Re: OpenIKED and Windows 10 Client

2017-04-13 Thread Bobby Johnson
Just the CA and server cert need to be installed on the OpenBSD side.

On Thu, Apr 13, 2017 at 3:10 AM, Markus Rosjat  wrote:

> just to be clear I don't need to install the client cert on the openbsd
> machine?
>
> And since this is eating up my time I might switch back to ikev1 and
> isakmpd. At least there I know I get it done
>
> regards
>
> markus
>
>
> On 13.04.2017 at 10:13, Markus Rosjat wrote:
>
>> As I stated before I did all the cert installing for the local machine
>> store. I will try to create some more certs with different "names" just to
>> see if this makes a difference. I might be wrong what the real FQDN is or
>> better what windows believes it should be :)
>>
>> regards
>>
>> Markus
>>
>> On 12.04.2017 at 17:21, Bobby Johnson wrote:
>>
>>> If you're doing pure certificate auth, not eap I think you need both
>>> certs.  They do need to be installed under the local computer account.
>>> Install the CA cert in the trusted root CA store, put the machine cert in
>>> the personal store.  I also think it may be necessary to put the full
>>> asn1_dn of the server and client certs in the src_id and dst_id lines of
>>> the iked config.
>>>
>>>
>>> On Wed, Apr 12, 2017 at 6:45 AM, Stuart Henderson wrote:
>>>
>>>> On 2017-04-12, Markus Rosjat wrote:
>>>>> On 12.04.2017 at 11:49, Martijn van Duren wrote:
>>>>>> On 04/12/17 11:42, Stuart Henderson wrote:
>>>>>>> On 2017-04-11, Markus Rosjat wrote:
>>>>>>>> I think the problem is with the windows side because it tells me there
>>>>>>>> is no certificate to be found. I added the certificate to local machine
>>>>>>>> store -> own certificates (at least in the German UI there is no personal folder)
>>>>>>>
>>>>>>> I think you're adding this cert to the wrong one of the many cert stores
>>>>>>> on Windows. It worked for me in trusted CAs, though there may be a better
>>>>>>> option that also works.
>>>>>>>
>>>>>> One thing that also bit me was that I had to put them in the system-wide
>>>>>> store and not in the personal store.
>>>>>>
>>>>> well I put the CA certs in the trusted CA Folder and the cert for the
>>>>> machine in "Eigene Zertifikate" in the local machine store
>>>>>
>>>>> it seems to be a problem on the windows side though
>>>>
>>>> You only want the CA certificate, not the machine certificate.
>>>
>>
> --
> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
>
> http://www.ghweb.de
> fon: +49 351 8107220   fax: +49 351 8107227
>
> Please check whether this mail really needs to be printed! Before
> you print it, think about your responsibility and commitment to the
> ENVIRONMENT



Re: OpenIKED and Windows 10 Client

2017-04-13 Thread Markus Rosjat
just to be clear I don't need to install the client cert on the openbsd 
machine?


And since this is eating up my time I might switch back to ikev1 and 
isakmpd. At least there I know I get it done


regards

markus

On 13.04.2017 at 10:13, Markus Rosjat wrote:

> As I stated before I did all the cert installing for the local machine
> store. I will try to create some more certs with different "names" just to
> see if this makes a difference. I might be wrong what the real FQDN is or
> better what windows believes it should be :)
>
> regards
>
> Markus
>
> On 12.04.2017 at 17:21, Bobby Johnson wrote:
>
>> If you're doing pure certificate auth, not eap I think you need both
>> certs.  They do need to be installed under the local computer account.
>> Install the CA cert in the trusted root CA store, put the machine cert in
>> the personal store.  I also think it may be necessary to put the full
>> asn1_dn of the server and client certs in the src_id and dst_id lines of
>> the iked config.
>>
>> On Wed, Apr 12, 2017 at 6:45 AM, Stuart Henderson wrote:
>>
>>> On 2017-04-12, Markus Rosjat wrote:
>>>> On 12.04.2017 at 11:49, Martijn van Duren wrote:
>>>>> On 04/12/17 11:42, Stuart Henderson wrote:
>>>>>> On 2017-04-11, Markus Rosjat wrote:
>>>>>>> I think the problem is with the windows side because it tells me there
>>>>>>> is no certificate to be found. I added the certificate to local machine
>>>>>>> store -> own certificates (at least in the German UI there is no personal folder)
>>>>>>
>>>>>> I think you're adding this cert to the wrong one of the many cert stores
>>>>>> on Windows. It worked for me in trusted CAs, though there may be a better
>>>>>> option that also works.
>>>>>>
>>>>> One thing that also bit me was that I had to put them in the system-wide
>>>>> store and not in the personal store.
>>>>>
>>>> well I put the CA certs in the trusted CA Folder and the cert for the
>>>> machine in "Eigene Zertifikate" in the local machine store
>>>>
>>>> it seems to be a problem on the windows side though
>>>
>>> You only want the CA certificate, not the machine certificate.








Re: OpenIKED and Windows 10 Client

2017-04-13 Thread Markus Rosjat
As I stated before I did all the cert installing for the local machine
store. I will try to create some more certs with different "names" just to
see if this makes a difference. I might be wrong what the real FQDN is or
better what windows believes it should be :)


regards

Markus

On 12.04.2017 at 17:21, Bobby Johnson wrote:

> If you're doing pure certificate auth, not eap I think you need both
> certs.  They do need to be installed under the local computer account.
> Install the CA cert in the trusted root CA store, put the machine cert in
> the personal store.  I also think it may be necessary to put the full
> asn1_dn of the server and client certs in the src_id and dst_id lines of
> the iked config.
>
> On Wed, Apr 12, 2017 at 6:45 AM, Stuart Henderson wrote:
>
>> On 2017-04-12, Markus Rosjat wrote:
>>> On 12.04.2017 at 11:49, Martijn van Duren wrote:
>>>> On 04/12/17 11:42, Stuart Henderson wrote:
>>>>> On 2017-04-11, Markus Rosjat wrote:
>>>>>> I think the problem is with the windows side because it tells me there
>>>>>> is no certificate to be found. I added the certificate to local machine
>>>>>> store -> own certificates (at least in the German UI there is no personal folder)
>>>>>
>>>>> I think you're adding this cert to the wrong one of the many cert stores
>>>>> on Windows. It worked for me in trusted CAs, though there may be a better
>>>>> option that also works.
>>>>>
>>>> One thing that also bit me was that I had to put them in the system-wide
>>>> store and not in the personal store.
>>>>
>>> well I put the CA certs in the trusted CA Folder and the cert for the
>>> machine in "Eigene Zertifikate" in the local machine store
>>>
>>> it seems to be a problem on the windows side though
>>
>> You only want the CA certificate, not the machine certificate.








Re: OpenIKED and Windows 10 Client

2017-04-12 Thread Bobby Johnson
If you're doing pure certificate auth, not eap I think you need both
certs.  They do need to be installed under the local computer account.
Install the CA cert in the trusted root CA store, put the machine cert in
the personal store.  I also think it may be necessary to put the full
asn1_dn of the server and client certs in the src_id and dst_id lines of
the iked config.


On Wed, Apr 12, 2017 at 6:45 AM, Stuart Henderson 
wrote:

> On 2017-04-12, Markus Rosjat wrote:
> > On 12.04.2017 at 11:49, Martijn van Duren wrote:
> >> On 04/12/17 11:42, Stuart Henderson wrote:
> >>> On 2017-04-11, Markus Rosjat wrote:
> >>>> I think the problem is with the windows side because it tells me there
> >>>> is no certificate to be found. I added the certificate to local machine
> >>>> store -> own certificates (at least in the German UI there is no personal folder)
> >>>
> >>> I think you're adding this cert to the wrong one of the many cert stores
> >>> on Windows. It worked for me in trusted CAs, though there may be a better
> >>> option that also works.
> >>>
> >> One thing that also bit me was that I had to put them in the system-wide
> >> store and not in the personal store.
> >>
> >
> > well I put the CA certs in the trusted CA Folder and the cert for the
> > machine in "Eigene Zertifikate" in the local machine store
> >
> > it seems to be a problem on the windows side though
>
> You only want the CA certificate, not the machine certificate.



Re: OpenIKED and Windows 10 Client

2017-04-12 Thread Stuart Henderson
On 2017-04-12, Markus Rosjat wrote:
> On 12.04.2017 at 11:49, Martijn van Duren wrote:
>> On 04/12/17 11:42, Stuart Henderson wrote:
>>> On 2017-04-11, Markus Rosjat wrote:
>>>> I think the problem is with the windows side because it tells me there
>>>> is no certificate to be found. I added the certificate to local machine
>>>> store -> own certificates (at least in the German UI there is no personal folder)
>>>
>>> I think you're adding this cert to the wrong one of the many cert stores
>>> on Windows. It worked for me in trusted CAs, though there may be a better
>>> option that also works.
>>>
>> One thing that also bit me was that I had to put them in the system-wide
>> store and not in the personal store.
>>
>
> well I put the CA certs in the trusted CA Folder and the cert for the
> machine in "Eigene Zertifikate" in the local machine store
>
> it seems to be a problem on the windows side though

You only want the CA certificate, not the machine certificate.



Re: OpenIKED and Windows 10 Client

2017-04-12 Thread Markus Rosjat
well I put the CA certs in the trusted CA Folder and the cert for the
machine in "Eigene Zertifikate" in the local machine store


it seems to be a problem on the windows side though

regards

markus

On 12.04.2017 at 11:49, Martijn van Duren wrote:

> On 04/12/17 11:42, Stuart Henderson wrote:
>
>> On 2017-04-11, Markus Rosjat wrote:
>>
>>> I think the problem is with the windows side because it tells me there
>>> is no certificate to be found. I added the certificate to local machine
>>> store -> own certificates (at least in the German UI there is no personal folder)
>>
>> I think you're adding this cert to the wrong one of the many cert stores
>> on Windows. It worked for me in trusted CAs, though there may be a better
>> option that also works.
>
> One thing that also bit me was that I had to put them in the system-wide
> store and not in the personal store.







Re: OpenIKED and Windows 10 Client

2017-04-12 Thread Martijn van Duren
On 04/12/17 11:42, Stuart Henderson wrote:
> On 2017-04-11, Markus Rosjat  wrote:
>> I think the problem is with the windows side because it tells me there
>> is no certificate to be found. I added the certificate to local machine
>> store -> own certificates (at least in the German UI there is no personal folder)
> 
> I think you're adding this cert to the wrong one of the many cert stores
> on Windows. It worked for me in trusted CAs, though there may be a better
> option that also works.
> 
One thing that also bit me was that I had to put them in the system-wide
store and not in the personal store.



Re: OpenIKED and Windows 10 Client

2017-04-12 Thread Stuart Henderson
On 2017-04-11, Markus Rosjat  wrote:
> I think the problem is with the windows side because it tells me there
> is no certificate to be found. I added the certificate to local machine
> store -> own certificates (at least in the German UI there is no personal folder)

I think you're adding this cert to the wrong one of the many cert stores
on Windows. It worked for me in trusted CAs, though there may be a better
option that also works.



OpenIKED and Windows 10 Client

2017-04-11 Thread Markus Rosjat

Hi there,

I try to get iked working with a windows 10 client but it seems windows
10 isn't going to work with the certificates I created and installed.


so far I did:

 - followed the OpenIKED howto to get my openbsd box set up

ikev2 "win" passive ipcomp esp \
from 0.0.0.0/0 to 10.10.10.0/24 \
local 192.168.0.73 peer any \
srcid 192.168.0.73 \
tag IKED

 - added the pf rules
 - created a client cert with the ip address of the client as FQDN
(because the cert with the client machine name didn't work)
 - I started iked in debug mode with some verbosity (added the output 
below)


Is it even possible to get it to work for win 10 with the given howto or 
do I need to add something else?


I think the problem is with the windows side because it tells me there
is no certificate to be found. I added the certificate to local machine
store -> own certificates (at least in the German UI there is no personal folder)


If someone would like to see the debug output:

start debug output
--

ikev2_recv: IKE_SA_INIT request from initiator 192.168.0.72:500 to 192.168.0.73:500 policy 'win' id 0, 616 bytes
ikev2_recv: ispi 0xb76efcd4402276ed rspi 0x
ikev2_policy2id: srcid IPV4/192.168.0.73 length 8
ikev2_pld_parse: header ispi 0xb76efcd4402276ed rspi 0x nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 616 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
ikev2_pld_sa: more than one proposal specified
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
c97aca74 9caa3cbb 70f6eb31 c55e8687 b41431ec 5550e6b8 1233795f 247be2a8
f17eb8fc 67560aa7 e0131fa3 edb43993 95a321aa e39c39f5 e40306d7 098ff42e
3ef6e79f 7f0a5c30 8b2cd031 4980a9f4 339b6518 107a9733 1ae169dd ea421996
d07651db 65ef1a91 b04fc991 e31379c0 18fc4a5c 26c87981 81c54dbb f7c8d223
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
dca1e1cf 770662d4 77cfc0d4 a35c3685 5d2a59a4 1aeac0cc 6ee900b7 1505ad22
75956bde caa6bed9 a70601f9 e3b0b1e1
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
4dd57bae f055f8d8 9a347ca0 7a22f663 992117c8
ikev2_nat_detection: peer source 0xb76efcd4402276ed 0x 192.168.0.72:500
4dd57bae f055f8d8 9a347ca0 7a22f663 992117c8
ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
fe055aee aa293f41 af77541d a89ff4b0 126306ef
ikev2_nat_detection: peer destination 0xb76efcd4402276ed 0x 192.168.0.73:500
fe055aee aa293f41 af77541d a89ff4b0 126306ef
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 24
1e2b5169 05991c7d 7c96fcbf b587e461 0009
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
fb1de3cd f341b7ea 16b7e5be 0855f120
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
26244d38 eddb61b3 172a36e3 d0cfb819
ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 24
01528bbb c0069612 1849ab9a 1c5b2a51 0002
sa_state: INIT -> SA_INIT
ikev2_match_proposals: xform 1 <-> 1 (10): ENCR 3DES (keylength 0 <-> 0)
ikev2_match_proposals: xform 1 <-> 1 (4): INTEGR HMAC_SHA1_96 (keylength 0 <-> 0)
ikev2_match_proposals: xform 1 <-> 1 (2): PRF HMAC_SHA1 (keylength 0 <-> 0)
ikev2_match_proposals: xform 1 <-> 1 (5): DH MODP_1024 (keylength 0 <-> 0)
ikev2_sa_negotiate: score 21
ikev2_sa_negotiate: score 10: ENCR 3DES
ikev2_sa_negotiate: score 2: PRF HMAC_SHA1
ikev2_sa_negotiate: score 4: INTEGR HMAC_SHA1_96
ikev2_sa_negotiate: score 5: DH MODP_1024
sa_stateok: SA_INIT flags 0x, require 0x
sa_stateflags: 0x -> 0x0020 sa (required 0x )
ikev2_sa_keys: SKEYSEED with 20 bytes
5ba80078 e765d093 dbe64f3f 27681da3 5a08771e
ikev2_sa_keys: S with 96 bytes
dca1e1cf 770662d4 77cfc0d4 a35c3685 5d2a59a4 1aeac0cc 6ee900b7 1505ad22
75956bde caa6bed9 a70601f9 e3b0b1e1 36b9b513 2ecbd6f8 a8d0fbee 9fd4722c
161f2c1f adb72626 4b04d05a 1caaf322 b76efcd4 402276ed 3031dda0 cca39594
ikev2_prfplus: T1 with 20 bytes
d1b97d70 91d8868c 72c4c28c abc1d900 22164363
ikev2_prfplus: T2 with 20 bytes
b36dbd6f 32c602e5 df8172d7 7f86d2f1 d2709260
ikev2_prfplus: T3 with 20 bytes
8086e540 a1c6e0b5 ac31ae5f 33ce6e99 54f8c64f
ikev2_prfplus: T4 with 20 bytes
0e9fed35 b812d76b 261f8b70 40dec377 3a84f431
ikev2_prfplus: T5 with 20 bytes
b4a1bac2 8c82df78 fcec5523 0ea7d837 3830a842
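A small analyzer added here as an illustration, not code from the thread or from OpenIKED: given an iked debug trace in the format posted above, it rejoins the records the mail client wrapped, lists the transforms the initiator offered and the ones iked accepted, and flags those that are legacy algorithms (the trace above negotiates 3DES, HMAC_SHA1_96 and MODP_1024). The function names and the legacy list are my assumptions; the sample trace is constructed in the format of the trace above.

```python
import re

# Algorithms to flag (assumption: a reviewer's hardening baseline, not a list iked maintains).
LEGACY = {"DES", "3DES", "MD5", "HMAC_SHA1", "HMAC_SHA1_96", "MODP_768", "MODP_1024"}

RECV_RE = re.compile(r"ikev2_recv: (\w+) request from initiator (\S+) to (\S+) policy '([^']*)'")
XFORM_RE = re.compile(r"ikev2_pld_xform: .* type (\w+) id (\S+)")
CHOSEN_RE = re.compile(r"ikev2_sa_negotiate: score \d+: (\w+) (\S+)")

def unwrap(trace):
    """Rejoin wrapped records: a record starts with '<func>: '; any other
    non-blank line (a wrapped tail or a payload hex dump) joins the one before."""
    records = []
    for line in trace.splitlines():
        if not line.strip():
            continue
        if re.match(r"\w+: ", line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def summarize(trace):
    """Return exchange metadata, offered and chosen transforms, and legacy flags."""
    info = {"offered": [], "chosen": {}}
    for rec in unwrap(trace):
        if m := RECV_RE.search(rec):
            info.update(exchange=m[1], initiator=m[2], responder=m[3], policy=m[4])
        elif m := XFORM_RE.search(rec):
            info["offered"].append((m[1], m[2]))  # (type, algorithm) offered by the peer
        elif m := CHOSEN_RE.search(rec):
            info["chosen"][m[1]] = m[2]            # transform iked selected for the SA
    info["legacy"] = sorted(a for a in info["chosen"].values() if a in LEGACY)
    return info

# Constructed sample in the format of the trace above (trimmed; first record wrapped).
SAMPLE = """\
ikev2_recv: IKE_SA_INIT request from initiator 192.168.0.72:500 to
192.168.0.73:500 policy 'win' id 0, 616 bytes
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
c97aca74 9caa3cbb 70f6eb31 c55e8687 b41431ec 5550e6b8 1233795f 247be2a8
ikev2_sa_negotiate: score 10: ENCR 3DES
ikev2_sa_negotiate: score 2: PRF HMAC_SHA1
ikev2_sa_negotiate: score 4: INTEGR HMAC_SHA1_96
ikev2_sa_negotiate: score 5: DH MODP_1024
"""
```

Call `summarize(SAMPLE)` (or pass the full trace pasted from the mail) and inspect the `legacy` list; an empty list means every transform iked accepted is outside the flagged set.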