<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
AFAIK you have to import (at least some of) the certificates into
the right keychain<br>
<br>
On 12/13/2014 04:59 AM, Cindy Moore wrote:<br>
<span style="white-space: pre;">> OK, so on the mac client,
system.log shows:<br>
><br>
> Dec 12 18:28:17 minerva pppd[2349]: L2TP connecting to server<br>
> 'vpn.example.com' ([vpn ip])...<br>
> Dec 12 18:28:17 minerva pppd[2349]: IPSec connection started<br>
> Dec 12 18:28:17 minerva racoon[2350]: Connecting.<br>
> Dec 12 18:28:17 minerva racoon[2350]: IKE Packet: transmit
success.<br>
> (Initiator, Main-Mode message 1).<br>
> Dec 12 18:28:17 minerva racoon[2350]: IKE Packet: receive
success.<br>
> (Initiator, Main-Mode message 2).<br>
> Dec 12 18:28:17 minerva racoon[2350]: IKE Packet: transmit
success.<br>
> (Initiator, Main-Mode message 3).<br>
> Dec 12 18:28:17 minerva racoon[2350]: IKE Packet: receive
success.<br>
> (Initiator, Main-Mode message 4).<br>
> Dec 12 18:28:18 minerva racoon[2350]: IKE Packet: transmit
success.<br>
> (Initiator, Main-Mode message 5).<br>
> Dec 12 18:28:18 minerva racoon[2350]: IKEv1 Phase1 AUTH:
failed.<br>
> (Initiator, Main-Mode Message 6).<br>
> Dec 12 18:28:18 minerva racoon[2350]: IKE Packet: transmit
success.<br>
> (Information message).<br>
> Dec 12 18:28:18 minerva racoon[2350]: IKEv1
Information-Notice:<br>
> transmit success. (ISAKMP-SA).<br>
> Dec 12 18:28:18 minerva racoon[2350]: IKE Packet: receive
failed.<br>
> (Initiator, Main-Mode Message 6).<br>
> Dec 12 18:28:18 minerva pppd[2349]: IPSec connection failed
<IKE Error<br>
> 22 (0x16) Invalid cert authority><br>
> Dec 12 18:28:18 minerva configd[14]: SCNCController:
Disconnecting.<br>
> (Connection tried to negotiate for, 1 seconds).<br>
> Dec 12 18:28:18 minerva racoon[2350]: Disconnecting.
(Connection tried<br>
> to negotiate for, 0.735722 seconds).<br>
> Dec 12 18:28:18 minerva racoon[2350]: IKE Packets Receive
Failure-Rate<br>
> Statistic. (Failure-Rate = 50.000).<br>
> Dec 12 18:28:18 minerva racoon[2350]: IKE Phase1
Authentication<br>
> Failure-Rate Statistic. (Failure-Rate = 100.000).<br>
><br>
> So it seems pretty clear something is hinky with the
certificate. I'm<br>
> not entirely sure where to look for this. The pem versions
of the<br>
> certificates work just fine from my linux client. The
certificates<br>
> look okay on the mac when I display them from the keychain,
although<br>
> as I mentioned, i can't seem to pull up the vpnHost
certificate when<br>
> setting up the vpn. Any suggestions as to what I can look at
to try<br>
> and figure out what exactly is going wrong with the
certificates? I<br>
> created the p12 files using openssl:<br>
><br>
> # openssl pkcs12 -export -in certs/vpnHostCert.pem -nokeys
-nodes -out<br>
> exports/vpnHost.p12<br>
> # openssl pkcs12 -export -in cacerts/strongswanCert.pem
-nokeys -nodes<br>
> -out exports/strongSwan.p12<br>
><br>
> and<br>
><br>
> openssl pkcs12 -export -inkey private/cindyKey.pem \<br>
>> -in certs/cindyCert.pem -name "Cindy's VPN Certificate" \<br>
>> -certfile cacerts/strongswanCert.pem \<br>
>> -caname "strongSwan Root CA" \<br>
>> -out exports/cindy.p12<br>
><br>
> I would appreciate any suggestions at all.<br>
><br>
> Thanks,<br>
> Cindy<br>
><br>
> On Fri, Dec 12, 2014 at 2:46 PM, Cindy Moore
<a class="moz-txt-link-rfc2396E" href="mailto:ctmoore@cs.ucsd.edu"><ctmoore@cs.ucsd.edu></a> wrote:<br>
>> I wonder if it's the noauth. I commented that out, just
to be sure<br>
>> that various changes were "taking" (the authby is
completely ignored<br>
>> in the ipsec restart output in /var/log/syslog, so I
changed something<br>
>> else in order to make sure the restarts were reflecting
changes in the<br>
>> ipsec.conf). If I remove the xauth-noauth, then I get<br>
>><br>
>> Dec 12 14:39:08 vpn charon: 13[IKE] received end entity
cert "C=US,<br>
>> O=ThatsUs, <a class="moz-txt-link-abbreviated" href="mailto:CN=ctmoore@example.com">CN=ctmoore@example.com</a>"<br>
>> Dec 12 14:39:08 vpn charon: 13[CFG] looking for RSA
signature peer<br>
>> configs matching [vpn ip]...[client ip][C=US, O=ThatsUs,<br>
>> <a class="moz-txt-link-abbreviated" href="mailto:CN=ctmoore@example.com">CN=ctmoore@example.com</a>]<br>
>> Dec 12 14:39:08 vpn charon: 13[CFG] candidate
"roadwarrior-ikev1",<br>
>> match: 1/1/1052 (me/other/ike)<br>
>> Dec 12 14:39:08 vpn charon: 13[CFG] selected peer config
"roadwarrior-ikev1"<br>
>> Dec 12 14:39:08 vpn charon: 13[CFG] using certificate
"C=US,<br>
>> O=ThatsUs, <a class="moz-txt-link-abbreviated" href="mailto:CN=ctmoore@example.com">CN=ctmoore@example.com</a>"<br>
>> Dec 12 14:39:08 vpn charon: 13[CFG] certificate "C=US,
O=ThatsUs,<br>
>> <a class="moz-txt-link-abbreviated" href="mailto:CN=ctmoore@example.com">CN=ctmoore@example.com</a>" key: 2048 bit RSA<br>
>> Dec 12 14:39:08 vpn charon: 13[CFG] using trusted ca
certificate<br>
>> "C=US, O=ThatsUs, CN=strongSwan Root CA"<br>
>> Dec 12 14:39:08 vpn charon: 13[CFG] checking certificate
status of<br>
>> "C=US, O=ThatsUs, <a class="moz-txt-link-abbreviated" href="mailto:CN=ctmoore@example.com">CN=ctmoore@example.com</a>"<br>
>> Dec 12 14:39:08 vpn charon: 13[CFG] ocsp check skipped,
no ocsp found<br>
>> Dec 12 14:39:08 vpn charon: 13[CFG] certificate status is
not available<br>
>> Dec 12 14:39:08 vpn charon: 13[CFG] certificate "C=US,
O=ThatsUs,<br>
>> CN=strongSwan Root CA" key: 4096 bit RSA<br>
>> Dec 12 14:39:08 vpn charon: 13[CFG] reached self-signed
root ca with<br>
>> a path length of 0<br>
>> Dec 12 14:39:08 vpn charon: 13[IKE] authentication of
'C=US,<br>
>> O=ThatsUs, <a class="moz-txt-link-abbreviated" href="mailto:CN=ctmoore@example.com">CN=ctmoore@example.com</a>' with RSA successful<br>
>> Dec 12 14:39:08 vpn charon: 13[IKE] authentication of
'C=US,<br>
>> O=ThatsUs, CN=vpn.example.com' (myself) successful<br>
>> Dec 12 14:39:08 vpn charon: 13[IKE] IKE_SA
roadwarrior-ikev1[1]<br>
>> established between [vpn ip][C=US, O=ThatsUs,<br>
>> CN=vpn.example.com]...[client ip][C=US, O=ThatsUs,<br>
>> <a class="moz-txt-link-abbreviated" href="mailto:CN=ctmoore@example.com">CN=ctmoore@example.com</a>]<br>
>> Dec 12 14:39:08 vpn charon: 13[IKE] IKE_SA
roadwarrior-ikev1[1] state<br>
>> change: CONNECTING => ESTABLISHED<br>
>> Dec 12 14:39:08 vpn charon: 13[IKE] scheduling
reauthentication in 3271s<br>
>> Dec 12 14:39:08 vpn charon: 13[IKE] maximum IKE_SA
lifetime 3451s<br>
>> Dec 12 14:39:08 vpn charon: 13[IKE] sending end entity
cert "C=US,<br>
>> O=ThatsUs, CN=vpn.example.com"<br>
>> Dec 12 14:39:08 vpn charon: 13[ENC] generating ID_PROT
response 0 [ ID<br>
>> CERT SIG ]<br>
>> Dec 12 14:39:08 vpn charon: 13[NET] sending packet: from
[vpn<br>
>> ip][4500] to [client ip][45779] (1484 bytes)<br>
>> Dec 12 14:39:08 vpn charon: 03[NET] sending packet: from
[vpn<br>
>> ip][4500] to [client ip][45779]<br>
>> Dec 12 14:39:08 vpn charon: 01[NET] received packet: from
[client<br>
>> ip][45779] to [vpn ip][4500]<br>
>> Dec 12 14:39:08 vpn charon: 01[NET] waiting for data on
sockets<br>
>> Dec 12 14:39:08 vpn charon: 15[NET] received packet: from
[client<br>
>> ip][45779] to [vpn ip][4500] (68 bytes)<br>
>> Dec 12 14:39:08 vpn charon: 15[ENC] invalid HASH_V1
payload length,<br>
>> decryption failed?<br>
>> Dec 12 14:39:08 vpn charon: 15[ENC] could not decrypt
payloads<br>
>> Dec 12 14:39:08 vpn charon: 15[IKE] message parsing
failed<br>
>> Dec 12 14:39:08 vpn charon: 15[IKE] ignore malformed
INFORMATIONAL request<br>
>> Dec 12 14:39:08 vpn charon: 15[IKE] INFORMATIONAL_V1
request with<br>
>> message ID 3172758586 processing failed<br>
>><br>
>> On Fri, Dec 12, 2014 at 2:39 PM, Cindy Moore
<a class="moz-txt-link-rfc2396E" href="mailto:ctmoore@cs.ucsd.edu"><ctmoore@cs.ucsd.edu></a> wrote:<br>
>>> Thought authby was deprecated long before Strongswan
5.2.1 (which is<br>
>>> what I'm using)? In any case, I tested it out, but
that didn't make a<br>
>>> difference).<br>
>>><br>
>>> On Fri, Dec 12, 2014 at 2:30 PM, Noel Kuntze
<a class="moz-txt-link-rfc2396E" href="mailto:noel@familie-kuntze.de"><noel@familie-kuntze.de></a> wrote:<br>
>>>><br>
> Hello,<br>
><br>
> Judging from the manpage, using "authby=xauthrsasig" is the
same as your configuration with leftauth and rightauth parameters.<br>
> Maybe try that? I don't know if it helps. *shrugs*<br>
><br>
> Mit freundlichen Grüßen/Regards,<br>
> Noel Kuntze<br>
><br>
> GPG Key ID: 0x63EC6658<br>
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC
6658<br>
><br>
> Am 12.12.2014 um 23:19 schrieb Cindy Moore:<br>
> >>>>> I'm really at a loss over this one. I
can get the connections going<br>
> >>>>> with other clients, for example Network
Manager on a Ubuntu 14.04 has<br>
> >>>>> no difficulties connecting with my
strongswan server.<br>
> >>>>><br>
> >>>>> This seems to be a possible clue:<br>
> >>>>> Dec 11 12:47:54 vpn charon: 10[IKE]
found 1 matching config, but none<br>
> >>>>> allows RSA signature authentication
using Main Mode<br>
> >>>>><br>
> >>>>> But I'm not sure how to interpret it, or
begin to address it.<br>
> >>>>><br>
> >>>>> I'm also unsure about how the mac's vpn
connection should be<br>
> >>>>> configured (I haven't found an
equivalent to<br>
> >>>>>
<a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager">https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager</a><br>
> >>>>> under the Howto's for a Mac VPN setup,
so I don't know if its some<br>
> >>>>> kind of problem that I can't select the
vpn host certificate from the<br>
> >>>>> vpn setup dialog even though it shows up
just fine in the system<br>
> >>>>> keychain. Any thoughts?<br>
> >>>>><br>
> >>>>> On Thu, Dec 11, 2014 at 1:20 PM, Cindy
Moore <a class="moz-txt-link-rfc2396E" href="mailto:ctmoore@cs.ucsd.edu"><ctmoore@cs.ucsd.edu></a> wrote:<br>
> >>>>>> I'm trying to get a basic connection
going with a mac os x client to<br>
> >>>>>> strongswan (latest) installed on
ubuntu (14.04 lts). I'm not entirely<br>
> >>>>>> certain what is going on. It seems
like the client isn't sending the<br>
> >>>>>> desired certificate. in the log
file, vpnHostCert doesn't seem to<br>
> >>>>>> play a part at all which i find
unexpected.<br>
> >>>>>><br>
> >>>>>> When I set up the mac I sent the p12
packages over to the mac, added<br>
> >>>>>> the three of them (root, vpnHost,
cindy) to the system keychain.<br>
> >>>>>> What's weird though, is that I can
only seem to select, for both User<br>
> >>>>>> Authentication certificate &
Machine Authentication certificate, the<br>
> >>>>>> one identified with
<a class="moz-txt-link-abbreviated" href="mailto:ctmoore@example.com">ctmoore@example.com</a> (I had expected to select that<br>
> >>>>>> for User Auth, and the
vpn.example.com for Machine Auth -- all three<br>
> >>>>>> (root, vpn, cindy) certificates are
visible in the system keychain,<br>
> >>>>>> but only the cindy one appears in
the list of options when selecting<br>
> >>>>>> User/Machine Auth in setting up a
vpn connection on the mac. I set<br>
> >>>>>> the strongswan root up as a trusted
cert, and authorized the use of<br>
> >>>>>> all three in any kind of setting.<br>
> >>>>>><br>
> >>>>>><br>
> >>>>>> Overview of setup (syslog copy at
end)<br>
> >>>>>><br>
> >>>>>><br>
> >>>>>> Created the certificates. Sorry, my
email program is eating tabs.<br>
> >>>>>><br>
> >>>>>> ========<br>
> >>>>>> "root":<br>
> >>>>>> ipsec pki --gen --type rsa --size
4096 \<br>
> >>>>>> --outform pem \<br>
> >>>>>>> private/strongswanKey.pem<br>
> >>>>>> chmod 600 private/strongswanKey.pem<br>
> >>>>>> ipsec pki --self --ca --lifetime
3650 \<br>
> >>>>>> --in private/strongswanKey.pem
--type rsa \<br>
> >>>>>> --dn "C=US, O=ThatsUs, CN=strongSwan
Root CA" \<br>
> >>>>>> --outform pem \<br>
> >>>>>>> cacerts/strongswanCert.pem<br>
> >>>>>><br>
> >>>>>> ========<br>
> >>>>>> host:<br>
> >>>>>> ipsec pki --gen --type rsa --size
2048 \<br>
> >>>>>> --outform pem \<br>
> >>>>>>> private/vpnHostKey.pem<br>
> >>>>>> chmod 600 private/vpnHostKey.pem<br>
> >>>>>> ipsec pki --pub --in
private/vpnHostKey.pem --type rsa | \<br>
> >>>>>> ipsec pki --issue --lifetime 730 \<br>
> >>>>>> --cacert cacerts/strongswanCert.pem
\<br>
> >>>>>> --cakey private/strongswanKey.pem \<br>
> >>>>>> --dn "C=US, O=ThatsUs,
CN=vpn.example.com" \<br>
> >>>>>> --san vpn.example.com \<br>
> >>>>>> --flag serverAuth --flag
ikeIntermediate \<br>
> >>>>>> --outform pem >
certs/vpnHostCert.pem<br>
> >>>>>><br>
> >>>>>> ipsec pki --print looks okay for
both<br>
> >>>>>><br>
> >>>>>> ========<br>
> >>>>>> created p12 packages<br>
> >>>>>> # openssl pkcs12 -export -in
certs/vpnHostCert.pem -nokeys -nodes -out<br>
> >>>>>> exports/vpnHost.p12<br>
> >>>>>> Enter Export Password:<br>
> >>>>>> Verifying - Enter Export Password:<br>
> >>>>>><br>
> >>>>>> # openssl pkcs12 -export -in
cacerts/strongswanCert.pem -nokeys -nodes<br>
> >>>>>> -out exports/strongSwan.p12<br>
> >>>>>> Enter Export Password:<br>
> >>>>>> Verifying - Enter Export Password:<br>
> >>>>>><br>
> >>>>>> ========<br>
> >>>>>> client certificate<br>
> >>>>>> ipsec pki --gen --type rsa --size
2048 \<br>
> >>>>>> --outform pem \<br>
> >>>>>>> private/cindyKey.pem<br>
> >>>>>> chmod 600 private/cindyKey.pem<br>
> >>>>>> ipsec pki --pub --in
private/cindyKey.pem --type rsa | \<br>
> >>>>>> ipsec pki --issue --lifetime 730 \<br>
> >>>>>> --cacert cacerts/strongswanCert.pem
\<br>
> >>>>>> --cakey private/strongswanKey.pem \<br>
> >>>>>> --dn "C=US, O=ThatsUs,
<a class="moz-txt-link-abbreviated" href="mailto:CN=ctmoore@example.com">CN=ctmoore@example.com</a>" \<br>
> >>>>>> --san <a class="moz-txt-link-abbreviated" href="mailto:ctmoore@example.com">ctmoore@example.com</a> \<br>
> >>>>>> --outform pem >
certs/cindyCert.pem<br>
> >>>>>><br>
> >>>>>> (plus p12 packaging)<br>
> >>>>>><br>
> >>>>>> ========<br>
> >>>>>> ipsec.secrets<br>
> >>>>>> : RSA vpnHostKey.pem<br>
> >>>>>><br>
> >>>>>> =========<br>
> >>>>>> ipsec.conf<br>
> >>>>>><br>
> >>>>>> conn %default<br>
> >>>>>> ikelifetime=60m<br>
> >>>>>> keylife=60m<br>
> >>>>>> rekeymargin=3m<br>
> >>>>>> keyingtries=1<br>
> >>>>>> #vpn server<br>
> >>>>>> left=[vpn ip]<br>
> >>>>>> leftcert=vpnHostCert.pem<br>
> >>>>>> # certificate based ID<br>
> >>>>>> leftid="C=US, O=strongSwan,
CN=vpn.example.com"<br>
> >>>>>> #allow full tunneling<br>
> >>>>>> leftsubnet=0.0.0.0/0<br>
> >>>>>> #assign ip addr from this
pool<br>
> >>>>>> rightsourceip=[...]<br>
> >>>>>> # assign dns servers once
connected<br>
> >>>>>> rightdns=[...]<br>
> >>>>>><br>
> >>>>>> ca %default<br>
> >>>>>> cacert=strongswanCert.pem<br>
> >>>>>><br>
> >>>>>> # certificate only<br>
> >>>>>> conn roadwarrior-ikev2<br>
> >>>>>> keyexchange=ikev2<br>
> >>>>>> leftauth=pubkey<br>
> >>>>>> right=%any<br>
> >>>>>> rightid=%any<br>
> >>>>>> rightauth=pubkey<br>
> >>>>>> auto=add<br>
> >>>>>><br>
> >>>>>> # certificate only, fakeout on xauth
(for eg Mac/iOS that must do<br>
> >>>>>> xauth. and ikev1 for that matter)<br>
> >>>>>> conn roadwarrior-ikev1<br>
> >>>>>> keyexchange=ikev1<br>
> >>>>>> leftauth=pubkey<br>
> >>>>>> right=%any<br>
> >>>>>> rightid=%any<br>
> >>>>>> rightauth=pubkey<br>
> >>>>>> rightauth2=xauth-noauth<br>
> >>>>>> auto=add<br>
> >>>>>><br>
> >>>>>><br>
> >>>>>> ========<br>
> >>>>>><br>
> >>>>>><br>
> >>>>>> Using the same ctmoore cert on
User/Machine auth in the mac vpn and<br>
> >>>>>> connect anyway, I get the following
in the syslog<br>
> >>>>>><br>
> >>>>>> I find the<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE]
found 1 matching config, but none<br>
> >>>>>> allows RSA signature authentication
using Main Mode<br>
> >>>>>> entry interesting, but I don't know
if that's the issue, and if it is,<br>
> >>>>>> what I can do about it.<br>
> >>>>>><br>
> >>>>>><br>
> >>>>>> /var/log/syslog<br>
> >>>>>> ========<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 02[NET]
received packet: from [client<br>
> >>>>>> ip][500] to [vpn ip][500]<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 02[NET]
waiting for data on sockets<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[NET]
received packet: from [client<br>
> >>>>>> ip][500] to [vpn ip][500] (300
bytes)<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[ENC]
parsed ID_PROT request 0 [ SA V V<br>
> >>>>>> V V V V V V V V V ]<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG]
looking for an ike config for [vpn<br>
> >>>>>> ip]...[client ip]<br>
> >>>>>> Dec 11 12:47:54 vpn charon:
04[CFG] candidate: [vpn ip]...%any, prio 1052<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG]
found matching ike config: [vpn<br>
> >>>>>> ip]...%any with prio 1052<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE]
received NAT-T (RFC 3947) vendor ID<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE]
received<br>
> >>>>>> draft-ietf-ipsec-nat-t-ike vendor ID<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE]
received<br>
> >>>>>> draft-ietf-ipsec-nat-t-ike-08 vendor
ID<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE]
received<br>
> >>>>>> draft-ietf-ipsec-nat-t-ike-07 vendor
ID<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE]
received<br>
> >>>>>> draft-ietf-ipsec-nat-t-ike-06 vendor
ID<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE]
received<br>
> >>>>>> draft-ietf-ipsec-nat-t-ike-05 vendor
ID<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE]
received<br>
> >>>>>> draft-ietf-ipsec-nat-t-ike-04 vendor
ID<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE]
received<br>
> >>>>>> draft-ietf-ipsec-nat-t-ike-03 vendor
ID<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE]
received<br>
> >>>>>> draft-ietf-ipsec-nat-t-ike-02 vendor
ID<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE]
received<br>
> >>>>>> draft-ietf-ipsec-nat-t-ike-02\n
vendor ID<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE]
received DPD vendor ID<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE]
[client ip] is initiating a Main Mode IKE_SA<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE]
IKE_SA (unnamed)[3] state change:<br>
> >>>>>> CREATED => CONNECTING<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG]
selecting proposal:<br>
> >>>>>> Dec 11 12:47:54 vpn charon:
04[CFG] no acceptable ENCRYPTION_ALGORITHM found<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG]
selecting proposal:<br>
> >>>>>> Dec 11 12:47:54 vpn charon:
04[CFG] no acceptable DIFFIE_HELLMAN_GROUP found<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG]
selecting proposal:<br>
> >>>>>> Dec 11 12:47:54 vpn charon:
04[CFG] proposal matches<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG]
received proposals:<br>
> >>>>>>
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG]
configured proposals:<br>
> >>>>>>
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,<br>
> >>>>>>
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,<br>
> >>>>>>
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG]
selected proposal:<br>
> >>>>>>
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE]
sending XAuth vendor ID<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE]
sending DPD vendor ID<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE]
sending NAT-T (RFC 3947) vendor ID<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[ENC]
generating ID_PROT response 0 [ SA V V V ]<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 04[NET]
sending packet: from [vpn ip][500]<br>
> >>>>>> to [client ip][500] (132 bytes)<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 03[NET]
sending packet: from [vpn ip][500]<br>
> >>>>>> to [client ip][500]<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 02[NET]
received packet: from [client<br>
> >>>>>> ip][500] to [vpn ip][500]<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 02[NET]
waiting for data on sockets<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 09[NET]
received packet: from [client<br>
> >>>>>> ip][500] to [vpn ip][500] (228
bytes)<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 09[ENC]
parsed ID_PROT request 0 [ KE No<br>
> >>>>>> NAT-D NAT-D ]<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 09[IKE]
sending cert request for "C=US,<br>
> >>>>>> O=ThatsUs, CN=strongSwan Root CA"<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 09[ENC]
generating ID_PROT response 0 [ KE<br>
> >>>>>> No CERTREQ NAT-D NAT-D ]<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 09[NET]
sending packet: from [vpn ip][500]<br>
> >>>>>> to [client ip][500] (310 bytes)<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 03[NET]
sending packet: from [vpn ip][500]<br>
> >>>>>> to [client ip][500]<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 02[NET]
received packet: from [client<br>
> >>>>>> ip][500] to [vpn ip][500]<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 02[NET]
waiting for data on sockets<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 10[NET]
received packet: from [client<br>
> >>>>>> ip][500] to [vpn ip][500] (1492
bytes)<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 10[ENC]
parsed ID_PROT request 0 [ ID CERT<br>
> >>>>>> SIG CERTREQ N(INITIAL_CONTACT) ]<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE]
ignoring certificate request without data<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE]
received end entity cert "C=US,<br>
> >>>>>> O=ThatsUs, <a class="moz-txt-link-abbreviated" href="mailto:CN=ctmoore@example.com">CN=ctmoore@example.com</a>"<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 10[CFG]
looking for RSA signature peer<br>
> >>>>>> configs matching [vpn ip]...[client
ip][C=US, O=ThatsUs,<br>
> >>>>>> <a class="moz-txt-link-abbreviated" href="mailto:CN=ctmoore@example.com">CN=ctmoore@example.com</a>]<br>
> >>>>>> Dec 11 12:47:54 vpn charon:
10[CFG] candidate "roadwarrior-ikev1",<br>
> >>>>>> match: 1/1/1052 (me/other/ike)<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE]
found 1 matching config, but none<br>
> >>>>>> allows RSA signature authentication
using Main Mode<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE]
queueing INFORMATIONAL task<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE]
activating new tasks<br>
> >>>>>> Dec 11 12:47:54 vpn charon:
10[IKE] activating INFORMATIONAL task<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 10[ENC]
generating INFORMATIONAL_V1<br>
> >>>>>> request 2651689082 [ HASH
N(AUTH_FAILED) ]<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 10[NET]
sending packet: from [vpn ip][500]<br>
> >>>>>> to [client ip][500] (84 bytes)<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE]
IKE_SA (unnamed)[3] state change:<br>
> >>>>>> CONNECTING => DESTROYING<br>
> >>>>>> Dec 11 12:47:54 vpn charon: 03[NET]
sending packet: from [vpn ip][500]<br>
> >>>>>> to [client ip][500]<br>
> >>>>>> Dec 11 12:47:57 vpn charon: 02[NET]
received packet: from [client<br>
> >>>>>> ip][500] to [vpn ip][500]<br>
> >>>>>> Dec 11 12:47:57 vpn charon: 02[NET]
waiting for data on sockets<br>
> >>>>>> Dec 11 12:48:00 vpn charon: 02[NET]
received packet: from [client<br>
> >>>>>> ip][500] to [vpn ip][500]<br>
> >>>>>> Dec 11 12:48:00 vpn charon: 02[NET]
waiting for data on sockets<br>
> >>>>>> Dec 11 12:48:03 vpn charon: 02[NET]
received packet: from [client<br>
> >>>>>> ip][500] to [vpn ip][500]<br>
> >>>>>> Dec 11 12:48:03 vpn charon: 02[NET]
waiting for data on sockets<br>
> >>>>>> Dec 11 12:48:06 vpn charon: 02[NET]
received packet: from [client<br>
> >>>>>> ip][500] to [vpn ip][500]<br>
> >>>>>> Dec 11 12:48:06 vpn charon: 02[NET]
waiting for data on sockets<br>
> >>>>>> Dec 11 12:48:09 vpn charon: 02[NET]
received packet: from [client<br>
> >>>>>> ip][500] to [vpn ip][500]<br>
> >>>>>> Dec 11 12:48:09 vpn charon: 02[NET]
waiting for data on sockets<br>
> >>>>>> Dec 11 12:48:16 vpn charon: 02[NET]
received packet: from [client<br>
> >>>>>> ip][500] to [vpn ip][500]<br>
> >>>>>> Dec 11 12:48:16 vpn charon: 02[NET]
waiting for data on sockets<br>
> >>>>>> Dec 11 12:48:19 vpn charon: 02[NET]
received packet: from [client<br>
> >>>>>> ip][500] to [vpn ip][500]<br>
> >>>>>> Dec 11 12:48:19 vpn charon: 02[NET]
waiting for data on sockets<br>
> >>>>>> Dec 11 12:48:22 vpn charon: 02[NET]
received packet: from [client<br>
> >>>>>> ip][500] to [vpn ip][500]<br>
> >>>>>> Dec 11 12:48:22 vpn charon: 02[NET]
waiting for data on sockets<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 02[NET]
received packet: from [client<br>
> >>>>>> ip][500] to [vpn ip][500]<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 02[NET]
waiting for data on sockets<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[NET]
received packet: from [client<br>
> >>>>>> ip][500] to [vpn ip][500] (300
bytes)<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[ENC]
parsed ID_PROT request 0 [ SA V V<br>
> >>>>>> V V V V V V V V V ]<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG]
looking for an ike config for [vpn<br>
> >>>>>> ip]...[client ip]<br>
> >>>>>> Dec 11 12:48:24 vpn charon:
04[CFG] candidate: [vpn ip]...%any, prio 1052<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG]
found matching ike config: [vpn<br>
> >>>>>> ip]...%any with prio 1052<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE]
received NAT-T (RFC 3947) vendor ID<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE]
received<br>
> >>>>>> draft-ietf-ipsec-nat-t-ike vendor ID<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE]
received<br>
> >>>>>> draft-ietf-ipsec-nat-t-ike-08 vendor
ID<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE]
received<br>
> >>>>>> draft-ietf-ipsec-nat-t-ike-07 vendor
ID<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE]
received<br>
> >>>>>> draft-ietf-ipsec-nat-t-ike-06 vendor
ID<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE]
received<br>
> >>>>>> draft-ietf-ipsec-nat-t-ike-05 vendor
ID<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE]
received<br>
> >>>>>> draft-ietf-ipsec-nat-t-ike-04 vendor
ID<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE]
received<br>
> >>>>>> draft-ietf-ipsec-nat-t-ike-03 vendor
ID<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE]
received<br>
> >>>>>> draft-ietf-ipsec-nat-t-ike-02 vendor
ID<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE]
received<br>
> >>>>>> draft-ietf-ipsec-nat-t-ike-02\n
vendor ID<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE]
received DPD vendor ID<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE]
[client ip] is initiating a Main Mode IKE_SA<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE]
IKE_SA (unnamed)[4] state change:<br>
> >>>>>> CREATED => CONNECTING<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG]
selecting proposal:<br>
> >>>>>> Dec 11 12:48:24 vpn charon:
04[CFG] no acceptable ENCRYPTION_ALGORITHM found<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG]
selecting proposal:<br>
> >>>>>> Dec 11 12:48:24 vpn charon:
04[CFG] no acceptable DIFFIE_HELLMAN_GROUP found<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG]
selecting proposal:<br>
> >>>>>> Dec 11 12:48:24 vpn charon:
04[CFG] proposal matches<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG]
received proposals:<br>
> >>>>>>
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG]
configured proposals:<br>
> >>>>>>
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,<br>
> >>>>>>
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,<br>
> >>>>>>
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG]
selected proposal:<br>
> >>>>>>
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE]
sending XAuth vendor ID<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE]
sending DPD vendor ID<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE]
sending NAT-T (RFC 3947) vendor ID<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[ENC]
generating ID_PROT response 0 [ SA V V V ]<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 04[NET]
sending packet: from [vpn ip][500]<br>
> >>>>>> to [client ip][500] (132 bytes)<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 03[NET]
sending packet: from [vpn ip][500]<br>
> >>>>>> to [client ip][500]<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 02[NET]
received packet: from [client<br>
> >>>>>> ip][500] to [vpn ip][500]<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 02[NET]
waiting for data on sockets<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 09[NET]
received packet: from [client<br>
> >>>>>> ip][500] to [vpn ip][500] (228
bytes)<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 09[ENC]
parsed ID_PROT request 0 [ KE No<br>
> >>>>>> NAT-D NAT-D ]<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 09[IKE]
sending cert request for "C=US,<br>
> >>>>>> O=ThatsUs, CN=strongSwan Root CA"<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 09[ENC]
generating ID_PROT response 0 [ KE<br>
> >>>>>> No CERTREQ NAT-D NAT-D ]<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 09[NET]
sending packet: from [vpn ip][500]<br>
> >>>>>> to [client ip][500] (310 bytes)<br>
> >>>>>> Dec 11 12:48:24 vpn charon: 03[NET]
sending packet: from [vpn ip][500]<br>
> >>>>>> to [client ip][500]<br>
> >>>>>> Dec 11 12:48:54 vpn charon: 10[JOB]
deleting half open IKE_SA after timeout<br>
> >>>>>> Dec 11 12:48:54 vpn charon: 10[IKE]
IKE_SA (unnamed)[4] state change:<br>
> >>>>>> CONNECTING => DESTROYING<br>
> >>>>>
_______________________________________________<br>
> >>>>> Users mailing list<br>
> >>>>> <a class="moz-txt-link-abbreviated" href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
> >>>>>
<a class="moz-txt-link-freetext" href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a><br>
><br>
</span><br>
<br>
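A sanity check worth running on the server certificate and its .p12 export before importing anything into the Mac keychain, written as an added example (not code from the thread or from strongSwan): it verifies the chain, compares the certificate subject with the ipsec.conf leftid, checks the DNS SAN and serverAuth flag, and counts keys and certificates in a PKCS#12 bundle. The CA and server certificate are throwaway ones generated in a temp directory with openssl as a stand-in for the thread's ipsec pki output; the DNs and leftid values are the ones quoted in the thread, and only the openssl CLI is assumed.<br>

```shell
#!/bin/sh
# Added example, not code from the thread: sanity checks for a strongSwan
# server certificate against its CA and the ipsec.conf leftid, plus a look
# at what a .p12 export actually contains. Needs only the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway PKI (constructed here, not the poster's keys) mirroring the DNs
# and flags from the thread's "ipsec pki" steps: serverAuth and
# ikeIntermediate (1.3.6.1.5.5.8.2.2) on the server cert, DNS SAN set.
cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_srv ]
basicConstraints = CA:FALSE
subjectAltName = DNS:vpn.example.com
extendedKeyUsage = serverAuth,1.3.6.1.5.5.8.2.2
EOF
openssl req -x509 -config "$WORK/pki.cnf" -extensions v3_ca -days 3650 \
  -newkey rsa:2048 -nodes -sha256 -subj "/C=US/O=ThatsUs/CN=strongSwan Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
  -subj "/C=US/O=ThatsUs/CN=vpn.example.com" \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 730 -sha256 -extfile "$WORK/pki.cnf" -extensions v3_srv \
  -out "$WORK/srv.pem" 2>/dev/null
# Two exports like the thread's: certificate only (-nokeys) and a full identity.
openssl pkcs12 -export -in "$WORK/srv.pem" -nokeys -passout pass:test \
  -out "$WORK/cert-only.p12" 2>/dev/null
openssl pkcs12 -export -inkey "$WORK/srv.key" -in "$WORK/srv.pem" \
  -certfile "$WORK/ca.pem" -passout pass:test -out "$WORK/identity.p12" 2>/dev/null

# Normalise a DN to "C=US,O=ThatsUs,CN=vpn.example.com" whatever the OpenSSL
# version printed ("/C=US/O=..." on old builds, "C = US, O = ..." on new ones).
# Values containing "/" or "," are not handled; fine for DNs like the thread's.
norm_dn() {
  printf '%s\n' "$1" | sed -e 's/^subject= *//' -e 's#^/##' -e 's#/#,#g' \
                           -e 's/ *= */=/g' -e 's/ *, */,/g'
}
cert_subject() { norm_dn "$(openssl x509 -noout -subject -in "$1")"; }

# check_server_cert CERT CA LEFTID HOST: prints one problem per line and
# returns 1 if the cert would not work as leftcert with that leftid, else 0.
check_server_cert() {
  cert=$1; ca=$2; leftid=$3; host=$4; rc=0
  # chain: the peer only trusts the cert if it chains to a CA it has imported
  if ! openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
    echo "chain: $cert does not verify against $ca"; rc=1
  fi
  # identity: leftid must be the DN the cert was issued with, field for field
  have=$(cert_subject "$cert"); want=$(norm_dn "$leftid")
  if [ "$have" != "$want" ]; then
    echo "leftid: cert subject is [$have] but leftid is [$want]"; rc=1
  fi
  txt=$(openssl x509 -noout -text -in "$cert")
  case "$txt" in *"DNS:$host"*) ;; *) echo "san: no DNS SAN for $host"; rc=1 ;; esac
  case "$txt" in *"TLS Web Server Authentication"*) ;;
                 *) echo "eku: serverAuth flag missing"; rc=1 ;; esac
  return $rc
}

# p12_summary BUNDLE PASSWORD: prints "keys=N certs=N". A bundle with keys=0
# (like the thread's -nokeys exports) carries no identity, only certificates.
p12_summary() {
  dump=$(openssl pkcs12 -in "$1" -nodes -passin "pass:$2" 2>/dev/null)
  k=$(printf '%s\n' "$dump" | grep -c 'BEGIN .*PRIVATE KEY' || true)
  c=$(printf '%s\n' "$dump" | grep -c 'BEGIN CERTIFICATE' || true)
  echo "keys=$k certs=$c"
}

# Demo: the leftid quoted in the thread's ipsec.conf says O=strongSwan while
# the server cert was issued with O=ThatsUs, so the second call reports it.
check_server_cert "$WORK/srv.pem" "$WORK/ca.pem" \
  "C=US, O=ThatsUs, CN=vpn.example.com" vpn.example.com && echo "config DN: ok"
check_server_cert "$WORK/srv.pem" "$WORK/ca.pem" \
  "C=US, O=strongSwan, CN=vpn.example.com" vpn.example.com || true
p12_summary "$WORK/cert-only.p12" test
p12_summary "$WORK/identity.p12" test
```

Point the two functions at the real cacerts/strongswanCert.pem, certs/vpnHostCert.pem and exports/*.p12 files to check a live setup; every reported line is something the peer will reject or the keychain will not turn into a selectable identity.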
<br>
</body>
</html>