https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
The other thing is that for Win10 you have to go into the NETWORK panel (NOT the Windows 10 network panel, the old control panel one) and drill down into the connection and set the default gateway on the remote network or you will get split routing and only the subnet that you get back from the server will go over the VPN.
This is the stanza that I have in my ipsec.conf for Windows clients: conn WinUserCert left=%any leftsubnet=0.0.0.0/0 leftcert=ipgw-rsa.denninger.net.crt leftauth=pubkey right=%any rightsourceip=192.168.2.0/24 rightauth=eap-tls eap_identity=%identity auto=add dpdaction=clear dpddelay=300s ike=aes256-sha2_256-prfsha256-modp1024This gives the client machine an address out of 192.168.2.x/24; note that "rightauth" has to be set to eap-tls for Windows clients.
There was a long-standing problem with IKE fragmentation in the internal Windows client that used to be bedevil me beyond words that would often prevent connections from coming up at all but it has been fixed now for about a year provided you have a reasonably-recent Win10 version.
I put this stanza first in the configuration since EAP-TLS isn't something anything else that connects to my gateway (Macs, Unix Machines, IOS and Android phones) will ask for and this way I'm sure Windows will get it first (Windows is a bit.... odd.....)
On 11/3/2020 11:59, Mike Hill wrote:
Hi all,I’m trying to get Windows 10 clients connecting to our StrongSwan server with machine certificates (only), but I’m hitting a roadblock with the following error:“Verifying username and password...IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store.”Error in Windows Event Viewer is 13806, which appears to be pretty common, but despite looking at various sources, I cannot make it work.We’re using a PKI-as-a-service (SecureW2) for our certs and have placed intermediate and root CA certs into /etc/ipsec.d/cacerts, along with StrongSwan server’s cert in /etc/ipsec.d/certs and its private key in /etc/ipsec.d/private/. Server device cert has Server and Client authentication set for EKU and hostname.domain.com for CN and SAN.The Windows test device has its own cert in the machine store, along with CA intermediate and root certs in the appropriate cert stores. VPN connection is configured with PowerShell, and MachineCertificate set as authentication method and VPN address is hostname.domain.com which matches CN on StrongSwan device cert. Machine cert is hostname.domain.com for CN and SAN and has Client Authentication set for EKU.Events from /var/log/syslog:Nov 3 16:40:18 swan charon: 07[NET] received packet: from XXX.XXX.XXX.XXX[500] to XXX.XXX.XXX.XXX [500] (344 bytes)Nov 3 16:40:18 swan charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]Nov 3 16:40:18 swan charon: 07[CFG] looking for an ike config for XXX.XXX.XXX.XXX... XXX.XXX.XXX.XXXNov 3 16:40:18 swan charon: 07[CFG] candidate: %any...%any, prio 28Nov 3 16:40:18 swan charon: 07[CFG] found matching ike config: %any...%any with prio 28Nov 3 16:40:18 swan charon: 07[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor IDNov 3 16:40:18 swan charon: 07[IKE] received MS-Negotiation Discovery Capable vendor IDNov 3 16:40:18 swan charon: 07[IKE] received Vid-Initial-Contact vendor IDNov 3 16:40:18 swan charon: 07[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02Nov 3 16:40:18 swan charon: 07[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SANov 3 16:40:18 swan charon: 07[IKE] IKE_SA (unnamed)[7] state change: CREATED => CONNECTINGNov 3 16:40:18 swan charon: 07[CFG] selecting proposal: Nov 3 16:40:18 swan charon: 07[CFG] proposal matchesNov 3 16:40:18 swan charon: 07[CFG] received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256Nov 3 16:40:18 swan charon: 07[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256Nov 3 16:40:18 swan charon: 07[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256Nov 3 16:40:18 swan charon: 07[IKE] local host is behind NAT, sending keep alivesNov 3 16:40:18 swan charon: 07[IKE] remote host is behind NATNov 3 16:40:18 swan charon: 07[IKE] sending cert request for "O=Org, CN=Org Device Root CA"Nov 3 16:40:18 swan charon: 07[IKE] sending cert request for "O=Org, CN=Org Device Intermediate CA"Nov 3 16:40:18 swan charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]Nov 3 16:40:18 swan charon: 07[NET] sending packet: from XXX.XXX.XXX.XXX [500] to XXX.XXX.XXX.XXX [500] (293 bytes)Nov 3 16:40:18 swan charon: 09[NET] received packet: from XXX.XXX.XXX.XXX [500] to XXX.XXX.XXX.XXX [500] (344 bytes)Nov 3 16:40:18 swan charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]We have this setup working with macOS devices, so we know that the server is able to accept and establish connections.Many thanks in advance, Mike 3rd Floor, Vivo Building, 30 Stamford Street, London SE1 9LQ P: 020 3422 0000 • M: *07763 230443 * <tel:07763%20230443> • E: *mike.h...@techahoy.com* <mailto:mike.h...@techahoy.com> *www.techahoy.co* <https://www.techahoy.com/>m
-- Karl Denninger k...@denninger.net <mailto:k...@denninger.net> /The Market Ticker/ /[S/MIME encrypted email preferred]/
smime.p7s
Description: S/MIME Cryptographic Signature