Issue #965

Updated by Tobias Brunner over 5 years ago

I followed this tutorial:
https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/
and built a VPN server using IKEv2 on a cloud Ubuntu instance.
The weird part is that, on the same Wi-Fi network, my Windows Phone 8.1 can connect to it easily,
but my Windows 8.1 laptop still refuses to connect, saying error 809.

I tried both auth options (client-cert / eap-mschapv2), still no help.

Syslog on the server side (Ubuntu) when trying to connect from Win8.1:

<pre>
May 23 09:04:08 netlink charon: 03[CFG] selecting proposal:
May 23 09:04:08 netlink charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
May 23 09:04:08 netlink charon: 03[CFG] selecting proposal:
May 23 09:04:08 netlink charon: 03[CFG] proposal matches
May 23 09:04:08 netlink charon: 03[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
May 23 09:04:08 netlink charon: 03[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 23 09:04:08 netlink charon: 03[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
May 23 09:04:08 netlink charon: 03[IKE] local host is behind NAT, sending keep alives
May 23 09:04:08 netlink charon: 03[IKE] remote host is behind NAT
May 23 09:04:08 netlink charon: 03[IKE] sending cert request for "C=CH, O=MockyTech, CN=MockyTech Root CA"
May 23 09:04:08 netlink charon: 03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May 23 09:04:08 netlink charon: 03[NET] sending packet: from 100.68.156.125[500] to 50.197.66.210[49850] (337 bytes)
May 23 09:04:08 netlink charon: 09[NET] sending packet: from 100.68.156.125[500] to 50.197.66.210[49850]
May 23 09:04:28 netlink charon: 05[IKE] sending keep alive to 50.197.66.210[49850]
May 23 09:04:28 netlink charon: 09[NET] sending packet: from 100.68.156.125[500] to 50.197.66.210[49850]
May 23 09:04:38 netlink charon: 01[JOB] deleting half open IKE_SA after timeout
May 23 09:04:38 netlink charon: 01[IKE] IKE_SA (unnamed)[39] state change: CONNECTING => DESTROYING
</pre>


Wireshark Capture on the client side (Win8.1) when trying to connect:
<pre>
Time Source Destination Src.Prt Dst.Prt Protocol Length Info
9.423422000 192.168.1.2 23.99.92.105 500 500 ISAKMP 922 IKE_SA_INIT MID=00 Initiator Request
9.931315000 23.99.92.105 192.168.1.2 500 500 ISAKMP 379 IKE_SA_INIT MID=00 Responder Response
9.977419000 192.168.1.2 23.99.92.105 4500 4500 ISAKMP 1238 IKE_AUTH MID=01 Initiator Request
10.965163000 192.168.1.2 23.99.92.105 4500 4500 ISAKMP 1238 IKE_AUTH MID=01 Initiator Request
11.980558000 192.168.1.2 23.99.92.105 4500 4500 ISAKMP 1238 IKE_AUTH MID=01 Initiator Request
</pre>


Thanks.