Houman,
The Windows client proposals do not match your configured proposals.
Your Windows client expects DH group 15 (MODP2048), whereas you have:
aes256-3des-sha1-modp1024
change that to:
aes256-3des-sha1-modp2048
I'd also add sha256 at least before sha1 (deemed insecure). If you still
have other clients expecting modp1024, make it:
aes256-3des-sha256-sha1-modp2048-modp1024
That should get you covered.
Regards,
Jafar
On 5/7/2018 8:17 AM, Houman wrote:
Hello,
Until a week ago, a user with Windows 10 had no issue connecting to the
StrongSwan server. But now, out of the blue, he can't connect to the
StrongSwan server anymore.
The log on the server is:
May 7 12:31:06 vpn-p1 charon: 08[IKE] received proposals inacceptable
May 7 12:31:06 vpn-p1 charon: 08[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
May 7 12:31:06 vpn-p1 charon: 08[NET] sending packet: from xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
May 7 12:32:09 vpn-p1 systemd[1]: Started Session 35 of user root.
May 7 12:46:21 vpn-p1 systemd[1]: Starting Cleanup of Temporary Directories...
May 7 12:46:21 vpn-p1 systemd-tmpfiles[7016]: [/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log", ignoring.
May 7 12:46:21 vpn-p1 systemd[1]: Started Cleanup of Temporary Directories.
May 7 13:00:13 vpn-p1 systemd[1]: Starting Certbot...
May 7 13:00:13 vpn-p1 systemd[1]: Started Certbot.
May 7 13:08:20 vpn-p1 systemd[1]: Started Session 36 of user root.
May 7 13:11:27 vpn-p1 charon: 12[NET] received packet: from 91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
May 7 13:11:27 vpn-p1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May 7 13:11:27 vpn-p1 charon: 12[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
May 7 13:11:27 vpn-p1 charon: 12[IKE] received MS-Negotiation Discovery Capable vendor ID
May 7 13:11:27 vpn-p1 charon: 12[IKE] received Vid-Initial-Contact vendor ID
May 7 13:11:27 vpn-p1 charon: 12[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May 7 13:11:27 vpn-p1 charon: 12[IKE] 91.98.xxx.xxx is initiating an IKE_SA
May 7 13:11:27 vpn-p1 charon: 12[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
May 7 13:11:27 vpn-p1 charon: 12[CFG] configured proposals: IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 7 13:11:27 vpn-p1 charon: 12[IKE] remote host is behind NAT
May 7 13:11:27 vpn-p1 charon: 12[IKE] received proposals inacceptable
May 7 13:11:27 vpn-p1 charon: 12[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
May 7 13:11:27 vpn-p1 charon: 12[NET] sending packet: from xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
May 7 13:11:28 vpn-p1 charon: 16[NET] received packet: from 91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
May 7 13:11:28 vpn-p1 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May 7 13:11:28 vpn-p1 charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
May 7 13:11:28 vpn-p1 charon: 16[IKE] received MS-Negotiation Discovery Capable vendor ID
May 7 13:11:28 vpn-p1 charon: 16[IKE] received Vid-Initial-Contact vendor ID
May 7 13:11:28 vpn-p1 charon: 16[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May 7 13:11:28 vpn-p1 charon: 16[IKE] 91.98.xxx.xxx is initiating an IKE_SA
May 7 13:11:28 vpn-p1 charon: 16[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
May 7 13:11:28 vpn-p1 charon: 16[CFG] configured proposals: IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 7 13:11:28 vpn-p1 charon: 16[IKE] remote host is behind NAT
May 7 13:11:28 vpn-p1 charon: 16[IKE] received proposals inacceptable
May 7 13:11:28 vpn-p1 charon: 16[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
May 7 13:11:28 vpn-p1 charon: 16[NET] sending packet: from xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
The Server's ipsec.conf is:
config setup
    strictcrlpolicy=yes
    uniqueids=never

conn roadwarrior
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!
    esp=aes256gcm16-sha256,aes256-3des-sha256-sha1!
    dpdaction=clear
    dpddelay=180s
    rekey=no
    left=%any
    leftid=@${VPNHOST}
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    eap_identity=%any
    rightdns=208.67.222.222,208.67.220.220
    rightsourceip=${VPNIPPOOL}
    rightsendcert=never
Have the supported ike/esp proposals somehow been changed after a recent
Windows 10 update?
I have made these changes on Windows 10, after googling for a solution:
- The firewall on Windows 10 is currently disabled.
- I have set NegotiateDH2048_AES256 = 1 in Regedit
- AssumeUDPEncapsulationContextOnSendRule = 2 in Regedit
I can't think of anything else I could do on the Windows 10 client.
According to my notes, these are the proposed protocols for Windows 10:
# these ike and esp settings are tested on Mac 10.12, iOS 10 and Windows 10
# iOS/Mac with appropriate configuration profiles use AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_521
# Windows 10 uses AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
Is there a website that translates
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384 into the right
naming for ipsec.conf, so that I can enter them under ike and esp
respectively? I can't quite make out whether I have these settings there or
not.
If you have any other advice, please help me.
Many Thanks,
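The mismatch pointed out in the reply, and the "translation" question above, worked through as an added example (not from the thread and not strongSwan's own code): a small Python checker that maps ipsec.conf ike= keywords to the names charon writes in its log and then replays proposal selection against the offer the Windows client logged. The keyword table covers only the keywords on this page, and the matching rule is a simplification of charon's real selection (same transform types on both sides, at least one common algorithm per type), both assumed here.

```python
# ipsec.conf keyword -> (transform type, charon log name); constructed for this page's keywords.
KEYWORDS = {
    "aes256": [("ENCR", "AES_CBC_256")], "aes256gcm16": [("ENCR", "AES_GCM_16_256")],
    "3des": [("ENCR", "3DES_CBC")], "modp1024": [("DH", "MODP_1024")],
    "modp2048": [("DH", "MODP_2048")], "ecp384": [("DH", "ECP_384")], "ecp521": [("DH", "ECP_521")],
    "sha1": [("INTEG", "HMAC_SHA1_96"), ("PRF", "PRF_HMAC_SHA1")],
    "sha256": [("INTEG", "HMAC_SHA2_256_128"), ("PRF", "PRF_HMAC_SHA2_256")],
    "sha384": [("INTEG", "HMAC_SHA2_384_192"), ("PRF", "PRF_HMAC_SHA2_384")],
}
PREFIXES = (("PRF_", "PRF"), ("HMAC_", "INTEG"), ("MODP_", "DH"), ("ECP_", "DH"))
# Sample input copied from this thread: the Windows client's offer (from the charon log),
# the ike= line of the posted ipsec.conf, and the replacement suggested in the reply.
WINDOWS_RECEIVED = ("IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
                    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
                    "IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048")
ORIGINAL_IKE = "aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!"
PROPOSED_IKE = "aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha256-sha1-modp2048-modp1024!"

def transform_type(name):
    """Classify a charon algorithm name by its prefix; anything else is a cipher."""
    return next((t for prefix, t in PREFIXES if name.startswith(prefix)), "ENCR")

def group(pairs):
    """[(type, name), ...] -> {type: [names]}, keeping the order given."""
    prop = {}
    for ttype, name in pairs:
        prop.setdefault(ttype, []).append(name)
    return prop

def parse_log_proposals(text):
    """'IKE:A/B/C, IKE:D/E' as charon logs it -> list of {type: [names]}."""
    return [group((transform_type(n), n) for n in item.strip().split(":", 1)[-1].split("/"))
            for item in text.split(",")]

def parse_ike_setting(value):
    """ipsec.conf ike= value -> the same structure; a trailing '!' only means strict."""
    return [group(pair for kw in item.split("-") for pair in KEYWORDS[kw])
            for item in value.strip().rstrip("!").split(",")]

def to_log_name(prop):
    """Render a proposal in charon's order (ENCR/INTEG/PRF/DH), as the log prints it."""
    return "/".join("/".join(prop[t]) for t in ("ENCR", "INTEG", "PRF", "DH") if t in prop)

def select(configured, received):
    """First configured proposal matching a received one on every type, else None ('inacceptable')."""
    for conf in configured:
        for recv in received:
            common = {t: [n for n in conf[t] if n in recv.get(t, [])] for t in conf}
            if set(conf) == set(recv) and all(common.values()):
                return to_log_name(common)
    return None
```

Translating ORIGINAL_IKE reproduces the three "configured proposals" lines in the log above, and select() returns None for it against WINDOWS_RECEIVED, while PROPOSED_IKE yields a match on MODP_2048.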