
Auth made with certificates

ubuntu 16.04 + strongswan.

Client connecting from win7, certificate was added as said in strongswan Wiki.

Config made also like in strongswan wiki, but I got error: 'plutostart' deprecated, so I removed it.

So my ipsec.conf:

config setup
     #plutostart=no

conn win7
     left=%defaultroute
     leftcert=vpnHostCert.der
     leftsubnet=0.0.0.0/0
     right=%any
     rightsendcert=never
     rightsourceip=10.42.42.0/24,2002:25f7:7489:3::/112
     keyexchange=ikev2
     auto=add

log:

Jun 28 03:20:26 myserver charon: 12[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
Jun 28 03:20:30 myserver charon: 13[NET] received packet: from MYIP[500] to SERVERIP[500] (528 bytes)
Jun 28 03:20:30 myserver charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun 28 03:20:30 myserver charon: 13[IKE] MYIP is initiating an IKE_SA
Jun 28 03:20:30 myserver charon: 13[IKE] IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
Jun 28 03:20:30 myserver charon: 13[IKE] remote host is behind NAT
Jun 28 03:20:30 myserver charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jun 28 03:20:30 myserver charon: 13[NET] sending packet: from SERVERIP[500] to MYIP[500] (308 bytes)
Jun 28 03:21:00 myserver charon: 14[JOB] deleting half open IKE_SA after timeout
Jun 28 03:21:00 myserver charon: 14[IKE] IKE_SA (unnamed)[3] state change: CONNECTING => DESTROYING
littleguga
  • Is there a network device between the two endpoints which isn't handling IP Fragmentation nicely, resulting in a half-open IKE exchange? Some firewalls will drop IP fragments which can be typical when large certificates are being exchanged over UDP. – Mark Riddell Jun 28 '16 at 20:16
  • @MarkoPolo Client is behind NAT (ASUS RTN10u, but NAT Passthrough is enabled). What about server - I don't know. Is there a way to detect this? – littleguga Jun 28 '16 at 21:13
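The pattern in the posted log (IKE_SA_INIT answered, then "deleting half open IKE_SA after timeout" with no IKE_AUTH in between) can be picked out of a charon log automatically. The following is an added Python example, not code from the question or from strongSwan; the addresses in the embedded sample lines are constructed placeholders and the SA-to-worker-thread correlation is an assumption based on how the posted lines are ordered.

```python
import re
# Constructed sample modelled on the charon lines in the question (placeholder addresses).
SAMPLE_LOG = """\
Jun 28 03:20:30 myserver charon: 13[IKE] 203.0.113.5 is initiating an IKE_SA
Jun 28 03:20:30 myserver charon: 13[IKE] IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
Jun 28 03:20:30 myserver charon: 13[IKE] remote host is behind NAT
Jun 28 03:20:30 myserver charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jun 28 03:20:30 myserver charon: 13[NET] sending packet: from 198.51.100.7[500] to 203.0.113.5[500] (308 bytes)
Jun 28 03:21:00 myserver charon: 14[JOB] deleting half open IKE_SA after timeout
Jun 28 03:21:00 myserver charon: 14[IKE] IKE_SA (unnamed)[3] state change: CONNECTING => DESTROYING
"""

LINE_RE = re.compile(r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ charon: (?P<thread>\d+)\[\w+\] (?P<msg>.*)$')
STATE_RE = re.compile(r'IKE_SA \S+\[(?P<id>\d+)\] state change: \w+ => (?P<new>\w+)')
INIT_RE = re.compile(r'^(?P<peer>\S+) is initiating an IKE_SA$')
SENT_RE = re.compile(r'^sending packet: from \S+ to \S+ \((?P<size>\d+) bytes\)$')

def parse_charon_log(text):
    """Map each IKE_SA id to the peer, NAT flag, IKE_SA_INIT reply size and state history seen for it."""
    sas, thread_peer, thread_sa, pending_reply = {}, {}, {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, msg = m['thread'], m['msg']
        if (mi := INIT_RE.match(msg)):           # precedes the CREATED => CONNECTING line on the same worker
            thread_peer[thread] = mi['peer']
            continue
        if (ms := STATE_RE.search(msg)):         # state-change lines carry the SA id; remember it per worker
            rec = sas.setdefault(ms['id'], {'peer': thread_peer.get(thread, '?'), 'nat': False,
                                            'init_reply_bytes': None, 'states': []})
            rec['states'].append(ms['new'])
            thread_sa[thread] = ms['id']
            continue
        rec = sas.get(thread_sa.get(thread))     # other lines belong to the SA this worker last named
        if rec is None:
            continue
        if msg == 'remote host is behind NAT':
            rec['nat'] = True
        elif msg.startswith('generating IKE_SA_INIT response'):
            pending_reply[thread] = True
        elif (mp := SENT_RE.match(msg)) and pending_reply.pop(thread, False):
            rec['init_reply_bytes'] = int(mp['size'])   # size of our IKE_SA_INIT reply (308 in the post)
    return sas

def half_open(sas):
    """IKE_SAs torn down while CONNECTING, i.e. without ever reaching ESTABLISHED."""
    return {sid: r for sid, r in sas.items() if 'DESTROYING' in r['states'] and 'ESTABLISHED' not in r['states']}
```

In the posted log the server's 308-byte IKE_SA_INIT reply fits in one datagram, so if a middlebox is dropping fragments as Mark Riddell suggests, the message most likely affected is the client's larger IKE_AUTH request that carries the certificate.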
