Since I am working on a config to use integrated clients as well, I thought 
I'd run through Derek's how-to.
My notes:
1. You need to import the "client" vpn certificate to Personal Certificates and 
do another import of the CA certificate to Trusted Root Certification 
Authorities. The How-to only lists one import.

2. Paul, "msdh-downgrade=yes" causes a syntax error, and I can't find it in the 
documentation.
3. Right now my connection still borks with a
 Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[1] x.x.x.x: constructed local IKE proposals for ikev2-cp (IKE SA responder matching remote proposals): 
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 
2:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 
5:IKE:ENCR=AES_CBC_256,AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1024
 Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[1] x.x.x.x  #1: proposal 10:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 chosen from remote proposals 
1:IKE:ENCR=3DES;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024 
2:IKE:ENCR=3DES;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024 
3:IKE:ENCR=3DES;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024 
4:IKE:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024[first-match] 
5:IKE:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024 
6:IKE:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024 
7:IKE:ENCR=AES_CBC_192;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024 
8:IKE:ENCR=AES_CBC_192;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024 
9:IKE:ENCR=AES_CBC_192;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024 
10:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024[better-match] 
11:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024 
12:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_...
 Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[1] x.x.x.x  #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP1024}
 Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[1] x.x.x.x  #1: certificate verified OK: O=Client1,CN=client1.zzz.net
 Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[1] x.x.x.x  #1: No matching subjectAltName found
 Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[1] x.x.x.x #1: certificate does not contain ID_IP subjectAltName=x.x.x.x
 Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[1] x.x.x.x  #1: Peer public key SubjectAltName does not match peer ID for this connection
 Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[1] x.x.x.x  #1: switched from "ikev2-cp"[1] x.x.x.x to "ikev2-cp"
 Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[2] x.x.x.x  #1: deleting connection "ikev2-cp"[1] x.x.x.x instance with peer x.x.x.x {isakmp=#0/ipsec=#0}
 Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[2] x.x.x.x  #1: certificate verified OK: O=Client1,CN=client1.zzz.net
 Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[2] x.x.x.x  #1: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=client1.zzz.net, O=Client1'
 Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[2] x.x.x.x  #1: Authenticated using RSA
 Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[2] x.x.x.x: constructed local ESP/AH proposals for ikev2-cp (IKE_AUTH responder matching remote ESP/AH proposals): 
1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 
2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 
3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED 
4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED
 Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[2] x.x.x.x #1: no local proposal matches remote proposals 
1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED 
2:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED 
3:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED 
4:ESP:ENCR=DES(UNUSED);INTEG=HMAC_SHA1_96;ESN=DISABLED 
5:ESP:ENCR=NULL;INTEG=HMAC_SHA1_96;ESN=DISABLED
 Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[2] x.x.x.x #1: IKE_AUTH responder matching remote ESP/AH proposals failed, responder SA processing returned STF_FAIL+v2N_NO_PROPOSAL_CHOSEN
 Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[2] x.x.x.x #2: responding to IKE_AUTH message (ID 1) from x.x.x.x:4500 with encrypted notification NO_PROPOSAL_CHOSEN



The ike line from ipsec.conf is the same as in the how-to and the wiki: 
ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024,aes-sha2;modp1024


Per the Wiki I added the 'aes-sha2;modp1024' to see if that would clear it up.
I am using Windows 10 Pro, current patch level.
Cheers,
Jan
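The two proposal negotiations in the log above (IKE SA agreed on remote proposal 10; ESP ended in NO_PROPOSAL_CHOSEN), run through a small parser as an added example. This is not code from libreswan or from the original post; the proposal strings are constructed from the post's log lines, with the remote IKE list abridged to four of its twelve entries, and the matching rule is a simplified version of RFC 7296 section 3.3 (one common value per transform type, key-length attributes ignored). The WEAK set is an assumed policy, not a libreswan setting.

```python
"""Added example: diagnose IKEv2 proposal (mis)matches from pluto log lines.
Not code from the libreswan project or from the original post."""
import re

# One proposal as pluto prints it, e.g. "3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED"
PROPOSAL_RE = re.compile(r"(\d+):(IKE|ESP|AH):(\S+)")
# Transform types compared when deciding whether two proposals can agree (RFC 7296 s3.3)
TRANSFORMS = ("ENCR", "PRF", "INTEG", "DH", "ESN")
# Algorithms a new deployment should not accept (assumed policy, not libreswan's)
WEAK = {"DES", "3DES", "NULL", "MODP1024", "HMAC_SHA1", "HMAC_SHA1_96"}

# Constructed from the post's log (remote IKE list abridged to four of twelve entries)
LOCAL_IKE = ("1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 "
             "2:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 "
             "3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 "
             "4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 "
             "5:IKE:ENCR=AES_CBC_256,AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1024")
REMOTE_IKE = ("1:IKE:ENCR=3DES;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024 "
              "4:IKE:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024[first-match] "
              "10:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024[better-match] "
              "11:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024")
LOCAL_ESP = ("1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED "
             "2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED "
             "3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED "
             "4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED")
REMOTE_ESP = ("1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED "
              "2:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED "
              "3:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED "
              "4:ESP:ENCR=DES(UNUSED);INTEG=HMAC_SHA1_96;ESN=DISABLED "
              "5:ESP:ENCR=NULL;INTEG=HMAC_SHA1_96;ESN=DISABLED")


def parse_proposals(text):
    """Parse a pluto proposal list into dicts like
    {"num": 3, "proto": "ESP", "ENCR": {"AES_CBC_256"}, ...}. Values are sets
    because pluto prints alternatives comma-separated (ENCR=AES_CBC_256,AES_CBC_128)."""
    proposals = []
    for num, proto, body in PROPOSAL_RE.findall(text):
        body = re.sub(r"\[[^\]]*\]", "", body)   # drop pluto's [first-match]/[better-match] tags
        body = body.replace("(UNUSED)", "")       # pluto marks DES as unused; keep the bare name
        prop = {"num": int(num), "proto": proto}
        for part in body.split(";"):
            key, _, value = part.partition("=")
            prop[key] = set(value.split(","))
        proposals.append(prop)
    return proposals


def conflicts(local, remote):
    """Transform types on which the two proposals share no value. A transform
    missing on one side (no DH transform in an ESP proposal) counts as NONE,
    matching how pluto prints DH=NONE for its own ESP proposals."""
    if local["proto"] != remote["proto"]:
        return set(TRANSFORMS)
    return {t for t in TRANSFORMS
            if not (local.get(t, {"NONE"}) & remote.get(t, {"NONE"}))}


def choose(local, remote):
    """First local proposal (responder preference order) that some remote
    proposal satisfies, as (local_num, remote_num); None if nothing matches."""
    for lp in local:
        for rp in remote:
            if not conflicts(lp, rp):
                return lp["num"], rp["num"]
    return None


def closest_pairs(local, remote):
    """When nothing matches: (local, remote, blocking transforms) triples with
    the fewest disagreements, i.e. the attribute that would have to change."""
    scored = [(lp["num"], rp["num"], sorted(conflicts(lp, rp)))
              for lp in local for rp in remote]
    fewest = min(len(c) for _, _, c in scored)
    return [s for s in scored if len(s[2]) == fewest]


def weak_in(proposal):
    """Weak algorithm names used anywhere in a proposal."""
    return {v for t in TRANSFORMS for v in proposal.get(t, set()) if v in WEAK}


if __name__ == "__main__":
    for name, local, remote in (("IKE", LOCAL_IKE, REMOTE_IKE), ("ESP", LOCAL_ESP, REMOTE_ESP)):
        lps, rps = parse_proposals(local), parse_proposals(remote)
        picked = choose(lps, rps)
        if picked:
            chosen = next(p for p in rps if p["num"] == picked[1])
            print(f"{name}: local {picked[0]} accepts remote {picked[1]}; weak: {sorted(weak_in(chosen))}")
        else:
            print(f"{name}: NO_PROPOSAL_CHOSEN; nearest pairs and blocking transform:")
            for lnum, rnum, blocked in closest_pairs(lps, rps):
                print(f"  local {lnum} vs remote {rnum}: {blocked}")
```

For the IKE SA this reproduces the log's outcome (responder proposal 3 accepts the client's proposal 10) and flags that the agreed SA rests on SHA-1 and MODP1024. For ESP it shows that the nearest pairs (responder 3 vs client 1, responder 4 vs client 2) differ only in INTEG: the client offers HMAC_SHA1_96 throughout, while every responder proposal requires either AES-GCM or HMAC_SHA2_512_256. Whether to loosen the responder's ESP integrity or to change the client's offer is a policy decision the script leaves to the admin.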


    On Wednesday, January 9, 2019, 1:07:24 PM EST, Paul Wouters 
<[email protected]> wrote:  
 
 On Wed, 9 Jan 2019, Derek Cameron wrote:

> 
> Thanks for your help. You're welcome to copy and paste anything you
> like from my blog post
> https://dc77312.wordpress.com/2019/01/09/libreswan-ipsec-ikev2-vpn-on-rhel-8-beta-server-and-windows-10-client/

Thanks, I'll see about merging it onto the libreswan wiki. Thanks for
the permission!

Some notes:

- Please use "libreswan" or "Libreswan", not "LibreSwan" :)
- Does it survive rekeying? You might want/need to add
  msdh-downgrade=yes to allow rekeying without or with wrong/bad
  DH group 1024 (perhaps the latest Windows build fixed this?)
- I think you can fixup the authentication without using powershell,
  but I would have to reclick through a windows box again to remember
  how I did that.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan