Hi all,

We're using Strongswan to connect to Amazon AWS. So far we've been using strongswan 4.6.2 to connect windows 7 / 8 clients using eap-mschapv2 with IkeV2 to the linux Strongswan server.
Recently we've installed a new linux Strongswan server, and we've copied the installation to the new server. Of course we've created a new server certificate for this new server. Unfortunately we're not able to connect with any windows client to the server. The security association is created, but somehow the VPN connection is not created; the windows clients (win 7 and win 8) report an 809 error. Any ideas what to do?

Log:

May 19 08:57:13 00[DMN] Starting IKE charon daemon (strongSwan 5.3.0, Linux 3.14.42-31.38.amzn1.x86_64, x86_64)
May 19 08:57:13 00[LIB] openssl FIPS mode(0) - disabled
May 19 08:57:13 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 19 08:57:13 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 19 08:57:13 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 19 08:57:13 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 19 08:57:13 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 19 08:57:13 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 19 08:57:13 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/aws_gateway.key'
May 19 08:57:13 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/aws_gateway_frankfurt.key'
May 19 08:57:13 00[CFG] loaded EAP secret for hanboo1
May 19 08:57:13 00[CFG] loaded EAP secret for marvel
May 19 08:57:13 00[CFG] loaded IKE secret for [email protected] %any
May 19 08:57:13 00[CFG] loaded IKE secret for [email protected] [email protected]
May 19 08:57:13 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2 eap-tls xauth-generic
May 19 08:57:13 00[JOB] spawning 16 worker threads
May 19 08:57:13 11[CFG] received stroke: add connection 'win7'
May 19 08:57:13 11[CFG] adding virtual IP address pool 10.100.0.0/24
May 19 08:57:13 11[CFG] loaded certificate "C=NL, ST=Utrecht, L=Amersfoort, O=Globiq BV, CN=<<full qualified host name>>" from 'aws_gateway_frankfurt.crt'
May 19 08:57:13 11[CFG] added configuration 'win7'
May 19 08:59:07 13[NET] <1> received packet: from 222.127.206.61[60052] to 10.10.0.125[500] (528 bytes)
May 19 08:59:07 13[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 19 08:59:07 13[IKE] <1> 222.127.206.61 is initiating an IKE_SA
May 19 08:59:07 13[IKE] <1> local host is behind NAT, sending keep alives
May 19 08:59:07 13[IKE] <1> remote host is behind NAT
May 19 08:59:07 13[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
May 19 08:59:07 13[NET] <1> sending packet: from 10.10.0.125[500] to 222.127.206.61[60052] (312 bytes)
May 19 08:59:07 14[NET] <1> received packet: from 222.127.206.61[39239] to 10.10.0.125[4500] (1100 bytes)
May 19 08:59:07 14[ENC] <1> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
May 19 08:59:07 14[IKE] <1> received cert request for "C=NL, ST=Utrecht, L=Amersfoort, O=Globiq BV, CN=<<full qualified host name>>"
May 19 08:59:07 14[IKE] <1> received 37 cert requests for an unknown ca
May 19 08:59:07 14[CFG] <1> looking for peer configs matching 10.10.0.125[%any]...222.127.206.61[192.168.100.199]
May 19 08:59:07 14[CFG] <win7|1> selected peer config 'win7'
May 19 08:59:07 14[IKE] <win7|1> initiating EAP_IDENTITY method (id 0x00)
May 19 08:59:07 14[IKE] <win7|1> peer supports MOBIKE
May 19 08:59:07 14[IKE] <win7|1> authentication of '<<full qualified host name>>' (myself) with RSA signature successful
May 19 08:59:07 14[IKE] <win7|1> sending end entity cert "C=NL, ST=Utrecht, L=Amersfoort, O=Globiq BV, CN=<<full qualified host name>>"
May 19 08:59:07 14[ENC] <win7|1> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
May 19 08:59:07 14[NET] <win7|1> sending packet: from 10.10.0.125[4500] to 222.127.206.61[39239] (1468 bytes)
May 19 08:59:08 15[NET] <win7|1> received packet: from 222.127.206.61[39239] to 10.10.0.125[4500] (1100 bytes)
May 19 08:59:08 15[ENC] <win7|1> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
May 19 08:59:08 15[IKE] <win7|1> received retransmit of request with ID 1, retransmitting response
May 19 08:59:08 15[NET] <win7|1> sending packet: from 10.10.0.125[4500] to 222.127.206.61[39239] (1468 bytes)
May 19 08:59:11 06[NET] <win7|1> received packet: from 222.127.206.61[39239] to 10.10.0.125[4500] (1100 bytes)
May 19 08:59:11 06[ENC] <win7|1> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
May 19 08:59:11 06[IKE] <win7|1> received retransmit of request with ID 1, retransmitting response
May 19 08:59:11 06[NET] <win7|1> sending packet: from 10.10.0.125[4500] to 222.127.206.61[39239] (1468 bytes)
May 19 08:59:27 16[IKE] <win7|1> sending keep alive to 222.127.206.61[39239]
May 19 08:59:37 05[JOB] <win7|1> deleting half open IKE_SA after timeout

Ipsec.conf:

conn win7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    # The "left" parameter is the gateway's private IP
    left=10.10.0.125
    # We are protecting the entire VPC, not just this subnet
    leftsubnet=10.10.0.0/24,10.10.10.0/24,10.10.20.0/24,10.10.30.0/24
    leftfirewall=yes
    leftauth=pubkey
    # both the dns name and the ip address are stored in the machine certificates
    # if the leftid doesn't match the dns name, windows vpn client will not
    # open the VPN tunnel
    leftcert=aws_gateway_frankfurt.crt
    leftid=@<<full qualified host name>>
    right=%any
    rightsourceip=10.100.0.0/24
    rightauth=eap-mschapv2
    # rightauth=eap-tls
    rightsendcert=never
    eap_identity=%any
    auto=add

ipsec statusall:

Status of IKE charon daemon (strongSwan 5.3.0, Linux 3.14.42-31.38.amzn1.x86_64, x86_64):
  uptime: 32 minutes, since May 19 08:57:13 2015
  malloc: sbrk 1482752, mmap 0, used 350624, free 1132128
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2 eap-tls xauth-generic
Virtual IP pools (size/online/offline):
  10.100.0.0/24: 254/0/0
Listening IP addresses:
  10.10.0.125
Connections:
        win7:  10.10.0.125...%any  IKEv2, dpddelay=300s
        win7:   local:  [<<full qualified host name>>] uses public key authentication
        win7:    cert:  "C=NL, ST=Utrecht, L=Amersfoort, O=Globiq BV, CN=<<full qualified host name>>"
        win7:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
        win7:   child:  10.10.0.0/24 10.10.10.0/24 10.10.20.0/24 10.10.30.0/24 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 1 connecting):
        win7[2]: CONNECTING, 10.10.0.125[<<full qualified host name>>]...222.127.206.61[192.168.100.90]
        win7[2]: IKEv2 SPIs: a65ea4c37c5f0fcd_i 86036036696d65c5_r*
        win7[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
        win7[2]: Tasks passive: IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE

I guess the problem has to do with the eap-mschapv2 authentication. If I change the entries in the ipsec.secrets, e.g. change my username, I would expect an error and a challenge from the server to enter my username. In fact, I checked this on our strongswan 4.6.2 server. However, the new server doesn't inform me of my incorrect logon information, therefore I think the problem has to do with authentication not working. Extended key usage for the server certificates is identical for the old and new gateway, so I'm sure the problem is not related to that.

Met vriendelijke groet,
Kind regards,

Hans Boone
Business development manager
Mob: + 31 (0) 650 62 83 23
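A small log triage helper, added here and not part of the original post or of strongSwan itself: it parses charon lines like the ones quoted above, groups them per IKE_SA and flags SAs where the IKE_AUTH response was sent but the peer only ever retransmitted request 1 until the half-open timeout, which is exactly the pattern in the posted log (the 1468-byte response goes out three times and is never answered with request 2). The sample log is a constructed abridgement of the posted one; the function and key names are my own.

```python
import re
from collections import defaultdict

# One charon line: "May 19 08:59:07 14[IKE] <win7|1> message"; the SA number follows an optional "name|".
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \d+\[\w+\] <(?:[^|>]+\|)?(\d+)> (.*)$")
SENT_RE = re.compile(r"sending packet: from \S+ to \S+ \((\d+) bytes\)")
RETRANS_RE = re.compile(r"received retransmit of request with ID \d+")

# Constructed sample, abridged from the charon log quoted in the post.
SAMPLE_LOG = """\
May 19 08:59:07 13[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 19 08:59:07 13[NET] <1> sending packet: from 10.10.0.125[500] to 222.127.206.61[60052] (312 bytes)
May 19 08:59:07 14[ENC] <1> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) SA TSi TSr ]
May 19 08:59:07 14[ENC] <win7|1> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
May 19 08:59:07 14[NET] <win7|1> sending packet: from 10.10.0.125[4500] to 222.127.206.61[39239] (1468 bytes)
May 19 08:59:08 15[IKE] <win7|1> received retransmit of request with ID 1, retransmitting response
May 19 08:59:08 15[NET] <win7|1> sending packet: from 10.10.0.125[4500] to 222.127.206.61[39239] (1468 bytes)
May 19 08:59:11 06[IKE] <win7|1> received retransmit of request with ID 1, retransmitting response
May 19 08:59:11 06[NET] <win7|1> sending packet: from 10.10.0.125[4500] to 222.127.206.61[39239] (1468 bytes)
May 19 08:59:37 05[JOB] <win7|1> deleting half open IKE_SA after timeout
"""


def analyze_charon_log(text):
    """Per IKE_SA: size of the IKE_AUTH response (first packet sent after
    'generating IKE_AUTH response'), number of peer retransmits of a request,
    and whether charon gave up on the SA as half-open."""
    sas = defaultdict(lambda: {"auth_resp_bytes": None, "retransmits": 0,
                               "half_open_timeout": False, "_awaiting": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sa, msg = sas[int(m.group(1))], m.group(2)
        if "generating IKE_AUTH response" in msg:
            sa["_awaiting"] = True
        elif sa["_awaiting"] and (sent := SENT_RE.search(msg)):
            sa["auth_resp_bytes"] = int(sent.group(1))
            sa["_awaiting"] = False
        elif RETRANS_RE.search(msg):
            sa["retransmits"] += 1
        elif "deleting half open IKE_SA after timeout" in msg:
            sa["half_open_timeout"] = True
    return dict(sas)


def stalled_ike_auth(sas):
    """SA numbers where the IKE_AUTH response went out, the peer kept resending
    request 1 (so it never processed that response) and the SA timed out half-open."""
    return sorted(n for n, s in sas.items()
                  if s["auth_resp_bytes"] and s["retransmits"] and s["half_open_timeout"])
```

Run it over the full charon log to separate SAs that stall at IKE_AUTH (a transport problem with the large response) from SAs that reach EAP and fail with an explicit authentication error, which is the distinction the post is trying to make.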
