<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Back in 2014 when Yosemite came out, I wrote an almost identical e-mail to this one, and now it’s history repeating.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">After several years (and several OS upgrades) the OS X widget again reports “No common traffic selectors found” when attempting to start up my strongSwan VPN.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">In 2014, Martin W. created a version of the app that “included a short delay before calling getifaddrs() on the RTM_IFINFO event” to give the kernel a slightly longer chance to get the new tunnel address ready
before getifaddrs tried to enumerate it. That was a practical workaround in the absence of better support from the kernel, but it’s a workaround that seems to no longer be working (around?).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">In looking at the OS X page on the strongSwan wiki, I notice a new homebrew version of strongSwan is available, and it can be built “with Suite B support (does not use the IPsec implementation provided by
the kernel)”. Should I take the plunge into trying to get the config files right for my road warrior machine and abandon the widget? Can others confirm or deny problems with High Sierra and the widget?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Thanks in advance for any advice/help. The log file from a connection attempt is provided below.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">-Dan<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">initiating IKE_SA VPC VPN[2] to x.x.x.x<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">sending packet: from 192.168.0.5[55919] to x.x.x.x [4500] (1124 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">received packet: from x.x.x.x [4500] to 192.168.0.5[55919] (38 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">peer didn't accept DH group MODP_2048, it requested MODP_1024<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">initiating IKE_SA VPC VPN[2] to x.x.x.x<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">sending packet: from 192.168.0.5[55919] to x.x.x.x[4500] (996 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">received packet: from x.x.x.x[4500] to 192.168.0.5[55919] (312 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">local host is behind NAT, sending keep alives<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">remote host is behind NAT<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">establishing CHILD_SA VPC VPN<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">sending packet: from 192.168.0.5[49633] to x.x.x.x[4500] (380 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">received packet: from x.x.x.x[4500] to 192.168.0.5[49633] (1196 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">received end entity cert "C=CH, O=Coname, CN=vpn.myco.com"<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> using certificate "C=CH, O=Coname, CN=vpn.myco.com"<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> using trusted ca certificate "C=CH, O=Coname, CN=Coname MN"<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> reached self-signed root ca with a path length of 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">authentication of 'vpn.myco.com' with RSA signature successful<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">server requested EAP_IDENTITY (id 0x00), sending 'myname'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">generating IKE_AUTH request 2 [ EAP/RES/ID ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">sending packet: from 192.168.0.5[49633] to x.x.x.x[4500] (76 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">received packet: from x.x.x.x[4500] to 192.168.0.5[49633] (108 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">server requested EAP_MSCHAPV2 authentication (id 0x33)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">sending packet: from 192.168.0.5[49633] to x.x.x.x[4500] (140 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">received packet: from x.x.x.x[4500] to 192.168.0.5[49633] (140 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">sending packet: from 192.168.0.5[49633] to x.x.x.x[4500] (76 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">received packet: from x.x.x.x[4500] to 192.168.0.5[49633] (76 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">parsed IKE_AUTH response 4 [ EAP/SUCC ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">EAP method EAP_MSCHAPV2 succeeded, MSK established<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">authentication of 'myname' (myself) with EAP<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">generating IKE_AUTH request 5 [ AUTH ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">sending packet: from 192.168.0.5[49633] to x.x.x.x[4500] (92 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">received packet: from x.x.x.x[4500] to 192.168.0.5[49633] (252 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">authentication of 'vpn.myco.com' with EAP successful<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">IKE_SA VPC VPN[2] established between 192.168.0.5[myname]...x.x.x.x[vpn.myco.com]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">scheduling rekeying in 35578s<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">maximum IKE_SA lifetime 36178s<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">installing 192.168.100.5 as DNS server<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">installing new virtual IP 10.100.255.4<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">created TUN device: utun4<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">virtual IP 10.100.255.4 did not appear on utun4<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">installing virtual IP 10.100.255.4 failed<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">no acceptable traffic selectors found<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">closing IKE_SA due CHILD_SA setup failure<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">peer supports MOBIKE<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">sending DELETE for ESP CHILD_SA with SPI 1f89bd98<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">generating INFORMATIONAL request 6 [ D ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">sending packet: from 192.168.0.5[49633] to x.x.x.x[4500] (76 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">received packet: from x.x.x.x[4500] to 192.168.0.5[49633] (76 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">parsed INFORMATIONAL response 6 [ D ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">deleting IKE_SA VPC VPN[2] between 192.168.0.5[myname]...x.x.x.x[vpn.myco.com]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">sending DELETE for IKE_SA VPC VPN[2]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">generating INFORMATIONAL request 7 [ D ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">sending packet: from 192.168.0.5[49633] to x.x.x.x[4500] (76 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">received packet: from x.x.x.x[4500] to 192.168.0.5[49633] (76 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">parsed INFORMATIONAL response 7 [ ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">IKE_SA deleted<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
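<p class="MsoNormal"><span style="font-size:11.0pt">The race described in the message (getifaddrs() enumerating the utun device before the kernel has attached the virtual IP) can be checked with a bounded poll instead of a single fixed delay. This is an added example, not strongSwan's code and not part of the original e-mail; the function names vip_present and wait_for_vip, the retry count and the delay are assumptions, while utun4 and 10.100.255.4 come from the log.<o:p></o:p></span></p>

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* 1 if IPv4 address `ip` is assigned to interface `ifname` in `list`, else 0. */
int vip_present(const struct ifaddrs *list, const char *ifname, const char *ip)
{
    struct in_addr want;
    if (inet_pton(AF_INET, ip, &want) != 1)
        return 0;
    for (const struct ifaddrs *ifa = list; ifa; ifa = ifa->ifa_next) {
        if (!ifa->ifa_addr || ifa->ifa_addr->sa_family != AF_INET ||
            strcmp(ifa->ifa_name, ifname) != 0)
            continue;   /* ifa_addr can be NULL for address-less interfaces */
        if (((const struct sockaddr_in *)ifa->ifa_addr)->sin_addr.s_addr == want.s_addr)
            return 1;
    }
    return 0;
}

/* Poll getifaddrs() up to `tries` times, `delay_ms` apart. Returns the poll on
 * which the address was seen (1..tries), 0 if never, -1 if getifaddrs() failed. */
int wait_for_vip(const char *ifname, const char *ip, int tries, int delay_ms)
{
    struct timespec ts = { .tv_sec = delay_ms / 1000,
                           .tv_nsec = (delay_ms % 1000) * 1000000L };
    for (int i = 1; i <= tries; i++) {
        struct ifaddrs *list = NULL;
        if (getifaddrs(&list) != 0)
            return -1;
        int found = vip_present(list, ifname, ip);
        freeifaddrs(list);
        if (found)
            return i;
        if (i < tries)
            nanosleep(&ts, NULL);
    }
    return 0;
}

int main(void)
{
    int n = wait_for_vip("utun4", "10.100.255.4", 5, 100);
    printf("utun4 10.100.255.4: %s (result %d)\n", n > 0 ? "present" : "absent", n);
    return n > 0 ? 0 : 1;
}
```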
</div>
</body>
</html>