[strongSwan] Android VPN Client - no matching outbound IPsec policy
g s
gs59937 at gmail.com
Sat Feb 2 16:32:24 CET 2013
Hello,
I am trying to establish an IKEv2/cert connection between a strongSwan VPN client on Android (4.1) and a strongSwan server (4.5.2). The IPsec SA appears to be in place, but traffic does not flow through the tunnel. The VPN client log indicates "no matching outbound IPsec policy" for any traffic sent when leftsubnet=0.0.0.0/0 in the server's ipsec.conf. The client VPN status counts indicate packets sent, but none received, and packets are not seen on the network. If leftsubnet is narrowed, any packets with destinations outside of leftsubnet are sent outside of the tunnel.

The server (192.168.50.101) is NATed behind the router 192.168.1.2. The client is on the router's local network at 192.168.1.141 and gets a virtual IP (192.168.47.1) from the server. The behavior is the same if both the client and server are NATed. The intended behavior is for all traffic from the client to pass through the tunnel.

I suspect the configuration is wrong on the server, but I have not found what prevents the client from installing a policy for traffic through the tunnel. The attached file includes configuration and logs. Any assistance is greatly appreciated.
-gs
------------------------------------
Server ipsec.conf
config setup
        # plutodebug=control
        nat_traversal=yes
        charonstart=yes
        charondebug="default 1, ike 3, cfg 3"
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no

ca sample
        cacert=sampleCAcert.pem
        auto=add

conn %default
        type=tunnel
        keyexchange=ikev2
        reauth=no
        rekey=no
        authby=rsa
        pfs=no
        keyingtries=3

conn IPSEC-VPN-NAT
        left=192.168.50.101
        leftsubnet=0.0.0.0/0
        leftprotoport=17/1701
        leftcert=serverdnsandipCert.pem
        leftid=serverdnsandipKey.der
        leftfirewall=yes
        right=%any
        rightprotoport=17/%any
        rightsourceip=192.168.47.0/24
        rightid=%any
        auto=add
---------------------------------
server ipsec.secrets
#include /var/lib/strongswan/ipsec.secrets.inc
: RSA serverdnsandipKey.der "xxxx"
-----------------------------------
>> ipsec listcerts
List of X.509 End Entity Certificates:
altNames: vpn.sample.org, 192.168.1.2
subject: "C=US, O=Sample, CN=vpn.sample.org, E=support at sample.org"
issuer: "C=US, O=Sample, OU=Sample CA, CN=ca.sample.org, E=support.ca at sample.org"
serial: 20:24
validity: not before Feb 01 09:34:48 2013, ok
not after Feb 01 09:34:48 2015, ok
pubkey: RSA 2048 bits, has private key
keyid: 75:75:4f:b2:02:28:16:80:a6:6c:fa:87:cd:10:5d:28:04:f1:77:4f
subjkey: 8b:55:0c:eb:d7:60:97:02:ea:81:96:d0:bf:86:5f:34:d7:54:8c:3f
authkey: 50:86:71:86:aa:c3:25:08:12:22:5a:12:c6:a7:90:9b:cf:0b:7b:71
>> ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.2):
uptime: 5 minutes, since Feb 01 11:15:56 2013
malloc: sbrk 282624, mmap 0, used 232168, free 50456
worker threads: 6 idle of 16, job queue load: 0, scheduled events: 0
loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc nm dhcp led addrblock
Virtual IP pools (size/online/offline):
IPSEC-VPN-NAT: 255/0/0
Listening IP addresses:
192.168.50.101
Connections:
IPSEC-VPN-NAT: 192.168.50.101...%any
IPSEC-VPN-NAT: local: [C=US, O=Sample, CN=vpn.sample.org, E=support at sample.org] uses public key authentication
IPSEC-VPN-NAT: cert: "C=US, O=Sample, CN=vpn.sample.org, E=support at sample.org"
IPSEC-VPN-NAT: remote: [%any] uses any authentication
IPSEC-VPN-NAT: child: 0.0.0.0/0[udp/l2f] === dynamic[udp]
Security Associations:
none
>> ipsec status
Security Associations:
IPSEC-VPN-NAT[1]: ESTABLISHED 7 seconds ago, 192.168.50.101[C=US, O=Sample, CN=vpn.sample.org, E=support at sample.org]...192.168.1.141[C=US, O=Sample, CN=rw.sample.org, E=rw at sample.org]
IPSEC-VPN-NAT{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c7e346d6_i 5dd3d9e2_o
IPSEC-VPN-NAT{1}: 0.0.0.0/0[udp/l2f] === 192.168.47.1/32[udp]
---------------------------------------
server syslog
Feb 1 11:15:55 VPN charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
Feb 1 11:15:55 VPN charon: 00[LIB] Padlock not found, CPU is GenuineIntel
Feb 1 11:15:55 VPN charon: 00[LIB] plugin 'padlock': failed to load - padlock_plugin_create returned NULL
Feb 1 11:15:55 VPN charon: 00[KNL] listening on interfaces:
Feb 1 11:15:55 VPN charon: 00[KNL] eth2
Feb 1 11:15:55 VPN charon: 00[KNL] 192.168.50.101
Feb 1 11:15:55 VPN charon: 00[KNL] fe80::20b:abff:fe4b:782
Feb 1 11:15:55 VPN charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 1 11:15:55 VPN charon: 00[CFG] loaded ca certificate "C=US, O=Sample, OU=Sample CA, CN=ca.sample.org, E=support.ca at sample.org" from '/etc/ipsec.d/cacerts/sampleCAcert.pem'
Feb 1 11:15:55 VPN charon: 00[CFG] loaded ca certificate "C=US, O=Sample, OU=Sample CA, CN=ca.sample.org, E=support.ca at sample.org" from '/etc/ipsec.d/cacerts/sampleCAcert.der'
Feb 1 11:15:55 VPN charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 1 11:15:55 VPN charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 1 11:15:55 VPN charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 1 11:15:55 VPN charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 1 11:15:55 VPN charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 1 11:15:55 VPN charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/serverdnsandipKey.der'
Feb 1 11:15:55 VPN charon: 00[CFG] sql plugin: database URI not set
Feb 1 11:15:55 VPN charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Feb 1 11:15:55 VPN charon: 00[CFG] loaded 0 RADIUS server configurations
Feb 1 11:15:55 VPN charon: 00[LIB] plugin 'medsrv' failed to load: /usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object file: No such file or directory
Feb 1 11:15:55 VPN charon: 00[CFG] mediation client database URI not defined, skipped
Feb 1 11:15:55 VPN charon: 00[LIB] plugin 'medcli': failed to load - medcli_plugin_create returned NULL
Feb 1 11:15:55 VPN charon: 00[CFG] HA config misses local/remote address
Feb 1 11:15:55 VPN charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Feb 1 11:15:55 VPN charon: 00[DMN] loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc nm dhcp led addrblock
Feb 1 11:15:55 VPN charon: 00[JOB] spawning 16 worker threads
Feb 1 11:15:55 VPN charon: 04[CFG] received stroke: add ca 'sample'
Feb 1 11:15:55 VPN charon: 04[CFG] added ca 'sample'
Feb 1 11:15:55 VPN charon: 10[CFG] received stroke: add connection 'IPSEC-VPN-NAT'
Feb 1 11:15:55 VPN charon: 10[CFG] loaded certificate "C=US, O=Sample, CN=vpn.sample.org, E=support at sample.org" from 'serverdnsandipCert.pem'
Feb 1 11:15:55 VPN charon: 10[CFG] id 'serverdnsandipKey.der' not confirmed by certificate, defaulting to 'C=US, O=Sample, CN=vpn.sample.org, E=support at sample.org'
Feb 1 11:15:55 VPN charon: 10[CFG] added configuration 'IPSEC-VPN-NAT'
Feb 1 11:15:55 VPN charon: 10[CFG] adding virtual IP address pool 'IPSEC-VPN-NAT': 192.168.47.0/24
Feb 1 11:16:53 VPN charon: 15[CFG] rereading secrets
Feb 1 11:16:53 VPN charon: 15[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 1 11:16:53 VPN charon: 15[CFG] loaded RSA private key from '/etc/ipsec.d/private/serverdnsandipKey.der'
Feb 1 11:17:01 VPN CRON[32219]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Feb 1 11:22:28 VPN charon: 11[NET] received packet: from 192.168.1.141[47081] to 192.168.50.101[500]
Feb 1 11:22:28 VPN charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 1 11:22:28 VPN charon: 11[IKE] 192.168.1.141 is initiating an IKE_SA
Feb 1 11:22:28 VPN charon: 11[IKE] local host is behind NAT, sending keep alives
Feb 1 11:22:28 VPN charon: 11[IKE] remote host is behind NAT
Feb 1 11:22:28 VPN charon: 11[IKE] sending cert request for "C=US, O=Sample, OU=Sample CA, CN=ca.sample.org, E=support.ca at sample.org"
Feb 1 11:22:28 VPN charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Feb 1 11:22:28 VPN charon: 11[NET] sending packet: from 192.168.50.101[500] to 192.168.1.141[47081]
Feb 1 11:22:29 VPN charon: 13[NET] received packet: from 192.168.1.141[36761] to 192.168.50.101[4500]
Feb 1 11:22:29 VPN charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Feb 1 11:22:29 VPN charon: 13[IKE] received cert request for "C=US, O=Sample, OU=Sample CA, CN=ca.sample.org, E=support.ca at sample.org"
Feb 1 11:22:29 VPN charon: 13[IKE] received end entity cert "C=US, O=Sample, CN=rw.sample.org, E=rw at sample.org"
Feb 1 11:22:29 VPN charon: 13[CFG] looking for peer configs matching 192.168.50.101[%any]...192.168.1.141[C=US, O=Sample, CN=rw.sample.org, E=rw at sample.org]
Feb 1 11:22:29 VPN charon: 13[CFG] selected peer config 'IPSEC-VPN-NAT'
Feb 1 11:22:29 VPN charon: 13[CFG] using certificate "C=US, O=Sample, CN=rw.sample.org, E=rw at sample.org"
Feb 1 11:22:29 VPN charon: 13[CFG] using trusted ca certificate "C=US, O=Sample, OU=Sample CA, CN=ca.sample.org, E=support.ca at sample.org"
Feb 1 11:22:29 VPN charon: 13[CFG] checking certificate status of "C=US, O=Sample, CN=rw.sample.org, E=rw at sample.org"
Feb 1 11:22:29 VPN charon: 13[CFG] certificate status is not available
Feb 1 11:22:29 VPN charon: 13[CFG] reached self-signed root ca with a path length of 0
Feb 1 11:22:29 VPN charon: 13[IKE] authentication of 'C=US, O=Sample, CN=rw.sample.org, E=rw at sample.org' with RSA signature successful
Feb 1 11:22:29 VPN charon: 13[IKE] peer supports MOBIKE
Feb 1 11:22:29 VPN charon: 13[IKE] authentication of 'C=US, O=Sample, CN=vpn.sample.org, E=support at sample.org' (myself) with RSA signature successful
Feb 1 11:22:29 VPN charon: 13[IKE] IKE_SA IPSEC-VPN-NAT[1] established between 192.168.50.101[C=US, O=Sample, CN=vpn.sample.org, E=support at sample.org]...192.168.1.141[C=US, O=Sample, CN=rw.sample.org, E=rw at sample.org]
Feb 1 11:22:29 VPN charon: 13[IKE] sending end entity cert "C=US, O=Sample, CN=vpn.sample.org, E=support at sample.org"
Feb 1 11:22:29 VPN charon: 13[IKE] peer requested virtual IP %any
Feb 1 11:22:29 VPN charon: 13[CFG] assigning new lease to 'C=US, O=Sample, CN=rw.sample.org, E=rw at sample.org'
Feb 1 11:22:29 VPN charon: 13[IKE] assigning virtual IP 192.168.47.1 to peer 'C=US, O=Sample, CN=rw.sample.org, E=rw at sample.org'
Feb 1 11:22:29 VPN charon: 13[IKE] CHILD_SA IPSEC-VPN-NAT{1} established with SPIs c7e346d6_i 5dd3d9e2_o and TS 0.0.0.0/0[udp/l2f] === 192.168.47.1/32[udp]
Feb 1 11:22:29 VPN vpn: + C=US, O=Sample, CN=rw.sample.org, E=rw at sample.org 192.168.47.1/32 == 192.168.1.141 -- 192.168.50.101 == 0.0.0.0/0
Feb 1 11:22:29 VPN charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Feb 1 11:22:29 VPN charon: 13[NET] sending packet: from 192.168.50.101[4500] to 192.168.1.141[36761]
Feb 1 11:22:49 VPN charon: 10[IKE] sending keep alive
Feb 1 11:22:49 VPN charon: 10[NET] sending packet: from 192.168.50.101[4500] to 192.168.1.141[36761]
... Disconnected from client at this point
Feb 1 11:28:54 VPN charon: 04[NET] received packet: from 192.168.1.141[36761] to 192.168.50.101[4500]
Feb 1 11:28:54 VPN charon: 04[ENC] parsed INFORMATIONAL request 2 [ D ]
Feb 1 11:28:54 VPN charon: 04[IKE] received DELETE for IKE_SA IPSEC-VPN-NAT[1]
Feb 1 11:28:54 VPN charon: 04[IKE] deleting IKE_SA IPSEC-VPN-NAT[1] between 192.168.50.101[C=US, O=Sample, CN=vpn.sample.org, E=support at sample.org]...192.168.1.141[C=US, O=Sample, CN=rw.sample.org, E=rw at sample.org]
Feb 1 11:28:54 VPN charon: 04[IKE] IKE_SA deleted
Feb 1 11:28:54 VPN vpn: - C=US, O=Sample, CN=rw.sample.org, E=rw at sample.org 192.168.47.1/32 == 192.168.1.141 -- 192.168.50.101 == 0.0.0.0/0
Feb 1 11:28:54 VPN charon: 04[ENC] generating INFORMATIONAL response 2 [ ]
Feb 1 11:28:54 VPN charon: 04[NET] sending packet: from 192.168.50.101[4500] to 192.168.1.141[36761]
Feb 1 11:28:54 VPN charon: 04[CFG] lease 192.168.47.1 by 'C=US, O=Sample, CN=rw.sample.org, E=rw at sample.org' went offline
--------------------------
server auth.log
Feb 1 11:15:55 VPN ipsec_starter[32161]: Starting strongSwan 4.5.2 IPsec [starter]...
Feb 1 11:22:28 VPN charon: 11[IKE] 192.168.1.141 is initiating an IKE_SA
Feb 1 11:22:29 VPN charon: 13[IKE] IKE_SA IPSEC-VPN-NAT[1] established between 192.168.50.101[C=US, O=Sample, CN=vpn.sample.org, E=support at sample.org]...192.168.1.141[C=US, O=Sample, CN=rw.sample.org, E=rw at sample.org]
Feb 1 11:22:29 VPN charon: 13[IKE] CHILD_SA IPSEC-VPN-NAT{1} established with SPIs c7e346d6_i 5dd3d9e2_o and TS 0.0.0.0/0[udp/l2f] === 192.168.47.1/32[udp]
Feb 1 11:28:54 VPN charon: 04[IKE] deleting IKE_SA IPSEC-VPN-NAT[1] between 192.168.50.101[C=US, O=Sample, CN=vpn.sample.org, E=support at sample.org]...192.168.1.141[C=US, O=Sample, CN=rw.sample.org, E=rw at sample.org]
Feb 1 11:28:54 VPN charon: 04[IKE] IKE_SA deleted
------------------------------
client log
Feb 1 11:21:13 00[DMN] Starting IKE charon daemon (strongSwan 5.0.2dr4, Linux 3.0.31-381038, armv7l)
Feb 1 11:21:13 00[DMN] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc
Feb 1 11:21:13 00[JOB] spawning 16 worker threads
Feb 1 11:21:13 12[CFG] loaded user certificate 'C=US, O=Sample, CN=rw.sample.org, E=rw at sample.org' and private key
Feb 1 11:21:13 12[CFG] loaded CA certificate 'C=US, O=Sample, OU=Sample CA, CN=ca.sample.org, E=support.ca at sample.org'
Feb 1 11:21:13 12[IKE] initiating IKE_SA android[31] to 192.168.1.2
Feb 1 11:21:13 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 1 11:21:13 12[NET] sending packet: from 192.168.1.141[47081] to 192.168.1.2[500]
Feb 1 11:21:15 14[IKE] retransmit 1 of request with message ID 0
Feb 1 11:21:15 14[NET] sending packet: from 192.168.1.141[47081] to 192.168.1.2[500]
Feb 1 11:21:16 15[NET] received packet: from 192.168.1.2[500] to 192.168.1.141[47081]
Feb 1 11:21:16 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Feb 1 11:21:16 15[IKE] remote host is behind NAT
Feb 1 11:21:16 15[IKE] received cert request for "C=US, O=Sample, OU=Sample CA, CN=ca.sample.org, E=support.ca at sample.org"
Feb 1 11:21:16 15[IKE] sending cert request for "C=US, O=Sample, OU=Sample CA, CN=ca.sample.org, E=support.ca at sample.org"
Feb 1 11:21:16 15[IKE] authentication of 'C=US, O=Sample, CN=rw.sample.org, E=rw at sample.org' (myself) with RSA signature successful
Feb 1 11:21:16 15[IKE] sending end entity cert "C=US, O=Sample, CN=rw.sample.org, E=rw at sample.org"
Feb 1 11:21:16 15[IKE] establishing CHILD_SA android
Feb 1 11:21:16 15[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Feb 1 11:21:16 15[NET] sending packet: from 192.168.1.141[36761] to 192.168.1.2[4500]
Feb 1 11:21:16 16[NET] received packet: from 192.168.1.2[4500] to 192.168.1.141[36761]
Feb 1 11:21:16 16[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Feb 1 11:21:16 16[IKE] received end entity cert "C=US, O=Sample, CN=vpn.sample.org, E=support at sample.org"
Feb 1 11:21:16 16[CFG] using certificate "C=US, O=Sample, CN=vpn.sample.org, E=support at sample.org"
Feb 1 11:21:16 16[CFG] using trusted ca certificate "C=US, O=Sample, OU=Sample CA, CN=ca.sample.org, E=support.ca at sample.org"
Feb 1 11:21:16 16[CFG] reached self-signed root ca with a path length of 0
Feb 1 11:21:16 16[IKE] authentication of 'C=US, O=Sample, CN=vpn.sample.org, E=support at sample.org' with RSA signature successful
Feb 1 11:21:16 16[IKE] IKE_SA android[31] established between 192.168.1.141[C=US, O=Sample, CN=rw.sample.org, E=rw at sample.org]...192.168.1.2[C=US, O=Sample, CN=vpn.sample.org, E=support at sample.org]
Feb 1 11:21:16 16[IKE] scheduling rekeying in 35884s
Feb 1 11:21:16 16[IKE] maximum IKE_SA lifetime 36484s
Feb 1 11:21:16 16[IKE] installing new virtual IP 192.168.47.1
Feb 1 11:21:16 16[IKE] CHILD_SA android{26} established with SPIs 5dd3d9e2_i c7e346d6_o and TS 192.168.47.1/32[17] === 0.0.0.0/0[17/1701]
Feb 1 11:21:16 16[DMN] setting up TUN device for CHILD_SA android{26}
Feb 1 11:21:16 16[DMN] successfully created TUN device
Feb 1 11:21:16 16[IKE] peer supports MOBIKE
Feb 1 11:23:13 11[ESP] no matching outbound IPsec policy for 192.168.47.1 == 10.0.0.8
Feb 1 11:23:14 11[ESP] no matching outbound IPsec policy for 192.168.47.1 == 10.0.0.8
Feb 1 11:23:15 11[ESP] no matching outbound IPsec policy for 192.168.47.1 == 10.0.0.8
Feb 1 11:23:16 11[ESP] no matching outbound IPsec policy for 192.168.47.1 == 10.0.0.8
Disconnect Requested from Client UI
Feb 1 11:27:42 00[IKE] deleting IKE_SA android[31] between 192.168.1.141[C=US, O=Sample, CN=rw.sample.org, E=rw at sample.org]...192.168.1.2[C=US, O=Sample, CN=vpn.sample.org, E=support at sample.org]
Feb 1 11:27:42 00[IKE] sending DELETE for IKE_SA android[31]
Feb 1 11:27:42 00[ENC] generating INFORMATIONAL request 2 [ D ]
Feb 1 11:27:42 00[NET] sending packet: from 192.168.1.141[36761] to 192.168.1.2[4500]
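Added example, not part of the original post and not strongSwan's own code: a small Python checker that parses the `TS <local> === <remote>` fragment of charon's "CHILD_SA ... established" log line and tests whether a given outbound flow is covered by the resulting IPsec policy. It makes the relationship between the server's ipsec.conf and the client's "no matching outbound IPsec policy" messages concrete: `leftprotoport=17/1701` together with `rightprotoport=17/%any` narrows the negotiated traffic selector to UDP with remote port 1701 (`0.0.0.0/0[udp/l2f]` in the server log, `0.0.0.0/0[17/1701]` in the client log), so only L2TP traffic is covered, and any other packet from the virtual IP 192.168.47.1 has no policy to match. The log does not show the protocol or port of the traffic to 10.0.0.8, so the ICMP and UDP/53 flows below are constructed, as is the second selector line showing the same CHILD_SA as it would look without the protoport restrictions. `Selector`, `parse_selector`, `parse_child_sa_ts`, `outbound_policy_matches` and `check_flows` are names chosen for this example.

```python
"""Check outbound flows against a CHILD_SA's traffic selectors.

Constructed example: parses the "TS <local> === <remote>" fragment of a
charon "CHILD_SA ... established" log line and reports whether a given
outbound packet would be covered by the resulting IPsec policy. Selector
syntax follows what charon prints: "net/prefix[proto/port]", with the
protocol or port given by name (udp, l2f) or number (17, 1701).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Names charon uses in place of numbers when printing traffic selectors.
PROTO_NAMES = {"udp": 17, "tcp": 6, "icmp": 1}
PORT_NAMES = {"l2f": 1701, "isakmp": 500, "ipsec-nat-t": 4500, "domain": 53}

SELECTOR_RE = re.compile(r"^(?P<net>\d+\.\d+\.\d+\.\d+/\d+)(?:\[(?P<inner>[^\]]*)\])?$")
TS_RE = re.compile(r"\bTS (?P<local>\S+) === (?P<remote>\S+)")


@dataclass(frozen=True)
class Selector:
    net: ipaddress.IPv4Network
    proto: int            # 0 means any protocol
    port: Optional[int]   # None means any port

    def covers(self, addr: str, proto: int, port: Optional[int]) -> bool:
        """True if a packet endpoint (address, protocol, port) falls inside this selector."""
        if ipaddress.ip_address(addr) not in self.net:
            return False
        if self.proto and proto != self.proto:
            return False
        if self.port is not None and port != self.port:
            return False
        return True


def _proto(token: str) -> int:
    token = token.lower()
    return PROTO_NAMES[token] if token in PROTO_NAMES else int(token)


def _port(token: str) -> Optional[int]:
    token = token.lower()
    if token in ("", "%any"):
        return None
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_selector(text: str) -> Selector:
    """Parse one selector such as '0.0.0.0/0[udp/l2f]' or '192.168.47.1/32[17]'."""
    m = SELECTOR_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised traffic selector: {text!r}")
    net = ipaddress.ip_network(m.group("net"), strict=False)
    inner = m.group("inner")
    if not inner:
        return Selector(net, 0, None)          # no [..] part: any protocol, any port
    proto_tok, _, port_tok = inner.partition("/")
    return Selector(net, _proto(proto_tok), _port(port_tok))


def parse_child_sa_ts(log_line: str) -> Tuple[Selector, Selector]:
    """Extract (local, remote) selectors from a 'CHILD_SA ... established ... TS a === b' line."""
    m = TS_RE.search(log_line)
    if not m:
        raise ValueError("no 'TS ... === ...' fragment in log line")
    return parse_selector(m.group("local")), parse_selector(m.group("remote"))


def outbound_policy_matches(local_ts, remote_ts, src, dst, proto, dst_port, src_port=None) -> bool:
    """Would an outbound packet src -> dst be sent through this CHILD_SA?"""
    return local_ts.covers(src, proto, src_port) and remote_ts.covers(dst, proto, dst_port)


def check_flows(log_line: str, flows: Dict[str, tuple]) -> Dict[str, bool]:
    """Map each named flow (src, dst, proto, dst_port) to whether the SA's policy covers it."""
    local_ts, remote_ts = parse_child_sa_ts(log_line)
    return {name: outbound_policy_matches(local_ts, remote_ts, *flow) for name, flow in flows.items()}


# The client's CHILD_SA line from the log above (protoport-restricted).
CLIENT_TS_LINE = (
    "Feb 1 11:21:16 16[IKE] CHILD_SA android{26} established with SPIs 5dd3d9e2_i c7e346d6_o "
    "and TS 192.168.47.1/32[17] === 0.0.0.0/0[17/1701]"
)
# Constructed: the same CHILD_SA as it would be negotiated without leftprotoport/rightprotoport.
UNRESTRICTED_TS_LINE = "CHILD_SA android{26} established with TS 192.168.47.1/32 === 0.0.0.0/0"

# Constructed flows from the virtual IP; the log does not say what the 10.0.0.8 traffic was.
SAMPLE_FLOWS = {
    "icmp echo to 10.0.0.8": ("192.168.47.1", "10.0.0.8", 1, None),
    "dns to 10.0.0.8": ("192.168.47.1", "10.0.0.8", 17, 53),
    "l2tp to 10.0.0.8": ("192.168.47.1", "10.0.0.8", 17, 1701),
}

if __name__ == "__main__":
    for label, line in (("restricted", CLIENT_TS_LINE), ("unrestricted", UNRESTRICTED_TS_LINE)):
        for name, ok in check_flows(line, SAMPLE_FLOWS).items():
            verdict = "matches policy" if ok else "no matching outbound IPsec policy"
            print(f"{label:12s} {name:24s} {verdict}")
```

Run stand-alone, the restricted selector covers only the UDP/1701 flow, while the unrestricted one covers all three. The same check can be pointed at the server's `TS 0.0.0.0/0[udp/l2f] === 192.168.47.1/32[udp]` line with the local and remote roles swapped; it is a quick way to confirm that an installed CHILD_SA really covers the traffic a full-tunnel client is expected to send before looking for the fault elsewhere.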