Hi there,

I am trying to get iked working with a Windows 10 client, but it seems Windows 10 isn't going to work with the certificates I created and installed.

So far I did:

 - followed the OpenIKED howto to get my OpenBSD box set up

    ikev2 "win" passive ipcomp esp \
    from 0.0.0.0/0 to 10.10.10.0/24 \
    local 192.168.0.73 peer any \
    srcid 192.168.0.73 \
    tag IKED

 - added the pf rules
 - created a client cert with the IP address of the client as FQDN (because the cert with the client machine name didn't work)
 - started iked in debug mode with some verbosity (added the output below)

Is it even possible to get it to work for Windows 10 with the given howto, or do I need to add something else?

I think the problem is on the Windows side, because it tells me there is no certificate to be found. I added the certificate to the local machine store -> own certificates (at least in the German UI there is no Personal folder).

If someone would like to see the debug output:

start debug output
--------------------------

ikev2_recv: IKE_SA_INIT request from initiator 192.168.0.72:500 to 192.168.0.73:500 policy 'win' id 0, 616 bytes
ikev2_recv: ispi 0xb76efcd4402276ed rspi 0x0000000000000000
ikev2_policy2id: srcid IPV4/192.168.0.73 length 8
ikev2_pld_parse: header ispi 0xb76efcd4402276ed rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 616 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
ikev2_pld_sa: more than one proposal specified
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
c97aca74 9caa3cbb 70f6eb31 c55e8687 b41431ec 5550e6b8 1233795f 247be2a8
f17eb8fc 67560aa7 e0131fa3 edb43993 95a321aa e39c39f5 e40306d7 098ff42e
3ef6e79f 7f0a5c30 8b2cd031 4980a9f4 339b6518 107a9733 1ae169dd ea421996
d07651db 65ef1a91 b04fc991 e31379c0 18fc4a5c 26c87981 81c54dbb f7c8d223
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
dca1e1cf 770662d4 77cfc0d4 a35c3685 5d2a59a4 1aeac0cc 6ee900b7 1505ad22
75956bde caa6bed9 a70601f9 e3b0b1e1
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
4dd57bae f055f8d8 9a347ca0 7a22f663 992117c8
ikev2_nat_detection: peer source 0xb76efcd4402276ed 0x0000000000000000 192.168.0.72:500
4dd57bae f055f8d8 9a347ca0 7a22f663 992117c8
ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
fe055aee aa293f41 af77541d a89ff4b0 126306ef
ikev2_nat_detection: peer destination 0xb76efcd4402276ed 0x0000000000000000 192.168.0.73:500
fe055aee aa293f41 af77541d a89ff4b0 126306ef
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 24
1e2b5169 05991c7d 7c96fcbf b587e461 00000009
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
fb1de3cd f341b7ea 16b7e5be 0855f120
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
26244d38 eddb61b3 172a36e3 d0cfb819
ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 24
01528bbb c0069612 1849ab9a 1c5b2a51 00000002
sa_state: INIT -> SA_INIT
ikev2_match_proposals: xform 1 <-> 1 (10): ENCR 3DES (keylength 0 <-> 0)
ikev2_match_proposals: xform 1 <-> 1 (4): INTEGR HMAC_SHA1_96 (keylength 0 <-> 0)
ikev2_match_proposals: xform 1 <-> 1 (2): PRF HMAC_SHA1 (keylength 0 <-> 0)
ikev2_match_proposals: xform 1 <-> 1 (5): DH MODP_1024 (keylength 0 <-> 0)
ikev2_sa_negotiate: score 21
ikev2_sa_negotiate: score 10: ENCR 3DES
ikev2_sa_negotiate: score 2: PRF HMAC_SHA1
ikev2_sa_negotiate: score 4: INTEGR HMAC_SHA1_96
ikev2_sa_negotiate: score 5: DH MODP_1024
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_sa_keys: SKEYSEED with 20 bytes
5ba80078 e765d093 dbe64f3f 27681da3 5a08771e
ikev2_sa_keys: S with 96 bytes
dca1e1cf 770662d4 77cfc0d4 a35c3685 5d2a59a4 1aeac0cc 6ee900b7 1505ad22
75956bde caa6bed9 a70601f9 e3b0b1e1 36b9b513 2ecbd6f8 a8d0fbee 9fd4722c
161f2c1f adb72626 4b04d05a 1caaf322 b76efcd4 402276ed 3031dda0 cca39594
ikev2_prfplus: T1 with 20 bytes
d1b97d70 91d8868c 72c4c28c abc1d900 22164363
ikev2_prfplus: T2 with 20 bytes
b36dbd6f 32c602e5 df8172d7 7f86d2f1 d2709260
ikev2_prfplus: T3 with 20 bytes
8086e540 a1c6e0b5 ac31ae5f 33ce6e99 54f8c64f
ikev2_prfplus: T4 with 20 bytes
0e9fed35 b812d76b 261f8b70 40dec377 3a84f431
ikev2_prfplus: T5 with 20 bytes
b4a1bac2 8c82df78 fcec5523 0ea7d837 3830a842
ikev2_prfplus: T6 with 20 bytes
03d9b573 49632abf 2f63c8a3 270291f5 b447e67e
ikev2_prfplus: T7 with 20 bytes
012b20b4 b7c1f2e1 35453a0f 70b6e0b4 0361d0be
ikev2_prfplus: T8 with 20 bytes
606aefca 8492f287 7fac1d67 851690f0 dec82da9
ikev2_prfplus: Tn with 160 bytes
d1b97d70 91d8868c 72c4c28c abc1d900 22164363 b36dbd6f 32c602e5 df8172d7
7f86d2f1 d2709260 8086e540 a1c6e0b5 ac31ae5f 33ce6e99 54f8c64f 0e9fed35
b812d76b 261f8b70 40dec377 3a84f431 b4a1bac2 8c82df78 fcec5523 0ea7d837
3830a842 03d9b573 49632abf 2f63c8a3 270291f5 b447e67e 012b20b4 b7c1f2e1
35453a0f 70b6e0b4 0361d0be 606aefca 8492f287 7fac1d67 851690f0 dec82da9
ikev2_sa_keys: SK_d with 20 bytes
d1b97d70 91d8868c 72c4c28c abc1d900 22164363
ikev2_sa_keys: SK_ai with 20 bytes
b36dbd6f 32c602e5 df8172d7 7f86d2f1 d2709260
ikev2_sa_keys: SK_ar with 20 bytes
8086e540 a1c6e0b5 ac31ae5f 33ce6e99 54f8c64f
ikev2_sa_keys: SK_ei with 24 bytes
0e9fed35 b812d76b 261f8b70 40dec377 3a84f431 b4a1bac2
ikev2_sa_keys: SK_er with 24 bytes
8c82df78 fcec5523 0ea7d837 3830a842 03d9b573 49632abf
ikev2_sa_keys: SK_pi with 20 bytes
2f63c8a3 270291f5 b447e67e 012b20b4 b7c1f2e1
ikev2_sa_keys: SK_pr with 20 bytes
35453a0f 70b6e0b4 0361d0be 606aefca 8492f287
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload KE
ikev2_next_payload: length 136 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xb76efcd4402276ed 0x3031dda0cca39594 192.168.0.73:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xb76efcd4402276ed 0x3031dda0cca39594 192.168.0.72:500
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload NONE
ikev2_pld_parse: header ispi 0xb76efcd4402276ed rspi 0x3031dda0cca39594 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 325 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
8b8f9aa2 b0070c1b 76b731fb 1bfbce1f 35777e94 d42d584b c10aad2e 41f3dd0f
d30c9be4 fd85374e 639a1f5e 48e6831c b3e1b91f 38615673 fab2ec23 c7269eed
87dec5d3 f737cd40 03e6be29 557dccb9 b7c3bbef 64e21704 2f88036d 1a5fef95
3b6cfa6a cf80c478 8adf88b2 e585062e 3c2a8894 2960489c e3351acf 41d95795
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
36b9b513 2ecbd6f8 a8d0fbee 9fd4722c 161f2c1f adb72626 4b04d05a 1caaf322
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
5d780347 24748949 971b4a51 ef7e3c47 8b68a5b9
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
5fa4a694 a3a2c96c dbd080fb 45197f71 982a8839
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
599ac30f ca3aaba9 dfd60bd8 7cdca0c7 8c679fe8
ikev2_msg_send: IKE_SA_INIT response from 192.168.0.73:500 to 192.168.0.72:500 msgid 0, 325 bytes
config_free_proposals: free 0xa3bec71f200
ikev2_recv: IKE_SA_INIT request from initiator 192.168.0.72:500 to 192.168.0.73:500 policy 'win' id 0, 616 bytes
ikev2_recv: ispi 0xdbec126ab17d4a81 rspi 0x0000000000000000
ikev2_policy2id: srcid IPV4/192.168.0.73 length 8
ikev2_pld_parse: header ispi 0xdbec126ab17d4a81 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 616 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
ikev2_pld_sa: more than one proposal specified
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
05d2604e 9094ece5 b12c9c57 182e8dad 49caaaa7 df12d66d c2fc1c9a 847d3b3c
cbda5ed0 16226388 559b0dc5 cfbf4372 4013205d dfcea3c0 1ccbe0e4 8abf38bc
e16f3a34 4034859f 27bb9f1a d47b6d0f 69a211b0 26977cf2 d9a4e2d7 be81035b
4c85974c 14bffd76 3ff90313 95dbb1f1 1e975e60 6622b62e 2adfcdae d293b4ba
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
ca6ccbcc 5b046ff8 6ddf7c21 d0dead35 4c0cdb70 1a6e6e27 5ec37743 0d2c5f3b
70aa87e1 e6f33e50 1fed4c9b 1c94435d
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
1f393fea 9a071a8b 0d4409ab 73aa6c8f 6a9f944c
ikev2_nat_detection: peer source 0xdbec126ab17d4a81 0x0000000000000000 192.168.0.72:500
1f393fea 9a071a8b 0d4409ab 73aa6c8f 6a9f944c
ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
f62736db 5eefcf22 a65aba75 b7e0a3d8 5b2c2d5c
ikev2_nat_detection: peer destination 0xdbec126ab17d4a81 0x0000000000000000 192.168.0.73:500
f62736db 5eefcf22 a65aba75 b7e0a3d8 5b2c2d5c
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 24
1e2b5169 05991c7d 7c96fcbf b587e461 00000009
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
fb1de3cd f341b7ea 16b7e5be 0855f120
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
26244d38 eddb61b3 172a36e3 d0cfb819
ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 24
01528bbb c0069612 1849ab9a 1c5b2a51 00000002
sa_state: INIT -> SA_INIT
ikev2_match_proposals: xform 1 <-> 1 (10): ENCR 3DES (keylength 0 <-> 0)
ikev2_match_proposals: xform 1 <-> 1 (4): INTEGR HMAC_SHA1_96 (keylength 0 <-> 0)
ikev2_match_proposals: xform 1 <-> 1 (2): PRF HMAC_SHA1 (keylength 0 <-> 0)
ikev2_match_proposals: xform 1 <-> 1 (5): DH MODP_1024 (keylength 0 <-> 0)
ikev2_sa_negotiate: score 21
ikev2_sa_negotiate: score 10: ENCR 3DES
ikev2_sa_negotiate: score 2: PRF HMAC_SHA1
ikev2_sa_negotiate: score 4: INTEGR HMAC_SHA1_96
ikev2_sa_negotiate: score 5: DH MODP_1024
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_sa_keys: SKEYSEED with 20 bytes
c3e58bc0 7c6350dc 03613459 b262c293 62b147e6
ikev2_sa_keys: S with 96 bytes
ca6ccbcc 5b046ff8 6ddf7c21 d0dead35 4c0cdb70 1a6e6e27 5ec37743 0d2c5f3b
70aa87e1 e6f33e50 1fed4c9b 1c94435d 37bcd238 7a7330f8 b316abe2 c70a206a
2d57e73a 3a3c3bfc 2cac3049 c0493e7b dbec126a b17d4a81 2fe0a424 1cca9069
ikev2_prfplus: T1 with 20 bytes
89e1dfa6 fa2d7ec5 d18535f3 1676da4f 5ba2e292
ikev2_prfplus: T2 with 20 bytes
0fdaa7bc cb0fd3e5 7dfbad0d 45f4a76a 2ae2201f
ikev2_prfplus: T3 with 20 bytes
16010335 b11534d2 c8c3ebb9 d41e885b 951cb6fe
ikev2_prfplus: T4 with 20 bytes
74f2ea4d 88ee9904 6f76601b 943a39c3 d8ce74db
ikev2_prfplus: T5 with 20 bytes
50d4c197 36a03631 9e92a929 9eb7abbd c2997b62
ikev2_prfplus: T6 with 20 bytes
04152b72 3a7d1e68 d22ef1a8 70906c2f c6f52d93
ikev2_prfplus: T7 with 20 bytes
857bc1d7 a45e9ae0 0eb31bbb b337fda7 038eeaf9
ikev2_prfplus: T8 with 20 bytes
424c00fc 7b0418b3 649240dd 6df0d265 17d5c8c7
ikev2_prfplus: Tn with 160 bytes
89e1dfa6 fa2d7ec5 d18535f3 1676da4f 5ba2e292 0fdaa7bc cb0fd3e5 7dfbad0d
45f4a76a 2ae2201f 16010335 b11534d2 c8c3ebb9 d41e885b 951cb6fe 74f2ea4d
88ee9904 6f76601b 943a39c3 d8ce74db 50d4c197 36a03631 9e92a929 9eb7abbd
c2997b62 04152b72 3a7d1e68 d22ef1a8 70906c2f c6f52d93 857bc1d7 a45e9ae0
0eb31bbb b337fda7 038eeaf9 424c00fc 7b0418b3 649240dd 6df0d265 17d5c8c7
ikev2_sa_keys: SK_d with 20 bytes
89e1dfa6 fa2d7ec5 d18535f3 1676da4f 5ba2e292
ikev2_sa_keys: SK_ai with 20 bytes
0fdaa7bc cb0fd3e5 7dfbad0d 45f4a76a 2ae2201f
ikev2_sa_keys: SK_ar with 20 bytes
16010335 b11534d2 c8c3ebb9 d41e885b 951cb6fe
ikev2_sa_keys: SK_ei with 24 bytes
74f2ea4d 88ee9904 6f76601b 943a39c3 d8ce74db 50d4c197
ikev2_sa_keys: SK_er with 24 bytes
36a03631 9e92a929 9eb7abbd c2997b62 04152b72 3a7d1e68
ikev2_sa_keys: SK_pi with 20 bytes
d22ef1a8 70906c2f c6f52d93 857bc1d7 a45e9ae0
ikev2_sa_keys: SK_pr with 20 bytes
0eb31bbb b337fda7 038eeaf9 424c00fc 7b0418b3
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload KE
ikev2_next_payload: length 136 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xdbec126ab17d4a81 0x2fe0a4241cca9069 192.168.0.73:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xdbec126ab17d4a81 0x2fe0a4241cca9069 192.168.0.72:500
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload NONE
ikev2_pld_parse: header ispi 0xdbec126ab17d4a81 rspi 0x2fe0a4241cca9069 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 325 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
b836f509 cffb767b 195b214e eec0bee4 8f09d051 65e86ede 333fc989 630171d3
7b4c945f 2c2077b5 2c567d35 9940a34b a2d230ee 1f8b213b 51a10c60 ddc0d559
f1781eda 6b48ce2a 16515961 9ffbd6bb 54df7651 68d64454 69ce7224 02690945
612c6ec1 33fd3d66 87860737 8c583e5a 5a6fcde6 2b707d59 00ebb905 5dc5d63d
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
37bcd238 7a7330f8 b316abe2 c70a206a 2d57e73a 3a3c3bfc 2cac3049 c0493e7b
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
440c65e1 bb0e01db 450305c7 8580e958 e677a0ad
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
3c4291d3 331a1068 29e4cfb5 e916aca9 fb61b15c
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
599ac30f ca3aaba9 dfd60bd8 7cdca0c7 8c679fe8
ikev2_msg_send: IKE_SA_INIT response from 192.168.0.73:500 to 192.168.0.72:500 msgid 0, 325 bytes
config_free_proposals: free 0xa3bec71f800

----------------------
end debug output


Regards,

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before you print it, think about your responsibility and commitment to the ENVIRONMENT

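Reading the debug output quoted in the mail above, as an added example that is not part of the original post: iked answers two IKE_SA_INIT requests with different initiator SPIs (0xb76efcd4402276ed and 0xdbec126ab17d4a81), and both times the client starts over instead of sending IKE_AUTH, so the SA never reaches the authentication step where certificates are exchanged. The script below parses such an iked trace to make that visible and extracts the CERTREQ digest, which per RFC 7296 section 3.7 is the SHA-1 of the trusted CA's SubjectPublicKeyInfo and can be compared against the CA certificate installed on the client. The sample lines are copied from the quoted trace; the regular expressions and the "stalled after IKE_SA_INIT" classification are mine, not iked's.

```python
"""Summarize how far each IKEv2 exchange got in an iked(8) debug trace.

Added example, not part of the original mail or of OpenIKED.  The sample
lines are copied from the trace quoted in the post; the parsing and the
classification logic are assumptions of this example.
"""
import re
from collections import OrderedDict

# Sample trace: the subset of lines from the quoted debug output that the
# analysis needs (constructed excerpt, same content as the mail).
SAMPLE_TRACE = """\
ikev2_recv: IKE_SA_INIT request from initiator 192.168.0.72:500 to 192.168.0.73:500 policy 'win' id 0, 616 bytes
ikev2_pld_parse: header ispi 0xb76efcd4402276ed rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 616 response 0
ikev2_add_certreq: type X509_CERT length 21
ikev2_pld_parse: header ispi 0xb76efcd4402276ed rspi 0x3031dda0cca39594 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 325 response 1
ikev2_pld_certreq: type X509_CERT length 20
599ac30f ca3aaba9 dfd60bd8 7cdca0c7 8c679fe8
ikev2_msg_send: IKE_SA_INIT response from 192.168.0.73:500 to 192.168.0.72:500 msgid 0, 325 bytes
ikev2_recv: IKE_SA_INIT request from initiator 192.168.0.72:500 to 192.168.0.73:500 policy 'win' id 0, 616 bytes
ikev2_pld_parse: header ispi 0xdbec126ab17d4a81 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 616 response 0
ikev2_pld_parse: header ispi 0xdbec126ab17d4a81 rspi 0x2fe0a4241cca9069 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 325 response 1
ikev2_pld_certreq: type X509_CERT length 20
599ac30f ca3aaba9 dfd60bd8 7cdca0c7 8c679fe8
ikev2_msg_send: IKE_SA_INIT response from 192.168.0.73:500 to 192.168.0.72:500 msgid 0, 325 bytes
"""

# One line per parsed IKEv2 header; "response 0" marks a message the peer sent.
HEADER_RE = re.compile(
    r"ikev2_pld_parse: header ispi (?P<ispi>0x[0-9a-f]+) rspi (?P<rspi>0x[0-9a-f]+) "
    r".*exchange (?P<exchange>\S+) .*msgid (?P<msgid>\d+) .*response (?P<response>[01])"
)
# CERTREQ payload as parsed; the digest follows on the next line as hex words.
CERTREQ_RE = re.compile(r"ikev2_pld_certreq: type X509_CERT length (?P<len>\d+)")
HEXLINE_RE = re.compile(r"^(?:[0-9a-f]{8}\s*)+$")


def parse_trace(text):
    """Return (exchanges, certreq_hashes).

    exchanges maps each initiator SPI to the list of exchange types the
    initiator sent for that SA, in order; certreq_hashes lists the distinct
    CA digests iked advertised in CERTREQ payloads (hex, no spaces).
    """
    exchanges = OrderedDict()
    hashes = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = HEADER_RE.search(line)
        if m:
            if m.group("response") == "0":  # only messages from the peer
                exchanges.setdefault(m.group("ispi"), []).append(m.group("exchange"))
            continue
        m = CERTREQ_RE.search(line)
        if m and i + 1 < len(lines) and HEXLINE_RE.match(lines[i + 1].strip()):
            digest = lines[i + 1].replace(" ", "").strip()
            if len(digest) == 2 * int(m.group("len")) and digest not in hashes:
                hashes.append(digest)
    return exchanges, hashes


def diagnose(exchanges):
    """Classify the trace from the responder's point of view.

    An IKEv2 initiator that completed IKE_SA_INIT must send IKE_AUTH next;
    a new IKE_SA_INIT with a fresh SPI and no IKE_AUTH in between means the
    initiator gave up before authentication, i.e. before any certificate
    was exchanged with the responder.
    """
    auth_seen = any("IKE_AUTH" in ex for ex in exchanges.values())
    return {
        "ike_sa_count": len(exchanges),
        "ike_auth_seen": auth_seen,
        "stalled_after_sa_init": bool(exchanges) and not auth_seen,
        "restarts": max(len(exchanges) - 1, 0),
    }


def report(text):
    """Human-readable summary for a trace; used by the __main__ block."""
    exchanges, hashes = parse_trace(text)
    finding = diagnose(exchanges)
    out = []
    for ispi, seen in exchanges.items():
        out.append("SA %s: initiator sent %s" % (ispi, ", ".join(seen)))
    if finding["stalled_after_sa_init"]:
        out.append(
            "%d IKE_SA_INIT exchange(s) completed on the responder, no IKE_AUTH "
            "ever arrived: the client stopped before authentication, so check "
            "the client's certificate store first." % finding["ike_sa_count"]
        )
    for h in hashes:
        out.append("CERTREQ advertises CA SPKI SHA-1 %s (RFC 7296 s.3.7); "
                   "compare with the CA installed on the client" % h)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_TRACE))
```

Run it against a full `iked -dvv` log instead of the embedded excerpt by reading the file into `report()`; the regular expressions match the same `ikev2_pld_parse` and `ikev2_pld_certreq` lines as they appear in the quoted trace. The SPKI hash on the client side can be produced with openssl (`openssl x509 -in ca.crt -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha1`) for comparison.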