Hello,

the Windows Server 2008 R2 client seems to send a malformed IKE header.
In order to debug the situation could you increase the debug level by
defining

  charondebug="net 3, enc 3"

in the config setup section of ipsec.conf.

Regards

Andreas

On 07/02/2012 05:01 PM, Boleslav Sykora wrote:
> Hello,
>
> I am trying to run strongSwan on a Ubuntu 12.04 instance in Amazon VPC,
> using a compiled version of strongswan-5.0.0.tar.gz, and connect from a
> Windows Server 2008 R2 client. I am using certificates for both sides.
> The 206.248.156.92 is my WS 2008 client's What's My IP. The vpngw has two
> interfaces, one 10.20.1.232 which is NATed to an Elastic IP and a
> private interface 10.20.2.117 on the subnet where I want the tunnel to
> have access. I implemented your VPC suggestions. I have been fighting
> with this for over a week, and previously with an older strongSwan
> version. Please help.
>
> Here is my /usr/local/etc/ipsec.conf config:
>
> config setup
>
> ca cloudCA
>     cacert=caCert.pem
>     auto=add
>
> conn %default
>     # keyexchange=ikev2
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>
> conn nat-cert
>     left=10.20.1.232
>     leftsubnet=10.20.2.0/24
>     leftcert=vpngwCert.pem
>     leftfirewall=yes
>     right=%any
>     rightsubnet=10.1.20.0/24
>     rightsourceip=10.20.2.192/26
>     rightid="C=US, O=Cloud1215 CN=student.lt1215.com"
>     auto=add
>
> The /var/log/syslog file:
>
> Jul 2 14:51:13 vpngw charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 3.2.0-26-virtual, x86_64)
> Jul 2 14:51:13 vpngw charon: 00[KNL] listening on interfaces:
> Jul 2 14:51:13 vpngw charon: 00[KNL] eth0
> Jul 2 14:51:13 vpngw charon: 00[KNL] 10.20.1.232
> Jul 2 14:51:13 vpngw charon: 00[KNL] fe80::81f:b5ff:fe7e:9f68
> Jul 2 14:51:13 vpngw charon: 00[KNL] eth1
> Jul 2 14:51:13 vpngw charon: 00[KNL] 10.20.2.117
> Jul 2 14:51:13 vpngw charon: 00[KNL] fe80::81f:b5ff:fe49:c917
> Jul 2 14:51:13 vpngw charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> Jul 2 14:51:13 vpngw charon: 00[CFG] loaded ca certificate "C=US, O=Cloud1215, CN=cloudCA" from '/usr/local/etc/ipsec.d/cacerts/caCert.pem'
> Jul 2 14:51:13 vpngw charon: 00[CFG] loaded ca certificate "C=US, O=Cloud1215, CN=cloudCA" from '/usr/local/etc/ipsec.d/cacerts/caCert.der'
> Jul 2 14:51:13 vpngw charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> Jul 2 14:51:13 vpngw charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> Jul 2 14:51:13 vpngw charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> Jul 2 14:51:13 vpngw charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> Jul 2 14:51:13 vpngw charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> Jul 2 14:51:13 vpngw charon: 00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/vpngwKey.pem'
> Jul 2 14:51:13 vpngw charon: 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
> Jul 2 14:51:13 vpngw charon: 00[JOB] spawning 16 worker threads
> Jul 2 14:51:13 vpngw charon: 12[CFG] received stroke: add ca 'cloudCA'
> Jul 2 14:51:13 vpngw charon: 12[CFG] added ca 'cloudCA'
> Jul 2 14:51:13 vpngw charon: 14[CFG] received stroke: add connection 'nat-cert'
> Jul 2 14:51:13 vpngw charon: 14[CFG] loaded certificate "C=US, O=Cloud1215, CN=vpngw.lt1215.com" from 'vpngwCert.pem'
> Jul 2 14:51:13 vpngw charon: 14[CFG] id '10.20.1.232' not confirmed by certificate, defaulting to 'C=US, O=Cloud1215, CN=vpngw.lt1215.com'
> Jul 2 14:51:13 vpngw charon: 14[CFG] added configuration 'nat-cert'
> Jul 2 14:51:13 vpngw charon: 14[CFG] adding virtual IP address pool 'nat-cert': 10.20.2.192/26
> Jul 2 14:51:23 vpngw charon: 05[ENC] header verification failed
> Jul 2 14:51:23 vpngw charon: 05[NET] received invalid IKE header from 206.248.156.92 - ignored
> Jul 2 14:51:24 vpngw charon: 05[ENC] header verification failed
> Jul 2 14:51:24 vpngw charon: 05[NET] received invalid IKE header from 206.248.156.92 - ignored

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
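Added debugging aid, not part of the thread above and not strongSwan's own code: a small Python parser that applies the generic ISAKMP/IKE header checks from RFC 2408 and RFC 7296 (plus the RFC 3948 non-ESP marker rule for UDP 4500) to one captured UDP payload, so that the field the Windows client gets wrong can be read off a tcpdump capture alongside the raised charondebug level. The exchange-type codes and flag bits are the RFC values; the checks are my reading of the header format, not a reproduction of what charon's "header verification failed" actually tests; the sample datagrams are constructed here and are not the thread's traffic.

```python
import struct

IKE_HEADER_LEN = 28                   # fixed ISAKMP/IKE header size (RFC 2408 / RFC 7296)
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix on IKE sent to UDP 4500 (RFC 3948)
HEADER_FMT = "!8s8sBBBBII"            # SPIi, SPIr, next payload, version, exchange, flags, msg id, length

# Exchange-type codes from RFC 2408 (IKEv1) and RFC 7296 (IKEv2).
IKEV1_EXCHANGES = {2: "Identity Protection", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

# IKEv2 flag bits (RFC 7296 section 3.1); every other bit is reserved and must be zero.
FLAG_INITIATOR, FLAG_VERSION, FLAG_RESPONSE = 0x08, 0x10, 0x20
IKEV2_RESERVED_FLAGS = 0xFF & ~(FLAG_INITIATOR | FLAG_VERSION | FLAG_RESPONSE)


def build_ike_header(spi_i, spi_r, next_payload, major, minor, exch, flags, msg_id, length):
    """Pack a raw 28-byte IKE header; used here only to construct sample datagrams."""
    return struct.pack(HEADER_FMT, spi_i, spi_r, next_payload,
                       (major << 4) | minor, exch, flags, msg_id, length)


def parse_ike_header(datagram, port=500):
    """Check the IKE header of one UDP payload received on the given port.

    Returns (fields, problems): fields is a dict of decoded header values (None when
    the datagram is too short to hold a header); problems lists every failed check.
    """
    problems = []
    data = datagram
    if port == 4500:
        # On 4500 IKE shares the port with UDP-encapsulated ESP, so four zero bytes
        # precede the header; a peer that omits them produces an "invalid header".
        if data[:4] == NON_ESP_MARKER:
            data = data[4:]
        else:
            problems.append("port 4500 datagram does not start with the non-ESP marker")
    if len(data) < IKE_HEADER_LEN:
        problems.append("datagram has %d bytes, shorter than the %d-byte IKE header"
                        % (len(data), IKE_HEADER_LEN))
        return None, problems

    spi_i, spi_r, next_payload, version, exch, flags, msg_id, length = \
        struct.unpack(HEADER_FMT, data[:IKE_HEADER_LEN])
    major, minor = version >> 4, version & 0x0F
    fields = {"spi_i": spi_i.hex(), "spi_r": spi_r.hex(), "next_payload": next_payload,
              "version": "%d.%d" % (major, minor), "exchange_type": exch, "exchange": None,
              "flags": flags, "message_id": msg_id, "length": length}

    if spi_i == bytes(8):
        problems.append("initiator SPI is zero")
    if major == 1:
        fields["exchange"] = IKEV1_EXCHANGES.get(exch)
        if fields["exchange"] is None:
            problems.append("unknown IKEv1 exchange type %d" % exch)
    elif major == 2:
        fields["exchange"] = IKEV2_EXCHANGES.get(exch)
        if minor != 0:
            problems.append("IKEv2 minor version %d, expected 0" % minor)
        if fields["exchange"] is None:
            problems.append("unknown IKEv2 exchange type %d" % exch)
        if flags & IKEV2_RESERVED_FLAGS:
            problems.append("reserved IKEv2 flag bits set: 0x%02x" % (flags & IKEV2_RESERVED_FLAGS))
        is_request = bool(flags & FLAG_INITIATOR) and not (flags & FLAG_RESPONSE)
        if exch == 34 and is_request and spi_r != bytes(8):
            problems.append("IKE_SA_INIT request carries a non-zero responder SPI")
        if exch == 34 and msg_id != 0:
            problems.append("IKE_SA_INIT with message ID %d, expected 0" % msg_id)
    else:
        problems.append("unsupported IKE major version %d" % major)
    if length < IKE_HEADER_LEN:
        problems.append("length field %d is smaller than the header itself" % length)
    elif length != len(data):
        problems.append("length field %d does not match datagram size %d" % (length, len(data)))
    return fields, problems


# Constructed sample datagrams (not traffic from the thread): a well-formed IKEv2
# IKE_SA_INIT request (next payload 33 = SA) with a 100-byte opaque body, and the
# same header with an impossible major version 3.
_SPI_I = bytes.fromhex("0123456789abcdef")
_BODY = b"\x00" * 100
SAMPLE_IKE_SA_INIT = build_ike_header(_SPI_I, bytes(8), 33, 2, 0, 34, FLAG_INITIATOR, 0,
                                      IKE_HEADER_LEN + len(_BODY)) + _BODY
SAMPLE_BAD_VERSION = build_ike_header(_SPI_I, bytes(8), 33, 3, 0, 34, FLAG_INITIATOR, 0,
                                      IKE_HEADER_LEN + len(_BODY)) + _BODY

if __name__ == "__main__":
    cases = [("good on 500", SAMPLE_IKE_SA_INIT, 500),
             ("bad version on 500", SAMPLE_BAD_VERSION, 500),
             ("good on 4500 with marker", NON_ESP_MARKER + SAMPLE_IKE_SA_INIT, 4500),
             ("good on 4500 without marker", SAMPLE_IKE_SA_INIT, 4500),
             ("truncated", b"\x00" * 10, 500)]
    for name, dgram, port in cases:
        fields, problems = parse_ike_header(dgram, port)
        print("%-28s %s" % (name, "OK" if not problems else "; ".join(problems)))
```

To feed it real packets, capture both IKE ports on the gateway (`tcpdump -ni eth0 -s 0 -w ike.pcap udp port 500 or udp port 4500`) and hand each UDP payload to parse_ike_header with the destination port it arrived on; the port argument matters because the same bytes are valid on 500 and invalid on 4500 without the marker, and a peer behind NAT is expected to move to 4500.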
