<div dir="ltr">







<p class="gmail-p1"><span class="gmail-s1">Hi,</span></p>
<p class="gmail-p1"><span class="gmail-s1">I’m trying to establish a VPN link using X.509 certificates on an Ubuntu client talking to an Ubuntu strongSwan server. Both ends are using version 5.5.3 and are running on Ubuntu 16.04.02.</span></p>
<p class="gmail-p1"><span class="gmail-s1">I’m also trying to use the attr-sql module to assign an IP address from a managed IP pool, and have built a MySQL DB and created the appropriate tables.</span></p>
<p class="gmail-p1"><span class="gmail-s1">Although I’ve got this working, I’m having problems with (I assume) the attr-sql module.</span></p>
<p class="gmail-p2">When configured to use eap-radius with a userid and password everything works just fine.</p>
<p class="gmail-p1"><span class="gmail-s1">Client end is using:</span></p>
<pre>
conn UoY-ikev2
        left=%defaultroute
        leftcert=sumvision@yorkacuk.cer
        leftid="CN=sumvision@york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB"
        leftsourceip=%config
        leftfirewall=yes
        right=144.32.128.199
        rightid="CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB"
        rightsubnet=0.0.0.0/0
        auto=add
</pre>
<p class="gmail-p1"><span class="gmail-s1">The server end ...</span></p>
<pre>
conn it-services-ikev2
  left=%any
  leftauth=pubkey
  leftcert=vpn10yorkacuk.pem
  leftid="CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB"
  leftsendcert=always
  leftsubnet=0.0.0.0/0,::/0
  leftupdown=/etc/strongswan.d/no_rules
  right=%any
  rightauth=eap-radius
  rightsendcert=never
  rightgroups="Cserv"
  eap_identity=%any
  keyexchange=ikev2
  rightsourceip=%itservices
  fragmentation=yes
  auto=add
</pre>
<p class="gmail-p1"><span class="gmail-s1">Where the IP address is pulled from a MySQL-managed IP address pool.</span></p>
<p class="gmail-p1"><span class="gmail-s1">The first time I try it everything works and I’m assigned an IP address. I can then shut down the connection.</span></p>
<p class="gmail-p1"><span class="gmail-s1">=== Start of log on client ===</span></p>
<pre>
authentication of 'CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB' with RSA_EMSA_PKCS1_SHA2_256 successful
IKE_SA UoY-ikev2[3] established between 144.32.231.214[CN=sumvision@york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB]...144.32.128.199[CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB]
installing DNS server 144.32.128.243 via resolvconf
installing DNS server 144.32.128.242 via resolvconf
installing new virtual IP 172.18.64.8
CHILD_SA UoY-ikev2{4} established with SPIs cef147fe_i c43ac4c3_o and TS 172.18.64.8/32 === 0.0.0.0/0
peer supports MOBIKE
connection 'UoY-ikev2' established successfully
root@sumvision:/usr/local/etc# ipsec down UoY-ikev2
deleting IKE_SA UoY-ikev2[3] between 144.32.231.214[CN=sumvision@york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB]...144.32.128.199[CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB]
sending DELETE for IKE_SA UoY-ikev2[3]
generating INFORMATIONAL request 2 [ D ]
</pre>
<p class="gmail-p1"><span class="gmail-s1">=== End of log on client ===</span></p>
<p class="gmail-p1"><span class="gmail-s1">If I then try another connect, on the client I get:</span></p>
<p class="gmail-p1"><span class="gmail-s1">=== Start of log on client ===</span></p>
<pre>
ocsp response correctly signed by "CN=University of York Root CA 2, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB, E=netops@york.ac.uk"
  certificate from Jun 28 13:48:23 2017 is newer - existing certificate from Jun 28 13:17:07 2017 replaced
  ocsp response is valid: until Jun 29 13:53:23 2017
  using cached ocsp response
certificate status is good
  reached self-signed root ca with a path length of 1
authentication of 'CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB' with RSA_EMSA_PKCS1_SHA2_256 successful
IKE_SA UoY-ikev2[4] established between 144.32.231.214[CN=sumvision@york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB]...144.32.128.199[CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB]
received INTERNAL_ADDRESS_FAILURE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'UoY-ikev2' failed
</pre>
<p class="gmail-p1"><span class="gmail-s1">=== End of log on client ===</span></p>
<p class="gmail-p1"><span class="gmail-s1">Looking at the VPN server end I can see</span></p>
<p class="gmail-p1"><span class="gmail-s1">=== Start of log on server ===</span></p>
<pre>
Jun 29 13:49:12 06[CFG] &lt;x509-certs-ikev2|1&gt; certificate status is good
Jun 29 13:49:12 06[CFG] &lt;x509-certs-ikev2|1&gt;   reached self-signed root ca with a path length of 1
Jun 29 13:49:12 06[IKE] &lt;x509-certs-ikev2|1&gt; authentication of 'CN=sumvision@york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB' with RSA_EMSA_PKCS1_SHA2_256 successful
Jun 29 13:49:12 06[IKE] &lt;x509-certs-ikev2|1&gt; peer supports MOBIKE
Jun 29 13:49:12 06[IKE] &lt;x509-certs-ikev2|1&gt; authentication of 'CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Jun 29 13:49:12 06[IKE] &lt;x509-certs-ikev2|1&gt; IKE_SA x509-certs-ikev2[1] established between 144.32.128.199[CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB]...144.32.231.214[CN=sumvision@york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB]
Jun 29 13:49:12 06[IKE] &lt;x509-certs-ikev2|1&gt; sending end entity cert "CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB"
Jun 29 13:49:12 06[IKE] &lt;x509-certs-ikev2|1&gt; peer requested virtual IP %any
Jun 29 13:49:12 06[LIB] &lt;x509-certs-ikev2|1&gt; executing MySQL statement failed: Duplicate entry '9-0\x81\x881\x1D0\x1B\x06\x03U\x04\x03\x0C\x14sumvision@york.ac.' for key 'type'
Jun 29 13:49:12 06[IKE] &lt;x509-certs-ikev2|1&gt; no virtual IP found for %any requested by 'CN=sumvision@york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB'
</pre>
<p class="gmail-p1"><span class="gmail-s1">=== End of log on server ===</span></p>
<p class="gmail-p1"><span class="gmail-s1">Looking in the MySQL database I can see an entry in table "identities":</span></p>
<p class="gmail-p1"><span class="gmail-s1">type = 9, data = ... sumvision ...</span></p>
<p class="gmail-p1"><span class="gmail-s1">If I delete this entry and try again, the connection still fails. If I delete this entry and restart the VPN server, I get connected and have an IP address assigned successfully.</span></p>
<p class="gmail-p1"><span class="gmail-s1">Is there something wrong with my config, or in strongSwan 5.5.3?</span></p>
<p class="gmail-p1"><span class="gmail-s1">Rgds</span></p>
<p class="gmail-p1"><span class="gmail-s1">Alex</span></p></div>
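<p class="gmail-p1">An added worked example, not part of Alex's mail and not strongSwan's own code. The server log shows attr-sql inserting an identity of type 9 (strongSwan's ID_DER_ASN1_DN) whose data is the DER encoding of the client DN, and MySQL shortens the key value it prints in a duplicate-entry message, so the bytes in the log are only the start of the stored value. The Python below rebuilds the DER DN from the DN given in the client config, checks that it begins with the bytes from the log, and reads the DER length header to get the full size of the identity. That size is the number to compare against the width of the <code>data</code> column in the <code>identities</code> table (check it with <code>SHOW CREATE TABLE identities</code>): a column narrower than the identity, on a MySQL server not running in strict mode, would store a truncated value, which would make a later lookup by the full value miss and the following insert collide. That is a hypothesis to check, not something the mail confirms. The attribute order and string tags used by the encoder are assumptions taken from the log bytes and the DN text.</p>

```python
# Added example (not from the original mail, not strongSwan code): cross-check the
# identity bytes attr-sql tried to insert against the DN shown in the client config.
# strongSwan stores a DN identity as type 9 (ID_DER_ASN1_DN) with DER data.
from typing import Dict, List, Tuple

# X.501 attribute-type OIDs for the attributes used in the DN from the mail.
OIDS = {"CN": "2.5.4.3", "O": "2.5.4.10", "OU": "2.5.4.11",
        "L": "2.5.4.7", "ST": "2.5.4.8", "C": "2.5.4.6"}
UTF8STRING, PRINTABLESTRING, OID, SEQUENCE, SET = 0x0C, 0x13, 0x06, 0x30, 0x31
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789 '()+,-./:=?")


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID (e.g. 2.5.4.3 -> 06 03 55 04 03)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def encode_dn(rdns: List[Tuple[str, str]]) -> bytes:
    """Encode the RDNs in the given order (assumed to match the certificate).
    A value outside the PrintableString alphabet (the '@' in the CN) is written
    as UTF8String, which matches the 0x0C tag visible in the log fragment."""
    parts = []
    for attr, value in rdns:
        tag = PRINTABLESTRING if set(value) <= PRINTABLE else UTF8STRING
        atv = tlv(SEQUENCE, encode_oid(OIDS[attr]) + tlv(tag, value.encode()))
        parts.append(tlv(SET, atv))
    return tlv(SEQUENCE, b"".join(parts))


def parse_tlv(buf: bytes, off: int = 0) -> Tuple[int, int, int]:
    """Return (tag, content_length, header_length) of the TLV at buf[off:]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        return tag, first, 2
    n = first & 0x7F
    return tag, int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n


def full_der_length(fragment: bytes) -> int:
    """Total size of the DER object whose (possibly cut-off) start is `fragment`."""
    _, length, header = parse_tlv(fragment)
    return header + length


# The bytes after "9-" in the MySQL error from the server log, transcribed from
# the mail. MySQL shortens the key value in this message, so the fragment ends
# inside the CN value.
LOG_FRAGMENT = (b"\x30\x81\x88\x31\x1d\x30\x1b\x06\x03\x55\x04\x03\x0c\x14"
                b"sumvision@york.ac.")

# The client DN exactly as written in leftid in the mail.
CLIENT_DN = [("CN", "sumvision@york.ac.uk"), ("O", "University of York"),
             ("OU", "IT Services"), ("L", "York"),
             ("ST", "North Yorkshire"), ("C", "GB")]


def check_against_log() -> Dict[str, object]:
    """Compare the rebuilt DN with the log fragment and its length header."""
    encoded = encode_dn(CLIENT_DN)
    return {
        "bytes_needed": len(encoded),
        "header_says": full_der_length(LOG_FRAGMENT),
        "prefix_matches_log": encoded.startswith(LOG_FRAGMENT),
    }


def fits_column(width: int) -> bool:
    """Would a `data` column of `width` bytes hold the whole identity?
    Compare `width` with what SHOW CREATE TABLE identities reports (assumed check)."""
    return len(encode_dn(CLIENT_DN)) <= width


if __name__ == "__main__":
    print(check_against_log())
    print("fits in a 64-byte column:", fits_column(64))
```

The rebuilt DN starts with exactly the bytes MySQL printed, and both the encoder and the length header in the fragment agree on the total size, so the value attr-sql writes for this client is a good deal larger than the CN alone. If the column turns out to be wide enough, the truncation hypothesis is ruled out and the next place to look is why the identity row is re-created instead of found.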