Thanks Again for your help Andreas
Here is the current config and non-debug log file:
-Matt
# ipsec.conf - strongSwan IPsec configuration file
config setup
crlcheckinterval=0s
strictcrlpolicy=no
cachecrls=yes
nat_traversal=yes
charonstart=yes
plutostart=no
# Add connections here.
# Sample VPN connections
#conn sample-self-signed
# left=%defaultroute
# leftsubnet=10.10.0.0/16
# leftcert=selfCert.der
# leftsendcert=never
# right=192.168.0.2
# rightsubnet=10.2.0.0/16
# rightcert=peerCert.der
# auto=start
conn net-net
left=10.0.0.90
leftsubnet=10.0.0.0/24
leftauth=eap-mschapv2
eap_identity=matt
right=verrado.aaronline.com
rightsubnet=192.168.1.0/24
rightauth=pubkey
keyexchange=ikev2
auto=add
ca carefree-aaronline-ca
cacert=/usr/local/etc/ipsec.d/cacert/aaronline.carefree.cert
Nov 8 %f 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
Nov 8 %f 00[KNL] listening on interfaces:
Nov 8 %f 00[KNL] eth0
Nov 8 %f 00[KNL] 10.0.0.90
Nov 8 %f 00[KNL] fe80::215:5dff:fe01:660d
Nov 8 %f 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Nov 8 %f 00[CFG] loaded ca certificate "DC=com, DC=aaronline,
CN=aaronline-CAREFREE-CA" from
'/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert'
Nov 8 %f 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Nov 8 %f 00[CFG] loading ocsp signer certificates from
'/usr/local/etc/ipsec.d/ocspcerts'
Nov 8 %f 00[CFG] loading attribute certificates from
'/usr/local/etc/ipsec.d/acerts'
Nov 8 %f 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Nov 8 %f 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Nov 8 %f 00[CFG] loaded EAP secret for matt
Nov 8 %f 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509
constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink
resolve socket-default stroke updown eap-identity eap-mschapv2
Nov 8 %f 00[JOB] spawning 16 worker threads
Nov 8 %f 10[CFG] crl caching to /usr/local/etc/ipsec.d/crls enabled
Nov 8 %f 12[CFG] received stroke: add connection 'net-net'
Nov 8 %f 12[CFG] added configuration 'net-net'
Nov 8 %f 14[CFG] received stroke: initiate 'net-net'
Nov 8 %f 03[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
Nov 8 %f 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]
Nov 8 %f 03[NET] sending packet: from 10.0.0.90[500] to 66.238.30.124[500]
Nov 8 %f 16[NET] received packet: from 66.238.30.124[500] to 10.0.0.90[500]
Nov 8 %f 16[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Nov 8 %f 16[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
Nov 8 %f 16[IKE] initiating IKE_SA net-net[1] to 66.238.30.124
Nov 8 %f 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]
Nov 8 %f 16[NET] sending packet: from 10.0.0.90[500] to 66.238.30.124[500]
Nov 8 %f 02[NET] received packet: from 66.238.30.124[500] to 10.0.0.90[500]
Nov 8 %f 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]
Nov 8 %f 02[IKE] local host is behind NAT, sending keep alives
Nov 8 %f 02[IKE] remote host is behind NAT
Nov 8 %f 02[IKE] sending cert request for "DC=com, DC=aaronline,
CN=aaronline-CAREFREE-CA"
Nov 8 %f 02[IKE] establishing CHILD_SA net-net
Nov 8 %f 02[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ
IDr SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
Nov 8 %f 02[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
Nov 8 %f 01[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
Nov 8 %f 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Nov 8 %f 01[IKE] received end entity cert "CN=verrado.aaronline.com"
Nov 8 %f 01[CFG] using certificate "CN=verrado.aaronline.com"
Nov 8 %f 01[CFG] using trusted ca certificate "DC=com, DC=aaronline,
CN=aaronline-CAREFREE-CA"
Nov 8 %f 01[CFG] reached self-signed root ca with a path length of 0
Nov 8 %f 01[IKE] authentication of 'CN=verrado.aaronline.com' with RSA
signature successful
Nov 8 %f 01[IKE] server requested EAP_IDENTITY (id 0x00), sending 'matt'
Nov 8 %f 01[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Nov 8 %f 01[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
Nov 8 %f 10[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
Nov 8 %f 10[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Nov 8 %f 10[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
Nov 8 %f 10[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Nov 8 %f 10[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
Nov 8 %f 11[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
Nov 8 %f 11[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Nov 8 %f 11[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
Nov 8 %f 11[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Nov 8 %f 11[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
Nov 8 %f 12[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
Nov 8 %f 12[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
Nov 8 %f 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Nov 8 %f 12[IKE] authentication of '10.0.0.90' (myself) with EAP
Nov 8 %f 12[ENC] generating IKE_AUTH request 5 [ AUTH ]
Nov 8 %f 12[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
Nov 8 %f 10[IKE] retransmit 1 of request with message ID 5
Nov 8 %f 10[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500]
Nov 8 %f 11[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500]
Nov 8 %f 11[ENC] parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ]
Nov 8 %f 11[IKE] AUTH payload missing
Nov 8 %f 00[DMN] signal of type SIGINT received. Shutting down
Matt Hymowitz, CISSP
Manager
GMP Networks, LLC
520 577-3891
________________________________________
From: Andreas Steffen [andreas.stef...@strongswan.org]
Sent: Monday, November 07, 2011 10:05 PM
To: Matthew F. Hymowitz
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] IKEV2 windows 2008 r2
Hi Matt,
yes, the current ipsec.conf file and the log (but please without
increasing the debug level!!!) would help.
Regards
Andreas
On 11/08/2011 12:21 AM, Matthew F. Hymowitz wrote:
> Hi Andreas
>
> Thanks for your quick response. I made the changes you suggest and
> reconfigured with the following switches
> --disable-pluto --disable-revocation --enable-eap-identity
> --enable-eap-mschapv2 and --enable-md4
>
> I am now getting much further along in the negotiation. I am now failing
> with the error
>
> parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ]
> Auth payload missing
>
>
> The is after I get the message EAP method EAP_MSCHAPV2 succeeded, MSK
> established.
>
>
> Let me know if you need complete logs, and thanks again for such a quick
> response.
>
>
> Matt Hymowitz, CISSP
> Manager
> GMP Networks, LLC
> 520 577-3891
======================================================================
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
