Project

General

Profile

Issue #2881

windows client connection

Added by Pardhasaradhi Y 3 months ago. Updated 3 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
Category:
configuration
Affected version:
5.1.3
Resolution:

Description

Hi team,

I am trying to establish IPsec connection using strongswan from Linux to Windows. Followed all instructions while generating the certificates. Able to establish the connection using EAP-MSCHAPv2 and also using Machine certificates for first time. But now when I try to connect using Machine certificates its failing? and after connection establishment with EAP-MSCHAPv2 connection is lost after IKelifetime while its reauthenticating in case of Linux-Linux connection.
And configuration file for these two is changing. Can you please can me with following questions?

01.Why Machine certificate way is not working now?
02.How can we make the configuration file common for all three ways of connecting with windows client(EAP-MSCHAPv2,machine certicfaites.X509 certificates?
03.Why connection is lost after ikeLifetime different to case of Linux-Linux connection

I am attaching the configuration file at Linux side.

Please help me

Regards,
Sindhura.

ipsec.secrets (209 Bytes) ipsec.secrets Pardhasaradhi Y, 09.01.2019 08:24
ipsec.conf (532 Bytes) ipsec.conf Pardhasaradhi Y, 09.01.2019 08:24
error_machine certifcaites.PNG (17.6 KB) error_machine certifcaites.PNG Pardhasaradhi Y, 09.01.2019 08:25
ipsec_machine.conf (540 Bytes) ipsec_machine.conf Pardhasaradhi Y, 09.01.2019 08:26
linuxwindows_strongswan_logs.docx (649 KB) linuxwindows_strongswan_logs.docx Pardhasaradhi Y, 11.01.2019 07:26
logs_problem1.txt (22.1 KB) logs_problem1.txt Pardhasaradhi Y, 14.01.2019 10:05
logs-prtoblem2.txt (2.71 KB) logs-prtoblem2.txt Pardhasaradhi Y, 14.01.2019 10:05
problem3.txt (60.6 KB) problem3.txt Pardhasaradhi Y, 14.01.2019 10:05
problem4.txt (818 Bytes) problem4.txt Pardhasaradhi Y, 14.01.2019 10:05

History

#1 Updated by Noel Kuntze 3 months ago

  • Category set to configuration
  • Status changed from New to Feedback
  • Assignee set to Noel Kuntze

Hello Sindhura,

Please follow the instructions on the HelpRequests page.

Kind regards

Noel

#2 Updated by Pardhasaradhi Y 3 months ago

Hello Noel,

I have read all the documents related to Strongswan and also configured using examples provided.But still Facing those issues.SO,need your help.

Regards,
Sindhura.

#3 Updated by Noel Kuntze 3 months ago

Hello Sindhura,

What I'm telling you is to read the document and follow the instructions given under Finding solutions for your problems effectively and efficiently point 8. Specifically the first point:

  • The complete log from daemon start to the point where the problem occurs

Full listing:

We generally require all of the following from you:

  • The complete log from daemon start to the point where the problem occurs
  • The complete configuration (ipsec.conf or swanctl.conf, depending on which configuration backend you are using)
  • The complete current status of the daemon (ipsec statusall or swanctl -L and swanctl -l)
  • The complete firewall rules (output of iptables-save and ip6tables-save on Linux, analogously on other operating systems using the corresponding command(s))
  • The complete contents of all routing tables (output of ip route show table all on Linux, analogously on other operating systems)
  • The complete overview over all IP addresses (output of ip address on Linux, analogously on other operating systems)

#4 Updated by Pardhasaradhi Y 3 months ago

Hi Noel,

Please find document attached with all information and logs.Please let me know in case if you need any more info.
Please help me with all my queries.

Regards,
Sindhura.

#5 Updated by Noel Kuntze 3 months ago

Hello Sindhura,

I will not open complex office files on my machines. Please attach text files.

Kind regards

Noel

#6 Updated by Pardhasaradhi Y 3 months ago

Hi Noel,

It is a word document consisting of all screenshots and all the process I followed.
I am also attaching you the logs in Notepad.

Please have a look and help me in solving my issues.

Regards,
Sindhura.

#7 Updated by Pardhasaradhi Y 3 months ago

Hi Noel,

Any update on this please?

Regards,
Sindhura.

#8 Updated by Noel Kuntze 3 months ago

First some comments on your attached config:

type=transport

That makes no sense.

rightsendcert=never

Neither does this.

Btw, you should upgrade your strongSwan version to something more modern, so you can use swanctl.

Following your questions from "problems4.txt". Answers are inline.

01.Why Machine certicfaites method is failing in second time?

That's not a machine certificate method. Machine certificate method is what Windows people say to describe pubkey auth in P1, which this in fact is, but for Windows it's just used for the client side. In any other authentication mode in the Windows VPN client, pubkey auth one is always used, even if you configure eap-tls or eap-mschapv2. Machine certificate authentication for IKEv2 in Windows is pubkey auth.

02.Can we have a common configuration file for all three cases(EAP_MSCHAPv2,X509 certificates,Machine certifciates)

Yes, look in the UsableExamples article for an example. Look for eap-dynamic.

03.What is the correct way to generate certificates(I followed using windows 7 certicfaite instructions from strongswan but it seems to be working only when I use above commands )

There were no commands attached or shown in the issue. Just use ipsec pki and give the server cert the serverAuth and clientAuth EKU flags. A SAN field has to contain the IP. The type of the SAN field has to correspond to the type of the IKE ID field.
ipsec pki already figures out the type by itself based on what your input looks like. An IP address will default to type IP, for example.

04.Why public ip is not pingable from outside?and why we need to give @ before leftid and rightsouceid as 141.137.47.230/16.

1) That I don't know. It probably depends on how Windows is configured.
2) Windows seems to send the type of the ID as type FQDN, which an IP address evidently shouldn't be by default because it's not an FQDN. By writing @ in front of the ID, strongSwan treats it as type FQDN, not as type IP. During authentication, both the type of the IDs has to match and the actual ID.
3) rightsourceip specifies the IP pool to be used. To make the configuration more verbose, switch to using swanctl. The UsableExamples article contains configurations for both ipsec.conf and swanctl.

05.IkeLiefetime issue why its asking for password in case of EAP method?

Because it seems like the Windows client treats the server deleting the IKE SA as authentication failure, not as just the IKE SA being closed. It might not react this way if the client initiates rekeyings and reauthentications, which is what you should configure. The example configurations in the UsableExamples article already do that.

If I change any small thing in this connection is failing.

Yeah.

I need a stable configuration file and also certificate generation method for windows for all three ways Please help me with this.

Win7CertReq doesn't help?

Also available in: Atom PDF