Issue #2652
tunnel establishment failed in windows 10
Description
I am using IKEv2 RSA authentication between swanctl 5.3.5 and Windows 10, without EAP or EAP-TLS, and the certificates I am using are machine certificates. I followed the certificates guidance for the Windows setup. Still I am getting "IKE authentication credentials are unacceptable". At the swanctl side we are establishing the tunnel, but at the client (Windows) side it is failing to authenticate.
swanctl.conf file:

connections {
    home {
        local_addrs = 63.63.63.63
        remote_addrs = 172.23.103.117
        pools = rw_pool
        local {
            auth = pubkey
            certs = secgw_windows_CERT.pem
            #id = "C=XXX, ST=XXX, O=XXX, OU=XXX, CN=server.mycompany.local"
            id = server.mycompany.local
        }
        remote {
            auth = pubkey
            id = %any
        }
        children {
            home {
                local_ts = 21.21.21.0/24
                start_action = none
                rekey_bytes = 0
            }
        }
        version = 2
    }
}
pools {
    rw_pool {
        addrs = 10.0.0.0/23
    }
}
caCert.pem file:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17476514221699313568 (0xf2890d1710732fa0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=XXX, ST=XXX, L=XXX, O=XXX, OU=XXX, CN=ROOTCA
        Validity
            Not Before: Apr 29 10:57:01 2018 GMT
            Not After : Apr 26 10:57:01 2028 GMT
        Subject: C=XXX, ST=XXX, L=BG, O=XXX, OU=XXX, CN=ROOTCA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:dc:fc:13:4d:aa:a0:85:dc:10:0e:04:7f:8a:79:
                    cc:07:16:67:b3:82:d8:88:43:d5:00:ae:c0:3f:33:
                    ca:d0:0e:80:35:1c:cc:56:88:58:a5:b2:74:3c:eb:
                    94:c0:76:06:9d:2e:08:84:79:bd:8c:92:0e:d9:79:
                    fb:88:2e:2c:34:3e:98:63:05:68:d4:86:b2:92:3a:
                    e6:8d:8b:24:01:10:d5:a7:5e:97:91:fd:71:f5:11:
                    26:5b:68:ab:4e:31:11:73:fc:a8:75:22:e3:90:84:
                    91:68:43:e7:2f:e1:03:d9:06:37:36:84:66:4b:3e:
                    b7:55:3c:02:2c:c8:00:e2:0b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                30:F6:B3:47:80:A2:CB:A4:2C:39:32:CD:DA:1B:4B:24:7E:37:4A:AD
            X509v3 Authority Key Identifier:
                keyid:30:F6:B3:47:80:A2:CB:A4:2C:39:32:CD:DA:1B:4B:24:7E:37:4A:AD
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         6a:70:c6:38:cb:b2:47:18:1c:56:0d:01:d4:a1:07:55:c7:c9:
         f4:f2:c5:2c:f7:b9:95:6b:ae:1e:48:5b:2a:9b:0c:de:01:30:
         f9:d5:bd:79:4e:70:0d:b1:48:22:d3:7e:d6:3b:88:93:8a:33:
         18:e0:13:a2:62:09:70:cf:0b:73:4a:02:9e:45:2e:0d:48:55:
         71:01:57:f8:e3:8e:6b:be:76:ee:a4:e7:14:e6:87:6d:13:be:
         81:b3:6c:b2:0a:3c:00:37:c0:91:f0:b2:e2:de:0f:ed:f6:52:
         74:24:4a:a3:1d:3f:68:e8:e4:76:b0:99:a1:f2:b2:44:f3:dd:
         19:60
-----BEGIN CERTIFICATE-----
MIICgjCCAeugAwIBAgIJAPKJDRcQcy+gMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
BAYTAklOMQswCQYDVQQIDAJLVDELMAkGA1UEBwwCQkcxDjAMBgNVBAoMBUFMVEVO
MRAwDgYDVQQLDAdDQUxTT0ZUMQ8wDQYDVQQDDAZST09UQ0EwHhcNMTgwNDI5MTA1
NzAxWhcNMjgwNDI2MTA1NzAxWjBaMQswCQYDVQQGEwJJTjELMAkGA1UECAwCS1Qx
CzAJBgNVBAcMAkJHMQ4wDAYDVQQKDAVBTFRFTjEQMA4GA1UECwwHQ0FMU09GVDEP
MA0GA1UEAwwGUk9PVENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDc/BNN
qqCF3BAOBH+KecwHFmezgtiIQ9UArsA/M8rQDoA1HMxWiFilsnQ865TAdgadLgiE
eb2Mkg7ZefuILiw0PphjBWjUhrKSOuaNiyQBENWnXpeR/XH1ESZbaKtOMRFz/Kh1
IuOQhJFoQ+cv4QPZBjc2hGZLPrdVPAIsyADiCwIDAQABo1AwTjAdBgNVHQ4EFgQU
MPazR4Ciy6QsOTLN2htLJH43Sq0wHwYDVR0jBBgwFoAUMPazR4Ciy6QsOTLN2htL
JH43Sq0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQBqcMY4y7JHGBxW
DQHUoQdVx8n08sUs97mVa64eSFsqmwzeATD51b15TnANsUgi037WO4iTijMY4BOi
YglwzwtzSgKeRS4NSFVxAVf4445rvnbupOcU5odtE76Bs2yyCjwAN8CR8LLi3g/t
9lJ0JEqjHT9o6OR2sJmh8rJE890ZYA==
-----END CERTIFICATE-----
server certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13398 (0x3456)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=XXX, ST=XXX, L=XXX, O=XXX, OU=XXX, CN=ROOTCA
        Validity
            Not Before: Apr 29 11:01:33 2018 GMT
            Not After : Apr 29 11:01:33 2019 GMT
        Subject: C=XXX, ST=XXX, O=XXX, OU=XXX, CN=server.mycompany.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:da:fe:27:4e:b4:69:a8:67:27:9b:28:79:58:b1:
                    6d:7a:c4:71:2c:4e:1e:e5:44:27:85:66:4b:40:03:
                    c7:ef:a3:c9:c8:58:47:6d:43:75:bb:11:18:6f:75:
                    6e:84:9d:00:76:b9:e3:22:66:8b:9a:6b:f4:be:7c:
                    30:0b:77:12:ac:b5:fd:a3:3a:30:1f:64:d0:04:db:
                    4f:f1:78:ca:45:1f:90:3c:af:b9:2b:3c:21:0c:14:
                    27:e4:49:1b:70:1b:b0:00:27:5e:41:12:1a:fd:a8:
                    53:78:81:8c:71:f3:b9:e6:df:e1:4d:02:21:aa:36:
                    b1:82:03:3e:5f:5c:38:28:05
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                03:8F:A4:D7:4D:B5:1A:F0:FD:5E:3D:33:A4:32:CF:06:1A:95:8C:92
            X509v3 Authority Key Identifier:
                keyid:30:F6:B3:47:80:A2:CB:A4:2C:39:32:CD:DA:1B:4B:24:7E:37:4A:AD
            X509v3 Subject Alternative Name:
                DNS:server.mycompany.local
            X509v3 Extended Key Usage:
                1.3.6.1.5.5.8.2.2, TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
         11:d9:0f:60:ee:e9:50:f7:d5:f1:d0:af:40:80:67:10:ca:f5:
         9e:3b:99:8e:f7:e6:95:32:1c:f9:6b:14:62:5e:27:5b:33:21:
         34:45:14:95:6e:41:4d:5c:4b:fe:96:dc:1e:ea:40:fe:cc:dc:
         0f:69:32:6a:af:0a:c9:e9:db:6a:5e:bf:6a:20:cf:7f:e0:be:
         03:64:93:00:06:73:47:ca:5b:41:3b:34:94:b7:06:2f:8a:d5:
         ae:f5:d1:a2:50:39:42:e1:75:56:ab:90:7d:cb:3a:00:e4:28:
         a4:31:f8:61:c5:a2:9a:1a:b0:4c:d7:9c:db:6c:b1:71:fe:fb:
         4e:da
-----BEGIN CERTIFICATE-----
MIIC7TCCAlagAwIBAgICNFYwDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCSU4x
CzAJBgNVBAgMAktUMQswCQYDVQQHDAJCRzEOMAwGA1UECgwFQUxURU4xEDAOBgNV
BAsMB0NBTFNPRlQxDzANBgNVBAMMBlJPT1RDQTAeFw0xODA0MjkxMTAxMzNaFw0x
OTA0MjkxMTAxMzNaMF0xCzAJBgNVBAYTAklOMQswCQYDVQQIDAJLVDEOMAwGA1UE
CgwFQUxURU4xEDAOBgNVBAsMB0NBTFNPRlQxHzAdBgNVBAMMFnNlcnZlci5teWNv
bXBhbnkubG9jYWwwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANr+J060aahn
J5soeVixbXrEcSxOHuVEJ4VmS0ADx++jychYR21DdbsRGG91boSdAHa54yJmi5pr
9L58MAt3Eqy1/aM6MB9k0ATbT/F4ykUfkDyvuSs8IQwUJ+RJG3AbsAAnXkESGv2o
U3iBjHHzuebf4U0CIao2sYIDPl9cOCgFAgMBAAGjgb4wgbswCQYDVR0TBAIwADAs
BglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYD
VR0OBBYEFAOPpNdNtRrw/V49M6QyzwYalYySMB8GA1UdIwQYMBaAFDD2s0eAosuk
LDkyzdobSyR+N0qtMCEGA1UdEQQaMBiCFnNlcnZlci5teWNvbXBhbnkubG9jYWww
HQYDVR0lBBYwFAYIKwYBBQUIAgIGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4GB
ABHZD2Du6VD31fHQr0CAZxDK9Z47mY735pUyHPlrFGJeJ1szITRFFJVuQU1cS/6W
3B7qQP7M3A9pMmqvCsnp22pev2ogz3/gvgNkkwAGc0fKW0E7NJS3Bi+K1a710aJQ
OULhdVarkH3LOgDkKKQx+GHFopoasEzXnNtssXH++07a
-----END CERTIFICATE-----
client certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13399 (0x3457)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=XXX, ST=XXX, L=BG, O=XXX, OU=XXX, CN=ROOTCA
        Validity
            Not Before: Apr 29 11:05:00 2018 GMT
            Not After : Apr 29 11:05:00 2019 GMT
        Subject: C=XXX, ST=XXX, O=XXX, OU=XXX, CN=win7.mycompany.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:ba:eb:c2:69:03:12:1b:94:e5:9a:2d:67:ca:41:
                    bb:de:d4:e0:e2:bb:b2:b6:55:1c:4e:b6:e2:f7:cb:
                    a9:cd:91:49:52:c5:5a:66:59:12:cb:fa:2a:4e:a3:
                    44:52:8b:32:55:a1:51:34:70:59:22:62:e9:fc:1c:
                    fd:e6:79:fa:81:3e:67:70:e6:6d:7b:54:58:8f:d1:
                    f1:71:a5:09:17:a4:4d:e9:41:00:51:23:3a:db:98:
                    b5:03:71:17:6a:fd:e6:02:70:ba:36:01:68:f7:85:
                    bb:59:82:d8:77:31:54:12:7a:90:2c:18:17:14:8f:
                    96:b3:fc:1c:48:00:51:bd:73
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                90:75:BA:0B:8E:F5:16:69:7F:B1:CA:BB:B7:6A:65:00:DC:B1:32:C1
            X509v3 Authority Key Identifier:
                keyid:30:F6:B3:47:80:A2:CB:A4:2C:39:32:CD:DA:1B:4B:24:7E:37:4A:AD
            X509v3 Subject Alternative Name:
                DNS:win7.mycompany.local
            X509v3 Extended Key Usage:
                1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
         aa:ff:14:4b:da:21:0f:49:da:b6:37:57:cc:9d:81:73:10:0a:
         fb:e3:6c:ee:9e:44:df:0b:54:52:99:58:ea:b1:83:d8:09:df:
         13:52:ac:d1:04:e1:c9:ac:2f:29:15:bb:0e:3c:33:e3:75:a7:
         11:3f:a2:2b:32:26:33:8e:aa:5d:27:f7:2c:8f:2f:e7:3c:a4:
         9d:74:cd:88:9c:2b:3e:7e:35:af:6c:57:af:b9:76:10:e6:ec:
         a4:64:d2:9b:c5:fe:3b:0b:be:d6:43:76:26:ba:32:05:2f:8c:
         6f:10:54:f0:7e:cb:d1:f4:a9:28:93:18:e4:4d:27:ef:ae:e7:
         d5:fa
-----BEGIN CERTIFICATE-----
MIIC8zCCAlygAwIBAgICNFcwDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCSU4x
CzAJBgNVBAgMAktUMQswCQYDVQQHDAJCRzEOMAwGA1UECgwFQUxURU4xEDAOBgNV
BAsMB0NBTFNPRlQxDzANBgNVBAMMBlJPT1RDQTAeFw0xODA0MjkxMTA1MDBaFw0x
OTA0MjkxMTA1MDBaMFsxCzAJBgNVBAYTAklOMQswCQYDVQQIDAJLVDEOMAwGA1UE
CgwFQUxURU4xEDAOBgNVBAsMB0NBTFNPRlQxHTAbBgNVBAMMFHdpbjcubXljb21w
YW55LmxvY2FsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC668JpAxIblOWa
LWfKQbve1ODiu7K2VRxOtuL3y6nNkUlSxVpmWRLL+ipOo0RSizJVoVE0cFkiYun8
HP3mefqBPmdw5m17VFiP0fFxpQkXpE3pQQBRIzrbmLUDcRdq/eYCcLo2AWj3hbtZ
gth3MVQSepAsGBcUj5az/BxIAFG9cwIDAQABo4HGMIHDMAkGA1UdEwQCMAAwLAYJ
YIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1Ud
DgQWBBSQdboLjvUWaX+xyru3amUA3LEywTAfBgNVHSMEGDAWgBQw9rNHgKLLpCw5
Ms3aG0skfjdKrTAfBgNVHREEGDAWghR3aW43Lm15Y29tcGFueS5sb2NhbDAnBgNV
HSUEIDAeBggrBgEFBQgCAgYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEB
CwUAA4GBAKr/FEvaIQ9J2rY3V8ydgXMQCvvjbO6eRN8LVFKZWOqxg9gJ3xNSrNEE
4cmsLykVuw48M+N1pxE/oisyJjOOql0n9yyPL+c8pJ10zYicKz5+Na9sV6+5dhDm
7KRk0pvF/jsLvtZDdia6MgUvjG8QVPB+y9H0qSiTGORNJ++u59X6
-----END CERTIFICATE-----
History
#1 Updated by Rahul surya over 7 years ago
Swanctl logs:

16[NET] received packet: from 172.23.103.117[500] to 63.63.63.63[500] (616 bytes)
16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
16[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
16[IKE] received MS-Negotiation Discovery Capable vendor ID
16[IKE] received Vid-Initial-Contact vendor ID
16[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
16[IKE] 172.23.103.117 is initiating an IKE_SA
16[IKE] sending cert request for "C=IN, ST=KT, L=BG, O=XXX, OU=XXX, CN=ROOTCA"
16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
16[NET] sending packet: from 63.63.63.63[500] to 172.23.103.117[500] (333 bytes)
03[NET] received packet: from 172.23.103.117[500] to 63.63.63.63[500] (2316 bytes)
03[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
03[IKE] received cert request for "C=IN, ST=KT, L=BG, O=XXX, OU=XXX, CN=ROOTCA"
03[IKE] received 50 cert requests for an unknown ca
03[IKE] received end entity cert "C=IN, ST=KT, O=XXX, OU=XXX, CN=win7.mycompany.local"
03[CFG] looking for peer configs matching 63.63.63.63[%any]...172.23.103.117[C=IN, ST=KT, O=XXX, OU=XXX, CN=win7.mycompany.local]
03[CFG] selected peer config 'home'
03[CFG] using certificate "C=IN, ST=KT, O=XXX, OU=XXX, CN=win7.mycompany.local"
03[CFG] using trusted ca certificate "C=IN, ST=KT, L=BG, O=XXX, OU=XXX, CN=ROOTCA"
03[CFG] checking certificate status of "C=IN, ST=KT, O=XXX, OU=XXX, CN=win7.mycompany.local"
03[CFG] certificate status is not available
03[CFG] reached self-signed root ca with a path length of 0
03[IKE] authentication of 'C=IN, ST=KT, O=XXX, OU=XXX, CN=win7.mycompany.local' with RSA signature successful
03[IKE] authentication of 'C=IN, ST=KT, O=XXX, OU=XXX, CN=server.mycompany.local' (myself) with RSA signature successful
03[IKE] IKE_SA home[1] established between 63.63.63.63[C=IN, ST=KT, O=XXX, OU=XXX, CN=server.mycompany.local]...172.23.103.117[C=IN, ST=KT, O=XXX, OU=XXX, CN=win7.mycompany.local]
03[IKE] scheduling rekeying in 12965s
03[IKE] maximum IKE_SA lifetime 14405s
03[IKE] sending end entity cert "C=IN, ST=KT, O=XXX, OU=XXX, CN=server.mycompany.local"
03[IKE] peer requested virtual IP %any
03[CFG] assigning new lease to 'C=IN, ST=KT, O=XXX, OU=XXX, CN=win7.mycompany.local'
03[IKE] assigning virtual IP 10.0.0.1 to peer 'C=IN, ST=KT, O=XXX, OU=XXX, CN=win7.mycompany.local'
03[KNL] unable to install source route for 63.63.63.63
03[KNL] unable to install source route for 63.63.63.63
03[IKE] CHILD_SA home{1} established with SPIs cb6e7302_i aaec5ac4_o and TS 63.63.63.0/24 === 10.0.0.1/32
03[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr ]
03[NET] sending packet: from 63.63.63.63[500] to 172.23.103.117[500] (1164 bytes)
#2 Updated by Tobias Brunner over 7 years ago
- Status changed from New to Feedback
- Priority changed from High to Normal
You configured id=server.mycompany.local, however, the server authenticates itself as C=IN, ST=KT, O=XXX, OU=XXX, CN=server.mycompany.local, which is strange. Or was the log from a different test run, where you configured the complete subject DN (or no identity)?
Also, what did you configure on the client as server address? The IP address or server.mycompany.local?
#3 Updated by Rahul surya over 7 years ago
Thanks, it got resolved. In the Windows client I am specifying the IP rather than the host name for connecting to the server, and during server certificate creation we are giving --san as the domain name rather than the IP. So I added one more alternative name for the IP and it started working.
X509v3 Subject Alternative Name: DNS:server.mycompany.local
So I made one more alternative name, based on the IP:
X509v3 Subject Alternative Name: DNS:server.mycompany.local, IP Address:63.63.63.63
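The resolution above comes down to one check: the Windows IKEv2 client compares the server address typed into the VPN profile against the server certificate's Subject Alternative Name, and an IP literal only matches an "IP Address:" entry, never a "DNS:" one. The following script is an added example and not part of the issue or of strongSwan itself. It mints a throwaway CA and server certificate with OpenSSL (the issue's certificates were OpenSSL-generated, and the script reuses the issue's server name, address and the IKE intermediate EKU 1.3.6.1.5.5.8.2.2 from its certificate), then checks whether a given connect address is covered by the SAN, first with the DNS-only SAN the issue started with and then with the DNS-plus-IP SAN that fixed it. All key material and directories are constructed on the fly; it assumes an `openssl` binary with its default config on PATH.

```shell
#!/bin/sh
# Added example, not from the strongSwan issue: build a throwaway CA and
# server certificate with OpenSSL and check that the address a Windows
# client enters as the VPN server (host name or IP literal) is covered by
# the certificate's Subject Alternative Name.  An IP literal only matches
# an "IP Address:" SAN entry, a host name only a "DNS:" entry.

# Issue a CA and a server certificate into $1 with subjectAltName $2
# (openssl syntax, e.g. "DNS:server.mycompany.local,IP:63.63.63.63").
make_server_cert() {
    _dir="$1"; _san="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=ROOTCA" \
        -keyout "$_dir/ca.key" -out "$_dir/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=server.mycompany.local" \
        -keyout "$_dir/server.key" -out "$_dir/server.csr" >/dev/null 2>&1 || return 1
    # End-entity extensions: the SAN under test plus the EKUs carried by the
    # issue's server certificate (IKE intermediate 1.3.6.1.5.5.8.2.2, serverAuth).
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\nextendedKeyUsage=1.3.6.1.5.5.8.2.2,serverAuth\n' \
        "$_san" > "$_dir/ext.cnf"
    openssl x509 -req -in "$_dir/server.csr" -CA "$_dir/ca.pem" -CAkey "$_dir/ca.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$_dir/ext.cnf" \
        -out "$_dir/server.pem" >/dev/null 2>&1
}

# Print the SAN entries of certificate $1 one per line, in the form that
# "openssl x509 -text" renders them ("DNS:host", "IP Address:1.2.3.4").
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# Return 0 if the address the client connects to ($2) is covered by the
# SAN of certificate $1: a dotted-decimal literal must match an
# "IP Address:" entry, anything else must match a "DNS:" entry exactly.
san_covers_address() {
    _cert="$1"; _addr="$2"
    case "$_addr" in
        *[!0-9.]*) _needle="DNS:$_addr" ;;
        *)         _needle="IP Address:$_addr" ;;
    esac
    cert_sans "$_cert" | grep -qxF -- "$_needle"
}

# Stand-alone run: the DNS-only SAN from the issue versus the fixed SAN,
# each checked against the host name and against the IP the client used.
demo() {
    _work=$(mktemp -d) || return 1
    for _s in "DNS:server.mycompany.local" "DNS:server.mycompany.local,IP:63.63.63.63"; do
        rm -f "$_work"/*
        make_server_cert "$_work" "$_s" || { rm -rf "$_work"; return 1; }
        for _a in server.mycompany.local 63.63.63.63; do
            if san_covers_address "$_work/server.pem" "$_a"; then
                echo "SAN [$_s] covers $_a"
            else
                echo "SAN [$_s] does NOT cover $_a (Windows rejects the server certificate)"
            fi
        done
    done
    rm -rf "$_work"
}

demo
```

The check is deliberately exact-match: a wildcard or a bare CN in the subject is not what the Windows client compares against when an IP literal is configured, so the script reports the DNS-only certificate as not covering 63.63.63.63, exactly the situation in comment #3, and the certificate with the added IP entry as covering both forms of the address.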
#4 Updated by Tobias Brunner over 7 years ago
- Category changed from swanctl to configuration
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No change required
#5 Updated by Rahul surya over 7 years ago
The id in swanctl.conf is "C=IN, ST=KT, O=ALTEN, OU=CALSOFT, CN=server.mycompany.local", not "server.mycompany.local"; I forgot to change it while uploading the conf.