<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Dear Sir,</p>
<p>I have proceeded to configure IKEv2 auth according to your
advice, as even the libreswan.org website wiki says
that L2TP is legacy and to be avoided for new connections. It
became clear that I will have to manually set up
each user's laptop or mobile device, as I can neither memorize nor
publish the 32 key PSK I use (as is recommended
for security).</p>
<p>However, my IKEv2 conn with RSA reports an error. I have had
problems with a wrong policy and (since modp1024 is no longer
allowed in libreswan v3.32) enabled the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256
registry key in Windows 10 according to the instructions here:
<a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#A-Authentication-using-X509-Machine-Certificates">https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#A-Authentication-using-X509-Machine-Certificates</a>
.</p>
<p>The error I receive now is:</p>
<p>[inline screenshot from the original e-mail, not reproduced here]</p>
<p>The IKEv2 conn setup is here:</p>
<pre>conn MYCONN-ikev2-cp
    # The server's actual IP goes here - not elastic IPs
    left=161.53.235.3
    leftcert=vpn.alu.hr
    leftid=@vpn.alu.hr
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    # Clients
    right=%any
    # your addresspool to use - you might need NAT rules if providing full internet to clients
    rightaddresspool=192.168.100.10-192.168.100.253
    # optional rightid with restrictions
    rightid="C=HR, L=Zagreb, O=Akademija likovnih umjetnosti, OU=*, CN=*, E=*"
    rightca=%same
    rightrsasigkey=%cert
    #
    # connection configuration
    # DNS servers for clients to use
    modecfgdns=8.8.8.8,192.168.100.1
    # Versions up to 3.22 used modecfgdns1 and modecfgdns2
    #modecfgdns1=8.8.8.8
    #modecfgdns2=193.110.157.123
    narrowing=yes
    # recommended dpd/liveness to cleanup vanished clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    # ikev2 fragmentation support requires libreswan 3.14 or newer
    fragmentation=yes
    # optional PAM username verification (e.g. to implement a bandwidth quota)
    # pam-authorize=yes
</pre>
<p>The session log is:
<a class="moz-txt-link-freetext" href="https://domac.alu.hr/mtodorov/ikev2-v3.32-20211124-07.log">https://domac.alu.hr/mtodorov/ikev2-v3.32-20211124-07.log</a></p>
<p>The most notable error is:</p>
<pre>Nov 24 22:05:52.272134: | [RE]START processing: state #1 connection "MYCONN-ikev2-cp"[1] 188.252.255.83 from 188.252.255.83:500 (in complete_v2_state_transition() at ikev2.c:3235)
Nov 24 22:05:52.272145: | #1 complete_v2_state_transition() PARENT_R1 -> PARENT_R1 with status STF_FATAL
Nov 24 22:05:52.272158: "MYCONN-ikev2-cp"[1] 188.252.255.83 #1: encountered fatal error in state STATE_PARENT_R1
Nov 24 22:05:52.272167: | Message ID: exchange zombie as no response?
Nov 24 22:05:52.272177: | release_pending_whacks: state #1 has no whack fd
Nov 24 22:05:52.272186: | pstats #1 ikev2.ike deleted other
Nov 24 22:05:52.272198: | #1 spent 13.2 milliseconds in total
Nov 24 22:05:52.272213: | [RE]START processing: state #1 connection "MYCONN-ikev2-cp"[1] 188.252.255.83 from 188.252.255.83:500 (in delete_state() at state.c:944)
Nov 24 22:05:52.272227: "MYCONN-ikev2-cp"[1] 188.252.255.83 #1: deleting state (STATE_PARENT_R1) aged 0.031s and NOT sending notification
Nov 24 22:05:52.272237: | parent state #1: PARENT_R1(half-open IKE SA) => delete
</pre>
<p>At this point Googling didn't help and I am stuck.</p>
<p>Do you please have an idea of what I should try next?</p>
<p>Kind regards,<br>
Mirsad Todorovac</p>
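<p>The <code>rightid</code> line in the configuration above restricts which client certificates the server accepts by matching each client's subject DN against a pattern with <code>*</code> wildcards. The following is an added illustration of what such a match means in practice; it is example code written for this page, not libreswan's own matcher, and its exact rules (order-insensitive comparison, case-insensitive values, extra attributes in the subject tolerated) are assumptions stated in the comments. The point it shows: every attribute named in the pattern must be present in the client certificate, with <code>*</code> matching any value, so a certificate issued without an OU or an e-mail address does not satisfy <code>OU=*</code> or <code>E=*</code>. The sample client subjects are constructed, not taken from real certificates.</p>

```python
import re
from typing import List, Tuple

# Attribute aliases folded to one canonical name: the rightid above writes
# "E=", while OpenSSL-issued certificates usually print "emailAddress=".
_ALIASES = {"E": "EMAILADDRESS", "EMAIL": "EMAILADDRESS"}

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split an RFC 2253-style DN string into ordered (attribute, value) pairs.

    A backslash-escaped comma ("O=Acme\\, Inc") stays inside the value.
    """
    rdns: List[RDN] = []
    for part in re.split(r"(?<!\\),", dn):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        attr = attr.strip().upper()
        rdns.append((_ALIASES.get(attr, attr), value.strip().replace("\\,", ",")))
    return rdns


def unsatisfied_rdns(pattern: str, subject: str) -> List[str]:
    """Return the pattern RDNs that no distinct subject RDN satisfies.

    Assumed semantics (an illustration, not libreswan's matcher):
      - RDN order is ignored;
      - "*" matches any value, but the attribute must be present in the
        subject, so a certificate issued without an OU fails "OU=*";
      - values are compared case-insensitively;
      - extra RDNs in the subject are tolerated.
    An empty list means the subject matches.
    """
    remaining = parse_dn(subject)
    missing: List[str] = []
    for attr, want in parse_dn(pattern):
        for i, (have_attr, have_val) in enumerate(remaining):
            if have_attr == attr and (want == "*" or have_val.lower() == want.lower()):
                del remaining[i]  # each subject RDN may satisfy only one pattern RDN
                break
        else:
            missing.append(f"{attr}={want}")
    return missing


def dn_matches(pattern: str, subject: str) -> bool:
    return not unsatisfied_rdns(pattern, subject)


# The rightid from the configuration above.
RIGHTID = "C=HR, L=Zagreb, O=Akademija likovnih umjetnosti, OU=*, CN=*, E=*"

# Constructed sample client subjects (not real certificates).
SAMPLE_SUBJECTS = {
    "alice": "C=HR, L=Zagreb, O=Akademija likovnih umjetnosti, OU=Students, CN=alice, emailAddress=alice@alu.hr",
    "bob": "C=HR, L=Zagreb, O=Akademija likovnih umjetnosti, CN=bob, E=bob@alu.hr",  # issued without an OU
    "eve": "C=HR, L=Zagreb, O=Some Other Org, OU=IT, CN=eve, E=eve@example.com",  # wrong organisation
}

if __name__ == "__main__":
    for name, subject in SAMPLE_SUBJECTS.items():
        missing = unsatisfied_rdns(RIGHTID, subject)
        verdict = "accepted" if not missing else "rejected, unsatisfied: " + ", ".join(missing)
        print(f"{name:5s} {verdict}")
```

<p>When a peer is rejected by an ID restriction, the useful question is which pattern attribute the presented certificate cannot satisfy; that is what <code>unsatisfied_rdns</code> reports, and it is the first thing to compare against the subject printed in the client certificate before suspecting the IKE exchange itself.</p>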
</body>
</html>