This is my first time responding to a post so forgive me if I violate any protocols here. I currently use OBSD 6.8 amd64 as a FW for 3 office clients, all running on high-end repurposed desktops. Due to covid I've had to quickly setup ikev for a very small number of home users, none of which are roadwarriors and all use Win10. Yes, I know I should be using ikev2, so don't chew me out, at the time it was just quicker. Using the UI in Win10 is not the way to go. Apparently the Win10 default parameters via UI does not provide the required ciphers. I used powershell to modify the parameters first then use the vpn connection properties to finalize the settings. It worked 100% of the times without fail. When I duplicated using only the Win10 UI iand t failed in every instance.
Here are the powershell cmds I used to modify my default vpn settings which has worked everytime - PS C:\> Add-VpnConnection -Name "VPN_NAME" -ServerAddress vpn.domain.com -TunnelType "L2tp" PS C:\> Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN_NAME" -AuthenticationTransformConstants None -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force Here's some info I found helpful - [image: image.png] L2TP issues with Win 10 – phase1 does not form due to insecure default parameters *REGISTRY SOLUTION:* https://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html Create a registry key that enforces modern cipher and transform sets. *STEP 1*: Edit Registry or create GPO: HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\ *STEP 2:* Create new DWORD value: NegotiateDH2048_AES256 *STEP 3:* Modify DWORD value: 2 One caveat, whenever a major Win10 update is installed it tends to reset the Win10 vpn parameters you modified. It's not consistent, but I've had to reset it a few times. Other than that it has been flawless so far...if you can call it that. Hopefully this helps. On Wed, Jan 13, 2021 at 5:30 AM Patrick Wildt <patr...@blueri.se> wrote: > Am Wed, Jan 13, 2021 at 01:12:09AM -0700 schrieb Ian Timothy: > > Hi, > > > > I'm trying to get IKEv2 VPN working with Windows 10. I'm able to use PSK > with macOS without issue. Changing to EAP MSCHAP for use with Windows > results in the following error: > > > > "The network connection between your computer and the VPN server could > not be established because the remote server is not responding. The could > be because one of the network devices (e.g. firewalls, NAT, routers, etc.) > between your computer and the remote server is not configured to allow VPN > connections." > > > > I’ve worked through many examples online, but I’m not sure what's the > next step to troubleshoot this? > > > > Thanks! > > > > > > > > # uname -rsv > > OpenBSD 6.8 GENERIC.MP#2 > > > > > > # > > # iked.conf > > # > > > > ikev2 "vpn-psk" passive esp \ > > from 0.0.0.0/0 to 0.0.0.0/0 \ > > Hi, > > if you're using config address (as in giving peers a tunnel IP), you > need to configure > > from 0.0.0.0/0 to 0.0.0.0 \ > > The "to" becomes a /32, a /0 is wrong. This is because of internal > semantics. Anyway, this confusing bit has been changed in -current, > as you can read here: > > https://www.openbsd.org/faq/current.html > > But unless you're using current, you still need the line above. > > But since you're complaining about EAP MSCHAP, I don't know what's the > issue there. Maybe tobhe@ or sthen@ have an idea. > > Patrick > > > local egress peer any \ > > srcid vpn.company.com \ > > eap "mschap-v2" \ > > config address 10.0.2.0/24 \ > > config netmask 255.255.0.0 \ > > config name-server 10.0.0.1 \ > > tag "$name-$id" > > > > # Changing 'eap "mschap-v2"' to 'psk "password"' works just fine for > macOS. > > > > > > # > > # Generate certificates > > # > > > > pkg_add zip > > > > ikectl ca vpn create > > ikectl ca vpn install > > > > # CN should be same as srcid in iked.conf > > ikectl ca vpn certificate vpn.company.com create > > ikectl ca vpn certificate vpn.company.com install > > > > # CN should be same as client ip address > > ikectl ca vpn certificate 10.0.2.100 create > > ikectl ca vpn certificate 10.0.2.100 export > > > > > > # > > # Windows config > > # > > > > - VPN device > > - General tab > > - Server: vpn.company.com > > - Security tab > > - VPN type: IKEv2 > > - Authentication: Use machine certificates > > > > - Certs install > > - ca.crt --> Certificates (Local Computer)/Trusted Root Certification > Authorities/Certificates > > - 10.0.2.100 --> Certificates (Local Computer)/Personal/Certificates > > > > > > # > > # iked log > > # > > > > doas iked -dvv > > create_ike: using signature for peer > > ikev2 "vpn-eap" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0 > local 23.AAA.AAA.129 peer any ikesa enc aes-128-gcm,aes-256-gcm prf > hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group > curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 > ikesa enc aes-256,aes-192,aes-128,3des prf > hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 auth > hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group > curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 > childsa enc aes-128-gcm,aes-256-gcm esn,noesn childsa enc > aes-256,aes-192,aes-128 auth > hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 esn,noesn srcid > vpn.ipaperbox.com lifetime 10800 bytes 536870912 eap "MSCHAP_V2" config > address 10.0.2.0 config netmask 255.255.0.0 config name-server 10.0.0.1 > > /etc/iked.conf: loaded 2 configuration rules > > ca_privkey_serialize: type RSA_KEY length 1192 > > ca_pubkey_serialize: type RSA_KEY length 270 > > config_new_user: inserting new user windows > > user "windows" "password" > > config_getpolicy: received policy > > ca_privkey_to_method: type RSA_KEY method RSA_SIG > > config_getpfkey: received pfkey fd 3 > > ca_getkey: received private key type RSA_KEY length 1192 > > config_getcompile: compilation done > > config_getsocket: received socket fd 4 > > config_getsocket: received socket fd 5 > > config_getsocket: received socket fd 6 > > config_getsocket: received socket fd 7 > > config_getstatic: dpd_check_interval 60 > > config_getstatic: no enforcesingleikesa > > config_getstatic: no fragmentation > > config_getstatic: mobike > > config_getstatic: nattport 4500 > > ca_getkey: received public key type RSA_KEY length 270 > > ca_dispatch_parent: config reset > > ca_reload: loaded ca file ca.crt > > ca_reload: loaded crl file ca.crl > > ca_reload: /C=US/ST=State/L=City/O=Company Name/OU=Information > Systems/CN=vpn.company.com/emailAddress=t...@company.com > > ca_reload: loaded 1 ca certificate > > ca_reload: loaded cert file 10.0.0.1.crt > > ca_validate_cert: /C=US/ST=State/L=City/O=Company Name/OU=Information > Systems/CN=vpn.company.com/emailAddress=t...@company.com subject issuer > mismatch > > ca_reload: local cert type X509_CERT > > config_getocsp: ocsp_url none tolerate 0 maxage -1 > > ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20 > > ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20 > > > > policy_lookup: setting policy 'vpn-eap' > > spi=0x804dbcb818c0c11e: recv IKE_SA_INIT req 0 peer > 166.BBB.BBB.161:56819 local 23.AAA.AAA.129:500, 624 bytes, policy 'vpn-eap' > > ikev2_recv: ispi 0x804dbcb818c0c11e rspi 0x0000000000000000 > > ikev2_policy2id: srcid FQDN/vpn.ipaperbox.com length 21 > > ikev2_pld_parse: header ispi 0x804dbcb818c0c11e rspi 0x0000000000000000 > nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length > 624 response 0 > > ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256 > > ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE > spisize 0 xforms 4 spi 0 > > ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES > > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 > > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1 > > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024 > > ikev2_pld_sa: more 2 reserved 0 length 44 proposal #2 protoid IKE > spisize 0 xforms 4 spi 0 > > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 > > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1 > > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024 > > ikev2_pld_sa: more 2 reserved 0 length 40 proposal #3 protoid IKE > spisize 0 xforms 4 spi 0 > > ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES > > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id > HMAC_SHA2_256_128 > > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 > > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024 > > ikev2_pld_sa: more 2 reserved 0 length 44 proposal #4 protoid IKE > spisize 0 xforms 4 spi 0 > > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id > HMAC_SHA2_256_128 > > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 > > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024 > > ikev2_pld_sa: more 2 reserved 0 length 40 proposal #5 protoid IKE > spisize 0 xforms 4 spi 0 > > ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES > > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id > HMAC_SHA2_384_192 > > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384 > > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024 > > ikev2_pld_sa: more 0 reserved 0 length 44 proposal #6 protoid IKE > spisize 0 xforms 4 spi 0 > > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id > HMAC_SHA2_384_192 > > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384 > > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024 > > ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136 > > ikev2_pld_ke: dh group MODP_1024 reserved 0 > > ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 > length 52 > > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 > length 8 > > ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED > > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 > length 28 > > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP > > ikev2_nat_detection: peer source 0x804dbcb818c0c11e 0x0000000000000000 > 166.70.94.161:56819 > > ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT > > ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 > length 28 > > ikev2_pld_notify: protoid NONE spisize 0 type > NAT_DETECTION_DESTINATION_IP > > ikev2_nat_detection: peer destination 0x804dbcb818c0c11e > 0x0000000000000000 23.30.51.129:500 > > ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 > length 24 > > ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 > length 20 > > ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 > length 20 > > ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length > 24 > > proposals_negotiate: score 0 > > proposals_negotiate: score 0 > > proposals_negotiate: score 0 > > proposals_negotiate: score 0 > > proposals_negotiate: score 0 > > proposals_negotiate: score 0 > > proposals_negotiate: score 41 > > proposals_negotiate: score 32 > > proposals_negotiate: score 29 > > proposals_negotiate: score 20 > > proposals_negotiate: score 33 > > proposals_negotiate: score 24 > > policy_lookup: setting policy 'vpn-eap' > > spi=0x804dbcb818c0c11e: sa_state: INIT -> SA_INIT > > proposals_negotiate: score 0 > > proposals_negotiate: score 0 > > proposals_negotiate: score 0 > > proposals_negotiate: score 0 > > proposals_negotiate: score 0 > > proposals_negotiate: score 0 > > proposals_negotiate: score 41 > > proposals_negotiate: score 32 > > proposals_negotiate: score 29 > > proposals_negotiate: score 20 > > proposals_negotiate: score 33 > > proposals_negotiate: score 24 > > sa_stateok: SA_INIT flags 0x0000, require 0x0000 > > sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 ) > > spi=0x804dbcb818c0c11e: ikev2_sa_keys: DHSECRET with 128 bytes > > ikev2_sa_keys: SKEYSEED with 32 bytes > > spi=0x804dbcb818c0c11e: ikev2_sa_keys: S with 96 bytes > > ikev2_prfplus: T1 with 32 bytes > > ikev2_prfplus: T2 with 32 bytes > > ikev2_prfplus: T3 with 32 bytes > > ikev2_prfplus: T4 with 32 bytes > > ikev2_prfplus: T5 with 32 bytes > > ikev2_prfplus: T6 with 32 bytes > > ikev2_prfplus: T7 with 32 bytes > > ikev2_prfplus: Tn with 224 bytes > > ikev2_sa_keys: SK_d with 32 bytes > > ikev2_sa_keys: SK_ai with 32 bytes > > ikev2_sa_keys: SK_ar with 32 bytes > > ikev2_sa_keys: SK_ei with 32 bytes > > ikev2_sa_keys: SK_er with 32 bytes > > ikev2_sa_keys: SK_pi with 32 bytes > > ikev2_sa_keys: SK_pr with 32 bytes > > ikev2_resp_ike_sa_init: detected NAT, enabling UDP encapsulation > > ikev2_add_proposals: length 44 > > ikev2_next_payload: length 48 nextpayload KE > > ikev2_next_payload: length 136 nextpayload NONCE > > ikev2_next_payload: length 36 nextpayload NOTIFY > > ikev2_nat_detection: local source 0x804dbcb818c0c11e 0x6f4965951700d887 > 23.AAA.AAA.129:500 > > ikev2_next_payload: length 28 nextpayload NOTIFY > > ikev2_nat_detection: local destination 0x804dbcb818c0c11e > 0x6f4965951700d887 166.BBB.BBB.161:56819 > > ikev2_next_payload: length 28 nextpayload CERTREQ > > ikev2_add_certreq: type X509_CERT length 21 > > ikev2_next_payload: length 25 nextpayload NONE > > ikev2_pld_parse: header ispi 0x804dbcb818c0c11e rspi 0x6f4965951700d887 > nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length > 329 response 1 > > ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48 > > ikev2_pld_sa: more 0 reserved 0 length 44 proposal #4 protoid IKE > spisize 0 xforms 4 spi 0 > > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 > > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id > HMAC_SHA2_256_128 > > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024 > > ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136 > > ikev2_pld_ke: dh group MODP_1024 reserved 0 > > ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 > length 36 > > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 > length 28 > > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP > > ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 > length 28 > > ikev2_pld_notify: protoid NONE spisize 0 type > NAT_DETECTION_DESTINATION_IP > > ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 > length 25 > > ikev2_pld_certreq: type X509_CERT length 20 > > spi=0x804dbcb818c0c11e: send IKE_SA_INIT res 0 peer > 166.BBB.BBB.161:56819 local 23.AAA.AAA.129:500, 329 bytes > > config_free_proposals: free 0x70869600 > > config_free_proposals: free 0x4db805c0 > > config_free_proposals: free 0x70869540 > > config_free_proposals: free 0x70869c80 > > config_free_proposals: free 0x4a03f800 > > config_free_proposals: free 0x4a03ff00 > > spi=0x804dbcb818c0c11e: recv IKE_AUTH req 1 peer 166.70.94.161:61645 > local 23.AAA.AAA.129:4500, 2560 bytes, policy 'vpn-eap' > > ikev2_recv: ispi 0x804dbcb818c0c11e rspi 0x6f4965951700d887 > > ikev2_recv: updated SA to peer 166.70.94.161:61645 local > 23.AAA.AAA.129:4500 > > ikev2_pld_parse: header ispi 0x804dbcb818c0c11e rspi 0x6f4965951700d887 > nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length > 2560 response 0 > > ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 2532 > > ikev2_msg_decrypt: IV length 16 > > ikev2_msg_decrypt: encrypted payload length 2496 > > ikev2_msg_decrypt: integrity checksum length 16 > > ikev2_msg_decrypt: integrity check succeeded > > ikev2_msg_decrypt: decrypted payload length 2496/2496 padding 9 > > ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 > length 184 > > ikev2_pld_id: id ASN1_DN//C=US/ST=State/L=City/O=Company/OU=Information > Systems/CN=10.0.2.100/emailAddress=t...@company.com length 180 > > ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical > 0x00 length 1081 > > ikev2_pld_cert: type X509_CERT length 1076 > > ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical > 0x00 length 705 > > ikev2_pld_certreq: type X509_CERT length 700 > > ikev2_pld_payloads: decrypted payload AUTH nextpayload NOTIFY critical > 0x00 length 264 > > ikev2_pld_auth: method RSA_SIG length 256 > > ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CP critical > 0x00 length 8 > > ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED > > ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 > length 36 > > ikev2_pld_cp: type REQUEST length 28 > > ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0 > > ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0 > > ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0 > > ikev2_pld_cp: INTERNAL_IP4_SERVER 0x5ba0 length 0 > > ikev2_pld_cp: INTERNAL_IP6_ADDRESS 0x0008 length 0 > > ikev2_pld_cp: INTERNAL_IP6_DNS 0x000a length 0 > > ikev2_pld_cp: INTERNAL_IP6_SERVER 0x5ba1 length 0 > > ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 > length 80 > > ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid ESP > spisize 4 xforms 3 spi 0x47a03160 > > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 > > ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE > > ikev2_pld_sa: more 0 reserved 0 length 36 proposal #2 protoid ESP > spisize 4 xforms 3 spi 0x47a03160 > > ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES > > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 > > ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE > > ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 > length 64 > > ikev2_pld_tss: count 2 length 56 > > ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 > endport 65535 > > ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255 > > ikev2_pld_tss: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 > endport 65535 > > ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff > > ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 > length 64 > > ikev2_pld_tss: count 2 length 56 > > ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 > endport 65535 > > ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255 > > ikev2_pld_tss: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 > endport 65535 > > ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff > > ikev2_handle_notifies: mobike enabled > > sa_stateok: SA_INIT flags 0x0000, require 0x0000 > > spi=0x804dbcb818c0c11e: sa_state: SA_INIT -> AUTH_REQUEST > > policy_lookup: peerid '/C=US/ST=State/L=City/O=Company/OU=Information > Systems/CN=10.0.2.100/emailAddress=t...@company.com' > > proposals_negotiate: score 0 > > proposals_negotiate: score 20 > > policy_lookup: setting policy 'vpn-eap' > > ikev2_policy2id: srcid FQDN/vpn.company.com length 21 > > sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0079 > cert,auth,authvalid,sa,eapvalid) > > ikev2_msg_auth: responder auth data length 409 > > ca_setauth: switching SIG to RSA_SIG(*) > > ca_setauth: auth length 409 > > proposals_negotiate: score 0 > > proposals_negotiate: score 0 > > proposals_negotiate: score 13 > > proposals_negotiate: score 0 > > sa_stateflags: 0x0024 -> 0x0024 certreq,sa (required 0x0079 > cert,auth,authvalid,sa,eapvalid) > > config_free_proposals: free 0x4db80100 > > config_free_proposals: free 0x70869f40 > > ca_getreq: found CA /C=US/ST=State/L=City/O=Company/OU=Information > Systems/CN=vpn.company.com/emailAddress=t...@company.com > > ca_x509_subjectaltname_do: did not find subjectAltName in certificate > > ca_x509_subjectaltname_do: did not find subjectAltName in certificate > > spi=0x804dbcb818c0c11e: ca_getreq: no valid local certificate found for > FQDN/vpn.company.com > > spi=0x804dbcb818c0c11e: ca_getreq: issuer: > /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN= > vpn.company.com/emailAddress=t...@company.com > > spi=0x804dbcb818c0c11e: ca_getreq: serial: 01 > > spi=0x804dbcb818c0c11e: ca_getreq: subject: > /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN= > vpn.company.com/emailAddress=t...@company.com > > spi=0x804dbcb818c0c11e: ca_getreq: altname: IPV4/10.0.0.1 > > ca_x509_subjectaltname_do: did not find subjectAltName in certificate > > spi=0x804dbcb818c0c11e: ca_getreq: using local public key of type RSA_KEY > > ca_setauth: auth length 256 > > ikev2_getimsgdata: imsg 22 rspi 0x6f4965951700d887 ispi > 0x804dbcb818c0c11e initiator 0 sa valid type 11 data length 270 > > ikev2_dispatch_cert: cert type RSA_KEY length 270, ok > > sa_stateflags: 0x0024 -> 0x0025 cert,certreq,sa (required 0x0079 > cert,auth,authvalid,sa,eapvalid) > > ikev2_getimsgdata: imsg 28 rspi 0x6f4965951700d887 ispi > 0x804dbcb818c0c11e initiator 0 sa valid type 1 data length 256 > > ikev2_dispatch_cert: AUTH type 1 len 256 > > sa_stateflags: 0x0025 -> 0x002d cert,certreq,auth,sa (required 0x0079 > cert,auth,authvalid,sa,eapvalid) > > ca_validate_pubkey: unsupported public key type ASN1_DN > > ca_validate_cert: /C=US/ST=State/L=City/O=Company/OU=Information > Systems/CN=10.0.2.100/emailAddress=t...@company.com ok > > ikev2_getimsgdata: imsg 23 rspi 0x6f4965951700d887 ispi > 0x804dbcb818c0c11e initiator 0 sa valid type 4 data length 1076 > > ikev2_msg_auth: initiator auth data length 688 > > ikev2_msg_authverify: method RSA_SIG keylen 1076 type X509_CERT > > ikev2_msg_authverify: authentication successful > > spi=0x804dbcb818c0c11e: sa_state: AUTH_REQUEST -> AUTH_SUCCESS > > sa_stateflags: 0x002d -> 0x003d cert,certreq,auth,authvalid,sa (required > 0x0079 cert,auth,authvalid,sa,eapvalid) > > ikev2_dispatch_cert: peer certificate is valid > > sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa > (required 0x0079 cert,auth,authvalid,sa,eapvalid) > > sa_stateok: VALID flags 0x0039, require 0x0079 > cert,auth,authvalid,sa,eapvalid > > spi=0x804dbcb818c0c11e: sa_state: cannot switch: AUTH_SUCCESS -> VALID > > spi=0x804dbcb818c0c11e: recv IKE_AUTH req 1 peer 166.BBB.BBB.161:61645 > local 23.AAA.AAA.129:4500, 2560 bytes, policy 'vpn-eap' > > ikev2_recv: ispi 0x804dbcb818c0c11e rspi 0x6f4965951700d887 > > spi=0x804dbcb818c0c11e: recv IKE_AUTH req 1 peer 166.BBB.BBB.161:61645 > local 23.AAA.AAA.129:4500, 2560 bytes, policy 'vpn-eap' > > ikev2_recv: ispi 0x804dbcb818c0c11e rspi 0x6f4965951700d887 > > > >
