> On 14 Jan 2021, at 01:28, Stuart Henderson <s...@spacehopper.org> wrote:
> 
> On 2021-01-13, Ian Timothy <i...@thrivedata.it> wrote:
>> Looking at some of the other information provided, I tried this along with 
>> the registry edit below:
>> 
>> PS> Add-VpnConnection -Name "IPB2" -ServerAddress "vpn.company.com" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -AllUserConnection -Force
> 
> "-AuthenticationMethod MachineCertificate" - I thought you were using
> MSCHAP not machine certs?

I’m just trying anything and everything at this point. I’ll do whatever works.


> FWIW I'm adding the connection manually and then doing this:
> 
> Set-VpnConnection -ConnectionName "vpn" -EncryptionLevel Maximum -SplitTunneling $false -passthru
> 
> Set-VpnConnectionIPsecConfiguration -ConnectionName "vpn" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -DHGroup ECP256 -PfsGroup ECP256 -passthru
> 
> iked.conf (using the same config for Windows/Android/iOS clients, and
> for ease of client setup allowing the default Windows crypto as well as
> better ones):
> 
> ikev2 "vpn" passive esp from 0.0.0.0/0 to 0.0.0.0 \
>  local xxx \
>  peer any \
>  ikesa enc aes-128 enc aes-256  prf hmac-sha2-256 prf hmac-sha1  auth hmac-sha2-256  group curve25519 group ecp521 group ecp256 group modp2048 group modp1024 \
>  childsa enc aes-128-gcm enc aes-256-gcm group curve25519 group ecp521 group ecp256 group modp2048 \
>  childsa enc aes-128 enc aes-256  auth hmac-sha2-256 auth hmac-sha1 \
>  childsa enc aes-128-gcm enc aes-256-gcm \
>  srcid "xxx" \
>  eap "mschap-v2" \
>  config address xxx/25 \
>  config name-server xxx \
>  tag "$name-$id"
> 
> (plus the user config).

I’m getting the following error on Windows upon connecting:

“IKE failed to find valid machine certificate.”

I’ve done a fresh install of Windows 10 Pro using a new download of the ISO, 
but still get the above error.



#
# Generate certificates
#

ikectl ca vpn delete

# CN is “VPN”
ikectl ca vpn create
ikectl ca vpn install

# CN is “vpn.company.com”, same as srcid in iked.conf
ikectl ca vpn certificate 10.0.0.1 create
ikectl ca vpn certificate 10.0.0.1 install

# CN is 10.0.2.100, same as the IP in the following line
ikectl ca vpn certificate 10.0.2.100 create
ikectl ca vpn certificate 10.0.2.100 export



#
# Show certificates
#

$ ikectl show ca vpn certificates
subject= /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=VPN/emailAddress=t...@company.com
SHA256 Fingerprint=83:BE:37:FD:A9:B1:53:11:F6:7D:90:25:20:42:21:46:13:52:E1:C3:14:9B:F9:E1:74:C8:89:6A:3E:55:0F:FC
notBefore=Jan 16 19:51:53 2021 GMT
notAfter=May 13 19:51:53 2033 GMT

subject= /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=vpn.company.com/emailAddress=t...@company.com
SHA256 Fingerprint=9F:93:75:73:6A:F2:BE:59:4A:14:BD:C6:F3:1C:C0:DC:20:26:0D:B7:AE:1C:07:BC:FE:6A:04:C2:20:07:BC:6D
notBefore=Jan 16 19:52:15 2021 GMT
notAfter=Jan 16 19:52:15 2022 GMT

subject= /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=10.0.2.100/emailAddress=t...@company.com
SHA256 Fingerprint=BF:E5:C4:64:55:4D:4E:E7:BC:7F:D9:6E:90:C2:06:BD:66:9A:40:04:EB:C3:BE:A3:2A:DA:91:1A:E7:3D:42:A4
notBefore=Jan 16 19:52:41 2021 GMT
notAfter=Jan 16 19:52:41 2022 GMT



#
# Install certificates on Windows
#

1. scp 10.0.2.100.zip from vpn.company.com to Windows client
2. Unzip
3. Double click ca.pfx
        1. Select “Local Machine”
        2. Select “Place certificates in following store”
                1. Select “Trusted Root Certificate Authorities”
4. Double click 10.0.2.100.pfx, repeat above except use “Personal” store


Windows VPN device settings at the moment:
    Name: “VPN”
    General tab
        Server: vpn.company.com
    Security tab
        VPN type: IKEv2
        Authentication: Use machine certificates

PowerShell:

PS> Set-VpnConnection -ConnectionName "VPN" -EncryptionLevel Maximum -SplitTunneling $false -passthru
PS> Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -DHGroup ECP256 -PfsGroup ECP256 -passthru



#
# iked.conf at the moment
#

ikev2 "vpn-eap" passive esp \
from 0.0.0.0/0 to 0.0.0.0 \
local egress peer any \
ikesa enc aes-128 enc aes-256  prf hmac-sha2-256 prf hmac-sha1  auth hmac-sha2-256  group curve25519 group ecp521 group ecp256 group modp2048 group modp1024 \
childsa enc aes-128-gcm enc aes-256-gcm group curve25519 group ecp521 group ecp256 group modp2048 \
childsa enc aes-128 enc aes-256  auth hmac-sha2-256 auth hmac-sha1 \
childsa enc aes-128-gcm enc aes-256-gcm \
srcid vpn.company.com \
config address 10.0.2.0/24 \
config netmask 255.255.0.0 \
config name-server 10.0.0.1 \



#
# iked log
#

$ doas iked -dvv
create_ike: using signature for peer 
ikev2 "vpn-eap" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0 local 23.AAA.AAA.129 peer any ikesa enc aes-128,aes-256 prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256 group curve25519,ecp521,ecp256,modp2048,modp1024 childsa enc aes-128-gcm,aes-256-gcm group curve25519,ecp521,ecp256,modp2048 esn,noesn childsa enc aes-128,aes-256 auth hmac-sha2-256,hmac-sha1 esn,noesn childsa enc aes-128-gcm,aes-256-gcm esn,noesn srcid vpn.company.com lifetime 10800 bytes 536870912 signature config address 10.0.2.0 config netmask 255.255.0.0 config name-server 10.0.0.1 tag "$name-$id"
/etc/iked.conf: loaded 2 configuration rules
ca_privkey_serialize: type RSA_KEY length 1192
ca_pubkey_serialize: type RSA_KEY length 270
config_new_user: inserting new user windows
user "windows" "password"
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getstatic: dpd_check_interval 60
config_getstatic: no enforcesingleikesa
config_getstatic: no fragmentation
config_getstatic: mobike
config_getstatic: nattport 4500
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1192
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded ca file ca.crt
ca_reload: loaded crl file ca.crl
ca_reload: /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=VPN/emailAddress=t...@company.com
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file 10.0.0.1.crt
ca_validate_cert: /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=vpn.company.com/emailAddress=t...@company.com ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none tolerate 0 maxage -1
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20

<<< Click Connect in Windows >>>

policy_lookup: setting policy 'vpn-eap'
spi=0x2a26c182a19fc478: recv IKE_SA_INIT req 0 peer 166.BBB.BBB.161:59703 local 23.AAA.AAA.129:500, 352 bytes, policy 'vpn-eap'
ikev2_recv: ispi 0x2a26c182a19fc478 rspi 0x0000000000000000
ikev2_policy2id: srcid FQDN/vpn.company.com length 21
ikev2_pld_parse: header ispi 0x2a26c182a19fc478 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 352 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_256
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 72
ikev2_pld_ke: dh group ECP_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x2a26c182a19fc478 0x0000000000000000 166.BBB.BBB.161:59703
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT
ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x2a26c182a19fc478 0x0000000000000000 23.AAA.AAA.129:500
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 24
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 24
proposals_negotiate: score 8
policy_lookup: setting policy 'vpn-eap'
spi=0x2a26c182a19fc478: sa_state: INIT -> SA_INIT
proposals_negotiate: score 8
sa_stateok: SA_INIT flags 0x0000, require 0x0000 
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
spi=0x2a26c182a19fc478: ikev2_sa_keys: DHSECRET with 32 bytes
ikev2_sa_keys: SKEYSEED with 32 bytes
spi=0x2a26c182a19fc478: ikev2_sa_keys: S with 96 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: Tn with 192 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 16 bytes
ikev2_sa_keys: SK_er with 16 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_resp_ike_sa_init: detected NAT, enabling UDP encapsulation
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 72 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x2a26c182a19fc478 0xb58029313324631d 23.AAA.AAA.129:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x2a26c182a19fc478 0xb58029313324631d 166.BBB.BBB.161:59703
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload NONE
ikev2_pld_parse: header ispi 0x2a26c182a19fc478 rspi 0xb58029313324631d nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 265 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_256
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 72
ikev2_pld_ke: dh group ECP_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
spi=0x2a26c182a19fc478: send IKE_SA_INIT res 0 peer 166.BBB.BBB.161:59703 local 23.AAA.AAA.129:500, 265 bytes
config_free_proposals: free 0x76dda980
policy_lookup: setting policy 'vpn-eap'
spi=0x7a3404561f37aa56: recv IKE_SA_INIT req 0 peer 166.BBB.BBB.161:59703 local 23.AAA.AAA.129:500, 352 bytes, policy 'vpn-eap'
ikev2_recv: ispi 0x7a3404561f37aa56 rspi 0x0000000000000000
ikev2_policy2id: srcid FQDN/vpn.company.com length 21
ikev2_pld_parse: header ispi 0x7a3404561f37aa56 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 352 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_256
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 72
ikev2_pld_ke: dh group ECP_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x7a3404561f37aa56 0x0000000000000000 166.BBB.BBB.161:59703
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT
ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x7a3404561f37aa56 0x0000000000000000 23.AAA.AAA.129:500
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 24
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 24
proposals_negotiate: score 8
policy_lookup: setting policy 'vpn-eap'
spi=0x7a3404561f37aa56: sa_state: INIT -> SA_INIT
proposals_negotiate: score 8
sa_stateok: SA_INIT flags 0x0000, require 0x0000 
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
spi=0x7a3404561f37aa56: ikev2_sa_keys: DHSECRET with 32 bytes
ikev2_sa_keys: SKEYSEED with 32 bytes
spi=0x7a3404561f37aa56: ikev2_sa_keys: S with 96 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: Tn with 192 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 16 bytes
ikev2_sa_keys: SK_er with 16 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_resp_ike_sa_init: detected NAT, enabling UDP encapsulation
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 72 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x7a3404561f37aa56 0xa9cc1f2f4edd6669 23.AAA.AAA.129:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x7a3404561f37aa56 0xa9cc1f2f4edd6669 166.BBB.BBB.161:59703
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload NONE
ikev2_pld_parse: header ispi 0x7a3404561f37aa56 rspi 0xa9cc1f2f4edd6669 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 265 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_256
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 72
ikev2_pld_ke: dh group ECP_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
spi=0x7a3404561f37aa56: send IKE_SA_INIT res 0 peer 166.BBB.BBB.161:59703 local 23.AAA.AAA.129:500, 265 bytes
config_free_proposals: free 0x6dd88c80
spi=0x7a3404561f37aa56: recv INFORMATIONAL req 0 peer 166.BBB.BBB.161:59703 local 23.AAA.AAA.129:500, 40 bytes, policy 'vpn-eap'
ikev2_recv: ispi 0x7a3404561f37aa56 rspi 0x0000000000000000

<<< After a minute or two >>>

ikev2_init_ike_sa_timeout: ispi 0x2a26c182a19fc478 rspi 0xb58029313324631d
spi=0x2a26c182a19fc478: sa_free: SA_INIT timeout
config_free_proposals: free 0x76dda680
ikev2_init_ike_sa_timeout: ispi 0x7a3404561f37aa56 rspi 0xa9cc1f2f4edd6669
spi=0x7a3404561f37aa56: sa_free: SA_INIT timeout
config_free_proposals: free 0x76dda9c0
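Added example, not part of this thread and not iked's own tooling: a small Python triage script that groups `iked -dvv` lines by initiator SPI and states, from the responder's side, why each IKE SA died. The sample log is constructed by condensing the lines quoted above; the regexes assume the `spi=0x...:` line prefix seen in this log, and the "untagged line belongs to the most recent SPI" rule is a heuristic.

```python
import re
from collections import OrderedDict

# Constructed sample, condensed from the iked -dvv output quoted in this thread.
SAMPLE_LOG = """\
spi=0x2a26c182a19fc478: recv IKE_SA_INIT req 0 peer 166.BBB.BBB.161:59703 local 23.AAA.AAA.129:500, 352 bytes, policy 'vpn-eap'
spi=0x2a26c182a19fc478: sa_state: INIT -> SA_INIT
ikev2_add_certreq: type X509_CERT length 21
spi=0x2a26c182a19fc478: send IKE_SA_INIT res 0 peer 166.BBB.BBB.161:59703 local 23.AAA.AAA.129:500, 265 bytes
spi=0x7a3404561f37aa56: recv IKE_SA_INIT req 0 peer 166.BBB.BBB.161:59703 local 23.AAA.AAA.129:500, 352 bytes, policy 'vpn-eap'
spi=0x7a3404561f37aa56: sa_state: INIT -> SA_INIT
ikev2_add_certreq: type X509_CERT length 21
spi=0x7a3404561f37aa56: send IKE_SA_INIT res 0 peer 166.BBB.BBB.161:59703 local 23.AAA.AAA.129:500, 265 bytes
spi=0x7a3404561f37aa56: recv INFORMATIONAL req 0 peer 166.BBB.BBB.161:59703 local 23.AAA.AAA.129:500, 40 bytes, policy 'vpn-eap'
spi=0x2a26c182a19fc478: sa_free: SA_INIT timeout
spi=0x7a3404561f37aa56: sa_free: SA_INIT timeout
"""

SPI_RE = re.compile(r"^spi=(0x[0-9a-f]+): (.*)$")  # lines iked tags with the IKE SA's initiator SPI
MSG_RE = re.compile(r"^(recv|send) (\w+) (req|res) \d+ peer (\S+) ")  # one IKEv2 message in or out

def triage(log_text):
    """Group iked -dvv lines by initiator SPI: exchanges seen, CERTREQ sent, reason the SA was freed."""
    sas = OrderedDict()
    current = None  # heuristic: untagged lines such as ikev2_add_certreq belong to the last SPI seen
    for line in log_text.splitlines():
        m = SPI_RE.match(line)
        if m:
            current, rest = m.groups()
            rec = sas.setdefault(current, {"peer": None, "exchanges": [], "certreq_sent": False, "freed": None})
            msg = MSG_RE.match(rest)
            if msg:
                rec["peer"] = msg.group(4)
                rec["exchanges"].append((msg.group(1), msg.group(2)))
            elif rest.startswith("sa_free: "):
                rec["freed"] = rest[len("sa_free: "):]
        elif current and line.startswith("ikev2_add_certreq:"):
            sas[current]["certreq_sent"] = True
    return sas

def diagnose(rec):
    """Explain, from the responder's side, why an IKE SA never got past IKE_SA_INIT."""
    exchanges = {ex for _, ex in rec["exchanges"]}
    if "IKE_AUTH" in exchanges:
        return "IKE_AUTH reached the responder; look at the authentication/EAP lines instead"
    if "IKE_SA_INIT" in exchanges and rec["freed"] == "SA_INIT timeout":
        why = "initiator finished IKE_SA_INIT but never sent IKE_AUTH"
        if rec["certreq_sent"]:
            why += " after receiving CERTREQ: it most likely failed to select a client certificate locally"
        return why
    return "incomplete or unrecognised exchange sequence"

def report(log_text=SAMPLE_LOG):
    # One line per IKE SA; for SAMPLE_LOG both SAs come out as aborted by the initiator.
    return [f"{spi} peer={rec['peer']}: {diagnose(rec)}" for spi, rec in triage(log_text).items()]
```

Run against the full log above, both SAs are reported the same way, which matches the client-side "failed to find valid machine certificate" error: the responder answered IKE_SA_INIT with a CERTREQ and the Windows client never came back with IKE_AUTH.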