I have StrongSwan 5.6.2 running on a Ubuntu 16.04 server which I am able to connect to from OSX Sierra using certificates, but I am not able to connect the same way from Windows 10. Can anyone please help?
I have opened UDP 500/4500 through the Firewall (AWS Security Group) and as mentioned, I can connect and authenticate to StrongSwan from OSX.
I have built StrongSwan from source using the following configuration:
./configure --prefix=/usr --sysconfdir=/etc \
--enable-systemd --enable-swanctl \
--disable-charon --disable-stroke --disable-scepclient \
--enable-gcm --enable-eap-tls --enable-eap-identity
and my swanctl configuration file has the following setup:
connections {
ikev2-cert {
version = 2
send_cert = always
encap = yes
pools = pool1
dpd_delay = 60s
unique = keep
local {
certs = vpn-server-cert.pem
id = vpnserver
}
remote {
auth = eap-tls
eap_id = %any
}
children {
net {
local_ts = 10.0.0.0/20
inactivity = 120s
}
}
}
}
pools {
pool1 {
addrs = 172.16.0.0/12
}
}
with the Server Certificate created with the flags --flag serverAuth --flag ikeIntermediate
ipsec pki --pub --in vpn-server-key.pem \
--type rsa | ipsec pki --issue --lifetime 1825 \
--cacert /etc/swanctl/x509ca/server-root-ca.pem \
--cakey /etc/swanctl/private/server-root-key.pem \
--dn "C=GB, O=Self signed, CN=VPN Server" \
--san vpnserver \
--flag serverAuth --flag ikeIntermediate \
--outform pem > vpn-server-cert.pem
I also had to set a registration key in Windows 10 so as to use better ciphers (head slap)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters [DWORD 32bit] NegotiateDH2048_AES256 1
The server log when the Windows 10 client tries to connect is as follows:
Apr 05 15:25:12 charon-systemd[1497]: 14[MGR] checkout IKEv2 SA by message with SPIs 6177fa9aadb3cdd5_i 0000000000000000_r
Apr 05 15:25:12 charon-systemd[1497]: received packet: from 35.36.37.38[42772] to 10.0.3.212[500] (624 bytes)
Apr 05 15:25:12 charon-systemd[1497]: 14[MGR] created IKE_SA (unnamed)[19]
Apr 05 15:25:12 charon-systemd[1497]: parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Apr 05 15:25:12 charon-systemd[1497]: 14[NET] received packet: from 35.36.37.38[42772] to 10.0.3.212[500] (624 bytes)
Apr 05 15:25:12 charon-systemd[1497]: received MS NT5 ISAKMPOAKLEY v9 vendor ID
Apr 05 15:25:12 charon-systemd[1497]: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Apr 05 15:25:12 charon-systemd[1497]: received MS-Negotiation Discovery Capable vendor ID
Apr 05 15:25:12 charon-systemd[1497]: 14[CFG] looking for an ike config for 10.0.3.212...35.36.37.38
Apr 05 15:25:12 charon-systemd[1497]: received Vid-Initial-Contact vendor ID
Apr 05 15:25:12 charon-systemd[1497]: 14[CFG] ike config match: 28 (10.0.3.212 35.36.37.38 IKEv2)
Apr 05 15:25:12 charon-systemd[1497]: received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Apr 05 15:25:12 charon-systemd[1497]: 14[CFG] candidate: %any...%any, prio 28
Apr 05 15:25:12 charon-systemd[1497]: 35.36.37.38 is initiating an IKE_SA
Apr 05 15:25:12 charon-systemd[1497]: 14[CFG] found matching ike config: %any...%any with prio 28
Apr 05 15:25:12 charon-systemd[1497]: 14[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Apr 05 15:25:12 charon-systemd[1497]: 14[IKE] received MS-Negotiation Discovery Capable vendor ID
Apr 05 15:25:12 charon-systemd[1497]: 14[IKE] received Vid-Initial-Contact vendor ID
Apr 05 15:25:12 charon-systemd[1497]: 14[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Apr 05 15:25:12 charon-systemd[1497]: 14[IKE] 35.36.37.38 is initiating an IKE_SA
Apr 05 15:25:12 charon-systemd[1497]: 14[IKE] IKE_SA (unnamed)[19] state change: CREATED => CONNECTING
Apr 05 15:25:12 charon-systemd[1497]: 14[CFG] selecting proposal:
Apr 05 15:25:12 charon-systemd[1497]: 14[CFG] proposal matches
Apr 05 15:25:12 charon-systemd[1497]: 14[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
Apr 05 15:25:12 charon-systemd[1497]: 14[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Apr 05 15:25:12 charon-systemd[1497]: 14[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Apr 05 15:25:12 charon-systemd[1497]: 14[LIB] size of DH secret exponent: 2047 bits
Apr 05 15:25:12 charon-systemd[1497]: 14[IKE] local host is behind NAT, sending keep alives
Apr 05 15:25:12 charon-systemd[1497]: local host is behind NAT, sending keep alives
Apr 05 15:25:12 charon-systemd[1497]: 01[JOB] next event in 19s 999ms, waiting
Apr 05 15:25:12 charon-systemd[1497]: 14[IKE] remote host is behind NAT
Apr 05 15:25:12 charon-systemd[1497]: remote host is behind NAT
Apr 05 15:25:12 charon-systemd[1497]: sending cert request for "C=GB, O=Self Signed, CN=VPN Server Root CA"
Apr 05 15:25:12 charon-systemd[1497]: 14[IKE] 0: 0E F2 A0 61 A3 44 38 E5 49 4A B1 50 BE 3C 7C 7B ...a.D8.IJ.P.<|{
Apr 05 15:25:12 charon-systemd[1497]: generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Apr 05 15:25:12 charon-systemd[1497]: 14[IKE] 16: E0 B4 5C C1 ..\.
Apr 05 15:25:12 charon-systemd[1497]: sending packet: from 10.0.3.212[500] to 35.36.37.38[42772] (465 bytes)
Apr 05 15:25:12 charon-systemd[1497]: 14[IKE] sending cert request for "C=GB, O=Self Signed, CN=VPN Server Root CA"
Apr 05 15:25:12 charon-systemd[1497]: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Apr 05 15:25:12 charon-systemd[1497]: 14[NET] sending packet: from 10.0.3.212[500] to 35.36.37.38[42772] (465 bytes)
Apr 05 15:25:12 charon-systemd[1497]: 01[JOB] next event in 19s 998ms, waiting
Apr 05 15:25:12 charon-systemd[1497]: 14[MGR] checkin IKE_SA (unnamed)[19]
Apr 05 15:25:12 charon-systemd[1497]: 14[MGR] checkin of IKE_SA successful
Apr 05 15:25:32 charon-systemd[1497]: 01[JOB] got event, queuing job for execution
Apr 05 15:25:32 charon-systemd[1497]: sending keep alive to 35.36.37.38[42772]
Apr 05 15:25:32 charon-systemd[1497]: 01[JOB] next event in 10s 1ms, waiting
Apr 05 15:25:32 charon-systemd[1497]: 16[MGR] checkout IKEv2 SA with SPIs 6177fa9aadb3cdd5_i 222d0fd2d78e519d_r
Apr 05 15:25:32 charon-systemd[1497]: 16[MGR] IKE_SA (unnamed)[19] successfully checked out
Apr 05 15:25:32 charon-systemd[1497]: 16[IKE] sending keep alive to 35.36.37.38[42772]
Apr 05 15:25:32 charon-systemd[1497]: 16[MGR] checkin IKE_SA (unnamed)[19]
Apr 05 15:25:32 charon-systemd[1497]: 16[MGR] checkin of IKE_SA successful
Apr 05 15:25:32 charon-systemd[1497]: 01[JOB] next event in 10s 0ms, waiting
Apr 05 15:25:42 charon-systemd[1497]: 01[JOB] got event, queuing job for execution
Apr 05 15:25:42 charon-systemd[1497]: deleting half open IKE_SA with 35.36.37.38 after timeout
I notice in the Windows 10 VPN configurator, that there is no where to set the Remote ID or the Local ID (as there is in OSX), so I'm guessing there's a magical way for Microsoft (as usual).
The answer was in the certificate format for both the server and the client.
Windows requires the Hostname or IP Address to be listed in a
san, whilst OSX requires theRemote IDto be in asan, so you end up with a server certificate that looks like thisA similar story applies for the client certificate. With the swanctl configuration set as
eap_id = %any, StrongSwan requests the client for its identity. Windows returns the CN part of its certificate, whilst OSX returns theLocal ID, which means the certificate looks like this:In the configuration settings of Windows, you can tell it to use a different username and also what server to connect to, which I suspect will make it act the same as OSX, but by default, these are not selected.
Windows also authenticates the server which will give a warning of unknown server, which you can click 'continue' to or you can disable
server authentication checkingfrom inside the Windows client VPN settings (not recommended).