Juniper Employee
negreuj67
Posts: 3
Registered: ‎08-20-2008
0

Re: ikev2, anyone got it working?

Hi,

 

User/PW Auth will be supported with 7.1. Can you please share your strongSwan config? I have the same SA config, but it does not work!

 

Regards

 

JS

Contributor
VincentM
Posts: 27
Registered: ‎08-04-2008
0

Re: ikev2, anyone got it working?

[ Edited ]

Hi There,

 

I have the same problem as you, so I opened a case this morning...

 

- The strongSwan IKEv2 client is working fine on Linux (for both EAP-MSCHAPv2 and certificate authentication)

- But I'm unable to connect with Windows 7: I've got a 13868 error on Windows 7. The SSL VPN user logs show that credentials are accepted and an IKEv2 protocol error (IKEV2_NO_PROPOSAL_CHOSEN).

 

For info, on Linux, my ipsec.conf contains the following:

 

# ipsec.conf - strongSwan IPsec configuration file
config setup
    charonstart=yes
    plutostart=yes

# Add connections here.
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn sslvpn
    leftauth=eap-mschapv2
    leftid=<your username>
    right=<your SSL VPN IP Address used for IKEv2>
    rightid=%any
    rightauth=rsasig
    rightsubnet=<the subnet you want to have access>
    auto=add
    leftsourceip=%config

 

 

 

You should add the corresponding password to the ipsec.secrets file:

<your username> : EAP "<your password>"

 

You should add the corresponding root CA used for the SSL VPN certificate to the /etc/ipsec.d/cacerts folder.

 

On the SSL VPN, I use a local backend, with clear text password. Do not forget that only local auth (with the clear text password option) and the Active Directory backend are supported for MSCHAPv2.

 

I hope that the RADIUS backend will be supported soon (all the EAP stuff is already on my RADIUS server...).

 

 

Regards,

 

 

Vincent

Contributor
VincentM
Posts: 27
Registered: ‎08-04-2008
0

Re: ikev2, anyone got it working?

Finally, I am able to connect with IKEv2 on Windows 7 Client.

 

I had to change something in my "Resource profile":

I had to set the "Network Connect" transport mode to "ESP AES128/SHA1" (as shown in the screenshot); "ESP AES128/MD5" is not working.

 

 

Now IKEv2 tunnels work on Windows 7 and Linux clients.
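
Added example (not part of any post in this thread, and not Juniper or strongSwan code): a sketch of responder-side IKEv2 proposal selection as described in RFC 7296 section 3.3, showing how a gateway set to "ESP AES128/MD5" ends in NO_PROPOSAL_CHOSEN while "ESP AES128/SHA1" is accepted. The client offer is constructed sample data that assumes a client offering only SHA1 integrity; it is not a captured Windows 7 proposal, and the transform labels are illustrative.

```python
NO_PROPOSAL_CHOSEN = 14  # IKEv2 Notify error type (RFC 7296, section 3.10.1)

def select_proposal(offered, policy):
    """Return (proposal_number, chosen_transforms) or None.

    offered: initiator proposals in preference order; each maps a transform
             type to the list of transforms offered for that type.
    policy:  responder policy; maps a transform type to the accepted set.
    """
    for number, proposal in enumerate(offered, start=1):
        # Simplification: the transform types must line up exactly, otherwise
        # the responder cannot pick one transform of each type in the proposal.
        if set(proposal) != set(policy):
            continue
        chosen = {}
        for ttype, names in proposal.items():
            match = next((n for n in names if n in policy[ttype]), None)
            if match is None:
                break  # one type without overlap rejects the whole proposal
            chosen[ttype] = match
        else:
            return number, chosen
    return None

def negotiate(offered, policy):
    """What the responder answers: a selected proposal or an error notify."""
    result = select_proposal(offered, policy)
    if result is None:
        return {"notify": NO_PROPOSAL_CHOSEN}
    return {"proposal": result[0], "transforms": result[1]}

# Constructed ESP offer (assumption): a client that only offers SHA1 integrity.
CLIENT_SHA1_ONLY = [
    {"ENCR": ["AES_CBC/256"], "INTEG": ["HMAC_SHA1_96"], "ESN": ["NO_ESN"]},
    {"ENCR": ["AES_CBC/128"], "INTEG": ["HMAC_SHA1_96"], "ESN": ["NO_ESN"]},
    {"ENCR": ["3DES"], "INTEG": ["HMAC_SHA1_96"], "ESN": ["NO_ESN"]},
]
# Constructed ESP offer (assumption): a client that lists both integrity algorithms.
CLIENT_BOTH = [
    {"ENCR": ["AES_CBC/128"], "INTEG": ["HMAC_SHA1_96", "HMAC_MD5_96"], "ESN": ["NO_ESN"]},
]
# Gateway policies named after the two transport mode settings in the post above.
GATEWAY_AES128_MD5 = {"ENCR": {"AES_CBC/128"}, "INTEG": {"HMAC_MD5_96"}, "ESN": {"NO_ESN"}}
GATEWAY_AES128_SHA1 = {"ENCR": {"AES_CBC/128"}, "INTEG": {"HMAC_SHA1_96"}, "ESN": {"NO_ESN"}}

if __name__ == "__main__":
    for label, policy in (("AES128/MD5", GATEWAY_AES128_MD5), ("AES128/SHA1", GATEWAY_AES128_SHA1)):
        print(label, "sha1-only client:", negotiate(CLIENT_SHA1_ONLY, policy))
        print(label, "both-algs client:", negotiate(CLIENT_BOTH, policy))
```

When debugging a real NO_PROPOSAL_CHOSEN, compare the proposals logged by the client's IKE daemon against the gateway's configured transform before changing authentication settings, since the error is raised independently of whether credentials were accepted.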

Visitor
oge
Posts: 1
Registered: ‎03-19-2009
0

Re: ikev2, anyone got it working?

Are certs still needed to do EAP user auth with IVE 7.1? The Admin Guide has little on this and seems to merge EAP and cert auth. I didn't do anything with certs and I'm getting the following error from the Windows 7 client: "Error 13801: IKE auth credentials are unacceptable".

Moderator
zanyterp
Posts: 2,306
Registered: ‎11-19-2007
0

Re: ikev2, anyone got it working?

No, certificate authentication is no longer needed (starting with 7.1).

Have you verified the steps/instructions outlined here: KB21321?
