Re: [strongSwan] Windows 2008 R2 to Linux connection issues

2015-03-10 Thread Rightler, Dwayne R.
That was it.  So simple it seems silly, but I don't know that I would have ever 
come across it myself.  Thanks!

-Original Message-
From: Martin Willi [mailto:mar...@strongswan.org] 
Sent: Tuesday, March 10, 2015 9:49 AM
To: Rightler, Dwayne R.
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Windows 2008 R2 to Linux connection issues

Hi,

> 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 13[NET] sending packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
> 17[KNL] WFP MM failure: 10.1.186.35/32 === 10.1.186.174/32, 0x3601, filterId 0

Have you disabled the IKEEXT Windows IKE service? The service must be disabled, 
as it binds to the same UDP ports and intercepts packets.

Regards
Martin

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] Windows 2008 R2 to Linux connection issues

2015-03-10 Thread Martin Willi
Hi,

> 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 13[NET] sending packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
> 17[KNL] WFP MM failure: 10.1.186.35/32 === 10.1.186.174/32, 0x3601, filterId 0

Have you disabled the IKEEXT Windows IKE service? The service must be
disabled, as it binds to the same UDP ports and intercepts packets.

Regards
Martin

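The check Martin asks for, as an added example that is not part of the thread or of the strongSwan project: from an elevated PowerShell prompt on the Windows peer, it reports the state of the IKEEXT service, shows which process currently owns UDP 500 and 4500 (parsed from `netstat -ano`), disables and stops IKEEXT, restarts strongSwan and re-checks the ports. It uses WMI instead of `Get-Service` property names that only exist in newer PowerShell, so it also runs on the PowerShell 2.0 shipped with Windows Server 2008 R2. The name `strongswan` for the charon-svc service is an assumption; use whatever name charon-svc was registered under.

```powershell
# Added example, not from the thread: make sure the built-in Windows IKE service
# (IKEEXT) is not competing with strongSwan's charon-svc for UDP 500/4500.
# Run in an elevated PowerShell prompt on the Windows strongSwan host.

$IkeService = 'IKEEXT'
# Assumption: the service name charon-svc was registered under. Adjust as needed.
$StrongSwanService = 'strongswan'

# WMI works on PowerShell 2.0 (Server 2008 R2) and exposes the start mode.
function Get-IkeServiceState {
    Get-WmiObject -Class Win32_Service -Filter "Name='$IkeService'" |
        Select-Object Name, State, StartMode
}

# Parse 'netstat -ano -p udp' and report which process owns the IKE/NAT-T ports.
# With IKEEXT running these are owned by an svchost.exe; with strongSwan they
# should belong to charon-svc.exe.
function Get-IkePortOwners {
    netstat -ano -p udp | ForEach-Object {
        if ($_ -match '^\s*UDP\s+(\S+):(500|4500)\s+\*:\*\s+(\d+)\s*$') {
            $ownerPid = [int]$Matches[3]
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                LocalAddress = $Matches[1]
                Port         = [int]$Matches[2]
                ProcessId    = $ownerPid
                ProcessName  = if ($proc) { $proc.ProcessName } else { 'unknown' }
            }
        }
    }
}

# Disable IKEEXT permanently and stop the running instance.
function Disable-IkeService {
    Set-Service -Name $IkeService -StartupType Disabled
    Stop-Service -Name $IkeService -Force -ErrorAction SilentlyContinue
    Get-IkeServiceState
}

'--- IKEEXT before ---'
Get-IkeServiceState | Format-Table -AutoSize
'--- UDP 500/4500 owners before ---'
Get-IkePortOwners | Format-Table LocalAddress, Port, ProcessId, ProcessName -AutoSize

'--- disabling IKEEXT ---'
Disable-IkeService | Format-Table -AutoSize

# charon-svc only gets the sockets if it is started after IKEEXT has let go of them.
Restart-Service -Name $StrongSwanService -ErrorAction SilentlyContinue

'--- UDP 500/4500 owners after ---'
Get-IkePortOwners | Format-Table LocalAddress, Port, ProcessId, ProcessName -AutoSize
```

One caveat: stopping IKEEXT turns off the native Windows IPsec implementation on that host (connection security rules in Windows Firewall with Advanced Security and the built-in L2TP/IPsec and IKEv2 VPN client), so this is appropriate only where strongSwan is meant to be the sole IKE daemon on the machine.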


[strongSwan] Windows 2008 R2 to Linux connection issues

2015-03-10 Thread Rightler, Dwayne R.
Windows firewall is off, IPTables is allowing connections.  I would hope it's a 
simple configuration issue, but I can't put my finger on it.  Connections from 
linux to linux work.  Any help would be appreciated.

Windows side: Swanctl.conf

connections {
    host-to-host {
        local_addrs  = 10.1.186.35
        remote_addrs = 10.1.186.174

        local {
            auth = pubkey
            certs = stl-dfusapp-80.crt
            id = "C=US,ST=Missouri,O=Company,OU=DBA Team,CN=stl-dfusapp-80"
        }
        remote {
            auth = pubkey
            id = "C=US,ST=Missouri,O=Company,OU=DBA Team,CN=stl-dfusadb-20"
        }
        children {
            # no local_ts/remote_ts: traffic selectors default to the two host addresses
            stl-dfusapp-80_stl-dfusadb-20 {
                start_action = start
            }
        }
        version = 2
        mobike = yes
        reauth_time = 60m
        rekey_time = 20m
        proposals = aes128-sha256-modp2048
    }
}

Linux side: ipsec.conf

conn stl-dfusadb-20_stl-dfusapp-80
 left=stl-dfusadb-20
 leftcert=stl-dfusadb-20.crt
 leftid="C=US,ST=Missouri,O=Company,OU=DBA Team,CN=stl-dfusadb-20"
 right=stl-dfusapp-80
 rightid="C=US,ST=Missouri,O=Company,OU=DBA Team,CN=stl-dfusapp-80"
 auto=add


Windows output:

00[DMN] Starting IKE service charon-svc (strongSwan 5.2.2, Windows Server 6.1.7601 (SP 1.0)
00[LIB] loaded plugins: charon-svc nonce x509 pubkey pkcs1 pem openssl kernel-wfp kernel-iph socket-win vici
00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
00[JOB] spawning 16 worker threads
11[CFG] loaded certificate 'C=US, ST=Missouri, O=Company, OU=DBA Team, CN=stl-dfusapp-80'
08[CFG] loaded certificate 'C=US, ST=Missouri, L=St. Louis, O=Company, OU=DBA Team, CN=strongswanCA'
09[CFG] loaded RSA private key
13[CFG] added vici connection: host-to-host
09[CFG] vici initiate 'stl-dfusapp-80_stl-dfusadb-20'
13[IKE] initiating IKE_SA host-to-host[1] to 10.1.186.174
13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
13[NET] sending packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
17[KNL] WFP MM failure: 10.1.186.35/32 === 10.1.186.174/32, 0x3601, filterId 0
08[IKE] retransmit 1 of request with message ID 0
08[NET] sending packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
17[KNL] WFP MM failure: 10.1.186.35/32 === 10.1.186.174/32, 0x3601, filterId 0
16[IKE] retransmit 2 of request with message ID 0
16[NET] sending packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
17[KNL] WFP MM failure: 10.1.186.35/32 === 10.1.186.174/32, 0x3601, filterId 0
13[IKE] retransmit 3 of request with message ID 0
13[NET] sending packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
17[KNL] WFP MM failure: 10.1.186.35/32 === 10.1.186.174/32, 0x3601, filterId 0
10[IKE] retransmit 4 of request with message ID 0
10[NET] sending packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
17[KNL] WFP MM failure: 10.1.186.35/32 === 10.1.186.174/32, 0x3601, filterId 0
06[IKE] retransmit 5 of request with message ID 0
06[NET] sending packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
17[KNL] WFP MM failure: 10.1.186.35/32 === 10.1.186.174/32, 0x3601, filterId 0
13[IKE] giving up after 5 retransmits
13[IKE] establishing IKE_SA failed, peer not responding

Linux log:

Mar 10 09:16:01 stl-dfusadb-20 charon: 16[NET] received packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
Mar 10 09:16:01 stl-dfusadb-20 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 10 09:16:01 stl-dfusadb-20 charon: 16[IKE] 10.1.186.35 is initiating an IKE_SA
Mar 10 09:16:01 stl-dfusadb-20 charon: 16[IKE] sending cert request for "C=US, ST=Missouri, L=St. Louis, O=Company, OU=DBA Team, CN=strongswanCA"
Mar 10 09:16:01 stl-dfusadb-20 charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar 10 09:16:01 stl-dfusadb-20 charon: 16[NET] sending packet: from 10.1.186.174[500] to 10.1.186.35[500] (465 bytes)
Mar 10 09:16:31 stl-dfusadb-20 charon: 11[JOB] deleting half open IKE_SA after timeout
Mar 10 09:16:43 stl-dfusadb-20 charon: 13[NET] received packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
Mar 10 09:16:43 stl-dfusadb-20 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_