[strongSwan] strongswan connect issue
Andreas Steffen
andreas.steffen at strongswan.org
Fri Dec 12 07:12:47 CET 2014
Hi,

the strongSwan gateway just never receives the IKE_AUTH
request from the Win 7 client. Either port 4500 is not
available on either side or the Win 7 client does not find
its user credentials. Try using wireshark on the Win 7 client
to check whether any IKE_AUTH message is transmitted.

Regards

Andreas

On 12/12/2014 03:03 AM, Xin wrote:
> Hi,
>
> I’m running a new strongswan server on Windows Azure, but the issue
> happened when connecting from Win7. Here is the log:
>
> Dec 11 08:30:58 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.13.0-40-generic, x86_64)
> Dec 11 08:30:58 00[LIB] created TUN device: ipsec0
> Dec 11 08:30:58 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> Dec 11 08:30:58 00[CFG] loaded ca certificate "C=DE, O=Personal, CN=xxx.xxx.net" from '/usr/local/etc/ipsec.d/cacerts/ca.cert.pem'
> Dec 11 08:30:58 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> Dec 11 08:30:58 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> Dec 11 08:30:58 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> Dec 11 08:30:58 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> Dec 11 08:30:58 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> Dec 11 08:30:58 00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/server.pem'
> Dec 11 08:30:58 00[CFG] loaded IKE secret for %any
> Dec 11 08:30:58 00[CFG] loaded EAP secret for test
> Dec 11 08:30:58 00[CFG] loaded 0 RADIUS server configurations
> Dec 11 08:30:58 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp certexpire radattr addrblock unity
> Dec 11 08:30:58 00[LIB] unable to load 3 plugin features (3 due to unmet dependencies)
> Dec 11 08:30:58 00[JOB] spawning 16 worker threads
> Dec 11 08:30:58 14[CFG] received stroke: add connection 'iOS_cert'
> Dec 11 08:30:58 14[CFG] left nor right host is our side, assuming left=local
> Dec 11 08:30:58 14[CFG] adding virtual IP address pool 10.0.0.0/24
> Dec 11 08:30:58 14[CFG] loaded certificate "C=DE, O=Personal, CN=xxx.xxx.net" from 'server.cert.pem'
> Dec 11 08:30:58 14[CFG] id '%any' not confirmed by certificate, defaulting to 'C=DE, O=Personal, CN=xxx.xxx.net'
> Dec 11 08:30:58 14[CFG] loaded certificate "C=DE, O=Personal, CN=xxx.xxx.net" from 'client.cert.pem'
> Dec 11 08:30:58 14[CFG] id '%any' not confirmed by certificate, defaulting to 'C=DE, O=Personal, CN=xxx.xxx.net'
> Dec 11 08:30:58 14[CFG] added configuration 'iOS_cert'
> Dec 11 08:30:58 16[CFG] received stroke: add connection 'android_xauth_psk'
> Dec 11 08:30:58 16[CFG] left nor right host is our side, assuming left=local
> Dec 11 08:30:58 16[CFG] reusing virtual IP address pool 10.0.0.0/24
> Dec 11 08:30:58 16[CFG] added configuration 'android_xauth_psk'
> Dec 11 08:30:58 04[CFG] received stroke: add connection 'networkmanager-strongswan'
> Dec 11 08:30:58 04[CFG] left nor right host is our side, assuming left=local
> Dec 11 08:30:58 04[CFG] reusing virtual IP address pool 10.0.0.0/24
> Dec 11 08:30:58 04[CFG] loaded certificate "C=DE, O=Personal, CN=xxx.xxx.net" from 'server.cert.pem'
> Dec 11 08:30:58 04[CFG] id '%any' not confirmed by certificate, defaulting to 'C=DE, O=Personal, CN=xxx.xxx.net'
> Dec 11 08:30:58 04[CFG] loaded certificate "C=DE, O=Personal, CN=xxx.xxx.net" from 'client.cert.pem'
> Dec 11 08:30:58 04[CFG] id '%any' not confirmed by certificate, defaulting to 'C=DE, O=Personal, CN=xxx.xxx.net'
> Dec 11 08:30:58 04[CFG] added configuration 'networkmanager-strongswan'
> Dec 11 08:30:58 02[CFG] received stroke: add connection 'windows7'
> Dec 11 08:30:58 02[CFG] left nor right host is our side, assuming left=local
> Dec 11 08:30:58 02[CFG] reusing virtual IP address pool 10.0.0.0/24
> Dec 11 08:30:58 02[CFG] loaded certificate "C=DE, O=Personal, CN=xxx.xxx.net" from 'server.cert.pem'
> Dec 11 08:30:58 02[CFG] id '%any' not confirmed by certificate, defaulting to 'C=DE, O=Personal, CN=xxx.xxx.net'
> Dec 11 08:30:58 02[CFG] added configuration 'windows7'
> Dec 11 08:31:57 16[NET] received packet: from vpn_client_ip[500] to strongswan_server_ip[500] (528 bytes)
> Dec 11 08:31:57 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Dec 11 08:31:57 16[IKE] vpn_client_ip is initiating an IKE_SA
> Dec 11 08:31:57 16[IKE] local host is behind NAT, sending keep alives
> Dec 11 08:31:57 16[IKE] remote host is behind NAT
> Dec 11 08:31:57 16[IKE] sending cert request for "C=DE, O=Personal, CN=xxx.xxx.net"
> Dec 11 08:31:57 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Dec 11 08:31:57 16[NET] sending packet: from strongswan_server_ip[500] to vpn_client_ip[500] (333 bytes)
> Dec 11 08:32:17 02[IKE] sending keep alive to vpn_client_ip[500]
> Dec 11 08:32:27 15[JOB] deleting half open IKE_SA after timeout
> Dec 11 08:36:13 15[NET] received packet: from vpn_client_ip[500] to strongswan_server_ip[500] (528 bytes)
> Dec 11 08:36:13 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Dec 11 08:36:13 15[IKE] vpn_client_ip is initiating an IKE_SA
> Dec 11 08:36:13 15[IKE] local host is behind NAT, sending keep alives
> Dec 11 08:36:13 15[IKE] remote host is behind NAT
> Dec 11 08:36:13 15[IKE] sending cert request for "C=DE, O=Personal, CN=xxx.xxx.net"
> Dec 11 08:36:13 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Dec 11 08:36:13 15[NET] sending packet: from strongswan_server_ip[500] to vpn_client_ip[500] (333 bytes)
> Dec 11 08:36:33 01[IKE] sending keep alive to vpn_client_ip[500]
> Dec 11 08:36:43 16[JOB] deleting half open IKE_SA after timeout
> Dec 11 08:50:17 04[NET] received packet: from vpn_client_ip2[500] to strongswan_server_ip[500] (528 bytes)
> Dec 11 08:50:17 04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Dec 11 08:50:17 04[IKE] vpn_client_ip2 is initiating an IKE_SA
> Dec 11 08:50:17 04[IKE] local host is behind NAT, sending keep alives
> Dec 11 08:50:17 04[IKE] remote host is behind NAT
> Dec 11 08:50:17 04[IKE] sending cert request for "C=DE, O=Personal, CN=xxx.xxx.net"
> Dec 11 08:50:17 04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Dec 11 08:50:17 04[NET] sending packet: from strongswan_server_ip[500] to vpn_client_ip2[500] (333 bytes)
> Dec 11 08:50:18 14[NET] received packet: from vpn_client_ip2[500] to strongswan_server_ip[500] (528 bytes)
> Dec 11 08:50:18 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Dec 11 08:50:18 14[IKE] received retransmit of request with ID 0, retransmitting response
> Dec 11 08:50:18 14[NET] sending packet: from strongswan_server_ip[500] to vpn_client_ip2[500] (333 bytes)
> Dec 11 08:50:37 03[IKE] sending keep alive to vpn_client_ip2[500]
> Dec 11 08:50:47 01[JOB] deleting half open IKE_SA after timeout
> Dec 11 08:57:07 05[NET] received packet: from vpn_client_ip[500] to strongswan_server_ip[500] (528 bytes)
> Dec 11 08:57:07 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Dec 11 08:57:07 05[IKE] vpn_client_ip is initiating an IKE_SA
> Dec 11 08:57:07 05[IKE] local host is behind NAT, sending keep alives
> Dec 11 08:57:07 05[IKE] remote host is behind NAT
> Dec 11 08:57:07 05[IKE] sending cert request for "C=DE, O=Personal, CN=xxx.xxx.net"
> Dec 11 08:57:07 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Dec 11 08:57:07 05[NET] sending packet: from strongswan_server_ip[500] to vpn_client_ip[500] (333 bytes)
> Dec 11 08:57:27 16[IKE] sending keep alive to vpn_client_ip[500]
> Dec 11 08:57:33 02[NET] received packet: from vpn_client_ip[500] to strongswan_server_ip[500] (528 bytes)
> Dec 11 08:57:33 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Dec 11 08:57:33 02[IKE] vpn_client_ip is initiating an IKE_SA
> Dec 11 08:57:33 02[IKE] local host is behind NAT, sending keep alives
> Dec 11 08:57:33 02[IKE] remote host is behind NAT
> Dec 11 08:57:33 02[IKE] sending cert request for "C=DE, O=Personal, CN=xxx.xxx.net"
> Dec 11 08:57:33 02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Dec 11 08:57:33 02[NET] sending packet: from strongswan_server_ip[500] to vpn_client_ip[500] (333 bytes)
> Dec 11 08:57:37 04[JOB] deleting half open IKE_SA after timeout
> Dec 11 08:57:53 03[IKE] sending keep alive to vpn_client_ip[500]
> Dec 11 08:58:03 02[JOB] deleting half open IKE_SA after timeout
>
> ipsec.conf:
>
> conn windows7
>     keyexchange=ikev2
>     ike=aes256-sha1-modp1024!
>     dpdaction=none
>     rekey=no
>     left=%any
>     leftsubnet=0.0.0.0/0
>     leftauth=pubkey
>     leftcert=server.cert.pem
>     right=%any
>     rightsourceip=10.0.0.0/24
>     rightauth=eap-mschapv2
>     rightsendcert=never
>     eap_identity=%any
>     auto=add
>
> I have opened the 4500 (udp), 500 (udp) and 500 (tcp) ports on the
> website, but it still does not work. I appreciate any help.
-
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
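As an added example (not code from the thread or from the strongSwan project): a small Python script that applies the diagnosis given in the reply above to charon log lines, flagging peers whose IKE_SA_INIT completes but from whom no IKE_AUTH request ever arrives. It correlates entries by the worker-thread id in the charon log prefix; the sample log lines are constructed, with the same placeholder peer names as the quoted log plus a hypothetical "good_client" that does reach IKE_AUTH on UDP 4500.

```python
"""Spot IKEv2 peers whose IKE_SA_INIT completes but whose IKE_AUTH never arrives."""
import re
from collections import defaultdict

# charon prefixes every line with a timestamp and the worker thread id, e.g. "16[NET]".
_PREFIX = r"^\w{3} +\d+ [\d:]+ (?P<tid>\d+)\["
RECV = re.compile(_PREFIX + r"NET\] received packet: from (?P<peer>[^\s\[]+)\[(?P<port>\d+)\]")
PARSED = re.compile(_PREFIX + r"ENC\] parsed (?P<exch>IKE_SA_INIT|IKE_AUTH) request")
NAT = re.compile(_PREFIX + r"IKE\] (?P<side>local|remote) host is behind NAT")

# Constructed sample, modelled on the log quoted in the thread (placeholder peer names).
SAMPLE_LOG = """\
Dec 11 08:31:57 16[NET] received packet: from vpn_client_ip[500] to strongswan_server_ip[500] (528 bytes)
Dec 11 08:31:57 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Dec 11 08:31:57 16[IKE] local host is behind NAT, sending keep alives
Dec 11 08:31:57 16[IKE] remote host is behind NAT
Dec 11 09:00:01 07[NET] received packet: from good_client[500] to strongswan_server_ip[500] (528 bytes)
Dec 11 09:00:01 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Dec 11 09:00:02 08[NET] received packet: from good_client[4500] to strongswan_server_ip[4500] (1308 bytes)
Dec 11 09:00:02 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ SA TSi TSr ]
"""

def analyze(log_text):
    """Per-peer counters; a parsed request or NAT notice belongs to the peer the same thread last received from."""
    stats = defaultdict(lambda: {"init": 0, "auth": 0, "nat": set(), "ports": set()})
    last_peer = {}  # worker thread id -> peer of the packet it is currently handling
    for line in log_text.splitlines():
        if m := RECV.match(line):
            last_peer[m["tid"]] = m["peer"]
            stats[m["peer"]]["ports"].add(int(m["port"]))
        elif m := PARSED.match(line):
            if peer := last_peer.get(m["tid"]):
                stats[peer]["init" if m["exch"] == "IKE_SA_INIT" else "auth"] += 1
        elif m := NAT.match(line):
            if peer := last_peer.get(m["tid"]):
                stats[peer]["nat"].add(m["side"])
    return dict(stats)

def diagnose(log_text):
    """Verdict per peer: NAT detected but no IKE_AUTH means the next exchange was expected on UDP 4500."""
    verdicts = {}
    for peer, s in analyze(log_text).items():
        if s["auth"]:
            verdicts[peer] = f"ok: IKE_AUTH received, ports seen {sorted(s['ports'])}"
        elif s["nat"]:
            verdicts[peer] = ("stalled after IKE_SA_INIT with NAT detected: IKE_AUTH must "
                              "arrive on UDP 4500, check that port and the client credentials")
        else:
            verdicts[peer] = "stalled after IKE_SA_INIT on UDP 500: check client credentials"
    return verdicts
```

Run `diagnose()` over a real charon log (e.g. the output of `journalctl` or the syslog file) to list which peers are stuck before IKE_AUTH and whether NAT traversal, and therefore UDP 4500, is involved.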