Enable IKE tracing on windows 10 VPN
Solution 1
For enabling logs atleast in Creators update and above for windows we added a new trace provider.
Netsh trace start VpnClient per=yes maxsize=0 filemode=single
<Repro the scenario>
Netsh trace stop
There is also VpnClient_dbg for additional verbose logging
Solution 2
Ok - for anyone that experiences similar issues: The windows event log showed that the connection failed with error code 13801. I looked that up here: https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/. #4 is 'VPN Server Name as given on client doesn’t match with the subjectName of the server certificate.'. I was trying to connect to the VPN server's IP address. I switched to the hostname and voila.
I would still be interested to know how to enable useful logging on the windows 10 VPN though ...
Related videos on Youtube
02 : 01
03 : 57
06 : 23
03 : 03
![What is a VPN and How Does it Work? [Video Explainer]](https://i.ytimg.com/vi/_wQTRMBAvzg/hq720.jpg?sqp=-oaymwEcCNAFEJQDSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLAIvwXf8-uhdm-F-lOPSMeb3tTaLg)
04 : 20
01 : 25
10 : 18
FatalFlaw
Updated on September 18, 2022Comments
-
FatalFlaw over 1 year
I have an IKEV2 VPN setup (including certs) that worked fine on windows 7. On Windows 10, the same config fails with 'IKE authentication credentials are unacceptable'. Server is StrongSwan. The last line in the log for a connection attempt is:
2016-02-11T12:34:57.457606+00:00 e01pfw01 charon: [info] 05[IKE] assigning virtual IP 10.7.220.6 to peer '**<removed>**' 2016-02-11T12:34:57.461904+00:00 e01pfw01 charon: [info] 05[IKE] CHILD_SA rw-ops{5592} established with SPIs c221e19b_i 29212c9e_o and TS 10.6.75.0/24 10.7.240.0/20 === 10.7.220.6/32 2016-02-11T12:34:57.518381+00:00 e01pfw01 vpn: [notice] + **<removed>** 10.7.220.6/32 == 212.159.106.131 -- 62.23.139.70 == 10.6.75.0/24 2016-02-11T12:34:57.580529+00:00 e01pfw01 vpn: [notice] + **<removed>** 10.7.220.6/32 == 212.159.106.131 -- 62.23.139.70 == 10.7.240.0/20 2016-02-11T12:34:57.581975+00:00 e01pfw01 charon: [info] 05[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) ] 2016-02-11T12:34:57.582578+00:00 e01pfw01 charon: [info] 05[NET] sending packet: from 62.23.139.70[4500] to 212.159.106.131[4500] (1412 bytes)I cannot see any issues in the strongswan log, in fact I don't even see a response to the t line above (even though I can see from a pcap that the client sends a response), so I would like to debug the IKE authentication process on the Windows 10 client. Can anyone tell me how this is done?
I have tried
netsh set ras tracing * enabled. Log files are created, but nothing relevant to IKE authentication.netsh ipsec dynamic set config property=ikelogging value=1fails with 'The request is not supported`. I haven't been able to unearth anything else.It occurred to me that if the windows 10 client was causing a crash in strongswan, but something would appear in the log, right?