<div><div dir="auto">If you start with a p12 file containing all three components, then it is just one import, followed by a move (to put the CA certificate where it belongs).</div></div><div><br><div class="gmail_quote"><div dir="ltr">On Tue, Jan 15, 2019 at 12:20 PM, Mr. Jan Walter <<a href="mailto:hopping_hol@yahoo.com">hopping_hol@yahoo.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="m_2004741741488923476ydp76706dcbyahoo-style-wrap" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:13px"><div></div>
<div>Since I am working on a config to use integrated clients as well, I thought I'd run through Derek's how-to.</div><div><br></div><div>My notes:</div><div><br></div><div>1. You need to import the "client" vpn certificate to Personal Certificates and do another import of the CA certificate to Trusted Root Certification Authorities. The How-to only lists one import.<br><br></div><div>2. Paul, "msdh-downgrade=yes" causes a syntax error, and I can't find it in the documentation.</div><div><br></div><div>3. Right now my connection still borks with a </div><div><br></div><div><span><div> <span><div><span><div>Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[1] x.x.x.x: constructed local IKE proposals for ikev2-cp (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 2:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=MODP2048 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 5:IKE:ENCR=AES_CBC_256,AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1024</div><div>Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[1] x.x.x.x #1: proposal 10:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 chosen from remote proposals 1:IKE:ENCR=3DES;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024 2:IKE:ENCR=3DES;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024 3:IKE:ENCR=3DES;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024 4:IKE:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024[first-match] 5:IKE:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024 6:IKE:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024 7:IKE:ENCR=AES_CBC_192;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024 8:IKE:ENCR=AES_CBC_192;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024 9:IKE:ENCR=AES_CBC_192;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024 10:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024[better-match] 11:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024 12:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_...</div><div>Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[1] x.x.x.x #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP1024}</div><div>Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[1] x.x.x.x #1: certificate verified OK: O=Client1,CN=<a href="http://client1.zzz.net" target="_blank">client1.zzz.net</a></div><div>Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[1] x.x.x.x #1: No matching subjectAltName found</div><div>Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[1] x.x.x.x #1: certificate does not contain ID_IP subjectAltName=x.x.x.x</div><div>Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[1] x.x.x.x #1: Peer public key SubjectAltName does not match peer ID for this connection</div><div>Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[1] x.x.x.x #1: switched from "ikev2-cp"[1] x.x.x.x to "ikev2-cp"</div><div>Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[2] x.x.x.x #1: deleting connection "ikev2-cp"[1] x.x.x.x instance with peer x.x.x.x {isakmp=#0/ipsec=#0}</div><div>Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[2] x.x.x.x #1: certificate verified OK: O=Client1,CN=<a href="http://client1.zzz.net" target="_blank">client1.zzz.net</a></div><div>Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[2] x.x.x.x #1: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=<a href="http://client1.zzz.net" target="_blank">client1.zzz.net</a>, O=Client1'</div><div>Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[2] x.x.x.x #1: Authenticated using RSA</div><div>Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[2] x.x.x.x: constructed local ESP/AH proposals for ikev2-cp (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED</div><div>Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[2] x.x.x.x #1: no local proposal matches remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED 2:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED 3:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED 4:ESP:ENCR=DES(UNUSED);INTEG=HMAC_SHA1_96;ESN=DISABLED 5:ESP:ENCR=NULL;INTEG=HMAC_SHA1_96;ESN=DISABLED</div><div>Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[2] x.x.x.x #1: IKE_AUTH responder matching remote ESP/AH proposals failed, responder SA processing returned STF_FAIL+v2N_NO_PROPOSAL_CHOSEN</div><div>Jan 15 20:15:41 ip-10-0-0-194 pluto[28581]: "ikev2-cp"[2] x.x.x.x #2: responding to IKE_AUTH message (ID 1) from x.x.x.x:4500 with encrypted notification NO_PROPOSAL_CHOSEN</div></span><br></div><div><br></div></span><br></div><div><br></div><div>The ike line from ipsec.conf is the same as in the how-to and the wiki:</div><div> <span>ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024,aes-sha2;modp1024</span><br></div><div><span><br></span></div><div><span><br></span></div><div>Per the Wiki I added the 'aes-sha2;modp1024' to see if that would clear it up.</div><div><br></div><div>I am using Windows 10 Pro, current patch level.</div><div><br></div><div>Cheers,</div><div><br></div><div>Jan</div></span><br></div><div><br></div><div><br></div>
</div><div id="m_2004741741488923476yahoo_quoted_8222792084" class="m_2004741741488923476yahoo_quoted">
<div style="font-family:'Helvetica Neue',Helvetica,Arial,sans-serif;font-size:13px;color:#26282a">
<div>
On Wednesday, January 9, 2019, 1:07:24 PM EST, Paul Wouters <<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>> wrote:
</div>
<div><br></div>
<div><br></div>
<div><div dir="ltr">On Wed, 9 Jan 2019, Derek Cameron wrote:<br clear="none"><br clear="none">> <br clear="none">> Thanks for your help. You're welcome to copy and paste anything you<br clear="none">> like from my blog post<br clear="none">> <a shape="rect" href="https://dc77312.wordpress.com/2019/01/09/libreswan-ipsec-ikev2-vpn-on-rhel-8-beta-server-and-windows-10-client/" target="_blank">https://dc77312.wordpress.com/2019/01/09/libreswan-ipsec-ikev2-vpn-on-rhel-8-beta-server-and-windows-10-client/</a><br clear="none"><br clear="none">Thanks, I'll see about merging it onto the libreswan wiki. Thanks for<br clear="none">the permission!<br clear="none"><br clear="none">Some notes:<br clear="none"><br clear="none">- Please use "libreswan" or "Libreswan", not "LibreSwan" :)<br clear="none">- Does it survive rekeying? You might want/need to add<br clear="none"> msdh-downgrade=yes to allow rekeying without or with wrong/bad<br clear="none"> DH group 1024 (perhaps the latest Windows build fixed this?)<br clear="none">- I think you can fixup the authentication without using powershell,<br clear="none"> but I would have to reclick through a windows box again to remember<br clear="none"> how I did that.<div class="m_2004741741488923476yqt6096280710" id="m_2004741741488923476yqtfd46771"><br clear="none"><br clear="none">Paul<br clear="none">_______________________________________________<br clear="none">Swan mailing list<br clear="none"><a shape="rect" href="mailto:Swan@lists.libreswan.org" target="_blank">Swan@lists.libreswan.org</a><br clear="none"><a shape="rect" href="https://lists.libreswan.org/mailman/listinfo/swan" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan</a><br clear="none"></div></div></div>
</div>
</div></div></blockquote></div></div>