Re: IKEv2 on Windows 10
On 2021/01/16 13:35, Ian Timothy wrote:
>
>
> > On 14 Jan 2021, at 01:28, Stuart Henderson wrote:
> >
> > On 2021-01-13, Ian Timothy wrote:
> >> Looking at some of the other information provided, I tried this along with
> >> the registry edit below:
> >>
> >> PS> Add-VpnConnection -Name "IPB2" -ServerAddress "vpn.company.com"
> >> -TunnelType IKEv2 -AuthenticationMethod MachineCertificate
> >> -AllUserConnection -Force
> >
> > "-AuthenticationMethod MachineCertificate" - I thought you were using
> > MSCHAP not machine certs?
>
> I’m just trying anything and everything at this point. I’ll do whatever works.

I can't help with machine cert config, but the config I outlined works
well for mschapv2 for me, it needs the CA and server certificate on the
server, and just the CA cert installing on the client, no machine cert
on the client. (There should be a way of getting machine cert to work,
but I haven't gone down that rabbit hole).

> $ ikectl show ca vpn certificates
> subject= /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=VPN/emailAddress=t...@company.com
> SHA256 Fingerprint=83:BE:37:FD:A9:B1:53:11:F6:7D:90:25:20:42:21:46:13:52:E1:C3:14:9B:F9:E1:74:C8:89:6A:3E:55:0F:FC
> notBefore=Jan 16 19:51:53 2021 GMT
> notAfter=May 13 19:51:53 2033 GMT
>
> subject= /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=vpn.company.com/emailAddress=t...@company.com
> SHA256 Fingerprint=9F:93:75:73:6A:F2:BE:59:4A:14:BD:C6:F3:1C:C0:DC:20:26:0D:B7:AE:1C:07:BC:FE:6A:04:C2:20:07:BC:6D
> notBefore=Jan 16 19:52:15 2021 GMT
> notAfter=Jan 16 19:52:15 2022 GMT

Make a calendar note to generate a new server certificate. The CA
certificate will still be valid so you don't need to touch clients for
that change, just the new server cert.
> subject= /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=10.0.2.100/emailAddress=t...@company.com
> SHA256 Fingerprint=BF:E5:C4:64:55:4D:4E:E7:BC:7F:D9:6E:90:C2:06:BD:66:9A:40:04:EB:C3:BE:A3:2A:DA:91:1A:E7:3D:42:A4
> notBefore=Jan 16 19:52:41 2021 GMT
> notAfter=Jan 16 19:52:41 2022 GMT

If you are using client machine certs (rather than mschapv2), you will
need to be prepared to get that cert updated on the clients (or use
some other CA tool that allows setting a longer time).

> #
> # Install certificates on Windows
> #
>
> 1. scp 10.0.2.100.zip from vpn.company.com to Windows client
> 2. Unzip
> 3. Double click ca.pfx
>    1. Select “Local Machine”
>    2. Select “Place certificates in following store”
>       1. Select “Trusted Root Certificate Authorities”

fwiw I normally put them in Enterprise under there so they don't get
mixed up with internet CAs, either should work though.

Be aware that after this change is made, someone with access to the key
for the CA certificate is able to use it to spoof/intercept https
requests to sites on the internet in a way that they will usually be
accepted by the client machines. This is what needs doing here, but do
look after the key carefully, it protects more than just vpn access.
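Two things in this thread are easy to get wrong operationally: the server certificate's CN has to match the srcid in iked.conf, and the one-year server and client certificates expire long before the CA does. The following Python is an added example (not code from the thread or from ikectl) that parses the `ikectl show ca vpn certificates` listing quoted above, cross-checks it against the srcid in an iked.conf rule, and reports certificates that are expired or about to expire; the listing and the iked.conf fragment embedded below are re-pasted from the thread, and the check date is constructed.

```python
"""Review the certificates ikectl created for the vpn CA.

Added example, not from the thread. LISTING is the `ikectl show ca vpn
certificates` output posted above; review() confirms a currently valid
certificate whose CN equals the srcid in iked.conf and lists certificates
expiring within warn_days so the server certificate renewal can be scheduled."""
import re
from datetime import datetime, timedelta

TIME_FMT = "%b %d %H:%M:%S %Y GMT"   # openssl-style notBefore/notAfter timestamps


def parse_listing(text):
    """Return one dict per certificate: subject, cn, fingerprint, not_before, not_after."""
    certs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("subject="):
            cur = {"subject": line.split("=", 1)[1].strip()}
            m = re.search(r"/CN=([^/]+)", cur["subject"])
            cur["cn"] = m.group(1) if m else None
            certs.append(cur)
        elif cur is not None and line.startswith("SHA256 Fingerprint="):
            cur["fingerprint"] = line.split("=", 1)[1]
        elif cur is not None and line.startswith(("notBefore=", "notAfter=")):
            key, value = line.split("=", 1)
            cur["not_before" if key == "notBefore" else "not_after"] = datetime.strptime(value.strip(), TIME_FMT)
    return certs


def srcid_from_conf(conf):
    """Pick the srcid out of an iked.conf rule (quoted or bare value)."""
    m = re.search(r'^\s*srcid\s+"?([^"\s\\]+)', conf, re.MULTILINE)
    return m.group(1) if m else None


def review(listing, conf, now, warn_days=30):
    """Cross-check the listing against iked.conf at time `now` (datetime or TIME_FMT string)."""
    if isinstance(now, str):
        now = datetime.strptime(now, TIME_FMT)
    certs = parse_listing(listing)
    srcid = srcid_from_conf(conf)
    server = [c for c in certs if c["cn"] == srcid and c["not_before"] <= now < c["not_after"]]
    horizon = now + timedelta(days=warn_days)
    return {"srcid": srcid,
            "server_cert_valid": bool(server),
            "expired": [c["cn"] for c in certs if c["not_after"] <= now],
            "expiring": [c["cn"] for c in certs if now < c["not_after"] <= horizon]}


# The listing posted in the thread: CA, server certificate, client machine certificate.
LISTING = """\
subject= /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=VPN/emailAddress=t...@company.com
SHA256 Fingerprint=83:BE:37:FD:A9:B1:53:11:F6:7D:90:25:20:42:21:46:13:52:E1:C3:14:9B:F9:E1:74:C8:89:6A:3E:55:0F:FC
notBefore=Jan 16 19:51:53 2021 GMT
notAfter=May 13 19:51:53 2033 GMT

subject= /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=vpn.company.com/emailAddress=t...@company.com
SHA256 Fingerprint=9F:93:75:73:6A:F2:BE:59:4A:14:BD:C6:F3:1C:C0:DC:20:26:0D:B7:AE:1C:07:BC:FE:6A:04:C2:20:07:BC:6D
notBefore=Jan 16 19:52:15 2021 GMT
notAfter=Jan 16 19:52:15 2022 GMT

subject= /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=10.0.2.100/emailAddress=t...@company.com
SHA256 Fingerprint=BF:E5:C4:64:55:4D:4E:E7:BC:7F:D9:6E:90:C2:06:BD:66:9A:40:04:EB:C3:BE:A3:2A:DA:91:1A:E7:3D:42:A4
notBefore=Jan 16 19:52:41 2021 GMT
notAfter=Jan 16 19:52:41 2022 GMT
"""

# The relevant lines of the posted iked.conf rule (backslash continuations kept).
IKED_CONF = 'ikev2 "vpn-eap" passive esp \\\n\tsrcid vpn.company.com \\\n\tconfig address 10.0.2.0/24 \\\n'

if __name__ == "__main__":
    # Constructed check date: both one-year certificates fall inside the 30-day window.
    print(review(LISTING, IKED_CONF, "Dec 20 00:00:00 2021 GMT"))
```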
Re: IKEv2 on Windows 10
> On 14 Jan 2021, at 01:28, Stuart Henderson wrote:
>
> On 2021-01-13, Ian Timothy wrote:
>> Looking at some of the other information provided, I tried this along with
>> the registry edit below:
>>
>> PS> Add-VpnConnection -Name "IPB2" -ServerAddress "vpn.company.com"
>> -TunnelType IKEv2 -AuthenticationMethod MachineCertificate
>> -AllUserConnection -Force
>
> "-AuthenticationMethod MachineCertificate" - I thought you were using
> MSCHAP not machine certs?

I’m just trying anything and everything at this point. I’ll do whatever works.

> FWIW I'm adding the connection manually and then doing this:
>
> Set-VpnConnection -ConnectionName "vpn" -EncryptionLevel Maximum
> -SplitTunneling $false -passthru
>
> Set-VpnConnectionIPsecConfiguration -ConnectionName "vpn"
> -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants
> GCMAES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -DHGroup
> ECP256 -PfsGroup ECP256 -passthru
>
> iked.conf (using the same config for Windows/Android/iOS clients, and
> for ease of client setup allowing the default Windows crypto as well as
> better ones):
>
> ikev2 "vpn" passive esp from 0.0.0.0/0 to 0.0.0.0 \
>         local xxx \
>         peer any \
>         ikesa enc aes-128 enc aes-256 prf hmac-sha2-256 prf hmac-sha1 auth hmac-sha2-256 group curve25519 group ecp521 group ecp256 group modp2048 group modp1024 \
>         childsa enc aes-128-gcm enc aes-256-gcm group curve25519 group ecp521 group ecp256 group modp2048 \
>         childsa enc aes-128 enc aes-256 auth hmac-sha2-256 auth hmac-sha1 \
>         childsa enc aes-128-gcm enc aes-256-gcm \
>         srcid "xxx" \
>         eap "mschap-v2" \
>         config address xxx/25 \
>         config name-server xxx \
>         tag "$name-$id"
>
> (plus the user config).

I’m getting the following error on Windows upon connecting: “IKE failed to find valid machine certificate.”

I’ve done a fresh install of Windows 10 Pro using a new download of the ISO, but still get the above error.
#
# Generate certificates
#

ikectl ca vpn delete

# CN is “VPN"
ikectl ca vpn create
ikectl ca vpn install

# CN is “vpn.company.com”, same as srcid in iked.conf
ikectl ca vpn certificate 10.0.0.1 create
ikectl ca vpn certificate 10.0.0.1 install

# CN is 10.0.2.100, same as IP in following line
ikectl ca vpn certificate 10.0.2.100 create
ikectl ca vpn certificate 10.0.2.100 export


#
# Show certificates
#

$ ikectl show ca vpn certificates
subject= /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=VPN/emailAddress=t...@company.com
SHA256 Fingerprint=83:BE:37:FD:A9:B1:53:11:F6:7D:90:25:20:42:21:46:13:52:E1:C3:14:9B:F9:E1:74:C8:89:6A:3E:55:0F:FC
notBefore=Jan 16 19:51:53 2021 GMT
notAfter=May 13 19:51:53 2033 GMT

subject= /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=vpn.company.com/emailAddress=t...@company.com
SHA256 Fingerprint=9F:93:75:73:6A:F2:BE:59:4A:14:BD:C6:F3:1C:C0:DC:20:26:0D:B7:AE:1C:07:BC:FE:6A:04:C2:20:07:BC:6D
notBefore=Jan 16 19:52:15 2021 GMT
notAfter=Jan 16 19:52:15 2022 GMT

subject= /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=10.0.2.100/emailAddress=t...@company.com
SHA256 Fingerprint=BF:E5:C4:64:55:4D:4E:E7:BC:7F:D9:6E:90:C2:06:BD:66:9A:40:04:EB:C3:BE:A3:2A:DA:91:1A:E7:3D:42:A4
notBefore=Jan 16 19:52:41 2021 GMT
notAfter=Jan 16 19:52:41 2022 GMT


#
# Install certificates on Windows
#

1. scp 10.0.2.100.zip from vpn.company.com to Windows client
2. Unzip
3. Double click ca.pfx
   1. Select “Local Machine”
   2. Select “Place certificates in following store”
      1. Select “Trusted Root Certificate Authorities”
4. Double click 10.0.2.100.pfx, repeat above except use “Personal” store


Windows VPN device settings at the moment:

Name: “VPN”

General tab
  Server: vpn.company.com

Security tab
  VPN type: IKEv2
  Authentication: Use machine certificates

PowerShell:

PS> Set-VpnConnection -ConnectionName "VPN" -EncryptionLevel Maximum -SplitTunneling $false -passthru

PS> Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -DHGroup ECP256 -PfsGroup ECP256 -passthru


#
# iked.conf at the moment
#

ikev2 "vpn-eap" passive esp \
        from 0.0.0.0/0 to 0.0.0.0 \
        local egress peer any \
        ikesa enc aes-128 enc aes-256 prf hmac-sha2-256 prf hmac-sha1 auth hmac-sha2-256 group curve25519 group ecp521 group ecp256 group modp2048 group modp1024 \
        childsa enc aes-128-gcm enc aes-256-gcm group curve25519 group ecp521 group ecp256 group modp2048 \
        childsa enc aes-128 enc aes-256 auth hmac-sha2-256 auth hmac-sha1 \
        childsa enc aes-128-gcm enc aes-256-gcm \
        srcid vpn.company.com \
        config address 10.0.2.0/24 \
        config netmask 255.255.0.0 \
        config name-server 10.0.0.1 \


#
# iked log
#

$ doas iked -dvv
create_ike: using signature for peer
ikev2 "vpn-eap" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0 local 23.AAA.AAA.129
Re: IKEv2 on Windows 10
On 2021-01-13, Ian Timothy wrote:
> Looking at some of the other information provided, I tried this along with
> the registry edit below:
>
> PS> Add-VpnConnection -Name "IPB2" -ServerAddress "vpn.company.com"
> -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -AllUserConnection
> -Force

"-AuthenticationMethod MachineCertificate" - I thought you were using
MSCHAP not machine certs?

FWIW I'm adding the connection manually and then doing this:

Set-VpnConnection -ConnectionName "vpn" -EncryptionLevel Maximum
-SplitTunneling $false -passthru

Set-VpnConnectionIPsecConfiguration -ConnectionName "vpn"
-AuthenticationTransformConstants GCMAES128 -CipherTransformConstants
GCMAES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -DHGroup
ECP256 -PfsGroup ECP256 -passthru

iked.conf (using the same config for Windows/Android/iOS clients, and
for ease of client setup allowing the default Windows crypto as well as
better ones):

ikev2 "vpn" passive esp from 0.0.0.0/0 to 0.0.0.0 \
        local xxx \
        peer any \
        ikesa enc aes-128 enc aes-256 prf hmac-sha2-256 prf hmac-sha1 auth hmac-sha2-256 group curve25519 group ecp521 group ecp256 group modp2048 group modp1024 \
        childsa enc aes-128-gcm enc aes-256-gcm group curve25519 group ecp521 group ecp256 group modp2048 \
        childsa enc aes-128 enc aes-256 auth hmac-sha2-256 auth hmac-sha1 \
        childsa enc aes-128-gcm enc aes-256-gcm \
        srcid "xxx" \
        eap "mschap-v2" \
        config address xxx/25 \
        config name-server xxx \
        tag "$name-$id"

(plus the user config).
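The Set-VpnConnectionIPsecConfiguration values and the iked.conf ikesa/childsa proposals above only work together if at least one proposal of each kind contains every transform the Windows client insists on. As an added example (not code from the thread or from iked), the following Python parses an iked.conf rule in the form posted, translates the PowerShell parameters into iked.conf transform names, and reports whether an IKE SA and a child SA proposal can be agreed; the Windows-to-iked.conf name mapping is my assumption and covers only the values used in this thread plus the 3DES/HMAC_SHA1 proposal visible in the iked log later in the thread.

```python
"""Check whether a Windows IKEv2 IPsec policy can match an iked.conf rule.
Added example, not from the thread; the Windows-to-iked.conf name mapping is an
assumption limited to the values used in this thread and the posted iked log."""

# Assumed mapping: Windows parameter value -> iked.conf transform name.
IKE_ENC = {"DES3": "3des", "AES128": "aes-128", "AES256": "aes-256"}
IKE_INTEG = {"SHA1": "hmac-sha1", "SHA256": "hmac-sha2-256"}
DH_GROUP = {"Group2": "modp1024", "Group14": "modp2048", "ECP256": "ecp256"}
ESP_ENC = {"AES128": "aes-128", "AES256": "aes-256",
           "GCMAES128": "aes-128-gcm", "GCMAES256": "aes-256-gcm"}
ESP_AUTH = {"SHA196": "hmac-sha1", "SHA256128": "hmac-sha2-256"}  # GCM*/None: no auth transform
PFS_GROUP = {"PFS2": "modp1024", "PFS2048": "modp2048", "ECP256": "ecp256"}


def parse_rule(conf):
    """Return {'ikesa': [...], 'childsa': [...]}: one dict per proposal, mapping a
    transform kind (enc/prf/auth/group) to the set of names iked.conf allows."""
    tokens = conf.replace("\\", " ").split()      # join continuation lines
    proposals = {"ikesa": [], "childsa": []}
    current, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in proposals:                      # "ikesa"/"childsa" opens a proposal
            current = {}
            proposals[tok].append(current)
            i += 1
        elif current is not None and tok in ("enc", "prf", "auth", "group"):
            current.setdefault(tok, set()).add(tokens[i + 1])
            i += 2
        else:                                     # any other keyword ends the proposal
            current = None
            i += 1
    return proposals


def windows_requirements(policy):
    """Translate the PowerShell parameters into the transforms iked must offer."""
    integ = IKE_INTEG[policy["IntegrityCheckMethod"]]   # used for both PRF and integrity
    ike = {"enc": IKE_ENC[policy["EncryptionMethod"]], "prf": integ, "auth": integ,
           "group": DH_GROUP[policy["DHGroup"]]}
    esp = {"enc": ESP_ENC[policy["CipherTransformConstants"]]}
    if policy["AuthenticationTransformConstants"] in ESP_AUTH:
        esp["auth"] = ESP_AUTH[policy["AuthenticationTransformConstants"]]
    if policy["PfsGroup"] in PFS_GROUP:
        esp["group"] = PFS_GROUP[policy["PfsGroup"]]
    return ike, esp


def satisfied(required, proposal):
    return all(name in proposal.get(kind, set()) for kind, name in required.items())


def compatible(conf, policy):
    """Return (ike_sa_ok, child_sa_ok): does a proposal of each kind fit the policy?"""
    rule = parse_rule(conf)
    ike, esp = windows_requirements(policy)
    return (any(satisfied(ike, p) for p in rule["ikesa"]),
            any(satisfied(esp, p) for p in rule["childsa"]))


# The iked.conf rule posted above (raw string, so the continuation backslashes survive).
IKED_CONF = r'''
ikev2 "vpn" passive esp from 0.0.0.0/0 to 0.0.0.0 \
        local xxx \
        peer any \
        ikesa enc aes-128 enc aes-256 prf hmac-sha2-256 prf hmac-sha1 auth hmac-sha2-256 group curve25519 group ecp521 group ecp256 group modp2048 group modp1024 \
        childsa enc aes-128-gcm enc aes-256-gcm group curve25519 group ecp521 group ecp256 group modp2048 \
        childsa enc aes-128 enc aes-256 auth hmac-sha2-256 auth hmac-sha1 \
        childsa enc aes-128-gcm enc aes-256-gcm \
        srcid "xxx" \
        eap "mschap-v2" \
        config address xxx/25 \
        config name-server xxx \
        tag "$name-$id"
'''
# The Set-VpnConnectionIPsecConfiguration values posted above: expected (True, True).
POSTED_POLICY = {"EncryptionMethod": "AES128", "IntegrityCheckMethod": "SHA256", "DHGroup": "ECP256",
                 "CipherTransformConstants": "GCMAES128",
                 "AuthenticationTransformConstants": "GCMAES128", "PfsGroup": "ECP256"}
# Constructed from the 3DES/HMAC_SHA1 proposal in the posted iked log (DH group assumed, the
# log is cut off there): no ikesa above offers 3des, so expected (False, True).
LEGACY_POLICY = {"EncryptionMethod": "DES3", "IntegrityCheckMethod": "SHA1", "DHGroup": "Group2",
                 "CipherTransformConstants": "AES128",
                 "AuthenticationTransformConstants": "SHA196", "PfsGroup": "None"}
```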
Re: IKEv2 on Windows 10
> On 13 Jan 2021, at 06:04, Cand Tec wrote:
>
> This is my first time responding to a post so forgive me if I violate any
> protocols here. I currently use OBSD 6.8 amd64 as a FW for 3 office clients,
> all running on high-end repurposed desktops. Due to covid I've had to quickly
> setup ikev for a very small number of home users, none of which are
> roadwarriors and all use Win10. Yes, I know I should be using ikev2, so don't
> chew me out, at the time it was just quicker.
> Using the UI in Win10 is not the way to go. Apparently the Win10 default
> parameters via UI does not provide the required ciphers.
> I used powershell to modify the parameters first then use the vpn connection
> properties to finalize the settings. It worked 100% of the times without
> fail. When I duplicated using only the Win10 UI it failed in every
> instance.
>
> Here are the powershell cmds I used to modify my default vpn settings which
> has worked every time -
> PS C:\> Add-VpnConnection -Name "VPN_NAME" -ServerAddress vpn.domain.com
> -TunnelType "L2tp"
> PS C:\> Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN_NAME"
> -AuthenticationTransformConstants None -CipherTransformConstants AES256
> -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup
> Group14 -PassThru -Force

Indeed that does not work for IKEv2:

ikev1_recv: header ispi 0x94edd5a8931477d9 rspi 0x nextpayload 1 version 0x10 exchange 2 flags 0x00 msgid 0 length 256
ikev1_recv: IKEv1 not supported

Looking at some of the other information provided, I tried this along with the registry edit below:

PS> Add-VpnConnection -Name "IPB2" -ServerAddress "vpn.company.com" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -AllUserConnection -Force

PS> Set-VpnConnectionIPsecConfiguration -ConnectionName "IPB2" -AuthenticationTransformConstants None -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup None -PassThru -AllUserConnection
But that doesn’t seem to help anything.

> Here's some info I found helpful -
>
> L2TP issues with Win 10 – phase1 does not form due to insecure default
> parameters
> REGISTRY SOLUTION:
> https://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html
>
> Create a registry key that enforces modern cipher and transform sets.
>
> STEP 1: Edit Registry or create GPO:
>
> HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\
> STEP 2: Create new DWORD value:
> NegotiateDH2048_AES256
> STEP 3: Modify DWORD value: 2
>
> One caveat, whenever a major Win10 update is installed it tends to reset the
> Win10 vpn parameters you modified. It's not consistent, but I've had to reset
> it a few times. Other than that it has been flawless so far...if you can call
> it that.
>
> Hopefully this helps.
Re: IKEv2 on Windows 10
This is my first time responding to a post so forgive me if I violate any
protocols here. I currently use OBSD 6.8 amd64 as a FW for 3 office clients,
all running on high-end repurposed desktops. Due to covid I've had to quickly
setup ikev for a very small number of home users, none of which are
roadwarriors and all use Win10. Yes, I know I should be using ikev2, so don't
chew me out, at the time it was just quicker.
Using the UI in Win10 is not the way to go. Apparently the Win10 default
parameters via UI does not provide the required ciphers.
I used powershell to modify the parameters first then use the vpn connection
properties to finalize the settings. It worked 100% of the times without
fail. When I duplicated using only the Win10 UI it failed in every
instance.

Here are the powershell cmds I used to modify my default vpn settings which
has worked every time -
PS C:\> Add-VpnConnection -Name "VPN_NAME" -ServerAddress vpn.domain.com
-TunnelType "L2tp"
PS C:\> Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN_NAME"
-AuthenticationTransformConstants None -CipherTransformConstants AES256
-EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup
Group14 -PassThru -Force

Here's some info I found helpful -

L2TP issues with Win 10 – phase1 does not form due to insecure default
parameters
*REGISTRY SOLUTION:*
https://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html

Create a registry key that enforces modern cipher and transform sets.

*STEP 1*: Edit Registry or create GPO:

HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\
*STEP 2:* Create new DWORD value:
NegotiateDH2048_AES256
*STEP 3:* Modify DWORD value: 2

One caveat, whenever a major Win10 update is installed it tends to reset the
Win10 vpn parameters you modified. It's not consistent, but I've had to reset
it a few times. Other than that it has been flawless so far...if you can call
it that.

Hopefully this helps.
On Wed, Jan 13, 2021 at 5:30 AM Patrick Wildt wrote:

> On Wed, Jan 13, 2021 at 01:12:09AM -0700, Ian Timothy wrote:
> > Hi,
> >
> > I'm trying to get IKEv2 VPN working with Windows 10. I'm able to use PSK
> > with macOS without issue. Changing to EAP MSCHAP for use with Windows
> > results in the following error:
> >
> > "The network connection between your computer and the VPN server could
> > not be established because the remote server is not responding. The could
> > be because one of the network devices (e.g. firewalls, NAT, routers, etc.)
> > between your computer and the remote server is not configured to allow VPN
> > connections."
> >
> > I’ve worked through many examples online, but I’m not sure what's the
> > next step to troubleshoot this?
> >
> > Thanks!
> >
> >
> >
> > # uname -rsv
> > OpenBSD 6.8 GENERIC.MP#2
> >
> >
> > #
> > # iked.conf
> > #
> >
> > ikev2 "vpn-psk" passive esp \
> > from 0.0.0.0/0 to 0.0.0.0/0 \
>
> Hi,
>
> if you're using config address (as in giving peers a tunnel IP), you
> need to configure
>
> from 0.0.0.0/0 to 0.0.0.0 \
>
> The "to" becomes a /32, a /0 is wrong. This is because of internal
> semantics. Anyway, this confusing bit has been changed in -current,
> as you can read here:
>
> https://www.openbsd.org/faq/current.html
>
> But unless you're using current, you still need the line above.
>
> But since you're complaining about EAP MSCHAP, I don't know what's the
> issue there. Maybe tobhe@ or sthen@ have an idea.
>
> Patrick
>
> > local egress peer any \
> > srcid vpn.company.com \
> > eap "mschap-v2" \
> > config address 10.0.2.0/24 \
> > config netmask 255.255.0.0 \
> > config name-server 10.0.0.1 \
> > tag "$name-$id"
> >
> > # Changing 'eap "mschap-v2"' to 'psk "password"' works just fine for
> > macOS.
> >
> >
> > #
> > # Generate certificates
> > #
> >
> > pkg_add zip
> >
> > ikectl ca vpn create
> > ikectl ca vpn install
> >
> > # CN should be same as srcid in iked.conf
> > ikectl ca vpn certificate vpn.company.com create
> > ikectl ca vpn certificate vpn.company.com install
> >
> > # CN should be same as client ip address
> > ikectl ca vpn certificate 10.0.2.100 create
> > ikectl ca vpn certificate 10.0.2.100 export
> >
> >
> > #
> > # Windows config
> > #
> >
> > - VPN device
> >   - General tab
> >     - Server: vpn.company.com
> >   - Security tab
> >     - VPN type: IKEv2
> >     - Authentication: Use machine certificates
> >
> > - Certs install
> >   - ca.crt --> Certificates (Local Computer)/Trusted Root Certification Authorities/Certificates
> >   - 10.0.2.100 --> Certificates (Local Computer)/Personal/Certificates
> >
> >
> > #
> > # iked log
> > #
> >
> > doas iked -dvv
> > create_ike: using signature for peer
> > ikev2 "vpn-eap" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 23.AAA.AAA.129 peer any ikesa enc aes-128-gcm,aes-256-gcm prf hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group
>
Re: IKEv2 on Windows 10
On Wed, Jan 13, 2021 at 01:12:09AM -0700, Ian Timothy wrote:
> Hi,
>
> I'm trying to get IKEv2 VPN working with Windows 10. I'm able to use PSK with
> macOS without issue. Changing to EAP MSCHAP for use with Windows results in
> the following error:
>
> "The network connection between your computer and the VPN server could not be
> established because the remote server is not responding. The could be because
> one of the network devices (e.g. firewalls, NAT, routers, etc.) between your
> computer and the remote server is not configured to allow VPN connections."
>
> I’ve worked through many examples online, but I’m not sure what's the next
> step to troubleshoot this?
>
> Thanks!
>
>
>
> # uname -rsv
> OpenBSD 6.8 GENERIC.MP#2
>
>
> #
> # iked.conf
> #
>
> ikev2 "vpn-psk" passive esp \
> from 0.0.0.0/0 to 0.0.0.0/0 \

Hi,

if you're using config address (as in giving peers a tunnel IP), you
need to configure

from 0.0.0.0/0 to 0.0.0.0 \

The "to" becomes a /32, a /0 is wrong. This is because of internal
semantics. Anyway, this confusing bit has been changed in -current,
as you can read here:

https://www.openbsd.org/faq/current.html

But unless you're using current, you still need the line above.

But since you're complaining about EAP MSCHAP, I don't know what's the
issue there. Maybe tobhe@ or sthen@ have an idea.

Patrick

> local egress peer any \
> srcid vpn.company.com \
> eap "mschap-v2" \
> config address 10.0.2.0/24 \
> config netmask 255.255.0.0 \
> config name-server 10.0.0.1 \
> tag "$name-$id"
>
> # Changing 'eap "mschap-v2"' to 'psk "password"' works just fine for macOS.
>
>
> #
> # Generate certificates
> #
>
> pkg_add zip
>
> ikectl ca vpn create
> ikectl ca vpn install
>
> # CN should be same as srcid in iked.conf
> ikectl ca vpn certificate vpn.company.com create
> ikectl ca vpn certificate vpn.company.com install
>
> # CN should be same as client ip address
> ikectl ca vpn certificate 10.0.2.100 create
> ikectl ca vpn certificate 10.0.2.100 export
>
>
> #
> # Windows config
> #
>
> - VPN device
>   - General tab
>     - Server: vpn.company.com
>   - Security tab
>     - VPN type: IKEv2
>     - Authentication: Use machine certificates
>
> - Certs install
>   - ca.crt --> Certificates (Local Computer)/Trusted Root Certification Authorities/Certificates
>   - 10.0.2.100 --> Certificates (Local Computer)/Personal/Certificates
>
>
> #
> # iked log
> #
>
> doas iked -dvv
> create_ike: using signature for peer
> ikev2 "vpn-eap" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 23.AAA.AAA.129 peer any ikesa enc aes-128-gcm,aes-256-gcm prf hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 auth hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 childsa enc aes-128-gcm,aes-256-gcm esn,noesn childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 esn,noesn srcid vpn.ipaperbox.com lifetime 10800 bytes 536870912 eap "MSCHAP_V2" config address 10.0.2.0 config netmask 255.255.0.0 config name-server 10.0.0.1
> /etc/iked.conf: loaded 2 configuration rules
> ca_privkey_serialize: type RSA_KEY length 1192
> ca_pubkey_serialize: type RSA_KEY length 270
> config_new_user: inserting new user windows
> user "windows" "password"
> config_getpolicy: received policy
> ca_privkey_to_method: type RSA_KEY method RSA_SIG
> config_getpfkey: received pfkey fd 3
> ca_getkey: received private key type RSA_KEY length 1192
> config_getcompile: compilation done
> config_getsocket: received socket fd 4
> config_getsocket: received socket fd 5
> config_getsocket: received socket fd 6
> config_getsocket: received socket fd 7
> config_getstatic: dpd_check_interval 60
> config_getstatic: no enforcesingleikesa
> config_getstatic: no fragmentation
> config_getstatic: mobike
> config_getstatic: nattport 4500
> ca_getkey: received public key type RSA_KEY length 270
> ca_dispatch_parent: config reset
> ca_reload: loaded ca file ca.crt
> ca_reload: loaded crl file ca.crl
> ca_reload: /C=US/ST=State/L=City/O=Company Name/OU=Information Systems/CN=vpn.company.com/emailAddress=t...@company.com
> ca_reload: loaded 1 ca certificate
> ca_reload: loaded cert file 10.0.0.1.crt
> ca_validate_cert: /C=US/ST=State/L=City/O=Company Name/OU=Information Systems/CN=vpn.company.com/emailAddress=t...@company.com subject issuer mismatch
> ca_reload: local cert type X509_CERT
> config_getocsp: ocsp_url none tolerate 0 maxage -1
> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
>
> policy_lookup: setting policy 'vpn-eap'
>
IKEv2 on Windows 10
Hi,

I'm trying to get IKEv2 VPN working with Windows 10. I'm able to use PSK with
macOS without issue. Changing to EAP MSCHAP for use with Windows results in
the following error:

"The network connection between your computer and the VPN server could not be
established because the remote server is not responding. The could be because
one of the network devices (e.g. firewalls, NAT, routers, etc.) between your
computer and the remote server is not configured to allow VPN connections."

I’ve worked through many examples online, but I’m not sure what's the next
step to troubleshoot this?

Thanks!



# uname -rsv
OpenBSD 6.8 GENERIC.MP#2


#
# iked.conf
#

ikev2 "vpn-psk" passive esp \
        from 0.0.0.0/0 to 0.0.0.0/0 \
        local egress peer any \
        srcid vpn.company.com \
        eap "mschap-v2" \
        config address 10.0.2.0/24 \
        config netmask 255.255.0.0 \
        config name-server 10.0.0.1 \
        tag "$name-$id"

# Changing 'eap "mschap-v2"' to 'psk "password"' works just fine for macOS.


#
# Generate certificates
#

pkg_add zip

ikectl ca vpn create
ikectl ca vpn install

# CN should be same as srcid in iked.conf
ikectl ca vpn certificate vpn.company.com create
ikectl ca vpn certificate vpn.company.com install

# CN should be same as client ip address
ikectl ca vpn certificate 10.0.2.100 create
ikectl ca vpn certificate 10.0.2.100 export


#
# Windows config
#

- VPN device
  - General tab
    - Server: vpn.company.com
  - Security tab
    - VPN type: IKEv2
    - Authentication: Use machine certificates

- Certs install
  - ca.crt --> Certificates (Local Computer)/Trusted Root Certification Authorities/Certificates
  - 10.0.2.100 --> Certificates (Local Computer)/Personal/Certificates


#
# iked log
#

doas iked -dvv
create_ike: using signature for peer
ikev2 "vpn-eap" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 23.AAA.AAA.129 peer any ikesa enc aes-128-gcm,aes-256-gcm prf hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 auth hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 childsa enc aes-128-gcm,aes-256-gcm esn,noesn childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 esn,noesn srcid vpn.ipaperbox.com lifetime 10800 bytes 536870912 eap "MSCHAP_V2" config address 10.0.2.0 config netmask 255.255.0.0 config name-server 10.0.0.1
/etc/iked.conf: loaded 2 configuration rules
ca_privkey_serialize: type RSA_KEY length 1192
ca_pubkey_serialize: type RSA_KEY length 270
config_new_user: inserting new user windows
user "windows" "password"
config_getpolicy: received policy
ca_privkey_to_method: type RSA_KEY method RSA_SIG
config_getpfkey: received pfkey fd 3
ca_getkey: received private key type RSA_KEY length 1192
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getstatic: dpd_check_interval 60
config_getstatic: no enforcesingleikesa
config_getstatic: no fragmentation
config_getstatic: mobike
config_getstatic: nattport 4500
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded ca file ca.crt
ca_reload: loaded crl file ca.crl
ca_reload: /C=US/ST=State/L=City/O=Company Name/OU=Information Systems/CN=vpn.company.com/emailAddress=t...@company.com
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file 10.0.0.1.crt
ca_validate_cert: /C=US/ST=State/L=City/O=Company Name/OU=Information Systems/CN=vpn.company.com/emailAddress=t...@company.com subject issuer mismatch
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none tolerate 0 maxage -1
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20

policy_lookup: setting policy 'vpn-eap'
spi=0x804dbcb818c0c11e: recv IKE_SA_INIT req 0 peer 166.BBB.BBB.161:56819 local 23.AAA.AAA.129:500, 624 bytes, policy 'vpn-eap'
ikev2_recv: ispi 0x804dbcb818c0c11e rspi 0x
ikev2_policy2id: srcid FQDN/vpn.ipaperbox.com length 21
ikev2_pld_parse: header ispi 0x804dbcb818c0c11e rspi 0x nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 624 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id