Re: ikev2 between openbsd and windows

2012-05-31 Thread Peter J. Philipp
On Tue, May 29, 2012 at 01:55:45PM +0200, Mike Belopuhov wrote:
 On Wed, May 16, 2012 at 17:30 +0400, Pavel Shvagirev wrote:
  2. Doesn't work EAP mode - Windows stops on Checking username and
  password error. Then #13803, 1931...
 
 Hi,
 
 Just to mention it for those not following source-changes@
 that there was a bug in the message ID handling that prevented
 EAP from working correctly.  The fix was committed on Friday.
 
 Cheers,
 Mike

Hi,

I still can't get it to work.  I made two screenshots they are here:

http://ipv4.goldflipper.net/private/iked-eap1.jpg

and

http://ipv4.goldflipper.net/private/iked-eap2.jpg

My iked config looks like this:

ikev2 win7 passive esp \
from 172.16.20.0/24 to 0.0.0.0/0 local any peer any \
srcid 10.0.0.1 \
eap mschap-v2 \
config address 172.16.20.1 \
config name-server 212.18.3.5 \
tag $name-$id

I installed the iked from the -current source on top of the 5.0 binary 
I believe these are the right ones because I see your recent timestamp
in them:

ikev2_msg.c:/*  $OpenBSD: ikev2_msg.c,v 1.15 2012/05/30 09:18:14 mikeb Exp $

Any hint on what I'm doing wrong?  Sorry the screenshots are in german,
Fehler 13843 is Error 13843.  I googled for that but wasn't any wiser after.

Regards,
-peter



Re: ikev2 between openbsd and windows

2012-05-31 Thread Mike Belopuhov
On Thu, May 31, 2012 at 12:18 +0200, Peter J. Philipp wrote:
 On Tue, May 29, 2012 at 01:55:45PM +0200, Mike Belopuhov wrote:
  On Wed, May 16, 2012 at 17:30 +0400, Pavel Shvagirev wrote:
   2. Doesn't work EAP mode - Windows stops on Checking username and
   password error. Then #13803, 1931...
  
  Hi,
  
  Just to mention it for those not following source-changes@
  that there was a bug in the message ID handling that prevented
  EAP from working correctly.  The fix was committed on Friday.
  
  Cheers,
  Mike
 
 Hi,
 
 I still can't get it to work.  I made two screenshots they are here:
 
 http://ipv4.goldflipper.net/private/iked-eap1.jpg
 
 and
 
 http://ipv4.goldflipper.net/private/iked-eap2.jpg
 
 My iked config looks like this:
 

do you have a user specification in your iked.conf?
which user are you trying to authenticate as?
user specification occupies a separate line and looks
like this:

user username password

iked can't consult the local password database or radius
or any other authentication service at the moment except
this internal database.

also, have you tried w/o mschap? you need to select the
"Computerzertifikate verwenden" (use computer certificates) radio
button to turn eap off.

 ikev2 win7 passive esp \
 from 172.16.20.0/24 to 0.0.0.0/0 local any peer any \
 srcid 10.0.0.1 \
 eap mschap-v2 \
 config address 172.16.20.1 \
 config name-server 212.18.3.5 \
 tag $name-$id
 

looks fine except for the missing user specification.
i'd ditch the tag though as i didn't test it but it shouldn't
affect anything.

 I installed the iked from the -current source on top of the 5.0 binary 
 I believe these are the right ones because I see your recent timestamp
 in them:
 
 ikev2_msg.c:/*  $OpenBSD: ikev2_msg.c,v 1.15 2012/05/30 09:18:14 mikeb Exp $
 
 Any hint on what I'm doing wrong?  Sorry the screenshots are in german,
 Fehler 13843 is Error 13843.  I googled for that but wasn't any wiser after.
 
 Regards,
 -peter



Re: ikev2 between openbsd and windows

2012-05-31 Thread Peter J. Philipp
On Thu, May 31, 2012 at 12:28:47PM +0200, Mike Belopuhov wrote:
  My iked config looks like this:
  
 
 do you have a user specification in your iked.conf?
 which user are you trying to authenticate as?
 user specification occupies a separate line and looks
 like that:
 
 user username password
 
 iked can't consult the local password database or radius
 or any other authentication service at the moment except
 this internal database.

Yes I do have a user entry, right at the top.  I didn't think posting
it was a good idea.

 also, have you tried w/o mschap? you need to select the
 Computerzertifikate verwenden radio button to turn eap off.

I tried that but it had an error, which made me want to try EAP again.

  ikev2 win7 passive esp \
  from 172.16.20.0/24 to 0.0.0.0/0 local any peer any \
  srcid 10.0.0.1 \
  eap mschap-v2 \
  config address 172.16.20.1 \
  config name-server 212.18.3.5 \
  tag $name-$id
  
 
 looks fine except of absent of the user specification.
 i'd ditch the tag though as i didn't test it but it shouldn't
 affect anything.

Hmm.  What to do... Any hint on how to debug this best?

-peter



Re: ikev2 between openbsd and windows

2012-05-31 Thread Mike Belopuhov
On Thu, May 31, 2012 at 12:47 +0200, Peter J. Philipp wrote:
 On Thu, May 31, 2012 at 12:28:47PM +0200, Mike Belopuhov wrote:
   My iked config looks like this:
   
  
  do you have a user specification in your iked.conf?
  which user are you trying to authenticate as?
  user specification occupies a separate line and looks
  like that:
  
  user username password
  
  iked can't consult the local password database or radius
  or any other authentication service at the moment except
  this internal database.
 
 Yes I do have a user entry, right at the top.  I didn't think posting
 it was a good idea.
 
  also, have you tried w/o mschap? you need to select the
  Computerzertifikate verwenden radio button to turn eap off.
 
 I tried that but it had an error, which made me want to try EAP again.
 
   ikev2 win7 passive esp \
   from 172.16.20.0/24 to 0.0.0.0/0 local any peer any \
   srcid 10.0.0.1 \
   eap mschap-v2 \
   config address 172.16.20.1 \
   config name-server 212.18.3.5 \
   tag $name-$id
   
  
  looks fine except of absent of the user specification.
  i'd ditch the tag though as i didn't test it but it shouldn't
  affect anything.
 
 Hmm.  What to do... Any hint on how to debug this best?
 

try to verify that certificates are installed correctly on windows
and are valid.  make sure you didn't install them by doubleclicking
(as i initially wrote) but imported them via mmc into the right
section (under "Computerkonto", the computer account).

try to change "to 0.0.0.0/0" to something like "to 10.50.0.1",
where you can assign 10.50.0.1 to lo1.

make sure that certificates were created by commands like:

 ikectl ca CA certificate 10.0.0.1 create

and the host using an FQDN.  srcid must match that, otherwise windows
refuses to connect.

and at last, please provide the output from iked -dvv.

cheers,
mike



Re: ikev2 between openbsd and windows

2012-05-31 Thread Mike Belopuhov
On Thu, May 31, 2012 at 12:18 +0200, Peter J. Philipp wrote:
 My iked config looks like this:
 
 ikev2 win7 passive esp \
 from 172.16.20.0/24 to 0.0.0.0/0 local any peer any \
 srcid 10.0.0.1 \
 eap mschap-v2 \
 config address 172.16.20.1 \
 config name-server 212.18.3.5 \
 tag $name-$id
 

i've just realised you made a mistake by exchanging from and
to specifications.  the correct way is:

from 0.0.0.0/0 to 172.16.20.0/24 local any peer any \

it should always read "I provide access from a network behind
MYSELF to a network behind my PEER" regardless of whether you
initiate or respond.  in other words, just like in ipsec.conf.



Re: ikev2 between openbsd and windows

2012-05-29 Thread Mike Belopuhov
On Wed, May 16, 2012 at 17:30 +0400, Pavel Shvagirev wrote:
 2. Doesn't work EAP mode - Windows stops on Checking username and
 password error. Then #13803, 1931...

Hi,

Just to mention it for those not following source-changes@
that there was a bug in the message ID handling that prevented
EAP from working correctly.  The fix was committed on Friday.

Cheers,
Mike



Re: ikev2 between openbsd and windows

2012-05-16 Thread Pavel Shvagirev
Thank you very much for the detailed reply. It helped a lot, though I
have something to add.

 6) Transfer 10.5.0.1.zip to the Windows host and load the certificates
by doubleclicking on them.
You should not import the cert by doubleclicking on it - it will import
to the current user's facility instead of a local computer. That will
cause a 13806 error message telling that there is no appropriate computer
certificate etc. MMC and the local computer account switch should be
used instead.

 7) Configure iked to do RSA auth w/o EAP (for the start):

 ikev2 win7 passive esp \
 from 192.168.0.0/24 to 192.168.1.0/24 local any peer any \
 srcid 10.1.0.1 \
 config address 192.168.1.100 \
 config name-server 192.168.0.1

Here, 192.168.0.0/24 is a network client is getting access to,
192.168.1.0/24 is a DHCP-like network from which client is
getting an ip address (192.168.1.100 specifically).  Please
note, that the code to turn this awkwardness into real (DHCP-like)
address pool specification is not written yet.  Note that srcid
has to match the host that the certificate is issued to, otherwise
windows will refuse to connect. 

Once you do that you can load iked and see that it hooks up the
server certificate (in the iked -dvv output that is).
This is the most intriguing part :)

   ikev2 win7 esp \
   from 172.16.2.0/24 to 0.0.0.0/0 \
   peer 10.0.0.0/8 local 192.168.56.0/24 \
   eap mschap-v2 \
   config address 172.16.2.1 \
   tag $name-$id

This example is from the man page. `config address' is in the range of
`from source', not from the destination subnet. Are you sure it should be
like you said?

How do I manage the `DHCP-like' addresses? Is this address range where
the client should be granted an IP from OR is that a client's local
private network? I found that dhcpd cannot run on enc0 interface. How do
you manage that?

Now the negotiation seems to be complete but still the connection can
not be established due to various reasons:

1. Windows side stops on error #31 Attached device is not working
properly (looks like a Windows problem though). Have you seen that?

2. Doesn't work EAP mode - Windows stops on Checking username and
password error. Then #13803, 1931...

 If someone thinks that this might be turned into some sort of a
 howto or FAQ entry or whatever, please feel free to reuse any
 piece of text.  Attribution is welcomed but not required.
Your instructions really did the trick - I got rid of those annoying
troubles that were caused by strictly following the manuals... I think
it should have been written in more detail, covering in detail _every_
network part (with its role) that participate in the negotiation. 'cause
sometimes it has contradicting points. Probably it is a matter of
individual perception, nevertheless I had what I had as well as tons of
others struggling with that in mail lists across the web =)

Thanks.

-- 
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev



Re: ikev2 between openbsd and windows

2012-05-16 Thread Mike Belopuhov
On Wed, May 16, 2012 at 17:30 +0400, Pavel Shvagirev wrote:
 
 Thank you very much for the detailed reply. It helped a lot, though I
 have something to add.
 
  6) Transfer 10.5.0.1.zip to the Windows host and load the certificates
 by doubleclicking on them.
 You should not import the cert by doubleclicking on it - it will import
 to the current user's facility instead of a local computer. That will
 cause a 13806 error message telling that there is no appropriate computer
 certificate etc. MMC and the local computer account switch should be
 used instead.
 

Yes, I admit I have just tested the possibility of installing
certificates and hoped that user certs will work just fine.
We have a tool to do the right thing automatically, so I didn't
bother to test this part.  Shame on me (:

  7) Configure iked to do RSA auth w/o EAP (for the start):
 
  ikev2 win7 passive esp \
  from 192.168.0.0/24 to 192.168.1.0/24 local any peer any \
  srcid 10.1.0.1 \
  config address 192.168.1.100 \
  config name-server 192.168.0.1
 
 Here, 192.168.0.0/24 is a network client is getting access to,
 192.168.1.0/24 is a DHCP-like network from which client is
 getting an ip address (192.168.1.100 specifically).  Please
 note, that the code to turn this awkwardness into real (DHCP-like)
 address pool specification is not written yet.  Note that srcid
 has to match the host that the certificate is issued to, otherwise
 windows will refuse to connect. 
 
 Once you do that you can load iked and see that it hooks up the
 server certificate (in the iked -dvv output that is).
 This is the most intriguing part :)
 
ikev2 win7 esp \
from 172.16.2.0/24 to 0.0.0.0/0 \
peer 10.0.0.0/8 local 192.168.56.0/24 \
eap mschap-v2 \
config address 172.16.2.1 \
tag $name-$id
 
 This example is from the man page. `config address' is in the range of
 `from source', not from the destination subnet. Are you sure it should be
 like you said?
 

Yes, I'm sure.  The syntax was changing over time but in the end the
from network is always the network behind the host running iked
regardless of whether it's initiator or responder.  Here's a config
I use at the moment for my testing:

ikev2 win7 passive esp \
   from 10.1.0.2 to 10.1.0.5 local any peer any \
   srcid 172.23.55.126 \
   config address 10.1.0.5 \
   config name-server 10.1.0.2

10.1.0.2 is configured as ifconfig lo1 10.1.0.2/24 on openbsd.

Man page should be updated.

 How do I manage the `DHCP-like' addresses? Is this address range where
 the client should be granted an IP from OR is that a client's local
 private network? I found that dhcpd cannot run on enc0 interface. How do
 you manage that?
 

No, DHCP is NOT involved at all. IKEv2 does it itself. I said that you
can only configure one IP address per ikev2 rule atm and the address
pool code is not written (but it should/will be).

 Now the negotiation seems to be complete but still the connection can
 not be established due to various reasons:
 
 1. Windows side stops on error #31 Attached device is not working
 properly (looks like a Windows problem though). Have you seen that?
 

Nope.

 2. Doesn't work EAP mode - Windows stops on Checking username and
 password error. Then #13803, 1931...
 

Well, as I said, try certificates first.  Disable EAP.

  If someone thinks that this might be turned into some sort of a
  howto or FAQ entry or whatever, please feel free to reuse any
  piece of text.  Attribution is welcomed but not required.
 Your instructions really did the trick - I got rid of those annoying
 troubles that were caused by strictly following the manuals... I think
 it should have been written in more detail, covering in detail _every_
 network part (with its role) that participate in the negotiation. 'cause
 sometimes it has contradicting points. Probably it is a matter of
 individual perception, nevertheless I had what I had as well as tons of
 others struggling with that in mail lists across the web =)
 

Everyone is encouraged to contribute to this thread so that we can
work out an unambiguous instruction.

 Thanks.
 
 -- 
 Best regards,
 Pavel Shvagirev
 skype: pavel.shvagirev



Re: ikev2 between openbsd and windows

2012-05-16 Thread Peter J. Philipp
On Mon, May 14, 2012 at 12:53:34PM +0200, Mike Belopuhov wrote:
 4) Install the server certificate on the server:
 
ikectl ca vpn certificate 10.1.0.1 install
 
 5) To export the client certificate in a ZIP'ed PFX format, you need
to install zip utility (pkg_add -i zip).
 
ikectl ca vpn certificate 10.5.0.1 export
 

Does the .tgz file need to be extracted at all on the server?  I've tried
and tried for too long and my certificates are out of sync I think, is there
a command to delete everything and just keep the original blank iked structure
so that one can start over without old certificates in the way?

 6) Transfer 10.5.0.1.zip to the Windows host and load the certificates
by doubleclicking on them.  Make sure that certificates are valid
in the MMC Certificates Snap-In.

This gave me a huge headache.  I tried using MMC (as administrator and other
user) but my vpn client stayed at 13806 error.  Perhaps VPN wasn't meant for 
people like me. 

 7) Configure iked to do RSA auth w/o EAP (for the start):
 
 ikev2 win7 passive esp \
 from 192.168.0.0/24 to 192.168.1.0/24 local any peer any \
 srcid 10.1.0.1 \
 config address 192.168.1.100 \
 config name-server 192.168.0.1
 
Here, 192.168.0.0/24 is a network client is getting access to,
192.168.1.0/24 is a DHCP-like network from which client is
getting an ip address (192.168.1.100 specifically).  Please
note, that the code to turn this awkwardness into real (DHCP-like)
address pool specification is not written yet.  Note that srcid
has to match the host that the certificate is issued to, otherwise
windows will refuse to connect. 
 
Once you do that you can load iked and see that it hooks up the
server certificate (in the iked -dvv output that is).
 
 7) Now on the windows box, go to the Network Connections Center
and create an IKEv2 VPN connection with the client.  Make sure
to check the Certificate radio button on the Security tab in
the connection properties, so that you won't do EAP.
 
 8) Start the connection.
 
 9) Profit!!!
 
 PS.
 
 If someone thinks that this might be turned into some sort of a
 howto or FAQ entry or whatever, please feel free to reuse any
 piece of text.  Attribution is welcomed but not required.

Would love to write something if it worked considering I've struck out
so many times with this.

-peter



Re: ikev2 between openbsd and windows

2012-05-16 Thread Mike Belopuhov
On Wed, May 16, 2012 at 10:00 PM, Peter J. Philipp p...@centroid.eu wrote:
 On Mon, May 14, 2012 at 12:53:34PM +0200, Mike Belopuhov wrote:
 4) Install the server certificate on the server:

ikectl ca vpn certificate 10.1.0.1 install

 5) To export the client certificate in a ZIP'ed PFX format, you need
to install zip utility (pkg_add -i zip).

ikectl ca vpn certificate 10.5.0.1 export


 Does the .tgz file need to be extracted at all on the server?

On the server? No. For the server certificate you just do the install.

 I've tried and tried for too long and my certificates are out of sync
 I think, is there a command to delete everything and just keep the
 original blank iked structure so that one can start over without old
 certificates in the way?


I guess you can do ikectl ca vpn delete and that should remove most
of the stuff that gets in the way.

 6) Transfer 10.5.0.1.zip to the Windows host and load the certificates
by doubleclicking on them.  Make sure that certificates are valid
in the MMC Certificates Snap-In.

 This gave me a huge headache.  I tried using MMC (as administrator and
 other user) but my vpn client stayed at 13806 error.  Perhaps VPN
 wasn't meant for people like me.


As Pavel described, you shouldn't doubleclick as I said because
then windows will install it to the user certificates. Quoting Pavel:
MMC and the local computer account switch should be used
instead.   I believe he refers to the Certificates snap-in.  It asks
you this question when you add it to the MMC.



Re: ikev2 between openbsd and windows

2012-05-14 Thread Mike Belopuhov
On Fri, May 11, 2012 at 20:39 +0400, Pavel Shvagirev wrote:
 Hi everyone.
 
 Trying to build ikev2 vpn between openbsd 5.1 and windows 7 via
 certificates. Windows stops at #13843 error message - Invalid payload
 received. Iked -vd output has a 'sa_state: VALID - ESTABLISHED'
 meaning that 2nd phase is ok but just before that line I have:
 
 ca_getreq: no valid local certificate found
 
 What local cert does it mean? 'ikectl show ca certificates' output is ok
 - it returns all the certs that I have installed/exported/imported on
 windows side
 
 Did install both obsd's and win7's certificates like
 
 ikectl ca caname certificate openbsdmachine create | install | export
 ikectl ca caname certificate win7machine create | install | export
 
 - just like it's said in the man page.
 
 Google has just one link for that query - openbsd sources =)
 
 -- 
 Best regards,
 Pavel Shvagirev
 skype: pavel.shvagirev
 

OK, this is how you do it.  First of all, fun facts about Windows 7
[simple VPN client]:

0) It CANNOT do PSK;
1) It REQUIRES certificates regardless of whether you want to do EAP
   or not;
2) It has TWO ipsec clients and both(?) can do IKEv2, but these
   instructions are for the simple one found in the Network
   Connections Center (or whatever it's called).
3) You need to supply windows with two certificates: one for CA,
   one for the server.

Also please make sure that the time on the CA is somewhat sensible
from the clients point of view, so that certificates won't be invalid
because your time is not synchronized.

To setup a CA on the same host as iked do the following:

1) Copy the template /usr/src/usr.sbin/ikectl/ikeca.cnf to /etc/ssl
   and edit as appropriate;

2) Create and install CA certificate:

   ikectl ca vpn create
   ikectl ca vpn install

3) Create certificates for the server and clients.  Make sure that
   host specification matches the SourceID specification in iked.conf.
   You can use IP addresses, but iked defaults to FQDN/hostname.

   ikectl ca vpn certificate 10.1.0.1 create  # server
   ikectl ca vpn certificate 10.5.0.1 create  # host

4) Install the server certificate on the server:

   ikectl ca vpn certificate 10.1.0.1 install

5) To export the client certificate in a ZIP'ed PFX format, you need
   to install zip utility (pkg_add -i zip).

   ikectl ca vpn certificate 10.5.0.1 export

6) Transfer 10.5.0.1.zip to the Windows host and load the certificates
   by doubleclicking on them.  Make sure that certificates are valid
   in the MMC Certificates Snap-In.

7) Configure iked to do RSA auth w/o EAP (for the start):

ikev2 win7 passive esp \
from 192.168.0.0/24 to 192.168.1.0/24 local any peer any \
srcid 10.1.0.1 \
config address 192.168.1.100 \
config name-server 192.168.0.1

   Here, 192.168.0.0/24 is a network client is getting access to,
   192.168.1.0/24 is a DHCP-like network from which client is
   getting an ip address (192.168.1.100 specifically).  Please
   note, that the code to turn this awkwardness into real (DHCP-like)
   address pool specification is not written yet.  Note that srcid
   has to match the host that the certificate is issued to, otherwise
   windows will refuse to connect. 

   Once you do that you can load iked and see that it hooks up the
   server certificate (in the iked -dvv output that is).

8) Now on the windows box, go to the Network Connections Center
   and create an IKEv2 VPN connection with the client.  Make sure
   to check the Certificate radio button on the Security tab in
   the connection properties, so that you won't do EAP.

9) Start the connection.

10) Profit!!!

PS.

If someone thinks that this might be turned into some sort of a
howto or FAQ entry or whatever, please feel free to reuse any
piece of text.  Attribution is welcomed but not required.
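The step list above (CA, server and client certificates, the iked rule) and Mike's 2012-05-31 follow-up on the from/to orientation, folded into one shell script. This is added example code written for this page, not code from the thread or from OpenBSD; it runs in dry-run mode by default so nothing is executed on a machine without ikectl. Everything concrete in it is an assumption: the CA name "vpn", server id 10.1.0.1, client id 10.5.0.1, the network 192.168.0.0/24 behind iked, the single address 192.168.1.100 handed to the client, the name server 192.168.0.1, and the placeholder EAP user "alice". The point it makes in code is that the host name the server certificate is created for and the srcid in iked.conf come from one variable, so they cannot drift apart, and that a rule with the client address on the from side is rejected before it reaches iked.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenBSD): the ikectl steps and
# the iked.conf rule from Mike's howto, with the certificate host name and
# the srcid taken from ONE variable so they cannot drift apart.
# All names and addresses below are assumptions chosen for this example.

CA_NAME=${CA_NAME:-vpn}
SERVER_ID=${SERVER_ID:-10.1.0.1}          # cert subject AND srcid
CLIENT_ID=${CLIENT_ID:-10.5.0.1}          # cert subject of the Windows client
LOCAL_NET=${LOCAL_NET:-192.168.0.0/24}    # network behind iked ("from")
CLIENT_ADDR=${CLIENT_ADDR:-192.168.1.100} # address iked assigns ("to")
NAME_SERVER=${NAME_SERVER:-192.168.0.1}
EAP_USER=${EAP_USER:-alice}               # placeholder EAP credentials
EAP_PASS=${EAP_PASS:-s3cret}
DRY_RUN=${DRY_RUN:-1}                     # 1 = print commands, 0 = run them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Steps 2-5: CA, server certificate (installed locally), client
# certificate (exported as a ZIP'ed PFX for the Windows machine store).
setup_certs() {
    run ikectl ca "$CA_NAME" create
    run ikectl ca "$CA_NAME" install
    run ikectl ca "$CA_NAME" certificate "$SERVER_ID" create
    run ikectl ca "$CA_NAME" certificate "$SERVER_ID" install
    run ikectl ca "$CA_NAME" certificate "$CLIENT_ID" create
    run ikectl ca "$CA_NAME" certificate "$CLIENT_ID" export
}

# Emit one ikev2 rule in the orientation the thread settles on: 'from' is
# the network behind the host running iked, 'to' is what the client gets,
# whether iked initiates or responds.  $1 is the rule name; $2 is "" for
# plain certificate auth or "eap mschap-v2", which also needs a user line
# (iked only consults this internal user database).
gen_iked_conf() {
    _name=$1
    _auth=$2
    if [ -n "$_auth" ]; then
        printf 'user %s %s\n' "$EAP_USER" "$EAP_PASS"
    fi
    printf 'ikev2 %s passive esp \\\n' "$_name"
    printf '\tfrom %s to %s local any peer any \\\n' "$LOCAL_NET" "$CLIENT_ADDR"
    printf '\tsrcid %s \\\n' "$SERVER_ID"
    if [ -n "$_auth" ]; then
        printf '\t%s \\\n' "$_auth"
    fi
    printf '\tconfig address %s \\\n' "$CLIENT_ADDR"
    printf '\tconfig name-server %s\n' "$NAME_SERVER"
}

# Check a rule text for the two mistakes the thread turns on: srcid must
# equal the host the server certificate was created for, and the assigned
# address must sit on the 'to' side, never on the 'from' side.
# Returns 0 when the rule passes, 1 otherwise.
check_conf() {
    _conf=$1
    printf '%s\n' "$_conf" | grep -qF "srcid $SERVER_ID " || return 1
    printf '%s\n' "$_conf" | grep -qF " to $CLIENT_ADDR " || return 1
    printf '%s\n' "$_conf" | grep -qF "from $CLIENT_ADDR " && return 1
    return 0
}

# Stand-alone run: print the ikectl commands and the certificate-only rule.
setup_certs
gen_iked_conf win7 ""
```

Run it as-is to see the commands and the rule; on the OpenBSD host set DRY_RUN=0 to actually execute ikectl, put the `gen_iked_conf` output into /etc/iked.conf, and confirm in `iked -dvv` that the server certificate is picked up before enabling EAP with `gen_iked_conf win7 "eap mschap-v2"`.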



ikev2 between openbsd and windows

2012-05-11 Thread Pavel Shvagirev
Hi everyone.

Trying to build ikev2 vpn between openbsd 5.1 and windows 7 via
certificates. Windows stops at #13843 error message - Invalid payload
received. Iked -vd output has a 'sa_state: VALID - ESTABLISHED'
meaning that 2nd phase is ok but just before that line I have:

ca_getreq: no valid local certificate found

What local cert does it mean? 'ikectl show ca certificates' output is ok
- it returns all the certs that I have installed/exported/imported on
windows side

Did install both obsd's and win7's certificates like

ikectl ca caname certificate openbsdmachine create | install | export
ikectl ca caname certificate win7machine create | install | export

- just like it's said in the man page.

Google has just one link for that query - openbsd sources =)

-- 
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev



Re: ikev2 between openbsd and windows

2012-05-11 Thread Wesley

Hi,

I took an entire week to try ikev2 between a win7 road warrior and an
OpenBSD 5.1 gateway.

All in following the man pages of ikectl, iked, and iked.conf.
It doesn't work for me... Bugs?

Perhaps, or rather certainly, because iked is not yet finished.
So I keep isakmpd and the GreenBowVPN.

Good luck getting it to work. ;-)

--
Wesley



On 2012-05-11 20:39, Pavel Shvagirev wrote:

Hi everyone.

Trying to build ikev2 vpn between openbsd 5.1 and windows 7 via
certificates. Windows stops at #13843 error message - Invalid payload
received. Iked -vd output has a 'sa_state: VALID - ESTABLISHED'
meaning that 2nd phase is ok but just before that line I have:

ca_getreq: no valid local certificate found

What local cert does it mean? 'ikectl show ca certificates' output is ok
- it returns all the certs that I have installed/exported/imported on
windows side

Did install both obsd's and win7's certificates like

ikectl ca caname certificate openbsdmachine create | install | export
ikectl ca caname certificate win7machine create | install | export

- just like it's said in the man page.

Google has just one link for that query - openbsd sources =)