Hi Matt,

in my opinion the subject Distinguished Name contained in
the server certificate should be the rightid:

 rightid="CN=verrado.aaronline.com"

Regards

Andreas

On 09.11.2011 04:56, Matthew F. Hymowitz wrote:
Andreas

Got it working. I needed to add rightsubnet=192.168.1.0/24 to the connection.
I still have a question about removing rightid=%any.

Thanks again for all your help.


Matt Hymowitz, CISSP
Manager
GMP Networks, LLC
520 577-3891
________________________________________
From: Matthew F. Hymowitz
Sent: Tuesday, November 08, 2011 6:00 PM
To: Andreas Steffen
Cc: [email protected]
Subject: RE: [strongSwan] IKEV2   windows 2008 r2

Hi Andreas

With your expert help, I am now able to establish a connection between my two 
sites. From my Ubuntu box I am able to ping 192.168.1.45, which I think is my 
local VPN adapter. I cannot, however, ping 192.168.1.43, which I think is the 
Windows PPP adapter. I do not see any entries for 192.168.1.x when I do a 
netstat -r (should I?). I also cannot ping anything else on the 192.168.1.x 
network.


I greatly appreciate all the help you are providing me. Thank you again.



sudo ipsec statusall shows the following:


Status of IKEv2 charon daemon (strongSwan 4.5.3):
   uptime: 16 minutes, since Nov 08 17:33:32 2011
   malloc: sbrk 270336, mmap 0, used 154064, free 116272
   worker threads: 9 of 16 idle, 6/1/0/0 working, job queue: 0/0/0/0, 
scheduled: 3
   loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey 
pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default 
stroke updown eap-identity eap-mschapv2
Listening IP addresses:
   10.0.0.106
Connections:
      net-net:  10.0.0.106...66.238.30.124
      net-net:   local:  [10.0.0.106] uses EAP_MSCHAPV2 authentication with EAP 
identity 'matt'
      net-net:   remote: [%any] uses public key authentication
      net-net:   child:  dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
      net-net[1]: ESTABLISHED 16 minutes ago, 
10.0.0.106[10.0.0.106]...66.238.30.124[CN=verrado.aaronline.com]
      net-net[1]: IKE SPIs: d970b6f80746b929_i* 0b2a24b30601e1e3_r, EAP 
reauthentication in 39 minutes
      net-net[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024




Also, I had to add %any for rightid; it says it is looking for verrado's IP 
address, and when I put that in there it still complains. Not sure what the 
rightid should really be.


Here is my current config (I did change IP addresses on the Ubuntu machine 
since the last config I sent you).

# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
        crlcheckinterval=0s
        strictcrlpolicy=no
        plutostart=no
        nat_traversal=yes
        charonstart=yes

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no
        forceencaps=yes

conn net-net
        left=10.0.0.106
        leftsourceip=%config
        leftfirewall=yes
        leftauth=eap-mschapv2
        eap_identity=matt
        right=verrado.aaronline.com
        rightid=%any
        rightauth=pubkey
        auto=add

ca carefree-aaronline-ca
        cacert=/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert




Here is the log file

00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
00[KNL] listening on interfaces:
00[KNL]   eth0
00[KNL]     10.0.0.106
00[KNL]     fe80::215:5dff:fe01:6609
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "DC=com, DC=aaronline, 
CN=aaronline-CAREFREE-CA" from 
'/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG]   loaded EAP secret for matt
00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints 
pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve 
socket-default stroke updown eap-identity eap-mschapv2
00[JOB] spawning 16 worker threads
00[DMN] signal of type SIGINT received. Shutting down
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
00[KNL] listening on interfaces:
00[KNL]   eth0
00[KNL]     10.0.0.106
00[KNL]     fe80::215:5dff:fe01:6609
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "DC=com, DC=aaronline, 
CN=aaronline-CAREFREE-CA" from 
'/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG]   loaded EAP secret for matt
00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints 
pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve 
socket-default stroke updown eap-identity eap-mschapv2
00[JOB] spawning 16 worker threads
00[DMN] signal of type SIGINT received. Shutting down
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
00[KNL] listening on interfaces:
00[KNL]   eth0
00[KNL]     10.0.0.106
00[KNL]     fe80::215:5dff:fe01:6609
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "DC=com, DC=aaronline, 
CN=aaronline-CAREFREE-CA" from 
'/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG]   loaded EAP secret for matt
00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints 
pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve 
socket-default stroke updown eap-identity eap-mschapv2
00[JOB] spawning 16 worker threads
09[CFG] received stroke: add connection 'net-net'
09[CFG] added configuration 'net-net'
11[CFG] received stroke: initiate 'net-net'
13[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
13[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500]
02[IKE] retransmit 1 of request with message ID 0
02[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500]
14[IKE] retransmit 2 of request with message ID 0
14[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500]
15[NET] received packet: from 66.238.30.124[500] to 10.0.0.106[500]
15[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
15[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
15[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
15[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500]
16[NET] received packet: from 66.238.30.124[500] to 10.0.0.106[500]
16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
16[IKE] local host is behind NAT, sending keep alives
16[IKE] remote host is behind NAT
16[IKE] sending cert request for "DC=com, DC=aaronline, 
CN=aaronline-CAREFREE-CA"
16[IKE] establishing CHILD_SA net-net
16[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CP(ADDR 
DNS) SA TSi TSr N(EAP_ONLY) ]
16[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
01[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
01[IKE] received end entity cert "CN=verrado.aaronline.com"
01[CFG]   using certificate "CN=verrado.aaronline.com"
01[CFG]   using trusted ca certificate "DC=com, DC=aaronline, 
CN=aaronline-CAREFREE-CA"
01[CFG]   reached self-signed root ca with a path length of 0
01[IKE] authentication of 'CN=verrado.aaronline.com' with RSA signature 
successful
01[IKE] server requested EAP_IDENTITY (id 0x00), sending 'matt'
01[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
01[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
09[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
09[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
09[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
09[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
09[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
10[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
10[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
10[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
10[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
10[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
12[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
12[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
12[IKE] authentication of '10.0.0.106' (myself) with EAP
12[ENC] generating IKE_AUTH request 5 [ AUTH ]
12[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
13[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500]
13[ENC] parsed IKE_AUTH response 5 [ AUTH N(MOBIKE_SUP) CP(ADDR DNS DNS) SA TSi 
TSr ]
13[IKE] authentication of 'CN=verrado.aaronline.com' with EAP successful
13[IKE] IKE_SA net-net[1] established between 
10.0.0.106[10.0.0.106]...66.238.30.124[CN=verrado.aaronline.com]
13[IKE] scheduling reauthentication in 3335s
13[IKE] maximum IKE_SA lifetime 3515s
13[IKE] installing DNS server 192.168.1.3 to /usr/local/etc/resolv.conf
13[IKE] installing DNS server 192.168.1.5 to /usr/local/etc/resolv.conf
13[IKE] installing new virtual IP 192.168.1.45
13[IKE] CHILD_SA net-net{1} established with SPIs c7f02950_i e7875dae_o and TS 
192.168.1.45/32 === 66.238.30.124/32
11[IKE] sending keep alive
11[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500]
13[IKE] sending keep alive


Matt Hymowitz, CISSP
Manager
GMP Networks, LLC
520 577-3891
________________________________________
From: Andreas Steffen [[email protected]]
Sent: Tuesday, November 08, 2011 10:22 AM
To: Matthew F. Hymowitz
Cc: [email protected]
Subject: Re: [strongSwan] IKEV2   windows 2008 r2

Hello Matt,

the Windows Server 2008 r2 expects strongSwan
to request a virtual IP address to be used
as a source address within the IPsec tunnel.
Therefore add this statement:

    leftsourceip=%config

With a virtual IP address

    leftsubnet=10.0.0.0/24

doesn't make much sense, so you'd better
omit the leftsubnet statement.

Regards

Andreas

On 08.11.2011 16:21, Matthew F. Hymowitz wrote:
Thanks again for your help, Andreas.




Here is the current config and non-debug log file:



-Matt


# ipsec.conf - strongSwan IPsec configuration file

config setup
       crlcheckinterval=0s
       strictcrlpolicy=no
       cachecrls=yes
       nat_traversal=yes
       charonstart=yes
       plutostart=no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      left=%defaultroute
#      leftsubnet=10.10.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

conn net-net
       left=10.0.0.90
       leftsubnet=10.0.0.0/24
       leftauth=eap-mschapv2
       eap_identity=matt
       right=verrado.aaronline.com
       rightsubnet=192.168.1.0/24
       rightauth=pubkey
       keyexchange=ikev2
       auto=add

ca carefree-aaronline-ca
       cacert=/usr/local/etc/ipsec.d/cacert/aaronline.carefree.cert


Nov  8 %f 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
Nov  8 %f 00[KNL] listening on interfaces:
Nov  8 %f 00[KNL]   eth0
Nov  8 %f 00[KNL]     10.0.0.90
Nov  8 %f 00[KNL]     fe80::215:5dff:fe01:660d
Nov  8 %f 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Nov  8 %f 00[CFG]   loaded ca certificate "DC=com, DC=aaronline, 
CN=aaronline-CAREFREE-CA" from 
'/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
Nov  8 %f 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Nov  8 %f 00[CFG] loading ocsp signer certificates from 
'/usr/local/etc/ipsec.d/ocspcerts'
Nov  8 %f 00[CFG] loading attribute certificates from 
'/usr/local/etc/ipsec.d/acerts'
Nov  8 %f 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Nov  8 %f 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Nov  8 %f 00[CFG]   loaded EAP secret for matt
Nov  8 %f 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 
constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink 
resolve socket-default stroke updown eap-identity eap-mschapv2
Nov  8 %f 00[JOB] spawning 16 worker threads
Nov  8 %f 10[CFG] crl caching to /usr/local/etc/ipsec.d/crls enabled
Nov  8 %f 12[CFG] received stroke: add connection 'net-net'
Nov  8 %f 12[CFG] added configuration 'net-net'
Nov  8 %f 14[CFG] received stroke: initiate 'net-net'
Nov  8 %f 03[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
Nov  8 %f 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) 
N(NATD_D_IP) ]
Nov  8 %f 03[NET] sending packet: from 10.0.0.90[500] to 66.238.30.124[500]
Nov  8 %f 16[NET] received packet: from 66.238.30.124[500] to 10.0.0.90[500]
Nov  8 %f 16[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Nov  8 %f 16[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
Nov  8 %f 16[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
Nov  8 %f 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) 
N(NATD_D_IP) ]
Nov  8 %f 16[NET] sending packet: from 10.0.0.90[500] to 66.238.30.124[500]
Nov  8 %f 02[NET] received packet: from 66.238.30.124[500] to 10.0.0.90[500]
Nov  8 %f 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) 
N(NATD_D_IP) ]
Nov  8 %f 02[IKE] local host is behind NAT, sending keep alives
Nov  8 %f 02[IKE] remote host is behind NAT
Nov  8 %f 02[IKE] sending cert request for "DC=com, DC=aaronline, 
CN=aaronline-CAREFREE-CA"
Nov  8 %f 02[IKE] establishing CHILD_SA net-net
Nov  8 %f 02[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ 
IDr SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
Nov  8 %f 02[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
Nov  8 %f 01[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
Nov  8 %f 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Nov  8 %f 01[IKE] received end entity cert "CN=verrado.aaronline.com"
Nov  8 %f 01[CFG]   using certificate "CN=verrado.aaronline.com"
Nov  8 %f 01[CFG]   using trusted ca certificate "DC=com, DC=aaronline, 
CN=aaronline-CAREFREE-CA"
Nov  8 %f 01[CFG]   reached self-signed root ca with a path length of 0
Nov  8 %f 01[IKE] authentication of 'CN=verrado.aaronline.com' with RSA 
signature successful
Nov  8 %f 01[IKE] server requested EAP_IDENTITY (id 0x00), sending 'matt'
Nov  8 %f 01[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Nov  8 %f 01[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
Nov  8 %f 10[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
Nov  8 %f 10[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Nov  8 %f 10[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
Nov  8 %f 10[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Nov  8 %f 10[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
Nov  8 %f 11[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
Nov  8 %f 11[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Nov  8 %f 11[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
Nov  8 %f 11[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Nov  8 %f 11[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
Nov  8 %f 12[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
Nov  8 %f 12[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
Nov  8 %f 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Nov  8 %f 12[IKE] authentication of '10.0.0.90' (myself) with EAP
Nov  8 %f 12[ENC] generating IKE_AUTH request 5 [ AUTH ]
Nov  8 %f 12[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
Nov  8 %f 10[IKE] retransmit 1 of request with message ID 5
Nov  8 %f 10[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
Nov  8 %f 11[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
Nov  8 %f 11[ENC] parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ]
Nov  8 %f 11[IKE] AUTH payload missing
Nov  8 %f 00[DMN] signal of type SIGINT received. Shutting down









Matt Hymowitz, CISSP
Manager
GMP Networks, LLC
520 577-3891
________________________________________
From: Andreas Steffen [[email protected]]
Sent: Monday, November 07, 2011 10:05 PM
To: Matthew F. Hymowitz
Cc: [email protected]
Subject: Re: [strongSwan] IKEV2   windows 2008 r2

Hi Matt,

yes, the current ipsec.conf file and the log (but please without
increasing the debug level!!!) would help.

Regards

Andreas

On 11/08/2011 12:21 AM, Matthew F. Hymowitz wrote:
Hi Andreas

Thanks for your quick response. I made the changes you suggested and 
reconfigured with the following switches:
--disable-pluto --disable-revocation --enable-eap-identity 
--enable-eap-mschapv2 and --enable-md4

I am now getting much further along in the negotiation.  I am now failing with 
the error

parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ]
Auth payload missing


This is after I get the message "EAP method EAP_MSCHAPV2 succeeded, MSK 
established".


Let me know if you need complete logs, and thanks again for such a quick 
response.


Matt Hymowitz, CISSP
Manager
GMP Networks, LLC
520 577-3891

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
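A small defensive check, added here as an example and not part of this thread or of strongSwan's own tooling: it parses an ipsec.conf modelled on the one above, pulls the responder's certificate subject out of charon's log, and reports when a pubkey-authenticated peer's rightid is %any (or otherwise does not match that subject), as well as a missing leftsourceip=%config when the log shows N(FAIL_CP_REQ). The sample config and log lines are constructed, and the parser covers only the key=value subset of ipsec.conf used in this thread.

```python
import re

# Constructed inputs modelled on the ipsec.conf and charon log lines posted in
# this thread; they are not the poster's exact files.
SAMPLE_CONF = """# /etc/ipsec.conf - strongSwan IPsec configuration file
conn net-net
  left=10.0.0.106
  leftsourceip=%config
  leftauth=eap-mschapv2
  right=verrado.aaronline.com
  rightid=%any
  rightauth=pubkey
"""
SAMPLE_LOG = """01[IKE] received end entity cert "CN=verrado.aaronline.com"
01[IKE] authentication of 'CN=verrado.aaronline.com' with RSA signature successful
"""

def parse_ipsec_conf(text):
    """Return {(section_type, name): {key: value}}; headers start in column 0."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()            # strip comments
        if not line.strip():
            continue
        if not raw[0].isspace():                          # 'conn x', 'ca y', 'config setup'
            kind, _, name = line.partition(" ")
            current = (kind, name.strip())
            sections[current] = {}
        elif current is not None:                         # indented key=value
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def peer_identity_from_log(log_text):
    """Subject DN of the end-entity cert the responder sent in IKE_AUTH."""
    m = re.search(r'received end entity cert "([^"]+)"', log_text)
    return m.group(1) if m else None

def lint(conf_text, log_text, conn_name="net-net"):
    """Return [(setting, recommended_value, reason)] for the named conn."""
    conn = parse_ipsec_conf(conf_text).get(("conn", conn_name), {})
    findings, peer_dn = [], peer_identity_from_log(log_text)
    # rightid defaults to right (address or hostname) when it is omitted.
    effective_id = conn.get("rightid", conn.get("right"))
    if conn.get("rightauth") == "pubkey" and peer_dn and effective_id != peer_dn:
        findings.append(("rightid", peer_dn,
                         "peer authenticates as '%s' but configured identity is '%s'"
                         " (%%any accepts any cert issued by the trusted CA)"
                         % (peer_dn, effective_id)))
    # N(FAIL_CP_REQ) from the responder: it expected a CP(ADDR) request for a
    # virtual IP, which leftsourceip=%config makes the initiator send.
    if "N(FAIL_CP_REQ)" in log_text and "leftsourceip" not in conn:
        findings.append(("leftsourceip", "%config",
                         "responder rejected IKE_AUTH with N(FAIL_CP_REQ)"))
    return findings
```

Run `lint(open("/etc/ipsec.conf").read(), open(logfile).read())` against a real config and a charon log captured at the default debug level to get the recommended settings.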


_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
