Hi,

I'm having trouble connecting Windows 8 to libreswan (version 3.15-5) using IKEv2. I get the 809 error.

The ipsec connection I have configured is copied from another libreswan host (version 3.13-1) that does work (we're migrating) but I can't seem to locate the issue on the new server.

The connection appears to succeed on the server. Then, on the Windows 8 client, I see a message "Verifying your credentials" after which I see the "Error 809: ..." message.

Here's my log of the connection:

May 23 11:29:38 apex pluto[29341]: "ikev2-cp"[1] 165.228.94.4 #8: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
May 23 11:29:39 apex pluto[29341]: "ikev2-cp"[1] 165.228.94.4 #8: new NAT mapping for #8, was 165.228.94.4:500, now 165.228.94.4:4500
May 23 11:29:39 apex pluto[29341]: "ikev2-cp"[1] 165.228.94.4 #8: certificate [email protected],CN=Thomas Robinson,OU=IT,O=MoTeC Pty Ltd,ST=Victoria,C=AU OK
May 23 11:29:39 apex pluto[29341]: "ikev2-cp"[1] 165.228.94.4 #8: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=IT, CN=Thomas Robinson, [email protected]'
May 23 11:29:39 apex pluto[29341]: | Sending [CERT] of certificate: [email protected],CN=motec5.motec.com.au,OU=IT,O=MoTeC Pty Ltd,L=Melbourne,ST=Victoria,C=AU
May 23 11:29:39 apex pluto[29341]: "ikev2-cp"[1] 165.228.94.4 #9: negotiated tunnel [0.0.0.0,255.255.255.255:0-65535 0] -> [10.0.9.1,10.0.9.1:0-65535 0]
May 23 11:29:39 apex pluto[29341]: "ikev2-cp"[1] 165.228.94.4 #9: STATE_PARENT_R2: received v2I2, PARENT SA established tunnel mode {ESP/NAT=>0xefe27442 <0x1fd6e1dc xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=165.228.94.4:4500 DPD=active}

Here's the config:

conn ikev2-cp
        also=leftcert
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        # Clients
        rightsendcert=always
        right=%any
        rightaddresspool=10.0.9.1-10.0.9.10
        rightid=%fromcert
        rightrsasigkey=%cert
        modecfgdns1=10.0.19.13
        modecfgdns2=10.0.18.1
        narrowing=yes
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        auto=add
        ikev2=insist
        ike=aes256-sha1;modp1024,3des-sha1;modp1024
        rekey=no

conn leftcert
        left=115.70.189.242
        leftid=%fromcert
        leftcert=motec5.motec.com.au
        leftrsasigkey=%cert

For my own sanity, is someone able to run their eyes over this?

Kind regards,
Tom



-- 

Tom Robinson
IT Manager/System Administrator

MoTeC Pty Ltd

121 Merrindale Drive
Croydon South
3136 Victoria
Australia

T: +61 3 9761 5050
F: +61 3 9761 5051
E: [email protected]


_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
