It definitely looks like some of the wiki documentation is out of date, but I
have been making progress. Pulled the code from github just now, and re-built
it (v3.27-622-gd451f77d5-master).
When the Windows 10 client tries to connect, the log says:
Jan 18 19:44:08 ip-10-0-0-194 pluto[10183]: "ikev2-cp"[1] xx.xx.xx.xx: constructed local IKE proposals for ikev2-cp (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 2:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 5:IKE:ENCR=AES_CBC_256,AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1024
Jan 18 19:44:08 ip-10-0-0-194 pluto[10183]: "ikev2-cp"[1] xx.xx.xx.xx #1: proposal 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1024 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024[first-match]
Jan 18 19:44:08 ip-10-0-0-194 pluto[10183]: "ikev2-cp"[1] xx.xx.xx.xx #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP1024}
Jan 18 19:44:08 ip-10-0-0-194 pluto[10183]: "ikev2-cp"[1] xx.xx.xx.xx #1: certificate verified OK: O=Client1,CN=client1.zzz.net
Jan 18 19:44:08 ip-10-0-0-194 pluto[10183]: "ikev2-cp"[1] xx.xx.xx.xx #1: No matching subjectAltName found
Jan 18 19:44:08 ip-10-0-0-194 pluto[10183]: "ikev2-cp"[1] xx.xx.xx.xx #1: certificate does not contain ID_IP subjectAltName=xx.xx.xx.xx
Jan 18 19:44:08 ip-10-0-0-194 pluto[10183]: "ikev2-cp"[1] xx.xx.xx.xx #1: Peer public key SubjectAltName does not match peer ID for this connection
Jan 18 19:44:08 ip-10-0-0-194 pluto[10183]: "ikev2-cp"[1] xx.xx.xx.xx #1: switched from "ikev2-cp"[1] xx.xx.xx.xx to "ikev2-cp"
Jan 18 19:44:08 ip-10-0-0-194 pluto[10183]: "ikev2-cp"[2] xx.xx.xx.xx #1: deleting connection "ikev2-cp"[1] xx.xx.xx.xx instance with peer xx.xx.xx.xx {isakmp=#0/ipsec=#0}
Jan 18 19:44:08 ip-10-0-0-194 pluto[10183]: "ikev2-cp"[2] xx.xx.xx.xx #1: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=client1.zzz.net, O=Client1'
Jan 18 19:44:08 ip-10-0-0-194 pluto[10183]: "ikev2-cp"[2] xx.xx.xx.xx #1: Authenticated using RSA
Jan 18 19:44:08 ip-10-0-0-194 pluto[10183]: "ikev2-cp"[2] xx.xx.xx.xx: constructed local ESP/AH proposals for ikev2-cp (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED
Jan 18 19:44:08 ip-10-0-0-194 pluto[10183]: "ikev2-cp"[2] xx.xx.xx.xx #1: no local proposal matches remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED
Jan 18 19:44:08 ip-10-0-0-194 pluto[10183]: "ikev2-cp"[2] xx.xx.xx.xx #1: IKE_AUTH responder matching remote ESP/AH proposals failed, responder SA processing returned STF_FAIL+v2N_NO_PROPOSAL_CHOSEN
Jan 18 19:44:08 ip-10-0-0-194 pluto[10183]: "ikev2-cp"[2] xx.xx.xx.xx #2: responding to IKE_AUTH message (ID 1) from xx.xx.xx.xx:4500 with encrypted notification NO_PROPOSAL_CHOSEN

Config line items are (the last set was per the wiki to play nice with Windows, 
but no dice): 
ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024,aes-sha2;modp1024
esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512
ms-dh-downgrade=yes

(Paul, you left out the dash in your email to Derek C, and the Wiki refers to 
'ms-dh-fallback')
Things done to Windows in PowerShell:
Set-VpnConnection -Name "vv" -AuthenticationMethod "MachineCertificate"
Set-VpnConnectionIPsecConfiguration -Name "vv" `
    -AuthenticationTransformConstants SHA196 -CipherTransformConstants AES256 `
    -DHGroup Group2 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -PfsGroup None

I also tried Group1.
The Windows 10 client just comes back with "Policy Error", and there isn't much
else in the system or application logs, whether with no IPsec configuration
cmdlet or with it run for the Group1 and Group2 DH groups.
I am going to hit it with OSX in a couple of minutes, and then try an Ubuntu 
client.
Cheers,
Jan
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
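The ESP negotiation failure in the log above (the peer offers AES_CBC_256 with HMAC_SHA1_96, and none of the four local proposals carries that integrity algorithm), worked as an added example that is not part of the original message and not Libreswan code: a Python script that parses the "constructed local ESP/AH proposals" and "no local proposal matches remote proposals" lines pluto writes, reports per local proposal which transform attribute conflicts with the peer's offer, and spells the peer's proposal in esp= syntax. The ESP_NAMES table and the rule that a transform absent from one side counts as NONE are assumptions; the sample log lines are a constructed copy of the two relevant lines from the message above.

```python
"""Diagnose a Libreswan IKEv2 ESP proposal mismatch from pluto log lines.

Added example; not code from the original message or from the Libreswan
project. It parses the "constructed local ESP/AH proposals" and "no local
proposal matches remote proposals" lines, reports per local proposal which
transform attributes conflict with what the peer offered, and spells the
peer's proposal in esp= syntax. ESP_NAMES is an assumption covering only
the algorithm names that appear in the log above.
"""
import re

# Constructed sample: the two relevant lines from the log above, one per line.
SAMPLE_LOG = """\
Jan 18 19:44:08 ip-10-0-0-194 pluto[10183]: "ikev2-cp"[2] xx.xx.xx.xx: constructed local ESP/AH proposals for ikev2-cp (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED
Jan 18 19:44:08 ip-10-0-0-194 pluto[10183]: "ikev2-cp"[2] xx.xx.xx.xx #1: no local proposal matches remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED
"""

# "N:PROTO:K=V;K=V1,V2;..." as pluto prints it; the class stops at whitespace
# and at the "[first-match]" suffix pluto appends on "chosen" lines.
PROPOSAL_RE = re.compile(r"(\d+):(IKE|ESP|AH):([A-Z0-9_=;,]+)")

# Assumption: esp= spellings (aes256-sha1 style) for the names in this log.
ESP_NAMES = {
    "AES_CBC_256": "aes256", "AES_CBC_128": "aes128",
    "AES_GCM_C_256": "aes_gcm256", "AES_GCM_C_128": "aes_gcm128",
    "HMAC_SHA1_96": "sha1", "HMAC_SHA2_256_128": "sha2_256",
    "HMAC_SHA2_512_256": "sha2_512", "NONE": "null",
}
NONE = ("NONE",)  # assumption: a transform absent from one side behaves like NONE


def parse_proposals(text):
    """One dict per proposal; comma-separated values become a tuple of alternatives."""
    out = []
    for _num, proto, attrs in PROPOSAL_RE.findall(text):
        p = {"PROTO": (proto,)}
        for kv in attrs.split(";"):
            key, _, val = kv.partition("=")
            p[key] = tuple(val.split(","))
        out.append(p)
    return out


def extract(log):
    """Local and remote ESP/AH proposals from a chunk of pluto log text."""
    local, remote = [], []
    for line in log.splitlines():
        if "constructed local ESP/AH proposals" in line:
            local = parse_proposals(line.split("proposals):", 1)[1])
        elif "no local proposal matches remote proposals" in line:
            remote = parse_proposals(line.split("remote proposals", 1)[1])
    return local, remote


def conflicts(local_p, remote_p):
    """Sorted attribute names on which the two proposals share no value."""
    keys = set(local_p) | set(remote_p)
    return sorted(k for k in keys
                  if not (set(local_p.get(k, NONE)) & set(remote_p.get(k, NONE))))


def esp_entry(p):
    """Spell an ESP proposal as an esp= entry, using each transform's first alternative."""
    enc = ESP_NAMES[p["ENCR"][0]]
    integ = ESP_NAMES[p.get("INTEG", NONE)[0]]
    return f"{enc}-{integ}"


def diagnose(log):
    """For each peer proposal, the conflict list against every local proposal
    (empty list = match), plus the esp= entries for peer proposals nothing matched."""
    local, remote = extract(log)
    report, missing = [], []
    for rp in remote:
        per_local = [conflicts(lp, rp) for lp in local]
        report.append(per_local)
        if all(per_local):  # every local proposal conflicts on something
            missing.append(esp_entry(rp))
    return report, missing


if __name__ == "__main__":
    report, missing = diagnose(SAMPLE_LOG)
    for i, per_local in enumerate(report, 1):
        for j, bad in enumerate(per_local, 1):
            verdict = "match" if not bad else "conflict on " + ",".join(bad)
            print(f"remote {i} vs local {j}: {verdict}")
    print("esp= entries the peer would accept:", ",".join(missing))
```

Run against the two lines above it reports that local proposal 3 differs only on INTEG (sha2_512 vs sha1) and that the peer's offer spells as aes256-sha1, which is what the PowerShell `-CipherTransformConstants AES256 -AuthenticationTransformConstants SHA196` pair selects; the same parser handles the IKE "chosen from remote proposals" lines, including the `[first-match]` suffix.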
