5

I have an IKEv2 VPN setup (including certs) that worked fine on Windows 7. On Windows 10, the same config fails with 'IKE authentication credentials are unacceptable'. The server is strongSwan. The last lines in the log for a connection attempt are:

```
2016-02-11T12:34:57.457606+00:00 e01pfw01 charon: [info] 05[IKE] assigning virtual IP 10.7.220.6 to peer '**<removed>**'
2016-02-11T12:34:57.461904+00:00 e01pfw01 charon: [info] 05[IKE] CHILD_SA rw-ops{5592} established with SPIs c221e19b_i 29212c9e_o and TS 10.6.75.0/24 10.7.240.0/20 === 10.7.220.6/32
2016-02-11T12:34:57.518381+00:00 e01pfw01 vpn: [notice] + **<removed>** 10.7.220.6/32 == 212.159.106.131 -- 62.23.139.70 == 10.6.75.0/24
2016-02-11T12:34:57.580529+00:00 e01pfw01 vpn: [notice] + **<removed>** 10.7.220.6/32 == 212.159.106.131 -- 62.23.139.70 == 10.7.240.0/20
2016-02-11T12:34:57.581975+00:00 e01pfw01 charon: [info] 05[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) ]
2016-02-11T12:34:57.582578+00:00 e01pfw01 charon: [info] 05[NET] sending packet: from 62.23.139.70[4500] to 212.159.106.131[4500] (1412 bytes)
```

I cannot see any issues in the strongSwan log; in fact I don't even see a response to the last line above (even though I can see from a pcap that the client sends a response), so I would like to debug the IKE authentication process on the Windows 10 client. Can anyone tell me how this is done?

I have tried `netsh ras set tracing * enabled`. Log files are created, but nothing relevant to IKE authentication. `netsh ipsec dynamic set config property=ikelogging value=1` fails with 'The request is not supported'. I haven't been able to unearth anything else.

It occurred to me that the Windows 10 client might be causing a crash in strongSwan, but then something would appear in the log, right?

FatalFlaw
  • Check `netsh ras diagnostics * state=enabled`. Please check this file: `C:\Windows\tracing\RASMAN.LOG` – Tilo Dec 22 '17 at 21:02
  • Depends on the Windows version; try `netsh ras diagnostics set rastracing * enabled` – Tilo Dec 22 '17 at 21:07

2 Answers

5

For enabling logs, at least in the Creators Update and above for Windows, we added a new trace provider.

```
Netsh trace start VpnClient per=yes maxsize=0 filemode=single
<Repro the scenario>
Netsh trace stop
```

There is also `VpnClient_dbg` for additional verbose logging.

  • Here is some background info: https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/ – Tilo Dec 22 '17 at 20:16
2

OK, for anyone who experiences similar issues: the Windows event log showed that the connection failed with error code 13801. I looked that up here: https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/. #4 is 'VPN Server Name as given on client doesn't match with the subjectName of the server certificate'. I was trying to connect to the VPN server's IP address. I switched to the hostname and voila.

I would still be interested to know how to enable useful logging on the Windows 10 VPN client though ...

FatalFlaw
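The name-versus-certificate check behind error 13801 in the answer above, as an added PowerShell example that is not part of the question or either answer: it reads the ServerAddress of a Windows VPN profile and compares it with the subject CN and the DNS/IP subjectAltName entries of the server certificate. The profile name 'rw-ops' and the certificate path C:\temp\vpn-server.cer are placeholders; the certificate is assumed to have been exported from the strongSwan server to that file.

```powershell
# Added example, not code from the question or answers above: checks the cause
# behind error 13801 described in this answer, i.e. whether the ServerAddress of
# a Windows VPN profile matches a name in the IKEv2 server certificate.
# Placeholders: profile 'rw-ops', certificate exported to C:\temp\vpn-server.cer.
function Test-VpnServerName {
    param(
        [string]$ConnectionName = 'rw-ops',
        [string]$CertPath       = 'C:\temp\vpn-server.cer'
    )
    # The name the client compares against the certificate (hostname or IP literal).
    $target = (Get-VpnConnection -Name $ConnectionName -ErrorAction Stop).ServerAddress
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

    # Names the certificate is valid for: subject CN plus the DNS and IP entries
    # of the subjectAltName extension (OID 2.5.29.17) as Windows renders them.
    $dnsNames = @(); $ipNames = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $dnsNames += $Matches[1].Trim() }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^DNS Name=(.+)$')   { $dnsNames += $Matches[1].Trim() }
            if ($line -match '^IP Address=(.+)$') { $ipNames  += $Matches[1].Trim() }
        }
    }
    $parsed = $null
    $targetIsIp = [System.Net.IPAddress]::TryParse($target, [ref]$parsed)
    $match = $false
    if ($targetIsIp) {
        # An IP literal only matches an iPAddress SAN entry, never the CN.
        $match = $ipNames -contains $target
    } else {
        foreach ($n in $dnsNames) {
            # Exact (case-insensitive) match, or a single-label wildcard such as *.example.com.
            if ($n -ieq $target) { $match = $true }
            elseif ($n.StartsWith('*.') -and $target -imatch ('^[^.]+' + [regex]::Escape($n.Substring(1)) + '$')) { $match = $true }
        }
    }
    if ($match)          { $advice = 'OK: ServerAddress is covered by the certificate.' }
    elseif ($targetIsIp) { $advice = 'Profile uses an IP literal the certificate does not list; use the certificate hostname instead.' }
    else                 { $advice = 'Profile hostname is not in the certificate; fix ServerAddress or reissue the certificate.' }
    [pscustomobject]@{
        ServerAddress   = $target
        CertDnsNames    = $dnsNames
        CertIpAddresses = $ipNames
        NameMatches     = $match
        Advice          = $advice
    }
}
Test-VpnServerName
```

Run it on the client before touching the server: a `NameMatches` of `$false` with an IP literal in `ServerAddress` is exactly the situation the answer above resolved by switching to the hostname.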