Issue #714

Updated by Tobias Brunner almost 11 years ago

I have xl2tpd and strongSwan 5.1.2 installed on Ubuntu 14.04 LTS from its repository as a VPN server, with Win XP / Win 7 / Android 4.x.x clients (some of them are behind NAT). The server is not behind NAT.
I set up 3 connection types: l2tp/psk, l2tp/ipsec (cert) and ikev2.
Connection via l2tp/psk is successful both for Win XP and for Win 7.
Connection via l2tp/ipsec (cert) is successful for Win XP only.
But connections via l2tp/ipsec (cert) and ikev2 don't work for Win 7.
Below is interactive logging (captured in ipsec --nofork mode) while Win 7 connects, and the ipsec.conf for l2tp/ipsec (cert) and for the two types of ikev2 procedure.

The external IP of the strongSwan server is used in the VPN connection properties.
The server certificate (located on the strongSwan server) has the FQDN and the external IP 95.24.95.95 in subjectAltName, and the CN contains the FQDN of the strongSwan server.

*For L2TP/IPsec with certificate (Win 7 connecting):*

<pre>
11[IKE] IKE_SA ikev1_l2tp_rsa[1] state change: CONNECTING => ESTABLISHED
11[IKE] DPD not supported by peer, disabled
11[IKE] sending end entity cert "C=RU, ST=North, L=City, O=Org, OU=Main, CN=gate_name.mydomain.net, N=My Server certificate, E=admin at mydomain.net"
11[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
11[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1484 bytes)
15[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500] (1900 bytes)
15[IKE] received retransmit of request with ID 0, retransmitting response
15[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1484 bytes)
11[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500] (1900 bytes)
11[IKE] received retransmit of request with ID 0, retransmitting response
11[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1484 bytes)
12[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500] (1900 bytes)
12[IKE] received retransmit of request with ID 0, retransmitting response
12[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1484 bytes)
</pre>

*For IKEv2 with machine certificate (Win 7 connecting):*

<pre>
14[IKE] CHILD_SA ikev2_machine_cert{2} established with SPIs c8c7c4c5_i 333c9d8a_o and TS 0.0.0.0/0 === 10.10.1.2/32
14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
14[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1660 bytes)
05[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500] (2476 bytes)
05[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
05[IKE] received retransmit of request with ID 1, retransmitting response
05[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1660 bytes)
14[IKE] retransmit 2 of request with message ID 0
14[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (76 bytes)
15[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500] (2476 bytes)
15[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
15[IKE] received retransmit of request with ID 1, retransmitting response
15[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1660 bytes)
13[IKE] retransmit 3 of request with message ID 0
13[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (76 bytes)
</pre>

*For IKEv2 with EAP-MSCHAPv2 and certificate (Win 7 connecting):*

<pre>
15[IKE] authentication of '95.24.95.95' (myself) with RSA signature successful
15[IKE] sending end entity cert "C=RU, ST=North, L=City, O=Org, OU=Main, CN=gate_name.mydomain.net, N=My Server certificate, E=admin at mydomain.net"
15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
15[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1516 bytes)
08[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500] (1340 bytes)
08[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
08[IKE] received retransmit of request with ID 1, retransmitting response
08[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1516 bytes)
14[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500] (1340 bytes)
14[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
14[IKE] received retransmit of request with ID 1, retransmitting response
14[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1516 bytes)
</pre>

*ipsec.conf:*

<pre>
conn %default
    compress=yes
    dpdaction=clear # tried dpdaction=restart
    dpddelay=40
    dpdtimeout=130
    forceencaps=yes
    ikelifetime=8h
    keyingtries=10
    keylife=10800
    margintime=15m

conn l2tp_ipsec
    auto=add
    esp=aes256-sha1!
    ike=aes256-sha1-modp1024!
    keyexchange=ikev1
    keyingtries=2
    left=95.24.95.95
    leftauth=pubkey
    leftcert=/etc/ipsec.d/certs/server.crt
    leftid=95.24.95.95
    leftprotoport=udp/%any
    mobike=no
    rekey=no
    right=%any
    rightauth=pubkey # also tried rsa
    rightsendcert=never
    rightsubnet=0.0.0.0/0
    type=transport

conn ikev2_eap_mschapv2
    auto=add
    eap_identity=%any
    esp=aes256-sha1!
    ike=aes256-sha1-modp1024!
    keyexchange=ikev2
    left=95.24.95.95
    leftauth=pubkey
    leftcert=/etc/ipsec.d/certs/server.crt
    leftid=95.24.95.95
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    mobike=yes
    rekey=no
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=192.168.1.0/24
    rightsendcert=never

conn ikev2_machine_cert
    auto=add
    esp=aes256-sha1!
    ike=aes256-sha1-modp1024!
    keyexchange=ikev2
    left=95.24.95.95
    leftcert=/etc/ipsec.d/certs/server.crt
    leftid=95.24.95.95
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    mobike=yes
    rekey=no
    right=%any
    rightsourceip=192.168.1.0/24
    rightsendcert=never
</pre>


I think the trouble is in some connection parameters specific to Win 7, but I don't know which ones.
As I see it, the 1st phase is successful, that is, the certificate is valid and good in all 3 cases.
Can somebody tell me where the trouble is?

To summarize:
_connection from Win XP across l2tp/ipsec-cert succeeded;_
_connection from Android 4.4.x (Sony Xperia Z2) across l2tp/ipsec-cert succeeded;_
+connection from Win 7 across l2tp/ipsec-cert, ikev2-machine-cert, ikev2-eap-mschapv2 failed.+
*This situation occurs on version 5.1.2 and up to nightly build 5.2.1dr1 (5.2.1-~10879+53 in the Ubuntu repository), downloaded on Sep 24, 2014.*
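All three logs share one pattern: the server keeps answering "received retransmit of request with ID N, retransmitting response" and resends the same 1484/1516/1660-byte response, which means the Windows 7 client never sees that response, while the tiny 76-byte requests it sends are retransmitted too. The script below is an added triage example, not code from the reporter or from the strongSwan project: it parses charon log lines in the format shown above, pairs each "retransmit" line with the "sending packet" line that follows on the same worker thread, and reports per peer how often a response had to be resent and how large it was. The sample input is a subset of the IKEv2 machine-certificate log copied from this report; the 1400-byte threshold is an assumption (a 1500-byte Ethernet MTU minus UDP/IP headers) used only to flag responses that would have to be IP-fragmented on the path.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the IKEv2 machine-certificate log in this report
# (constructed subset for the example).
SAMPLE_LOG = """\
14[IKE] CHILD_SA ikev2_machine_cert{2} established with SPIs c8c7c4c5_i 333c9d8a_o and TS 0.0.0.0/0 === 10.10.1.2/32
14[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1660 bytes)
05[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500] (2476 bytes)
05[IKE] received retransmit of request with ID 1, retransmitting response
05[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1660 bytes)
14[IKE] retransmit 2 of request with message ID 0
14[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (76 bytes)
15[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500] (2476 bytes)
15[IKE] received retransmit of request with ID 1, retransmitting response
15[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1660 bytes)
13[IKE] retransmit 3 of request with message ID 0
13[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (76 bytes)
"""

# Assumed threshold: a 1500-byte Ethernet MTU minus IP/UDP headers. Responses above it
# must be IP-fragmented, which is worth checking when a peer never acknowledges them.
FRAG_THRESHOLD = 1400

LINE_RE = re.compile(r'^(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$')
SEND_RE = re.compile(r'sending packet: from (?P<src>\S+) to (?P<dst>\S+) \((?P<size>\d+) bytes\)')
PEER_RETX_RE = re.compile(r'received retransmit of request with ID (?P<mid>\d+), retransmitting response')
OWN_RETX_RE = re.compile(r'retransmit (?P<n>\d+) of request with message ID (?P<mid>\d+)')


def analyze(lines):
    """Return a per-peer summary of retransmission behaviour seen in charon log lines."""
    peers = defaultdict(lambda: {
        'peer_retransmits': defaultdict(int),   # message ID -> times the peer resent its request
        'retransmitted_response_sizes': [],     # sizes of the responses we had to resend
        'own_request_retransmits': {},          # message ID -> highest retransmit counter reached
    })
    pending = {}  # worker thread -> what the next "sending packet" on that thread is
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        thread, msg = m['thread'], m['msg']
        r = PEER_RETX_RE.search(msg)
        if r:
            pending[thread] = ('peer', int(r['mid']))
            continue
        r = OWN_RETX_RE.search(msg)
        if r:
            pending[thread] = ('own', int(r['n']), int(r['mid']))
            continue
        s = SEND_RE.search(msg)
        if s and thread in pending:
            tag = pending.pop(thread)
            p = peers[s['dst']]
            if tag[0] == 'own':
                _, n, mid = tag
                p['own_request_retransmits'][mid] = max(n, p['own_request_retransmits'].get(mid, 0))
            else:
                p['peer_retransmits'][tag[1]] += 1
                p['retransmitted_response_sizes'].append(int(s['size']))

    report = {}
    for peer, p in peers.items():
        sizes = p['retransmitted_response_sizes']
        largest = max(sizes, default=0)
        report[peer] = {
            'peer_retransmits': dict(p['peer_retransmits']),
            'retransmitted_response_sizes': sizes,
            'own_request_retransmits': p['own_request_retransmits'],
            'largest_resent_response': largest,
            # Two or more retransmits of the same request: the peer is not receiving our response.
            'undelivered_response_suspected': any(c >= 2 for c in p['peer_retransmits'].values()),
            'response_exceeds_frag_threshold': largest > FRAG_THRESHOLD,
        }
    return report


if __name__ == '__main__':
    for peer, info in analyze(SAMPLE_LOG.splitlines()).items():
        print(f'peer {peer}:')
        for key, value in info.items():
            print(f'  {key}: {value}')
```

Run it against a full `ipsec start --nofork` capture instead of the embedded sample to see whether every failing client shows the same signature: repeated peer retransmits of one message ID paired with a large response, while small packets in the other direction are delivered. That narrows the investigation to response delivery on the path rather than to authentication, which the logs show completing.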
