[strongSwan] certificate only vpn connection with mac

Cindy Moore ctmoore at cs.ucsd.edu
Fri Dec 12 23:46:40 CET 2014


I wonder if it's the noauth.  I commented that out, just to be sure
that various changes were "taking" (the authby is completely ignored
in the ipsec restart output in /var/log/syslog, so I changed something
else in order to make sure the restarts were reflecting changes in the
ipsec.conf).  If I remove the xauth-noauth, then I get

Dec 12 14:39:08 vpn charon: 13[IKE] received end entity cert "C=US,
O=ThatsUs, CN=ctmoore at example.com"
Dec 12 14:39:08 vpn charon: 13[CFG] looking for RSA signature peer
configs matching [vpn ip]...[client ip][C=US, O=ThatsUs,
CN=ctmoore at example.com]
Dec 12 14:39:08 vpn charon: 13[CFG]   candidate "roadwarrior-ikev1",
match: 1/1/1052 (me/other/ike)
Dec 12 14:39:08 vpn charon: 13[CFG] selected peer config "roadwarrior-ikev1"
Dec 12 14:39:08 vpn charon: 13[CFG]   using certificate "C=US,
O=ThatsUs, CN=ctmoore at example.com"
Dec 12 14:39:08 vpn charon: 13[CFG]   certificate "C=US, O=ThatsUs,
CN=ctmoore at example.com" key: 2048 bit RSA
Dec 12 14:39:08 vpn charon: 13[CFG]   using trusted ca certificate
"C=US, O=ThatsUs, CN=strongSwan Root CA"
Dec 12 14:39:08 vpn charon: 13[CFG] checking certificate status of
"C=US, O=ThatsUs, CN=ctmoore at example.com"
Dec 12 14:39:08 vpn charon: 13[CFG] ocsp check skipped, no ocsp found
Dec 12 14:39:08 vpn charon: 13[CFG] certificate status is not available
Dec 12 14:39:08 vpn charon: 13[CFG]   certificate "C=US, O=ThatsUs,
CN=strongSwan Root CA" key: 4096 bit RSA
Dec 12 14:39:08 vpn charon: 13[CFG]   reached self-signed root ca with
a path length of 0
Dec 12 14:39:08 vpn charon: 13[IKE] authentication of 'C=US,
O=ThatsUs, CN=ctmoore at example.com' with RSA successful
Dec 12 14:39:08 vpn charon: 13[IKE] authentication of 'C=US,
O=ThatsUs, CN=vpn.example.com' (myself) successful
Dec 12 14:39:08 vpn charon: 13[IKE] IKE_SA roadwarrior-ikev1[1]
established between [vpn ip][C=US, O=ThatsUs,
CN=vpn.example.com]...[client ip][C=US, O=ThatsUs,
CN=ctmoore at example.com]
Dec 12 14:39:08 vpn charon: 13[IKE] IKE_SA roadwarrior-ikev1[1] state
change: CONNECTING => ESTABLISHED
Dec 12 14:39:08 vpn charon: 13[IKE] scheduling reauthentication in 3271s
Dec 12 14:39:08 vpn charon: 13[IKE] maximum IKE_SA lifetime 3451s
Dec 12 14:39:08 vpn charon: 13[IKE] sending end entity cert "C=US,
O=ThatsUs, CN=vpn.example.com"
Dec 12 14:39:08 vpn charon: 13[ENC] generating ID_PROT response 0 [ ID
CERT SIG ]
Dec 12 14:39:08 vpn charon: 13[NET] sending packet: from [vpn
ip][4500] to [client ip][45779] (1484 bytes)
Dec 12 14:39:08 vpn charon: 03[NET] sending packet: from [vpn
ip][4500] to [client ip][45779]
Dec 12 14:39:08 vpn charon: 01[NET] received packet: from [client
ip][45779] to [vpn ip][4500]
Dec 12 14:39:08 vpn charon: 01[NET] waiting for data on sockets
Dec 12 14:39:08 vpn charon: 15[NET] received packet: from [client
ip][45779] to [vpn ip][4500] (68 bytes)
Dec 12 14:39:08 vpn charon: 15[ENC] invalid HASH_V1 payload length,
decryption failed?
Dec 12 14:39:08 vpn charon: 15[ENC] could not decrypt payloads
Dec 12 14:39:08 vpn charon: 15[IKE] message parsing failed
Dec 12 14:39:08 vpn charon: 15[IKE] ignore malformed INFORMATIONAL request
Dec 12 14:39:08 vpn charon: 15[IKE] INFORMATIONAL_V1 request with
message ID 3172758586 processing failed
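As an added example (not part of this thread and not strongSwan's own code): a small Python triage of charon syslog lines of the kind pasted above, which pulls out the selected IKE proposal, flags the weak algorithms in it (the 3DES/MODP_1024 proposal the Mac offered), and tells apart the two outcomes seen here, the Main Mode config rejection with xauth-noauth and the post-authentication undecryptable message without it. The sample lines are constructed to mirror the thread's, with `ctmoore@example.com` standing in for the list-obfuscated address, and the weak-algorithm set is an assumed local policy, not a strongSwan setting.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# charon's syslog line shape: "<ts> <host> charon: <thread>[<group>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
PROPOSAL_RE = re.compile(r"^selected proposal: IKE:(?P<algs>\S+)$")
AUTH_OK_RE = re.compile(r"^authentication of '(?P<id>[^']+)' with (?P<method>\S+) successful$")
NO_CONFIG_RE = re.compile(r"^found \d+ matching config, but none allows (?P<what>.+)$")
ESTABLISHED_RE = re.compile(r"^IKE_SA (?P<conn>\S+)\[\d+\] state change: CONNECTING => ESTABLISHED$")
DECRYPT_RE = re.compile(r"decryption failed\?$|^could not decrypt payloads$")

# Assumed local policy for what counts as weak in an IKE_SA (not a strongSwan setting).
WEAK_ALGS = {"3DES_CBC", "MODP_1024", "MODP_768", "HMAC_MD5_96", "PRF_HMAC_MD5"}

# Constructed sample lines modelled on the thread's two attempts (placeholders kept).
FAILED_ATTEMPT = [
    "Dec 11 12:47:54 vpn charon: 04[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
    'Dec 11 12:47:54 vpn charon: 10[IKE] received end entity cert "C=US, O=ThatsUs, CN=ctmoore@example.com"',
    'Dec 11 12:47:54 vpn charon: 10[CFG]   candidate "roadwarrior-ikev1", match: 1/1/1052 (me/other/ike)',
    "Dec 11 12:47:54 vpn charon: 10[IKE] found 1 matching config, but none allows RSA signature authentication using Main Mode",
    "Dec 11 12:47:54 vpn charon: 10[ENC] generating INFORMATIONAL_V1 request 2651689082 [ HASH N(AUTH_FAILED) ]",
]
SECOND_ATTEMPT = [
    'Dec 12 14:39:08 vpn charon: 13[CFG] selected peer config "roadwarrior-ikev1"',
    "Dec 12 14:39:08 vpn charon: 13[IKE] authentication of 'C=US, O=ThatsUs, CN=ctmoore@example.com' with RSA successful",
    "Dec 12 14:39:08 vpn charon: 13[IKE] authentication of 'C=US, O=ThatsUs, CN=vpn.example.com' (myself) successful",
    "Dec 12 14:39:08 vpn charon: 13[IKE] IKE_SA roadwarrior-ikev1[1] state change: CONNECTING => ESTABLISHED",
    "Dec 12 14:39:08 vpn charon: 15[ENC] invalid HASH_V1 payload length, decryption failed?",
    "Dec 12 14:39:08 vpn charon: 15[ENC] could not decrypt payloads",
    "Dec 12 14:39:08 vpn charon: 15[IKE] ignore malformed INFORMATIONAL request",
]


@dataclass
class Triage:
    proposal: Optional[str] = None
    weak_algs: List[str] = field(default_factory=list)
    peer_id: Optional[str] = None
    auth_method: Optional[str] = None
    rejected_reason: Optional[str] = None
    established_conn: Optional[str] = None
    decrypt_failures: int = 0

    def verdict(self) -> str:
        if self.rejected_reason:
            return "rejected: " + self.rejected_reason
        if self.established_conn and self.decrypt_failures:
            return (f"established {self.established_conn} as {self.peer_id}, "
                    f"then {self.decrypt_failures} undecryptable message(s)")
        if self.established_conn:
            return f"established {self.established_conn} as {self.peer_id}"
        return "incomplete"


def triage(lines: Iterable[str]) -> Triage:
    """Summarise one IKE_SA negotiation from charon log lines (one attempt per call)."""
    t = Triage()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a charon line, or a line a mail client wrapped
        msg = m.group("msg").strip()
        if (p := PROPOSAL_RE.match(msg)):
            t.proposal = p.group("algs")
            t.weak_algs = [a for a in p.group("algs").split("/") if a in WEAK_ALGS]
        elif (a := AUTH_OK_RE.match(msg)):  # peer only; the "(myself)" line has no "with"
            t.peer_id, t.auth_method = a.group("id"), a.group("method")
        elif (n := NO_CONFIG_RE.match(msg)):
            t.rejected_reason = "no config allows " + n.group("what")
        elif (e := ESTABLISHED_RE.match(msg)):
            t.established_conn = e.group("conn")
        elif DECRYPT_RE.search(msg):
            t.decrypt_failures += 1
    return t


if __name__ == "__main__":
    for name, attempt in (("Dec 11", FAILED_ATTEMPT), ("Dec 12", SECOND_ATTEMPT)):
        result = triage(attempt)
        print(f"{name}: {result.verdict()}; weak algorithms: {result.weak_algs}")
```

In practice split `/var/log/syslog` into attempts on the `state change: CREATED => CONNECTING` line and feed each slice to `triage()`.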

On Fri, Dec 12, 2014 at 2:39 PM, Cindy Moore <ctmoore at cs.ucsd.edu> wrote:
> Thought authby was deprecated long before Strongswan 5.2.1 (which is
> what I'm using)?  In any case, I tested it out, but that didn't make a
> difference.
>
> On Fri, Dec 12, 2014 at 2:30 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>
>> Hello,
>>
>> Judging from the manpage, using "authby=xauthrsasig" is the same as your configuration with leftauth and rightauth parameters.
>> Maybe try that? I don't know if it helps. *shrugs*
>>
>> Mit freundlichen Grüßen/Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> Am 12.12.2014 um 23:19 schrieb Cindy Moore:
>>> I'm really at a loss over this one.  I can get the connections going
>>> with other clients, for example Network Manager on a Ubuntu 14.04 has
>>> no difficulties connecting with my strongswan server.
>>>
>>> This seems to be a possible clue:
>>> Dec 11 12:47:54 vpn charon: 10[IKE] found 1 matching config, but none
>>> allows RSA signature authentication using Main Mode
>>>
>>> But I'm not sure how to interpret it, or begin to address it.
>>>
>>> I'm also unsure about how the mac's vpn connection should be
>>> configured (I haven't found an equivalent to
>>> https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager
>>> under the Howto's for a Mac VPN setup, so I don't know if it's some
>>> kind of problem that I can't select the vpn host certificate from the
>>> vpn setup dialog even though it shows up just fine in the system
>>> keychain.  Any thoughts?
>>>
>>> On Thu, Dec 11, 2014 at 1:20 PM, Cindy Moore <ctmoore at cs.ucsd.edu> wrote:
>>>> I'm trying to get a basic connection going with a mac os x client to
>>>> strongswan (latest) installed on ubuntu (14.04 lts).  I'm not entirely
>>>> certain what is going on.  It seems like the client isn't sending the
>>>> desired certificate.  In the log file, vpnHostCert doesn't seem to
>>>> play a part at all, which I find unexpected.
>>>>
>>>> When I set up the mac I sent the p12 packages over to the mac, added
>>>> the three of them (root, vpnHost, cindy) to the system keychain.
>>>> What's weird though, is that I can only seem to select, for both User
>>>> Authentication certificate & Machine Authentication certificate, the
>>>> one identified with ctmoore at example.com (I had expected to select that
>>>> for User Auth, and the vpn.example.com for Machine Auth -- all three
>>>> (root, vpn, cindy) certificates are visible in the system keychain,
>>>> but only the cindy one appears in the list of options when selecting
>>>> User/Machine Auth in setting up a vpn connection on the mac.  I set
>>>> the strongswan root up as a trusted cert, and authorized the use of
>>>> all three in any kind of setting.
>>>>
>>>>
>>>> Overview of setup (syslog copy at end)
>>>>
>>>>
>>>> Created the certificates.  Sorry, my email program is eating tabs.
>>>>
>>>> ========
>>>> "root":
>>>> ipsec pki --gen --type rsa --size 4096 \
>>>> --outform pem \
>>>> > private/strongswanKey.pem
>>>> chmod 600 private/strongswanKey.pem
>>>> ipsec pki --self --ca --lifetime 3650 \
>>>> --in private/strongswanKey.pem --type rsa \
>>>> --dn "C=US, O=ThatsUs, CN=strongSwan Root CA" \
>>>> --outform pem \
>>>> > cacerts/strongswanCert.pem
>>>>
>>>> ========
>>>> host:
>>>> ipsec pki --gen --type rsa --size 2048 \
>>>> --outform pem \
>>>> > private/vpnHostKey.pem
>>>> chmod 600 private/vpnHostKey.pem
>>>> ipsec pki --pub --in private/vpnHostKey.pem --type rsa | \
>>>> ipsec pki --issue --lifetime 730 \
>>>> --cacert cacerts/strongswanCert.pem \
>>>> --cakey private/strongswanKey.pem \
>>>> --dn "C=US, O=ThatsUs, CN=vpn.example.com" \
>>>> --san vpn.example.com \
>>>> --flag serverAuth --flag ikeIntermediate \
>>>> --outform pem > certs/vpnHostCert.pem
>>>>
>>>> ipsec pki --print looks okay for both
>>>>
>>>> ========
>>>> created p12 packages
>>>> # openssl pkcs12 -export -in certs/vpnHostCert.pem -nokeys -nodes -out
>>>> exports/vpnHost.p12
>>>> Enter Export Password:
>>>> Verifying - Enter Export Password:
>>>>
>>>> # openssl pkcs12 -export -in cacerts/strongswanCert.pem -nokeys -nodes
>>>> -out exports/strongSwan.p12
>>>> Enter Export Password:
>>>> Verifying - Enter Export Password:
>>>>
>>>> ========
>>>> client certificate
>>>> ipsec pki --gen --type rsa --size 2048 \
>>>> --outform pem \
>>>> > private/cindyKey.pem
>>>> chmod 600 private/cindyKey.pem
>>>> ipsec pki --pub --in private/cindyKey.pem --type rsa | \
>>>> ipsec pki --issue --lifetime 730 \
>>>> --cacert cacerts/strongswanCert.pem \
>>>> --cakey private/strongswanKey.pem \
>>>> --dn "C=US, O=ThatsUs, CN=ctmoore at example.com" \
>>>> --san ctmoore at example.com \
>>>> --outform pem > certs/cindyCert.pem
>>>>
>>>> (plus p12 packaging)
>>>>
>>>> ========
>>>> ipsec.secrets
>>>> : RSA vpnHostKey.pem
>>>>
>>>> =========
>>>> ipsec.conf
>>>>
>>>> conn %default
>>>>         ikelifetime=60m
>>>>         keylife=60m
>>>>         rekeymargin=3m
>>>>         keyingtries=1
>>>>         #vpn server
>>>>         left=[vpn ip]
>>>>         leftcert=vpnHostCert.pem
>>>>         # certificate based ID
>>>>         leftid="C=US, O=strongSwan, CN=vpn.example.com"
>>>>         #allow full tunneling
>>>>         leftsubnet=0.0.0.0/0
>>>>         #assign ip addr from this pool
>>>>         rightsourceip=[...]
>>>>         # assign dns servers once connected
>>>>         rightdns=[...]
>>>>
>>>> ca %default
>>>>         cacert=strongswanCert.pem
>>>>
>>>> # certificate only
>>>> conn roadwarrior-ikev2
>>>>         keyexchange=ikev2
>>>>         leftauth=pubkey
>>>>         right=%any
>>>>         rightid=%any
>>>>         rightauth=pubkey
>>>>         auto=add
>>>>
>>>> # certificate only, fakeout on xauth (for eg Mac/iOS that must do
>>>> xauth. and ikev1 for that matter)
>>>> conn roadwarrior-ikev1
>>>>         keyexchange=ikev1
>>>>         leftauth=pubkey
>>>>         right=%any
>>>>         rightid=%any
>>>>         rightauth=pubkey
>>>>         rightauth2=xauth-noauth
>>>>         auto=add
>>>>
>>>>
>>>> ========
>>>>
>>>>
>>>> Using the same ctmoore cert on User/Machine auth in the mac vpn and
>>>> connect anyway, I get the following in the syslog
>>>>
>>>> I find the
>>>> Dec 11 12:47:54 vpn charon: 10[IKE] found 1 matching config, but none
>>>> allows RSA signature authentication using Main Mode
>>>> entry interesting, but I don't know if that's the issue, and if it is,
>>>> what I can do about it.
>>>>
>>>>
>>>> /var/log/syslog
>>>> ========
>>>> Dec 11 12:47:54 vpn charon: 02[NET] received packet: from [client
>>>> ip][500] to [vpn ip][500]
>>>> Dec 11 12:47:54 vpn charon: 02[NET] waiting for data on sockets
>>>> Dec 11 12:47:54 vpn charon: 04[NET] received packet: from [client
>>>> ip][500] to [vpn ip][500] (300 bytes)
>>>> Dec 11 12:47:54 vpn charon: 04[ENC] parsed ID_PROT request 0 [ SA V V
>>>> V V V V V V V V V ]
>>>> Dec 11 12:47:54 vpn charon: 04[CFG] looking for an ike config for [vpn
>>>> ip]...[client ip]
>>>> Dec 11 12:47:54 vpn charon: 04[CFG]   candidate: [vpn ip]...%any, prio 1052
>>>> Dec 11 12:47:54 vpn charon: 04[CFG] found matching ike config: [vpn
>>>> ip]...%any with prio 1052
>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received NAT-T (RFC 3947) vendor ID
>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received
>>>> draft-ietf-ipsec-nat-t-ike vendor ID
>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received
>>>> draft-ietf-ipsec-nat-t-ike-08 vendor ID
>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received
>>>> draft-ietf-ipsec-nat-t-ike-07 vendor ID
>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received
>>>> draft-ietf-ipsec-nat-t-ike-06 vendor ID
>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received
>>>> draft-ietf-ipsec-nat-t-ike-05 vendor ID
>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received
>>>> draft-ietf-ipsec-nat-t-ike-04 vendor ID
>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received
>>>> draft-ietf-ipsec-nat-t-ike-03 vendor ID
>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received
>>>> draft-ietf-ipsec-nat-t-ike-02 vendor ID
>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received
>>>> draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received DPD vendor ID
>>>> Dec 11 12:47:54 vpn charon: 04[IKE] [client ip] is initiating a Main Mode IKE_SA
>>>> Dec 11 12:47:54 vpn charon: 04[IKE] IKE_SA (unnamed)[3] state change:
>>>> CREATED => CONNECTING
>>>> Dec 11 12:47:54 vpn charon: 04[CFG] selecting proposal:
>>>> Dec 11 12:47:54 vpn charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>> Dec 11 12:47:54 vpn charon: 04[CFG] selecting proposal:
>>>> Dec 11 12:47:54 vpn charon: 04[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
>>>> Dec 11 12:47:54 vpn charon: 04[CFG] selecting proposal:
>>>> Dec 11 12:47:54 vpn charon: 04[CFG]   proposal matches
>>>> Dec 11 12:47:54 vpn charon: 04[CFG] received proposals:
>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>>> Dec 11 12:47:54 vpn charon: 04[CFG] configured proposals:
>>>> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
>>>> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
>>>> Dec 11 12:47:54 vpn charon: 04[CFG] selected proposal:
>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>>> Dec 11 12:47:54 vpn charon: 04[IKE] sending XAuth vendor ID
>>>> Dec 11 12:47:54 vpn charon: 04[IKE] sending DPD vendor ID
>>>> Dec 11 12:47:54 vpn charon: 04[IKE] sending NAT-T (RFC 3947) vendor ID
>>>> Dec 11 12:47:54 vpn charon: 04[ENC] generating ID_PROT response 0 [ SA V V V ]
>>>> Dec 11 12:47:54 vpn charon: 04[NET] sending packet: from [vpn ip][500]
>>>> to [client ip][500] (132 bytes)
>>>> Dec 11 12:47:54 vpn charon: 03[NET] sending packet: from [vpn ip][500]
>>>> to [client ip][500]
>>>> Dec 11 12:47:54 vpn charon: 02[NET] received packet: from [client
>>>> ip][500] to [vpn ip][500]
>>>> Dec 11 12:47:54 vpn charon: 02[NET] waiting for data on sockets
>>>> Dec 11 12:47:54 vpn charon: 09[NET] received packet: from [client
>>>> ip][500] to [vpn ip][500] (228 bytes)
>>>> Dec 11 12:47:54 vpn charon: 09[ENC] parsed ID_PROT request 0 [ KE No
>>>> NAT-D NAT-D ]
>>>> Dec 11 12:47:54 vpn charon: 09[IKE] sending cert request for "C=US,
>>>> O=ThatsUs, CN=strongSwan Root CA"
>>>> Dec 11 12:47:54 vpn charon: 09[ENC] generating ID_PROT response 0 [ KE
>>>> No CERTREQ NAT-D NAT-D ]
>>>> Dec 11 12:47:54 vpn charon: 09[NET] sending packet: from [vpn ip][500]
>>>> to [client ip][500] (310 bytes)
>>>> Dec 11 12:47:54 vpn charon: 03[NET] sending packet: from [vpn ip][500]
>>>> to [client ip][500]
>>>> Dec 11 12:47:54 vpn charon: 02[NET] received packet: from [client
>>>> ip][500] to [vpn ip][500]
>>>> Dec 11 12:47:54 vpn charon: 02[NET] waiting for data on sockets
>>>> Dec 11 12:47:54 vpn charon: 10[NET] received packet: from [client
>>>> ip][500] to [vpn ip][500] (1492 bytes)
>>>> Dec 11 12:47:54 vpn charon: 10[ENC] parsed ID_PROT request 0 [ ID CERT
>>>> SIG CERTREQ N(INITIAL_CONTACT) ]
>>>> Dec 11 12:47:54 vpn charon: 10[IKE] ignoring certificate request without data
>>>> Dec 11 12:47:54 vpn charon: 10[IKE] received end entity cert "C=US,
>>>> O=ThatsUs, CN=ctmoore at example.com"
>>>> Dec 11 12:47:54 vpn charon: 10[CFG] looking for RSA signature peer
>>>> configs matching [vpn ip]...[client ip][C=US, O=ThatsUs,
>>>> CN=ctmoore at example.com]
>>>> Dec 11 12:47:54 vpn charon: 10[CFG]   candidate "roadwarrior-ikev1",
>>>> match: 1/1/1052 (me/other/ike)
>>>> Dec 11 12:47:54 vpn charon: 10[IKE] found 1 matching config, but none
>>>> allows RSA signature authentication using Main Mode
>>>> Dec 11 12:47:54 vpn charon: 10[IKE] queueing INFORMATIONAL task
>>>> Dec 11 12:47:54 vpn charon: 10[IKE] activating new tasks
>>>> Dec 11 12:47:54 vpn charon: 10[IKE]   activating INFORMATIONAL task
>>>> Dec 11 12:47:54 vpn charon: 10[ENC] generating INFORMATIONAL_V1
>>>> request 2651689082 [ HASH N(AUTH_FAILED) ]
>>>> Dec 11 12:47:54 vpn charon: 10[NET] sending packet: from [vpn ip][500]
>>>> to [client ip][500] (84 bytes)
>>>> Dec 11 12:47:54 vpn charon: 10[IKE] IKE_SA (unnamed)[3] state change:
>>>> CONNECTING => DESTROYING
>>>> Dec 11 12:47:54 vpn charon: 03[NET] sending packet: from [vpn ip][500]
>>>> to [client ip][500]
>>>> Dec 11 12:47:57 vpn charon: 02[NET] received packet: from [client
>>>> ip][500] to [vpn ip][500]
>>>> Dec 11 12:47:57 vpn charon: 02[NET] waiting for data on sockets
>>>> Dec 11 12:48:00 vpn charon: 02[NET] received packet: from [client
>>>> ip][500] to [vpn ip][500]
>>>> Dec 11 12:48:00 vpn charon: 02[NET] waiting for data on sockets
>>>> Dec 11 12:48:03 vpn charon: 02[NET] received packet: from [client
>>>> ip][500] to [vpn ip][500]
>>>> Dec 11 12:48:03 vpn charon: 02[NET] waiting for data on sockets
>>>> Dec 11 12:48:06 vpn charon: 02[NET] received packet: from [client
>>>> ip][500] to [vpn ip][500]
>>>> Dec 11 12:48:06 vpn charon: 02[NET] waiting for data on sockets
>>>> Dec 11 12:48:09 vpn charon: 02[NET] received packet: from [client
>>>> ip][500] to [vpn ip][500]
>>>> Dec 11 12:48:09 vpn charon: 02[NET] waiting for data on sockets
>>>> Dec 11 12:48:16 vpn charon: 02[NET] received packet: from [client
>>>> ip][500] to [vpn ip][500]
>>>> Dec 11 12:48:16 vpn charon: 02[NET] waiting for data on sockets
>>>> Dec 11 12:48:19 vpn charon: 02[NET] received packet: from [client
>>>> ip][500] to [vpn ip][500]
>>>> Dec 11 12:48:19 vpn charon: 02[NET] waiting for data on sockets
>>>> Dec 11 12:48:22 vpn charon: 02[NET] received packet: from [client
>>>> ip][500] to [vpn ip][500]
>>>> Dec 11 12:48:22 vpn charon: 02[NET] waiting for data on sockets
>>>> Dec 11 12:48:24 vpn charon: 02[NET] received packet: from [client
>>>> ip][500] to [vpn ip][500]
>>>> Dec 11 12:48:24 vpn charon: 02[NET] waiting for data on sockets
>>>> Dec 11 12:48:24 vpn charon: 04[NET] received packet: from [client
>>>> ip][500] to [vpn ip][500] (300 bytes)
>>>> Dec 11 12:48:24 vpn charon: 04[ENC] parsed ID_PROT request 0 [ SA V V
>>>> V V V V V V V V V ]
>>>> Dec 11 12:48:24 vpn charon: 04[CFG] looking for an ike config for [vpn
>>>> ip]...[client ip]
>>>> Dec 11 12:48:24 vpn charon: 04[CFG]   candidate: [vpn ip]...%any, prio 1052
>>>> Dec 11 12:48:24 vpn charon: 04[CFG] found matching ike config: [vpn
>>>> ip]...%any with prio 1052
>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received NAT-T (RFC 3947) vendor ID
>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received
>>>> draft-ietf-ipsec-nat-t-ike vendor ID
>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received
>>>> draft-ietf-ipsec-nat-t-ike-08 vendor ID
>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received
>>>> draft-ietf-ipsec-nat-t-ike-07 vendor ID
>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received
>>>> draft-ietf-ipsec-nat-t-ike-06 vendor ID
>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received
>>>> draft-ietf-ipsec-nat-t-ike-05 vendor ID
>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received
>>>> draft-ietf-ipsec-nat-t-ike-04 vendor ID
>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received
>>>> draft-ietf-ipsec-nat-t-ike-03 vendor ID
>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received
>>>> draft-ietf-ipsec-nat-t-ike-02 vendor ID
>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received
>>>> draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received DPD vendor ID
>>>> Dec 11 12:48:24 vpn charon: 04[IKE] [client ip] is initiating a Main Mode IKE_SA
>>>> Dec 11 12:48:24 vpn charon: 04[IKE] IKE_SA (unnamed)[4] state change:
>>>> CREATED => CONNECTING
>>>> Dec 11 12:48:24 vpn charon: 04[CFG] selecting proposal:
>>>> Dec 11 12:48:24 vpn charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>> Dec 11 12:48:24 vpn charon: 04[CFG] selecting proposal:
>>>> Dec 11 12:48:24 vpn charon: 04[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
>>>> Dec 11 12:48:24 vpn charon: 04[CFG] selecting proposal:
>>>> Dec 11 12:48:24 vpn charon: 04[CFG]   proposal matches
>>>> Dec 11 12:48:24 vpn charon: 04[CFG] received proposals:
>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>>> Dec 11 12:48:24 vpn charon: 04[CFG] configured proposals:
>>>> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
>>>> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
>>>> Dec 11 12:48:24 vpn charon: 04[CFG] selected proposal:
>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>>> Dec 11 12:48:24 vpn charon: 04[IKE] sending XAuth vendor ID
>>>> Dec 11 12:48:24 vpn charon: 04[IKE] sending DPD vendor ID
>>>> Dec 11 12:48:24 vpn charon: 04[IKE] sending NAT-T (RFC 3947) vendor ID
>>>> Dec 11 12:48:24 vpn charon: 04[ENC] generating ID_PROT response 0 [ SA V V V ]
>>>> Dec 11 12:48:24 vpn charon: 04[NET] sending packet: from [vpn ip][500]
>>>> to [client ip][500] (132 bytes)
>>>> Dec 11 12:48:24 vpn charon: 03[NET] sending packet: from [vpn ip][500]
>>>> to [client ip][500]
>>>> Dec 11 12:48:24 vpn charon: 02[NET] received packet: from [client
>>>> ip][500] to [vpn ip][500]
>>>> Dec 11 12:48:24 vpn charon: 02[NET] waiting for data on sockets
>>>> Dec 11 12:48:24 vpn charon: 09[NET] received packet: from [client
>>>> ip][500] to [vpn ip][500] (228 bytes)
>>>> Dec 11 12:48:24 vpn charon: 09[ENC] parsed ID_PROT request 0 [ KE No
>>>> NAT-D NAT-D ]
>>>> Dec 11 12:48:24 vpn charon: 09[IKE] sending cert request for "C=US,
>>>> O=ThatsUs, CN=strongSwan Root CA"
>>>> Dec 11 12:48:24 vpn charon: 09[ENC] generating ID_PROT response 0 [ KE
>>>> No CERTREQ NAT-D NAT-D ]
>>>> Dec 11 12:48:24 vpn charon: 09[NET] sending packet: from [vpn ip][500]
>>>> to [client ip][500] (310 bytes)
>>>> Dec 11 12:48:24 vpn charon: 03[NET] sending packet: from [vpn ip][500]
>>>> to [client ip][500]
>>>> Dec 11 12:48:54 vpn charon: 10[JOB] deleting half open IKE_SA after timeout
>>>> Dec 11 12:48:54 vpn charon: 10[IKE] IKE_SA (unnamed)[4] state change:
>>>> CONNECTING => DESTROYING
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>

