I have an AWS instance that I want to be a VPN server. It will connect Windows 7 clients to a private network in the Amazon cloud.
- I have installed Ubuntu 12.04 and the
strongswan-ikev2
package. ipsec version
reportsLinux strongSwan U4.5.2/K3.2.0-52-virtual
- Note that both the client and server are behind NAT (the client because it is on a local office network, and the server because it is in Amazon's cloud). I have unblocked UDP ports 500 and 4500 on both the Amazon dashboard and the client's firewall.
This is /etc/ipsec.conf:
config setup plutostart=no conn %default keyexchange=ikev2 ike=aes256-sha1-modp1024! esp=aes256-sha1! dpdaction=clear dpddelay=300s rekey=no conn win7vpn left=%any leftsubnet=<amazon VPC CIDR block> leftauth=pubkey leftcert=openssl-cert.pem leftid=<vpn server public dns name> right=%any rightsourceip=<amazon private IP address, which elastic ip is forwarded to> rightauth=eap-mschapv2 rightsendcert=never eap_identity=%any auto=add
This is /etc/ipsec.secrets:
: RSA openssl-key.rsa TESTDOMAIN\testuser : EAP "testpassword"
I have added the CA certificate that signed the server's host cert to the local machine (not user) cert store so that Windows can authenticate the server.
I then try to connect to the server using the Windows 7 client as prescribed here, with one exception - I'm using the DNS name rather than the IP address. I enter the username, domain, and password in my ipsec.secrets file, and it tries to connect.
When it does, I get strongSwan logs that look like this. I munged these a bit for both censorship and clarity; CLIENTPUB/CLIENTPRIV are the client's public and private IP addresses and AMAZONPRIV is the server's private IP address (which is what the server's public IP - Amazon calls this an "Elastic IP" - forwards to).
Sep 4 00:16:17 localhost charon: 14[IKE] CLIENTPUB is initiating an IKE_SA
Sep 4 00:16:17 localhost charon: 14[NET] received packet: from CLIENTPUB[500] to AMAZONPRIV[500]
Sep 4 00:16:17 localhost charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 4 00:16:17 localhost charon: 14[IKE] CLIENTPUB is initiating an IKE_SA
Sep 4 00:16:17 localhost charon: 14[IKE] local host is behind NAT, sending keep alives
Sep 4 00:16:17 localhost charon: 14[IKE] remote host is behind NAT
Sep 4 00:16:17 localhost charon: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Sep 4 00:16:17 localhost charon: 14[NET] sending packet: from AMAZONPRIV[500] to CLIENTPUB[500]
Sep 4 00:16:17 localhost charon: 15[NET] received packet: from CLIENTPUB[4500] to AMAZONPRIV[4500]
Sep 4 00:16:17 localhost charon: 15[ENC] unknown attribute type INTERNAL_IP4_SERVER
Sep 4 00:16:17 localhost charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV) SA TSi TSr ]
Sep 4 00:16:17 localhost charon: 15[IKE] received cert request for "C=US, ST=TX, O=Test CA, CN=Test CA"
Sep 4 00:16:17 localhost charon: 15[IKE] received 316 cert requests for an unknown ca
Sep 4 00:16:17 localhost charon: 15[CFG] looking for peer configs matching AMAZONPRIV[%any]...CLIENTPUB[CLIENTPRIV]
Sep 4 00:16:17 localhost charon: 15[CFG] selected peer config 'dlpvpn'
Sep 4 00:16:17 localhost charon: 15[IKE] initiating EAP-Identity request
Sep 4 00:16:17 localhost charon: 15[IKE] peer supports MOBIKE
Sep 4 00:16:17 localhost charon: 15[IKE] authentication of 'C=US, ST=TX, O=DLP Test CA, CN=vpn.example.com' (myself) with RSA signature successful
Sep 4 00:16:17 localhost charon: 15[IKE] sending end entity cert "C=US, ST=TX, O=DLP Test CA, CN=vpn.example.com"
Sep 4 00:16:17 localhost charon: 15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sep 4 00:16:17 localhost charon: 15[NET] sending packet: from AMAZONPRIV[4500] to CLIENTPUB[4500]
At this point, Windows pops up an error message immediately:
Verifying user name and password...
Error 13801: IKE authentication credentials are unacceptable
After a few seconds, charon tries again and then closes the connection.
Sep 4 00:16:37 localhost charon: 16[IKE] sending keep alive
Sep 4 00:16:37 localhost charon: 16[NET] sending packet: from AMAZONPRIV[4500] to CLIENTPUB[4500]
Sep 4 00:16:47 localhost charon: 03[JOB] deleting half open IKE_SA after timeout
And that's it.
As far as I can tell, I'm following all of the instructions on the strongSwan wiki.
What am I doing wrong here?
Edit: this is definitely a problem with certificates. I disabled the extended validation checks by editing the registry and rebooting as described in MSKB926182 (lol if you wanted a link to that) and I can now connect to my VPN server with no errors. I'll figure out how to generate certs that satisfy the requirements and add an answer. Thanks to @ecdsa for the pointer to the cert page on the strongSwan wiki that got me pointed in the right direction.