StrongSwan Server with Windows 7 Clients Doesn't Route Traffic

Tags: amazon-ec2, amazon-vpc, routing, strongswan, windows-7

I have a server running strongSwan on an Amazon EC2 instance that I want to connect to with Windows 7. The strongSwan server is on a private network (IP address 172.16.1.15 on the network 172.16.0.0/17) and has traffic forwarded to its private address from a public IP address – this is what Amazon calls "Elastic IP".

I want to assign the clients addresses from another private subnet – 10.127.0.0/22 – and route traffic between the two private subnets. Note that the 172.16.0.0/17 subnet is managed by Amazon, but the 10.127.0.0/22 subnet isn't managed by anything right now (other than my ipsec.conf).

My Windows clients do connect to the VPN, but cannot connect to any hosts on the private network. My theory is that it is related to a problem with either the client routing or a lack of some iptables invocation on the server, but I'm not very knowledgeable in either domain and I've gotten stuck.

  • I have installed Ubuntu 12.04 and strongswan-ikev2 on the server.
  • ipsec version reports Linux strongSwan U4.5.2/K3.2.0-52-virtual
  • Note that both the client and server are behind NAT (the client because it is on a local office network, and the server because it is in Amazon's cloud). I have unblocked UDP ports 500 and 4500 in the Amazon dashboard, and on the client's firewall.
  • I have enabled IPv4 forwarding on the server: echo 1 > /proc/sys/net/ipv4/ip_forward
  • I have gone into Amazon's VPC administrative UI for the 172.16.0.0/17 subnet and allowed all traffic to/from the 10.127.0.0/23 subnet.
  • This is /etc/ipsec.conf:

    config setup
        plutostart=no
    
    conn %default
        keyexchange=ikev2
        dpdaction=clear
        dpddelay=300s
        rekey=no
    
    conn dlpvpn
        left=172.16.1.15
        leftauth=pubkey
        leftcert=openssl-cert.pem
        leftid=vpn.example.com
        leftsubnet=172.16.0.0/17
        right=%any
        rightsourceip=10.127.0.0/22
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%any
        auto=add
    
  • This is /etc/ipsec.secrets:

    : RSA openssl-key.rsa
    TESTDOMAIN\testuser : EAP "testpassword"
    
  • This is /etc/strongswan.conf:

    charon {
        threads = 16
        dns1 = 172.16.3.246
    }
    
  • I want to use split tunneling – where only traffic for the private 172.16.0.0/17 network goes over the VPN, and traffic bound for the Internet uses the client's local gateway. To do this, I have unchecked "Use default gateway on remote network", and checked "Disable class based route addition" on the Windows client.

  • The connection completes successfully. ipconfig /all shows:

    PPP adapter strongswan:
    
       Description . . . . . . . . . . . : strongswan
       IPv4 Address. . . . . . . . . . . : 10.127.0.1(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 172.16.3.246
    
  • However, I can't ping any host on the 172.16.0.0/17 network. In fact, if I do an nslookup, it attempts to contact the DNS server I specified in strongswan.conf, but Wireshark on that DNS server shows that it received nothing. I can't even ping the 172.16.1.15 address of the strongSwan server itself.

  • It's my understanding that route rules must be added manually on Windows. However, what do they need to be? The only answer that I could come up with was to try adding the route for the 172.16.0.0/17 network to use the VPN server's address as the gateway using the command route add 172.16.0.0/17 172.16.1.15 if 45. However, that didn't change anything – traffic from my VPN client did not make it to the 172.16.0.0/17 network.

I'd appreciate any help. Thanks.

Best Answer

I finally have this working, thanks to help from @ecdsa here and some help from the #strongswan irc channel.

  1. My VPN client's route rules were incomplete. I needed to add both of these rules:

    route add 172.16.1.15/32 10.127.0.1
    route add 172.16.0.0/17 172.16.1.15
    

    The first one adds a route for the VPN server's private IP address, specifying my client's VPN-assigned IP address as the gateway to it (route print will then display this as being on-link AKA local to that interface). The second one does what I was trying to do with the route rule in my question - it adds a route for the whole private network, specifying the VPN server as the gateway.

  2. I needed to specify leftsubnet=172.16.0.0/17 on the server, or else IPsec policy wouldn't permit traffic to the subnet no matter what the routes were.

  3. I needed to specify leftfirewall=yes on the server so that it would insert appropriate rules into iptables.

  4. I needed to disable "source/dest check" on my Amazon instance. While I had allowed traffic from my VPN subnet to/from the security groups in the Amazon VPC dashboard, I didn't realize there was another setting. On the EC2 dashboard, you can right click on an instance and go to "Change source/dest check". This check is enabled by default and prevented my VPN traffic from ever leaving the VPN server (and it prevented traffic from other VPC hosts to my VPN subnet from entering the VPN server).
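As an added example (not from the question or the answer above), the following script parses an abbreviated copy of the ipsec.conf from the question, flags the server-side gaps the answer identified (missing leftfirewall=yes, a missing leftsubnet, or a client pool that overlaps the private subnet), and derives the two Windows route commands from the conn values. The parser and the check function are constructed here for illustration and are not strongSwan's own tooling.

```python
import ipaddress

# Abbreviated copy of the ipsec.conf posted in the question, embedded so the check runs offline.
IPSEC_CONF = """\
conn %default
    keyexchange=ikev2
    rekey=no

conn dlpvpn
    left=172.16.1.15
    leftsubnet=172.16.0.0/17
    right=%any
    rightsourceip=10.127.0.0/22
    auto=add
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with the 'conn %default' values merged into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():            # an unindented line opens a section ("conn dlpvpn")
            current = line.strip()
            sections[current] = {}
        elif current and "=" in line:       # an indented key=value line belongs to that section
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    defaults = sections.pop("conn %default", {})
    return {name[5:]: {**defaults, **kv} for name, kv in sections.items() if name.startswith("conn ")}

def check_conn(conn):
    """Flag the server-side omissions the accepted answer describes; returns a list of findings."""
    findings = []
    if conn.get("leftfirewall") != "yes":
        findings.append("leftfirewall=yes missing: strongSwan will not insert iptables FORWARD rules")
    if "leftsubnet" not in conn:
        findings.append("leftsubnet missing: IPsec policy will not cover the private network")
    else:
        pool = ipaddress.ip_network(conn["rightsourceip"])
        subnet = ipaddress.ip_network(conn["leftsubnet"])
        if pool.overlaps(subnet):           # pool addresses must not collide with the protected subnet
            findings.append(f"client pool {pool} overlaps leftsubnet {subnet}")
    return findings

def client_routes(conn, client_ip):
    """The two Windows 'route add' lines from the answer, derived from the conn for split tunneling."""
    server = conn["left"]
    return [f"route add {server}/32 {client_ip}", f"route add {conn['leftsubnet']} {server}"]
```

Running `check_conn` on the posted conn reports only the missing leftfirewall=yes; adding that key clears the findings.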