=/L=/O=xxx.com/OU=VPN/CN=cerberus.xxx.x/emailAddress=info@xxx.xx
config_getpfkey: received pfkey fd 4
ca_reload: loaded 1 ca certificate
config_getcompile: compilation done
config_getsocket: received socket fd 11
config_getsocket: received socket fd 12
config_getsocket: received socket fd 14
config_getsocket: received socket fd 20
ca_reload: loaded cert file xxx.xxx.xxx.xxx.crt
ca_validate_cert:
/C=US/ST=/L=/O=xxx.com/OU=VPN/CN=xxx.xxx.xxx.xxx/emailAddress=i...@xxx.com ok
ikev2_dispatch_cert: updated local CERTREQ signatures length 20
ikev2_recv: IKE_SA_INIT from initiator xxx.xxx.xxx.xxx:56506 to
xxx.xxx.xxx.xxx:500 policy 'win7', 792 bytes
ikev2_policy2id: srcid IPV4/xxx.xxx.xxx.xxx length 8
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 792
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 520
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x46459f2713e1d8d3 0x
xxx.xxx.xxx.xxx:56506
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP
encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x46459f2713e1d8d3 0x
xxx.xxx.xxx.xxx:500
sa_state: INIT - SA_INIT
ikev2_sa_negotiate: score 23
sa_stateok: SA_INIT flags 0x00, require 0x00
sa_stateflags: 0x00 - 0x08 sa (required 0x00 )
ikev2_sa_keys: SKEYSEED with 20 bytes
ikev2_sa_keys: S with 96 bytes
ikev2_prfplus: T1 with 20 bytes
ikev2_prfplus: T2 with 20 bytes
ikev2_prfplus: T3 with 20 bytes
ikev2_prfplus: T4 with 20 bytes
ikev2_prfplus: T5 with 20 bytes
ikev2_prfplus: T6 with 20 bytes
ikev2_prfplus: T7 with 20 bytes
ikev2_prfplus: T8 with 20 bytes
ikev2_prfplus: Tn with 160 bytes
ikev2_sa_keys: SK_d with 20 bytes
ikev2_sa_keys: SK_ai with 20 bytes
ikev2_sa_keys: SK_ar with 20 bytes
ikev2_sa_keys: SK_ei with 24 bytes
ikev2_sa_keys: SK_er with 24 bytes
ikev2_sa_keys: SK_pi with 20 bytes
ikev2_sa_keys: SK_pr with 20 bytes
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload KE
ikev2_next_payload: length 136 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x46459f2713e1d8d3 0x7916745180423feb
xxx.xxx.xxx.xxx:500
ikev2_next_payload: length 28
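The debug output above shows what the Windows 7 client actually proposed in IKE_SA_INIT (3DES, HMAC-SHA1-96, HMAC-SHA1, MODP-1024) and the SK_* key sizes iked derived from it. The following script is an added example for this thread, not code from the post or from OpenBSD's iked: it parses those ikev2_pld_xform, ikev2_pld_notify, ikev2_sa_negotiate and ikev2_sa_keys lines, lists the proposal, flags transforms the script itself classes as weak (its own judgement, following RFC 8247 guidance), notes NAT-T, and checks that the derived key sizes are the ones the proposed algorithms imply per RFC 7296 section 2.14. SAMPLE_LOG is constructed after the log in the post; the "more 0" handling relies on iked printing that field as the last-transform marker, which the log above shows.

```python
"""Check what an IKEv2 initiator proposed, from iked(8) -dv output.

Added example, not code from the original post or from OpenBSD's iked.
"""
import re

XFORM_RE = re.compile(
    r"ikev2_pld_xform: more (\d+) reserved \d+ length \d+ type (\w+) id (\w+)")
KEY_RE = re.compile(r"ikev2_sa_keys: (SK_\w+) with (\d+) bytes")
SCORE_RE = re.compile(r"ikev2_sa_negotiate: score (\d+)")

# Transforms this example flags as weak (its own judgement, after RFC 8247);
# iked prints no such verdict itself.
WEAK = {
    "ENCR": {"DES", "3DES", "NULL"},
    "INTEGR": {"HMAC_MD5_96", "NONE"},
    "PRF": {"HMAC_MD5"},
    "DH": {"MODP_768", "MODP_1024", "MODP_1536"},
}
# Key bytes each transform implies (RFC 7296 2.14): PRF key for SK_d/SK_pi/SK_pr,
# integrity key for SK_ai/SK_ar, cipher key for SK_ei/SK_er.  AES is omitted
# because its length comes from a KEY_LENGTH attribute this script does not parse.
PRF_KEYLEN = {"HMAC_MD5": 16, "HMAC_SHA1": 20, "HMAC_SHA2_256": 32,
              "HMAC_SHA2_384": 48, "HMAC_SHA2_512": 64}
INTEGR_KEYLEN = {"HMAC_MD5_96": 16, "HMAC_SHA1_96": 20, "HMAC_SHA2_256_128": 32,
                 "HMAC_SHA2_384_192": 48, "HMAC_SHA2_512_256": 64}
ENCR_KEYLEN = {"DES": 8, "3DES": 24}


def expected_keys(proposal):
    """SK_* sizes (bytes) a proposal implies, for fixed-key transforms only."""
    exp = {}
    n = PRF_KEYLEN.get(proposal.get("PRF"))
    if n:
        exp.update({"SK_d": n, "SK_pi": n, "SK_pr": n})
    n = INTEGR_KEYLEN.get(proposal.get("INTEGR"))
    if n:
        exp.update({"SK_ai": n, "SK_ar": n})
    n = ENCR_KEYLEN.get(proposal.get("ENCR"))
    if n:
        exp.update({"SK_ei": n, "SK_er": n})
    return exp


def analyze(lines):
    """Parse iked debug lines; return proposals, weak transforms, NAT-T, key check."""
    proposals, current, keys = [], {}, {}
    nat_t, score = False, None
    for line in lines:
        m = XFORM_RE.search(line)
        if m:
            more, xtype, xid = m.groups()
            current[xtype] = xid
            if more == "0":          # "more 0": last transform of this proposal
                proposals.append(current)
                current = {}
            continue
        m = KEY_RE.search(line)
        if m:
            keys[m.group(1)] = int(m.group(2))
            continue
        m = SCORE_RE.search(line)
        if m:
            score = int(m.group(1))
        elif "detected NAT, enabling UDP encapsulation" in line:
            nat_t = True
    weak = [f"proposal {i}: {t} {x}"
            for i, p in enumerate(proposals, 1)
            for t, x in p.items() if x in WEAK.get(t, ())]
    # Proposals whose implied key sizes all match the SK_* sizes iked derived.
    consistent = [i for i, p in enumerate(proposals, 1)
                  if expected_keys(p)
                  and all(keys.get(k) == v for k, v in expected_keys(p).items())]
    return {"proposals": proposals, "weak": weak, "nat_t": nat_t,
            "score": score, "key_consistent_with": consistent}


# Constructed sample, modelled on the log in the post (one proposal, four transforms).
SAMPLE_LOG = """\
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
ikev2_sa_negotiate: score 23
ikev2_sa_keys: SKEYSEED with 20 bytes
ikev2_sa_keys: SK_d with 20 bytes
ikev2_sa_keys: SK_ai with 20 bytes
ikev2_sa_keys: SK_ar with 20 bytes
ikev2_sa_keys: SK_ei with 24 bytes
ikev2_sa_keys: SK_er with 24 bytes
ikev2_sa_keys: SK_pi with 20 bytes
ikev2_sa_keys: SK_pr with 20 bytes
"""

if __name__ == "__main__":
    for k, v in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{k}: {v}")
```

Run it against `iked -dv` output piped to a file and it reports the same things for a live client. The proposal was accepted here because the policy dumped in the log lists 3des and modp1024 on its ikesa line; restricting that line to aes and modp2048 or better would make iked reject Windows 7's default proposal, so tightening the responder also means changing what the client offers.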