<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>So I found a "Greenbow" VPN client that claims to support IKEv2
fragmentation, and after discovering that unless you set up DH
groups first (when it tries the default and gets bounced it then
SHUTS OFF the IkeV2 frag enabled bit!) I am now getting hosed
here:</p>
<p><tt>Jul 19 13:56:53 IpGw charon: 05[NET] received packet: from
172.56.21.33[43505] to 68.1.57.197[500] (672 bytes)</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[ENC] parsed IKE_SA_INIT
request 0 [ SA No N(NATD_S_IP) N(NATD_D_IP) KE N(FRAG_SUP) ]</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[IKE] 172.56.21.33 is
initiating an IKE_SA</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[IKE] remote host is
behind NAT</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[IKE] sending cert request
for "C=US, ST=Florida, L=Niceville, O=Cuda Systems LLC, CN=Cuda
Systems LLC CA, E=Cuda Systems LLC CA"</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[ENC] generating
IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[NET] sending packet: from
68.1.57.197[500] to 172.56.21.33[43505] (601 bytes)</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[NET] received packet:
from 172.56.21.33[53004] to 68.1.57.197[4500] (1188 bytes)</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[ENC] parsed IKE_AUTH
request 1 [ EF(2/2) ]</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[ENC] received fragment #2
of 2, waiting for complete IKE message</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[NET] received packet:
from 172.56.21.33[53004] to 68.1.57.197[4500] (1444 bytes)</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[ENC] parsed IKE_AUTH
request 1 [ EF(1/2) ]</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[ENC] received fragment #1
of 2, reassembling fragmented IKE message</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[ENC] parsed IKE_AUTH
request 1 [ IDi CERT CERTREQ AUTH CPRQ(ADDR) SA TSi TSr
N(INIT_CONTACT) N(ESP_TFC_PAD_N) ]</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[IKE] received cert
request for "C=US, ST=Florida, L=Niceville, O=Cuda Systems LLC,
CN=Cuda Systems LLC CA, E=Cuda Systems LLC CA"</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[IKE] received end entity
cert "C=US, ST=Florida, O=Cuda Systems LLC,
<a class="moz-txt-link-abbreviated" href="mailto:CN=karl@denninger.net">CN=karl@denninger.net</a>"</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[CFG] looking for peer
configs matching 68.1.57.197[%any]...172.56.21.33[C=US,
ST=Florida, O=Cuda Systems LLC, <a class="moz-txt-link-abbreviated" href="mailto:CN=karl@denninger.net">CN=karl@denninger.net</a>]</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[CFG] selected peer config
'StrongSwan'</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[CFG] using certificate
"C=US, ST=Florida, O=Cuda Systems LLC, <a class="moz-txt-link-abbreviated" href="mailto:CN=karl@denninger.net">CN=karl@denninger.net</a>"</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[CFG] no issuer
certificate found for "C=US, ST=Florida, O=Cuda Systems LLC,
<a class="moz-txt-link-abbreviated" href="mailto:CN=karl@denninger.net">CN=karl@denninger.net</a>"</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[IKE] no trusted RSA
public key found for 'C=US, ST=Florida, O=Cuda Systems LLC,
<a class="moz-txt-link-abbreviated" href="mailto:CN=karl@denninger.net">CN=karl@denninger.net</a>'</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[ENC] generating IKE_AUTH
response 1 [ N(AUTH_FAILED) ]</tt><tt><br>
</tt><tt>Jul 19 13:56:53 IpGw charon: 05[NET] sending packet: from
68.1.57.197[4500] to 172.56.21.33[53004] (80 bytes)</tt><br>
</p>
<p>What the blankety-blank? That implies there's no CA that issued
the cert presented by the client -- but there is, and yes, it's on
the client too (and the "view certificate" option from the client
shows the correct path back to the CA, and that the certificate is
ok)</p>
<p>The ipsec.conf config for this connection is:</p>
<p>conn StrongSwan<br>
fragmentation=yes<br>
left=%any<br>
leftsubnet=0.0.0.0/0<br>
leftcert=ipgw-ecdsa.denninger.net.crt<br>
leftid=ipgw.denninger.net<br>
leftauth=pubkey<br>
right=%any<br>
rightsourceip=192.168.2.0/24<br>
rightauth=pubkey<br>
auto=add<br>
<br>
</p>
<p>The *same* certificate on my Android phone with the *same* peer
config works (in other words yes, the CA cert IS present on the
server)</p>
<p><tt>Jul 19 14:05:44 IpGw charon: 14[NET] received packet: from
208.54.70.231[28852] to 68.1.57.197[500] (746 bytes)<br>
Jul 19 14:05:44 IpGw charon: 14[ENC] parsed IKE_SA_INIT request
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG)
N(REDIR_SUP) ]<br>
Jul 19 14:05:44 IpGw charon: 14[IKE] 208.54.70.231 is initiating
an IKE_SA<br>
Jul 19 14:05:44 IpGw charon: 14[IKE] remote host is behind NAT<br>
Jul 19 14:05:44 IpGw charon: 14[IKE] DH group ECP_256
inacceptable, requesting CURVE_25519<br>
Jul 19 14:05:44 IpGw charon: 14[ENC] generating IKE_SA_INIT
response 0 [ N(INVAL_KE) ]<br>
Jul 19 14:05:44 IpGw charon: 14[NET] sending packet: from
68.1.57.197[500] to 208.54.70.231[28852] (38 bytes)<br>
Jul 19 14:05:44 IpGw charon: 14[NET] received packet: from
208.54.70.231[28852] to 68.1.57.197[500] (714 bytes)<br>
Jul 19 14:05:44 IpGw charon: 14[ENC] parsed IKE_SA_INIT request
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG)
N(REDIR_SUP) ]<br>
Jul 19 14:05:44 IpGw charon: 14[IKE] 208.54.70.231 is initiating
an IKE_SA<br>
Jul 19 14:05:44 IpGw charon: 14[IKE] remote host is behind NAT<br>
Jul 19 14:05:44 IpGw charon: 14[IKE] sending cert request for
"C=US, ST=Florida, L=Niceville, O=Cuda Systems LLC, CN=Cuda
Systems LLC CA, E=Cuda Systems LLC CA"<br>
Jul 19 14:05:44 IpGw charon: 14[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ
N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]<br>
Jul 19 14:05:44 IpGw charon: 14[NET] sending packet: from
68.1.57.197[500] to 208.54.70.231[28852] (267 bytes)<br>
Jul 19 14:05:45 IpGw charon: 14[NET] received packet: from
208.54.70.231[43987] to 68.1.57.197[4500] (1364 bytes)<br>
Jul 19 14:05:45 IpGw charon: 14[ENC] parsed IKE_AUTH request 1 [
EF(1/3) ]<br>
Jul 19 14:05:45 IpGw charon: 14[ENC] received fragment #1 of 3,
waiting for complete IKE message<br>
Jul 19 14:05:45 IpGw charon: 12[NET] received packet: from
208.54.70.231[43987] to 68.1.57.197[4500] (244 bytes)<br>
Jul 19 14:05:45 IpGw charon: 12[ENC] parsed IKE_AUTH request 1 [
EF(3/3) ]<br>
Jul 19 14:05:45 IpGw charon: 12[ENC] received fragment #3 of 3,
waiting for complete IKE message<br>
Jul 19 14:05:45 IpGw charon: 13[NET] received packet: from
208.54.70.231[43987] to 68.1.57.197[4500] (1364 bytes)<br>
Jul 19 14:05:45 IpGw charon: 13[ENC] parsed IKE_AUTH request 1 [
EF(2/3) ]<br>
Jul 19 14:05:45 IpGw charon: 13[ENC] received fragment #2 of 3,
reassembling fragmented IKE message<br>
Jul 19 14:05:45 IpGw charon: 13[ENC] parsed IKE_AUTH request 1 [
IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR ADDR6 DNS
DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR)
N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]<br>
Jul 19 14:05:45 IpGw charon: 13[IKE] received cert request for
"C=US, ST=Florida, L=Niceville, O=Cuda Systems LLC, CN=Cuda
Systems LLC CA, E=Cuda Systems LLC CA"<br>
Jul 19 14:05:45 IpGw charon: 13[IKE] received end entity cert
"C=US, ST=Florida, O=Cuda Systems LLC, <a class="moz-txt-link-abbreviated" href="mailto:CN=karl@denninger.net">CN=karl@denninger.net</a>"<br>
Jul 19 14:05:45 IpGw charon: 13[CFG] looking for peer configs
matching 68.1.57.197[ipgw.denninger.net]...208.54.70.231[C=US,
ST=Florida, O=Cuda Systems LLC, <a class="moz-txt-link-abbreviated" href="mailto:CN=karl@denninger.net">CN=karl@denninger.net</a>]<br>
Jul 19 14:05:45 IpGw charon: 13[CFG] selected peer config
'StrongSwan'<br>
Jul 19 14:05:45 IpGw charon: 13[CFG] using certificate "C=US,
ST=Florida, O=Cuda Systems LLC, <a class="moz-txt-link-abbreviated" href="mailto:CN=karl@denninger.net">CN=karl@denninger.net</a>"<br>
Jul 19 14:05:45 IpGw charon: 13[CFG] using trusted ca
certificate "C=US, ST=Florida, L=Niceville, O=Cuda Systems LLC,
CN=Cuda Systems LLC CA, E=Cuda Systems LLC CA"<br>
Jul 19 14:05:45 IpGw charon: 13[CFG] checking certificate status
of "C=US, ST=Florida, O=Cuda Systems LLC, <a class="moz-txt-link-abbreviated" href="mailto:CN=karl@denninger.net">CN=karl@denninger.net</a>"<br>
Jul 19 14:05:45 IpGw charon: 13[CFG] requesting ocsp status
from '<a class="moz-txt-link-freetext" href="http://cudasystems.net:8888">http://cudasystems.net:8888</a>' ...<br>
Jul 19 14:05:45 IpGw charon: 13[CFG] ocsp response correctly
signed by "C=US, ST=Florida, O=Cuda Systems LLC,
CN=ocsp.cudasystems.net, <a class="moz-txt-link-abbreviated" href="mailto:E=info@cudasystems.net">E=info@cudasystems.net</a>"<br>
Jul 19 14:05:45 IpGw charon: 13[CFG] ocsp response is valid:
until Jul 19 14:06:15 2017<br>
Jul 19 14:05:45 IpGw charon: 13[CFG] certificate status is good<br>
Jul 19 14:05:45 IpGw charon: 13[CFG] reached self-signed root
ca with a path length of 0<br>
Jul 19 14:05:45 IpGw charon: 13[IKE] authentication of 'C=US,
ST=Florida, O=Cuda Systems LLC, <a class="moz-txt-link-abbreviated" href="mailto:CN=karl@denninger.net">CN=karl@denninger.net</a>' with
RSA_EMSA_PKCS1_SHA2_384 successful<br>
Jul 19 14:05:45 IpGw charon: 13[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding<br>
Jul 19 14:05:45 IpGw charon: 13[IKE] peer supports MOBIKE<br>
Jul 19 14:05:45 IpGw charon: 13[IKE] authentication of
'ipgw.denninger.net' (myself) with ECDSA_WITH_SHA512_DER
successful<br>
Jul 19 14:05:45 IpGw charon: 13[IKE] IKE_SA StrongSwan[3]
established between
68.1.57.197[ipgw.denninger.net]...208.54.70.231[C=US,
ST=Florida, O=Cuda Systems LLC, <a class="moz-txt-link-abbreviated" href="mailto:CN=karl@denninger.net">CN=karl@denninger.net</a>]<br>
Jul 19 14:05:45 IpGw charon: 13[IKE] scheduling reauthentication
in 10200s<br>
Jul 19 14:05:45 IpGw charon: 13[IKE] maximum IKE_SA lifetime
10740s<br>
Jul 19 14:05:45 IpGw charon: 13[IKE] sending end entity cert
"C=US, ST=Florida, O=Cuda Systems LLC,
CN=ipgw-ecdsa.denninger.net"<br>
Jul 19 14:05:45 IpGw charon: 13[IKE] peer requested virtual IP
%any<br>
Jul 19 14:05:45 IpGw charon: 13[CFG] assigning new lease to
'C=US, ST=Florida, O=Cuda Systems LLC, <a class="moz-txt-link-abbreviated" href="mailto:CN=karl@denninger.net">CN=karl@denninger.net</a>'<br>
Jul 19 14:05:45 IpGw charon: 13[IKE] assigning virtual IP
192.168.2.1 to peer 'C=US, ST=Florida, O=Cuda Systems LLC,
<a class="moz-txt-link-abbreviated" href="mailto:CN=karl@denninger.net">CN=karl@denninger.net</a>'<br>
Jul 19 14:05:45 IpGw charon: 13[IKE] peer requested virtual IP
%any6<br>
Jul 19 14:05:45 IpGw charon: 13[IKE] no virtual IP found for
%any6 requested by 'C=US, ST=Florida, O=Cuda Systems LLC,
<a class="moz-txt-link-abbreviated" href="mailto:CN=karl@denninger.net">CN=karl@denninger.net</a>'<br>
Jul 19 14:05:45 IpGw charon: 13[IKE] CHILD_SA StrongSwan{1}
established with SPIs cf732136_i 0b63ec42_o and TS 0.0.0.0/0 ===
192.168.2.1/32<br>
Jul 19 14:05:45 IpGw charon: 13[ENC] generating IKE_AUTH
response 1 [ IDr CERT AUTH CPRP(ADDR DNS NBNS) N(ESP_TFC_PAD_N)
SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR)
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]<br>
Jul 19 14:05:45 IpGw charon: 13[ENC] splitting IKE message with
length of 1792 bytes into 2 fragments<br>
Jul 19 14:05:45 IpGw charon: 13[ENC] generating IKE_AUTH
response 1 [ EF(1/2) ]<br>
Jul 19 14:05:45 IpGw charon: 13[ENC] generating IKE_AUTH
response 1 [ EF(2/2) ]<br>
Jul 19 14:05:45 IpGw charon: 13[NET] sending packet: from
68.1.57.197[4500] to 208.54.70.231[43987] (1236 bytes)<br>
Jul 19 14:05:45 IpGw charon: 13[NET] sending packet: from
68.1.57.197[4500] to 208.54.70.231[43987] (628 bytes)<br>
Jul 19 14:05:46 IpGw charon: 13[NET] received packet: from
208.54.70.231[43987] to 68.1.57.197[4500] (80 bytes)<br>
Jul 19 14:05:46 IpGw charon: 13[ENC] parsed INFORMATIONAL
request 2 [ N(NO_ADD_ADDR) ]<br>
Jul 19 14:05:46 IpGw charon: 13[ENC] generating INFORMATIONAL
response 2 [ ]<br>
Jul 19 14:05:46 IpGw charon: 13[NET] sending packet: from
68.1.57.197[4500] to 208.54.70.231[43987] (80 bytes)<br>
Jul 19 14:05:53 IpGw charon: 13[NET] received packet: from
208.54.70.231[43987] to 68.1.57.197[4500] (80 bytes)<br>
Jul 19 14:05:53 IpGw charon: 13[ENC] parsed INFORMATIONAL
request 3 [ D ]<br>
Jul 19 14:05:53 IpGw charon: 13[IKE] received DELETE for IKE_SA
StrongSwan[3]<br>
Jul 19 14:05:53 IpGw charon: 13[IKE] deleting IKE_SA
StrongSwan[3] between
68.1.57.197[ipgw.denninger.net]...208.54.70.231[C=US,
ST=Florida, O=Cuda Systems LLC, <a class="moz-txt-link-abbreviated" href="mailto:CN=karl@denninger.net">CN=karl@denninger.net</a>]<br>
Jul 19 14:05:53 IpGw charon: 13[IKE] IKE_SA deleted<br>
Jul 19 14:05:53 IpGw charon: 13[ENC] generating INFORMATIONAL
response 3 [ ]<br>
Jul 19 14:05:53 IpGw charon: 13[NET] sending packet: from
68.1.57.197[4500] to 208.54.70.231[43987] (80 bytes)<br>
Jul 19 14:05:53 IpGw charon: 13[CFG] lease 192.168.2.1 by 'C=US,
ST=Florida, O=Cuda Systems LLC, <a class="moz-txt-link-abbreviated" href="mailto:CN=karl@denninger.net">CN=karl@denninger.net</a>' went
offline</tt></p>
<p>One interesting difference between the two -- if I uncomment the
"WinUserCert" stanza in the config file it will try to match that,
even though I do not have it set up to use EAP-TLS, but fails with
the exact same message. I<i> suspect </i>it would switch to the
"StrongSwan" config once it validated the presented cert (since I
don't ask for EAP-TLS) but it never gets that far.<br>
</p>
<p>Any idea how to chase this and figure out why it doesn't like the
cert? I *think* I can get this client to work (and thus solve my
no-frag problem) if I can figure out why it doesn't like my
presented certificate.... I'll wind up having to buy the client
piece but that's acceptable -- if it works :-)</p>
<div class="moz-signature">-- <br>
Karl Denninger<br>
<a href="mailto:karl@denninger.net">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email preferred]</i></font>
</div>
</body>
</html>