Hi Andreas With your expert help, I am now able to establish a connection between my two sites. From my ubuntu box I am to ping 192.168.1.45, which I think is my local VPN adapter. I can not, however, ping 192.168.1.43 which I think is the windows PPP adaptor. I do not see any entries for 192.168.1.x when I do a netstat -r (should I?). I also can not ping anything else on the 192.168.1.x network.
I greatly appreciate all the help you providing me. Thank you again. sudo ipsec statusall shows the following: Status of IKEv2 charon daemon (strongSwan 4.5.3): uptime: 16 minutes, since Nov 08 17:33:32 2011 malloc: sbrk 270336, mmap 0, used 154064, free 116272 worker threads: 9 of 16 idle, 6/1/0/0 working, job queue: 0/0/0/0, scheduled: 3 loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2 Listening IP addresses: 10.0.0.106 Connections: net-net: 10.0.0.106...66.238.30.124 net-net: local: [10.0.0.106] uses EAP_MSCHAPV2 authentication with EAP identity 'matt' net-net: remote: [%any] uses public key authentication net-net: child: dynamic === dynamic TUNNEL Security Associations (1 up, 0 connecting): net-net[1]: ESTABLISHED 16 minutes ago, 10.0.0.106[10.0.0.106]...66.238.30.124[CN=verrado.aaronline.com] net-net[1]: IKE SPIs: d970b6f80746b929_i* 0b2a24b30601e1e3_r, EAP reauthentication in 39 minutes net-net[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Also I had to add an %any for rightid, it says it is looking for verrado's ip address when I put that in there it still complains. Not sure what the rightid should really be. Here is my current config ( i did change ip addresses on the ubunutu machine since the last config I sent you). # /etc/ipsec.conf - strongSwan IPsec configuration file config setup crlcheckinterval=0s strictcrlpolicy=no plutostart=no nat_traversal=yes charonstart=yes conn %default ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=1 keyexchange=ikev2 mobike=no forceencaps=yes conn net-net left=10.0.0.106 leftsourceip=%config leftfirewall=yes leftauth=eap-mschapv2 eap_identity=matt right=verrado.aaronline.com rightid=%any rightauth=pubkey auto=add ca carefree-aaronline-ca cacert=/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert Here is the log file 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3) 00[KNL] listening on interfaces: 00[KNL] eth0 00[KNL] 10.0.0.106 00[KNL] fe80::215:5dff:fe01:6609 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts' 00[CFG] loaded ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" from '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert' 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts' 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts' 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts' 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls' 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets' 00[CFG] loaded EAP secret for matt 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2 00[JOB] spawning 16 worker threads 00[DMN] signal of type SIGINT received. Shutting down 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3) 00[KNL] listening on interfaces: 00[KNL] eth0 00[KNL] 10.0.0.106 00[KNL] fe80::215:5dff:fe01:6609 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts' 00[CFG] loaded ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" from '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert' 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts' 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts' 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts' 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls' 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets' 00[CFG] loaded EAP secret for matt 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2 00[JOB] spawning 16 worker threads 00[DMN] signal of type SIGINT received. Shutting down 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3) 00[KNL] listening on interfaces: 00[KNL] eth0 00[KNL] 10.0.0.106 00[KNL] fe80::215:5dff:fe01:6609 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts' 00[CFG] loaded ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" from '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert' 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts' 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts' 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts' 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls' 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets' 00[CFG] loaded EAP secret for matt 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2 00[JOB] spawning 16 worker threads 09[CFG] received stroke: add connection 'net-net' 09[CFG] added configuration 'net-net' 11[CFG] received stroke: initiate 'net-net' 13[IKE] initiating IKE_SA net-net[1] to 66.238.30.124 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 13[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500] 02[IKE] retransmit 1 of request with message ID 0 02[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500] 14[IKE] retransmit 2 of request with message ID 0 14[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500] 15[NET] received packet: from 66.238.30.124[500] to 10.0.0.106[500] 15[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ] 15[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024 15[IKE] initiating IKE_SA net-net[1] to 66.238.30.124 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 15[NET] sending packet: from 10.0.0.106[500] to 66.238.30.124[500] 16[NET] received packet: from 66.238.30.124[500] to 10.0.0.106[500] 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 16[IKE] local host is behind NAT, sending keep alives 16[IKE] remote host is behind NAT 16[IKE] sending cert request for "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" 16[IKE] establishing CHILD_SA net-net 16[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CP(ADDR DNS) SA TSi TSr N(EAP_ONLY) ] 16[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500] 01[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500] 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ] 01[IKE] received end entity cert "CN=verrado.aaronline.com" 01[CFG] using certificate "CN=verrado.aaronline.com" 01[CFG] using trusted ca certificate "DC=com, DC=aaronline, CN=aaronline-CAREFREE-CA" 01[CFG] reached self-signed root ca with a path length of 0 01[IKE] authentication of 'CN=verrado.aaronline.com' with RSA signature successful 01[IKE] server requested EAP_IDENTITY (id 0x00), sending 'matt' 01[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ] 01[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500] 09[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500] 09[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ] 09[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01) 09[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ] 09[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500] 10[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500] 10[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ] 10[IKE] EAP-MS-CHAPv2 succeeded: '(null)' 10[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ] 10[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500] 12[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500] 12[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ] 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established 12[IKE] authentication of '10.0.0.106' (myself) with EAP 12[ENC] generating IKE_AUTH request 5 [ AUTH ] 12[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500] 13[NET] received packet: from 66.238.30.124[4500] to 10.0.0.106[4500] 13[ENC] parsed IKE_AUTH response 5 [ AUTH N(MOBIKE_SUP) CP(ADDR DNS DNS) SA TSi TSr ] 13[IKE] authentication of 'CN=verrado.aaronline.com' with EAP successful 13[IKE] IKE_SA net-net[1] established between 10.0.0.106[10.0.0.106]...66.238.30.124[CN=verrado.aaronline.com] 13[IKE] scheduling reauthentication in 3335s 13[IKE] maximum IKE_SA lifetime 3515s 13[IKE] installing DNS server 192.168.1.3 to /usr/local/etc/resolv.conf 13[IKE] installing DNS server 192.168.1.5 to /usr/local/etc/resolv.conf 13[IKE] installing new virtual IP 192.168.1.45 13[IKE] CHILD_SA net-net{1} established with SPIs c7f02950_i e7875dae_o and TS 192.168.1.45/32 === 66.238.30.124/32 11[IKE] sending keep alive 11[NET] sending packet: from 10.0.0.106[4500] to 66.238.30.124[4500] 13[IKE] sending keep alive Matt Hymowitz, CISSP Manager GMP Networks, LLC 520 577-3891 ________________________________________ From: Andreas Steffen [andreas.stef...@strongswan.org] Sent: Tuesday, November 08, 2011 10:22 AM To: Matthew F. Hymowitz Cc: users@lists.strongswan.org Subject: Re: [strongSwan] IKEV2 windows 2008 r2 Hello Matt, the Windows Server 2008 r2 expects strongSwan to request a virtual IP address to be used as a source address within the IPsec tunnel. Therefore add this statement: leftsourceip=%config With a virtual IP address leftsubnet=10.0.0.0/24 doesn't make much sense, so you'd better omit the leftsubnet statement. Regards Andreas On 08.11.2011 16:21, Matthew F. Hymowitz wrote: > Thanks Again for your help Andreas > > > > > Here is the current config and non-debug log file: > > > > -Matt > > > # ipsec.conf - strongSwan IPsec configuration file > > config setup > crlcheckinterval=0s > strictcrlpolicy=no > cachecrls=yes > nat_traversal=yes > charonstart=yes > plutostart=no > > # Add connections here. > > # Sample VPN connections > > #conn sample-self-signed > # left=%defaultroute > # leftsubnet=10.10.0.0/16 > # leftcert=selfCert.der > # leftsendcert=never > # right=192.168.0.2 > # rightsubnet=10.2.0.0/16 > # rightcert=peerCert.der > # auto=start > > conn net-net > left=10.0.0.90 > leftsubnet=10.0.0.0/24 > leftauth=eap-mschapv2 > eap_identity=matt > right=verrado.aaronline.com > rightsubnet=192.168.1.0/24 > rightauth=pubkey > keyexchange=ikev2 > auto=add > > ca carefree-aaronline-ca > cacert=/usr/local/etc/ipsec.d/cacert/aaronline.carefree.cert > > > Nov 8 %f 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3) > Nov 8 %f 00[KNL] listening on interfaces: > Nov 8 %f 00[KNL] eth0 > Nov 8 %f 00[KNL] 10.0.0.90 > Nov 8 %f 00[KNL] fe80::215:5dff:fe01:660d > Nov 8 %f 00[CFG] loading ca certificates from > '/usr/local/etc/ipsec.d/cacerts' > Nov 8 %f 00[CFG] loaded ca certificate "DC=com, DC=aaronline, > CN=aaronline-CAREFREE-CA" from > '/usr/local/etc/ipsec.d/cacerts/aaronline.carefree.cert' > Nov 8 %f 00[CFG] loading aa certificates from > '/usr/local/etc/ipsec.d/aacerts' > Nov 8 %f 00[CFG] loading ocsp signer certificates from > '/usr/local/etc/ipsec.d/ocspcerts' > Nov 8 %f 00[CFG] loading attribute certificates from > '/usr/local/etc/ipsec.d/acerts' > Nov 8 %f 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls' > Nov 8 %f 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets' > Nov 8 %f 00[CFG] loaded EAP secret for matt > Nov 8 %f 00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509 > constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink > resolve socket-default stroke updown eap-identity eap-mschapv2 > Nov 8 %f 00[JOB] spawning 16 worker threads > Nov 8 %f 10[CFG] crl caching to /usr/local/etc/ipsec.d/crls enabled > Nov 8 %f 12[CFG] received stroke: add connection 'net-net' > Nov 8 %f 12[CFG] added configuration 'net-net' > Nov 8 %f 14[CFG] received stroke: initiate 'net-net' > Nov 8 %f 03[IKE] initiating IKE_SA net-net[1] to 66.238.30.124 > Nov 8 %f 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) > N(NATD_D_IP) ] > Nov 8 %f 03[NET] sending packet: from 10.0.0.90[500] to 66.238.30.124[500] > Nov 8 %f 16[NET] received packet: from 66.238.30.124[500] to 10.0.0.90[500] > Nov 8 %f 16[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ] > Nov 8 %f 16[IKE] peer didn't accept DH group MODP_2048, it requested > MODP_1024 > Nov 8 %f 16[IKE] initiating IKE_SA net-net[1] to 66.238.30.124 > Nov 8 %f 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) > N(NATD_D_IP) ] > Nov 8 %f 16[NET] sending packet: from 10.0.0.90[500] to 66.238.30.124[500] > Nov 8 %f 02[NET] received packet: from 66.238.30.124[500] to 10.0.0.90[500] > Nov 8 %f 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) > N(NATD_D_IP) ] > Nov 8 %f 02[IKE] local host is behind NAT, sending keep alives > Nov 8 %f 02[IKE] remote host is behind NAT > Nov 8 %f 02[IKE] sending cert request for "DC=com, DC=aaronline, > CN=aaronline-CAREFREE-CA" > Nov 8 %f 02[IKE] establishing CHILD_SA net-net > Nov 8 %f 02[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ > IDr SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ] > Nov 8 %f 02[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500] > Nov 8 %f 01[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500] > Nov 8 %f 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ] > Nov 8 %f 01[IKE] received end entity cert "CN=verrado.aaronline.com" > Nov 8 %f 01[CFG] using certificate "CN=verrado.aaronline.com" > Nov 8 %f 01[CFG] using trusted ca certificate "DC=com, DC=aaronline, > CN=aaronline-CAREFREE-CA" > Nov 8 %f 01[CFG] reached self-signed root ca with a path length of 0 > Nov 8 %f 01[IKE] authentication of 'CN=verrado.aaronline.com' with RSA > signature successful > Nov 8 %f 01[IKE] server requested EAP_IDENTITY (id 0x00), sending 'matt' > Nov 8 %f 01[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ] > Nov 8 %f 01[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500] > Nov 8 %f 10[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500] > Nov 8 %f 10[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ] > Nov 8 %f 10[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01) > Nov 8 %f 10[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ] > Nov 8 %f 10[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500] > Nov 8 %f 11[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500] > Nov 8 %f 11[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ] > Nov 8 %f 11[IKE] EAP-MS-CHAPv2 succeeded: '(null)' > Nov 8 %f 11[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ] > Nov 8 %f 11[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500] > Nov 8 %f 12[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500] > Nov 8 %f 12[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ] > Nov 8 %f 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established > Nov 8 %f 12[IKE] authentication of '10.0.0.90' (myself) with EAP > Nov 8 %f 12[ENC] generating IKE_AUTH request 5 [ AUTH ] > Nov 8 %f 12[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500] > Nov 8 %f 10[IKE] retransmit 1 of request with message ID 5 > Nov 8 %f 10[NET] sending packet: from 10.0.0.90[4500] to 66.238.30.124[4500] > Nov 8 %f 11[NET] received packet: from 66.238.30.124[4500] to 10.0.0.90[4500] > Nov 8 %f 11[ENC] parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ] > Nov 8 %f 11[IKE] AUTH payload missing > Nov 8 %f 00[DMN] signal of type SIGINT received. Shutting down > > > > > > > > > > Matt Hymowitz, CISSP > Manager > GMP Networks, LLC > 520 577-3891 > ________________________________________ > From: Andreas Steffen [andreas.stef...@strongswan.org] > Sent: Monday, November 07, 2011 10:05 PM > To: Matthew F. Hymowitz > Cc: users@lists.strongswan.org > Subject: Re: [strongSwan] IKEV2 windows 2008 r2 > > Hi Matt, > > yes, the current ipsec.conf file and the log (but please without > increasing the debug level!!!) would help. > > Regards > > Andreas > > On 11/08/2011 12:21 AM, Matthew F. Hymowitz wrote: >> Hi Andreas >> >> Thanks for your quick response. I made the changes you suggest and >> reconfigured with the following switches >> --disable-pluto --disable-revocation --enable-eap-identity >> --enable-eap-mschapv2 and --enable-md4 >> >> I am now getting much further along in the negotiation. I am now failing >> with the error >> >> parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ] >> Auth payload missing >> >> >> The is after I get the message EAP method EAP_MSCHAPV2 succeeded, MSK >> established. >> >> >> Let me know if you need complete logs, and thanks again for such a quick >> response. >> >> >> Matt Hymowitz, CISSP >> Manager >> GMP Networks, LLC >> 520 577-3891 > > ====================================================================== > Andreas Steffen andreas.stef...@strongswan.org > strongSwan - the Linux VPN Solution! www.strongswan.org > Institute for Internet Technologies and Applications > University of Applied Sciences Rapperswil > CH-8640 Rapperswil (Switzerland) > ===========================================================[ITA-HSR]== > -- ====================================================================== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution! www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===========================================================[ITA-HSR]== _______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users