[Swan] Windows IKEv2 Error 809

Tom Robinson tom.robinson at motec.com.au
Mon May 23 01:47:09 UTC 2016


Hi,

I'm having trouble connecting Windows 8 to libreswan (version 3.15-5) using IKEv2. I get the 809 error.

The ipsec connection I have configured is copied from another libreswan host (version 3.13-1) that
does work (we're migrating) but I can't seem to locate the issue on the new server.

The connection appears to succeed on the server. Then, on the Windows 8 client, I see a message
"Verifying your credentials" after which I see the "Error 809: ..." message.

Here's my log of the connection:

May 23 11:29:38 apex pluto[29341]: "ikev2-cp"[1] 165.228.94.4 #8: STATE_PARENT_R1: received v2I1,
sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
May 23 11:29:39 apex pluto[29341]: "ikev2-cp"[1] 165.228.94.4 #8: new NAT mapping for #8, was
165.228.94.4:500, now 165.228.94.4:4500
May 23 11:29:39 apex pluto[29341]: "ikev2-cp"[1] 165.228.94.4 #8: certificate
E=thomas.robinson at motec.com.au,CN=Thomas Robinson,OU=IT,O=MoTeC Pty Ltd,ST=Victoria,C=AU OK
May 23 11:29:39 apex pluto[29341]: "ikev2-cp"[1] 165.228.94.4 #8: IKEv2 mode peer ID is
ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=IT, CN=Thomas Robinson,
E=thomas.robinson at motec.com.au'
May 23 11:29:39 apex pluto[29341]: | Sending [CERT] of certificate:
E=authority at motec.com.au,CN=motec5.motec.com.au,OU=IT,O=MoTeC Pty Ltd,L=Melbourne,ST=Victoria,C=AU
May 23 11:29:39 apex pluto[29341]: "ikev2-cp"[1] 165.228.94.4 #9: negotiated tunnel
[0.0.0.0,255.255.255.255:0-65535 0] -> [10.0.9.1,10.0.9.1:0-65535 0]
May 23 11:29:39 apex pluto[29341]: "ikev2-cp"[1] 165.228.94.4 #9: STATE_PARENT_R2: received v2I2,
PARENT SA established tunnel mode {ESP/NAT=>0xefe27442 <0x1fd6e1dc xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=165.228.94.4:4500 DPD=active}

Here's the config:

conn ikev2-cp
        also=leftcert
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        # Clients
        rightsendcert=always
        right=%any
        rightaddresspool=10.0.9.1-10.0.9.10
        rightid=%fromcert
        rightrsasigkey=%cert
        modecfgdns1=10.0.19.13
        modecfgdns2=10.0.18.1
        narrowing=yes
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        auto=add
        ikev2=insist
        ike=aes256-sha1;modp1024,3des-sha1;modp1024
        rekey=no

conn leftcert
        left=115.70.189.242
        leftid=%fromcert
        leftcert=motec5.motec.com.au
        leftrsasigkey=%cert

For my own sanity, is someone able to run their eyes over this?

Kind regards,
Tom



-- 

Tom Robinson
IT Manager/System Administrator

MoTeC Pty Ltd

121 Merrindale Drive
Croydon South
3136 Victoria
Australia

T: +61 3 9761 5050
F: +61 3 9761 5051
E: tom.robinson at motec.com.au
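
Added example, not part of the original message and not libreswan code: a Python summary of what the responder logged for each client, so the observation above that the connection appears to succeed on the server can be checked against the log itself. The sample is constructed from the pluto lines in the post (certificate lines left out, mail wrapping kept), and the function and field names are assumptions.

```python
import re
# Constructed sample: pluto lines taken from the post, still wrapped the way the mail client left them.
SAMPLE = '''\
May 23 11:29:38 apex pluto[29341]: "ikev2-cp"[1] 165.228.94.4 #8: STATE_PARENT_R1: received v2I1,
sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
May 23 11:29:39 apex pluto[29341]: "ikev2-cp"[1] 165.228.94.4 #8: new NAT mapping for #8, was
165.228.94.4:500, now 165.228.94.4:4500
May 23 11:29:39 apex pluto[29341]: "ikev2-cp"[1] 165.228.94.4 #9: negotiated tunnel
[0.0.0.0,255.255.255.255:0-65535 0] -> [10.0.9.1,10.0.9.1:0-65535 0]
May 23 11:29:39 apex pluto[29341]: "ikev2-cp"[1] 165.228.94.4 #9: STATE_PARENT_R2: received v2I2,
PARENT SA established tunnel mode {ESP/NAT=>0xefe27442 <0x1fd6e1dc xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=165.228.94.4:4500 DPD=active}
'''
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
PLUTO = re.compile(r'pluto\[\d+\]: "[^"]+"\[\d+\] (\S+) #\d+: (.*)$')

def unwrap(text):
    """Rejoin wrapped records: a line with no syslog timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Collect, per peer address, what the responder logged for that client."""
    peers = {}
    for record in unwrap(text):
        m = PLUTO.search(record)
        if not m:
            continue  # debug lines ("| ...") have no connection prefix
        peer, msg = m.groups()
        p = peers.setdefault(peer, {"states": [], "params": {}, "nat_port": None,
                                    "lease": None, "established": False})
        state = re.match(r"(STATE_\w+):", msg)
        braces = re.search(r"\{(.*)\}", msg)
        if state:
            p["states"].append(state.group(1))
            if braces:  # key=value tokens inside {...}; tokens without '=' are skipped
                p["params"][state.group(1)] = dict(
                    t.split("=", 1) for t in braces.group(1).split() if "=" in t)
        nat = re.search(r"new NAT mapping .* now \S+:(\d+)$", msg)
        lease = re.search(r"negotiated tunnel .*-> \[([\d.]+),", msg)
        p["nat_port"] = int(nat.group(1)) if nat else p["nat_port"]
        p["lease"] = lease.group(1) if lease else p["lease"]
        p["established"] = p["established"] or "established" in msg
    return peers
```

For this sample, `summarize(SAMPLE)` shows the peer reaching STATE_PARENT_R2 with an address from the pool and a float to port 4500, which covers only the responder's view of the exchange.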
