Closed

StrongSwan and IKEv2 on WIN7

description

There appears to be a problem with DotRas while using an IKEv2 connection and a StrongSwan VPN server that causes a 1931 error on Windows 7 32-bit and 64-bit. This issue does not replicate on Windows 8.

1931: ERROR_CONTEXT_EXPIRED

Already tried leaving the handles to the dial params and dial extensions open in the RasHelper.Dial method with no luck.

Closed Jul 3, 2013 at 1:08 AM by jeff_winn
Unable to reproduce.

comments

jeff_winn wrote Jun 20, 2013 at 2:05 PM

I had to create this so you can attach files to the work item. I'm going to need you to enable RAS diagnostic logging on your client and upload all of them in a zip file here. If you need help enabling diagnostic logging see this page.

onlybird wrote Jun 21, 2013 at 1:52 AM

Thanks for your hard work.

Here it is.

jeff_winn wrote Jun 21, 2013 at 3:57 AM

Let's get a copy of the DotRas diagnostic logging as well to see what's going on under the hood in it. I just updated that same page here with the instructions on how to enable it as well.

I didn't see anything out of the ordinary in your Windows log file, other than there was a call to RasSetEapInfo which appeared to clear the data from it as it was trying to connect. Does your VPN connection use EAP at all, or is it just using certificates?

onlybird wrote Jun 21, 2013 at 6:13 AM

conn IKEv2
 rekey=no
 keyexchange=ikev2
 auto=add
 leftauth=pubkey
 leftcert=ikev2Cert.pem
 rightauth=eap-radius
 rightsendcert=never
 eap_identity=%identity
 compress=yes
 rightsourceip=50.0.16.1/24

This is my VPN server setting.

jeff_winn wrote Jun 21, 2013 at 11:11 PM

I do still need the DotRas log file uploaded to take a look at it.

onlybird wrote Jun 22, 2013 at 9:10 AM

Log file uploaded (win7, win8).

jeff_winn wrote Jun 22, 2013 at 3:00 PM

Which build flavor are you using on each of the operating systems? WIN7 for Windows 7 and WIN8 for Windows 8?

onlybird wrote Jun 22, 2013 at 3:25 PM

Both win7 and win8 are using DOTRAS-WIN7.

jeff_winn wrote Jun 25, 2013 at 2:09 AM

At first glance over the weekend I didn't see anything, but after going line by line between both Win7 and Win8 log files you provided, the Win7 log file indicates that an EAP custom auth key was provided in your RasEntry.

You can see it on line 166 of the log file:
customAuthKey: '26'

Since it's not present in your Win8 log file, and you're having a problem with EAP, and that property is EAP related, you might try setting it to 0.

jeff_winn wrote Jun 25, 2013 at 2:11 AM

The biggest problem with this area of RAS is that there isn't much documentation on how to use it, and there is absolutely no documentation on how to do what you're asking. Unfortunately it's been a lot of trial and error as I don't have the resources to contact Microsoft to get assistance.

onlybird wrote Jun 25, 2013 at 2:45 PM

Hello,

I changed the CustomAuthKey to 0,

but in the Win7 log file, the CustomAuthKey value is still 26....

jeff_winn wrote Jun 26, 2013 at 4:17 AM

I didn't expect it to fix it, given that Windows dials the connection correctly... it was more of a long shot.

I've done what I can; it looks like you're going to have to diagnose it yourself from here on out. Like I said, this area of RAS isn't very well documented (if at all), and the VPN server you're using is the only one I've heard of causing the issue.

I wish I had better news, but it is what it is.

onlybird wrote Jun 27, 2013 at 12:48 PM

use dotras

man log

[1292] 06-27 19:58:53:699: ProtocolStart: UserName: onlybird
[1292] 06-27 19:58:53:699: ProtocolStart: Domain:
[1292] 06-27 19:58:53:699: DwCacheCredMgrCredentials
[1292] 06-27 19:58:53:699: DwCacheCredMgrCredentials: 0x0
[1512] 06-27 19:58:53:715: ProtocolStarted...VPN1-2
[856] 06-27 19:59:57:533: HandleSessionChange: lpEventData (WTSSESSION_NOTIFICATION) is NULL
[1292] 06-27 19:59:58:718: SendProtocolResultToRasman: msgid=1

eap log

[1292] 06-27 19:58:53:793: EapHost returned Action = EapHostPeerResponseInvokeUi. Invoking UI...



use system

man log

[2816] 06-27 19:54:47:571: ProtocolStart: UserName: onlybird
[2816] 06-27 19:54:47:571: ProtocolStart: Domain:
[2816] 06-27 19:54:47:571: DwCacheCredMgrCredentials
[2816] 06-27 19:54:47:571: DwCacheCredMgrCredentials: 0x0
[1512] 06-27 19:54:47:571: ProtocolStarted...VPN1-2
[2816] 06-27 19:54:48:320: SendProtocolResultToRasman: msgid=3

eap log

[2816] 06-27 19:54:47:680: EapHost returned Action = EapHostPeerResponseSend. Processing send packet...

server log

12[ENC] <IPSec-IKEv2|7> generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ] //system
09[ENC] <IPSec-IKEv2|9> generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ] //dotras

12[NET] <IPSec-IKEv2|7> sending packet: from 157.7.x.x[4500] to 216.36.x.x[52945] (4316 bytes)
09[NET] <IPSec-IKEv2|9> sending packet: from 157.7.x.x[4500] to 216.36.x.x[52945] (4316 bytes)

11[NET] <IPSec-IKEv2|7> received packet: from 216.36.x.x[52945] to 157.7.x.x[4500] (76 bytes)
... time out


Trying to find issues for error 1931

Thanks for your help
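
An added example, not part of the original thread and not DotRas code: a small Python parser for the RAS trace lines quoted in the last post, reporting which EapHost action each dial attempt reached and how long passed between ProtocolStart and SendProtocolResultToRasman. The function names are hypothetical and the line format is assumed from the excerpts shown.

```python
import re
from datetime import datetime

# Trace line shape assumed from the excerpts: "[tid] MM-DD HH:MM:SS:mmm: message"
LINE = re.compile(r"^\[(\d+)\] (\d\d-\d\d \d\d:\d\d:\d\d):(\d{3}): (.*)$")
EAP_ACTION = re.compile(r"EapHost returned Action = (\w+)")

# Trace lines copied from the post above (DotRas dial, then system dial).
DOTRAS_MAN = """[1292] 06-27 19:58:53:699: ProtocolStart: UserName: onlybird
[1512] 06-27 19:58:53:715: ProtocolStarted...VPN1-2
[1292] 06-27 19:59:58:718: SendProtocolResultToRasman: msgid=1"""
DOTRAS_EAP = ("[1292] 06-27 19:58:53:793: EapHost returned Action = "
              "EapHostPeerResponseInvokeUi. Invoking UI...")
SYSTEM_MAN = """[2816] 06-27 19:54:47:571: ProtocolStart: UserName: onlybird
[1512] 06-27 19:54:47:571: ProtocolStarted...VPN1-2
[2816] 06-27 19:54:48:320: SendProtocolResultToRasman: msgid=3"""
SYSTEM_EAP = ("[2816] 06-27 19:54:47:680: EapHost returned Action = "
              "EapHostPeerResponseSend. Processing send packet...")

def parse(text):
    """Yield (thread_id, timestamp, message) for each well-formed trace line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank lines and anything that is not a trace record
        tid, stamp, ms, msg = m.groups()
        # The trace carries no year; a fixed leap year keeps 02-29 parseable.
        ts = datetime.strptime(f"2000-{stamp}.{ms}", "%Y-%m-%d %H:%M:%S.%f")
        yield int(tid), ts, msg

def summarize(man_text, eap_text):
    """Return EapHost actions seen and seconds from ProtocolStart to the result."""
    start = end = None
    for _tid, ts, msg in parse(man_text):
        if msg.startswith("ProtocolStart:") and start is None:
            start = ts
        elif msg.startswith("SendProtocolResultToRasman"):
            end = ts
    actions = [m.group(1) for _t, _s, msg in parse(eap_text)
               if (m := EAP_ACTION.search(msg))]
    elapsed = (end - start).total_seconds() if start and end else None
    return {"actions": actions, "elapsed": elapsed,
            "ui_prompt": "EapHostPeerResponseInvokeUi" in actions}

if __name__ == "__main__":
    print("dotras:", summarize(DOTRAS_MAN, DOTRAS_EAP))
    print("system:", summarize(SYSTEM_MAN, SYSTEM_EAP))
```

On the quoted lines, the DotRas dial reaches EapHostPeerResponseInvokeUi and its result arrives about 65 seconds later, while the system dial reaches EapHostPeerResponseSend and completes in under a second.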