
I've been trying for two days to create an IKEv2 strongSwan VPN server (U5.7.2/K5.3.0-42-generic) on my personal VPS (Ubuntu 19.10) to do some tests before implementing it on the UniFi equipment at my work (I hope that will be possible).

I've used different tutorials and troubleshooting pages to build my config.

I'm using RADIUS authentication (with a local FreeRADIUS server) for the users.

And I'm facing this stupid issue; I hope one of you can take 2 minutes to help me :)

I will try to be as verbose as possible; do not hesitate to ask for more information if needed.

My ipsec.conf:

config setup
  strictcrlpolicy=yes
  uniqueids=never
conn roadwarrior
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes

  ike=aes256-sha1-modp1024,aes256gcm16-sha256-ecp521,aes256-sha256-ecp384
  esp=aes256-sha1,aes128-sha256-modp3072,aes256gcm16-sha256,aes256gcm16-ecp384

  dpdaction=clear
  dpddelay=180s
  rekey=no
  left=%any
  leftid=vpsXXXXXX.ovh.net
  leftcert=vpn.example.com.crt.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightauth=eap-radius
  eap_identity=%identity
  rightdns=8.8.8.8,8.8.4.4
  rightsourceip=10.10.10.0/24
  rightsendcert=never

My ipsec.secrets:

vpsXXXXXX.ovh.net : RSA vpn.example.com.key.der

My ipsec.d/ files:

~$ sudo ls /etc/ipsec.d/private/
vpn.example.com.key.der
~$ sudo ls /etc/ipsec.d/certs/
vpn.example.com.crt.pem
~$ sudo ls /etc/ipsec.d/cacerts/
vpnca.crt.der

I've imported my vpnca.crt.der on my Mac, my Android (strongSwan client), my Windows 10 Enterprise and a friend's Windows 10 Standard.

Everything is working fine for my Mac and my Android, but it's impossible to establish the connection with Windows.

In the swanctl --log:

14[CFG] selected peer config 'roadwarrior'
14[IKE] initiating EAP_IDENTITY method (id 0x00)
14[IKE] peer supports MOBIKE
14[IKE] authentication of 'vpsXXXXXX.ovh.net' (myself) with RSA signature successful
14[IKE] sending end entity cert "C=FR, O=Test Company, CN=vpsXXXXXX.ovh.net"
14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
14[ENC] splitting IKE message (1996 bytes) into 2 fragments
14[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
14[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
14[NET] sending packet: from XX.XX.XX.XX[4500] to YY.YY.YY.YY[4500] (1248 bytes)
14[NET] sending packet: from XX.XX.XX.XX[4500] to YY.YY.YY.YY[4500] (816 bytes)

On the Windows side, the error shown is the usual:

"IKE authentication credentials are unacceptable"

In the Event Viewer:

CoId={6C88B9D2-54F0-4671-A12D-B506DE75630F}: The user MYWORKDOMAIN\myuser dialed a connection named VPN Connection which has failed. The error code returned on failure is 13801.

What I've done on the Windows side:

  • Import the CA cert in Local Computer certificates -> Trusted Root Certification Authorities -> Certificates
  • Create the VPN connection under VPN Settings:
    • Server name or address: vpsXXXXXX.ovh.net
    • VPN type: IKEv2
    • Type of sign-in info: User and password
  • In the ncpa.cpl adapter properties:
    • Security:
      • Data encryption: Optional encryption
      • Authentication: Use Extensible Authentication Protocol (EAP): Microsoft: Secured password (EAP-MSCHAPv2) (encryption enabled)
    • Networking: unchecked IPv6

The CA has these attributes:

Version: V3
Serial Number: 73fbd6a8d90a33db
Signature algorithm: sha1RSA
Signature hash algorithm: sha1
Issuer: CN = TEST VPS CA, O = Test Company, C = FR
Valid from: Friday, March 27, 2020 3:15:29 PM
Valid to: Monday, March 27, 2023 3:15:29 PM
Subject: CN = TEST VPS CA, O = Test Company, C = FR
Public key: RSA (4096 bits)
Public key parameters: 05 00
Subject key identifier: 214851f1fe79e3719be0139fab1799a9d4a08561
Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1)
Basic Constraints: Subject Type=CA, Path Length Constraint=None
Key Usage: Information Not Available
Thumbprint: 78e8cc49ab508b8f477b419d369873036be488b4

The VPS cert attributes:

Version: 3
Serial Number: 3611432227629166526
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = FR, O = Test Company, CN = TEST VPS CA
Validity:
  Not Before: Mar 27 14:15:31 2020 GMT
  Not After : Mar 27 14:15:31 2023 GMT
Subject: C = FR, O = Test Company, CN = vpsXXXXXX.ovh.net
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
X509v3 extensions:
  X509v3 Authority Key Identifier: keyid:21:48:51:F1:FE:79:E3:71:9B:E0:13:9F:AB:17:99:A9:D4:A0:85:61
  X509v3 Subject Alternative Name: DNS:vpsXXXXXX.ovh.net
  X509v3 Extended Key Usage: TLS Web Server Authentication
Signature Algorithm: sha1WithRSAEncryption

Commands used to create the certificates:

# CA key and self-signed CA certificate (SHA-1 digest, serverAuth flag)
ipsec pki --gen --type rsa --size 4096 --outform pem > vpnca.key.pem
ipsec pki --self --flag serverAuth --in vpnca.key.pem --type rsa --digest sha1 \
    --dn "C=FR, O=Test Company, CN=TEST VPS CA" --ca > vpnca.crt.der
# Server key, its public key, and the server certificate issued by the CA
ipsec pki --gen --type rsa --size 4096 --outform pem > vpn.example.com.key.pem
ipsec pki --pub --in vpn.example.com.key.pem --type rsa > vpn.example.com.csr
ipsec pki --issue --cacert vpnca.crt.der --cakey vpnca.key.pem --digest sha1 \
    --dn "C=FR, O=Test Company, CN=vpsXXXXXX.ovh.net" \
    --san "vpsXXXXXX.ovh.net" --flag serverAuth --outform pem \
    < vpn.example.com.csr > vpn.example.com.crt.pem
# Convert the server key to DER, as referenced in ipsec.secrets
openssl rsa -in vpn.example.com.key.pem -out vpn.example.com.key.der -outform DER

cp vpnca.crt.der /etc/ipsec.d/cacerts
cp vpn.example.com.crt.pem /etc/ipsec.d/certs
cp vpn.example.com.key.der /etc/ipsec.d/private

I hope you have enough information and will be able to help me, because I really do not understand why my Windows does not reply to the IKE_AUTH packet...

Thanks for your help and take care!

mathpro
  • Is the CA certificate installed in the correct trust store on the Windows client (Local Computer / Trusted Root Certification Authorities / Certificates)? Also, you shouldn't use SHA-1 to sign certificates anymore. – ecdsa Mar 30 '20 at 08:49
  • Hey @ecdsa, as mentioned, yes, the root CA is under Local Computer/Trusted Root CA/Certificates. And thanks for the advice; it's just a lab, but I'll keep this in mind for the implementation on my work system – mathpro Mar 30 '20 at 08:52
  • Which point releases of Windows 10 did you use in the testing? – Gerrit Mar 30 '20 at 09:05
  • Hey @Gerrit: Tested with W10: 10.0.18362 Build 18362 and another from a friend (I just asked him his version, waiting for his reply) – mathpro Mar 30 '20 at 09:14
  • That should be a plenty new enough version. Perhaps what's going on here is that your CA doesn't allow the correct key usage. You should leave out the TLS web server extended key usage, because it is never used as a web server certificate itself, and you should definitely include the basic usage keyCertSign. Windows will validate that the CA is allowed to sign your web server certificate and, lacking keyCertSign, will find that it is not. – Gerrit Mar 30 '20 at 11:33
  • The Extended Key Usage "TLS Webserver" is added when you add the "--serverAuth" flag to ipsec pki. I just tested without it, and with it plus --flag ikeIntermediate, but it's the same: https://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq – mathpro Mar 30 '20 at 11:43
  • PS: I also tried to add the key DisableIKENameEkuCheck (1) to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters – mathpro Mar 30 '20 at 11:43
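A check script added here (not part of the question or of any comment) that inspects a CA and a server certificate with openssl for the points raised in the thread: the CA carries CA:TRUE and keyCertSign, the server certificate carries the dialled hostname as a DNS SAN and the serverAuth EKU, neither is signed with SHA-1, and the chain verifies. It assumes openssl is in PATH; the certificate files (PEM or DER, e.g. vpnca.crt.der and vpn.example.com.crt.pem) and the hostname are passed as arguments.

```shell
#!/bin/sh
# Lint an IKEv2 server certificate and its issuing CA for the properties the
# thread discusses (CA:TRUE, keyCertSign, SAN, serverAuth EKU, no SHA-1) and
# verify the chain. Assumes openssl is in PATH; file paths are arguments.

# Print the text dump of a PEM or DER certificate.
cert_text() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    || openssl x509 -in "$1" -inform DER -noout -text
}

# Emit the certificate as PEM whatever the input encoding.
to_pem() {
  openssl x509 -in "$1" 2>/dev/null || openssl x509 -in "$1" -inform DER
}

# check_ikev2_certs CA_FILE SERVER_FILE HOSTNAME
# Prints one "FAIL: ..." line per finding; the exit status is the finding count.
check_ikev2_certs() {
  ca_txt=$(cert_text "$1") || return 99
  srv_txt=$(cert_text "$2") || return 99
  host=$3
  fails=0

  # The CA must be flagged as a CA and be permitted to sign certificates.
  printf '%s\n' "$ca_txt" | grep -q 'CA:TRUE' \
    || { echo "FAIL: CA lacks basicConstraints CA:TRUE"; fails=$((fails+1)); }
  printf '%s\n' "$ca_txt" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' \
    || { echo "FAIL: CA keyUsage lacks keyCertSign"; fails=$((fails+1)); }

  # The server cert must carry the dialled hostname as a DNS SAN and serverAuth.
  printf '%s\n' "$srv_txt" | grep -A1 'Subject Alternative Name' | grep -Fqw "DNS:$host" \
    || { echo "FAIL: server cert SAN lacks DNS:$host"; fails=$((fails+1)); }
  printf '%s\n' "$srv_txt" | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL: server cert lacks serverAuth EKU"; fails=$((fails+1)); }

  # SHA-1 signatures are deprecated; flag either certificate signed with one.
  for txt in "$ca_txt" "$srv_txt"; do
    printf '%s\n' "$txt" | grep -qi 'Signature Algorithm: sha1' \
      && { echo "FAIL: SHA-1 signature found"; fails=$((fails+1)); }
  done

  # Finally, the chain itself has to verify against the CA.
  ca_pem=$(mktemp)
  to_pem "$1" > "$ca_pem"
  to_pem "$2" | openssl verify -CAfile "$ca_pem" >/dev/null 2>&1 \
    || { echo "FAIL: server cert does not verify against the CA"; fails=$((fails+1)); }
  rm -f "$ca_pem"
  return $fails
}
```

Run as `check_ikev2_certs /etc/ipsec.d/cacerts/vpnca.crt.der /etc/ipsec.d/certs/vpn.example.com.crt.pem vpsXXXXXX.ovh.net`; against certificates with the attributes listed above it reports at least the SHA-1 signatures and the absent Key Usage on the CA.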

0 Answers