Issue with connecting several remote Windows 10 clients to Strongswan with lets-encrypt certificates (IKEv2-EAP)
I set up a Strongswan server for VPN clients to access the internal network (EAP-IKEv2). I have successfully configured it using Letsencrypt server certificates and it works for clients using Mac OS X, IOS, Winodws 7 and Windows 10.
Everything was working fine for a year
But a few weeks ago several remote clients using windows 10 started getting error during the connection
Server: Strongswan version 5.8.2 on FreeBSD 11.2-RELEASE-p15 Client: Mac OS X (several versions) / IOS (several versions) / Windows 7 (several versions) / Windows 10 (several versions)
Windows 10 VPN error: 13801: IKE authentication credentials are unacceptable error
At the same time, other remote clients, including those using Windows 10 with the same build number, work fine.
The saddest thing is that the error does not correlate with the build number of Windows 10
Of course the certificate is extended and valid
You can find all the details below.
Thank you for your time. I would be grateful for any help
ipsec.conf
config setup
strictcrlpolicy=no
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
conn ikev2-vpn
auto=add
compress=no
type=transport
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha2
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
[email protected]
leftcert=fullchain.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=192.168.20.2-192.168.20.50
rightdns=192.168.70.253,192.168.70.254
eap_identity=%identity
final part of charon.log
Jun 23 09:12:17 11[MGR] <ikev2-vpn|10> checkin IKE_SA ikev2-vpn[10]
Jun 23 09:12:17 03[NET] sending packet: from *serverip*[4500] to *clientip*[4500]
Jun 23 09:12:17 11[MGR] <ikev2-vpn|10> checkin of IKE_SA successful
Jun 23 09:12:17 03[NET] sending packet: from *serverip*[4500] to *clientip*[4500]
Jun 23 09:12:46 06[NET] waiting for data on sockets
Jun 23 09:12:46 01[JOB] got event, queuing job for execution
Jun 23 09:12:46 01[JOB] next event in 628ms, waiting
Jun 23 09:12:46 11[MGR] checkout IKEv2 SA with SPIs 688d0386698d3362_i b3e60629dc447607_r
Jun 23 09:12:46 11[MGR] IKE_SA checkout not successful
Jun 23 09:12:47 01[JOB] got event, queuing job for execution
Jun 23 09:12:47 01[JOB] next event in 98s 38ms, waiting
Jun 23 09:12:47 11[MGR] checkout IKEv2 SA with SPIs ef71603dd0f2ce38_i 6e86dbaeb491d377_r
Jun 23 09:12:47 11[MGR] IKE_SA ikev2-vpn[10] successfully checked out
Jun 23 09:12:47 11[JOB] <ikev2-vpn|10> deleting half open IKE_SA with *clientip* after timeout
Jun 23 09:12:47 11[MGR] <ikev2-vpn|10> checkin and destroy IKE_SA ikev2-vpn[10]
Jun 23 09:12:47 11[IKE] <ikev2-vpn|10> IKE_SA ikev2-vpn[10] state change: CONNECTING => DESTROYING
Jun 23 09:12:47 11[MGR] checkin and destroy of IKE_SA successful
I had the same issue, resolved by adding the latest Let's Encrypt root CA cert into the Local Machine cert store.
Can't guarantee this was the same problem as you had, but it fixed it for me.
I did also add the PEM version of the same certificate into the /etc/ipsec/cacerts dir on the VPN server, which by itself didn't resolve the issue.
Here's a PowerShell script to install the root cert into your local Windows certificate store:
Write-Host " Fetching Lets Encrypt root CA Cert..." -ForegroundColor Cyan
$output = "isrgrootx1.der"
$configUrl = "https://letsencrypt.org/certs/isrgrootx1.der"
Invoke-WebRequest -Uri $configUrl -OutFile $output
Import-Certificate -FilePath "$output" -CertStoreLocation 'Cert:\LocalMachine\Root'-Verbose