[strongSwan] Newbie question on setting up VPN server for mobile devices
Ashwin Rao
ashwin.shirvanthe at gmail.com
Sat Jun 30 03:38:01 CEST 2012
Hi,
I am trying to set up a VPN connection with mobile clients using
authby=xauthrsasig. The log messages on the server show that the
authentication was successful, but the client shows that negotiation
with the VPN server failed. I am providing the entire output seen when
running the command ipsec start --nofork --debug-all for the state
of my server. To summarize, I am presenting a subset of the log
messages which I found useful in understanding the state of the
system. This set of log messages shows that the connection was
established. This was verified by running ipsec statusall, which showed
"""000 #1: "rw"[1] sss.sss.202.73 STATE_XAUTH_R3 (received XAUTH ack, established); EVENT_SA_REPLACE in 3326s; newest ISAKMP"""
Summary of log messages is as follows:
"rw"[1] sss.sss.202.73 #1: responding to Main Mode from unknown peer
sss.sss.202.73
"rw"[1] sss.sss.202.73 #1: NAT-Traversal: Result using RFC 3947: no NAT detected
"rw"[1] sss.sss.202.73 #1: Peer ID is ID_DER_ASN1_DN: 'C=US,
O=snowmane, CN=client'
"rw"[1] sss.sss.202.73 #1: we have a cert and are sending it upon request
"rw"[1] sss.sss.202.73 #1: sent MR3, ISAKMP SA established
"rw"[1] sss.sss.202.73 #1: sending XAUTH request
"rw"[1] sss.sss.202.73 #1: parsing XAUTH reply
| processing XAUTH_USER_NAME attribute
| processing XAUTH_USER_PASSWORD attribute
"rw"[1] sss.sss.202.73 #1: extended authentication was successful
"rw"[1] sss.sss.202.73 #1: sending XAUTH status
"rw"[1] sss.sss.202.73 #1: parsing XAUTH ack
| processing XAUTH_STATUS attribute
"rw"[1] sss.sss.202.73 #1: received XAUTH ack, established
"rw"[1] sss.sss.202.73 #1: received ModeCfg message when in state
STATE_XAUTH_R3, and we aren't mode config client
"rw"[1] sss.sss.202.73 #1: received ModeCfg message when in state
STATE_XAUTH_R3, and we aren't mode config client
"rw"[1] sss.sss.202.73 #1: received Delete SA payload: deleting ISAKMP State #1
"rw"[1] sss.sss.202.73: deleting connection "rw" instance with peer
sss.sss.202.73 {isakmp=#0/ipsec=#0}
| certs and keys locked by 'delete_connection'
| certs and keys unlocked by 'delete_connection'
| unref key: 0x83b490 0x8371e0 cnt 2 'C=US, O=snowmane, CN=client'
I would like to know where I am going wrong. The ipsec.conf file is
available at the head of the output, which is as follows. The logs show
that there is no problem with my certificates; however, I could not set
up the tunnel.
Thanks and Regards,
Ashwin
The log messages are as follows.
Starting strongSwan 4.6.4 IPsec [starter]...
| Default route found: iface=eth1, addr=ccc.ccc.4.186, nexthop=ccc.ccc.4.100
| Loading config setup
| plutodebug=controlmore dns emitting klips lifecycle natt
| nat_traversal=yes
| plutostart=yes
| Loading conn 'rw'
| auto=add
| authby=xauthrsasig
| xauth=server
| keyexchange=ikev1
| left=%defaultroute
| right=%any
| leftcert=serverCert.pem
| leftfirewall=yes
| leftid=@snowmane.mydomain.edu
| rightcert=clientCert.pem
| rightid=C=US, O=snowmane, CN=client
| leftsubnet=0.0.0.0/32
| rightsubnet=0.0.0.0/32
| Found netkey IPsec stack
listening on interfaces:
eth1
ccc.ccc.4.186
fe80::221:9bff:fe06:2ddb
| Attempting to start pluto...
starter_start_pluto entered
Pluto initialized
Starting IKEv1 pluto daemon (strongSwan 4.6.4) THREADS VENDORID
listening on interfaces:
eth1
ccc.ccc.4.186
fe80::221:9bff:fe06:2ddb
loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp
dnskey pem openssl gcrypt gmp hmac xauth attr kernel-netlink resolve
including NAT-Traversal patch (Version 0.6c)
| finish_pfkey_msg: SADB_REGISTER message 1 for AH
| 02 07 00 02 02 00 00 00 01 00 00 00 f0 6a 00 00
| pfkey_get: SADB_REGISTER message 1
| AH registered with kernel.
| finish_pfkey_msg: SADB_REGISTER message 2 for ESP
| 02 07 00 03 02 00 00 00 02 00 00 00 f0 6a 00 00
| pfkey_get: SADB_REGISTER message 2
| alg_init(): memset(0x67dfc0, 0, 2024) memset(0x67d7c0, 0, 2032)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=22
sadb_supported_len=72
| kernel_alg_add(): satype=3, exttype=14, alg_id=251
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[0], exttype=14,
satype=3, alg_id=251, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0
| kernel_alg_add(): satype=3, exttype=14, alg_id=2
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[1], exttype=14,
satype=3, alg_id=2, alg_ivlen=0, alg_minbits=128, alg_maxbits=128,
res=0
| kernel_alg_add(): satype=3, exttype=14, alg_id=3
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[2], exttype=14,
satype=3, alg_id=3, alg_ivlen=0, alg_minbits=160, alg_maxbits=160,
res=0
| kernel_alg_add(): satype=3, exttype=14, alg_id=5
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[3], exttype=14,
satype=3, alg_id=5, alg_ivlen=0, alg_minbits=256, alg_maxbits=256,
res=0
| kernel_alg_add(): satype=3, exttype=14, alg_id=252
| kernel_alg_add(): satype=3, exttype=14, alg_id=6
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[4], exttype=14,
satype=3, alg_id=6, alg_ivlen=0, alg_minbits=384, alg_maxbits=384,
res=0
| kernel_alg_add(): satype=3, exttype=14, alg_id=7
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[5], exttype=14,
satype=3, alg_id=7, alg_ivlen=0, alg_minbits=512, alg_maxbits=512,
res=0
| kernel_alg_add(): satype=3, exttype=14, alg_id=8
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[6], exttype=14,
satype=3, alg_id=8, alg_ivlen=0, alg_minbits=160, alg_maxbits=160,
res=0
| kernel_alg_add(): satype=3, exttype=14, alg_id=9
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[7], exttype=14,
satype=3, alg_id=9, alg_ivlen=0, alg_minbits=128, alg_maxbits=128,
res=0
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=22
sadb_supported_len=88
| kernel_alg_add(): satype=3, exttype=15, alg_id=11
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[8], exttype=15,
satype=3, alg_id=11, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0
| kernel_alg_add(): satype=3, exttype=15, alg_id=2
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[9], exttype=15,
satype=3, alg_id=2, alg_ivlen=8, alg_minbits=64, alg_maxbits=64, res=0
| kernel_alg_add(): satype=3, exttype=15, alg_id=3
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[10], exttype=15,
satype=3, alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192,
res=0
| kernel_alg_add(): satype=3, exttype=15, alg_id=6
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[11], exttype=15,
satype=3, alg_id=6, alg_ivlen=8, alg_minbits=40, alg_maxbits=128,
res=0
| kernel_alg_add(): satype=3, exttype=15, alg_id=7
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[12], exttype=15,
satype=3, alg_id=7, alg_ivlen=8, alg_minbits=40, alg_maxbits=448,
res=0
| kernel_alg_add(): satype=3, exttype=15, alg_id=12
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[13], exttype=15,
satype=3, alg_id=12, alg_ivlen=8, alg_minbits=128, alg_maxbits=256,
res=0
| kernel_alg_add(): satype=3, exttype=15, alg_id=14
| kernel_alg_add(): satype=3, exttype=15, alg_id=15
| kernel_alg_add(): satype=3, exttype=15, alg_id=16
| kernel_alg_add(): satype=3, exttype=15, alg_id=18
| kernel_alg_add(): satype=3, exttype=15, alg_id=19
| kernel_alg_add(): satype=3, exttype=15, alg_id=20
| kernel_alg_add(): satype=3, exttype=15, alg_id=23
| kernel_alg_add(): satype=3, exttype=15, alg_id=252
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[14], exttype=15,
satype=3, alg_id=252, alg_ivlen=8, alg_minbits=128, alg_maxbits=256,
res=0
| kernel_alg_add(): satype=3, exttype=15, alg_id=22
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[15], exttype=15,
satype=3, alg_id=22, alg_ivlen=8, alg_minbits=128, alg_maxbits=256,
res=0
| kernel_alg_add(): satype=3, exttype=15, alg_id=253
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[16], exttype=15,
satype=3, alg_id=253, alg_ivlen=8, alg_minbits=128, alg_maxbits=256,
res=0
| kernel_alg_add(): satype=3, exttype=15, alg_id=13
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[17], exttype=15,
satype=3, alg_id=13, alg_ivlen=8, alg_minbits=160, alg_maxbits=288,
res=0
| ESP registered with kernel.
| finish_pfkey_msg: SADB_REGISTER message 3 for IPCOMP
| 02 07 00 09 02 00 00 00 03 00 00 00 f0 6a 00 00
pluto (27376) started after 20 ms
| Attempting to start charon...
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.4)
| pfkey_get: SADB_REGISTER message 3
| IPCOMP registered with kernel.
00[KNL] listening on interfaces:
00[KNL] eth1
00[KNL] ccc.ccc.4.186
00[KNL] fe80::221:9bff:fe06:2ddb
00[CFG] loading ca certificates from '/home/arao/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=US, O=snowmane, CN=snowmane CA"
from '/home/arao/etc/ipsec.d/cacerts/caCert.pem'
00[CFG] loading aa certificates from '/home/arao/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/home/arao/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/home/arao/etc/ipsec.d/acerts'
00[CFG] loading crls from '/home/arao/etc/ipsec.d/crls'
00[CFG] loading secrets from '/home/arao/etc/ipsec.secrets'
00[CFG] loaded RSA private key from
'/home/arao/etc/ipsec.d/private/serverKey.pem'
00[CFG] loaded EAP secret for test
loading ca certificates from '/home/arao/etc/ipsec.d/cacerts'
loaded ca certificate from '/home/arao/etc/ipsec.d/cacerts/caCert.pem'
| authcert list locked by 'add_authcert'
| authcert list unlocked by 'add_authcert'
loading aa certificates from '/home/arao/etc/ipsec.d/aacerts'
loading ocsp certificates from '/home/arao/etc/ipsec.d/ocspcerts'
Changing to directory '/home/arao/etc/ipsec.d/crls'
loading attribute certificates from '/home/arao/etc/ipsec.d/acerts'
spawning 4 worker threads
00[CFG] loaded 0 RADIUS server configurations
00[DMN] loaded plugins: aes des sha1 sha2 md4 md5 random x509
revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gcrypt
fips-prf gmp agent xcbc cmac hmac attr kernel-netlink resolve
socket-default socket-raw socket-dynamic stroke updown eap-identity
eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-radius
00[JOB] spawning 16 worker threads
listening for IKE messages
charon (27397) started after 20 ms
adding interface eth1/eth1 ccc.ccc.4.186:500
adding interface eth1/eth1 ccc.ccc.4.186:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
| certs and keys locked by 'free_preshared_secrets'
| certs and keys unlocked by 'free_preshard_secrets'
13[CFG] received stroke: add connection 'rw'
loading secrets from "/home/arao/etc/ipsec.secrets"
13[CFG] loaded certificate "C=US, O=snowmane,
CN=snowmane.mydomain.edu" from 'serverCert.pem'
13[CFG] loaded certificate "C=US, O=snowmane, CN=client" from 'clientCert.pem'
13[CFG] added configuration 'rw'
loaded private key from 'serverKey.pem'
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secrets'
loaded XAUTH secret for test
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secrets'
loaded host certificate from '/home/arao/etc/ipsec.d/certs/serverCert.pem'
| ref key: 0x833090 0x8309a0 cnt 0 'C=US, O=snowmane,
CN=snowmane.mydomain.edu'
| ref key: 0x832cd0 0x8309a0 cnt 0 'snowmane.mydomain.edu'
| certs and keys locked by 'cert_add'
| certs and keys unlocked by 'cert_add'
loaded host certificate from '/home/arao/etc/ipsec.d/certs/clientCert.pem'
| ref key: 0x831620 0x834350 cnt 0 'C=US, O=snowmane, CN=client'
| certs and keys locked by 'cert_add'
| certs and keys unlocked by 'cert_add'
added connection description "rw"
packet from sss.sss.202.73:500: received Vendor ID payload [RFC 3947]
packet from sss.sss.202.73:500: ignoring Vendor ID payload
[4df37928e9fc4fd1b3262170d515c662]
packet from sss.sss.202.73:500: ignoring Vendor ID payload
[8f8d83826d246b6fc7a8a6a428c11de8]
packet from sss.sss.202.73:500: ignoring Vendor ID payload
[439b59f8ba676c4c7737ae22eab8f582]
packet from sss.sss.202.73:500: ignoring Vendor ID payload
[4d1e0e136deafa34c4f3ea9f02ec7285]
packet from sss.sss.202.73:500: ignoring Vendor ID payload
[80d0bb3def54565ee84645d4c85ce3ee]
packet from sss.sss.202.73:500: ignoring Vendor ID payload
[9909b64eed937c6573de52ace952fa6b]
packet from sss.sss.202.73:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03]
packet from sss.sss.202.73:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02]
packet from sss.sss.202.73:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n]
packet from sss.sss.202.73:500: received Vendor ID payload [XAUTH]
packet from sss.sss.202.73:500: ignoring Vendor ID payload [Cisco-Unity]
packet from sss.sss.202.73:500: received Vendor ID payload [Dead Peer Detection]
"rw"[1] sss.sss.202.73 #1: responding to Main Mode from unknown peer
sss.sss.202.73
| **emit ISAKMP Message:
| initiator cookie:
| c3 30 92 47 94 f0 21 9e
| responder cookie:
| b7 cd 5c ee c9 6e a8 d0
| next payload type: ISAKMP_NEXT_SA
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| ***emit ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_VID
| DOI: ISAKMP_DOI_IPSEC
| ****emit IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| ****emit ISAKMP Proposal Payload:
| next payload type: ISAKMP_NEXT_NONE
| proposal number: 1
| protocol ID: PROTO_ISAKMP
| SPI size: 0
| number of transforms: 1
| *****emit ISAKMP Transform Payload (ISAKMP):
| next payload type: ISAKMP_NEXT_NONE
| transform number: 1
| transform ID: KEY_IKE
| emitting 28 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP)
| attributes 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 0e 01 00
| 80 03 fd ed 80 02 00 02 80 04 00 05
| emitting length of ISAKMP Transform Payload (ISAKMP): 36
| emitting length of ISAKMP Proposal Payload: 44
| emitting length of ISAKMP Security Association Payload: 56
| out_vendorid(): sending [strongSwan]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 88 2f e5 6d 6f d2 0d bc 22 51 61 3b 2e be 5b eb
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [XAUTH]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 8 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 09 00 26 89 df d6 b7 12
| emitting length of ISAKMP Vendor ID Payload: 12
| out_vendorid(): sending [Dead Peer Detection]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [RFC 3947]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
| emitting length of ISAKMP Vendor ID Payload: 20
| emitting length of ISAKMP Message: 156
| **emit ISAKMP Message:
| initiator cookie:
| c3 30 92 47 94 f0 21 9e
| responder cookie:
| b7 cd 5c ee c9 6e a8 d0
| next payload type: ISAKMP_NEXT_KE
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| _natd_hash: icookie=
| c3 30 92 47 94 f0 21 9e
| _natd_hash: rcookie=
| b7 cd 5c ee c9 6e a8 d0
| _natd_hash: ip= 80 d0 04 ba
| _natd_hash: port=62465
| _natd_hash: hash= a4 6e 89 9d 63 b7 55 c9 26 44 27 33 01 57 ac ec
| 89 f0 e4 04
| _natd_hash: icookie=
| c3 30 92 47 94 f0 21 9e
| _natd_hash: rcookie=
| b7 cd 5c ee c9 6e a8 d0
| _natd_hash: ip= ad fa ca 49
| _natd_hash: port=62465
| _natd_hash: hash= 5f b8 b5 d8 e0 c1 52 ba ad 83 34 e5 d3 3d 55 9f
| cb df c3 cf
"rw"[1] sss.sss.202.73 #1: NAT-Traversal: Result using RFC 3947: no NAT detected
| ***emit ISAKMP Key Exchange Payload:
| next payload type: ISAKMP_NEXT_NONCE
| emitting 192 raw bytes of keyex value into ISAKMP Key Exchange Payload
| keyex value a8 f0 ea a8 fe 2f e7 4b 17 59 b1 04 fa 46 86 5c
| ba af 69 19 55 60 22 6a 8b 00 1d 82 0a 69 6b 6f
| 39 fe 77 92 2b ac 4a de 37 01 5d 4e 55 1c f8 49
| 8f 24 ea b5 da b2 4f 7e 1d ed 8a 12 f7 f4 71 84
| 1f a9 7b 7f 6f 81 98 d9 eb 5d 43 20 81 c4 82 0a
| e2 d9 d1 6c 60 0f a1 f3 0b ba 94 d3 68 68 db 30
| 69 07 0f c8 b9 df 37 ef 7c 52 54 02 af 3c a3 a5
| f0 80 8e 46 20 d0 fd ed db 84 be d1 a9 f4 b2 d5
| 95 fc af 10 81 f1 b6 2a ce 0c 08 b1 f7 5e 63 fd
| 3a 69 4b ce d0 60 35 d3 9f c4 99 57 9f 64 be f2
| 3b f0 dd be 37 7a e7 3b 46 1f 37 cf 75 36 b6 94
| d1 d6 34 1a 5f c7 13 d0 08 0a 22 71 76 b6 78 be
| emitting length of ISAKMP Key Exchange Payload: 196
| ***emit ISAKMP Nonce Payload:
| next payload type: ISAKMP_NEXT_CR
| emitting 16 raw bytes of Nr into ISAKMP Nonce Payload
| Nr 0a ac e2 94 64 cf a8 3d 3e ed ab 8d 24 aa 49 d3
| emitting length of ISAKMP Nonce Payload: 20
| ***emit ISAKMP Certificate RequestPayload:
| next payload type: ISAKMP_NEXT_NAT-D
| cert type: CERT_X509_SIGNATURE
| emitting 56 raw bytes of CA into ISAKMP Certificate RequestPayload
| CA 30 36 31 0b 30 09 06 03 55 04 06 13 02 55 53 31
| 11 30 0f 06 03 55 04 0a 13 08 73 6e 6f 77 6d 61
| 6e 65 31 14 30 12 06 03 55 04 03 13 0b 73 6e 6f
| 77 6d 61 6e 65 20 43 41
| emitting length of ISAKMP Certificate RequestPayload: 61
| sending NATD payloads
| _natd_hash: icookie=
| c3 30 92 47 94 f0 21 9e
| _natd_hash: rcookie=
| b7 cd 5c ee c9 6e a8 d0
| _natd_hash: ip= ad fa ca 49
| _natd_hash: port=62465
| _natd_hash: hash= 5f b8 b5 d8 e0 c1 52 ba ad 83 34 e5 d3 3d 55 9f
| cb df c3 cf
| ***emit ISAKMP NAT-D Payload:
| next payload type: ISAKMP_NEXT_NAT-D
| emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload
| NAT-D 5f b8 b5 d8 e0 c1 52 ba ad 83 34 e5 d3 3d 55 9f
| cb df c3 cf
| emitting length of ISAKMP NAT-D Payload: 24
| _natd_hash: icookie=
| c3 30 92 47 94 f0 21 9e
| _natd_hash: rcookie=
| b7 cd 5c ee c9 6e a8 d0
| _natd_hash: ip= 80 d0 04 ba
| _natd_hash: port=62465
| _natd_hash: hash= a4 6e 89 9d 63 b7 55 c9 26 44 27 33 01 57 ac ec
| 89 f0 e4 04
| ***emit ISAKMP NAT-D Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload
| NAT-D a4 6e 89 9d 63 b7 55 c9 26 44 27 33 01 57 ac ec
| 89 f0 e4 04
| emitting length of ISAKMP NAT-D Payload: 24
| emitting 3 zero bytes of message padding into ISAKMP Message
| emitting length of ISAKMP Message: 356
"rw"[1] sss.sss.202.73 #1: ignoring informational payload, type
IPSEC_INITIAL_CONTACT
"rw"[1] sss.sss.202.73 #1: Peer ID is ID_DER_ASN1_DN: 'C=US,
O=snowmane, CN=client'
| authcert list locked by 'verify_x509cert'
| authcert list unlocked by 'verify_x509cert'
| crl list locked by 'verify_by_crl'
| crl list unlocked by 'verify_by_crl'
"rw"[1] sss.sss.202.73 #1: crl not found
"rw"[1] sss.sss.202.73 #1: certificate status unknown
| authcert list locked by 'verify_x509cert'
| authcert list unlocked by 'verify_x509cert'
| unref key: 0x831620 0x834350 cnt 1 'C=US, O=snowmane, CN=client'
| ref key: 0x83b490 0x8371e0 cnt 0 'C=US, O=snowmane, CN=client'
| ref key: 0x83b490 0x8371e0 cnt 1 'C=US, O=snowmane, CN=client'
| **emit ISAKMP Message:
| initiator cookie:
| c3 30 92 47 94 f0 21 9e
| responder cookie:
| b7 cd 5c ee c9 6e a8 d0
| next payload type: ISAKMP_NEXT_ID
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_IDPROT
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 00 00 00 00
| ***emit ISAKMP Identification Payload (IPsec DOI):
| next payload type: ISAKMP_NEXT_CERT
| ID type: ID_FQDN
| Protocol ID: 0
| port: 0
| emitting 26 raw bytes of my identity into ISAKMP Identification
Payload (IPsec DOI)
| my identity 73 6e 6f 77 6d 61 6e 65 2e 63 73 2e 77 61 73 68
| 69 6e 67 74 6f 6e 2e 65 64 75
| emitting length of ISAKMP Identification Payload (IPsec DOI): 34
"rw"[1] sss.sss.202.73 #1: we have a cert and are sending it upon request
| ***emit ISAKMP Certificate Payload:
| next payload type: ISAKMP_NEXT_SIG
| cert encoding: CERT_X509_SIGNATURE
| emitting 875 raw bytes of CERT into ISAKMP Certificate Payload
| CERT 30 82 03 67 30 82 02 4f a0 03 02 01 02 02 09 00
| be d4 c2 4f 49 92 64 7d 30 0d 06 09 2a 86 48 86
| f7 0d 01 01 05 05 00 30 36 31 0b 30 09 06 03 55
| 04 06 13 02 55 53 31 11 30 0f 06 03 55 04 0a 13
| 08 73 6e 6f 77 6d 61 6e 65 31 14 30 12 06 03 55
| 04 03 13 0b 73 6e 6f 77 6d 61 6e 65 20 43 41 30
| 1e 17 0d 31 32 30 36 32 37 31 38 30 38 34 33 5a
| 17 0d 31 35 30 36 32 37 31 38 30 38 34 33 5a 30
| 45 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 11
| 30 0f 06 03 55 04 0a 13 08 73 6e 6f 77 6d 61 6e
| 65 31 23 30 21 06 03 55 04 03 13 1a 73 6e 6f 77
| 6d 61 6e 65 2e 63 73 2e 77 61 73 68 69 6e 67 74
| 6f 6e 2e 65 64 75 30 82 01 22 30 0d 06 09 2a 86
| 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82
| 01 0a 02 82 01 01 00 d7 d4 bd 31 05 0a b4 c7 5c
| ac af dd dc 05 09 99 06 0e 25 ec a8 05 22 b1 d6
| 53 ba 37 2d 2e 20 ba c4 d1 62 be b2 96 9c f3 56
| c5 30 62 3e a5 e2 5c ac 20 d5 e2 0b 41 2c 2f 08
| 8d 55 fe 05 95 60 9b 6b ce 58 03 9b d8 54 48 b9
| 72 85 78 aa 85 73 f3 ef 0a 14 0e 28 ad 9c c1 bd
| 5b 05 f4 28 26 51 12 5a 78 cb 94 39 d1 eb b6 94
| bb c4 ba 25 cf 93 ed ef 7c f2 7f 2b 79 1f c9 83
| 76 b5 33 98 47 44 f9 d4 99 8d 8c aa 08 ff 34 fe
| 45 59 62 b0 cd 79 b5 6d 44 45 04 62 2c a2 da 72
| 09 d5 28 0c 7d 88 10 62 70 e5 3d 41 28 42 49 a0
| 47 7d ae fe ec cc cd 9e 2f ed 7f a2 0c c9 17 05
| 35 b8 c7 48 18 50 fa 17 e6 0f 7d 52 7d 82 34 b0
| bc c2 a8 b3 9d 07 c7 35 8c e6 8b 7a 5d 0c b7 c1
| 63 af 57 e8 9e 7a 2f d7 9f 62 9c 1a 5f 2e 8e 24
| 5a 9b 17 3c 23 8c 00 e8 05 0a 63 1c df 69 7b d1
| bc 4e 4e e1 bf e4 ff 02 03 01 00 01 a3 69 30 67
| 30 1f 06 03 55 1d 23 04 18 30 16 80 14 57 ce 24
| 36 27 e0 e6 e9 ab 4c cc 78 a7 72 63 1e 4f 86 5e
| d7 30 25 06 03 55 1d 11 04 1e 30 1c 82 1a 73 6e
| 6f 77 6d 61 6e 65 2e 63 73 2e 77 61 73 68 69 6e
| 67 74 6f 6e 2e 65 64 75 30 1d 06 03 55 1d 25 04
| 16 30 14 06 08 2b 06 01 05 05 07 03 01 06 08 2b
| 06 01 05 05 08 02 02 30 0d 06 09 2a 86 48 86 f7
| 0d 01 01 05 05 00 03 82 01 01 00 20 6d 1b ac aa
| b3 98 8f 8e 54 0d 7c f6 49 a5 4c 23 89 73 0b a0
| 76 dc 4a b8 40 4e 9b 19 f7 a4 57 1a cc ce dd 22
| 75 7e 80 98 45 33 72 9f ac 30 6d 08 dc 40 84 a4
| 07 68 a5 ac 0a 5b 0b 46 0b 3a af 4e 31 43 c1 3f
| 1c 7c a8 12 d6 d2 e4 73 17 01 2f 74 d1 dd 2d a1
| 6e 2a ca b8 20 cd 32 8f 0a 45 f3 6e 4a 8f 69 6b
| df 7c 75 5d c4 6b f4 1b 00 34 f1 76 d9 75 ab c8
| b9 18 d9 94 c0 c4 1c a8 56 02 9f ea 91 9b 6d 55
| 68 ae 75 5c a4 10 55 a6 36 a2 09 e3 0e 59 69 d4
| 8b 71 32 66 3e 7b 40 a0 5b 48 4d 3a 2b 7e 9b 5e
| 66 22 8d 48 be a7 5b f6 f1 99 db c8 37 d3 d8 53
| 3d 63 e2 f0 57 2a b4 02 1d 8c 4e 78 92 b2 5b 69
| ae d4 43 66 a2 85 0a be 08 85 da 70 88 f4 a8 4d
| 10 98 e6 26 b4 c7 49 87 54 e7 75 71 7a b2 d9 f4
| 93 d2 eb 91 24 04 e8 c3 c9 91 6a c4 c2 83 67 49
| 41 94 e2 63 75 dc 2c e5 16 2f d5
| emitting length of ISAKMP Certificate Payload: 880
| ***emit ISAKMP Signature Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 256 raw bytes of SIG_R into ISAKMP Signature Payload
| SIG_R 3f 1e bb 11 99 26 54 b7 34 d4 09 c8 c5 eb 17 a0
| 3c 03 3f 0f 41 41 9a e9 05 f7 f3 6d c5 9d 4e da
| c3 87 63 78 e6 42 02 93 47 53 85 e0 c8 8b 0a e9
| 1a 2d f5 1c 51 12 d4 30 90 ba 2a 20 56 49 99 72
| 67 8d 43 d8 e1 11 4b 1e 3b 29 4b 0f 24 e3 27 61
| 20 ad 22 60 e1 5f 88 99 07 9d e3 83 4b c8 4d 71
| 57 e9 51 41 fc 2d e6 88 bf 64 a4 92 1d 2b 06 b4
| ca 9c 7c d3 c1 d4 d5 32 c0 a5 ae 61 46 02 e0 8d
| 70 10 7c 60 cc f7 83 ea d0 52 01 bd 16 3c 8e 15
| 91 6f 2e 2e d2 f6 7b 1b 50 35 b2 4d 72 c1 bd 1a
| 12 7e 88 60 57 cd a4 8d 47 09 b7 86 57 dc dc ea
| de 30 16 48 cf 98 d6 4b 7c 07 f0 ea 4a 76 49 82
| 46 3f 50 ce da 95 07 81 66 cf 0b 97 79 0d 1b 92
| ce f6 d3 ee e3 dc 61 1e c1 3e c1 e5 eb 02 13 12
| fe cd 4f 97 04 cb 91 b2 4c 5d c0 0f c7 9d fa cf
| 06 4e c0 a2 fb 16 24 9a ae d8 63 85 bf aa 67 f4
| emitting length of ISAKMP Signature Payload: 260
| emitting 10 zero bytes of encryption padding into ISAKMP Message
| emitting length of ISAKMP Message: 1212
"rw"[1] sss.sss.202.73 #1: sent MR3, ISAKMP SA established
"rw"[1] sss.sss.202.73 #1: sending XAUTH request
| **emit ISAKMP Message:
| initiator cookie:
| c3 30 92 47 94 f0 21 9e
| responder cookie:
| b7 cd 5c ee c9 6e a8 d0
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_MODE_CFG
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 4c 92 ad 0b
| ***emit ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_MODECFG
| emitting 20 zero bytes of HASH into ISAKMP Hash Payload
| emitting length of ISAKMP Hash Payload: 24
| ***emit ISAKMP Mode Attribute:
| next payload type: ISAKMP_NEXT_NONE
| Attr Msg Type: ISAKMP_CFG_REQUEST
| Identifier: 0
| building XAUTH_USER_NAME attribute
| ****emit ISAKMP ModeCfg attribute:
| ModeCfg attr type: XAUTH_USER_NAME
| emitting 0 raw bytes of XAUTH_USER_NAME into ISAKMP ModeCfg attribute
| XAUTH_USER_NAME
| emitting length of ISAKMP ModeCfg attribute: 0
| building XAUTH_USER_PASSWORD attribute
| ****emit ISAKMP ModeCfg attribute:
| ModeCfg attr type: XAUTH_USER_PASSWORD
| emitting 0 raw bytes of XAUTH_USER_PASSWORD into ISAKMP ModeCfg attribute
| XAUTH_USER_PASSWORD
| emitting length of ISAKMP ModeCfg attribute: 0
| emitting length of ISAKMP Mode Attribute: 16
| emitting length of ISAKMP Message: 68
| emitting 8 zero bytes of encryption padding into ISAKMP Message
| emitting length of ISAKMP Message: 76
| **emit ISAKMP Message:
| initiator cookie:
| c3 30 92 47 94 f0 21 9e
| responder cookie:
| b7 cd 5c ee c9 6e a8 d0
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_MODE_CFG
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 4c 92 ad 0b
"rw"[1] sss.sss.202.73 #1: parsing XAUTH reply
| processing XAUTH_USER_NAME attribute
| processing XAUTH_USER_PASSWORD attribute
"rw"[1] sss.sss.202.73 #1: extended authentication was successful
"rw"[1] sss.sss.202.73 #1: sending XAUTH status
| **emit ISAKMP Message:
| initiator cookie:
| c3 30 92 47 94 f0 21 9e
| responder cookie:
| b7 cd 5c ee c9 6e a8 d0
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_MODE_CFG
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: fd 17 ed 94
| ***emit ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_MODECFG
| emitting 20 zero bytes of HASH into ISAKMP Hash Payload
| emitting length of ISAKMP Hash Payload: 24
| ***emit ISAKMP Mode Attribute:
| next payload type: ISAKMP_NEXT_NONE
| Attr Msg Type: ISAKMP_CFG_SET
| Identifier: 0
| building XAUTH_STATUS attribute
| ****emit ISAKMP ModeCfg attribute:
| ModeCfg attr type: XAUTH_STATUS
| length/value: 1
| emitting length of ISAKMP Mode Attribute: 12
| emitting length of ISAKMP Message: 64
| emitting 12 zero bytes of encryption padding into ISAKMP Message
| emitting length of ISAKMP Message: 76
"rw"[1] sss.sss.202.73 #1: parsing XAUTH ack
| processing XAUTH_STATUS attribute
"rw"[1] sss.sss.202.73 #1: received XAUTH ack, established
"rw"[1] sss.sss.202.73 #1: received ModeCfg message when in state
STATE_XAUTH_R3, and we aren't mode config client
"rw"[1] sss.sss.202.73 #1: received ModeCfg message when in state
STATE_XAUTH_R3, and we aren't mode config client
"rw"[1] sss.sss.202.73 #1: received ModeCfg message when in state
STATE_XAUTH_R3, and we aren't mode config client
"rw"[1] sss.sss.202.73 #1: received ModeCfg message when in state
STATE_XAUTH_R3, and we aren't mode config client
"rw"[1] sss.sss.202.73 #1: received ModeCfg message when in state
STATE_XAUTH_R3, and we aren't mode config client
"rw"[1] sss.sss.202.73 #1: received ModeCfg message when in state
STATE_XAUTH_R3, and we aren't mode config client
"rw"[1] sss.sss.202.73 #1: received ModeCfg message when in state
STATE_XAUTH_R3, and we aren't mode config client
"rw"[1] sss.sss.202.73 #1: received ModeCfg message when in state
STATE_XAUTH_R3, and we aren't mode config client
"rw"[1] sss.sss.202.73 #1: received ModeCfg message when in state
STATE_XAUTH_R3, and we aren't mode config client
"rw"[1] sss.sss.202.73 #1: received ModeCfg message when in state
STATE_XAUTH_R3, and we aren't mode config client
"rw"[1] sss.sss.202.73 #1: received Delete SA payload: deleting ISAKMP State #1
| **emit ISAKMP Message:
| initiator cookie:
| c3 30 92 47 94 f0 21 9e
| responder cookie:
| b7 cd 5c ee c9 6e a8 d0
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_INFO
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 0f 5b 64 e3
| ***emit ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_D
| emitting 20 zero bytes of HASH(1) into ISAKMP Hash Payload
| emitting length of ISAKMP Hash Payload: 24
| ***emit ISAKMP Delete Payload:
| next payload type: ISAKMP_NEXT_NONE
| DOI: ISAKMP_DOI_IPSEC
| protocol ID: 1
| SPI size: 16
| number of SPIs: 1
| emitting 16 raw bytes of delete payload into ISAKMP Delete Payload
| delete payload c3 30 92 47 94 f0 21 9e b7 cd 5c ee c9 6e a8 d0
| emitting length of ISAKMP Delete Payload: 28
| emitting 12 zero bytes of encryption padding into ISAKMP Message
| emitting length of ISAKMP Message: 92
"rw"[1] sss.sss.202.73: deleting connection "rw" instance with peer
sss.sss.202.73 {isakmp=#0/ipsec=#0}
| certs and keys locked by 'delete_connection'
| certs and keys unlocked by 'delete_connection'
| unref key: 0x83b490 0x8371e0 cnt 2 'C=US, O=snowmane, CN=client'
On Wed, Jun 27, 2012 at 12:57 AM, Martin Willi <martin at strongswan.org> wrote:
> Hi Ashwin,
>
>> plutostart=no
>> keyexchange=ikev2
>
>> I am using an android device (version 4.0) to connect to this VPN
>> server. I am not using the android client for strongswan as I cannot
>> root these devices.
>
> The built-in client coming with Android uses IKEv1 and does not support
> IKEv2. Either switch to pluto, or use our 5.0rc that brings IKEv1
> support to charon.
>
> Regards
> Martin
>
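Editor's note on the trace above, with an added configuration example that is neither the poster's ipsec.conf nor taken from strongSwan's own documentation. The trace shows Phase 1 and XAUTH succeeding, then ten ISAKMP Config Mode messages that pluto discards with "received ModeCfg message when in state STATE_XAUTH_R3, and we aren't mode config client", then a Delete from the peer. Quick Mode is never attempted, which matches the {isakmp=#0/ipsec=#0} count at teardown. pluto only takes the Config Mode server role for a conn whose remote end has a virtual IP pool (rightsourceip); the posted "rw" conn has none, and the built-in Android IKEv1 client requests an inner address through Config Mode and gives up when it is not answered. The leftsubnet=0.0.0.0/32 line is also almost certainly meant to be 0.0.0.0/0: /32 selects the single host 0.0.0.0, not the whole address space. The conn below adds the pool and fixes the subnet and otherwise keeps the posted settings; the 10.10.10.0/24 pool and the DPD timers are placeholders to adapt.

```ini
# Added example (editor's), not the poster's ipsec.conf.
# Pool range and DPD timers are placeholders.
config setup
        plutostart=yes
        nat_traversal=yes

conn rw
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        modeconfig=pull            # default; the client asks for its address (pull mode)
        left=%defaultroute
        leftid=@snowmane.mydomain.edu
        leftcert=serverCert.pem
        leftsubnet=0.0.0.0/0       # was 0.0.0.0/32, i.e. only the host 0.0.0.0; /0 = full tunnel
        leftfirewall=yes
        right=%any
        rightid="C=US, O=snowmane, CN=client"
        rightcert=clientCert.pem
        rightsourceip=10.10.10.0/24   # ADDED: virtual IP pool handed out via ModeCfg;
                                      # without it pluto discards the client's request
        # rightsubnet dropped: the assigned virtual IP becomes the remote traffic selector
        dpdaction=clear            # peer advertised Dead Peer Detection; clear stale SAs
        dpddelay=30s
        auto=add
```

After the change, ipsec update (or a restart) and a fresh connection attempt should show the ModeCfg request being answered rather than discarded, followed by Quick Mode and an IPsec SA, so ipsec statusall reports a non-zero ipsec count for the instance. Note that pinning rightid and rightcert to one client DN means this conn serves exactly one device certificate; to admit several devices issued by the same CA, drop those two lines and constrain the peer by issuer with rightca instead.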