I’ve been following the wikis to create an IPsec roadwarrior configuration.
I have had great success with macOS and iOS, I have a .mobileconfig profile that I can push out and iOS/macOS connects really great.
Windows, however, is proving difficult. The exact same .p12 file that I am using successfully for macOS and iOS, I am importing into the Windows certificate store.
I am following the instructions at the wiki here: wiki.ipfire.org - Example Configuration - Roadwarrior with Windows
And yet with everything set up as per the wiki, Windows is refusing to use my certificate to authenticate. This is the error I am getting from Windows:
My CA root cert is in trusted root certificate store, and the client auth cert is in the computer/personal store as it should be.
I also cross-checked with the strongSwan documentation here: Storing a Windows 7 Machine Certificate - strongSwan and here: Windows 7 Client Configuration - strongSwan
All is the same, yet it keeps telling me that error. Has anyone experienced this? What could it be?
I have a feeling that it is going to be something with the certificate?
I should mention this is the crypto profile of the Windows VPN:

```powershell
Set-VpnConnectionIPsecConfiguration -Name "WKITIPFire1" `
    -AuthenticationTransformConstants GCMAES128 `
    -CipherTransformConstants GCMAES128 `
    -DHGroup ECP384 `
    -IntegrityCheckMethod SHA256 `
    -PfsGroup ECP384 `
    -EncryptionMethod GCMAES128
```
And I have allowed ECP384 AES-128-GCM server side. Looking at the strongSwan log, it is matching up the proposed ciphers with the configured ciphers, so there does not appear to be a protocol mismatch, and indeed Windows gave a “protocol error” when there was one.

```
May 23 11:37:55 NF-WKIT-01 charon: 07[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_384
May 23 11:37:55 NF-WKIT-01 charon: 07[IKE] local host is behind NAT, sending keep alives
May 23 11:37:55 NF-WKIT-01 charon: 07[IKE] remote host is behind NAT
May 23 11:37:55 NF-WKIT-01 charon: 07[IKE] sending cert request for "C=AU, ST=NSW, L=Sydney, O=WKIT, OU=None, CN=WKIT CA, Efirstname.lastname@example.org"
May 23 11:37:55 NF-WKIT-01 charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
May 23 11:37:55 NF-WKIT-01 charon: 07[NET] sending packet: from 192.168.1.4 to 126.96.36.199 (313 bytes)
May 23 11:38:12 NF-WKIT-01 charon: 07[IKE] sending keep alive to 188.8.131.52
May 23 11:38:12 NF-WKIT-01 charon: 09[IKE] sending keep alive to 184.108.40.206
May 23 11:38:15 NF-WKIT-01 charon: 14[IKE] sending keep alive to 220.127.116.11
May 23 11:38:15 NF-WKIT-01 charon: 13[IKE] sending keep alive to 18.104.22.168
```
From what I can see in the logs, it has negotiated AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_384 just fine and is awaiting the presentation of a certificate by the Windows client, and it seems that it just times out, as I guess Windows is not selecting the certificate because it thinks it doesn’t have one.
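Since the log shows the IKE_SA_INIT exchange completing and the server then waiting for the client's certificate, the usual place to look next is the Local Machine Personal store on the Windows client: whether the imported certificate actually has its private key attached, what EKUs it carries, and whether Windows can build a chain from it to the CA in the Trusted Root store. The following PowerShell is an added diagnostic (not from the post, the IPFire wiki or strongSwan) that lists exactly that for every certificate in `Cert:\LocalMachine\My`. The function name `Test-IkeV2ClientCertificate` and the `$StorePath` parameter are my own; the Client Authentication OID is the standard id-kp-clientAuth value, and treating its absence as a warning (rather than a hard failure) is an assumption worth confirming against the strongSwan Windows pages linked above.

```powershell
# Added diagnostic, not part of the original post or the IPFire wiki.
# Assumes, as the post states, that the client certificate was imported
# into Local Machine\Personal and the CA into Trusted Root Certification
# Authorities on the Windows client.

# id-kp-clientAuth (RFC 5280). Flagged if an EKU extension is present
# but does not include it.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Test-IkeV2ClientCertificate {
    param(
        # Store to inspect; Windows IKEv2 machine-certificate auth reads
        # from the Local Machine Personal store.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # EnhancedKeyUsageList is added by the Cert: provider; an empty list
        # means the certificate has no EKU extension (any purpose allowed).
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

        # Build the chain the same way Windows would; revocation checking is
        # turned off here so an unreachable CRL does not mask a missing root.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuthEKU = ($ekus.Count -eq 0) -or ($ekus -contains $ClientAuthOid)
            EKUs          = ($ekus -join ',')
            ChainBuilds   = $chainOk
            ChainStatus   = $status
        }
    }
}

# Run from an elevated PowerShell prompt on the Windows client.
Test-IkeV2ClientCertificate | Format-Table -AutoSize
```

A row with `HasPrivateKey` false means the .p12 import did not bring the key into the machine context (for example because it was imported into the user store instead); `ChainBuilds` false with `UntrustedRoot` in `ChainStatus` means the CA is not where Windows expects it; and an EKU list that excludes Client Authentication is the first thing I'd rule out before suspecting the IPsec proposal, since the log already shows the proposal being accepted.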