The following is a stable and working VPN connection between my Windows client and my strongSwan/Linux.
On Windows, using get-VpnConnection
Name : myvpn
ServerAddress : 172.16.2.3
AllUserConnection : False
Guid : {CAFEBABE-DEAD-BEEF-FADE-123456789ABC}
TunnelType : Ikev2
AuthenticationMethod : {MachineCertificate}
EncryptionLevel : Required
L2tpIPsecAuth :
UseWinlogonCredential : False
EapConfigXmlStream :
ConnectionStatus : Disconnected
RememberCredential : False
SplitTunneling : False
DnsSuffix :
IdleDisconnectSeconds : 0
The VPN is configured as such:
Set-VpnConnectionIPsecConfiguration `
-ConnectionName "myvpn" `
-AuthenticationTransformConstants SHA1 `
-CipherTransformConstants AES256 `
-EncryptionMethod AES256 `
-IntegrityCheckMethod SHA1 `
-DHGroup Group2 `
-PfsGroup None `
-Force
On Linux, using strongSwan’s, conf file:
conn myvpn
…
leftauth=pubkey
rightauth=pubkey
esp=aes256-sha1!
ike=aes256-sha1-modp1024!
auto=add
I have generated, and installed, a self signed ca and p12 on my Windows computer.
ca
- Signature algorithm : sha384RSA
- Signature hash algorithm : sha384
- Public key : RSA (4096 Bits)
- Public key parameters : 05 00
- Subject : devel,MANAGER,NETWORK
- Issuer : devel,MANAGER,NETWORK
- Basic Constraints : Type=CA, Path Length Constraint=None
- Certificate Signing, Off-line CRL Signing, CRL Signing (06)
p12
- Signature algorithm : sha256RSA
- Signature hash algorithm : sha256
- Subject : nathan,DVL-00-000-605,MANAGER,NETWORK
- Public key : RSA (2048 Bits)
- Public key parameters : 05 00
- Subject : nathan,DVL-00-000-605,MANAGER,NETWORK
- Issuer : devel,MANAGER,NETWORK
- You have a private key that correspond to this certificate
Which Windows and strongSwan happily accepts and the VPN connects.
The problem is I need to upgrade the encryption scheme for my VPN.
I’ve been instructed these settings at least:
esp=aes256-sha256-noesn!
ike=aes256-sha256-prfsha256-ecp256!
It seems to me that the equivalent in Windows terms would be:
PS C:Usersnrago> Set-VpnConnectionIPsecConfiguration `
-ConnectionName "myvpn" `
-AuthenticationTransformConstants SHA256128 `
-CipherTransformConstants AES256 `
-DHGroup ECP256 `
-EncryptionMethod AES256 `
-IntegrityCheckMethod SHA256 `
-PfsGroup ECP256 `
-Force
The Windows client and strongSwan seems to agree on the new encryption standard:
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 11[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 11[IKE] received MS-Negotiation Discovery Capable vendor ID
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 11[IKE] received Vid-Initial-Contact vendor ID
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 11[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 11[IKE] 172.16.2.2 is initiating an IKE_SA
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 11[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 11[IKE] sending cert request for "C=NETWORK, O=MANAGER, CN=devel"
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 08[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 08[IKE] received MS-Negotiation Discovery Capable vendor ID
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 08[IKE] received Vid-Initial-Contact vendor ID
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 08[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 08[IKE] 172.16.2.2 is initiating an IKE_SA
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 08[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 08[IKE] sending cert request for "C=NETWORK, O=MANAGER, CN=devel"
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
But unlike before, with the lower encryption level, Windows no longer find my certificate suitable. The GUI returns:
“IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store.”
Why does Windows no longer accept the certificate after changing the encryption level? What step can I add, or change, to allow Windows to connect to the server?