8

I have the newest version of Strongswan vpn on my ubuntu server running. I followed this tutorial here and got it to work on my android and Iphone.

Now I want to get it to work on my windows 10 laptop but when I try to connect via the vpn settings in windows I only get a "policy match error" and the event view gives me the error code "13868".

After much googling I still cant find any working solution.

What can I do?

sirzento
  • 183
  • 1
  • 1
  • 5

2 Answers2

16

The problem is most likely that the Windows client proposes a weak Diffie-Hellman (DH) group (1024-bit MODP). That group is not used anymore by strongSwan unless the user configures it explicitly.

You have two options:

  1. Configure Windows to use a stronger DH group. This can be done either
    • via Set-VpnConnectionIPsecConfiguration PowerShell cmdlet, which allows enabling stronger DH groups (e.g. group 14/2048-bit MODP or 384-bit ECP) and even other algorithms (e.g. AES-GCM combined-mode encryption/integrity, which is more efficient, but needs to be enabled explicitly on the server too)
    • or via registry by adding the DWORD key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256. Set it to 1 to enable (the other algorithms are still proposed), or 2 to enforce the use of 256-bit AES-CBC and 2048-bit MODP DH (only these will be proposed).
  2. Add the proposed, weak DH group (1024-bit MODP) to the IKE proposal on the server (e.g. configure something like ike=aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024, which adds it at the end so other clients may use stronger DH groups).

Option 1 is definitely preferred.

ecdsa
  • 3,800
  • 12
  • 26
-1

To find out what is the problem you should, as a first step, turn on logging and see what happens during the connection process. Here is the example config I use on my server.

/etc/strongswan.d/charon-logging.conf

charon {
    # Section to define file loggers, see LOGGER CONFIGURATION in
    # strongswan.conf(5).
    filelog {
        # <filename> is the full path to the log file.
        /var/log/strongswan.log {

            # Loglevel for a specific subsystem.
            # <subsystem> = <default>

            # If this option is enabled log entries are appended to the existing
            # file.
            append = yes

            # Default loglevel.
            default = 2

            # Enabling this option disables block buffering and enables line
            # buffering.
            # flush_line = no

            # Prefix each log entry with the connection name and a unique
            # numerical identifier for each IKE_SA.
            ike_name = yes

            # Adds the milliseconds within the current second after the
            # timestamp (separated by a dot, so time_format should end with %S
            # or %T).
            # time_add_ms = no

            # Prefix each log entry with a timestamp. The option accepts a
            # format string as passed to strftime(3).
            # time_format =
        }
    }
}

U can use it and analyze the log file to discover the issue. If you will not able to figure it out, post a connection log here I will try to help you.

  • I added this code to the conf file and restart the service with "systemctl restart strongswan". Tried to connect a few times with my windows laptop but I dont get a strongswan.log in /var/log/. – sirzento Apr 30 '19 at 10:41
  • Try to create this file with `sudo touch /var/log/strongswan.log`. Restart strongswan with `sudo service ipsec restart` or the way you've done it before. – Ivan Vartanyan Apr 30 '19 at 12:21
  • The problem could be that apparmor prevents the charon daemon from creating the log file. Unless you're in a high-security production environment, I find it easiest to disable apparmor. – deltamind106 Jan 26 '21 at 14:14