[strongSwan] strongswan connect issue

Xin knightluffy at live.com
Fri Dec 12 03:03:32 CET 2014


Hi,

I'm running a new strongSwan server on Windows Azure, but an issue occurs
when connecting from Win7. Here is the log:

Dec 11 08:30:58 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.13.0-40-generic, x86_64)
Dec 11 08:30:58 00[LIB] created TUN device: ipsec0
Dec 11 08:30:58 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Dec 11 08:30:58 00[CFG]   loaded ca certificate "C=DE, O=Personal, CN=xxx.xxx.net" from '/usr/local/etc/ipsec.d/cacerts/ca.cert.pem'
Dec 11 08:30:58 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Dec 11 08:30:58 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Dec 11 08:30:58 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Dec 11 08:30:58 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Dec 11 08:30:58 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Dec 11 08:30:58 00[CFG]   loaded RSA private key from '/usr/local/etc/ipsec.d/private/server.pem'
Dec 11 08:30:58 00[CFG]   loaded IKE secret for %any
Dec 11 08:30:58 00[CFG]   loaded EAP secret for test
Dec 11 08:30:58 00[CFG] loaded 0 RADIUS server configurations
Dec 11 08:30:58 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp certexpire radattr addrblock unity
Dec 11 08:30:58 00[LIB] unable to load 3 plugin features (3 due to unmet dependencies)
Dec 11 08:30:58 00[JOB] spawning 16 worker threads
Dec 11 08:30:58 14[CFG] received stroke: add connection 'iOS_cert'
Dec 11 08:30:58 14[CFG] left nor right host is our side, assuming left=local
Dec 11 08:30:58 14[CFG] adding virtual IP address pool 10.0.0.0/24
Dec 11 08:30:58 14[CFG]   loaded certificate "C=DE, O=Personal, CN=xxx.xxx.net" from 'server.cert.pem'
Dec 11 08:30:58 14[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=DE, O=Personal, CN=xxx.xxx.net'
Dec 11 08:30:58 14[CFG]   loaded certificate "C=DE, O=Personal, CN=xxx.xxx.net" from 'client.cert.pem'
Dec 11 08:30:58 14[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=DE, O=Personal, CN=xxx.xxx.net'
Dec 11 08:30:58 14[CFG] added configuration 'iOS_cert'
Dec 11 08:30:58 16[CFG] received stroke: add connection 'android_xauth_psk'
Dec 11 08:30:58 16[CFG] left nor right host is our side, assuming left=local
Dec 11 08:30:58 16[CFG] reusing virtual IP address pool 10.0.0.0/24
Dec 11 08:30:58 16[CFG] added configuration 'android_xauth_psk'
Dec 11 08:30:58 04[CFG] received stroke: add connection 'networkmanager-strongswan'
Dec 11 08:30:58 04[CFG] left nor right host is our side, assuming left=local
Dec 11 08:30:58 04[CFG] reusing virtual IP address pool 10.0.0.0/24
Dec 11 08:30:58 04[CFG]   loaded certificate "C=DE, O=Personal, CN=xxx.xxx.net" from 'server.cert.pem'
Dec 11 08:30:58 04[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=DE, O=Personal, CN=xxx.xxx.net'
Dec 11 08:30:58 04[CFG]   loaded certificate "C=DE, O=Personal, CN=xxx.xxx.net" from 'client.cert.pem'
Dec 11 08:30:58 04[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=DE, O=Personal, CN=xxx.xxx.net'
Dec 11 08:30:58 04[CFG] added configuration 'networkmanager-strongswan'
Dec 11 08:30:58 02[CFG] received stroke: add connection 'windows7'
Dec 11 08:30:58 02[CFG] left nor right host is our side, assuming left=local
Dec 11 08:30:58 02[CFG] reusing virtual IP address pool 10.0.0.0/24
Dec 11 08:30:58 02[CFG]   loaded certificate "C=DE, O=Personal, CN=xxx.xxx.net" from 'server.cert.pem'
Dec 11 08:30:58 02[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=DE, O=Personal, CN=xxx.xxx.net'
Dec 11 08:30:58 02[CFG] added configuration 'windows7'
Dec 11 08:31:57 16[NET] received packet: from vpn_client_ip[500] to strongswan_server_ip[500] (528 bytes)
Dec 11 08:31:57 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Dec 11 08:31:57 16[IKE] vpn_client_ip is initiating an IKE_SA
Dec 11 08:31:57 16[IKE] local host is behind NAT, sending keep alives
Dec 11 08:31:57 16[IKE] remote host is behind NAT
Dec 11 08:31:57 16[IKE] sending cert request for "C=DE, O=Personal, CN=xxx.xxx.net"
Dec 11 08:31:57 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Dec 11 08:31:57 16[NET] sending packet: from strongswan_server_ip[500] to vpn_client_ip[500] (333 bytes)
Dec 11 08:32:17 02[IKE] sending keep alive to vpn_client_ip[500]
Dec 11 08:32:27 15[JOB] deleting half open IKE_SA after timeout
Dec 11 08:36:13 15[NET] received packet: from vpn_client_ip[500] to strongswan_server_ip[500] (528 bytes)
Dec 11 08:36:13 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Dec 11 08:36:13 15[IKE] vpn_client_ip is initiating an IKE_SA
Dec 11 08:36:13 15[IKE] local host is behind NAT, sending keep alives
Dec 11 08:36:13 15[IKE] remote host is behind NAT
Dec 11 08:36:13 15[IKE] sending cert request for "C=DE, O=Personal, CN=xxx.xxx.net"
Dec 11 08:36:13 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Dec 11 08:36:13 15[NET] sending packet: from strongswan_server_ip[500] to vpn_client_ip[500] (333 bytes)
Dec 11 08:36:33 01[IKE] sending keep alive to vpn_client_ip[500]
Dec 11 08:36:43 16[JOB] deleting half open IKE_SA after timeout
Dec 11 08:50:17 04[NET] received packet: from vpn_client_ip2[500] to strongswan_server_ip[500] (528 bytes)
Dec 11 08:50:17 04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Dec 11 08:50:17 04[IKE] vpn_client_ip2 is initiating an IKE_SA
Dec 11 08:50:17 04[IKE] local host is behind NAT, sending keep alives
Dec 11 08:50:17 04[IKE] remote host is behind NAT
Dec 11 08:50:17 04[IKE] sending cert request for "C=DE, O=Personal, CN=xxx.xxx.net"
Dec 11 08:50:17 04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Dec 11 08:50:17 04[NET] sending packet: from strongswan_server_ip[500] to vpn_client_ip2[500] (333 bytes)
Dec 11 08:50:18 14[NET] received packet: from vpn_client_ip2[500] to strongswan_server_ip[500] (528 bytes)
Dec 11 08:50:18 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Dec 11 08:50:18 14[IKE] received retransmit of request with ID 0, retransmitting response
Dec 11 08:50:18 14[NET] sending packet: from strongswan_server_ip[500] to vpn_client_ip2[500] (333 bytes)
Dec 11 08:50:37 03[IKE] sending keep alive to vpn_client_ip2[500]
Dec 11 08:50:47 01[JOB] deleting half open IKE_SA after timeout
Dec 11 08:57:07 05[NET] received packet: from vpn_client_ip[500] to strongswan_server_ip[500] (528 bytes)
Dec 11 08:57:07 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Dec 11 08:57:07 05[IKE] vpn_client_ip is initiating an IKE_SA
Dec 11 08:57:07 05[IKE] local host is behind NAT, sending keep alives
Dec 11 08:57:07 05[IKE] remote host is behind NAT
Dec 11 08:57:07 05[IKE] sending cert request for "C=DE, O=Personal, CN=xxx.xxx.net"
Dec 11 08:57:07 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Dec 11 08:57:07 05[NET] sending packet: from strongswan_server_ip[500] to vpn_client_ip[500] (333 bytes)
Dec 11 08:57:27 16[IKE] sending keep alive to vpn_client_ip[500]
Dec 11 08:57:33 02[NET] received packet: from vpn_client_ip[500] to strongswan_server_ip[500] (528 bytes)
Dec 11 08:57:33 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Dec 11 08:57:33 02[IKE] vpn_client_ip is initiating an IKE_SA
Dec 11 08:57:33 02[IKE] local host is behind NAT, sending keep alives
Dec 11 08:57:33 02[IKE] remote host is behind NAT
Dec 11 08:57:33 02[IKE] sending cert request for "C=DE, O=Personal, CN=xxx.xxx.net"
Dec 11 08:57:33 02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Dec 11 08:57:33 02[NET] sending packet: from strongswan_server_ip[500] to vpn_client_ip[500] (333 bytes)
Dec 11 08:57:37 04[JOB] deleting half open IKE_SA after timeout
Dec 11 08:57:53 03[IKE] sending keep alive to vpn_client_ip[500]
Dec 11 08:58:03 02[JOB] deleting half open IKE_SA after timeout

ipsec.conf:

conn windows7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    dpdaction=none
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=server.cert.pem
    right=%any
    rightsourceip=10.0.0.0/24
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add

I have opened ports 4500 (UDP), 500 (UDP) and 500 (TCP) on the website, but it
still does not work. I appreciate the help.
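
Added example, not part of the original post: a triage script for charon logs like the one above that counts, per peer, how many IKE_SAs were initiated, reached IKE_AUTH, or were deleted half-open. The sample lines and addresses are constructed, and matching each timeout to the oldest pending peer is an assumption, since the timeout line names no peer.

```python
import re
from collections import defaultdict, deque
# Constructed sample in charon's format: 192.0.2.10 never sends IKE_AUTH, 198.51.100.7 does.
SAMPLE_LOG = """\
Dec 11 08:31:57 16[NET] received packet: from 192.0.2.10[500] to 203.0.113.5[500] (528 bytes)
Dec 11 08:31:57 16[IKE] 192.0.2.10 is initiating an IKE_SA
Dec 11 08:31:58 14[NET] received packet: from 192.0.2.10[500] to 203.0.113.5[500] (528 bytes)
Dec 11 08:31:58 14[IKE] received retransmit of request with ID 0, retransmitting response
Dec 11 08:32:05 03[IKE] 198.51.100.7 is initiating an IKE_SA
Dec 11 08:32:05 09[NET] received packet: from 198.51.100.7[4500] to 203.0.113.5[4500] (1052 bytes)
Dec 11 08:32:05 09[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ SA TSi TSr ]
Dec 11 08:32:27 15[JOB] deleting half open IKE_SA after timeout
Dec 11 08:40:00 05[IKE] 192.0.2.10 is initiating an IKE_SA
Dec 11 08:40:30 02[JOB] deleting half open IKE_SA after timeout
"""

ENTRY = re.compile(r"^\w{3} +\d+ [\d:]{8} (\d+)\[\w+\] (.*)$")
RECV = re.compile(r"received packet: from (\S+)\[\d+\]")
INIT = re.compile(r"(\S+) is initiating an IKE_SA")

def triage(log_text):
    """Count, per peer, IKE_SAs initiated, authenticated, and timed out half-open."""
    stats = defaultdict(lambda: {"init": 0, "auth": 0, "half_open_timeout": 0})
    pending = deque()  # peers with a half-open IKE_SA, oldest first
    last_src = {}      # worker thread id -> peer of the packet it last received
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:      # wrapped continuation lines carry nothing needed here
            continue
        thread, msg = m.groups()
        if (r := RECV.match(msg)):
            last_src[thread] = r.group(1)
        elif (i := INIT.match(msg)):
            pending.append(i.group(1))
            stats[i.group(1)]["init"] += 1
        elif msg.startswith("parsed IKE_AUTH request") and last_src.get(thread) in pending:
            pending.remove(last_src[thread])
            stats[last_src[thread]]["auth"] += 1
        elif msg.startswith("deleting half open IKE_SA") and pending:
            # This line names no peer; assume one fixed timeout, so oldest expires first.
            stats[pending.popleft()]["half_open_timeout"] += 1
    return dict(stats)

def stuck_peers(stats):
    """Peers whose every attempt died half-open, i.e. charon never parsed an IKE_AUTH."""
    return sorted(p for p, s in stats.items() if s["auth"] == 0 and s["half_open_timeout"] == s["init"])

if __name__ == "__main__":
    print(stuck_peers(triage(SAMPLE_LOG)))
```

For a peer reported as stuck, charon saw nothing after its IKE_SA_INIT response; once NAT is detected, an IKEv2 initiator sends IKE_AUTH to UDP port 4500 (RFC 7296, section 2.23), so that is the path to check first.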

 
