Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-26 Thread Yuri
Well, there are a couple of resources:

1. generating certificates from Strongswan:

https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA

2. import certificates on Windows machine

https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs

3. a nice enough how-to for Windows machines

https://console.kim.sg/strongswan-ipsec-vpn-with-pre-shared-key-and-certificates

P.S. Generating PKCS#12 bundles is an openssl command, so You can look at its 
man page, but all the things above are enough, I suppose.
  - Original message - 
  From: MOSES KARIUKI 
  To: Kostya Vasilyev ; Tobias Brunner ; IL Ka 
  Cc: users@lists.strongswan.org 
  Sent: 20 February 2019, 20:41
  Subject: Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 
10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout


  Dear Team,


  Thanks for your very valuable reply. I have set up a Linux Client and I am 
able to connect. :)


  On the client side :
  ipsec statusall
  Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0, x86_64):
uptime: 29 minutes, since Feb 20 17:55:09 2019
malloc: sbrk 3256320, mmap 532480, used 1349136, free 1907184
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
scheduled: 2
loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 
sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert 
pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl 
gcrypt fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru 
bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default 
connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka 
eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc 
eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc 
xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 
tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr 
addrblock unity counters
  Listening IP addresses:
185.135.*.**
2a03:a960:5:42a:8000::
::2
  Connections:
  ipsec-ikev2-vpn-client:  %any...102.1*9.2**.***  IKEv1/2
  ipsec-ikev2-vpn-client:   local:  [remoteprivate] uses EAP_MSCHAPV2 
authentication with EAP identity '%any'
  ipsec-ikev2-vpn-client:   remote: [102.1*9.2**.***] uses public key 
authentication
  ipsec-ikev2-vpn-client:   child:  dynamic === 0.0.0.0/0 TUNNEL
  Security Associations (1 up, 0 connecting):
  ipsec-ikev2-vpn-client[1]: ESTABLISHED 29 minutes ago, 
185.135.9.62[remoteprivate]...102.1*9.2**.***[102.1*9.2**.***]
  ipsec-ikev2-vpn-client[1]: IKEv2 SPIs: 0338f500edc84652_i* 
1ae30618408f64a4_r, EAP reauthentication in 2 hours
  ipsec-ikev2-vpn-client[1]: IKE proposal: 
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048


  hostname -I
  127.0.0.1 185.135.*.** 10.10.10.1 2a03:a960:5:42a:8000:: ::2


  On the server : 
  ipsec statusall
  Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic, 
x86_64):
uptime: 21 hours, since Feb 19 23:58:30 2019
malloc: sbrk 3256320, mmap 532480, used 1645568, free 1610752
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
scheduled: 1
loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 
sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert 
pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl 
gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm 
ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default 
connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka 
eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc 
eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc 
xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 
tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr 
addrblock unity counters
  Virtual IP pools (size/online/offline):
10.10.10.0/24: 254/1/0
  Listening IP addresses:
102.1*9.2**.***
  Connections:
 ikev2-vpn:  %any...%any  IKEv2, dpddelay=300s
 ikev2-vpn:   local:  [ 102.1*9.2**.*** ] uses public key authentication
 ikev2-vpn:cert:  "CN= 102.1*9.2**.***"
 ikev2-vpn:   remote: uses EAP_MSCHAPV2 authentication with EAP identity 
'%any'
 ikev2-vpn:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
  Security Associations (1 up, 0 connecting):
 ikev2-vpn[21]: ESTABLISHED 41 minutes ago,  102.1*9.2**.***[ 
102.1*9.2**.***]... 185.135.*.** [remoteprivate]
 ikev2-vpn[21]: IKEv2 SPIs: 0338f500edc84652_i 1ae30618408f64a4_r*, 
rekeying disabled
 ikev2-vpn[21]: IKE proposal: 
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048




  That said, how can I verify that the connection to the VPN client from the 
server works?


  Only issue 

Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-21 Thread Yuri
No, I meant a different thing. You need to learn a little bit about PKI structure 
as a whole, and PKI structure in strongSwan in particular, I think. Windows 
requires the right infrastructure to be installed.
So, again, a CA cert is not enough to make Windows work with VPN.
1. The CA cert You issued is only the first step.
2. You have to issue server and client certs signed by Your CA made in step 1.
3. Put Your CA, server key and server cert on the server in the appropriate folders.
4. Make a .p12 file with Your CA cert, client key and client cert, put it on Your 
Windows machine and import all that stuff into the computer account.
And please read the certificate requirements for strongSwan and Windows before 
issuing server and client certs; You can find these on strongswan.org

  - Original message - 
  From: MOSES KARIUKI 
  To: Yuri 
  Sent: 20 February 2019, 13:47
  Subject: Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 
10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout


  Dear Yuri,


  I already installed the ca-cert.pem  certificate  under Trusted Root 
Certification Authorities and under the Personal folder. Is this what you meant?


  Below are the instructions that I followed. 
  Connecting from Windows
  First, import the root certificate by following these steps:
1. Press WINDOWS+R to bring up the Run dialog, and enter mmc.exe to launch 
the Windows Management Console.
2. From the File menu, navigate to Add or Remove Snap-in, select 
Certificates from the list of available snap-ins, and click Add.
3. We want the VPN to work with any user, so select Computer Account and 
click Next.
4. We're configuring things on the local computer, so select Local 
Computer, then click Finish.
5. Under the Console Root node, expand the Certificates (Local Computer) 
entry, expand Trusted Root Certification Authorities, and then select the 
Certificates entry:

6. From the Action menu, select All Tasks and click Import to display the 
Certificate Import Wizard. Click Next to move past the introduction.

7. On the File to Import screen, press the Browse button and select the 
certificate file that you've saved. Then click Next.

8. Ensure that the Certificate Store is set to Trusted Root Certification 
Authorities, and click Next.

9. Click Finish to import the certificate.

  Then configure the VPN with these steps:
1. Launch Control Panel, then navigate to the Network and Sharing Center.
2. Click on Set up a new connection or network, then select Connect to a 
workplace.
3. Select Use my Internet connection (VPN).
4. Enter the VPN server details. Enter the server's domain name or IP 
address in the Internet address field, then fill in Destination name with 
something that describes your VPN connection. Then click Done.
  Your new VPN connection will be visible under the list of networks. Select 
the VPN and click Connect. You'll be prompted for your username and password. 
Type them in, click OK, and you'll be connected.




  On Wed, Feb 20, 2019 at 1:32 PM Yuri  wrote:

Hi!
I don't see any client certs in Your message, that's possibly the reason for 
Your problem.
That's what You should install on client Windows machine:
- CA cert
- client cert
Cheers
Yuri


  Dear Users,


  Below were the suggestions : 
  - Installing EAP-Identity support - Done
  - Setting UFW to allow all traffic from client
   ufw allow 500,4500/udp
   ufw allow in from 154.77.***.** proto gre 
   ufw allow in from 154.77.***.** proto ah
   ufw allow in from 154.77.***.** proto esp


  - Checking if your server certificates have https:// CRL's
 openssl x509 -noout -text -in ca-cert.pem 
  Certificate:
  Data:
  Version: 3 (0x2)
  Serial Number: 5360843625440499832 (0x4a658adfd6cc5878)
  Signature Algorithm: sha384WithRSAEncryption
  Issuer: CN = VPN root CA
  Validity
  Not Before: Feb 12 21:01:05 2019 GMT
  Not After : Feb  9 21:01:05 2029 GMT
  Subject: CN = VPN root CA
  Subject Public Key Info:
  Public Key Algorithm: rsaEncryption
  Public-Key: (4096 bit)
  Modulus:
  00:c5:bb:cc:c2:90:92:b4:40:fa:12:7b:39:30:cb:
  e8:54:8f:09:59:38:f1:9e:52:6d:eb:a3:fc:e2:dd:
  a3:64:30:d4:20:0b:85:f7:09:fc:5b:8f:7f:eb:c6:
  25:12:20:45:fb:1a:2c:2d:80:f7:d3:a9:3f:81:04:
  27:80:e5:2c:87:ef:08:81:c7:b0:cf:fc:f2:e4:cb:
  18:09:3a:a2:fe:2e:27:44:fd:9f:7f:3d:a7:ed:1c:
  d6:71:f6:e4:c2:c2:e3:fd:54:bd:31:fe:de:c7:1d:
  52:ea:49:aa:48:0c:2d:46:b0:dc:fe:15:6d:8c:0f:
  

Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-20 Thread MOSES KARIUKI
Dear Team,

Thanks for your very valuable reply. I have set up a Linux Client and I am
able to connect. :)

*On the client side :*
*ipsec statusall*
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0, x86_64):
  uptime: 29 minutes, since Feb 20 17:55:09 2019
  malloc: sbrk 3256320, mmap 532480, used 1349136, free 1907184
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 2
  loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2
sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints
acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey
pem openssl gcrypt fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr
ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve
socket-default connmark farp stroke updown eap-identity eap-sim
eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth
eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls
eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs
tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify
certexpire led radattr addrblock unity counters
Listening IP addresses:
  185.135.*.**
  2a03:a960:5:42a:8000::
  ::2
Connections:
ipsec-ikev2-vpn-client:  %any...102.1*9.2**.***  IKEv1/2
ipsec-ikev2-vpn-client:   local:  [remoteprivate] uses EAP_MSCHAPV2
authentication with EAP identity '%any'
ipsec-ikev2-vpn-client:   remote: [102.1*9.2**.***] uses public key
authentication
ipsec-ikev2-vpn-client:   child:  dynamic === 0.0.0.0/0 TUNNEL
Security Associations (1 up, 0 connecting):
ipsec-ikev2-vpn-client[1]: ESTABLISHED 29 minutes ago,
185.135.9.62[remoteprivate]...102.1*9.2**.***[102.1*9.2**.***]
ipsec-ikev2-vpn-client[1]: IKEv2 SPIs: 0338f500edc84652_i*
1ae30618408f64a4_r, EAP reauthentication in 2 hours
ipsec-ikev2-vpn-client[1]: IKE proposal:
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

*hostname -I*
127.0.0.1 185.135.*.** *10.10.10.1* 2a03:a960:5:42a:8000:: ::2

*On the server : *
ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic,
x86_64):
  uptime: 21 hours, since Feb 19 23:58:30 2019
  malloc: sbrk 3256320, mmap 532480, used 1645568, free 1610752
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 1
  loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2
sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints
acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey
pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac
hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink
resolve socket-default connmark farp stroke updown eap-identity eap-sim
eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth
eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls
eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs
tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify
certexpire led radattr addrblock unity counters
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/1/0
Listening IP addresses:
  102.1*9.2**.***
Connections:
   ikev2-vpn:  %any...%any  IKEv2, dpddelay=300s
   ikev2-vpn:   local:  [ 102.1*9.2**.*** ] uses public key authentication
   ikev2-vpn:cert:  "CN= 102.1*9.2**.***"
   ikev2-vpn:   remote: uses EAP_MSCHAPV2 authentication with EAP identity
'%any'
   ikev2-vpn:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
   ikev2-vpn[21]: ESTABLISHED 41 minutes ago,  102.1*9.2**.***[
102.1*9.2**.***]... 185.135.*.** [remoteprivate]
   ikev2-vpn[21]: IKEv2 SPIs: 0338f500edc84652_i 1ae30618408f64a4_r*,
rekeying disabled
   ikev2-vpn[21]: IKE proposal:
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048


That said, how can I verify that the connection to the VPN client from the
server works?

Only issue now is to connect from Windows.

Thanks,
Moses K


On Wed, Feb 20, 2019 at 4:24 AM Kostya Vasilyev  wrote:

> Ok looks to me like an auth error on the client (windows) I mean the error
> code
>
>
> https://social.technet.microsoft.com/Forums/ie/en-US/771bf5ec-7017-4fd3-9496-52137dfa616a/error-description-13801-ike-authentication-credentials-are-unacceptable
>
> Also in your windows client settings screenshot you have EAP auth selected
> - did you mean to use machine certificate rather?
>
> The connection type there looks good as IKEv2. Did you just fix this?
>
> The CA doesn't have a CRL link as I can see, so my theory about "ufw
> blocks port 443" looks wrong (and Il Ka's looks more likely).
>
> On the windows error code some possible causes have to do with the server
> certificate's subjectAltName - so you will want to dump the server cert the
> same way and examine that.
>
> But personally I'd still do PSK as a test, an easy way to be sure that
> everything else (except cert or eap auth) is working.

Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-19 Thread Kostya Vasilyev
Ok looks to me like an auth error on the client (windows) I mean the error code
https://social.technet.microsoft.com/Forums/ie/en-US/771bf5ec-7017-4fd3-9496-52137dfa616a/error-description-13801-ike-authentication-credentials-are-unacceptable

Also in your windows client settings screenshot you have EAP auth selected - did
you mean to use machine certificate rather?

The connection type there looks good as IKEv2. Did you just fix this?

The CA doesn't have a CRL link as I can see, so my theory about "ufw blocks port
443" looks wrong (and Il Ka's looks more likely).

On the windows error code some possible causes have to do with the server
certificate's subjectAltName - so you will want to dump the server cert the same
way and examine that.

But personally I'd still do PSK as a test, an easy way to be sure that everything
else (except cert or eap auth) is working.

Oh and you're still not allowing all traffic from client.

ufw allow in from 154.77.***.**

I'd do this as a test (and then either revert or tighten based on the results).

-- K

On 20 Feb 2019 at 1:26, MOSES KARIUKI wrote:

> Dear Users,
>
> Below were the suggestions :
> - Installing EAP-Identity support - Done
> - Setting UFW to allow all traffic from client
>      ufw allow 500,4500/udp
>      ufw allow in from 154.77.***.** proto gre
>      ufw allow in from 154.77.***.** proto ah
>      ufw allow in from 154.77.***.** proto esp
>
> - Checking if your server certificates have https:// CRL's
>    openssl x509 -noout -text -in ca-cert.pem
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 5360843625440499832 (0x4a658adfd6cc5878)
>     Signature Algorithm: sha384WithRSAEncryption
>         Issuer: CN = VPN root CA
>         Validity
>             Not Before: Feb 12 21:01:05 2019 GMT
>             Not After : Feb  9 21:01:05 2029 GMT
>         Subject: CN = VPN root CA
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (4096 bit)
>                 Modulus:
>                     00:c5:bb:cc:c2:90:92:b4:40:fa:12:7b:39:30:cb:
>                     e8:54:8f:09:59:38:f1:9e:52:6d:eb:a3:fc:e2:dd:
>                     a3:64:30:d4:20:0b:85:f7:09:fc:5b:8f:7f:eb:c6:
>                     25:12:20:45:fb:1a:2c:2d:80:f7:d3:a9:3f:81:04:
>                     27:80:e5:2c:87:ef:08:81:c7:b0:cf:fc:f2:e4:cb:
>                     18:09:3a:a2:fe:2e:27:44:fd:9f:7f:3d:a7:ed:1c:
>                     d6:71:f6:e4:c2:c2:e3:fd:54:bd:31:fe:de:c7:1d:
>                     52:ea:49:aa:48:0c:2d:46:b0:dc:fe:15:6d:8c:0f:
>                     49:f0:af:b7:7c:62:d7:36:e9:34:20:3a:0e:04:4e:
>                     73:ab:78:fe:bb:44:b5:22:ff:33:f4:60:3e:ab:36:
>                     26:c3:bd:f0:9f:e4:04:eb:c2:2b:8f:cf:61:53:9c:
>                     38:0e:ce:db:a0:5b:48:73:9f:fe:63:d1:02:05:59:
>                     8b:64:7d:ab:2f:6f:b5:c6:55:78:24:ba:a3:0a:6b:
>                     cb:88:96:0d:56:c0:ea:17:58:1e:55:09:e2:17:61:
>                     37:24:02:2a:96:39:5c:6d:b7:2a:6f:63:0d:d1:b0:
>                     44:65:d8:28:97:c6:74:5c:af:b9:10:b7:ec:4c:0e:
>                     2b:b2:6b:f5:39:89:53:d9:81:bd:2d:18:e8:1e:e5:
>                     a0:3b:76:d2:04:ee:92:00:a1:a7:e8:21:27:74:b6:
>                     e1:b5:77:7c:73:49:2f:cc:eb:54:04:29:c9:9a:3a:
>                     75:34:5c:d0:f9:dd:5e:e9:76:69:25:c3:b0:d3:d6:
>                     74:bc:a3:1d:07:18:67:7b:24:60:a1:88:9d:c6:f0:
>                     7d:6a:e8:b1:e2:3e:a6:df:c7:1e:54:e9:8d:16:a2:
>                     be:60:91:e1:42:6e:50:18:0a:6f:4d:32:b3:df:17:
>                     0d:e1:fa:3f:bf:d2:a6:3e:17:40:69:e9:d7:a0:da:
>                     7f:2e:1f:dd:c2:88:e4:72:09:bd:c4:35:76:9d:3a:
>                     1c:38:53:5f:13:12:28:10:0a:27:a3:69:5e:66:7a:
>                     1d:4d:82:13:91:49:4c:99:a8:4c:5d:30:e5:ab:9f:
>                     5f:c6:63:d4:e0:45:e7:c5:6e:b9:45:3f:a8:73:92:
>                     ea:88:fc:ae:2b:16:d9:92:53:2e:f8:95:57:06:7e:
>                     6b:cc:4c:53:ae:76:31:b1:f0:14:47:00:33:19:03:
>                     24:34:90:df:f0:ca:93:c5:4c:4f:96:34:16:f3:c7:
>                     eb:b4:82:d9:67:10:f1:70:b2:b6:64:55:81:5e:b3:
>                     70:4e:c1:05:b1:bc:65:2e:49:10:1d:30:1e:79:9e:
>                     a3:62:c5:c3:9f:06:5a:c9:34:36:af:14:2e:6a:23:
>                     f2:39:4f
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>             X509v3 Key Usage: critical
>                 Certificate Sign, CRL Sign
>             X509v3 Subject Key Identifier:
>                 92:3F:B1:C0:05:82:F8:11:B1:69:7E:9E:4F:B4:71:31:F0:AD:18:B7
>     Signature Algorithm: sha384WithRSAEncryption
>          88:53:04:b1:a3:d7:7d:00:d6:f7:06:80:c5:c4:cb:f3:86:30:
>          43:54:11:f6:e8:4d:42:70:12:b9:5f:26:07:ab:7c:d1:48:b1:
>          f7:d4:28:c8:f0:53:49:bc:c1:5b:71:45:bd:f1:3a:a2:06:c2:
>          38:08:c5:e7:d4:d4:51:19:9d:27:d2:f0:fa:71:8b:50:aa:cd:
>          e3:00:96:a8:9c:f8:db:16:00:eb:6f:1f:3c:39:ee:1c:02:ac:
>
> On the client side
>
> - Checking actual error message from the client
>
> Client error log :
> Informatio
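As an added example (not code from the thread, from Yuri, or from the strongSwan project), here is the chain Yuri lays out in the reply of 2019-02-21 and points at with the PKCS#12 remark of 2019-02-26: a CA, a server cert and a client cert signed by it, and a .p12 for the Windows computer store, built with openssl alone. It ends with the server-certificate check Kostya asks for above: the subjectAltName has to name the address the Windows client dials and the extended key usage has to include serverAuth, with the cert chaining to the CA that was imported on Windows. Every specific is an assumption: 203.0.113.10 is a documentation address standing in for the server's public IP, "remoteprivate" is borrowed from the statusall output in the thread, and the .p12 passphrase is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan: Yuri's chain
# (CA -> server cert -> client cert -> .p12) built with openssl alone, then the
# server-cert check Kostya asks for (subjectAltName naming the address the Windows
# client dials, serverAuth EKU, chain to the imported CA). All specifics are
# assumptions: 203.0.113.10 is a documentation address, "remoteprivate" is the
# identity seen in the thread's statusall output, the passphrase is a placeholder.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to do" >&2; exit 0; }

PKI_DIR="${PKI_DIR:-./vpn-pki}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # what the client types as Internet address
CLIENT_NAME="${CLIENT_NAME:-remoteprivate}"
P12_PASS="${P12_PASS:-changeit}"           # placeholder; use a real secret
KEY_BITS="${KEY_BITS:-3072}"               # the thread's CA used 4096

# SAN type follows what the client dials: IP for a dotted quad, DNS otherwise.
san_for() {
    case "$1" in
        *[!0-9.]*) printf 'DNS:%s' "$1" ;;
        *)         printf 'IP:%s' "$1" ;;
    esac
}

# One config for the CA, the server cert and the client cert. 1.3.6.1.5.5.8.2.2
# (ikeIntermediate) is the extra EKU the strongSwan Win7Certs page asks for.
write_config() {
    cat > "$PKI_DIR/pki.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,1.3.6.1.5.5.8.2.2
subjectAltName = $(san_for "$VPN_SERVER")
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# issue <name> <subject DN> <extension section>: key, CSR and CA-signed cert.
issue() {
    openssl genrsa -out "$PKI_DIR/$1-key.pem" "$KEY_BITS" 2>/dev/null
    openssl req -new -key "$PKI_DIR/$1-key.pem" -subj "$2" \
        -config "$PKI_DIR/pki.cnf" -out "$PKI_DIR/$1.csr"
    openssl x509 -req -sha256 -days 1825 -in "$PKI_DIR/$1.csr" \
        -CA "$PKI_DIR/ca-cert.pem" -CAkey "$PKI_DIR/ca-key.pem" -CAcreateserial \
        -extfile "$PKI_DIR/pki.cnf" -extensions "$3" -out "$PKI_DIR/$1-cert.pem"
}

build_pki() {
    mkdir -p "$PKI_DIR"
    write_config
    # Step 1: self-signed root CA, the shape of the "VPN root CA" dumped in the thread.
    openssl genrsa -out "$PKI_DIR/ca-key.pem" "$KEY_BITS" 2>/dev/null
    openssl req -new -x509 -sha384 -days 3650 -key "$PKI_DIR/ca-key.pem" \
        -subj "/CN=VPN root CA" -config "$PKI_DIR/pki.cnf" -extensions v3_ca \
        -out "$PKI_DIR/ca-cert.pem"
    # Step 2: server cert (CN and SAN carry the dialed address) and client cert
    # (needed only for machine-cert auth; EAP-MSCHAPv2 needs just the CA on Windows).
    issue server "/CN=$VPN_SERVER" v3_server
    issue client "/CN=$CLIENT_NAME" v3_client
    # Step 4: PKCS#12 bundle (client key + cert + CA) for the Windows computer store.
    openssl pkcs12 -export -name "$CLIENT_NAME" -inkey "$PKI_DIR/client-key.pem" \
        -in "$PKI_DIR/client-cert.pem" -certfile "$PKI_DIR/ca-cert.pem" \
        -passout "pass:$P12_PASS" -out "$PKI_DIR/client.p12"
}

# check_server_cert <cert> <dialed address>: the server-side half of the Windows
# "IKE authentication credentials are unacceptable" (13801) checklist.
check_server_cert() {
    txt=$(openssl x509 -noout -text -in "$1")
    san=$(printf '%s\n' "$txt" | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}')
    eku=$(printf '%s\n' "$txt" | sed -n '/Extended Key Usage/{n;s/^ *//;p;}')
    rc=0
    case ", $san," in
        *", IP Address:$2,"*|*", DNS:$2,"*) ;;
        *) echo "FAIL: SAN [$san] does not name $2" >&2; rc=1 ;;
    esac
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "FAIL: EKU [$eku] lacks serverAuth" >&2; rc=1 ;;
    esac
    openssl verify -CAfile "$PKI_DIR/ca-cert.pem" "$1" >/dev/null 2>&1 \
        || { echo "FAIL: $1 does not chain to ca-cert.pem" >&2; rc=1; }
    return $rc
}

build_pki
check_server_cert "$PKI_DIR/server-cert.pem" "$VPN_SERVER"
echo "OK: server-cert.pem is acceptable for a client dialing $VPN_SERVER"
```

Yuri's step 3 is the placement on the server: ca-cert.pem under /etc/ipsec.d/cacerts, server-cert.pem under /etc/ipsec.d/certs and server-key.pem (mode 0600) under /etc/ipsec.d/private, referenced from ipsec.conf with leftcert= and from ipsec.secrets with an RSA line. The client.p12 is the file the Win7Certs page imports into the Local Computer store. The same check_server_cert run against an existing server certificate tells you, before touching Windows, whether a mismatch between the dialed address and the SAN is what the client will reject.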

Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-19 Thread MOSES KARIUKI
Dear Users,

Below were the suggestions :
- Installing EAP-Identity support - Done
- Setting UFW to allow all traffic from client
 ufw allow 500,4500/udp
 ufw allow in from 154.77.***.** proto gre
 ufw allow in from 154.77.***.** proto ah
 ufw allow in from 154.77.***.** proto esp

- Checking if your server certificates have https:// CRL's
  * openssl x509 -noout -text -in ca-cert.pem*
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5360843625440499832 (0x4a658adfd6cc5878)
Signature Algorithm: sha384WithRSAEncryption
Issuer: CN = VPN root CA
Validity
Not Before: Feb 12 21:01:05 2019 GMT
Not After : Feb  9 21:01:05 2029 GMT
Subject: CN = VPN root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:c5:bb:cc:c2:90:92:b4:40:fa:12:7b:39:30:cb:
e8:54:8f:09:59:38:f1:9e:52:6d:eb:a3:fc:e2:dd:
a3:64:30:d4:20:0b:85:f7:09:fc:5b:8f:7f:eb:c6:
25:12:20:45:fb:1a:2c:2d:80:f7:d3:a9:3f:81:04:
27:80:e5:2c:87:ef:08:81:c7:b0:cf:fc:f2:e4:cb:
18:09:3a:a2:fe:2e:27:44:fd:9f:7f:3d:a7:ed:1c:
d6:71:f6:e4:c2:c2:e3:fd:54:bd:31:fe:de:c7:1d:
52:ea:49:aa:48:0c:2d:46:b0:dc:fe:15:6d:8c:0f:
49:f0:af:b7:7c:62:d7:36:e9:34:20:3a:0e:04:4e:
73:ab:78:fe:bb:44:b5:22:ff:33:f4:60:3e:ab:36:
26:c3:bd:f0:9f:e4:04:eb:c2:2b:8f:cf:61:53:9c:
38:0e:ce:db:a0:5b:48:73:9f:fe:63:d1:02:05:59:
8b:64:7d:ab:2f:6f:b5:c6:55:78:24:ba:a3:0a:6b:
cb:88:96:0d:56:c0:ea:17:58:1e:55:09:e2:17:61:
37:24:02:2a:96:39:5c:6d:b7:2a:6f:63:0d:d1:b0:
44:65:d8:28:97:c6:74:5c:af:b9:10:b7:ec:4c:0e:
2b:b2:6b:f5:39:89:53:d9:81:bd:2d:18:e8:1e:e5:
a0:3b:76:d2:04:ee:92:00:a1:a7:e8:21:27:74:b6:
e1:b5:77:7c:73:49:2f:cc:eb:54:04:29:c9:9a:3a:
75:34:5c:d0:f9:dd:5e:e9:76:69:25:c3:b0:d3:d6:
74:bc:a3:1d:07:18:67:7b:24:60:a1:88:9d:c6:f0:
7d:6a:e8:b1:e2:3e:a6:df:c7:1e:54:e9:8d:16:a2:
be:60:91:e1:42:6e:50:18:0a:6f:4d:32:b3:df:17:
0d:e1:fa:3f:bf:d2:a6:3e:17:40:69:e9:d7:a0:da:
7f:2e:1f:dd:c2:88:e4:72:09:bd:c4:35:76:9d:3a:
1c:38:53:5f:13:12:28:10:0a:27:a3:69:5e:66:7a:
1d:4d:82:13:91:49:4c:99:a8:4c:5d:30:e5:ab:9f:
5f:c6:63:d4:e0:45:e7:c5:6e:b9:45:3f:a8:73:92:
ea:88:fc:ae:2b:16:d9:92:53:2e:f8:95:57:06:7e:
6b:cc:4c:53:ae:76:31:b1:f0:14:47:00:33:19:03:
24:34:90:df:f0:ca:93:c5:4c:4f:96:34:16:f3:c7:
eb:b4:82:d9:67:10:f1:70:b2:b6:64:55:81:5e:b3:
70:4e:c1:05:b1:bc:65:2e:49:10:1d:30:1e:79:9e:
a3:62:c5:c3:9f:06:5a:c9:34:36:af:14:2e:6a:23:
f2:39:4f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
92:3F:B1:C0:05:82:F8:11:B1:69:7E:9E:4F:B4:71:31:F0:AD:18:B7
Signature Algorithm: sha384WithRSAEncryption
 88:53:04:b1:a3:d7:7d:00:d6:f7:06:80:c5:c4:cb:f3:86:30:
 43:54:11:f6:e8:4d:42:70:12:b9:5f:26:07:ab:7c:d1:48:b1:
 f7:d4:28:c8:f0:53:49:bc:c1:5b:71:45:bd:f1:3a:a2:06:c2:
 38:08:c5:e7:d4:d4:51:19:9d:27:d2:f0:fa:71:8b:50:aa:cd:
 e3:00:96:a8:9c:f8:db:16:00:eb:6f:1f:3c:39:ee:1c:02:ac: 

*On the client side*

[image: image.png]

- Checking actual error message from the client
[image: image.png]

Client error log :

*Information 2/20/2019 12:51:31 AM RasClient 20221 None*
CoId={E5273640-B6B0-4B4B-A0FF-8B5FC33EEDFB}: The user DESKTOP-ICV578Q\User
has started dialing a VPN connection using a per-user connection profile
named VPN Connection. The connection settings are:
Dial-in User = remoteprivate
VpnStrategy = IKEv2
DataEncryption = Requested
PrerequisiteEntry =
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = EAP
Ipv4DefaultGateway = Yes
Ipv4AddressAssignment = By Server
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = Yes
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags =
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No
Mobility enabled for IKEv2 = Yes.

*Information 2/20/2019 12:51:31 AM RasClient 20222 None*
CoId={E5273640-B6B0-4B4B-A0FF-8B5FC33EEDFB}: The user DESKTOP-ICV578Q\User
is trying to establish a link to the Remote Access Server for the
connection named VPN Connection using the following device:
Se

Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-19 Thread Kostya Vasilyev
It would also help to know your actual Windows VPN settings
including VPN Type.
I'm not much of a Windows person, but 

This Cisco tutorial has nice screenshots under "Configure Windows 7 built-in client":
https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/213246-asa-ikev2-ra-vpn-with-windows-7-or-andro.html
In particular please see "step 10" near the end:

https://www.cisco.com/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/213246-asa-ikev2-ra-vpn-with-windows-7-or-andro-50.png
If you have "automatic" as VPN type - it would explain the client trying
to use ports OpenVPN / PPTP / L2TP ports which we're seeing ("UFW
blocked" messages).
I believe you want IKEv2 as VPN type here.

If I'm wrong, hopefully someone more knowledgeable in Windows can
correct me.
And here is a different tutorial about strongSwan and Windows - it has
nice screenshots of how to properly configure Windows side (same screen
as I linked above, basically, just a different presentation).
https://docplayer.net/1323154-Vpn-with-windows-7-and-linux-strongswan-using-ikev2.html
--
Kostya Vasilyev
k...@fastmail.com


On Tue, Feb 19, 2019, at 4:02 PM, MOSES KARIUKI wrote:
> Thanks a lot. Let me load the Windows logs.
> 
> On Tue, Feb 19, 2019 at 4:00 PM Kostya Vasilyev
>  wrote:
>> 
>> On Tue, Feb 19, 2019, at 3:56 PM, MOSES KARIUKI wrote:
>>> Hello Vasilyev,
>>> 
>>> I can't get this to work.  *openssl -noout -text -in ca-key.pem. *I
>>> have tried Googling but this also gives nothing.
>>> openssl x509 -noout -text -in ca-key.pem
>>> 
>>> Any ideas. Sorry I am a newbie on this one.
>> 
>> You want to do this with the certificate - not its key.
>> 
>> But like I said it could be a red herring too - as Il Ka just wrote,
>> it could be that Windows client tries several protos including
>> PPTP/GRE, L2TP and so on ...
>> 
>> ... which is a reason to make sure that Windows is not trying to
>> use some other protocol like PPTP or L2TP, and that you're not trying
>> to use OpenVPN or some such.
>> 
>> Tom Rymes just suggested you check your Windows connection
>> properties. I second this.
>> 
>> -- K
>> 
>>> 
>>> 
>>> On Tue, Feb 19, 2019 at 12:40 PM Kostya Vasilyev 
>>> wrote: 
>>>> On Tue, Feb 19, 2019, at 12:34 PM, IL Ka wrote:
>>>> > 
>>>> > On Tue, Feb 19, 2019 at 8:48 AM Kostya Vasilyev
>>>> >  wrote:
>>>> >> Looks like the connection is "almost there" but gets blocked by
>>>> >> your firewall (UFW)
>>>> >>  
>>>> >>  Very end of your log:
>>>> >>  
>>>> >>  Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from
>>>> >>  102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
>>>> >>  Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK]
>>>> >>  IN=ens3 OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00
>>>> >>  SRC=154.77.***.** DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20
>>>> >>  TTL=116 ID=27223 DF PROTO=TCP SPT=54229 DPT=443 WINDOW=17520
>>>> >>  RES=0x00 SYN URGP=0
>>>> >>  Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open
>>>> >>  IKE_SA with 154.77.***.** after timeout
>>>> > 
>>>> > 
>>>> > DPT=443 looks like OpenVPN or HTTPS. 
>>>> > IKE uses UDP/500 (or UDP/4500 in case of NAT).
>>>> > 
>>>> > I am not sure this message is somehow connected to problem.
>>>> > 
>>>> 
>>>> Could be unrelated - good find on the EAP-Identity
>>>> 
>>>> But it could also be the client trying to fetch the CA
>>>> certificate's CRL. 
>>>> Moses can you check if your CA cert has a CRL?
>>>> 
>>>> openssl -text -noout -in your_CA_cert
>>>> 
>>>> Is there a CRL? Is it an https:// link?
>>>> 
>>>> X509v3 CRL Distribution Points:
>>>> 
>>>> Full Name:
>>>>   URI:https://..
>>>> 
>>>> -- K
>> 
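An added example, not from the thread: a small classifier for the kernel "[UFW BLOCK]" lines quoted above. It encodes IL Ka's point that IKE is UDP/500 (UDP/4500 behind NAT) while ESP and AH are IP protocols 50 and 51 with no port, and Kostya's "VPN type set to Automatic" theory (PPTP is TCP/1723 plus GRE, L2TP is UDP/1701), so that one pass over a log says whether a drop could have stopped strongSwan at all or is something else, like the TCP/443 seen in the thread. The sample log is constructed with documentation addresses; its first line is modelled on the one quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: classify kernel "[UFW BLOCK]" lines by what
# the dropped packet would have been, so that drops able to stop an IKEv2/IPsec
# tunnel (IKE UDP/500, NAT-T UDP/4500, ESP, AH) stand apart from the traffic a
# mis-set Windows VPN type produces (PPTP TCP/1723 + GRE, L2TP UDP/1701) and from
# plain HTTPS on TCP/443 (a CRL fetch would use it; IKE itself never does).
set -eu

# classify_ufw_line <log line>: prints "<verdict> <proto>[/<dport>] from <src>",
# or "not-a-ufw-block" for lines that are not UFW drops.
classify_ufw_line() {
    printf '%s\n' "$1" | awk '
    index($0, "[UFW BLOCK]") == 0 { print "not-a-ufw-block"; next }
    {
        proto = ""; dpt = ""; src = "?"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "PROTO") proto = v
            else if (k == "DPT") dpt = v
            else if (k == "SRC") src = v
        }
        # netfilter logs names for TCP/UDP/ICMP/AH/ESP and raw protocol numbers
        # for the rest (GRE appears as 47), so both spellings are accepted.
        if (proto == "UDP" && dpt == "500")        verdict = "ike"
        else if (proto == "UDP" && dpt == "4500")  verdict = "ike-natt"
        else if (proto == "ESP" || proto == "50")  verdict = "esp"
        else if (proto == "AH"  || proto == "51")  verdict = "ah"
        else if (proto == "TCP" && dpt == "1723")  verdict = "pptp-control"
        else if (proto == "GRE" || proto == "47")  verdict = "pptp-gre"
        else if (proto == "UDP" && dpt == "1701")  verdict = "l2tp"
        else if (proto == "UDP" && dpt == "1194")  verdict = "openvpn"
        else if (proto == "TCP" && dpt == "443")   verdict = "https"
        else                                        verdict = "unrelated"
        key = (dpt == "") ? proto : (proto "/" dpt)
        print verdict, key, "from", src
    }'
}

# ipsec_blocks <logfile>: print only the drops that would stop strongSwan itself;
# exit status 1 when there are none (then the firewall is not the problem).
ipsec_blocks() {
    found=1
    while IFS= read -r line; do
        out=$(classify_ufw_line "$line")
        case "$out" in
            "ike "*|"ike-natt "*|"esp "*|"ah "*) printf '%s\n' "$out"; found=0 ;;
        esac
    done < "$1"
    return $found
}

# Constructed sample log with documentation addresses: line 1 mirrors the TCP/443
# drop quoted in the thread; lines 2-4 show a NAT-T drop, an ESP drop and a PPTP
# attempt; line 5 is a charon message, not a firewall event.
SAMPLE_LOG="${SAMPLE_LOG:-./ufw-sample.log}"
cat > "$SAMPLE_LOG" <<'EOF'
Feb 19 02:10:01 vpn kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
Feb 19 02:10:02 vpn kernel: [ 2544.001122] [UFW BLOCK] IN=ens3 OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=1024 TOS=0x00 PREC=0x00 TTL=116 ID=27224 DF PROTO=UDP SPT=4500 DPT=4500 LEN=1004
Feb 19 02:10:03 vpn kernel: [ 2545.002233] [UFW BLOCK] IN=ens3 OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=140 TOS=0x00 PREC=0x00 TTL=116 ID=27225 DF PROTO=ESP SPI=0x0c1b2a3d
Feb 19 02:10:04 vpn kernel: [ 2546.003344] [UFW BLOCK] IN=ens3 OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=116 ID=27226 DF PROTO=TCP SPT=49200 DPT=1723 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 19 02:10:05 vpn charon: 14[JOB] deleting half open IKE_SA with 198.51.100.7 after timeout
EOF

echo "IPsec-relevant drops in $SAMPLE_LOG:"
ipsec_blocks "$SAMPLE_LOG" || echo "(none: UFW is not what is stopping the tunnel)"
```

Run it against the real journal with `SAMPLE_LOG=/var/log/kern.log` (or feed `journalctl -k` through a file): an empty result means the drops in the log, like the TCP/443 one in the thread, are not what keeps the IKE_SA half open, and the search moves to authentication.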



Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-19 Thread MOSES KARIUKI
Thanks a lot. Let me load the WIndows logs.

On Tue, Feb 19, 2019 at 4:00 PM Kostya Vasilyev  wrote:

>
> On Tue, Feb 19, 2019, at 3:56 PM, MOSES KARIUKI wrote:
>
> Hello Vasilyev,
>
> I can't get this to work.  *openssl -noout -text -in ca-key.pem. *I have
> tried Googling but this also gives nothing.
> openssl x509 -noout -text -in ca-key.pem
>
> Any ideas. Sorry I am a newbie on this one.
>
>
> You want to do this with the certificate - not its key.
>
> But like I said it could be a red herring too - as Il Ka just wrote, it
> could be that Windows client tries several protos including PPTP/GRE, L2TP
> and so on ...
>
> ... which is a reason to make sure that Windows is not trying to use
> some other protocol like PPTP or L2TP, and that you're not trying to use
> OpenVPN or some such.
>
> Tom Rymes just suggested you check your Windows connection properties. I
> second this.
>
> -- K
>
>
>
> On Tue, Feb 19, 2019 at 12:40 PM Kostya Vasilyev 
> wrote:
>
>
> On Tue, Feb 19, 2019, at 12:34 PM, IL Ka wrote:
> >
> > On Tue, Feb 19, 2019 at 8:48 AM Kostya Vasilyev 
> wrote:
> >> Looks like the connection is "almost there" but gets blocked by your
> firewall (UFW)
> >>
> >>  Very end of your log:
> >>
> >>  Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from
> 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
> >>  Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3
> OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
> DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP
> SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
> >>  Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with
> 154.77.***.** after timeout
> >
> >
> > DPT=443 looks like OpenVPN or HTTPS.
> > IKE uses UDP/500 (or UDP/4500 in case of NAT).
> >
> > I am not sure this message is somehow connected to problem.
> >
>
> Could be unrelated - good find on the EAP-Identity
>
> But it could also be the client trying to fetch the CA certificate's CRL.
>
> Moses can you check if your CA cert has a CRL?
>
> openssl -text -noout -in your_CA_cert
>
> Is there a CRL? Is it an https:// link?
>
> X509v3 CRL Distribution Points:
>
> Full Name:
>   URI:https://..
>
> -- K
>
>
>


Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-19 Thread Kostya Vasilyev

On Tue, Feb 19, 2019, at 3:56 PM, MOSES KARIUKI wrote:
> Hello Vasilyev,
> 
> I can't get this to work.  *openssl -noout -text -in ca-key.pem. *I
> have tried Googling but this also gives nothing.
> openssl x509 -noout -text -in ca-key.pem
> 
> Any ideas. Sorry I am a newbie on this one.

You want to do this with the certificate - not its key.

But like I said it could be a red herring too - as Il Ka just wrote, it
could be that Windows client tries several protos including PPTP/GRE,
L2TP and so on ...
... which is a reason to make sure that Windows is not trying to use
some other protocol like PPTP or L2TP, and that you're not trying to use
OpenVPN or some such.
Tom Rymes just suggested you check your Windows connection properties. I
second this.
-- K

> 
> 
> On Tue, Feb 19, 2019 at 12:40 PM Kostya Vasilyev wrote:
>> 
>> On Tue, Feb 19, 2019, at 12:34 PM, IL Ka wrote:
>> > 
>> > On Tue, Feb 19, 2019 at 8:48 AM Kostya Vasilyev wrote:
>> >> Looks like the connection is "almost there" but gets blocked by
>> >> your firewall (UFW)
>> >> 
>> >> Very end of your log:
>> >> 
>> >> Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from
>> >> 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
>> >> Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK]
>> >> IN=ens3 OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00
>> >> SRC=154.77.***.** DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20
>> >> TTL=116 ID=27223 DF PROTO=TCP SPT=54229 DPT=443 WINDOW=17520
>> >> RES=0x00 SYN URGP=0
>> >> Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open
>> >> IKE_SA with 154.77.***.** after timeout
>> > 
>> > DPT=443 looks like OpenVPN or HTTPS.
>> > IKE uses UDP/500 (or UDP/4500 in case of NAT).
>> > 
>> > I am not sure this message is somehow connected to problem.
>> > 
>> 
>> Could be unrelated - good find on the EAP-Identity
>> 
>> But it could also be the client trying to fetch the CA
>> certificate's CRL.
>> 
>> Moses can you check if your CA cert has a CRL?
>> 
>> openssl -text -noout -in your_CA_cert
>> 
>> Is there a CRL? Is it an https:// link?
>> 
>> X509v3 CRL Distribution Points:
>> 
>> Full Name:
>>   URI:https://..
>> 
>> -- K
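The CRL Distribution Points check suggested in this message (run `openssl x509 -noout -text` on the CA certificate, not its key, and look at whether the URI is an https:// link), as an added example that is not part of the thread or of strongSwan: a small Python script that locates the extension in a DER or PEM certificate with only the standard library and reports which port the VPN client will have to reach to fetch each CRL. The hand-rolled DER walker, the constructed sample extension block and the names `ca.example.test` / `ocsp.example.test` are assumptions for illustration; on a real certificate the output matches what `openssl x509 -noout -text` prints under "X509v3 CRL Distribution Points".

```python
"""Find X509v3 CRL Distribution Points in a certificate and report the port a
client needs to fetch each CRL. Minimal DER walker, stdlib only.
Added example, not strongSwan code."""
import base64

CRL_DP_OID = bytes.fromhex("551d1f")  # id-ce-cRLDistributionPoints, 2.5.29.31


def pem_to_der(data: bytes) -> bytes:
    """Accept either PEM (-----BEGIN ...-----) or raw DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l.strip() for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos (single-byte tags only, which is
    all X.509 uses). Returns (tag, value, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(buf: bytes):
    pos = 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        yield tag, val


def _uris_in(buf: bytes):
    """Collect every GeneralName of type uniformResourceIdentifier ([6] IA5String)."""
    out = []
    for tag, val in _children(buf):
        if tag == 0x86:
            out.append(val.decode("ascii"))
        elif tag & 0x20:                    # constructed element: descend into it
            out.extend(_uris_in(val))
    return out


def find_crl_uris(cert: bytes):
    """Return the URIs listed in the certificate's CRL Distribution Points extension."""
    found = []

    def walk(buf):
        kids = list(_children(buf))
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
        if kids and kids[0][0] == 0x06 and kids[0][1] == CRL_DP_OID:
            found.extend(_uris_in(kids[-1][1]))   # extnValue wraps the CRLDistributionPoints DER
            return
        for tag, val in kids:
            if tag & 0x20:
                walk(val)

    walk(pem_to_der(cert))
    return found


def fetch_ports(uris):
    """Port the VPN client will open to fetch each CRL; None for an unknown scheme."""
    by_scheme = {"http": 80, "https": 443, "ldap": 389}
    return [(u, by_scheme.get(u.split(":", 1)[0].lower())) for u in uris]


# --- constructed sample input: an Extensions SEQUENCE, not a real certificate ---
def _tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 128, "short-form length is enough for the sample"
    return bytes([tag, len(value)]) + value


def sample_extensions(uri="https://ca.example.test/ca.crl") -> bytes:
    name = _tlv(0x86, uri.encode("ascii"))            # [6] uniformResourceIdentifier
    full = _tlv(0xA0, name)                           # [0] fullName GeneralNames
    dp = _tlv(0x30, _tlv(0xA0, full))                 # DistributionPoint { [0] distributionPoint }
    crl_ext = _tlv(0x30, _tlv(0x06, CRL_DP_OID) + _tlv(0x04, _tlv(0x30, dp)))
    # A second extension (AIA, 1.3.6.1.5.5.7.1.1) also carries a [6] URI and must be ignored.
    aia_oid = bytes.fromhex("2b06010505070101")
    ocsp = _tlv(0x30, _tlv(0x06, bytes.fromhex("2b0601050507300101"))
                + _tlv(0x86, b"http://ocsp.example.test"))
    aia_ext = _tlv(0x30, _tlv(0x06, aia_oid) + _tlv(0x04, _tlv(0x30, ocsp)))
    return _tlv(0x30, crl_ext + aia_ext)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_extensions()
    for uri, port in fetch_ports(find_crl_uris(data)):
        print(f"CRL DP: {uri}  -> client needs outbound TCP/{port}")
```

Run it with the path of a PEM or DER certificate as the only argument; with no argument it parses the constructed sample. An https:// distribution point explains a client opening TCP/443 during IKE_AUTH, so that port must be reachable from the client, or the CRL DP has to point somewhere it can reach.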



Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-19 Thread MOSES KARIUKI
Hello Vasilyev,

I can't get this to work.  openssl -noout -text -in ca-key.pem. I have
tried Googling but this also gives nothing.
openssl x509 -noout -text -in ca-key.pem

Any ideas. Sorry I am a newbie on this one.



On Tue, Feb 19, 2019 at 12:40 PM Kostya Vasilyev  wrote:

>
> On Tue, Feb 19, 2019, at 12:34 PM, IL Ka wrote:
> >
> > On Tue, Feb 19, 2019 at 8:48 AM Kostya Vasilyev 
> wrote:
> >> Looks like the connection is "almost there" but gets blocked by your
> firewall (UFW)
> >>
> >>  Very end of your log:
> >>
> >>  Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from
> 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
> >>  Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3
> OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
> DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP
> SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
> >>  Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with
> 154.77.***.** after timeout
> >
> >
> > DPT=443 looks like OpenVPN or HTTPS.
> > IKE uses UDP/500 (or UDP/4500 in case of NAT).
> >
> > I am not sure this message is somehow connected to problem.
> >
>
> Could be unrelated - good find on the EAP-Identity
>
> But it could also be the client trying to fetch the CA certificate's CRL.
>
> Moses can you check if your CA cert has a CRL?
>
> openssl -text -noout -in your_CA_cert
>
> Is there a CRL? Is it an https:// link?
>
> X509v3 CRL Distribution Points:
>
> Full Name:
>   URI:https://..
>
> -- K
>


Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-19 Thread MOSES KARIUKI
Let me fetch the windows error logs and I will revert back to you. Thanks
all for the help. Much appreciated.

On Tue, Feb 19, 2019 at 3:31 PM Tom Rymes  wrote:

>
>
> > On Feb 19, 2019, at 7:07 AM, IL Ka  wrote:
> >
> > 1701 is L2TP port.
> > It could be that Windows client tries several protos including PPTP/GRE,
> L2TP and so on.
> >
> > What do you see on Windows side? Which error?
>
> [snip]
>
> Moses,
>
> I think your instructions for configuring the connection in windows are
> incomplete. As pointed out above, Windows is configured to use a VPN of
> type “auto”, so it throws everything at the server until something works.
>
> Go back into Network and Sharing Center and click edit adapter settings on
> the left side. Get properties for the VPN connection you are using and set
> it to a type of IKE2 and configure it to use machine certificates, assuming
> that’s how you intend to authenticate (is it?).
>
> Also, when windows fails to connect, it’s giving you an error. Multiple
> folks have asked what it is, but I don’t think you’ve answered them. That
> would be helpful.
>
> Lastly, rather than build your own server from scratch, you may want to
> consider using a firewall distribution like IPFire, or a project like Algo
> that makes the configuration far simpler.
>
> Tom
>


Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-19 Thread Tom Rymes



> On Feb 19, 2019, at 7:07 AM, IL Ka  wrote:
> 
> 1701 is L2TP port.
> It could be that Windows client tries several protos including PPTP/GRE, L2TP 
> and so on.
> 
> What do you see on Windows side? Which error?

[snip]

Moses,

I think your instructions for configuring the connection in windows are 
incomplete. As pointed out above, Windows is configured to use a VPN of type 
“auto”, so it throws everything at the server until something works.

Go back into Network and Sharing Center and click edit adapter settings on the 
left side. Get properties for the VPN connection you are using and set it to a 
type of IKE2 and configure it to use machine certificates, assuming that’s how 
you intend to authenticate (is it?).

Also, when windows fails to connect, it’s giving you an error. Multiple folks 
have asked what it is, but I don’t think you’ve answered them. That would be 
helpful.

Lastly, rather than build your own server from scratch, you may want to 
consider using a firewall distribution like IPFire, or a project like Algo that 
makes the configuration far simpler.

Tom


Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-19 Thread IL Ka
1701 is L2TP port.
It could be that Windows client tries several protos including PPTP/GRE,
L2TP and so on.

What do you see on Windows side? Which error?

On Tue, Feb 19, 2019 at 2:55 PM MOSES KARIUKI  wrote:

> Hello Team,
>
> This is the full LOG. The redacted IPs with ** are the VPN server (
> '102.1*9.2**.***') and Windows client (154.77.***.**).
>
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG] looking for peer configs
> matching 102.1*9.2**.***[%any]...154.77.***.**[192.168.43.156]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG]   candidate "ikev2-vpn",
> match: 1/1/28 (me/other/ike)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG] selected peer config
> 'ikev2-vpn'
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] EAP-Identity request
> configured, but not supported
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] initiating EAP_MSCHAPV2
> method (id 0x64)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] peer supports MOBIKE
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] authentication of
> '102.1*9.2**.***' (myself) with RSA signature successful
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] sending end entity cert
> "CN=102.1*9.2**.***"
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] generating IKE_AUTH response
> 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] splitting IKE message with
> length of 1936 bytes into 2 fragments
> Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] generating IKE_AUTH response 1 [
> EF(1/2) ]
> Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] generating IKE_AUTH response 1 [
> EF(2/2) ]
> Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from
> 102.1*9.2**.***[4500] to 154.77.***.**[4500] (1236 bytes)
> Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from
> 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
> Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT=
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
> DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP
> SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
> Feb 19 02:10:04 VM-e2b7 kernel: [ 2546.194639] [UFW BLOCK] IN=ens3 OUT=
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
> DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27227 DF PROTO=TCP
> SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
> Feb 19 02:10:10 VM-e2b7 kernel: [ 2552.209139] [UFW BLOCK] IN=ens3 OUT=
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
> DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27234 DF PROTO=TCP
> SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
> Feb 19 02:10:12 VM-e2b7 kernel: [ 2553.847176] [UFW BLOCK] IN=ens3 OUT=
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=191.96.110.25
> DST=102.1*9.2**.*** LEN=44 TOS=0x00 PREC=0x00 TTL=248 ID=54321 PROTO=TCP
> SPT=50543 DPT=990 WINDOW=65535 RES=0x00 SYN URGP=0
> Feb 19 02:10:22 VM-e2b7 kernel: [ 2564.254984] [UFW BLOCK] IN=ens3 OUT=
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
> DST=102.1*9.2**.*** LEN=44 TOS=0x10 PREC=0x20 TTL=113 ID=53967 PROTO=TCP
> SPT=54230 DPT=1723 WINDOW=32120 RES=0x00 SYN URGP=0
> Feb 19 02:10:24 VM-e2b7 kernel: [ 2566.134188] [UFW BLOCK] IN=ens3 OUT=
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
> DST=102.1*9.2**.*** LEN=44 TOS=0x10 PREC=0x20 TTL=112 ID=53967 PROTO=TCP
> SPT=54230 DPT=1723 WINDOW=32120 RES=0x00 SYN URGP=0
> Feb 19 02:10:24 VM-e2b7 kernel: [ 2566.425334] [UFW BLOCK] IN=ens3 OUT=
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=37.157.72.207
> DST=102.1*9.2**.*** LEN=40 TOS=0x08 PREC=0x40 TTL=43 ID=10093 PROTO=TCP
> SPT=34401 DPT=8080 WINDOW=20539 RES=0x00 SYN URGP=0
> Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with
> 154.77.***.** after timeout
> Feb 19 02:10:40 VM-e2b7 kernel: [ 2582.134308] [UFW BLOCK] IN=ens3 OUT=
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
> DST=102.1*9.2**.*** LEN=44 TOS=0x10 PREC=0x20 TTL=112 ID=53967 PROTO=TCP
> SPT=54230 DPT=1723 WINDOW=32120 RES=0x00 SYN URGP=0
> Feb 19 02:11:08 VM-e2b7 kernel: [ 2610.346853] [UFW BLOCK] IN=ens3 OUT=
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
> DST=102.1*9.2**.*** LEN=136 TOS=0x10 PREC=0x20 TTL=116 ID=27300 PROTO=UDP
> SPT=1701 DPT=1701 LEN=116
> Feb 19 02:12:13 VM-e2b7 kernel: [ 2674.792576] [UFW BLOCK] IN=ens3 OUT=
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=173.212.236.49
> DST=102.1*9.2**.*** LEN=40 TOS=0x08 PREC=0x40 TTL=239 ID=12005 PROTO=TCP
> SPT=50816 DPT=50802 WINDOW=1024 RES=0x00 SYN URGP=0
> Feb 19 02:13:28 VM-e2b7 charon: 13[CFG] proposing traffic selectors for us:
> Feb 19 02:13:28 VM-e2b7 charon: 13[CFG]  0.0.0.0/0
> Feb 19 02:13:28 VM-e2b7 charon: 13[CFG] proposing traffic selectors for
> other:
> Feb 19 02:13:28 VM-e2b7 charon: 13[CFG]  dynamic
>
> Thanks a lot for your assistance.
>
>
>
> On Tue, Feb 19, 2019 at 1:03 PM Kostya Vasilyev  wrote:
>
>> On Tue, Feb 19, 2019, at 12:50 PM, IL Ka wrote:
>> >

Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-19 Thread Kostya Vasilyev
---
I had installed OpenVPN in the same client that I uninstalled later.
---

And you also tried a PPTP connection?

Then the UFW blocks are probably a red herring - but since these are present, you'll 
want to uninstall / turn off PPTP and OpenVPN on the client, to avoid confusion.

Attempting to use PPTP or OpenVPN clients with IPSec server *most probably* 
will not work and is only going to be a distraction.

-- 
Kostya Vasilyev
k...@fastmail.com

On Tue, Feb 19, 2019, at 2:46 PM, Kostya Vasilyev wrote:
> And here it is again:
> 
> Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] generating IKE_AUTH response 1 
> [ EF(2/2) ]
> Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 
> 102.1*9.2**.***[4500] to 154.77.***.**[4500] (1236 bytes)
> Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 
> 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
> 
> Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= 
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** 
> DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF 
> PROTO=TCP SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
> 
> Feb 19 02:10:04 VM-e2b7 kernel: [ 2546.194639] [UFW BLOCK] IN=ens3 OUT= 
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** 
> DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27227 DF 
> PROTO=TCP SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
> 
> Feb 19 02:10:10 VM-e2b7 kernel: [ 2552.209139] [UFW BLOCK] IN=ens3 OUT= 
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** 
> DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27234 DF 
> PROTO=TCP SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
> 
> Feb 19 02:10:22 VM-e2b7 kernel: [ 2564.254984] [UFW BLOCK] IN=ens3 OUT= 
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** 
> DST=102.1*9.2**.*** LEN=44 TOS=0x10 PREC=0x20 TTL=113 ID=53967 PROTO=TCP 
> SPT=54230 DPT=1723 WINDOW=32120 RES=0x00 SYN URGP=0
> 
> Feb 19 02:10:24 VM-e2b7 kernel: [ 2566.134188] [UFW BLOCK] IN=ens3 OUT= 
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** 
> DST=102.1*9.2**.*** LEN=44 TOS=0x10 PREC=0x20 TTL=112 ID=53967 PROTO=TCP 
> SPT=54230 DPT=1723 WINDOW=32120 RES=0x00 SYN URGP=0
> 
> Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with 
> 154.77.***.** after timeout
> 
> This time there is port 1723 too - which is PPTP. But port 443 is there 
> too. Both are blocked by the firewall.
> 
> Moses, several people gave you several different suggestions today, including:
> 
> - Installing EAP-Identity support
> - Setting UFW to allow all traffic from client
> - Checking client logs
> - Checking actual error message from the client
> - Checking if your server certificates have https:// CRL's
> - Simplifying your setup to use PSK (pre-shared-keys) for authentication 
> *for now*
> 
> Have you tried any of these?
> 
> -- K
> 
> 
> On Tue, Feb 19, 2019, at 2:39 PM, MOSES KARIUKI wrote:
> > Hello Team,
> > 
> > This is the full LOG. The redacted IPs with ** are the VPN server 
> > ('102.1*9.2**.***') and Windows client (154.77.***.**).
> > 
> > Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG] looking for peer configs 
> > matching 102.1*9.2**.***[%any]...154.77.***.**[192.168.43.156]
> > Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG]   candidate "ikev2-vpn", 
> > match: 1/1/28 (me/other/ike)
> > Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG] selected peer config 
> > 'ikev2-vpn'
> > Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] EAP-Identity request 
> > configured, but not supported
> > Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] initiating EAP_MSCHAPV2 method 
> > (id 0x64)
> > Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] peer supports MOBIKE
> > Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] authentication of 
> > '102.1*9.2**.***' (myself) with RSA signature successful
> > Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] sending end entity cert 
> > "CN=102.1*9.2**.***"
> > Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] generating IKE_AUTH response 1 
> > [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
> > Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] splitting IKE message with 
> > length of 1936 bytes into 2 fragments
> > Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] generating IKE_AUTH response 1 [ 
> > EF(1/2) ]
> > Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] generating IKE_AUTH response 1 [ 
> > EF(2/2) ]
> > Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 
> > 102.1*9.2**.***[4500] to 154.77.***.**[4500] (1236 bytes)
> > Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 
> > 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
> > Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= 
> > MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** 
> > DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP 
> > SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
> > Feb 19 02:10:04 VM-e2b7 kernel: [ 2546.194639] [UFW BLOCK] IN=en

Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-19 Thread Kostya Vasilyev
And here it is again:

Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] generating IKE_AUTH response 1 [ 
EF(2/2) ]
Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 
102.1*9.2**.***[4500] to 154.77.***.**[4500] (1236 bytes)
Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 
102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)

Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= 
MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** 
DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP 
SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0

Feb 19 02:10:04 VM-e2b7 kernel: [ 2546.194639] [UFW BLOCK] IN=ens3 OUT= 
MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** 
DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27227 DF PROTO=TCP 
SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0

Feb 19 02:10:10 VM-e2b7 kernel: [ 2552.209139] [UFW BLOCK] IN=ens3 OUT= 
MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** 
DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27234 DF PROTO=TCP 
SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0

Feb 19 02:10:22 VM-e2b7 kernel: [ 2564.254984] [UFW BLOCK] IN=ens3 OUT= 
MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** 
DST=102.1*9.2**.*** LEN=44 TOS=0x10 PREC=0x20 TTL=113 ID=53967 PROTO=TCP 
SPT=54230 DPT=1723 WINDOW=32120 RES=0x00 SYN URGP=0

Feb 19 02:10:24 VM-e2b7 kernel: [ 2566.134188] [UFW BLOCK] IN=ens3 OUT= 
MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** 
DST=102.1*9.2**.*** LEN=44 TOS=0x10 PREC=0x20 TTL=112 ID=53967 PROTO=TCP 
SPT=54230 DPT=1723 WINDOW=32120 RES=0x00 SYN URGP=0

Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with 
154.77.***.** after timeout

This time there is port 1723 too - which is PPTP. But port 443 is there too. 
Both are blocked by the firewall.

Moses, several people gave you several different suggestions today, including:

- Installing EAP-Identity support
- Setting UFW to allow all traffic from client
- Checking client logs
- Checking actual error message from the client
- Checking if your server certificates have https:// CRL's
- Simplifying your setup to use PSK (pre-shared-keys) for authentication *for 
now*

Have you tried any of these?

-- K


On Tue, Feb 19, 2019, at 2:39 PM, MOSES KARIUKI wrote:
> Hello Team,
> 
> This is the full LOG. The redacted IPs with ** are the VPN server 
> ('102.1*9.2**.***') and Windows client (154.77.***.**).
> 
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG] looking for peer configs 
> matching 102.1*9.2**.***[%any]...154.77.***.**[192.168.43.156]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG]   candidate "ikev2-vpn", match: 
> 1/1/28 (me/other/ike)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG] selected peer config 'ikev2-vpn'
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] EAP-Identity request configured, 
> but not supported
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] initiating EAP_MSCHAPV2 method 
> (id 0x64)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] peer supports MOBIKE
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] authentication of 
> '102.1*9.2**.***' (myself) with RSA signature successful
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] sending end entity cert 
> "CN=102.1*9.2**.***"
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] generating IKE_AUTH response 1 [ 
> IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] splitting IKE message with 
> length of 1936 bytes into 2 fragments
> Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] generating IKE_AUTH response 1 [ 
> EF(1/2) ]
> Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] generating IKE_AUTH response 1 [ 
> EF(2/2) ]
> Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 
> 102.1*9.2**.***[4500] to 154.77.***.**[4500] (1236 bytes)
> Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 
> 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
> Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= 
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** 
> DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP 
> SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
> Feb 19 02:10:04 VM-e2b7 kernel: [ 2546.194639] [UFW BLOCK] IN=ens3 OUT= 
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** 
> DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27227 DF PROTO=TCP 
> SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
> Feb 19 02:10:10 VM-e2b7 kernel: [ 2552.209139] [UFW BLOCK] IN=ens3 OUT= 
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** 
> DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27234 DF PROTO=TCP 
> SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
> Feb 19 02:10:12 VM-e2b7 kernel: [ 2553.847176] [UFW BLOCK] IN=ens3 OUT= 
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=191.96.110.25 
> DST=102.1*9.2**.*** LEN=44 TOS=0x00 PREC=0x00 TTL=248 ID=54321 PROTO=T
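The log reading done by hand in this thread (UFW blocking TCP/443 and TCP/1723 from the client, UDP/1701 later, IKE on UDP/500 or 4500 never blocked, then "deleting half open IKE_SA ... after timeout"), as an added example that is not part of the thread or of strongSwan: a Python triage script that parses `[UFW BLOCK]` kernel lines and charon messages for one client address and summarises what was blocked. The port meanings are the ones stated in the thread (443 as HTTPS/CRL fetch or OpenVPN, 1723 PPTP, 1701 L2TP, 500/4500 IKE); the log lines, hostnames and RFC 5737 addresses are constructed for the example.

```python
"""Triage a strongSwan server log the way the thread does by hand: which ports UFW
is blocking from the VPN client, what those ports usually mean, and whether IKE
itself timed out. Added example, not strongSwan code; the log is constructed."""
import re
from collections import Counter

UFW_RE = re.compile(r"\[UFW BLOCK\]\s+(?P<fields>.*)$")
HALF_OPEN_RE = re.compile(r"deleting half open IKE_SA with (?P<peer>\S+) after timeout")

# Port meanings named in the thread. Anything else is treated as background noise.
KNOWN_PORTS = {
    ("UDP", 500): "IKE",
    ("UDP", 4500): "IKE NAT-T / UDP-encapsulated ESP",
    ("TCP", 443): "HTTPS: CRL or chain fetch, or an OpenVPN client",
    ("TCP", 1723): "PPTP control channel",
    ("UDP", 1701): "L2TP",
}


def parse_ufw_block(line: str):
    """Return the KEY=VALUE fields of a '[UFW BLOCK]' line, or None for other lines.
    Bare flags such as DF or SYN become True."""
    m = UFW_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else True
    return fields


def classify(proto: str, dport: int) -> str:
    return KNOWN_PORTS.get((proto, dport), "unrelated to IKEv2 (background scan or other service)")


def triage(lines, client_ip: str) -> dict:
    """Summarise blocked traffic and IKE_SA timeouts for one client address."""
    blocked = Counter()
    half_open = 0
    for line in lines:
        fields = parse_ufw_block(line)
        if fields is not None:
            if fields.get("SRC") == client_ip and "DPT" in fields:
                blocked[(fields["PROTO"], int(fields["DPT"]))] += 1
            continue
        m = HALF_OPEN_RE.search(line)
        if m and m.group("peer") == client_ip:
            half_open += 1
    return {
        "half_open_timeouts": half_open,
        # IKE itself being blocked would explain the timeout on its own
        "ike_blocked": any(p == "UDP" and d in (500, 4500) for p, d in blocked),
        "blocked": {f"{p}/{d}": (n, classify(p, d)) for (p, d), n in sorted(blocked.items())},
    }


# Constructed sample in the format of the thread's log (RFC 5737 addresses: server
# 198.51.100.10, Windows client 203.0.113.5, an unrelated scanner 192.0.2.77).
MAC = "MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00"
SAMPLE_LOG = [
    "Feb 19 02:10:01 vpn charon: 11[NET] sending packet: from 198.51.100.10[4500] to 203.0.113.5[4500] (772 bytes)",
    f"Feb 19 02:10:01 vpn kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= {MAC} SRC=203.0.113.5 DST=198.51.100.10 LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0",
    f"Feb 19 02:10:22 vpn kernel: [ 2564.254984] [UFW BLOCK] IN=ens3 OUT= {MAC} SRC=203.0.113.5 DST=198.51.100.10 LEN=44 TOS=0x10 PREC=0x20 TTL=113 ID=53967 PROTO=TCP SPT=54230 DPT=1723 WINDOW=32120 RES=0x00 SYN URGP=0",
    f"Feb 19 02:10:24 vpn kernel: [ 2566.425334] [UFW BLOCK] IN=ens3 OUT= {MAC} SRC=192.0.2.77 DST=198.51.100.10 LEN=40 TOS=0x08 PREC=0x40 TTL=43 ID=10093 PROTO=TCP SPT=34401 DPT=8080 WINDOW=20539 RES=0x00 SYN URGP=0",
    "Feb 19 02:10:30 vpn charon: 14[JOB] deleting half open IKE_SA with 203.0.113.5 after timeout",
    f"Feb 19 02:11:08 vpn kernel: [ 2610.346853] [UFW BLOCK] IN=ens3 OUT= {MAC} SRC=203.0.113.5 DST=198.51.100.10 LEN=136 TOS=0x10 PREC=0x20 TTL=116 ID=27300 PROTO=UDP SPT=1701 DPT=1701 LEN=116",
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG, "203.0.113.5"), indent=2))
```

On the sample the report shows no IKE port blocked, one half-open timeout, and blocks on TCP/443, TCP/1723 and UDP/1701 from the client, which is the pattern the thread reads as the Windows side cycling through VPN types (and possibly a CRL fetch) rather than IKE being filtered. Feed it `journalctl -k` plus the charon log for a real server and the client's public address to get the same summary.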

Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-19 Thread MOSES KARIUKI
I had installed OpenVPN in the same client that I uninstalled later.

On Tue, Feb 19, 2019 at 12:40 PM IL Ka  wrote:

>
> On Tue, Feb 19, 2019 at 8:48 AM Kostya Vasilyev  wrote:
>
>> Looks like the connection is "almost there" but gets blocked by your
>> firewall (UFW)
>>
>> Very end of your log:
>>
>> Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from
>> 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
>> Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT=
>> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
>> DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP
>> SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
>> Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with
>> 154.77.***.** after timeout
>>
>
>
> DPT=443 looks like OpenVPN or HTTPS.
> IKE uses UDP/500 (or UDP/4500 in case of NAT).
>
> I am not sure this message is somehow connected to problem.
>
>
>
>
>


Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-19 Thread MOSES KARIUKI
Hello IL Ka,

I followed the instructions here:
https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048

And installed the Cert using these steps to install the Certs in Windows:


   - cat /etc/ipsec.d/cacerts/ca-cert.pem

You'll see output similar to this:

Output
-----BEGIN CERTIFICATE-----
MIIFQjCCAyqgAwIBAgIIFkQGvkH4ej0wDQYJKoZIhvcNAQEMBQAwPzELMAkGA1UE

. . .

EwbVLOXcNduWK2TPbk/+82GRMtjftran6hKbpKGghBVDPVFGFT6Z0OfubpkQ9RsQ
BayqOb/Q
-----END CERTIFICATE-----

Copy this output to your computer, including the -----BEGIN CERTIFICATE-----
and -----END CERTIFICATE----- lines, and save it to a file with a
recognizable name, such as ca-cert.pem. Ensure the file you create has the
.pem extension.

Alternatively, use SFTP to transfer the file to your computer.

Once you have the ca-cert.pem file downloaded to your computer, you can set
up the connection to the VPN.
Connecting from Windows

First, import the root certificate by following these steps:

   1. Press WINDOWS+R to bring up the Run dialog, and enter mmc.exe to
   launch the Windows Management Console.
   2. From the File menu, navigate to Add or Remove Snap-in, select
   Certificates from the list of available snap-ins, and click Add.
   3. We want the VPN to work with any user, so select Computer Account and
   click Next.
   4. We're configuring things on the local computer, so select Local
   Computer, then click Finish.
   5. Under the Console Root node, expand the Certificates (Local Computer) entry,
   expand Trusted Root Certification Authorities, and then select the
   Certificates entry:
   [image: Certificates view]
   6. From the Action menu, select All Tasks and click Import to display the
   Certificate Import Wizard. Click Next to move past the introduction.
   7. On the File to Import screen, press the Browse button and select the
   certificate file that you've saved. Then click Next.
   8. Ensure that the Certificate Store is set to Trusted Root Certification
   Authorities, and click Next.
   9. Click Finish to import the certificate.

Then configure the VPN with these steps:

   1. Launch Control Panel, then navigate to the Network and Sharing Center.
   2. Click on Set up a new connection or network, then select Connect to a
   workplace.
   3. Select Use my Internet connection (VPN).
   4. Enter the VPN server details. Enter the server's domain name or IP
   address in the Internet address field, then fill in Destination name with
   something that describes your VPN connection. Then click Done.

Thanks

On Tue, Feb 19, 2019 at 12:29 PM IL Ka  wrote:

> > EAP-Identity request configured, but not supported
> try
> "apt install libcharon-extra-plugins"
>
> Did you install cert to your windows machine, btw? What error do you see
> on Windows side?
>
>
> On Tue, Feb 19, 2019 at 2:43 AM MOSES KARIUKI  wrote:
>
>> Dear Team,
>>
>> I have been having long days trying to configure Strongswan on Ubuntu
>> 18.04. I am not able to connect to the VPN from Windows 10 client, after
>> following the instructions on this link :
>>
>> https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2
>> and setting up windows for modp_2048 following these instructions here :
>>
>> https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048
>>
>>
>
>


Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-19 Thread MOSES KARIUKI
Hello Team,

This is the full LOG. The redacted IPs with ** are the VPN server (
'102.1*9.2**.***') and Windows client (154.77.***.**).

Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG] looking for peer configs
matching 102.1*9.2**.***[%any]...154.77.***.**[192.168.43.156]
Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG]   candidate "ikev2-vpn",
match: 1/1/28 (me/other/ike)
Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG] selected peer config
'ikev2-vpn'
Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] EAP-Identity request
configured, but not supported
Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] initiating EAP_MSCHAPV2 method
(id 0x64)
Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] peer supports MOBIKE
Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] authentication of
'102.1*9.2**.***' (myself) with RSA signature successful
Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] sending end entity cert
"CN=102.1*9.2**.***"
Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] generating IKE_AUTH response 1
[ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] splitting IKE message with
length of 1936 bytes into 2 fragments
Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] generating IKE_AUTH response 1 [
EF(1/2) ]
Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] generating IKE_AUTH response 1 [
EF(2/2) ]
Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from
102.1*9.2**.***[4500] to 154.77.***.**[4500] (1236 bytes)
Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from
102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT=
MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP
SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
Feb 19 02:10:04 VM-e2b7 kernel: [ 2546.194639] [UFW BLOCK] IN=ens3 OUT=
MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27227 DF PROTO=TCP
SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
Feb 19 02:10:10 VM-e2b7 kernel: [ 2552.209139] [UFW BLOCK] IN=ens3 OUT=
MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27234 DF PROTO=TCP
SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
Feb 19 02:10:12 VM-e2b7 kernel: [ 2553.847176] [UFW BLOCK] IN=ens3 OUT=
MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=191.96.110.25
DST=102.1*9.2**.*** LEN=44 TOS=0x00 PREC=0x00 TTL=248 ID=54321 PROTO=TCP
SPT=50543 DPT=990 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 19 02:10:22 VM-e2b7 kernel: [ 2564.254984] [UFW BLOCK] IN=ens3 OUT=
MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
DST=102.1*9.2**.*** LEN=44 TOS=0x10 PREC=0x20 TTL=113 ID=53967 PROTO=TCP
SPT=54230 DPT=1723 WINDOW=32120 RES=0x00 SYN URGP=0
Feb 19 02:10:24 VM-e2b7 kernel: [ 2566.134188] [UFW BLOCK] IN=ens3 OUT=
MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
DST=102.1*9.2**.*** LEN=44 TOS=0x10 PREC=0x20 TTL=112 ID=53967 PROTO=TCP
SPT=54230 DPT=1723 WINDOW=32120 RES=0x00 SYN URGP=0
Feb 19 02:10:24 VM-e2b7 kernel: [ 2566.425334] [UFW BLOCK] IN=ens3 OUT=
MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=37.157.72.207
DST=102.1*9.2**.*** LEN=40 TOS=0x08 PREC=0x40 TTL=43 ID=10093 PROTO=TCP
SPT=34401 DPT=8080 WINDOW=20539 RES=0x00 SYN URGP=0
Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with
154.77.***.** after timeout
Feb 19 02:10:40 VM-e2b7 kernel: [ 2582.134308] [UFW BLOCK] IN=ens3 OUT=
MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
DST=102.1*9.2**.*** LEN=44 TOS=0x10 PREC=0x20 TTL=112 ID=53967 PROTO=TCP
SPT=54230 DPT=1723 WINDOW=32120 RES=0x00 SYN URGP=0
Feb 19 02:11:08 VM-e2b7 kernel: [ 2610.346853] [UFW BLOCK] IN=ens3 OUT=
MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
DST=102.1*9.2**.*** LEN=136 TOS=0x10 PREC=0x20 TTL=116 ID=27300 PROTO=UDP
SPT=1701 DPT=1701 LEN=116
Feb 19 02:12:13 VM-e2b7 kernel: [ 2674.792576] [UFW BLOCK] IN=ens3 OUT=
MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=173.212.236.49
DST=102.1*9.2**.*** LEN=40 TOS=0x08 PREC=0x40 TTL=239 ID=12005 PROTO=TCP
SPT=50816 DPT=50802 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 19 02:13:28 VM-e2b7 charon: 13[CFG] proposing traffic selectors for us:
Feb 19 02:13:28 VM-e2b7 charon: 13[CFG]  0.0.0.0/0
Feb 19 02:13:28 VM-e2b7 charon: 13[CFG] proposing traffic selectors for
other:
Feb 19 02:13:28 VM-e2b7 charon: 13[CFG]  dynamic

Thanks a lot for your assistance.



On Tue, Feb 19, 2019 at 1:03 PM Kostya Vasilyev  wrote:

> On Tue, Feb 19, 2019, at 12:50 PM, IL Ka wrote:
> > > But it could also be the client trying to fetch the CA certificate's
> CRL.
> > I now think you are right.
> >
> > Client tries to fetch whole cert chain and fails to do so.
> > It explains both: packet with DST=443 and client timeout.
>
> The missing EAP-identity support could also be an issue - there can be two
> problems at once not one.
>
> But this sequence -
>
> conn

Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-19 Thread Kostya Vasilyev
On Tue, Feb 19, 2019, at 12:50 PM, IL Ka wrote:
> > But it could also be the client trying to fetch the CA certificate's CRL.
> I now think you are right.
> 
> Client tries to fetch whole cert chain and fails to do so.
> It explains both: packet with DST=443 and client timeout.

The missing EAP-identity support could also be an issue - there can be two 
problems at once not one.

But this sequence -

connection almost up, server sends packet to client, UFW blocks packet from 
client to server port 443

- has occurred twice, in *two* of Moses' logs.

Feb 19:

Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 
102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= 
MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** 
DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP 
SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with 
154.77.***.** after timeout

Feb 15:

Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[NET] sending 
packet: from  102.1*9.2*9.** [500] to  154.76.***.1*1 [500] (36 bytes)
Feb 15 20:13:12 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a kernel: [ 1898.916216] 
[UFW BLOCK] IN=ens3 OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 
SRC=154.76.122.161 DST=102.129.249.173 LEN=52 TOS=0x10 PREC=0x20 TTL=115 
ID=24830 DF PROTO=TCP SPT=57716 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0

Unfortunately this log is cut off short, there is no "deleting half open 
connection" here.

But the server sending a UDP packet followed immediately by UFW BLOCK is there.

Moses - I would also consider getting things to work using the basic PSK auth 
method and only then switching to certs and EAP.

It just might be easier to solve problems one at a time.

-- K

> 
> Whole chain must be installed on Win10 to solve it
> 
> 
> On Tue, Feb 19, 2019 at 12:40 PM Kostya Vasilyev  wrote:
>> 
>> On Tue, Feb 19, 2019, at 12:34 PM, IL Ka wrote:
>>  > 
>>  > On Tue, Feb 19, 2019 at 8:48 AM Kostya Vasilyev  wrote:
>>  >> Looks like the connection is "almost there" but gets blocked by your 
>> firewall (UFW)
>>  >>  
>>  >>  Very end of your log:
>>  >>  
>>  >>  Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 
>> 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
>>  >>  Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= 
>> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** 
>> DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP 
>> SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
>>  >>  Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with 
>> 154.77.***.** after timeout
>>  > 
>>  > 
>>  > DPT=443 looks like OpenVPN or HTTPS. 
>>  > IKE uses UDP/500 (or UDP/4500 in case of NAT).
>>  > 
>>  > I am not sure this message is somehow connected to the problem.
>>  > 
>>  
>>  Could be unrelated - good find on the EAP-Identity
>>  
>>  But it could also be the client trying to fetch the CA certificate's CRL.
>>  
>>  Moses can you check if your CA cert has a CRL?
>>  
>>  openssl x509 -text -noout -in your_CA_cert
>>  
>>  Is there a CRL? Is it an https:// link?
>>  
>>      X509v3 CRL Distribution Points:
>>  
>>          Full Name:
>>            URI:https://..
>>  
>>  -- K


Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-19 Thread IL Ka
> But it could also be the client trying to fetch the CA certificate's CRL.
I now think you are right.

Client tries to fetch the whole cert chain and fails to do so.
It explains both: the packet with DST=443 and the client timeout.

Whole chain must be installed on Win10 to solve it



On Tue, Feb 19, 2019 at 12:40 PM Kostya Vasilyev  wrote:

>
> On Tue, Feb 19, 2019, at 12:34 PM, IL Ka wrote:
> >
> > On Tue, Feb 19, 2019 at 8:48 AM Kostya Vasilyev 
> wrote:
> >> Looks like the connection is "almost there" but gets blocked by your
> firewall (UFW)
> >>
> >>  Very end of your log:
> >>
> >>  Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from
> 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
> >>  Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3
> OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
> DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP
> SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
> >>  Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with
> 154.77.***.** after timeout
> >
> >
> > DPT=443 looks like OpenVPN or HTTPS.
> > IKE uses UDP/500 (or UDP/4500 in case of NAT).
> >
> > I am not sure this message is somehow connected to the problem.
> >
>
> Could be unrelated - good find on the EAP-Identity
>
> But it could also be the client trying to fetch the CA certificate's CRL.
>
> Moses can you check if your CA cert has a CRL?
>
> openssl x509 -text -noout -in your_CA_cert
>
> Is there a CRL? Is it an https:// link?
>
> X509v3 CRL Distribution Points:
>
> Full Name:
>   URI:https://..
>
> -- K
>


Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-19 Thread Kostya Vasilyev


On Tue, Feb 19, 2019, at 12:34 PM, IL Ka wrote:
> 
> On Tue, Feb 19, 2019 at 8:48 AM Kostya Vasilyev  wrote:
>> Looks like the connection is "almost there" but gets blocked by your 
>> firewall (UFW)
>>  
>>  Very end of your log:
>>  
>>  Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 
>> 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
>>  Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= 
>> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** 
>> DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP 
>> SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
>>  Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with 
>> 154.77.***.** after timeout
> 
> 
> DPT=443 looks like OpenVPN or HTTPS. 
> IKE uses UDP/500 (or UDP/4500 in case of NAT).
> 
> I am not sure this message is somehow connected to the problem.
> 

Could be unrelated - good find on the EAP-Identity

But it could also be the client trying to fetch the CA certificate's CRL.

Moses can you check if your CA cert has a CRL?

openssl x509 -text -noout -in your_CA_cert

Is there a CRL? Is it an https:// link?

X509v3 CRL Distribution Points:

Full Name:
  URI:https://..

-- K
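
To make the check above repeatable, here is an added Python example (not code from this thread or from the strongSwan project). It reads the text dump produced by `openssl x509 -text -noout -in <cert>`, lists every URL a validating peer may try to fetch (CRL Distribution Points and Authority Information Access), maps each one to the host and TCP port the fetch needs, and flags the ones that a firewall which only opens udp/500 and udp/4500 for IKE would drop. The certificate text and the hostname vpn.example.org are constructed for the example.

```python
"""Find the URLs a peer may fetch while validating a CA certificate
(CRL Distribution Points and Authority Information Access) and the
TCP endpoints those fetches need to reach.

Added example, not code from the strongSwan list thread. Feed it the
output of `openssl x509 -text -noout -in <cert>`; the sample text and
the host vpn.example.org below are constructed for this example.
"""
import re
import sys
from urllib.parse import urlsplit

# Constructed excerpt of `openssl x509 -text` output: a CA certificate whose
# CRL and issuer-certificate URLs point back at the VPN server over HTTPS.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN = VPN root CA
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:https://vpn.example.org/ca.crl

            Authority Information Access:
                OCSP - URI:http://vpn.example.org:8080/ocsp
                CA Issuers - URI:https://vpn.example.org/ca.crt

    Signature Algorithm: sha256WithRSAEncryption
"""

URI_RE = re.compile(r"URI:(\S+)")
DEFAULT_PORTS = {"http": 80, "https": 443, "ldap": 389}


def extract_fetch_urls(cert_text):
    """Return (extension, url) pairs for every URI listed under the
    CRL Distribution Points and Authority Information Access extensions."""
    urls = []
    section = None
    for line in cert_text.splitlines():
        text = line.strip()
        if text.startswith("X509v3 CRL Distribution Points"):
            section = "crl"
        elif text.startswith("Authority Information Access"):
            section = "aia"
        elif text.startswith("X509v3 ") or text.startswith("Signature Algorithm"):
            section = None  # any other extension header ends the current one
        match = URI_RE.search(text)
        if section and match:
            urls.append((section, match.group(1)))
    return urls


def required_endpoints(urls):
    """Map each URL to the (host, TCP port) the fetching side must reach."""
    endpoints = set()
    for _, url in urls:
        parts = urlsplit(url)
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
        if parts.hostname and port:
            endpoints.add((parts.hostname, port))
    return endpoints


def uncovered_endpoints(endpoints, allowed_tcp_ports):
    """Endpoints whose TCP port the firewall does not open, e.g. under
    UFW rules that only allow udp/500 and udp/4500 for IKE."""
    return {ep for ep in endpoints if ep[1] not in allowed_tcp_ports}


def report(cert_text, allowed_tcp_ports=frozenset()):
    """Human-readable summary; returns the lines instead of printing them."""
    urls = extract_fetch_urls(cert_text)
    endpoints = required_endpoints(urls)
    lines = ["fetch URLs found in certificate: %d" % len(urls)]
    lines += ["  %-3s %s" % (ext, url) for ext, url in urls]
    for host, port in sorted(uncovered_endpoints(endpoints, allowed_tcp_ports)):
        lines.append("  NOT reachable through current rules: %s tcp/%d" % (host, port))
    return lines


if __name__ == "__main__":
    # Read an openssl text dump from a file argument, else use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CERT_TEXT
    print("\n".join(report(text)))
```

Run it against the real CA certificate with `openssl x509 -text -noout -in ca-cert.pem > ca.txt; python3 check_fetch_urls.py ca.txt` (file names assumed). If an https:// URL points at the VPN server itself, a client that tries to fetch it during IKE_AUTH needs tcp/443 open on that server, which matches the `DPT=443` UFW BLOCK lines in the thread.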


Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-19 Thread IL Ka
On Tue, Feb 19, 2019 at 8:48 AM Kostya Vasilyev  wrote:

> Looks like the connection is "almost there" but gets blocked by your
> firewall (UFW)
>
> Very end of your log:
>
> Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from
> 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
> Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT=
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
> DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP
> SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
> Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with
> 154.77.***.** after timeout
>


DPT=443 looks like OpenVPN or HTTPS.
IKE uses UDP/500 (or UDP/4500 in case of NAT).

I am not sure this message is somehow connected to the problem.






Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-19 Thread IL Ka
> EAP-Identity request configured, but not supported
try
"apt install libcharon-extra-plugins"

Did you install the cert on your Windows machine, btw? What error do you see on the
Windows side?


On Tue, Feb 19, 2019 at 2:43 AM MOSES KARIUKI  wrote:

> Dear Team,
>
> I have been having long days trying to configure Strongswan on Ubuntu
> 18.04. I am not able to connect to the VPN from Windows 10 client, after
> following the instructions on this link :
>
> https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2
> and setting up windows for modp_2048 following these instructions here :
>
> https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048
>
>



Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-19 Thread Michael Schwartzkopff
Answers inline.

On 19.02.19 at 00:43, MOSES KARIUKI wrote:
> Dear Team,
>
> I have been having long days trying to configure Strongswan on Ubuntu
> 18.04. I am not able to connect to the VPN from Windows 10 client, after
> following the instructions on this link :
> https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2
> and setting up windows for modp_2048 following these instructions here :
> https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048

(...)

After starting IKE your server gets at some point an answer from the client

> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 09[NET] received packet: from
> 154.77.***.**[4500] to 102.1*9.2**.***[4500] (580 bytes)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 09[ENC] parsed IKE_AUTH request 1 [
> EF(1/3) ]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 09[ENC] received fragment #1 of 3,
> waiting for complete IKE message
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 10[NET] received packet: from
> 154.77.***.**[4500] to 102.1*9.2**.***[4500] (580 bytes)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 10[ENC] parsed IKE_AUTH request 1 [
> EF(2/3) ]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 10[ENC] received fragment #2 of 3,
> waiting for complete IKE message
> Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] splitting IKE message with length
> of 1936 bytes into 2 fragments
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[NET] received packet: from
> 154.77.***.**[4500] to 102.1*9.2**.***[4500] (532 bytes)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] parsed IKE_AUTH request 1 [
> EF(3/3) ]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] received fragment #3 of 3,
> reassembling fragmented IKE message
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] parsed IKE_AUTH request 1 [
> IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi
> TSr ]

The answer was fragmented. But all fragments were received.


> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] received 53 cert requests for
> an unknown ca
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG] looking for peer configs
> matching 102.1*9.2**.***[%any]...154.77.***.**[192.168.43.156]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG]   candidate "ikev2-vpn",
> match: 1/1/28 (me/other/ike)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG] selected peer config
> 'ikev2-vpn'
Your server found a config that matches the request.
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] EAP-Identity request
> configured, but not supported
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] initiating EAP_MSCHAPV2 method
> (id 0x64)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] peer supports MOBIKE
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] authentication of
> '102.1*9.2**.***' (myself) with RSA signature successful
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] sending end entity cert
> "CN=102.1*9.2**.***"
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] generating IKE_AUTH response 1
> [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]

Your server sends out the answer. The CN= is also uncommon.
Perhaps the client cannot authenticate the server?


> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] splitting IKE message with
> length of 1936 bytes into 2 fragments
> Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] generating IKE_AUTH response 1 [
> EF(1/2) ]
> Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] generating IKE_AUTH response 1 [
> EF(2/2) ]
> Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from
> 102.1*9.2**.***[4500] to 154.77.***.**[4500] (1236 bytes)
> Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from
> 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
> Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT=
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
> DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP
> SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
> Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with
> 154.77.***.** after timeout


But gets no answer. So after the timeout the server deletes the
half-open session.


Please check on the client why it does not answer the packet. Are there
logs on the client? Perhaps the auth methods are not accepted. Does the
client get this packet at all? Why does the client send a packet on port
tcp/443 that is dropped by the firewall of the server?

Perhaps the client wants authentication with certificates but the CA is
not installed on the VPN server?


> Feb 19 02:13:28 VM-e2b7 charon: 13[CFG] proposing traffic selectors for us:
> Feb 19 02:13:28 VM-e2b7 charon: 13[CFG]  0.0.0.0/0
> Feb 19 02:13:28 VM-e2b7 charon: 13[CFG] proposing traffic selectors for
> other:
> Feb 19 02:13:28 VM-e2b7 charon: 13[CFG]  dynamic
>
> Please assist with this. I am almost there.
>
> Thanks in advance.
>
> regards,
> Moses K
>

Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
 
Sitz der Gesellsc

Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-18 Thread Kostya Vasilyev
Looks like the connection is "almost there" but gets blocked by your firewall 
(UFW)

Very end of your log:

Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 
102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= 
MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** 
DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP 
SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with 
154.77.***.** after timeout

1 - 02:10:01 - strongSwan sends a packet to client

3 - 02:10:30 - there is no response from client in 30 seconds, the SA is deleted

2 - 02:10:01 - something coming from client IP and going to server IP was 
blocked by the firewall

FWIW, these are my UFW rules on the strongSwan server:

ufw allow in from 89.0.0.1 proto gre
ufw allow in from 89.0.0.1 proto ah
ufw allow in from 89.0.0.1 proto esp
ufw allow in proto udp from 89.0.0.1 port 500
ufw allow in proto udp from 89.0.0.1 port 4500

where 89.0.0.1 is the client's address.

My tunnel is for GRE, not sure if yours is - if not you won't need the "proto 
gre" rule but I think you'll need another rule to allow *your* traffic.

You could also try a "broad" rule allowing anything and everything from the 
client's IP (and tighten it later):

ufw allow in from client_ip_here

--

Kostya Vasilyev
k...@fastmail.com



On Tue, Feb 19, 2019, at 2:43 AM, MOSES KARIUKI wrote:
> Dear Team,
> 
> I have been having long days trying to configure Strongswan on Ubuntu 18.04. 
> I am not able to connect to the VPN from Windows 10 client, after following 
> the instructions on this link : 
> https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2
> and setting up windows for modp_2048 following these instructions here :
> https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048
> 
> See below my settings
> 
> **ipsec statusall**
> Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic, 
> x86_64):
>   uptime: 45 minutes, since Feb 19 01:27:59 2019
>   malloc: sbrk 2568192, mmap 0, used 664784, free 1903408
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
> scheduled: 0
>   loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce 
> x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey 
> pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve 
> socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
> Virtual IP pools (size/online/offline):
>   10.10.10.0/24: 254/0/0
> Listening IP addresses:
>   102.1*9.2**.***
> Connections:
>    ikev2-vpn:  %any...%any  IKEv2, dpddelay=300s
>    ikev2-vpn:   local:  [102.1*9.2**.***] uses public key authentication
>    ikev2-vpn:    cert:  "CN=102.1*9.2**.***"
>    ikev2-vpn:   remote: uses EAP_MSCHAPV2 authentication with EAP identity 
> '%any'
>    ikev2-vpn:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
> Security Associations (0 up, 0 connecting):
>   none
> 
> **vi /etc/ipsec.conf**
> config setup
>     charondebug="ike 1, knl 1, cfg 2"
>     uniqueids=no
> 
> conn ikev2-vpn
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     fragmentation=yes
>     forceencaps=yes
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftid=102.1*9.2**.***
>     leftcert=server-cert.pem
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightid=%any
>     rightauth=eap-mschapv2
>     rightsourceip=10.10.10.0/24
>     rightdns=8.8.8.8,8.8.4.4
>     rightsendcert=never
>     eap_identity=%identity
>     ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048
>     esp=aes256-sha256,aes256-sha1,3des-sha1,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048
> 
> Below is the log :
> 
> Feb 19 02:10:00 VM-e2b7 charon: 07[NET] received packet: from 
> 154.77.***.**[500] to 102.1*9.2**.***[500] (632 bytes)
> Feb 19 02:10:00 VM-e2b7 charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE 
> No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 11[CFG] configured proposals: 
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, 
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
> 
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 11[CFG] selected proposal: 
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 11[IKE] remote host is behind NAT
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 11[ENC] generating IKE_SA_INIT response 
> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 11[NET] sending packet: 
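
The reading of the log given above (server sends, firewall drops something from the client, half-open IKE_SA deleted after the timeout), and Michael's inline walk-through earlier in the thread, can be turned into a small correlation script. The following is an added Python example, not code from this thread or from strongSwan: it scans syslog-style charon and kernel lines, and for every "deleting half open IKE_SA ... after timeout" event reports how many packets charon sent to that peer and which protocol/port the firewall dropped from that peer inside a time window. The log lines are constructed after the ones quoted in the thread, with the documentation addresses 203.0.113.10 (server) and 198.51.100.7 (client) in place of the masked real ones.

```python
"""Correlate strongSwan and UFW log lines around a 'deleting half open
IKE_SA ... after timeout' event: for each timeout, count what charon sent
to that peer and what the firewall dropped *from* that peer shortly before.

Added example, not code from the strongSwan list thread. The log lines
below are constructed after the ones quoted in the thread, with the
documentation addresses 203.0.113.10 (server) and 198.51.100.7 (client)
standing in for the masked real addresses.
"""
import re
from datetime import datetime

# Constructed sample log (syslog format). The 02:09:50 line is unrelated
# scanner noise from a third host and must not be attributed to the peer.
SAMPLE_LOG = """\
Feb 19 02:09:50 VM-e2b7 kernel: [ 2532.001000] [UFW BLOCK] IN=ens3 OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=192.0.2.99 DST=203.0.113.10 LEN=40 TOS=0x08 PREC=0x40 TTL=239 ID=12005 PROTO=TCP SPT=50816 DPT=50802 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 203.0.113.10[4500] to 198.51.100.7[4500] (1236 bytes)
Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 203.0.113.10[4500] to 198.51.100.7[4500] (772 bytes)
Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with 198.51.100.7 after timeout
""".splitlines()

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")
SEND_RE = re.compile(r"charon: \d+\[NET\] sending packet: from (\S+)\[\d+\] to (\S+)\[\d+\]")
BLOCK_RE = re.compile(r"\[UFW BLOCK\].*? SRC=(\S+) DST=(\S+).*? PROTO=(\S+)(?: SPT=(\d+))?(?: DPT=(\d+))?")
TIMEOUT_RE = re.compile(r"charon: \d+\[JOB\] deleting half open IKE_SA with (\S+) after timeout")


def parse_ts(line):
    """Syslog timestamp without a year; good enough for deltas within one log."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S") if m else None


def _within(now, then, window_s):
    """True if 'then' lies at most window_s seconds before 'now'."""
    return 0 <= (now - then).total_seconds() <= window_s


def correlate(lines, window_s=60):
    """For every half-open timeout, summarise the peer's recent activity."""
    sends, blocks, findings = [], [], []
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        m = SEND_RE.search(line)
        if m:
            sends.append((ts, m.group(2)))  # (time, destination)
            continue
        m = BLOCK_RE.search(line)
        if m:
            blocks.append((ts, m.group(1), m.group(3), m.group(5)))  # (time, src, proto, dpt)
            continue
        m = TIMEOUT_RE.search(line)
        if m:
            peer = m.group(1)
            findings.append({
                "peer": peer,
                "timeout_at": ts.strftime("%b %d %H:%M:%S"),
                "packets_sent_to_peer": sum(
                    1 for t, dst in sends if dst == peer and _within(ts, t, window_s)),
                "blocked_from_peer": sorted({
                    (proto, dpt) for t, src, proto, dpt in blocks
                    if src == peer and _within(ts, t, window_s)}),
            })
    return findings


def describe(finding):
    """One-line verdict in the spirit of the thread's 1-3-2 reading of the log."""
    blocked = ", ".join("%s/%s" % (p, d) for p, d in finding["blocked_from_peer"]) or "nothing"
    return ("%s: %d packet(s) sent to %s, firewall dropped %s from it, then timeout"
            % (finding["timeout_at"], finding["packets_sent_to_peer"], finding["peer"], blocked))


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(describe(finding))
```

On a live server, feed it `journalctl -k -u strongswan --no-pager -o short` output or the relevant syslog file (exact unit and file names depend on the distribution and are assumed here). A peer that shows up with dropped TCP traffic right before its timeout is a candidate for the CRL/chain-fetch explanation discussed above; a peer with no drops at all points instead at the client side (auth method, certificate trust) as Michael suggested.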

Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-18 Thread Tom Rymes
Moses,

While I cannot speak to your specific issue here, you should likely look into 
using PowerShell to modify the Windows VPN parameters to use more robust 
encryption, as it provides many more options:

https://docs.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps

Tom

> On Feb 18, 2019, at 6:43 PM, MOSES KARIUKI  wrote:
> 
> Dear Team,
> 
> I have been having long days trying to configure Strongswan on Ubuntu 18.04. 
> I am not able to connect to the VPN from Windows 10 client, after following 
> the instructions on this link : 
> https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2
> and setting up windows for modp_2048 following these instructions here :
> https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048
> 
> See below my settings
> 
> ipsec statusall
> Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic, 
> x86_64):
>   uptime: 45 minutes, since Feb 19 01:27:59 2019
>   malloc: sbrk 2568192, mmap 0, used 664784, free 1903408
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
> scheduled: 0
>   loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce 
> x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey 
> pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve 
> socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
> Virtual IP pools (size/online/offline):
>   10.10.10.0/24: 254/0/0
> Listening IP addresses:
>   102.1*9.2**.***
> Connections:
>    ikev2-vpn:  %any...%any  IKEv2, dpddelay=300s
>    ikev2-vpn:   local:  [102.1*9.2**.***] uses public key authentication
>    ikev2-vpn:    cert:  "CN=102.1*9.2**.***"
>    ikev2-vpn:   remote: uses EAP_MSCHAPV2 authentication with EAP identity 
> '%any'
>    ikev2-vpn:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
> Security Associations (0 up, 0 connecting):
>   none
> 
> vi /etc/ipsec.conf
> config setup
>     charondebug="ike 1, knl 1, cfg 2"
>     uniqueids=no
> 
> conn ikev2-vpn
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     fragmentation=yes
>     forceencaps=yes
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftid=102.1*9.2**.***
>     leftcert=server-cert.pem
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightid=%any
>     rightauth=eap-mschapv2
>     rightsourceip=10.10.10.0/24
>     rightdns=8.8.8.8,8.8.4.4
>     rightsendcert=never
>     eap_identity=%identity
>     ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048
>     esp=aes256-sha256,aes256-sha1,3des-sha1,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048
> 
> Below is the log :
> 
> Feb 19 02:10:00 VM-e2b7 charon: 07[NET] received packet: from 
> 154.77.***.**[500] to 102.1*9.2**.***[500] (632 bytes)
> Feb 19 02:10:00 VM-e2b7 charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE 
> No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 11[CFG] configured proposals: 
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, 
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
> 
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 11[CFG] selected proposal: 
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 11[IKE] remote host is behind NAT
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 11[ENC] generating IKE_SA_INIT response 
> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 11[NET] sending packet: from 
> 102.1*9.2**.***[500] to 154.77.***.**[500] (448 bytes)
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[NET] received packet: from 
> 154.77.***.**[4500] to 102.1*9.2**.***[4500] (580 bytes)
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[ENC] parsed IKE_AUTH request 1 [ 
> EF(1/3) ]
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[ENC] received fragment #1 of 3, 
> waiting for complete IKE message
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[NET] received packet: from 
> 154.77.***.**[4500] to 102.1*9.2**.***[4500] (532 bytes)
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[ENC] parsed IKE_AUTH request 1 [ 
> EF(3/3) ]
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[ENC] received fragment #3 of 3, 
> waiting for complete IKE message
> Feb 19 02:10:00 VM-e2b7 charon: 07[CFG] looking for an ike config for 
> 102.1*9.2**.***...154.77.***.**
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[NET] received packet: from 
> 154.77.***.**[4500] to 102.1*9.2**.***[4500] (580 bytes)
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[ENC] parsed IKE_AUTH request 1 [ 
> EF(2/3) ]
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[ENC] received fragment #2 of 3, 
> reassembling fragmented IKE message