Windows – Enable IKE tracing on windows 10 VPN

ipsecstrongswanvpnwindows

I have an IKEV2 VPN setup (including certs) that worked fine on windows 7. On Windows 10, the same config fails with 'IKE authentication credentials are unacceptable'. Server is StrongSwan. The last line in the log for a connection attempt is:

2016-02-11T12:34:57.457606+00:00 e01pfw01 charon: [info] 05[IKE] assigning virtual IP 10.7.220.6 to peer '**<removed>**'
2016-02-11T12:34:57.461904+00:00 e01pfw01 charon: [info] 05[IKE] CHILD_SA rw-ops{5592} established with SPIs c221e19b_i 29212c9e_o and TS 10.6.75.0/24 10.7.240.0/20 === 10.7.220.6/32 
2016-02-11T12:34:57.518381+00:00 e01pfw01 vpn: [notice] + **<removed>** 10.7.220.6/32 == 212.159.106.131 -- 62.23.139.70 == 10.6.75.0/24
2016-02-11T12:34:57.580529+00:00 e01pfw01 vpn: [notice] + **<removed>** 10.7.220.6/32 == 212.159.106.131 -- 62.23.139.70 == 10.7.240.0/20
2016-02-11T12:34:57.581975+00:00 e01pfw01 charon: [info] 05[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) ]
2016-02-11T12:34:57.582578+00:00 e01pfw01 charon: [info] 05[NET] sending packet: from 62.23.139.70[4500] to 212.159.106.131[4500] (1412 bytes)

I cannot see any issues in the strongswan log, in fact I don't even see a response to the t line above (even though I can see from a pcap that the client sends a response), so I would like to debug the IKE authentication process on the Windows 10 client. Can anyone tell me how this is done?

I have tried netsh set ras tracing * enabled. Log files are created, but nothing relevant to IKE authentication. netsh ipsec dynamic set config property=ikelogging value=1 fails with 'The request is not supported`. I haven't been able to unearth anything else.

It occurred to me that if the windows 10 client was causing a crash in strongswan, but something would appear in the log, right?

Best Answer

For enabling logs atleast in Creators update and above for windows we added a new trace provider.

Netsh trace start VpnClient per=yes maxsize=0 filemode=single
<Repro the scenario>
Netsh trace stop

There is also VpnClient_dbg for additional verbose logging

Related Solutions

StrongSwan IKEv2 + Windows 7 Agile VPN: What is causing Error 13801

Figured this out. @ecdsa pointed me in the right direction, and I finally was able to solve the problem by following this guide.

ipsec pki --gen --type rsa --size 4096 --outform pem > vpnca.key.pem
ipsec pki --self --flag serverAuth --in vpnca.key.pem --type rsa --digest sha1 \
    --dn "C=US, O=Example Company, CN=Example VPN CA" --ca > vpnca.crt.der
ipsec pki --gen --type rsa --size 4096 --outform pem > vpn.example.com.key.pem
ipsec pki --pub --in vpn.example.com.key.pem --type rsa > vpn.example.com.csr
ipsec pki --issue --cacert vpnca.crt.der --cakey vpnca.key.pem --digest sha1 \
    --dn "C=US, O=Example Company, CN=vpn.example.com" \
    --san "vpn.example.com" --flag serverAuth --outform pem \
    < vpn.example.com.csr > vpn.example.com.crt.pem 
openssl rsa -in vpn.example.com.key.pem -out vpn.example.com.key.der -outform DER

cp vpnca.crt.der /etc/ipsec.d/cacerts
cp vpn.example.com.crt.pem /etc/ipsec.d/certs
cp vpn.example.com.key.der /etc/ipsec.d/private

About the error

The error message was "Error 13801: IKE authentication credentials are unacceptable", which sounded like my user credentials weren't working. However, this is a message about authenticating the server, which is done (per my configuration) by the server's SSL certificate. Microsoft has published documentation on Troubleshooting IKEv2 VPN Connections that lists possible causes for this error:

The certificate is expired.
The trusted root for the certificate is not present on the client.
The subject name of the certificate does not match the remote computer.
The certificate does not have the required Enhanced Key Usage (EKU) values assigned.

In my case, my problem had to do with the EKU values. Following the guide I linked at the top, I was able to generate a certificate with the correct EKU values, and it worked great.

To troubleshoot this, you can disable EKU checking on your Windows client (of course, this should only be done for testing):

Launch regedit
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters
Add a DWORD called DisableIKENameEkuCheck, and set its value to 1
Microsoft documentation instructs you to reboot after doing this, but I didn't need to in order for this to take effect.

PfSense/strongSwan “deleting half open IKE_SA after timeout” – IPSec connection Android 4.4 to pfSense 2.2.1 fails

I've been having this exact same issue.

As per this [IKEv1 can't connect from Android's default vpn client], there is a bug in the current Android VPN IKEv1 client that happens if aggressive mode is selected and a "IPsec identifier" is used to configure the Android client.

The solution is to clear the "IPsec identifier" entry from the android client and in Phase 1 proposal the negotiation mode should be Main.

In my setup the Phase 1 proposal (Authentication) : Authentication method is Mutual PSK + Xauth and not just Mutual PSK.

Best Answer

Related Solutions

StrongSwan IKEv2 + Windows 7 Agile VPN: What is causing Error 13801

About the error

PfSense/strongSwan “deleting half open IKE_SA after timeout” – IPSec connection Android 4.4 to pfSense 2.2.1 fails

Related Topic