<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Uh, this looks new and bad.... My Android phone, which has worked
forever, suddenly stopped when I updated the kernel on my gateway
box, and this appears to be related to the reason:</p>
<p>.....</p>
<p>Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] received cert request
for "C=US, ST=F<br>
lorida, L=Niceville, O=Cuda Systems LLC, OU=Cuda Systems CA,
CN=Cuda Systems LLC<br>
2017 CA"<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] received cert request
for "C=US, ST=F<br>
lorida, O=Cuda Systems LLC, OU=Cuda Systems CA, CN=Cuda Systems
LLC 2017 Int CA"<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] received 129 cert
requests for an unk<br>
nown ca<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] received end entity
cert "C=US, ST=Te<br>
nnessee, CN=Karl Denninger"<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] looking for peer
configs matching 97.<br>
81.26.48[%any]...172.58.146.200[C=US, ST=Tennessee, CN=Karl
Denninger]<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] selected peer config
'WinUserCert'<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] using certificate
"C=US, ST=Tenness<br>
ee, CN=Karl Denninger"<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] using trusted
intermediate ca certi<br>
ficate "C=US, ST=Florida, O=Cuda Systems LLC, OU=Cuda Systems CA,
CN=Cuda System<br>
s LLC 2017 Int CA"<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] checking certificate
status of "C=US,<br>
ST=Tennessee, CN=Karl Denninger"<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] ocsp response
correctly signed by "<br>
C=US, ST=Florida, O=Cuda Systems LLC, CN=ocsp.cudasystems.net,
E=info@cudasystem<br>
s.net"<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] ocsp response is
stale: since Oct 1<br>
0 11:27:09 2022<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] requesting ocsp
status from 'http:/<br>
/ocsp.cudasystems.net:8888' ...<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] ocsp response
correctly signed by "<br>
C=US, ST=Florida, O=Cuda Systems LLC, CN=ocsp.cudasystems.net,
E=info@cudasystem<br>
s.net"<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[LIB] certificate from Oct
10 11:28:36 20<br>
22 is newer - existing certificate from Oct 10 11:26:39 2022
replaced<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] ocsp response is
valid: until Oct 1<br>
0 11:29:06 2022<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] certificate status is
good<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] using trusted ca
certificate "C=US,<br>
ST=Florida, L=Niceville, O=Cuda Systems LLC, OU=Cuda Systems CA,
CN=Cuda System<br>
s LLC 2017 CA"<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] checking certificate
status of "C=US,<br>
ST=Florida, O=Cuda Systems LLC, OU=Cuda Systems CA, CN=Cuda
Systems LLC 2017 In<br>
t CA"<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] ocsp response
correctly signed by "<br>
C=US, ST=Florida, O=Cuda Systems LLC, CN=ocsp.cudasystems.net,
E=info@cudasystem<br>
s.net"<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] ocsp response
contains no status on<br>
our certificate<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] ocsp response
correctly signed by "<br>
C=US, ST=Florida, O=Cuda Systems LLC, CN=ocsp.cudasystems.net,
E=info@cudasystem<br>
s.net"<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] ocsp response
contains no status on<br>
our certificate<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] certificate status is
not available<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] reached self-signed
root ca with a<br>
path length of 1<br>
<b>Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] authentication of
'C=US, ST=Tennessee</b><b><br>
</b><b>, CN=Karl Denninger' with RSA_EMSA_PKCS1_SHA2_384
successful</b><br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] constraint check
failed: EAP identity<br>
'%any' required<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] selected peer config
'WinUserCert' un<br>
acceptable: non-matching authentication done<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] switching to peer
config 'StrongSwan'<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTE<br>
D, not using ESPv3 TFC padding<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] peer supports MOBIKE<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] authentication of
'ipgw.denninger.net<br>
' (myself) with ECDSA_WITH_SHA384_DER successful<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] IKE_SA StrongSwan[4]
established betw<br>
een 97.81.26.48[ipgw.denninger.net]...172.58.146.200[C=US,
ST=Tennessee, CN=Karl<br>
Denninger]<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] scheduling
reauthentication in 9977s<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] maximum IKE_SA lifetime
10517s<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] sending end entity cert
"C=US, ST=Flo<br>
rida, O=Cuda Systems LLC, CN=ipgw.denninger.net"<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] peer requested virtual
IP %any<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] reassigning offline
lease to 'C=US, S<br>
T=Tennessee, CN=Karl Denninger'<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] assigning virtual IP
192.168.2.1 to p<br>
eer 'C=US, ST=Tennessee, CN=Karl Denninger'<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] peer requested virtual
IP %any6<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] no virtual IP found for
%any6 request<br>
ed by 'C=US, ST=Tennessee, CN=Karl Denninger'<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] selected proposal:
ESP:AES_CBC_128/HM<br>
AC_SHA2_256_128/NO_EXT_SEQ<br>
<b>Oct 10 11:28:36 IpGw charon[1586]: 01[KNL] unable to add SAD
entry with SPI c1be</b><b><br>
</b><b>56e1: Invalid argument (22)</b><b><br>
</b><b>Oct 10 11:28:36 IpGw charon[1586]: 01[KNL] unable to add
SAD entry with SPI 9526</b><b><br>
</b><b>f1c1: Invalid argument (22)</b><br>
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] unable to install
inbound and outboun<br>
d IPsec SA (SAD) in kernel<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] failed to establish
CHILD_SA, keeping<br>
IKE_SA<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[KNL] deleting policy
192.168.2.1/32 === 0.<br>
0.0.0/0 in failed, not found<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[KNL] unable to delete SAD
entry with SPI c<br>
1be56e1: No such process (3)<br>
Oct 10 11:28:36 IpGw charon[1586]: 01[KNL] unable to delete SAD
entry with SPI 9<br>
526f1c1: No such process (3)<br>
</p>
<p>......</p>
<p>The client on the Android phone says it cannot validate the user,
but the above looks like it DID validate it on the server side but
did not add the encryption entries for the client into the kernel,
and that's why its failing. I am running GENERIC on the gateway
as the docs say that's now ok; I used to run a custom kernel for
other reasons (mostly PPS which I don't use anymore as I no longer
have a local NTP clock) and the only material difference I can see
is that the 12.2-STABLE custom kernel has the "enc" driver
included in it ("device enc") while GENERIC does not.</p>
<div class="moz-signature">-- <br>
Karl Denninger<br>
<a href="mailto:karl@denninger.net" class="moz-txt-link-freetext">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email preferred]</i></font></div>
</body>
</html>