Issue #3446

Can't make it work with Windows 10

Added by CST SOPORTE about 2 months ago. Updated about 2 months ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: configuration
Affected version: 5.7.2
Resolution:

Description

Hi there

I'm new to StrongSwan, so maybe it's an easy one for you. I'm trying to connect a Win10 PC (using the native VPN client or the Forcepoint client) and I can't make it work.

On the PC, we have installed the CACert issued by StrongSwan, and we have defined a user/secret in ipsec.secrets.

We tried lots of different IKE= parameters, since we don't know what the WIN10 PC uses as proposals.

If we delete those ike and esp lines in ipsec.conf, we see:

May 14 14:05:11 [localhost] strongswan: 07[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
May 14 14:05:11 [localhost] systemd: Stopped strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
May 14 14:05:11 [localhost] strongswan: 07[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048

If we try to configure some of these received proposals on the ipsec.conf, then the connection goes to "DESTROYING" state by timeout.

Here is my last conf:

config setup
    charondebug="ike 2, knl 1, cfg 2, esp 1"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=no
    forceencaps=yes
    ike=aes256-sha1-modp1024,es256gcm16-sha256-ecp521,aes256-sha256-ecp384,3des-sha1-prfsha1-modp1024,aes256-3des-sha1-modp2048,aes256-3des-sha256-sha1-modp2048-modp1024,aes256-sha256-prfsha256-modp2048-modp1024
    esp=aes256gcm16-sha256
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=93.191.138.135
    leftcert=serverCert.der
    leftsendcert=always
    leftsubnet=172.31.0.0/24
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity

Logs:

May 14 12:54:48 [localhost] charon: 05[IKE] received 49 cert requests for an unknown ca
May 14 12:54:48 [localhost] charon: 05[CFG] looking for peer configs matching 93.191.138.135[%any]...87.216.79.224[192.168.1.46]
May 14 12:54:48 [localhost] charon: 05[CFG] selected peer config 'ikev2-vpn'
May 14 12:54:48 [localhost] charon: 05[IKE] initiating EAP_IDENTITY method (id 0x00)
May 14 12:54:48 [localhost] charon: 05[IKE] processing INTERNAL_IP4_ADDRESS attribute
May 14 12:54:48 [localhost] charon: 05[IKE] processing INTERNAL_IP4_DNS attribute
May 14 12:54:48 [localhost] charon: 05[IKE] processing INTERNAL_IP4_NBNS attribute
May 14 12:54:48 [localhost] charon: 05[IKE] processing INTERNAL_IP4_SERVER attribute
May 14 12:54:48 [localhost] charon: 05[IKE] processing INTERNAL_IP6_ADDRESS attribute
May 14 12:54:48 [localhost] charon: 05[IKE] processing INTERNAL_IP6_DNS attribute
May 14 12:54:48 [localhost] charon: 05[IKE] processing INTERNAL_IP6_SERVER attribute
May 14 12:54:48 [localhost] charon: 05[IKE] peer supports MOBIKE
May 14 12:54:48 [localhost] charon: 05[IKE] authentication of '93.191.138.135' (myself) with RSA signature successful
May 14 12:54:48 [localhost] charon: 05[IKE] sending end entity cert "C=ES, O=IECISA, CN=93.191.138.135"
May 14 12:54:48 [localhost] charon: 05[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
May 14 12:54:48 [localhost] charon: 05[NET] sending packet: from 93.191.138.135[4500] to 87.216.79.224[4500] (1156 bytes)
May 14 12:55:18 [localhost] charon: 11[JOB] deleting half open IKE_SA with 87.216.79.224 after timeout
May 14 12:55:18 [localhost] charon: 11[IKE] IKE_SA ikev2-vpn[19] state change: CONNECTING => DESTROYING

May 14 13:11:39 [localhost] charon: 11[NET] received packet: from 87.216.79.224[500] to 93.191.138.135[500] (880 bytes)
May 14 13:11:39 [localhost] charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May 14 13:11:39 [localhost] charon: 11[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
May 14 13:11:39 [localhost] charon: 11[IKE] received MS-Negotiation Discovery Capable vendor ID
May 14 13:11:39 [localhost] charon: 11[IKE] received Vid-Initial-Contact vendor ID
May 14 13:11:39 [localhost] charon: 11[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May 14 13:11:39 [localhost] charon: 11[IKE] 87.216.79.224 is initiating an IKE_SA
May 14 13:11:39 [localhost] charon: 11[IKE] IKE_SA (unnamed)[20] state change: CREATED => CONNECTING
May 14 13:11:39 [localhost] charon: 11[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 14 13:11:39 [localhost] charon: 11[IKE] remote host is behind NAT
May 14 13:11:39 [localhost] charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
May 14 13:11:39 [localhost] charon: 11[NET] sending packet: from 93.191.138.135[500] to 87.216.79.224[500] (308 bytes)
May 14 13:11:39 [localhost] charon: 12[NET] received packet: from 87.216.79.224[4500] to 93.191.138.135[4500] (1436 bytes)
May 14 13:11:39 [localhost] charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ SA TSi TSr ]
May 14 13:11:39 [localhost] charon: 12[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4
May 14 13:11:39 [localhost] charon: 12[IKE] received cert request for unknown ca with keyid dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15
May 14 13:11:39 [localhost] charon: 12[IKE] received cert request for unknown ca with keyid 4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d
May 14 13:11:39 [localhost] charon: 12[IKE] received cert request for unknown ca with keyid 6a:47:a2:67:c9:2e:2f:19:68:8b:9b:86:61:66:95:ed:c1:2c:13:00
May 14 13:11:39 [localhost] strongswan: 05[IKE] processing INTERNAL_IP6_SERVER attribute
May 14 13:11:39 [localhost] strongswan: 05[IKE] peer supports MOBIKE
May 14 13:11:39 [localhost] strongswan: 05[IKE] authentication of '93.191.138.135' (myself) with RSA signature successful
May 14 13:11:39 [localhost] strongswan: 05[IKE] sending end entity cert "C=ES, O=IECISA, CN=93.191.138.135"
May 14 13:11:39 [localhost] strongswan: 05[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
May 14 13:11:39 [localhost] strongswan: 05[NET] sending packet: from 93.191.138.135[4500] to 87.216.79.224[4500] (1156 bytes)
May 14 13:11:39 [localhost] strongswan: 11[JOB] deleting half open IKE_SA with 87.216.79.224 after timeout
May 14 13:11:39 [localhost] strongswan: 11[IKE] IKE_SA ikev2-vpn[19] state change: CONNECTING => DESTROYING
May 14 13:11:39 [localhost] strongswan: 11[NET] received packet: from 87.216.79.224[500] to 93.191.138.135[500] (880 bytes)
May 14 13:11:39 [localhost] strongswan: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May 14 13:11:39 [localhost] strongswan: 11[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
May 14 13:11:39 [localhost] strongswan: 11[IKE] received MS-Negotiation Discovery Capable vendor ID
May 14 13:11:39 [localhost] strongswan: 11[IKE] received Vid-Initial-Contact vendor ID
May 14 13:11:39 [localhost] strongswan: 11[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May 14 13:11:39 [localhost] strongswan: 11[IKE] 87.216.79.224 is initiating an IKE_SA
May 14 13:11:39 [localhost] strongswan: 11[IKE] IKE_SA (unnamed)[20] state change: CREATED => CONNECTING
May 14 13:11:39 [localhost] strongswan: 11[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 14 13:11:39 [localhost] strongswan: 11[IKE] remote host is behind NAT
May 14 13:11:39 [localhost] strongswan: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
May 14 13:11:39 [localhost] strongswan: 11[NET] sending packet: from 93.191.138.135[500] to 87.216.79.224[500] (308 bytes)
May 14 13:11:39 [localhost] strongswan: 12[NET] received packet: from 87.216.79.224[4500] to 93.191.138.135[4500] (1436 bytes)
May 14 13:11:39 [localhost] strongswan: 12[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ SA TSi TSr ]
[...]
May 14 13:11:39 [localhost] strongswan: 12[IKE] received 50 cert requests for an unknown ca
May 14 13:11:39 [localhost] strongswan: 12[CFG] looking for peer configs matching 93.191.138.135[%any]...87.216.79.224[192.168.1.46]
May 14 13:11:39 [localhost] strongswan: 12[CFG] selected peer config 'ikev2-vpn'
May 14 13:11:39 [localhost] strongswan: 12[IKE] initiating EAP_IDENTITY method (id 0x00)
May 14 13:11:39 [localhost] strongswan: 12[IKE] processing INTERNAL_IP4_ADDRESS attribute
May 14 13:11:39 [localhost] strongswan: 12[IKE] processing INTERNAL_IP4_DNS attribute
May 14 13:11:39 [localhost] strongswan: 12[IKE] processing INTERNAL_IP4_NBNS attribute
May 14 13:11:39 [localhost] strongswan: 12[IKE] processing INTERNAL_IP4_SERVER attribute
May 14 13:11:39 [localhost] strongswan: 12[IKE] processing INTERNAL_IP6_ADDRESS attribute
May 14 13:11:39 [localhost] strongswan: 12[IKE] processing INTERNAL_IP6_DNS attribute
May 14 13:11:39 [localhost] strongswan: 12[IKE] processing INTERNAL_IP6_SERVER attribute
May 14 13:11:39 [localhost] strongswan: 12[IKE] peer supports MOBIKE
May 14 13:11:39 [localhost] charon: 12[IKE] received cert request for unknown ca with keyid 3e:df:29:0c:c1:f5:cc:73:2c:eb:3d:24:e1:7e:52:da:bd:27:e2:f0
May 14 13:11:39 [localhost] strongswan: 12[IKE] authentication of '93.191.138.135' (myself) with RSA signature successful
May 14 13:11:39 [localhost] strongswan: 12[IKE] sending end entity cert "C=ES, O=IECISA, CN=93.191.138.135"
May 14 13:11:39 [localhost] strongswan: 12[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
[...]
May 14 13:11:39 [localhost] charon: 12[IKE] received 50 cert requests for an unknown ca
May 14 13:11:39 [localhost] charon: 12[CFG] looking for peer configs matching 93.191.138.135[%any]...87.216.79.224[192.168.1.46]
May 14 13:11:39 [localhost] charon: 12[CFG] selected peer config 'ikev2-vpn'
May 14 13:11:39 [localhost] charon: 12[IKE] initiating EAP_IDENTITY method (id 0x00)
May 14 13:11:39 [localhost] charon: 12[IKE] processing INTERNAL_IP4_ADDRESS attribute
May 14 13:11:39 [localhost] charon: 12[IKE] processing INTERNAL_IP4_DNS attribute
May 14 13:11:39 [localhost] charon: 12[IKE] processing INTERNAL_IP4_NBNS attribute
May 14 13:11:39 [localhost] charon: 12[IKE] processing INTERNAL_IP4_SERVER attribute
May 14 13:11:39 [localhost] charon: 12[IKE] processing INTERNAL_IP6_ADDRESS attribute
May 14 13:11:39 [localhost] charon: 12[IKE] processing INTERNAL_IP6_DNS attribute
May 14 13:11:39 [localhost] charon: 12[IKE] processing INTERNAL_IP6_SERVER attribute
May 14 13:11:39 [localhost] charon: 12[IKE] peer supports MOBIKE
May 14 13:11:39 [localhost] charon: 12[IKE] authentication of '93.191.138.135' (myself) with RSA signature successful
May 14 13:11:39 [localhost] charon: 12[IKE] sending end entity cert "C=ES, O=IECISA, CN=93.191.138.135"
May 14 13:11:39 [localhost] charon: 12[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
May 14 13:11:39 [localhost] charon: 12[NET] sending packet: from 93.191.138.135[4500] to 87.216.79.224[4500] (1156 bytes)
May 14 13:12:09 [localhost] charon: 06[JOB] deleting half open IKE_SA with 87.216.79.224 after timeout
May 14 13:12:09 [localhost] charon: 06[IKE] IKE_SA ikev2-vpn[20] state change: CONNECTING => DESTROYING

Sometimes I see a "selected proposal":

May 14 14:19:20 [localhost] strongswan: 08[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 14 14:19:20 [localhost] strongswan: 08[IKE] remote host is behind NAT
May 14 14:19:20 [localhost] strongswan: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
May 14 14:19:20 [localhost] strongswan: 08[NET] sending packet: from 93.191.138.135[500] to 88.14.149.44[500] (308 bytes)
May 14 14:19:20 [localhost] strongswan: 10[NET] received packet: from 88.14.149.44[4500] to 93.191.138.135[4500] (404 bytes)
May 14 14:19:20 [localhost] strongswan: 10[ENC] unknown attribute type (16403)
May 14 14:19:20 [localhost] strongswan: 10[ENC] parsed IKE_AUTH request 1 [ IDi CPRQ DNS) SA TSi TSr N(MOBIKE_SUP) N((50001)) N(HTTP_CERT_LOOK) N(MSG_ID_SYN_SUP) N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
May 14 14:19:20 [localhost] strongswan: 10[CFG] looking for peer configs matching 93.191.138.135[%any]...88.14.149.44[rdediego]
May 14 14:19:20 [localhost] strongswan: 10[CFG] candidate "ikev2-vpn", match: 1/1/28 (me/other/ike)
May 14 14:19:20 [localhost] strongswan: 10[CFG] selected peer config 'ikev2-vpn'
May 14 14:19:20 [localhost] strongswan: 10[IKE] initiating EAP_IDENTITY method (id 0x00)
May 14 14:19:20 [localhost] strongswan: 10[IKE] processing INTERNAL_IP4_NETMASK attribute
May 14 14:19:20 [localhost] strongswan: 10[IKE] processing INTERNAL_IP4_ADDRESS attribute
May 14 14:19:20 [localhost] strongswan: 10[IKE] processing (16403) attribute
May 14 14:19:20 [localhost] strongswan: 10[IKE] processing INTERNAL_IP4_DNS attribute
May 14 14:19:20 [localhost] strongswan: 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
May 14 14:19:20 [localhost] strongswan: 10[IKE] peer supports MOBIKE
May 14 14:19:20 [localhost] strongswan: 10[IKE] authentication of '93.191.138.135' (myself) with RSA signature successful
May 14 14:19:20 [localhost] strongswan: 10[IKE] sending end entity cert "C=ES, O=IECISA, CN=93.191.138.135"
May 14 14:19:20 [localhost] strongswan: 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
May 14 14:19:20 [localhost] strongswan: 10[NET] sending packet: from 93.191.138.135[4500] to 88.14.149.44[4500] (1156 bytes)
May 14 14:19:20 [localhost] strongswan: 11[NET] received packet: from 88.14.149.44[4500] to 93.191.138.135[4500] (76 bytes)
May 14 14:19:20 [localhost] strongswan: 11[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
May 14 14:19:20 [localhost] strongswan: 11[IKE] received EAP identity 'rdediego'
May 14 14:19:20 [localhost] strongswan: 11[IKE] initiating EAP_MSCHAPV2 method (id 0xCE)
May 14 14:19:20 [localhost] strongswan: 11[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
May 14 14:19:20 [localhost] strongswan: 11[NET] sending packet: from 93.191.138.135[4500] to 88.14.149.44[4500] (100 bytes)
May 14 14:19:20 [localhost] strongswan: 12[NET] received packet: from 88.14.149.44[4500] to 93.191.138.135[4500] (68 bytes)
May 14 14:19:20 [localhost] strongswan: 12[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
May 14 14:19:20 [localhost] strongswan: 12[IKE] received EAP_NAK, sending EAP_FAILURE
May 14 14:19:20 [localhost] strongswan: 12[ENC] generating IKE_AUTH response 3 [ EAP/FAIL ]
May 14 14:19:20 [localhost] strongswan: 12[NET] sending packet: from 93.191.138.135[4500] to 88.14.149.44[4500] (68 bytes)
May 14 14:19:20 [localhost] strongswan: 12[IKE] IKE_SA ikev2-vpn[2] state change: CONNECTING => DESTROYING

Please, can anyone tell us how it should be configured to make it work with the Windows 10 native VPN client? Where is this failing exactly?

If you need more info, logs, or config, please ask for it.

Thanks a lot in advance for helping.

Regards.

History

#1 Updated by Tobias Brunner about 2 months ago

  • Category changed from windows to configuration
  • Status changed from New to Feedback

> We tried lots of different IKE= parameters, since we don't know what WIN10 PC uses as proposals.

You see that in the log (even the one you posted). And you can even control it via PowerShell or Registry (see WindowsClients).

> If we try to configure some of these received proposals on the ipsec.conf, then the connection goes to "DESTROYING" state by timeout.

That's probably not related to the proposal. More likely is that the client either doesn't like the response (server certificate not trusted or invalid for some reason), or that it's an IP fragmentation issue (the IKE_AUTH response might be too big, gets fragmented, and never reaches the client because the fragments are dropped somewhere). Since we don't see retransmits, the former might be more likely, but you should get an error on the client.

> fragmentation=no

You don't want to disable IKEv2 fragmentation, Windows 10 supports it (at least newer releases).

> Sometimes I see a "selected proposal":
>
> May 14 14:19:20 [localhost] strongswan: 08[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

You don't want to use these algorithms (see SecurityRecommendations).

> May 14 14:19:20 [localhost] strongswan: 11[IKE] initiating EAP_MSCHAPV2 method (id 0xCE)
> May 14 14:19:20 [localhost] strongswan: 11[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
> May 14 14:19:20 [localhost] strongswan: 11[NET] sending packet: from 93.191.138.135[4500] to 88.14.149.44[4500] (100 bytes)
> May 14 14:19:20 [localhost] strongswan: 12[NET] received packet: from 88.14.149.44[4500] to 93.191.138.135[4500] (68 bytes)
> May 14 14:19:20 [localhost] strongswan: 12[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
> May 14 14:19:20 [localhost] strongswan: 12[IKE] received EAP_NAK, sending EAP_FAILURE

Looks like the client doesn't accept the request for username/password authentication via EAP-MSCHAPv2. Maybe you configured it for EAP-TLS or some other method.
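
The point that the client's proposals can be read from the log, worked as an added example (not part of the thread and not strongSwan code): the script parses `received proposals` and `configured proposals` lines, reports which transform type prevents a match, and flags the algorithms of the selected proposal quoted above. The sample lines are constructed and shortened from the issue's log format; the function names and the simplified matching rule are assumptions of this example.

```python
# Constructed sample lines, shortened from the log format shown in the issue.
RECEIVED = ("May 14 14:05:11 [localhost] strongswan: 07[CFG] received proposals: "
            "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
            "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024")
CONFIGURED = ("May 14 14:05:11 [localhost] strongswan: 07[CFG] configured proposals: "
              "IKE:AES_CBC_128/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA1_96/"
              "PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/ECP_256/MODP_3072/MODP_2048, "
              "IKE:AES_GCM_16_128/AES_GCM_16_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/ECP_256/MODP_2048")
# Algorithms of the "selected proposal" that the reply advises against.
WEAK = {"3DES_CBC", "HMAC_SHA1_96", "PRF_HMAC_SHA1", "MODP_1024"}

def transform_type(alg):
    """Classify a logged algorithm name into its IKEv2 transform type."""
    if alg.startswith("PRF_"):
        return "PRF"
    if alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DH"
    if alg.startswith("HMAC_") or alg in ("AES_XCBC_96", "AES_CMAC_96"):
        return "INTEG"
    return "ENCR"  # remaining names in these lines are encryption/AEAD algorithms

def parse_proposals(line):
    """Return one {transform type: set of algorithms} dict per logged proposal."""
    body = line.partition("proposals: ")[2]
    proposals = []
    for prop in body.split(", "):
        by_type = {}
        for alg in prop.strip().split(":", 1)[1].split("/"):
            by_type.setdefault(transform_type(alg), set()).add(alg)
        proposals.append(by_type)
    return proposals

def mismatches(received, configured):
    """Transform types for which the two proposals share no algorithm."""
    # Simplified rule (assumption): every type present on either side must overlap.
    types = set(received) | set(configured)
    return sorted(t for t in types if not (received.get(t, set()) & configured.get(t, set())))

def diagnose(received_line, configured_line):
    """Per received proposal: what blocks a match and which algorithms are weak."""
    configured = parse_proposals(configured_line)
    report = []
    for prop in parse_proposals(received_line):
        # Compare against the configured proposal that comes closest to matching.
        blocked = min((mismatches(prop, c) for c in configured), key=len)
        algs = set().union(*prop.values())
        report.append({"blocked_by": blocked, "weak": sorted(algs & WEAK)})
    return report

if __name__ == "__main__":
    for row in diagnose(RECEIVED, CONFIGURED):
        print(row)
```

On the sample, every received proposal is blocked only by the DH group: the client offers MODP_1024 while the configured proposals start at MODP_2048.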
