Discussion:
[strongSwan] Sudden issues with Windows 10 clients
Houman
2018-05-07 13:17:38 UTC
Hello,

Until a week ago a user with Windows 10 had no issue connecting to the
StrongSwan server. But now out of the blue, he can't connect to the
StrongSwan server anymore.

The log on the server is:

May 7 12:31:06 vpn-p1 charon: 08[IKE] received proposals inacceptable
May 7 12:31:06 vpn-p1 charon: 08[ENC] generating IKE_SA_INIT response 0 [
N(NO_PROP) ]
May 7 12:31:06 vpn-p1 charon: 08[NET] sending packet: from
xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
May 7 12:32:09 vpn-p1 systemd[1]: Started Session 35 of user root.
May 7 12:46:21 vpn-p1 systemd[1]: Starting Cleanup of Temporary
Directories...
May 7 12:46:21 vpn-p1 systemd-tmpfiles[7016]:
[/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log",
ignoring.
May 7 12:46:21 vpn-p1 systemd[1]: Started Cleanup of Temporary Directories.
May 7 13:00:13 vpn-p1 systemd[1]: Starting Certbot...
May 7 13:00:13 vpn-p1 systemd[1]: Started Certbot.
May 7 13:08:20 vpn-p1 systemd[1]: Started Session 36 of user root.
May 7 13:11:27 vpn-p1 charon: 12[NET] received packet: from
91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
May 7 13:11:27 vpn-p1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May 7 13:11:27 vpn-p1 charon: 12[IKE] received MS NT5 ISAKMPOAKLEY v9
vendor ID
May 7 13:11:27 vpn-p1 charon: 12[IKE] received MS-Negotiation Discovery
Capable vendor ID
May 7 13:11:27 vpn-p1 charon: 12[IKE] received Vid-Initial-Contact vendor
ID
May 7 13:11:27 vpn-p1 charon: 12[ENC] received unknown vendor ID:
01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May 7 13:11:27 vpn-p1 charon: 12[IKE] 91.98.xxx.xxx is initiating an IKE_SA
May 7 13:11:27 vpn-p1 charon: 12[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
May 7 13:11:27 vpn-p1 charon: 12[CFG] configured proposals:
IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384,
IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 7 13:11:27 vpn-p1 charon: 12[IKE] remote host is behind NAT
May 7 13:11:27 vpn-p1 charon: 12[IKE] received proposals inacceptable
May 7 13:11:27 vpn-p1 charon: 12[ENC] generating IKE_SA_INIT response 0 [
N(NO_PROP) ]
May 7 13:11:27 vpn-p1 charon: 12[NET] sending packet: from
xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
May 7 13:11:28 vpn-p1 charon: 16[NET] received packet: from
91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
May 7 13:11:28 vpn-p1 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May 7 13:11:28 vpn-p1 charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9
vendor ID
May 7 13:11:28 vpn-p1 charon: 16[IKE] received MS-Negotiation Discovery
Capable vendor ID
May 7 13:11:28 vpn-p1 charon: 16[IKE] received Vid-Initial-Contact vendor
ID
May 7 13:11:28 vpn-p1 charon: 16[ENC] received unknown vendor ID:
01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May 7 13:11:28 vpn-p1 charon: 16[IKE] 91.98.xxx.xxx is initiating an IKE_SA
May 7 13:11:28 vpn-p1 charon: 16[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
May 7 13:11:28 vpn-p1 charon: 16[CFG] configured proposals:
IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384,
IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 7 13:11:28 vpn-p1 charon: 16[IKE] remote host is behind NAT
May 7 13:11:28 vpn-p1 charon: 16[IKE] received proposals inacceptable
May 7 13:11:28 vpn-p1 charon: 16[ENC] generating IKE_SA_INIT response 0 [
N(NO_PROP) ]
May 7 13:11:28 vpn-p1 charon: 16[NET] sending packet: from
xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)

The Server's ipsec.conf is:

config setup
strictcrlpolicy=yes
uniqueids=never
conn roadwarrior
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes

ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!
esp=aes256gcm16-sha256,aes256-3des-sha256-sha1!
dpdaction=clear
dpddelay=180s
rekey=no
left=%any
leftid=@${VPNHOST}
leftcert=cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-radius
eap_identity=%any
rightdns=208.67.222.222,208.67.220.220
rightsourceip=${VPNIPPOOL}
rightsendcert=never

Have the supported ike/esp proposals somehow been changed recently after a
recent Windows 10 update?

I have made these changes on the Windows 10, after googling for a solution:

- The firewall on Windows 10 is currently disabled.
- I have set NegotiateDH2048_AES256 = 1 in Regedit
- AssumeUDPEncapsulationContextOnSendRule = 2 in Regedit

I can't think of anything else I could do on the Windows 10 client.

According to my notes, these are the proposed protocols for Windows 10:

# these ike and esp settings are tested on Mac 10.12, iOS 10 and Windows 10
# iOS/Mac with appropriate configuration profiles use
AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_521
# Windows 10 uses AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384

Is there a website that translates
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384 into the right
naming for ipsec.conf so that I enter them under ike and esp respectively?
I can't quite make out if I have these settings there or not.

If you have any other advice, please help me.

Many Thanks,
Jafar Al-Gharaibeh
2018-05-07 14:50:23 UTC
Houman,

  The Windows client proposals do not match your configured proposals.
Your Windows client expects DH group 15 (MODP2048), whereas you have:

aes256-3des-sha1-modp1024

change that to:

aes256-3des-sha1-modp2048

I'd also add sha256 at least before sha1 (deemed insecure). If you still
have other clients expecting modp1024, make it:

aes256-3des-sha256-sha1-modp2048-modp1024

That should get you covered.

Regards,
Jafar
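
Added example, not part of the original thread and not strongSwan code: a small script that reads the `received proposals` / `configured proposals` lines charon logs, rewrites each transform into its ipsec.conf keyword, and reports which transform type has no overlap in the closest-matching proposal pairs. The function names are made up for this example, and the rewrite rules cover only the transform families that appear in this thread's logs.

```python
import re

# Rewrite rules: charon log notation -> ipsec.conf proposal keyword.
# Only the transform families seen in this thread are covered (assumption).
RULES = [
    ("ENCR",  r"AES_CBC_(\d+)",       r"aes\1"),
    ("ENCR",  r"AES_GCM_(\d+)_(\d+)", r"aes\2gcm\1"),   # ICV bytes, key bits
    ("ENCR",  r"3DES_CBC",            "3des"),
    ("INTEG", r"HMAC_SHA1_96",        "sha1"),
    ("INTEG", r"HMAC_SHA2_(\d+)_\d+", r"sha\1"),
    ("PRF",   r"PRF_HMAC_SHA1",       "prfsha1"),
    ("PRF",   r"PRF_HMAC_SHA2_(\d+)", r"prfsha\1"),
    ("DH",    r"MODP_(\d+)",          r"modp\1"),
    ("DH",    r"ECP_(\d+)",           r"ecp\1"),
]
ORDER = ["ENCR", "INTEG", "PRF", "DH"]
CFG_LINE = re.compile(r"\[CFG\] (received|configured) proposals: (.+)")


def parse_proposal(text):
    """'IKE:A/B/C' -> {transform type: [ipsec.conf keywords]}."""
    body = text.strip().split(":", 1)[-1]
    parsed = {}
    for name in body.split("/"):
        for kind, pattern, repl in RULES:
            m = re.fullmatch(pattern, name)
            if m:
                parsed.setdefault(kind, []).append(m.expand(repl))
                break
        else:
            raise ValueError(f"no rewrite rule for transform {name!r}")
    return parsed


def to_conf(text):
    """Translate one logged proposal into an ike=/esp= style string."""
    parsed = parse_proposal(text)
    return "-".join(kw for kind in ORDER for kw in parsed.get(kind, []))


def extract_proposals(log):
    """Collect the last received/configured proposal lists found in a log."""
    found = {"received": [], "configured": []}
    for m in CFG_LINE.finditer(log):
        found[m.group(1)] = [parse_proposal(p) for p in m.group(2).split(", ")]
    return found


def missing_types(offer, local):
    """Transform types for which the two proposals share no algorithm."""
    return [k for k in ORDER
            if (k in offer or k in local)
            and not set(offer.get(k, [])) & set(local.get(k, []))]


def diagnose(log):
    """Return the (gap, offer, local) pairs that are closest to matching."""
    props = extract_proposals(log)
    pairs = [(missing_types(o, c), o, c)
             for o in props["received"] for c in props["configured"]]
    if not pairs:
        return []
    fewest = min(len(gap) for gap, _, _ in pairs)
    return [p for p in pairs if len(p[0]) == fewest]


# The two [CFG] lines from the server log in the first post, with the
# mail client's line wraps rejoined.
SAMPLE_LOG = (
    "May 7 13:11:27 vpn-p1 charon: 12[CFG] received proposals: "
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048\n"
    "May 7 13:11:27 vpn-p1 charon: 12[CFG] configured proposals: "
    "IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, "
    "IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024\n"
)

if __name__ == "__main__":
    for gap, offer, local in diagnose(SAMPLE_LOG):
        print("no common", "/".join(gap), "- client offers", offer["DH"],
              "server allows", local["DH"])
```

On the log from the first post, both closest pairs differ only in the DH group (client `modp2048`, server `modp1024` or `ecp384`), which is the mismatch pointed out in the reply above.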
Houman
2018-05-10 19:34:12 UTC
Hi guys,

Unfortunately, this isn't just limited to Windows, I have the same issue
with iPhone. I strongly believe this is because IKEV2 traffic could have
been blocked in my user's country. My user has been utilising this server
without any issues until last week and suddenly it has stopped working.

Please see the logs, this is when he is trying to connect from an iPhone:

May 10 20:26:45 vpn-server charon: 01[NET] received packet: from
91.99.xxx.xx[500] to 172.31.xxx.xxx[500] (604 bytes)

May 10 20:26:45 vpn-server charon: 01[ENC] parsed IKE_SA_INIT request 0 [
SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]

May 10 20:26:45 vpn-server charon: 01[IKE] 91.99.xxx.xx is initiating an
IKE_SA

May 10 20:26:45 vpn-server charon: 01[IKE] local host is behind NAT,
sending keep alives

May 10 20:26:45 vpn-server charon: 01[IKE] remote host is behind NAT

May 10 20:26:45 vpn-server charon: 01[IKE] DH group MODP_2048 inacceptable,
requesting MODP_1024

May 10 20:26:45 vpn-server charon: 01[ENC] generating IKE_SA_INIT response
0 [ N(INVAL_KE) ]

May 10 20:26:45 vpn-server charon: 01[NET] sending packet: from
172.31.xxx.xxx[500] to 91.99.xxx.xx[500] (38 bytes)

May 10 20:26:48 vpn-server charon: 12[NET] received packet: from
91.99.xxx.xx[500] to 172.31.xxx.xxx[500] (604 bytes)

May 10 20:26:48 vpn-server charon: 12[ENC] parsed IKE_SA_INIT request 0 [
SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]

May 10 20:26:48 vpn-server charon: 12[IKE] 91.99.xxx.xx is initiating an
IKE_SA

May 10 20:26:48 vpn-server charon: 12[IKE] local host is behind NAT,
sending keep alives

May 10 20:26:48 vpn-server charon: 12[IKE] remote host is behind NAT

May 10 20:26:48 vpn-server charon: 12[IKE] DH group MODP_2048 inacceptable,
requesting MODP_1024

May 10 20:26:48 vpn-server charon: 12[ENC] generating IKE_SA_INIT response
0 [ N(INVAL_KE) ]

May 10 20:26:48 vpn-server charon: 12[NET] sending packet: from
172.31.xxx.xxx[500] to 91.99.xxx.xx[500] (38 bytes)


And this is when I try to connect from my iPhone:


May 10 20:10:25 vpn-server systemd[1]: Starting Cleanup of Temporary
Directories...

May 10 20:10:25 vpn-server systemd-tmpfiles[2631]:
[/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log",
ignoring.

May 10 20:10:25 vpn-server systemd[1]: Started Cleanup of Temporary
Directories.

May 10 20:10:57 vpn-server charon: 06[NET] received packet: from
88.98.xxx.xxx[39064] to 172.31.xxx.xxx[500] (604 bytes)

May 10 20:10:57 vpn-server charon: 06[ENC] parsed IKE_SA_INIT request 0 [
SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]

May 10 20:10:57 vpn-server charon: 06[IKE] 88.98.xxx.xxx is initiating an
IKE_SA

May 10 20:10:57 vpn-server charon: 06[IKE] local host is behind NAT,
sending keep alives

May 10 20:10:57 vpn-server charon: 06[IKE] remote host is behind NAT

May 10 20:10:57 vpn-server charon: 06[IKE] DH group MODP_2048 inacceptable,
requesting MODP_1024

May 10 20:10:57 vpn-server charon: 06[ENC] generating IKE_SA_INIT response
0 [ N(INVAL_KE) ]

May 10 20:10:57 vpn-server charon: 06[NET] sending packet: from
172.31.xxx.xxx[500] to 88.98.xxx.xxx[39064] (38 bytes)

May 10 20:10:57 vpn-server charon: 05[NET] received packet: from
88.98.xxx.xxx[39064] to 172.31.xxx.xxx[500] (476 bytes)

May 10 20:10:57 vpn-server charon: 05[ENC] parsed IKE_SA_INIT request 0 [
SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]

May 10 20:10:57 vpn-server charon: 05[IKE] 88.98.xxx.xxx is initiating an
IKE_SA

May 10 20:10:57 vpn-server charon: 05[IKE] local host is behind NAT,
sending keep alives

May 10 20:10:57 vpn-server charon: 05[IKE] remote host is behind NAT

May 10 20:10:57 vpn-server charon: 05[ENC] generating IKE_SA_INIT response
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]

May 10 20:10:57 vpn-server charon: 05[NET] sending packet: from
172.31.xxx.xxx[500] to 88.98.xxx.xxx[39064] (316 bytes)

May 10 20:10:58 vpn-server charon: 04[NET] received packet: from
88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (500 bytes)

May 10 20:10:58 vpn-server charon: 04[ENC] unknown attribute type (25)

May 10 20:10:58 vpn-server charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi
N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6
(25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]

May 10 20:10:58 vpn-server charon: 04[CFG] looking for peer configs
matching 172.31.xxx.xxx[vpn1.xxx.com]...88.98.xxx.xxx[vpn1.xxx.com]

May 10 20:10:58 vpn-server charon: 04[CFG] selected peer config
'roadwarrior'

May 10 20:10:58 vpn-server charon: 04[IKE] initiating EAP_IDENTITY method
(id 0x00)

May 10 20:10:58 vpn-server charon: 04[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding

May 10 20:10:58 vpn-server charon: 04[IKE] peer supports MOBIKE

May 10 20:10:58 vpn-server charon: 04[IKE] authentication of 'vpn1.xxx.com'
(myself) with RSA signature successful

May 10 20:10:58 vpn-server charon: 04[IKE] sending end entity cert "CN=
vpn1.xxx.com"

May 10 20:10:58 vpn-server charon: 04[IKE] sending issuer cert "C=US,
O=Let's Encrypt, CN=Let's Encrypt Authority X3"

May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [
IDr CERT CERT AUTH EAP/REQ/ID ]

May 10 20:10:58 vpn-server charon: 04[ENC] splitting IKE message with
length of 3596 bytes into 8 fragments

May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [
EF(1/8) ]

May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [
EF(2/8) ]

May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [
EF(3/8) ]

May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [
EF(4/8) ]

May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [
EF(5/8) ]

May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [
EF(6/8) ]

May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [
EF(7/8) ]

May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [
EF(8/8) ]

May 10 20:10:58 vpn-server charon: 04[NET] sending packet: from
172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (544 bytes)

May 10 20:10:58 vpn-server charon: message repeated 6 times: [ 04[NET]
sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (544
bytes)]

May 10 20:10:58 vpn-server charon: 04[NET] sending packet: from
172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (192 bytes)

May 10 20:10:58 vpn-server charon: 03[NET] received packet: from
88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (76 bytes)

May 10 20:10:58 vpn-server charon: 03[ENC] parsed IKE_AUTH request 2 [
EAP/RES/ID ]

May 10 20:10:58 vpn-server charon: 03[IKE] received EAP identity 'houmie'

May 10 20:10:58 vpn-server charon: 03[IKE] initiating EAP_MSCHAPV2 method
(id 0xAE)

May 10 20:10:58 vpn-server charon: 03[ENC] generating IKE_AUTH response 2 [
EAP/REQ/MSCHAPV2 ]

May 10 20:10:58 vpn-server charon: 03[NET] sending packet: from
172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (100 bytes)

May 10 20:10:58 vpn-server charon: 02[NET] received packet: from
88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (124 bytes)

May 10 20:10:58 vpn-server charon: 02[ENC] parsed IKE_AUTH request 3 [
EAP/RES/MSCHAPV2 ]

May 10 20:10:58 vpn-server charon: 02[ENC] generating IKE_AUTH response 3 [
EAP/REQ/MSCHAPV2 ]

May 10 20:10:58 vpn-server charon: 02[NET] sending packet: from
172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (132 bytes)

May 10 20:10:58 vpn-server charon: 01[NET] received packet: from
88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (68 bytes)

May 10 20:10:58 vpn-server charon: 01[ENC] parsed IKE_AUTH request 4 [
EAP/RES/MSCHAPV2 ]

May 10 20:10:58 vpn-server charon: 01[IKE] EAP method EAP_MSCHAPV2
succeeded, MSK established

May 10 20:10:58 vpn-server charon: 01[ENC] generating IKE_AUTH response 4 [
EAP/SUCC ]

May 10 20:10:58 vpn-server charon: 01[NET] sending packet: from
172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (68 bytes)

May 10 20:10:58 vpn-server charon: 12[NET] received packet: from
88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (84 bytes)

May 10 20:10:58 vpn-server charon: 12[ENC] parsed IKE_AUTH request 5 [ AUTH
]

May 10 20:10:58 vpn-server charon: 12[IKE] authentication of 'vpn1.xxx.com'
with EAP successful

May 10 20:10:58 vpn-server charon: 12[IKE] authentication of 'vpn1.xxx.com'
(myself) with EAP

May 10 20:10:58 vpn-server charon: 12[IKE] IKE_SA roadwarrior[2]
established between 172.31.xxx.xxx[vpn1.xxx.com]...88.98.xxx.xxx[
vpn1.xxx.com]

May 10 20:10:58 vpn-server charon: 12[IKE] peer requested virtual IP %any

May 10 20:10:58 vpn-server charon: 12[CFG] assigning new lease to 'houmie'

May 10 20:10:58 vpn-server charon: 12[IKE] assigning virtual IP 10.10.10.1
to peer 'houmie'

May 10 20:10:58 vpn-server charon: 12[IKE] peer requested virtual IP %any6

May 10 20:10:58 vpn-server charon: 12[IKE] no virtual IP found for %any6
requested by 'houmie'

May 10 20:10:58 vpn-server charon: 12[IKE] CHILD_SA roadwarrior{1}
established with SPIs c0b075ce_i 0789b8c0_o and TS 0.0.0.0/0 ===
10.10.10.1/32

May 10 20:10:58 vpn-server charon: 12[ENC] generating IKE_AUTH response 5 [
AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]

May 10 20:10:58 vpn-server charon: 12[NET] sending packet: from
172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (228 bytes)

The config that is working for my iPhone is this:

config setup

strictcrlpolicy=yes

uniqueids=never

conn roadwarrior

auto=add

compress=no

type=tunnel

keyexchange=ikev2

fragmentation=yes

forceencaps=yes


ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!

esp=aes256gcm16-sha256,aes256-3des-sha256-sha1!

dpdaction=clear

dpddelay=180s

rekey=no

left=%any

leftid=@vpn1.xxx.com

leftcert=cert.pem

leftsendcert=always

leftsubnet=0.0.0.0/0

right=%any

rightid=%any

rightauth=eap-mschapv2

eap_identity=%any

rightdns=8.8.8.8,8.8.4.4

rightsourceip=10.10.10.0/24

rightsendcert=never

Please let me know if you see any obvious problem. But I strongly believe
they have blocked the IKEV2 traffic...

Many Thanks,
Houman
Hi Tobias,
The PRF algorithm is derived from the integrity algorithm,
but only if a DH group is also configured.
Correct?
Regards,
Jafar
Hi Jafar,
No need to configure a prf, it is already assumed when you
configured a DH group; so you can drop prfsha256.
Small correction, the PRF algorithm, if not configured explicitly, is
not derived from the DH group, but the integrity algorithm, in this case
sha256.
Regards,
Tobias
Jafar Al-Gharaibeh
2018-05-11 15:00:14 UTC
1) The log shows that while it took a couple of attempts to establish
an IKE SA, it was eventually up with an ESP Child SA as well. So, as
far as I can see in your logs, the connection should be up. What happens
next? Do the logs show that the connection is dropped for some reason?
What is the output of "ipsec statusall"? Can you confirm that you are
receiving ESP packets afterward, or if ESP is blocked?

2) Depending on the vpn clients  you use, your proposals seem OK. I
would expand them a bit with better DH group in case the client supports
it in both IKE and ESP configs. In ESP case you can have two proposals,
with and without DH groups if you have clients that can't do DH with
ESP. Unless you really think you need 3des-sha1 for some clients, there
is no reason to keep it. Here is an example:

ike=aes256-sha256-ecp521-ecp256-modp4096-modp2048!
esp=aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!


Regards,
Jafar
Hello Jafar,
Apologies, as I didn't explain what I had already tried.
 ike=aes256-sha256-prfsha256-modp2048-modp1024!
 esp=aes256-sha256,aes256-sha1,3des-sha1!
I can connect to it via iOS 11 and OSX High Sierra without any problem
from UK.  And I no longer get that error message: "DH group MODP_2048
inacceptable, requesting MODP_1024".
However my user still can't connect.  As he is connecting from Iran, I
strongly suspect this is because of a recent tightening of the VPN
traffic due to the recent political circumstances.  Further below I
have pasted the log when he is trying to connect unsuccessfully. It
says "Connecting..." and after a few seconds, it drops.
2) Unrelated to that, considering what we discussed in this thread, it
seems I could skip both *prfsha256* and *modp1024*. Would you say this
is now the perfect settings for iOS 10+, OSX and Windows 10?
* ike=aes256-sha256-modp2048!*
* esp=aes256-sha256,aes256-sha1,3des-sha1!*
Many Thanks for your help,
Houman
May 11 07:55:16 vpn-server charon: 02[NET] received packet: from
109.230.xxx.xx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 11 07:55:16 vpn-server charon: 02[ENC] parsed IKE_SA_INIT request
0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 11 07:55:16 vpn-server charon: 02[IKE] 109.230.xxx.xx is
initiating an IKE_SA
May 11 07:55:16 vpn-server charon: 02[IKE] local host is behind NAT,
sending keep alives
May 11 07:55:16 vpn-server charon: 02[IKE] remote host is behind NAT
May 11 07:55:16 vpn-server charon: 02[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
May 11 07:55:16 vpn-server charon: 02[NET] sending packet: from
172.31.xxx.xxx[500] to 109.230.xxx.xx[500] (448 bytes)
May 11 07:55:36 vpn-server charon: 01[IKE] sending keep alive to
109.230.xxx.xx[500]
May 11 07:55:46 vpn-server charon: 11[JOB] deleting half open IKE_SA
after timeout
May 11 07:57:44 vpn-server charon: 16[NET] received packet: from
109.230.xxx.xx[1] to 172.31.xxx.xxx[500] (624 bytes)
May 11 07:57:44 vpn-server charon: 16[ENC] parsed IKE_SA_INIT request
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May 11 07:57:44 vpn-server charon: 16[IKE] received MS NT5
ISAKMPOAKLEY v9 vendor ID
May 11 07:57:44 vpn-server charon: 16[IKE] received MS-Negotiation
Discovery Capable vendor ID
May 11 07:57:44 vpn-server charon: 16[IKE] received
Vid-Initial-Contact vendor ID
01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May 11 07:57:44 vpn-server charon: 16[IKE] 109.230.xxx.xx is
initiating an IKE_SA
May 11 07:57:44 vpn-server charon: 16[IKE] local host is behind NAT,
sending keep alives
May 11 07:57:44 vpn-server charon: 16[IKE] remote host is behind NAT
May 11 07:57:44 vpn-server charon: 16[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
May 11 07:57:44 vpn-server charon: 16[NET] sending packet: from
172.31.xxx.xxx[500] to 109.230.xxx.xx[1] (440 bytes)
May 11 07:57:45 vpn-server charon: 04[NET] received packet: from
109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (1536 bytes)
May 11 07:57:45 vpn-server charon: 04[ENC] parsed IKE_AUTH request 1 [
IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA
TSi TSr ]
May 11 07:57:45 vpn-server charon: 04[IKE] received 54 cert requests
for an unknown ca
May 11 07:57:45 vpn-server charon: 04[CFG] looking for peer configs
matching 172.31.xxx.xxx[%any]...109.230.xxx.xx[192.168.1.103]
May 11 07:57:45 vpn-server charon: 04[CFG] selected peer config
'roadwarrior'
May 11 07:57:45 vpn-server charon: 04[IKE] initiating EAP_IDENTITY
method (id 0x00)
May 11 07:57:45 vpn-server charon: 04[IKE] peer supports MOBIKE
May 11 07:57:45 vpn-server charon: 04[IKE] authentication of
'vpn1.xxx.com' (myself) with RSA signature
successful
May 11 07:57:45 vpn-server charon: 04[IKE] sending end entity cert
"CN=vpn1.xxx.com"
May 11 07:57:45 vpn-server charon: 04[IKE] sending issuer cert "C=US,
O=Let's Encrypt, CN=Let's Encrypt Authority X3"
May 11 07:57:45 vpn-server charon: 04[ENC] generating IKE_AUTH
response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
May 11 07:57:45 vpn-server charon: 04[NET] sending packet: from
172.31.xxx.xxx[4500] to 109.230.xxx.xx[1024] (3616 bytes)
May 11 07:57:45 vpn-server charon: 02[NET] received packet: from
109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (96 bytes)
May 11 07:57:45 vpn-server charon: 02[ENC] parsed IKE_AUTH request 2 [
EAP/RES/ID ]
May 11 07:57:45 vpn-server charon: 02[IKE] received EAP identity 'houmie'
May 11 07:57:45 vpn-server charon: 02[IKE] initiating EAP_MSCHAPV2
method (id 0x6C)
May 11 07:57:45 vpn-server charon: 02[ENC] generating IKE_AUTH
response 2 [ EAP/REQ/MSCHAPV2 ]
May 11 07:57:45 vpn-server charon: 02[NET] sending packet: from
172.31.xxx.xxx[4500] to 109.230.xxx.xx[1024] (112 bytes)
May 11 07:57:45 vpn-server charon: 03[NET] received packet: from
109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (144 bytes)
May 11 07:57:45 vpn-server charon: 03[ENC] parsed IKE_AUTH request 3 [
EAP/RES/MSCHAPV2 ]
May 11 07:57:45 vpn-server charon: 03[ENC] generating IKE_AUTH
response 3 [ EAP/REQ/MSCHAPV2 ]
May 11 07:57:45 vpn-server charon: 03[NET] sending packet: from
172.31.xxx.xxx[4500] to 109.230.xxx.xx[1024] (144 bytes)
May 11 07:57:45 vpn-server charon: 01[NET] received packet: from
109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (80 bytes)
May 11 07:57:45 vpn-server charon: 01[ENC] parsed IKE_AUTH request 4 [
EAP/RES/MSCHAPV2 ]
May 11 07:57:45 vpn-server charon: 01[IKE] EAP method EAP_MSCHAPV2
succeeded, MSK established
May 11 07:57:45 vpn-server charon: 01[ENC] generating IKE_AUTH
response 4 [ EAP/SUCC ]
May 11 07:57:45 vpn-server charon: 01[NET] sending packet: from
172.31.xxx.xxx[4500] to 109.230.xxx.xx[1024] (80 bytes)
May 11 07:57:46 vpn-server charon: 11[NET] received packet: from
109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (112 bytes)
May 11 07:57:46 vpn-server charon: 11[ENC] parsed IKE_AUTH request 5 [
AUTH ]
May 11 07:57:46 vpn-server charon: 11[IKE] authentication of
'192.168.1.103' with EAP successful
May 11 07:57:46 vpn-server charon: 11[IKE] authentication of
'vpn1.xxx.com' (myself) with EAP
May 11 07:57:46 vpn-server charon: 11[IKE] IKE_SA roadwarrior[4]
established between 172.31.xxx.xxx[vpn1.xxx.com]...109.230.xxx.xx[192.168.1.103]
May 11 07:57:46 vpn-server charon: 11[IKE] peer requested virtual IP %any
May 11 07:57:46 vpn-server charon: 11[CFG] reassigning offline lease
to 'houmie'
May 11 07:57:46 vpn-server charon: 11[IKE] assigning virtual IP
10.10.10.1 to peer 'houmie'
May 11 07:57:46 vpn-server charon: 11[IKE] peer requested virtual IP %any6
May 11 07:57:46 vpn-server charon: 11[IKE] no virtual IP found for
%any6 requested by 'houmie'
May 11 07:57:46 vpn-server charon: 11[IKE] CHILD_SA roadwarrior{2}
established with SPIs caa2d799_i 8f5ab10c_o and TS 0.0.0.0/0 ===
10.10.10.1/32
May 11 07:57:46 vpn-server charon: 11[ENC] generating IKE_AUTH
response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP)
N(NO_ADD_ADDR) ]
May 11 07:57:46 vpn-server charon: 11[NET] sending packet: from
172.31.xxx.xxx[4500] to 109.230.xxx.xx[1024] (256 bytes)
https://support.microsoft.com/en-gb/help/4103721/windows-10-update-kb4103721
"Addresses an issue that prevents certain VPN apps from working on
builds of Windows 10, version 1803. These apps were developed
using an SDK version that precedes Windows 10, version 1803, and
use the public RasSetEntryProperties API".
Regards
--
John Connett
------------------------------------------------------------------------
*Sent:* 10 May 2018 21:33
*To:* Houman
*Subject:* Re: [strongSwan] Sudden issues with Windows 10 clients
Hi Houman,
 Similar to the Windows problem you had earlier, you don't have
    May 10 20:26:48 vpn-server charon: 12[IKE] DH group MODP_2048
inacceptable, requesting MODP_1024
   The iPhone expects modp2048, but your configuration says
modp1024. Look back at the suggestion we made for Windows and
just use the same configuration.
Regards,
Jafar
Jafar Al-Gharaibeh
2018-05-12 15:19:38 UTC
Hi Houman,

The information on the Wiki is probably old, and it is not wrong anyway.
3des is broken and shouldn't be used if the client can do better.

The behavior I see in the log this time is very different from the previous
email. Last time we could see a complete and successful negotiation leading
to established connections. That is why I asked you to run "ipsec statusall".
This time around, the client doesn't seem to be getting responses from
your server. You can see multiple IKE_SA_INIT packets received, indicating
the client is not seeing the responses.

Since this is a completely different behavior, it is hard to draw conclusions.
The best way to debug is to have strongSwan at both ends so you can see
complete logs at both ends.

--Jafar
Hello Jafar,
Thank you for the final proposals. I have entered them and it works
great with iOS and OSX. I have no Windows to test it yet.
The only reason I had picked 3des-sha1 was because the StrongSwan
Wiki claims this was needed for Mac (OSX)
https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients.
But I can see it works even without that.
My user in Iran still can't connect successfully. I have followed your
instructions. I have tailed the syslog below, hence this is all I can
May 12 11:03:07 vpn-server charon: 02[NET] received packet: from
91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 12 11:03:07 vpn-server charon: 02[ENC] parsed IKE_SA_INIT request
0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 12 11:03:07 vpn-server charon: 02[IKE] 91.99.xxx.xxx is initiating
an IKE_SA
May 12 11:03:07 vpn-server charon: 02[IKE] local host is behind NAT,
sending keep alives
May 12 11:03:07 vpn-server charon: 02[IKE] remote host is behind NAT
May 12 11:03:07 vpn-server charon: 02[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP)
N(MULT_AUTH) ]
May 12 11:03:07 vpn-server charon: 02[NET] sending packet: from
172.31.xxx.xxx[500] to 91.99.xxx.xxx[500] (448 bytes)
May 12 11:03:13 vpn-server charon: 11[NET] received packet: from
91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 12 11:03:13 vpn-server charon: 11[ENC] parsed IKE_SA_INIT request
0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 12 11:03:13 vpn-server charon: 11[IKE] received retransmit of
request with ID 0, retransmitting response
May 12 11:03:13 vpn-server charon: 11[NET] sending packet: from
172.31.xxx.xxx[500] to 91.99.xxx.xxx[500] (448 bytes)
May 12 11:03:16 vpn-server charon: 12[NET] received packet: from
91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 12 11:03:16 vpn-server charon: 12[ENC] parsed IKE_SA_INIT request
0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 12 11:03:16 vpn-server charon: 12[IKE] received retransmit of
request with ID 0, retransmitting response
May 12 11:03:16 vpn-server charon: 12[NET] sending packet: from
172.31.xxx.xxx[500] to 91.99.xxx.xxx[500] (448 bytes)
May 12 11:03:27 vpn-server charon: 10[IKE] sending keep alive to
91.99.xxx.xxx[500]
May 12 11:03:37 vpn-server charon: 05[JOB] deleting half open IKE_SA
after timeout
I have also executed ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1057-aws,
uptime: 68 minutes, since May 12 09:55:31 2018
malloc: sbrk 1773568, mmap 0, used 572416, free 1201152
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 1
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr
kernel-netlink resolve socket-default connmark farp stroke updown
eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11
tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
10.10.10.0/24 [5]: 254/0/1
172.31.xxx.xxx
roadwarrior: %any...%any IKEv2, dpddelay=180s
roadwarrior: local: [vpn1.xxx.com [1]] uses public key
authentication
roadwarrior: cert: "CN=vpn1.xxx.com [1]"
roadwarrior: remote: uses EAP_MSCHAPV2 authentication with EAP
identity '%any'
roadwarrior: child: 0.0.0.0/0 [2] === dynamic TUNNEL,
dpdaction=clear
none
I can't quite see from this if they have blocked ESP or not. But I
suspect this is the case.
Many Thanks for your help,
Houman
Tobias Brunner
2018-05-09 12:12:47 UTC
Permalink
Hi Christian,
Is there a way to authenticate against local Linux users?
Not with Windows or Apple clients, unless you use IKEv1 (see [1] and [2]).

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/XAuthPAM
[2] https://wiki.strongswan.org/projects/strongswan/wiki/Eap-gtc
Tony Hoyle
2018-05-09 20:05:54 UTC
Permalink
Unfortunately IKEv2 is a requirement, and they have requested
username/password authentication because they don't like the "struggles"
of installing a CA cert and a client cert.
Currently the authentication is done with MSCHAPv2 which requires SS to
have a plain text copy of the password in order to create the Challenge
hash, I understand that.... however, what if SS was able to retrieve the
plain text password from another source other than a local config file,
eg Amazon's SecretsManager for example?  Is this something that is
available or that you guys could write (at a price I'm sure)?
If you migrate all the password information into a radius server, that
can handle both linux and strongswan login.

Tony
Thor Simon
2018-05-09 20:31:43 UTC
Permalink
At the expense of reducing the strength of your authentication (and potentially the confidentiality of your passwords) to that of an ad-hoc stream cipher based on MD5 -- unless you encapsulate RADIUS in something else, which adds some complexity but would work.

Christian Salway
2018-05-10 07:59:44 UTC
Permalink
Great thoughts guys, appreciate it.

AWS does not have a built in RADIUS server (maybe..only did a quick search) so I have to think about service reliability (scalable, backup, resilience, etc). It does have Active Directory though if that's a replaceable solution.

So the problem is that the MSCHAP Response from the client is an md4 hash of the password, which is a weak hash so even storing the plaintext as an md4 hash is insecure...

but what if the server stored the password in a sha256(md4(password)) hash and then when it received the md4 hash from the client, hashed that with sha256 to compare to?

The Server can send any fake md4 hash across the network to the client (unless the client does its own check of the hash)...

< send md4(anything)
recv md4(password)
# hash md4(password) with sha256 and compare to locally stored hash


[1] https://tools.ietf.org/html/rfc2759
[2] http://www.arubanetworks.com/techdocs/ClearPass/Aruba_DeployGd_HTML/Content/A%20802.1X%20EAP-PEAP%20Reference/EAP_PEAP_handshake.htm
[3] http://manpages.ubuntu.com/manpages/xenial/man5/shadow.5.html
Tobias Brunner
2018-05-14 09:13:58 UTC
Permalink
Hi Christian,
Post by Christian Salway
but what if the server stored the password in a sha256(md4(password))
hash and then when it received the md4 hash from the client, hashed that
with sha256 to compare to?
It doesn't receive the MD4 hash, which is only a part of the calculation
of EAP-MSCHAPv2 (the NT password hash). The actual value that's
transmitted (ChallengeResponse) and has to be verified (by doing the
same calculation) also incorporates random challenges (see RFC 2759 [1]
for details). Which is why the only thing you can store instead of the
plaintext password is the NT hash (ntlm secrets in swanctl.conf).
Post by Christian Salway
The Server can send any fake md4 hash across the network to the client
(unless the client does its own check of the hash)...
It does, the server sends an AuthenticatorResponse, which
incorporates the client's response and the random challenges (including
one provided by the client) to prove it knows the password. So the EAP
method does provide mutual authentication, however, a weak version
because the server is authenticated after the client. Which means a
MITM could attack a weak client password, which is why the server should
be authenticated via IKEv2 pubkey authentication first (i.e. EAP-only
authentication is not allowed for EAP-MSCHAPv2). EAP-MSCHAPv2 can also
be tunneled in another EAP method (e.g. EAP-TTLS or EAP-PEAP) to
authenticate the AAA server first.

There are, of course, several other EAP methods based on passwords, with
much stronger algorithms and some of them don't require plaintext
passwords. The problem is that common clients (as those built-in
Windows and Apple OSes) don't support them (and neither does strongSwan
actually).

Regards,
Tobias
Christian Salway
2018-05-14 11:52:37 UTC
Permalink
thanks. I've swapped over to using NTLM hashes

Regards,

Christian Salway
IT Consultant
Tel: 07463 331432
***@naimuri.com

<http://www.naimuri.com/>
Pete Ashdown
2018-05-15 22:00:29 UTC
Permalink
Post by Tobias Brunner
Hi Christian,
Post by Christian Salway
but what if the server stored the password in a sha256(md4(password))
hash and then when it received the md4 hash from the client, hashed that
with sha256 to compare to?
It doesn't receive the MD4 hash, which is only a part of the calculation
of EAP-MSCHAPv2 (the NT password hash). The actual value that's
transmitted (ChallengeResponse) and has to be verified (by doing the
same calculation) also incorporates random challenges (see RFC 2759 [1]
for details). Which is why the only thing you can store instead of the
plaintext password is the NT hash (ntlm secrets in swanctl.conf).
Greetings Tobias,
I am trying to get NTLM hashes stored in LDAP to be authenticated via eap-radius.  However, when I connect a Windows client (7 or 10), I see this type of failure in the freeradius logs:

    radius3 freeradius[23803]: Login Incorrect: [\\300\\250z+/] from client vpn01 (mac=, cli=[IP deleted][4500], port=ikev2-mschapv2)

An incorrect login would normally have the form of:

    Login Incorrect: [username/badpassword]

Any idea why Windows (or Strongswan) is sending garbage for the username/password?
Tobias Brunner
2018-05-16 08:57:37 UTC
Permalink
Hi Pete,
Post by Pete Ashdown
    radius3 freeradius[23803]: Login Incorrect: [\\300\\250z+/] from client vpn01 (mac=, cli=[IP deleted][4500], port=ikev2-mschapv2)
    Login Incorrect: [username/badpassword]
Any idea why Windows (or Strongswan) is sending garbage for the username/password?
Nope (you asked that a while ago already). With eap-radius strongSwan
simply forwards EAP messages between client and RADIUS server, so you
might want to debug FreeRADIUS ([1], [2]) to see more about what happens
and/or ask on the FreeRADIUS mailing list about this.

Regards,
Tobias

[1] https://freeradius.org/radiusd/man/radiusd.html
[2] https://freeradius.org/radiusd/man/raddebug.html
Phil Frost
2018-05-16 13:12:23 UTC
Permalink
Post by Pete Ashdown
I am trying to get NTLM hashes stored in LDAP to be authenticated via
eap-radius. However, when I connect a Windows client (7 or 10), I see this
radius3 freeradius[23803]: Login Incorrect: [\\300\\250z+/] from
client vpn01 (mac=, cli=[IP deleted][4500], port=ikev2-mschapv2)
Login Incorrect: [username/badpassword]
Any idea why Windows (or Strongswan) is sending garbage for the username/password?
I have seen this, and I'm having a vague recollection! It's not entirely
garbage, it's the client IP in binary, interpreted as a string.

ord("\300") -> 192
ord("\250") -> 168
ord("z") -> 122
ord("+") -> 43

It's been a while, but I'm 65% sure this "garbage username" symptom is what
you'll see if the EAP exchange between Strongswan and FreeRADIUS isn't
working, and the garbage username is a red herring. I'd guess without a
functional EAP exchange the real username is never exchanged, and so what
you're seeing is some fallback.

http://lists.freeradius.org/pipermail/freeradius-users/2018-March/090898.html
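
The decoding described in the post above, as an added triage example that is not part of the original post: it pulls the bracketed credential out of a FreeRADIUS "Login Incorrect" line, undoes the octal escapes and reports when the "username" is really four raw bytes that read as an IPv4 address. The first sample line is the one quoted in the thread; the other two are constructed, and the function names are this example's own.

```python
import ipaddress
import re

LOGIN_RE = re.compile(r"Login Incorrect: \[(?P<cred>.*?)\] from client (?P<nas>\S+)")
OCTAL_RE = re.compile(rb"\\([0-3][0-7]{2})")


def decode_username(cred: str) -> bytes:
    """Return the raw username bytes from a 'user/password' log field."""
    # The list archive shows doubled backslashes; collapse them first.
    raw = cred.replace("\\\\", "\\")
    # Split on the LAST slash: an address octet of 47 is itself "/".
    user, sep, _password = raw.rpartition("/")
    if not sep:
        user = raw
    return OCTAL_RE.sub(lambda m: bytes([int(m.group(1), 8)]),
                        user.encode("latin-1"))


def triage(line: str):
    """Parse one log line; return None if it is not a failed login."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    username = decode_username(m.group("cred"))
    ipv4 = None
    # Heuristic: exactly four bytes with at least one non-printable one.
    # An address made only of printable bytes (e.g. 97.98.99.100) is missed.
    if len(username) == 4 and any(b < 0x20 or b > 0x7E for b in username):
        ipv4 = str(ipaddress.IPv4Address(username))
    return {"nas": m.group("nas"), "username": username, "ipv4": ipv4}


# Line quoted in the thread (backslashes doubled as the archive shows them)
THREAD_LINE = (r"radius3 freeradius[23803]: Login Incorrect: [\\300\\250z+/] "
               r"from client vpn01 (mac=, cli=[IP deleted][4500], port=ikev2-mschapv2)")
# Constructed lines: a normal failed login, and an address containing octet 47
NORMAL_LINE = ("radius3 freeradius[23803]: Login Incorrect: [alice/badpassword] "
               "from client vpn01 (mac=, cli=[IP deleted][4500], port=ikev2-mschapv2)")
SLASH_LINE = (r"radius3 freeradius[23803]: Login Incorrect: [\012/\000\001/] "
              r"from client vpn01 (mac=, cli=[IP deleted][4500], port=ikev2-mschapv2)")

if __name__ == "__main__":
    for sample in (THREAD_LINE, NORMAL_LINE, SLASH_LINE):
        print(triage(sample))
```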
Pete Ashdown
2018-05-16 15:59:26 UTC
Permalink
     radius3 freeradius[23803]: Login Incorrect: [\\300\\250z+/] from client vpn01 (mac=, cli=[IP deleted][4500], port=ikev2-mschapv2)
     Login Incorrect: [username/badpassword]
Any idea why Windows (or Strongswan) is sending garbage for the username/password?
I have seen this, and I'm having a vague recollection! It's not entirely garbage, it's the client IP in binary, interpreted as a string.
ord("\300") -> 192
ord("\250") -> 168
ord("z") -> 122
ord("+") -> 43
It's been a while, but I'm 65% sure this "garbage username" symptom is what you'll see if the EAP exchange between Strongswan and FreeRADIUS isn't working, and the garbage username is a red herring. I'd guess without a functional EAP exchange the real username is never exchanged, and so what you're seeing is some fallback.
http://lists.freeradius.org/pipermail/freeradius-users/2018-March/090898.html
Thank you Phil.  The odd thing here is that the proper username/password is exchanged with MacOS clients.  I'm at a loss as to why the EAP exchange works for MacOS, but not Windows.  So it isn't "never exchanged".  I'll keep working on it.  Is anyone else using StrongSwan eap-radius -> freeradius -> ldap and has a working setup?
Christian Salway
2018-05-09 00:42:04 UTC
Permalink
I don’t change the default ESP ciphers, only the IKE ones. I should probably look into them at some point.
Thank you both Christian and Jafar for the clear proposals.
So yes, if I wanted to support Windows 10, iOS/OSX and Linux with the stronger set of encryption. Do I set aes256-sha256-prfsha256-modp2048 into ike only? Or both in ike and esp?
This part wasn't quite clear to me.
Yeah, I have already set [NegotiateDH2048_AES256] in Windows 10.
Many Thanks,
Houman
The problem with Windows (10 at least) is that it offers the weakest ciphers first, so you should remove sha1 and 3des.
The minimum proposals you should have and which are compatible with Windows 10, OSX, IOS and Linux are the following.
proposals = aes256-sha256-prfsha256-modp2048-modp1024
Although I would recommend adding the Windows 10 registry key [NegotiateDH2048_AES256] to use strong ciphers and then you can remove MODP1024
Post by Jafar Al-Gharaibeh
Houman,
aes256-3des-sha1-modp1024
aes256-3des-sha1-modp2048
aes256-3des-sha256-sha1-modp2048-modp1024
That should get you covered.
Regards,
Jafar
Post by Houman
Hello,
Until a week ago a user with Windows 10 had no issue connecting to the StrongSwan server. But now out of the blue, he can't connect to the StrongSwan server anymore.
May 7 12:31:06 vpn-p1 charon: 08[IKE] received proposals inacceptable
May 7 12:31:06 vpn-p1 charon: 08[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
May 7 12:31:06 vpn-p1 charon: 08[NET] sending packet: from xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
May 7 12:32:09 vpn-p1 systemd[1]: Started Session 35 of user root.
May 7 12:46:21 vpn-p1 systemd[1]: Starting Cleanup of Temporary Directories...
May 7 12:46:21 vpn-p1 systemd-tmpfiles[7016]: [/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log", ignoring.
May 7 12:46:21 vpn-p1 systemd[1]: Started Cleanup of Temporary Directories.
May 7 13:00:13 vpn-p1 systemd[1]: Starting Certbot...
May 7 13:00:13 vpn-p1 systemd[1]: Started Certbot.
May 7 13:08:20 vpn-p1 systemd[1]: Started Session 36 of user root.
May 7 13:11:27 vpn-p1 charon: 12[NET] received packet: from 91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
May 7 13:11:27 vpn-p1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May 7 13:11:27 vpn-p1 charon: 12[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
May 7 13:11:27 vpn-p1 charon: 12[IKE] received MS-Negotiation Discovery Capable vendor ID
May 7 13:11:27 vpn-p1 charon: 12[IKE] received Vid-Initial-Contact vendor ID
May 7 13:11:27 vpn-p1 charon: 12[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May 7 13:11:27 vpn-p1 charon: 12[IKE] 91.98.xxx.xxx is initiating an IKE_SA
May 7 13:11:27 vpn-p1 charon: 12[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
May 7 13:11:27 vpn-p1 charon: 12[CFG] configured proposals: IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 7 13:11:27 vpn-p1 charon: 12[IKE] remote host is behind NAT
May 7 13:11:27 vpn-p1 charon: 12[IKE] received proposals inacceptable
May 7 13:11:27 vpn-p1 charon: 12[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
May 7 13:11:27 vpn-p1 charon: 12[NET] sending packet: from xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
May 7 13:11:28 vpn-p1 charon: 16[NET] received packet: from 91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
May 7 13:11:28 vpn-p1 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May 7 13:11:28 vpn-p1 charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
May 7 13:11:28 vpn-p1 charon: 16[IKE] received MS-Negotiation Discovery Capable vendor ID
May 7 13:11:28 vpn-p1 charon: 16[IKE] received Vid-Initial-Contact vendor ID
May 7 13:11:28 vpn-p1 charon: 16[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May 7 13:11:28 vpn-p1 charon: 16[IKE] 91.98.xxx.xxx is initiating an IKE_SA
May 7 13:11:28 vpn-p1 charon: 16[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
May 7 13:11:28 vpn-p1 charon: 16[CFG] configured proposals: IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 7 13:11:28 vpn-p1 charon: 16[IKE] remote host is behind NAT
May 7 13:11:28 vpn-p1 charon: 16[IKE] received proposals inacceptable
May 7 13:11:28 vpn-p1 charon: 16[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
May 7 13:11:28 vpn-p1 charon: 16[NET] sending packet: from xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
config setup
strictcrlpolicy=yes
uniqueids=never
conn roadwarrior
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!
esp=aes256gcm16-sha256,aes256-3des-sha256-sha1!
dpdaction=clear
dpddelay=180s
rekey=no
left=%any
leftcert=cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-radius
eap_identity=%any
rightdns=208.67.222.222,208.67.220.220
rightsourceip=${VPNIPPOOL}
rightsendcert=never
Have the supported ike/esp proposals somehow been changed recently after a recent Windows 10 update?
- The firewall on Windows 10 is currently disabled.
- I have set NegotiateDH2048_AES256 = 1 in Regedit
- AssumeUDPEncapsulationContextOnSendRule = 2 in Regedit
I can't think of anything else I could do on the Windows 10 client.
# these ike and esp settings are tested on Mac 10.12, iOS 10 and Windows 10
# iOS/Mac with appropriate configuration profiles use AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_521
# Windows 10 uses AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
Is there a website that translates AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384 into the right naming for ipsec.conf so that I enter them under ike and esp respectively? I can't quite make out if I have these settings there or not.
If you have any other advice, please help me.
Many Thanks,
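
On the question above about translating the log notation, an added example that is not part of the original thread and not strongSwan code: it converts charon's "received/configured proposals" notation into ipsec.conf keywords and reports which transform type blocks a match. The RECEIVED and CONFIGURED strings are copied from the log in the thread; SUGGESTED is the proposal recommended in the thread rewritten by hand in log notation, and the matching rule is a simplified model (one common algorithm per transform type).

```python
import re

# (transform type, charon log token, ipsec.conf keyword template)
RULES = [
    ("encr",  r"AES_CBC_(\d+)",       "aes{0}"),
    ("encr",  r"AES_GCM_(\d+)_(\d+)", "aes{1}gcm{0}"),
    ("encr",  r"3DES_CBC",            "3des"),
    ("integ", r"HMAC_SHA1_96",        "sha1"),
    ("integ", r"HMAC_SHA2_(\d+)_\d+", "sha{0}"),
    ("prf",   r"PRF_HMAC_SHA1",       "prfsha1"),
    ("prf",   r"PRF_HMAC_SHA2_(\d+)", "prfsha{0}"),
    ("dh",    r"MODP_(\d+)",          "modp{0}"),
    ("dh",    r"ECP_(\d+)",           "ecp{0}"),
]
TYPES = ("encr", "integ", "prf", "dh")


def classify(token):
    """Map one log token to (transform type, ipsec.conf keyword)."""
    for ttype, pattern, template in RULES:
        m = re.fullmatch(pattern, token)
        if m:
            return ttype, template.format(*m.groups())
    raise ValueError(f"unknown transform in log: {token}")


def parse_proposals(text):
    """Parse 'IKE:A/B/C, IKE:...' into a list of {type: [keywords]}."""
    proposals = []
    for item in text.split(","):
        prop = {t: [] for t in TYPES}
        for token in item.strip().split(":", 1)[-1].split("/"):
            ttype, keyword = classify(token)
            prop[ttype].append(keyword)
        proposals.append(prop)
    return proposals


def to_conf(prop):
    """Render one proposal the way it is written under ike= in ipsec.conf."""
    return "-".join(k for t in TYPES for k in prop[t])


def blockers(offer, local):
    """Transform types for which the two proposals share no algorithm."""
    return [t for t in TYPES
            if (offer[t] or local[t]) and not set(offer[t]) & set(local[t])]


def select(received, configured):
    """First configured/received pair that agrees on every type, else None."""
    for local in configured:
        for offer in received:
            if not blockers(offer, local):
                return "-".join(next(k for k in offer[t] if k in local[t])
                                for t in TYPES if offer[t])
    return None


def closest_miss(received, configured):
    """Blocking types of the pair that comes nearest to matching."""
    return min((blockers(o, l) for l in configured for o in received), key=len)


# Copied from the charon log lines in the thread
RECEIVED = ("IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
            "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
            "IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048")
CONFIGURED = ("IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521, "
              "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, "
              "IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024")
# Constructed: aes256-sha256-prfsha256-modp2048-modp1024 in log notation
SUGGESTED = "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048/MODP_1024"

if __name__ == "__main__":
    rx, cfg = parse_proposals(RECEIVED), parse_proposals(CONFIGURED)
    print("configured as ike= :", ",".join(to_conf(p) for p in cfg))
    print("match with posted config:", select(rx, cfg))
    print("blocking transform types:", closest_miss(rx, cfg))
    print("match with suggested    :", select(rx, parse_proposals(SUGGESTED)))
```

With the posted configuration every pairing fails on the DH group alone: the client offers only MODP_2048, while the server allows ECP_521, ECP_384 and MODP_1024.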
Tobias Brunner
2018-05-14 09:16:35 UTC
Permalink
Hi Jafar,
             The PRF algorithm is derived from the integrity algorithm,
but only if a DH group is also configured.
 Correct?
No, the DH group has nothing to do with the PRF or the integrity
algorithm. And for IKE proposals you always have to configure at least
one DH group.

Regards,
Tobias
Jafar Al-Gharaibeh
2018-05-15 04:38:56 UTC
Permalink
Tobias,

My next question then is:

In the case of aesgcm algorithms where the integrity is built into
the encryption algorithm, how does that map to prf algorithms? Do you
have to explicitly configure prf in that case? Or are those mapped too?
I didn't see such mapping in wiki pages.

Thanks,
Jafar
ccsalway
2018-05-15 07:11:43 UTC
Permalink
I’m generating an ecdsa server cert but am getting the following errors.. I’ve built with openssl.. what am I missing?


# swanctl --load-creds
loaded certificate from '/etc/swanctl/x509/vpnserver.crt'
loaded certificate from '/etc/swanctl/x509/vpnserver1.crt'
building CRED_PRIVATE_KEY - ANY failed, tried 4 builders
loaded private key from '/etc/swanctl/private/vpnserver.key'
loaded rsa key from '/etc/swanctl/private/vpnserver1.key'

List of X.509 End Entity Certificates

subject: "CN=vpnserver1"
issuer: "CN=Vivace Root CA"
validity: not before May 15 07:00:32 2018, ok
not after Jun 14 07:00:32 2019, ok (expires in 394 days)
serial: c2:79:0c:c6:8b:27:50:6c
altNames: vpnserver1, 35.177.138.182
flags: serverAuth ikeIntermediate
OCSP URIs: http://127.0.0.1:2560
authkeyId: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
subjkeyId: d8:12:51:d5:a8:6c:d1:f3:f4:6e:77:d0:79:51:bc:1f:56:a3:0a:5e
pubkey: RSA 2048 bits, has private key
keyid: 6b:2a:e9:4f:82:d7:d1:cd:b4:3d:71:56:d9:90:62:1f:1a:c9:3a:a2
subjkey: d8:12:51:d5:a8:6c:d1:f3:f4:6e:77:d0:79:51:bc:1f:56:a3:0a:5e
building CRED_CERTIFICATE - X509 failed, tried 3 builders
parsing certificate failed



openssl req -new -newkey ec:<(openssl ecparam -name secp384r1) -nodes \
-subj "/CN=vpnserver" \
-keyout /ca/private/vpnserver.key -out /ca/requests/vpnserver.csr

openssl ca -config /ca/openssl.cnf -create_serial -days 395 \
-keyfile /ca/private/ca.key -cert /ca/ca.crt -passin pass:"${CAKEYPSWD}" \
-in /ca/requests/vpnserver.csr -notext \
-extfile <(cat <<EOF
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
authorityInfoAccess = OCSP;URI:http://127.0.0.1:2560
extendedKeyUsage = serverAuth, ikeIntermediate
subjectAltName = DNS:vpnserver
EOF
)


./configure --prefix=/usr --sysconfdir=/etc \
--enable-systemd --enable-swanctl \
--disable-charon --disable-stroke --disable-scepclient \
--enable-eap-identity --enable-eap-mschapv2 --enable-md4 \
--enable-eap-tls --enable-eap-dynamic \
--enable-curl --enable-gcm --enable-openssl
Tobias Brunner
2018-05-15 08:59:11 UTC
Permalink
Hi Christian,
I’m generating an ecdsa server cert but am getting the following
errors.. I’ve built with openssl.. what am I missing?
Make sure the plugin is actually loaded (swanctl --help), if not, you
might not have run make clean after you added --enable-openssl to the
configure options, or you configured an explicit swanctl.load statement
in strongswan.conf that doesn't include the openssl plugin.

Regards,
Tobias
Tobias Brunner
2018-05-15 08:27:30 UTC
Permalink
Hi Jafar,
Post by Jafar Al-Gharaibeh
In the case of aesgcm algorithms where the integrity is built into
the encryption algorithm, how does that map to prf algorithms? Do you
have to explicitly configure prf in that case? Or are those mapped too?
No, they aren't. You have to explicitly configure a PRF in such proposals.

Regards,
Tobias