Hello, First time user of libreswan and I am trying to set up a test environment to evaluate the overhead of using IPsec with our product as follows:
Database daemon (dbserver 10.2.130.186) <-> VPN gateway (vpnserver 10.2.130.207) <-> multiple Windows 10 clients (client*)

The Windows clients are using the built-in VPN client and a route is automatically added on connection. It is using X.509 certificates which are installed correctly on the client. It is on an internal network and all firewalls are currently disabled. Everything is currently in the same VLAN.

ipsec verify
all [OK]

Client IP 10.2.130.187

Add-VpnConnection -Name "test" -ServerAddress "dbserver.fully.qualified.domain" -TunnelType "IKEv2" -EncryptionLevel "Required" -AuthenticationMethod MachineCertificate -RememberCredential -SplitTunneling -PassThru -Force
Set-VpnConnectionIPsecConfiguration -ConnectionName "test" -EncryptionMethod AES256 -DHGroup Group14 -IntegrityCheckMethod SHA256 -PfsGroup None -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -PassThru -Force
(Get-VpnConnection -Name "test").ipseccustompolicy
Add-VpnConnectionRoute -ConnectionName "test" -DestinationPrefix "10.2.130.186/32" -RouteMetric 10

Client routing table during test

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.2.130.1    10.2.130.187     271
         10.0.0.0        255.0.0.0         On-link     10.2.130.211      26
       10.2.130.0    255.255.255.0         On-link     10.2.130.187     271
     10.2.130.186  255.255.255.255         On-link     10.2.130.211      35
     10.2.130.187  255.255.255.255         On-link     10.2.130.187     271
     10.2.130.207  255.255.255.255         On-link     10.2.130.187      16
     10.2.130.211  255.255.255.255         On-link     10.2.130.211     281
     10.2.130.255  255.255.255.255         On-link     10.2.130.187     271
   10.255.255.255  255.255.255.255         On-link     10.2.130.211     281
        127.0.0.0        255.0.0.0         On-link        127.0.0.1     331
        127.0.0.1  255.255.255.255         On-link        127.0.0.1     331
  127.255.255.255  255.255.255.255         On-link        127.0.0.1     331
        224.0.0.0        240.0.0.0         On-link        127.0.0.1     331
        224.0.0.0        240.0.0.0         On-link     10.2.130.187     271
        224.0.0.0        240.0.0.0         On-link     10.2.130.211     281
  255.255.255.255  255.255.255.255         On-link        127.0.0.1     331
  255.255.255.255  255.255.255.255         On-link     10.2.130.187     271
  255.255.255.255  255.255.255.255         On-link     10.2.130.211     281
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0       10.2.130.1  Default
===========================================================================

The Windows client connects, authenticates and establishes an AES256 tunnel. However, the dbserver is not accessible from any client (neither proprietary TCP/UDP based protocol tests nor ICMP ping). The same test from vpnserver to dbserver is successful. During the test on a Windows client there is observable ESP chatter on port 4500.

Windows Event Viewer reports a successful connection:

CoId={202425CC-59DB-42D4-A548-5439FA786107}: The user DDD\uuu has dialed a connection named test to the Remote Access Server which has successfully connected. The connection parameters are: TunnelIpAddress = 10.2.130.211 TunnelIpv6Address = None Dial-in User = .
/var/log/secure during test

Feb 12 09:34:06 vpnserver pluto[50237]: packet from 10.2.130.187:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000002]
Feb 12 09:34:06 vpnserver pluto[50237]: packet from 10.2.130.187:500: local IKE proposals for testvpn (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1024 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 5:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048 6:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024
Feb 12 09:34:06 vpnserver pluto[50237]: packet from 10.2.130.187:500: proposal 2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048[first-match] 2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[better-match] 3:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP2048
Feb 12 09:34:06 vpnserver pluto[50237]: "testvpn"[1] 10.2.130.187 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha256_128 prf=sha2_256 group=MODP2048}
Feb 12 09:34:06 vpnserver pluto[50237]: "testvpn"[1] 10.2.130.187 #1: certificate verified OK: O=xxxxxx,CN=client282.fully.qualified.domain
Feb 12 09:34:06 vpnserver pluto[50237]: "testvpn"[1] 10.2.130.187 #1: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=client282.fully.qualified.domain, O=xxxxxx'
Feb 12 09:34:06 vpnserver pluto[50237]: "testvpn"[1] 10.2.130.187 #1: Authenticated using RSA
Feb 12 09:34:06 vpnserver pluto[50237]: "testvpn"[1] 10.2.130.187 #1: local ESP/AH proposals for testvpn (IKE SA responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_128,AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
Feb 12 09:34:06 vpnserver pluto[50237]: "testvpn"[1] 10.2.130.187 #1: proposal 1:ESP:SPI=0fd6e1e8;ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match]
Feb 12 09:34:06 vpnserver pluto[50237]: "testvpn"[1] 10.2.130.187 #2: negotiated connection [0.0.0.0-255.255.255.255:0-65535 0] -> [10.2.130.211-10.2.130.211:0-65535 0]
Feb 12 09:34:06 vpnserver pluto[50237]: "testvpn"[1] 10.2.130.187 #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0x0fd6e1e8 <0xfe3b0d44 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=10.2.130.187:4500 DPD=active}
...
Feb 12 09:35:27 vpnserver pluto[50237]: "testvpn"[1] 10.2.130.187 #1: received Delete SA payload: expire IPSEC State #2 now
Feb 12 09:35:27 vpnserver pluto[50237]: "testvpn"[1] 10.2.130.187 #2: deleting state (STATE_V2_IPSEC_R) and NOT sending notification
Feb 12 09:35:27 vpnserver pluto[50237]: "testvpn"[1] 10.2.130.187 #2: ESP traffic information: in=60KB out=0B
Feb 12 09:35:27 vpnserver pluto[50237]: expire unused parent SA #1 "testvpn"[1] 10.2.130.187
Feb 12 09:35:27 vpnserver pluto[50237]: "testvpn"[1] 10.2.130.187 #1: deleting state (STATE_IKESA_DEL) and NOT sending notification
Feb 12 09:35:27 vpnserver pluto[50237]: packet from 10.2.130.187:4500: deleting connection "testvpn"[1] 10.2.130.187 instance with peer 10.2.130.187 {isakmp=#0/ipsec=#0}

The Windows connection is terminated with error 631 (The port was disconnected by the user.). This is not a deliberate action.
ipsec.conf connection

conn testvpn
    left=%defaultroute   # (1) - 10.2.130.207
    leftcert=vpnserver.fully.qualified.domain   # name changed
    [email protected]
    leftsendcert=always   # (1)
    leftsubnet=0.0.0.0/0   # (1)
    #leftsubnet=10.2.130.186/32   # specific IP of dbserver
    #leftsubnet=10.2.130.0/24
    leftrsasigkey=%cert   # (1)
    right=%any   # (1)
    rightid=%fromcert   # (1)
    rightaddresspool=10.2.130.211-10.2.130.254
    rightca=%same   # (1)
    rightrsasigkey=%cert   # (1)
    narrowing=yes   # (1)
    dpddelay=30   # (1)
    dpdtimeout=40   # (1) - clear sooner. was 120
    dpdaction=clear   # (1)
    auto=add   # (1)
    ikev2=insist   # (1)
    rekey=no   # (1)
    pfs=no   # (1)
    ike-frag=yes   # (1)
    ike=aes256-sha2,aes256-sha1,aes256-sha2;modp1024,aes128-sha2,aes128-sha1,aes128-sha1;modp1024   # (1)
    phase2alg=aes_gcm-null,aes256-sha2,aes256-sha1,aes128-sha2,aes128-sha1   # (1)
    # ipsec --version >= libreswan 3.23
    modecfgdns=10.2.8.20,10.2.8.21   # (1)
    encapsulation=yes   # (1)
    mobike=no   # (1)

# (1) https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md
# (2) https://libreswan.org/man/ipsec.conf.5.html
# (3) https://libreswan.org/wiki/FAQ#Microsoft_Windows_connection_attempts_fail_with_NO_POROPOSAL_CHOSEN
# (4) https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
# (5) https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients

It may be something simple but I just can't figure out what it is. Any help to resolve this would be appreciated.

Thanks in advance
-paul
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
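As an added example (editor's code, not part of the post above and not libreswan's own tooling), a small checker over the pluto lines quoted in the post: it parses each child SA's negotiated traffic selectors and its "ESP traffic information" counters, flags one-way tunnels like the in=60KB out=0B above (client packets decrypted, nothing sent back, i.e. a return-path problem), and notes when the address handed to the client sits inside the gateway's own LAN prefix, which is the case for a rightaddresspool carved out of 10.2.130.0/24. The sample lines and the LAN prefix are taken from the post; the function names are this example's own.

```python
import re
import ipaddress

# Constructed sample: the three pluto lines from the post that carry the fields parsed below.
SAMPLE_LOG = """\
Feb 12 09:34:06 vpnserver pluto[50237]: "testvpn"[1] 10.2.130.187 #2: negotiated connection [0.0.0.0-255.255.255.255:0-65535 0] -> [10.2.130.211-10.2.130.211:0-65535 0]
Feb 12 09:34:06 vpnserver pluto[50237]: "testvpn"[1] 10.2.130.187 #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0x0fd6e1e8 <0xfe3b0d44 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=10.2.130.187:4500 DPD=active}
Feb 12 09:35:27 vpnserver pluto[50237]: "testvpn"[1] 10.2.130.187 #2: ESP traffic information: in=60KB out=0B
"""

# "conn"[instance] peer #sa: message  -- the prefix pluto puts on per-state lines
PREFIX = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<sa>\d+): (?P<msg>.*)')
NEGOTIATED = re.compile(r'negotiated connection \[(?P<l1>[\d.]+)-(?P<l2>[\d.]+):[^\]]*\] -> \[(?P<r1>[\d.]+)-(?P<r2>[\d.]+):[^\]]*\]')
TRAFFIC = re.compile(r'ESP traffic information: in=(?P<inb>\S+) out=(?P<outb>\S+)')
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

def to_bytes(s):
    """Convert pluto's human-readable counter (60KB, 0B, 2MB) to an integer byte count."""
    m = re.fullmatch(r'(\d+)([KMG]?B)', s)
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_pluto(log):
    """Return {(conn, peer, sa_number): {local_ts, remote_ts, in_bytes, out_bytes}} per child SA."""
    sas = {}
    for line in log.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue
        entry = sas.setdefault((m["conn"], m["peer"], int(m["sa"])), {})
        n = NEGOTIATED.search(m["msg"])
        if n:
            entry["local_ts"] = (n["l1"], n["l2"])    # what the client may reach through us
            entry["remote_ts"] = (n["r1"], n["r2"])   # the address assigned to the client
        t = TRAFFIC.search(m["msg"])
        if t:
            entry["in_bytes"] = to_bytes(t["inb"])
            entry["out_bytes"] = to_bytes(t["outb"])
    return sas

def findings(sas, lan_prefix):
    """Flag one-way ESP traffic and client addresses that fall inside the gateway's LAN prefix."""
    lan = ipaddress.ip_network(lan_prefix)
    out = []
    for (conn, peer, sa), e in sas.items():
        if e.get("in_bytes", 0) > 0 and e.get("out_bytes", 0) == 0:
            out.append(f"{conn} peer {peer} SA #{sa}: decrypted client traffic but sent nothing back; check the return route from the protected hosts to the client address")
        if "remote_ts" in e and all(ipaddress.ip_address(a) in lan for a in e["remote_ts"]):
            out.append(f"{conn} peer {peer} SA #{sa}: client address {e['remote_ts'][0]} lies inside LAN {lan}; LAN hosts will ARP for it directly, so the gateway must answer ARP on its behalf (proxy ARP) or the pool must use its own prefix")
    return out
```

Run it as `for f in findings(parse_pluto(SAMPLE_LOG), "10.2.130.0/24"): print(f)` against the sample, or feed it the relevant lines of /var/log/secure and the gateway's LAN prefix.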
