Hello Matt,

the Windows Server 2008 R2 expects strongSwan to request a virtual IP address to be used as a source address within the IPsec tunnel. Therefore add this statement:

  leftsourceip=%config

With a virtual IP address leftsubnet=10.0.0.0/24 doesn't make much sense, so you'd better omit the leftsubnet statement.

Regards

Andreas

On 08.11.2011 16:21, Matthew F. Hymowitz wrote:
> Thanks again for your help Andreas
>
> Here is the current config and non-debug log file:
>
> -Matt
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>         crlcheckinterval=0s
>         strictcrlpolicy=no
>         cachecrls=yes
>         nat_traversal=yes
>         charonstart=yes
>         plutostart=no
>
> # Add connections here.
>
> # Sample VPN connections
>
> #conn sample-self-signed
> #        left=%defaultroute
> #        leftsubnet=10.10.0.0/16
> #        leftcert=selfCert.der
> #        leftsendcert=never
> #        right=192.168.0.2
> #        rightsubnet=10.2.0.0/16
> #        rightcert=peerCert.der
> #        auto=start
>
> conn net-net
>         left=10.0.0.90
>         leftsubnet=10.0.0.0/24
>         leftauth=eap-mschapv2
>         eap_identity=matt
>         right=verrado.aaronline.com
>         rightsubnet=192.168.1.0/24
>         rightauth=pubkey
>         keyexchange=ikev2
>         auto=add
>
> ca carefree-aaronline-ca
>         cacert=/usr/local/etc/ipsec.d/cacert/aaronline.carefree.cert
>
> Nov 8 %f 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
> Nov 8 %f 00[KNL] listening on interfaces:
> Nov 8 %f 00[KNL]   eth0
> Nov 8 %f 00[KNL]     10.0.0.90
> Nov 8 %f 00[KNL]     fe80::215:5dff:fe01:660d
> Nov 8 %f 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> Nov 8 %f 00[CFG]   loaded ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" from '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
> Nov 8 %f 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> Nov 8 %f 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> Nov 8 %f 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> Nov 8 %f 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> Nov 8 %f 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> Nov 8 %f 00[CFG]   loaded EAP secret for matt
> Nov 8 %f 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2
> Nov 8 %f 00[JOB] spawning 16 worker threads
> Nov 8 %f 10[CFG] crl caching to /usr/local/etc/ipsec.d/crls enabled
> Nov 8 %f 12[CFG] received stroke: add connection 'net-net'
> Nov 8 %f 12[CFG] added configuration 'net-net'
> Nov 8 %f 14[CFG] received stroke: initiate 'net-net'
> Nov 8 %f 03[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
> Nov 8 %f 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov 8 %f 03[NET] sending packet: from 10.0.0.90[500] to 66.238.30.124[500]
> Nov 8 %f 16[NET] received packet: from 66.238.30.124[500] to 10.0.0.90[500]
> Nov 8 %f 16[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> Nov 8 %f 16[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
> Nov 8 %f 16[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
> Nov 8 %f 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov 8 %f 16[NET] sending packet: from 10.0.0.90[500] to 66.238.30.124[500]
> Nov 8 %f 02[NET] received packet: from 66.238.30.124[500] to 10.0.0.90[500]
> Nov 8 %f 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov 8 %f 02[IKE] local host is behind NAT, sending keep alives
> Nov 8 %f 02[IKE] remote host is behind NAT
> Nov 8 %f 02[IKE] sending cert request for "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA"
> Nov 8 %f 02[IKE] establishing CHILD_SA net-net
> Nov 8 %f 02[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
> Nov 8 %f 02[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov 8 %f 01[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
> Nov 8 %f 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> Nov 8 %f 01[IKE] received end entity cert "CN=verrado.aaronline.com"
> Nov 8 %f 01[CFG]   using certificate "CN=verrado.aaronline.com"
> Nov 8 %f 01[CFG]   using trusted ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA"
> Nov 8 %f 01[CFG]   reached self-signed root ca with a path length of 0
> Nov 8 %f 01[IKE] authentication of 'CN=verrado.aaronline.com' with RSA signature successful
> Nov 8 %f 01[IKE] server requested EAP_IDENTITY (id 0x00), sending 'matt'
> Nov 8 %f 01[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
> Nov 8 %f 01[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov 8 %f 10[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
> Nov 8 %f 10[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
> Nov 8 %f 10[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
> Nov 8 %f 10[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
> Nov 8 %f 10[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov 8 %f 11[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
> Nov 8 %f 11[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> Nov 8 %f 11[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
> Nov 8 %f 11[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
> Nov 8 %f 11[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov 8 %f 12[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
> Nov 8 %f 12[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
> Nov 8 %f 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
> Nov 8 %f 12[IKE] authentication of '10.0.0.90' (myself) with EAP
> Nov 8 %f 12[ENC] generating IKE_AUTH request 5 [ AUTH ]
> Nov 8 %f 12[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov 8 %f 10[IKE] retransmit 1 of request with message ID 5
> Nov 8 %f 10[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
> Nov 8 %f 11[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
> Nov 8 %f 11[ENC] parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ]
> Nov 8 %f 11[IKE] AUTH payload missing
> Nov 8 %f 00[DMN] signal of type SIGINT received. Shutting down
>
> Matt Hymowitz, CISSP
> Manager
> GMP Networks, LLC
> 520 577-3891
> ________________________________________
> From: Andreas Steffen [[email protected]]
> Sent: Monday, November 07, 2011 10:05 PM
> To: Matthew F. Hymowitz
> Cc: [email protected]
> Subject: Re: [strongSwan] IKEV2 windows 2008 r2
>
> Hi Matt,
>
> yes, the current ipsec.conf file and the log (but please without increasing the debug level!!!) would help.
>
> Regards
>
> Andreas
>
> On 11/08/2011 12:21 AM, Matthew F. Hymowitz wrote:
>> Hi Andreas
>>
>> Thanks for your quick response. I made the changes you suggest and reconfigured with the following switches
>> --disable-pluto --disable-revocation --enable-eap-identity --enable-eap-mschapv2 and --enable-md4
>>
>> I am now getting much further along in the negotiation. I am now failing with the error
>>
>> parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ]
>> Auth payload missing
>>
>> This is after I get the message EAP method EAP_MSCHAPV2 succeeded, MSK established.
>>
>> Let me know if you need complete logs, and thanks again for such a quick response.
>>
>> Matt Hymowitz, CISSP
>> Manager
>> GMP Networks, LLC
>> 520 577-3891
>
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==

--
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
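The fix Andreas describes, written out as the complete conn block for reference. This is an added example, not a file from the thread or from the strongSwan project: the only changes against Matt's quoted ipsec.conf are the added leftsourceip=%config line and the removed leftsubnet line; the commented ike= line is an optional addition of this example (not suggested in the thread) that reflects the log's "peer didn't accept DH group MODP_2048, it requested MODP_1024" and saves the INVAL_KE round trip at the cost of pinning the weaker group. The N(FAIL_CP_REQ) in the log is the IKEv2 FAILED_CP_REQUIRED notification: the responder expected a Configuration Payload request in IKE_AUTH and none was sent, which is exactly what leftsourceip=%config makes charon include.

```conf
# ipsec.conf - net-net conn with the virtual-IP fix applied (added example;
# addresses, names and the CA path are copied from Matt's quoted config).

config setup
        crlcheckinterval=0s
        strictcrlpolicy=no
        cachecrls=yes
        nat_traversal=yes
        charonstart=yes
        plutostart=no

conn net-net
        keyexchange=ikev2
        left=10.0.0.90
        # Request a virtual IP from the Windows Server 2008 R2 responder
        # via an IKEv2 CP(CFG_REQUEST). The assigned address is used as
        # the source inside the tunnel, so no local subnet is declared:
        # leftsubnet=10.0.0.0/24 has been removed on purpose.
        leftsourceip=%config
        leftauth=eap-mschapv2
        eap_identity=matt
        right=verrado.aaronline.com
        rightsubnet=192.168.1.0/24
        rightauth=pubkey
        # Optional (assumption of this example, not from the thread):
        # pin the IKE proposal to the group the peer asked for, which
        # avoids the INVAL_KE retry seen in the log. MODP_1024 is the
        # weaker group, so leave this out if the server can be changed.
        #ike=aes256-sha1-modp1024!
        auto=add

ca carefree-aaronline-ca
        cacert=/usr/local/etc/ipsec.d/cacert/aaronline.carefree.cert
```

The EAP secret itself stays in ipsec.secrets as before (the log already shows "loaded EAP secret for matt", so that line does not change). After `ipsec update` or a restart and `ipsec up net-net`, the IKE_AUTH request that carries the AUTH payload should now also carry a CP payload, and `ipsec statusall` should list the virtual IP the server assigned for net-net instead of the 10.0.0.0/24 traffic selector.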
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
