Another resource for information on installing strongSwan certs on Windows,
besides https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs, is
https://github.com/gitbls/pistrong/blob/master/CertInstall.md. Although it is
presented in the context of pistrong, it explicitly details how to properly
install certs on Windows 10.

From: Karl Denninger <[email protected]>
Sent: Tuesday, November 3, 2020 9:27 AM
To: [email protected]
Subject: Re: [strongSwan] Windows 10 IKEv2 VPN Not Connecting


This works with a user certificate here -- make SURE Windows put the 
certificate in the correct store.  The StrongSwan Wiki has instructions; if it 
goes in the wrong certificate store Windows will not find it and you'll get 
exactly what you're seeing.

https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs

The other thing is that for Win10 you have to go into the NETWORK panel (NOT 
the Windows 10 network panel, the old control panel one) and drill down into 
the connection and set the default gateway on the remote network or you will 
get split routing and only the subnet that you get back from the server will go 
over the VPN.

This is the stanza that I have in my ipsec.conf for Windows clients:

conn WinUserCert
        left=%any
        leftsubnet=0.0.0.0/0      # offer the client a full tunnel (all traffic)
        leftcert=ipgw-rsa.denninger.net.crt   # server certificate from /etc/ipsec.d/certs
        leftauth=pubkey           # server authenticates with its certificate
        right=%any
        rightsourceip=192.168.2.0/24   # virtual IP pool handed to connecting clients
        rightauth=eap-tls         # client authenticates with a user certificate over EAP-TLS
        eap_identity=%identity    # skip the EAP-Identity exchange, reuse the IKEv2 identity
        auto=add                  # load the conn and wait for the client to initiate
        dpdaction=clear           # tear the SA down silently when the peer stops answering
        dpddelay=300s
        ike=aes256-sha2_256-prfsha256-modp1024   # DH group 2 is the built-in Windows client's default

This gives the client machine an address out of 192.168.2.x/24; note that 
"rightauth" has to be set to eap-tls for Windows clients.

There was a long-standing problem with IKE fragmentation in the internal 
Windows client that used to bedevil me beyond words and would often prevent 
connections from coming up at all, but it has been fixed now for about a year 
provided you have a reasonably recent Win10 version.

I put this stanza first in the configuration since EAP-TLS isn't something 
anything else that connects to my gateway (Macs, Unix machines, iOS and Android 
phones) will ask for, and this way I'm sure Windows will get it first (Windows 
is a bit.... odd.....)
On 11/3/2020 11:59, Mike Hill wrote:
Hi all,

I’m trying to get Windows 10 clients connecting to our StrongSwan server with 
machine certificates (only), but I’m hitting a roadblock with the following 
error:

“Verifying username and password...IKE failed to find valid machine 
certificate. Contact your Network Security Administrator about installing a 
valid certificate in the appropriate Certificate Store.”

Error in Windows Event Viewer is 13806, which appears to be pretty common, but 
despite looking at various sources, I cannot make it work.

We’re using a PKI-as-a-service (SecureW2) for our certs and have placed 
intermediate and root CA certs into /etc/ipsec.d/cacerts, along with StrongSwan 
server’s cert in /etc/ipsec.d/certs and its private key in 
/etc/ipsec.d/private/. Server device cert has Server and Client authentication 
set for EKU and hostname.domain.com for CN and SAN.

The Windows test device has its own cert in the machine store, along with the CA 
intermediate and root certs in the appropriate cert stores. The VPN connection is 
configured with PowerShell, with MachineCertificate set as the authentication 
method, and the VPN address is hostname.domain.com, which matches the CN on the 
StrongSwan device cert. The machine cert has hostname.domain.com for CN and SAN 
and has Client Authentication set for EKU.

Events from /var/log/syslog:


Nov  3 16:40:18 swan charon: 07[NET] received packet: from XXX.XXX.XXX.XXX[500] 
to XXX.XXX.XXX.XXX [500] (344 bytes)
Nov  3 16:40:18 swan charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No 
N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Nov  3 16:40:18 swan charon: 07[CFG] looking for an ike config for 
XXX.XXX.XXX.XXX... XXX.XXX.XXX.XXX
Nov  3 16:40:18 swan charon: 07[CFG]   candidate: %any...%any, prio 28
Nov  3 16:40:18 swan charon: 07[CFG] found matching ike config: %any...%any 
with prio 28
Nov  3 16:40:18 swan charon: 07[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Nov  3 16:40:18 swan charon: 07[IKE] received MS-Negotiation Discovery Capable 
vendor ID
Nov  3 16:40:18 swan charon: 07[IKE] received Vid-Initial-Contact vendor ID
Nov  3 16:40:18 swan charon: 07[ENC] received unknown vendor ID: 
01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Nov  3 16:40:18 swan charon: 07[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA
Nov  3 16:40:18 swan charon: 07[IKE] IKE_SA (unnamed)[7] state change: CREATED 
=> CONNECTING
Nov  3 16:40:18 swan charon: 07[CFG] selecting proposal:
Nov  3 16:40:18 swan charon: 07[CFG]   proposal matches
Nov  3 16:40:18 swan charon: 07[CFG] received proposals: 
IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
Nov  3 16:40:18 swan charon: 07[CFG] configured proposals: 
IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
Nov  3 16:40:18 swan charon: 07[CFG] selected proposal: 
IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
Nov  3 16:40:18 swan charon: 07[IKE] local host is behind NAT, sending keep 
alives
Nov  3 16:40:18 swan charon: 07[IKE] remote host is behind NAT
Nov  3 16:40:18 swan charon: 07[IKE] sending cert request for "O=Org, CN=Org 
Device Root CA"
Nov  3 16:40:18 swan charon: 07[IKE] sending cert request for "O=Org, CN=Org 
Device Intermediate CA"
Nov  3 16:40:18 swan charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE 
No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Nov  3 16:40:18 swan charon: 07[NET] sending packet: from XXX.XXX.XXX.XXX [500] 
to XXX.XXX.XXX.XXX [500] (293 bytes)
Nov  3 16:40:18 swan charon: 09[NET] received packet: from XXX.XXX.XXX.XXX 
[500] to XXX.XXX.XXX.XXX [500] (344 bytes)
Nov  3 16:40:18 swan charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No 
N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]

We have this setup working with macOS devices, so we know that the server is 
able to accept and establish connections.

Many thanks in advance,

Mike


3rd Floor, Vivo Building, 30 Stamford Street, London SE1 9LQ
P: 020 3422 0000 • M: 07763 230443
E: [email protected]
https://www.techahoy.com/

--
Karl Denninger
[email protected]<mailto:[email protected]>
The Market Ticker
[S/MIME encrypted email preferred]
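The Windows-side checks and the connection setup discussed in this thread, as an added PowerShell example that is not code from either poster: it confirms a certificate usable for IKEv2 machine-certificate authentication sits in the computer's Personal store (the "wrong store" case behind event 13806), creates the connection with MachineCertificate authentication, turns split tunneling off (the PowerShell equivalent of "Use default gateway on remote network" in the old control-panel dialog), and pins the IKE proposal. The connection name Corp-IKEv2 and the helper Test-IkeMachineCert are assumptions; hostname.domain.com is the placeholder the original post uses. Note that MachineCertificate authentication is plain IKEv2 certificate authentication, which strongSwan accepts with rightauth=pubkey; rightauth=eap-tls serves user certificates via EAP-TLS.

```powershell
# Added example, not from the thread. Assumptions: connection name 'Corp-IKEv2';
# hostname.domain.com is the placeholder server name from the original post.
$ServerAddress  = 'hostname.domain.com'
$ConnectionName = 'Corp-IKEv2'
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-IkeMachineCert {
    # Returns certificates in a store that the built-in IKEv2 client can use for
    # MachineCertificate auth: private key present, not expired, Client Authentication
    # EKU, plus whether a chain builds to a trusted root (Test-Certificate, PKI module).
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem $StorePath | ForEach-Object {
        $ekuExt = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $hasClientAuth = $false
        if ($ekuExt) {
            $hasClientAuth = ($ekuExt.EnhancedKeyUsages | ForEach-Object Value) -contains $ClientAuthOid
        }
        [pscustomobject]@{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            HasPrivateKey = $_.HasPrivateKey
            NotExpired    = $_.NotAfter -gt (Get-Date)
            ClientAuthEku = $hasClientAuth
            ChainOk       = [bool](Test-Certificate -Cert $_ -EKU $ClientAuthOid -ErrorAction SilentlyContinue)
        }
    } | Where-Object { $_.HasPrivateKey -and $_.NotExpired -and $_.ClientAuthEku }
}

$machineCerts = @(Test-IkeMachineCert)
if ($machineCerts.Count -eq 0) {
    # Event 13806 / "IKE failed to find valid machine certificate" is what you get
    # when the cert was imported into the user store instead of the computer store.
    $userCerts = @(Test-IkeMachineCert -StorePath 'Cert:\CurrentUser\My')
    Write-Warning ("No usable machine cert in Cert:\LocalMachine\My; Cert:\CurrentUser\My " +
                   "holds $($userCerts.Count) candidate(s). Re-import into the computer store.")
    return
}
$machineCerts | Format-Table Subject, Thumbprint, ChainOk -AutoSize

# Create (or recreate) the connection with machine-certificate authentication.
if (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -Force
}
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required

# Full tunnel. With split tunneling on, only the routes the server pushes go over the VPN.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $false -Force

# Pin the IKE/ESP proposal on the client. The server's ike= line must offer a matching
# proposal; for these values that is aes256-sha256-modp2048 in strongSwan syntax.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 -Force

# Dial it; rasdial prints the IKE error text if authentication fails.
rasdial $ConnectionName
```

Run it from an elevated PowerShell session: the LocalMachine store and Set-VpnConnectionIPsecConfiguration both need administrator rights. If the chain check reports ChainOk = False while the EKU and private-key checks pass, the intermediate or root CA is missing from the machine's Intermediate Certification Authorities or Trusted Root Certification Authorities store, which the Win7Certs wiki page linked above covers.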
