06-18-2010 07:16 AM
06-22-2010 03:21 AM
Tried with a Win7 client, get the "error 13843:invalid payload received" message.
Please mark this post as 'accepted solution' if my input answers your question!
A kudo would be nice if you think I deserve it.
2 A/P clustered 6500, 7.4R9.1
2 A/P clustered 2500, 8.0R3.1 LAB
06-24-2010 06:56 AM
08-18-2010 08:38 AM
I'm also looking at this new feature but can't get the gateway to log any messages or send any reply packets to the client. Anybody had any luck getting this working yet?
08-18-2010 09:05 AM
I've just tried this with the Windows 7 Agile VPN and get the same error as mentioned previously: "error 13843:invalid payload received". Have you seen this and do you know the reason for it?
I have so many questions about how this feature works and what with, but no clue from the admin guide.
If I have multiple realms / sign-in policies configured, how does the IKEv2 feature know which realm to go against, or is there some unwritten feature that it has to be the "Users" realm?
08-18-2010 09:09 AM
12-06-2010 07:02 AM
I succeeded in using IKEv2 with strongSwan on Linux. I didn't try with another client.
But here are the steps I followed:
- Create a CA certificate and a client certificate and key.
- Put on the SSLVPN box the CA certificate in the section configuration -> certificate -> Trusted client certificate
- I created a new authentication server as a certificate server.
- I created a new Realm using this server for authentication and selecting a role based on userAgent (IKEv2) or the username.
- I checked IKEv2 in the role used for these users
- I chose the newly created realm in configuration -> IKEv2.
But if anyone succeeded to authenticate the user with username/password, I'm interested...
03-03-2011 02:12 AM - edited 03-03-2011 02:22 AM
I have the same problem as yours. So this made me open a case this morning...
- The strongSwan IKEv2 client is working fine on Linux (for both EAP-MSCHAPv2 and certificate authentication)
- But I am unable to connect with Windows 7: I've got a 13868 error on Windows 7. SSL VPN user logs show that credentials are accepted and an IKEv2 protocol error (IKEV2_NO_PROPOSAL_CHOSEN).
For info, on linux, my ipsec.conf contains the following:
# ipsec.conf - strongSwan IPsec configuration file
# Add connections here.
right=<your SSL VPN IP Address used for IKEv2>
rightsubnet=<the subnet you want to have access>
You should add the corresponding password in the ipsec.secrets file:
<your username> : EAP "<your password>"
You should add the corresponding root CA used for the SSL VPN certificate in the /etc/ipsec.d/cacerts folder.
On the SSL VPN, I use a local backend, with clear text password. Do not forget that only local auth (with the clear text password option) and the Active Directory backend are supported to do MSCHAPv2.
I hope that radius backend will be supported soon (all the EAP stuff is already on my radius server...).
03-04-2011 02:52 AM
Finally, I am able to connect with IKEv2 on Windows 7 Client.
I had to change something on my "Resource profile":
I had to set the "Network Connect" transport mode to "ESP AES128/SHA1" (as shown on screenshot); "ESP AES128/MD5" is not working.
Now IKEv2 tunnels work on Windows 7 and Linux clients.
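A complete strongSwan connection for the EAP-MSCHAPv2 setup described in the two posts above, as an added example that is not part of the original thread or the posters' own configuration. The connection name `sslvpn-ikev2`, the `rightid` placeholder, the virtual-IP request and the pinned `esp` proposal are assumptions; angle-bracket values are placeholders as in the post.

```conf
# /etc/ipsec.conf (added example, legacy strongSwan ipsec.conf syntax)
config setup

# "sslvpn-ikev2" is a hypothetical connection name.
conn sslvpn-ikev2
    keyexchange=ikev2

    # Client side: authenticate the user with EAP-MSCHAPv2 (username/password).
    left=%defaultroute
    leftauth=eap-mschapv2
    eap_identity=<your username>
    # Assumption: the gateway assigns the client a virtual IP address.
    leftsourceip=%config

    # Gateway side: authenticates with its certificate, which is validated
    # against the root CA placed in /etc/ipsec.d/cacerts.
    right=<your SSL VPN IP Address used for IKEv2>
    rightauth=pubkey
    # Assumption: placeholder for the identity in the SSL VPN certificate.
    rightid=<identity in the SSL VPN certificate>
    rightsubnet=<the subnet you want to have access>

    # Assumption: pin ESP to the AES128/SHA1 transform that the thread reports
    # as working. The trailing "!" makes the proposal strict, so a gateway
    # set to AES128/MD5 fails negotiation instead of falling back.
    esp=aes128-sha1!

    auto=add

# /etc/ipsec.secrets (separate file, readable by root only):
# <your username> : EAP "<your password>"
```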
04-18-2011 09:16 AM
Are certs still needed to do EAP user auth with IVE 7.1? The Admin Guide has little on this and seems to merge EAP and cert auth. I didn't do anything with certs and I'm getting the following error from the Windows 7 client: "Error 13801: IKE auth credentials are unacceptable".