[Swan] Options for Windows clients

Alex mysqlstudent at gmail.com
Wed Dec 30 02:25:27 UTC 2020 

Hi,

> >> How can I tell what type of cert I'm using?
> >
> > openssl x509 -noout -text -in /your/cert.pem
>
> If you used certutil to generate the certificate directly inside the NSS
> database, you may have to export first, or use something like:
>
>     certutil -L -d sql:/etc/ipsec.d -n your_cert_nickname

This is fedora32. It appears the NSS database is physically in
/var/lib/ipsec/nss while the certificates I've been creating are
stored in /etc/ipsec.d/*.db. What's the difference? Why does ipsec
appear to use /var/lib/ipsec/nss while certutil uses /etc/ipsec.d?
It's also not necessary to preface it with sql:.

> >> This is with "plutodebug = all crypt". In addition to the
> >> NO_PROPOSAL_CHOSEN messages, the highlights appear to include:
>
> I've given a quick look, and I don't have much more to add to Paul's
> comment below (maybe "all crypt" is too much).

I've gotten past that NO_PROPOSAL_CHOSEN error, or at least it's not
producing it anymore.

Are the references to 'vpn.example.com' just labels, or is it a host
that has to resolve to an IP?
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

I think I screwed up the leftid setting in the config. It couldn't
even find the config when I ran the following. Now it just reports it
can't connect (presumably because it's a mobile worker with a dynamic
IP).

# ipsec auto --up ikev2-cp
029 "ikev2-cp": cannot initiate connection without knowing peer IP
address (kind=CK_TEMPLATE narrowing=yes)
036 "ikev2-cp": failed to initiate connection

Now Windows is saying "IKE failed to find valid machine certificate.
.... install a valid certificate" but I've rebuilt the entire thing,
deleted the old certs and inserted a new pk12 cert as I've done
before. This strongswan post appears to indicate that "Maybe Windows
wants to do ECDSA and searches for such a certificate". Could that be
the case here?
https://wiki.strongswan.org/issues/3021

I've used the following two commands on the Windows side to build the
connection:

Add-VpnConnection -Name "ikev2-cp" -ServerAddress orion.example.com
-TunnelType "Ikev2" -PassThru -Force -EncryptionLevel "Required"
-AllUserConnection -AuthenticationMethod MachineCertificate

Set-VpnConnectionipsecconfiguration -connectionname "ikev2-cp"
-authenticationtransformconstants SHA256128 -ciphertransformconstants
AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA384 -Pfsgroup
ECP384 -DHGroup Group14 -PassThru -Force

Now trying to connect produces the following:

Dec 29 21:08:37.408754: | found policy =
ECDSA+ENCRYPT+TUNNEL+PFS+DONT_REKEY+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO
(ikev2-cp)
Dec 29 21:08:37.409050: | found connection: "ikev2-cp"[1] 192.168.1.35
with policy ECDSA+IKEV2_ALLOW
Dec 29 21:12:44.610613: "ikev2-cp"[5] 192.168.1.35 #16: proposal
2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from
remote proposals
1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048
2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[first-match]
3:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP2048

Dec 29 21:12:44.613300: "ikev2-cp"[5] 192.168.1.35 #16: sent
IKE_SA_INIT reply {auth=IKEv2 cipher=AES_CBC_256
integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}

Then that's it.

> > - uses right=192.168.1.35 or right=%any
> > - uses authby=ecdsa or authby=rsa or authby=secret (or a combination
> >    thereof, or it is not set in which case the defaults would include rsa
> >    and/or rsa+ecdsa depending on the version of libreswan)
> > - an ike= line that matches the remote client proposal list (or the
> >    client uses something that is not a default ike parameter when no ike=
> >    line is specified)

I've tried combinations of all of those. Here's what I have now. Left
is my libreswan server and right is my Win10 laptop.

conn ikev2-cp
    left=68.195.111.42
    leftcert=orion.example.com
    leftid=@orion.example.com
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    right=%any
    rightaddresspool=192.168.6.2-192.168.6.254
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns=8.8.8.8,193.100.157.123
    narrowing=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    authby=ecdsa
    fragmentation=yes

More information about the Swan mailing list