[strongSwan] certificate only vpn connection with mac

Cindy Moore ctmoore at cs.ucsd.edu
Sat Dec 13 04:59:17 CET 2014


OK, so on the mac client, system.log shows:

Dec 12 18:28:17 minerva pppd[2349]: L2TP connecting to server
'vpn.example.com' ([vpn ip])...
Dec 12 18:28:17 minerva pppd[2349]: IPSec connection started
Dec 12 18:28:17 minerva racoon[2350]: Connecting.
Dec 12 18:28:17 minerva racoon[2350]: IKE Packet: transmit success.
(Initiator, Main-Mode message 1).
Dec 12 18:28:17 minerva racoon[2350]: IKE Packet: receive success.
(Initiator, Main-Mode message 2).
Dec 12 18:28:17 minerva racoon[2350]: IKE Packet: transmit success.
(Initiator, Main-Mode message 3).
Dec 12 18:28:17 minerva racoon[2350]: IKE Packet: receive success.
(Initiator, Main-Mode message 4).
Dec 12 18:28:18 minerva racoon[2350]: IKE Packet: transmit success.
(Initiator, Main-Mode message 5).
Dec 12 18:28:18 minerva racoon[2350]: IKEv1 Phase1 AUTH: failed.
(Initiator, Main-Mode Message 6).
Dec 12 18:28:18 minerva racoon[2350]: IKE Packet: transmit success.
(Information message).
Dec 12 18:28:18 minerva racoon[2350]: IKEv1 Information-Notice:
transmit success. (ISAKMP-SA).
Dec 12 18:28:18 minerva racoon[2350]: IKE Packet: receive failed.
(Initiator, Main-Mode Message 6).
Dec 12 18:28:18 minerva pppd[2349]: IPSec connection failed <IKE Error
22 (0x16) Invalid cert authority>
Dec 12 18:28:18 minerva configd[14]: SCNCController: Disconnecting.
(Connection tried to negotiate for, 1 seconds).
Dec 12 18:28:18 minerva racoon[2350]: Disconnecting. (Connection tried
to negotiate for, 0.735722 seconds).
Dec 12 18:28:18 minerva racoon[2350]: IKE Packets Receive Failure-Rate
Statistic. (Failure-Rate = 50.000).
Dec 12 18:28:18 minerva racoon[2350]: IKE Phase1 Authentication
Failure-Rate Statistic. (Failure-Rate = 100.000).

So it seems pretty clear something is hinky with the certificate.  I'm
not entirely sure where to look for this.  The pem versions of the
certificates work just fine from my linux client.  The certificates
look okay on the mac when I display them from the keychain, although
as I mentioned, I can't seem to pull up the vpnHost certificate when
setting up the vpn. Any suggestions as to what I can look at to try
and figure out what exactly is going wrong with the certificates?  I
created the p12 files using openssl:

# openssl pkcs12 -export -in certs/vpnHostCert.pem -nokeys -nodes \
    -out exports/vpnHost.p12
# openssl pkcs12 -export -in cacerts/strongswanCert.pem -nokeys -nodes \
    -out exports/strongSwan.p12

and

openssl pkcs12 -export -inkey private/cindyKey.pem \
    -in certs/cindyCert.pem -name "Cindy's VPN Certificate" \
    -certfile cacerts/strongswanCert.pem \
    -caname "strongSwan Root CA" \
    -out exports/cindy.p12

I would appreciate any suggestions at all.

Thanks,
Cindy

On Fri, Dec 12, 2014 at 2:46 PM, Cindy Moore <ctmoore at cs.ucsd.edu> wrote:
> I wonder if it's the noauth.  I commented that out, just to be sure
> that various changes were "taking" (the authby is completely ignored
> in the ipsec restart output in /var/log/syslog, so I changed something
> else in order to make sure the restarts were reflecting changes in the
> ipsec.conf).  If I remove the xauth-noauth, then I get
>
> Dec 12 14:39:08 vpn charon: 13[IKE] received end entity cert "C=US,
> O=ThatsUs, CN=ctmoore at example.com"
> Dec 12 14:39:08 vpn charon: 13[CFG] looking for RSA signature peer
> configs matching [vpn ip]...[client ip][C=US, O=ThatsUs,
> CN=ctmoore at example.com]
> Dec 12 14:39:08 vpn charon: 13[CFG]   candidate "roadwarrior-ikev1",
> match: 1/1/1052 (me/other/ike)
> Dec 12 14:39:08 vpn charon: 13[CFG] selected peer config "roadwarrior-ikev1"
> Dec 12 14:39:08 vpn charon: 13[CFG]   using certificate "C=US,
> O=ThatsUs, CN=ctmoore at example.com"
> Dec 12 14:39:08 vpn charon: 13[CFG]   certificate "C=US, O=ThatsUs,
> CN=ctmoore at example.com" key: 2048 bit RSA
> Dec 12 14:39:08 vpn charon: 13[CFG]   using trusted ca certificate
> "C=US, O=ThatsUs, CN=strongSwan Root CA"
> Dec 12 14:39:08 vpn charon: 13[CFG] checking certificate status of
> "C=US, O=ThatsUs, CN=ctmoore at example.com"
> Dec 12 14:39:08 vpn charon: 13[CFG] ocsp check skipped, no ocsp found
> Dec 12 14:39:08 vpn charon: 13[CFG] certificate status is not available
> Dec 12 14:39:08 vpn charon: 13[CFG]   certificate "C=US, O=ThatsUs,
> CN=strongSwan Root CA" key: 4096 bit RSA
> Dec 12 14:39:08 vpn charon: 13[CFG]   reached self-signed root ca with
> a path length of 0
> Dec 12 14:39:08 vpn charon: 13[IKE] authentication of 'C=US,
> O=ThatsUs, CN=ctmoore at example.com' with RSA successful
> Dec 12 14:39:08 vpn charon: 13[IKE] authentication of 'C=US,
> O=ThatsUs, CN=vpn.example.com' (myself) successful
> Dec 12 14:39:08 vpn charon: 13[IKE] IKE_SA roadwarrior-ikev1[1]
> established between [vpn ip][C=US, O=ThatsUs,
> CN=vpn.example.com]...[client ip][C=US, O=ThatsUs,
> CN=ctmoore at example.com]
> Dec 12 14:39:08 vpn charon: 13[IKE] IKE_SA roadwarrior-ikev1[1] state
> change: CONNECTING => ESTABLISHED
> Dec 12 14:39:08 vpn charon: 13[IKE] scheduling reauthentication in 3271s
> Dec 12 14:39:08 vpn charon: 13[IKE] maximum IKE_SA lifetime 3451s
> Dec 12 14:39:08 vpn charon: 13[IKE] sending end entity cert "C=US,
> O=ThatsUs, CN=vpn.example.com"
> Dec 12 14:39:08 vpn charon: 13[ENC] generating ID_PROT response 0 [ ID
> CERT SIG ]
> Dec 12 14:39:08 vpn charon: 13[NET] sending packet: from [vpn
> ip][4500] to [client ip][45779] (1484 bytes)
> Dec 12 14:39:08 vpn charon: 03[NET] sending packet: from [vpn
> ip][4500] to [client ip][45779]
> Dec 12 14:39:08 vpn charon: 01[NET] received packet: from [client
> ip][45779] to [vpn ip][4500]
> Dec 12 14:39:08 vpn charon: 01[NET] waiting for data on sockets
> Dec 12 14:39:08 vpn charon: 15[NET] received packet: from [client
> ip][45779] to [vpn ip][4500] (68 bytes)
> Dec 12 14:39:08 vpn charon: 15[ENC] invalid HASH_V1 payload length,
> decryption failed?
> Dec 12 14:39:08 vpn charon: 15[ENC] could not decrypt payloads
> Dec 12 14:39:08 vpn charon: 15[IKE] message parsing failed
> Dec 12 14:39:08 vpn charon: 15[IKE] ignore malformed INFORMATIONAL request
> Dec 12 14:39:08 vpn charon: 15[IKE] INFORMATIONAL_V1 request with
> message ID 3172758586 processing failed
>
> On Fri, Dec 12, 2014 at 2:39 PM, Cindy Moore <ctmoore at cs.ucsd.edu> wrote:
>> Thought authby was deprecated long before Strongswan 5.2.1 (which is
>> what I'm using)?  In any case, I tested it out, but that didn't make a
>> difference.
>>
>> On Fri, Dec 12, 2014 at 2:30 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>>
>>> Hello,
>>>
>>> Judging from the manpage, using "authby=xauthrsasig" is the same as your configuration with leftauth and rightauth parameters.
>>> Maybe try that? I don't know if it helps. *shrugs*
>>>
>>> Kind regards,
>>> Noel Kuntze
>>>
>>> GPG Key ID: 0x63EC6658
>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>
>>> On 12.12.2014 at 23:19, Cindy Moore wrote:
>>>> I'm really at a loss over this one.  I can get the connections going
>>>> with other clients, for example Network Manager on a Ubuntu 14.04 has
>>>> no difficulties connecting with my strongswan server.
>>>>
>>>> This seems to be a possible clue:
>>>> Dec 11 12:47:54 vpn charon: 10[IKE] found 1 matching config, but none
>>>> allows RSA signature authentication using Main Mode
>>>>
>>>> But I'm not sure how to interpret it, or begin to address it.
>>>>
>>>> I'm also unsure about how the mac's vpn connection should be
>>>> configured (I haven't found an equivalent to
>>>> https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager
>>>> under the Howto's for a Mac VPN setup), so I don't know if it's some
>>>> kind of problem that I can't select the vpn host certificate from the
>>>> vpn setup dialog even though it shows up just fine in the system
>>>> keychain.  Any thoughts?
>>>>
>>>> On Thu, Dec 11, 2014 at 1:20 PM, Cindy Moore <ctmoore at cs.ucsd.edu> wrote:
>>>>> I'm trying to get a basic connection going with a mac os x client to
>>>>> strongswan (latest) installed on ubuntu (14.04 lts).  I'm not entirely
>>>>> certain what is going on.  It seems like the client isn't sending the
>>>>> desired certificate.  In the log file, vpnHostCert doesn't seem to
>>>>> play a part at all, which I find unexpected.
>>>>>
>>>>> When I set up the mac I sent the p12 packages over to the mac, added
>>>>> the three of them (root, vpnHost, cindy) to the system keychain.
>>>>> What's weird though, is that I can only seem to select, for both User
>>>>> Authentication certificate & Machine Authentication certificate, the
>>>>> one identified with ctmoore at example.com (I had expected to select that
>>>>> for User Auth, and the vpn.example.com for Machine Auth).  All three
>>>>> (root, vpn, cindy) certificates are visible in the system keychain,
>>>>> but only the cindy one appears in the list of options when selecting
>>>>> User/Machine Auth in setting up a vpn connection on the mac.  I set
>>>>> the strongswan root up as a trusted cert, and authorized the use of
>>>>> all three in any kind of setting.
>>>>>
>>>>>
>>>>> Overview of setup (syslog copy at end)
>>>>>
>>>>>
>>>>> Created the certificates.  Sorry, my email program is eating tabs.
>>>>>
>>>>> ========
>>>>> "root":
>>>>> ipsec pki --gen --type rsa --size 4096 \
>>>>> --outform pem \
>>>>> > private/strongswanKey.pem
>>>>> chmod 600 private/strongswanKey.pem
>>>>> ipsec pki --self --ca --lifetime 3650 \
>>>>> --in private/strongswanKey.pem --type rsa \
>>>>> --dn "C=US, O=ThatsUs, CN=strongSwan Root CA" \
>>>>> --outform pem \
>>>>> > cacerts/strongswanCert.pem
>>>>>
>>>>> ========
>>>>> host:
>>>>> ipsec pki --gen --type rsa --size 2048 \
>>>>> --outform pem \
>>>>> > private/vpnHostKey.pem
>>>>> chmod 600 private/vpnHostKey.pem
>>>>> ipsec pki --pub --in private/vpnHostKey.pem --type rsa | \
>>>>> ipsec pki --issue --lifetime 730 \
>>>>> --cacert cacerts/strongswanCert.pem \
>>>>> --cakey private/strongswanKey.pem \
>>>>> --dn "C=US, O=ThatsUs, CN=vpn.example.com" \
>>>>> --san vpn.example.com \
>>>>> --flag serverAuth --flag ikeIntermediate \
>>>>> --outform pem > certs/vpnHostCert.pem
>>>>>
>>>>> ipsec pki --print looks okay for both
>>>>>
>>>>> ========
>>>>> created p12 packages
>>>>> # openssl pkcs12 -export -in certs/vpnHostCert.pem -nokeys -nodes \
>>>>>     -out exports/vpnHost.p12
>>>>> Enter Export Password:
>>>>> Verifying - Enter Export Password:
>>>>>
>>>>> # openssl pkcs12 -export -in cacerts/strongswanCert.pem -nokeys -nodes \
>>>>>     -out exports/strongSwan.p12
>>>>> Enter Export Password:
>>>>> Verifying - Enter Export Password:
>>>>>
>>>>> ========
>>>>> client certificate
>>>>> ipsec pki --gen --type rsa --size 2048 \
>>>>> --outform pem \
>>>>> > private/cindyKey.pem
>>>>> chmod 600 private/cindyKey.pem
>>>>> ipsec pki --pub --in private/cindyKey.pem --type rsa | \
>>>>> ipsec pki --issue --lifetime 730 \
>>>>> --cacert cacerts/strongswanCert.pem \
>>>>> --cakey private/strongswanKey.pem \
>>>>> --dn "C=US, O=ThatsUs, CN=ctmoore at example.com" \
>>>>> --san ctmoore at example.com \
>>>>> --outform pem > certs/cindyCert.pem
>>>>>
>>>>> (plus p12 packaging)
>>>>>
>>>>> ========
>>>>> ipsec.secrets
>>>>> : RSA vpnHostKey.pem
>>>>>
>>>>> =========
>>>>> ipsec.conf
>>>>>
>>>>> conn %default
>>>>>         ikelifetime=60m
>>>>>         keylife=60m
>>>>>         rekeymargin=3m
>>>>>         keyingtries=1
>>>>>         #vpn server
>>>>>         left=[vpn ip]
>>>>>         leftcert=vpnHostCert.pem
>>>>>         # certificate based ID
>>>>>         leftid="C=US, O=strongSwan, CN=vpn.example.com"
>>>>>         #allow full tunneling
>>>>>         leftsubnet=0.0.0.0/0
>>>>>         #assign ip addr from this pool
>>>>>         rightsourceip=[...]
>>>>>         # assign dns servers once connected
>>>>>         rightdns=[...]
>>>>>
>>>>> ca %default
>>>>>         cacert=strongswanCert.pem
>>>>>
>>>>> # certificate only
>>>>> conn roadwarrior-ikev2
>>>>>         keyexchange=ikev2
>>>>>         leftauth=pubkey
>>>>>         right=%any
>>>>>         rightid=%any
>>>>>         rightauth=pubkey
>>>>>         auto=add
>>>>>
>>>>> # certificate only, fakeout on xauth (for eg Mac/iOS that must do
>>>>> # xauth. and ikev1 for that matter)
>>>>> conn roadwarrior-ikev1
>>>>>         keyexchange=ikev1
>>>>>         leftauth=pubkey
>>>>>         right=%any
>>>>>         rightid=%any
>>>>>         rightauth=pubkey
>>>>>         rightauth2=xauth-noauth
>>>>>         auto=add
>>>>>
>>>>>
>>>>> ========
>>>>>
>>>>>
>>>>> Using the same ctmoore cert for User/Machine auth in the mac vpn and
>>>>> connecting anyway, I get the following in the syslog.
>>>>>
>>>>> I find the
>>>>> Dec 11 12:47:54 vpn charon: 10[IKE] found 1 matching config, but none
>>>>> allows RSA signature authentication using Main Mode
>>>>> entry interesting, but I don't know if that's the issue, and if it is,
>>>>> what I can do about it.
>>>>>
>>>>>
>>>>> /var/log/syslog
>>>>> ========
>>>>> Dec 11 12:47:54 vpn charon: 02[NET] received packet: from [client
>>>>> ip][500] to [vpn ip][500]
>>>>> Dec 11 12:47:54 vpn charon: 02[NET] waiting for data on sockets
>>>>> Dec 11 12:47:54 vpn charon: 04[NET] received packet: from [client
>>>>> ip][500] to [vpn ip][500] (300 bytes)
>>>>> Dec 11 12:47:54 vpn charon: 04[ENC] parsed ID_PROT request 0 [ SA V V
>>>>> V V V V V V V V V ]
>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] looking for an ike config for [vpn
>>>>> ip]...[client ip]
>>>>> Dec 11 12:47:54 vpn charon: 04[CFG]   candidate: [vpn ip]...%any, prio 1052
>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] found matching ike config: [vpn
>>>>> ip]...%any with prio 1052
>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received NAT-T (RFC 3947) vendor ID
>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received
>>>>> draft-ietf-ipsec-nat-t-ike vendor ID
>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received
>>>>> draft-ietf-ipsec-nat-t-ike-08 vendor ID
>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received
>>>>> draft-ietf-ipsec-nat-t-ike-07 vendor ID
>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received
>>>>> draft-ietf-ipsec-nat-t-ike-06 vendor ID
>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received
>>>>> draft-ietf-ipsec-nat-t-ike-05 vendor ID
>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received
>>>>> draft-ietf-ipsec-nat-t-ike-04 vendor ID
>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received
>>>>> draft-ietf-ipsec-nat-t-ike-03 vendor ID
>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received
>>>>> draft-ietf-ipsec-nat-t-ike-02 vendor ID
>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received
>>>>> draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received DPD vendor ID
>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] [client ip] is initiating a Main Mode IKE_SA
>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] IKE_SA (unnamed)[3] state change:
>>>>> CREATED => CONNECTING
>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] selecting proposal:
>>>>> Dec 11 12:47:54 vpn charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] selecting proposal:
>>>>> Dec 11 12:47:54 vpn charon: 04[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] selecting proposal:
>>>>> Dec 11 12:47:54 vpn charon: 04[CFG]   proposal matches
>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] received proposals:
>>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] configured proposals:
>>>>> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
>>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
>>>>> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] selected proposal:
>>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] sending XAuth vendor ID
>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] sending DPD vendor ID
>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] sending NAT-T (RFC 3947) vendor ID
>>>>> Dec 11 12:47:54 vpn charon: 04[ENC] generating ID_PROT response 0 [ SA V V V ]
>>>>> Dec 11 12:47:54 vpn charon: 04[NET] sending packet: from [vpn ip][500]
>>>>> to [client ip][500] (132 bytes)
>>>>> Dec 11 12:47:54 vpn charon: 03[NET] sending packet: from [vpn ip][500]
>>>>> to [client ip][500]
>>>>> Dec 11 12:47:54 vpn charon: 02[NET] received packet: from [client
>>>>> ip][500] to [vpn ip][500]
>>>>> Dec 11 12:47:54 vpn charon: 02[NET] waiting for data on sockets
>>>>> Dec 11 12:47:54 vpn charon: 09[NET] received packet: from [client
>>>>> ip][500] to [vpn ip][500] (228 bytes)
>>>>> Dec 11 12:47:54 vpn charon: 09[ENC] parsed ID_PROT request 0 [ KE No
>>>>> NAT-D NAT-D ]
>>>>> Dec 11 12:47:54 vpn charon: 09[IKE] sending cert request for "C=US,
>>>>> O=ThatsUs, CN=strongSwan Root CA"
>>>>> Dec 11 12:47:54 vpn charon: 09[ENC] generating ID_PROT response 0 [ KE
>>>>> No CERTREQ NAT-D NAT-D ]
>>>>> Dec 11 12:47:54 vpn charon: 09[NET] sending packet: from [vpn ip][500]
>>>>> to [client ip][500] (310 bytes)
>>>>> Dec 11 12:47:54 vpn charon: 03[NET] sending packet: from [vpn ip][500]
>>>>> to [client ip][500]
>>>>> Dec 11 12:47:54 vpn charon: 02[NET] received packet: from [client
>>>>> ip][500] to [vpn ip][500]
>>>>> Dec 11 12:47:54 vpn charon: 02[NET] waiting for data on sockets
>>>>> Dec 11 12:47:54 vpn charon: 10[NET] received packet: from [client
>>>>> ip][500] to [vpn ip][500] (1492 bytes)
>>>>> Dec 11 12:47:54 vpn charon: 10[ENC] parsed ID_PROT request 0 [ ID CERT
>>>>> SIG CERTREQ N(INITIAL_CONTACT) ]
>>>>> Dec 11 12:47:54 vpn charon: 10[IKE] ignoring certificate request without data
>>>>> Dec 11 12:47:54 vpn charon: 10[IKE] received end entity cert "C=US,
>>>>> O=ThatsUs, CN=ctmoore at example.com"
>>>>> Dec 11 12:47:54 vpn charon: 10[CFG] looking for RSA signature peer
>>>>> configs matching [vpn ip]...[client ip][C=US, O=ThatsUs,
>>>>> CN=ctmoore at example.com]
>>>>> Dec 11 12:47:54 vpn charon: 10[CFG]   candidate "roadwarrior-ikev1",
>>>>> match: 1/1/1052 (me/other/ike)
>>>>> Dec 11 12:47:54 vpn charon: 10[IKE] found 1 matching config, but none
>>>>> allows RSA signature authentication using Main Mode
>>>>> Dec 11 12:47:54 vpn charon: 10[IKE] queueing INFORMATIONAL task
>>>>> Dec 11 12:47:54 vpn charon: 10[IKE] activating new tasks
>>>>> Dec 11 12:47:54 vpn charon: 10[IKE]   activating INFORMATIONAL task
>>>>> Dec 11 12:47:54 vpn charon: 10[ENC] generating INFORMATIONAL_V1
>>>>> request 2651689082 [ HASH N(AUTH_FAILED) ]
>>>>> Dec 11 12:47:54 vpn charon: 10[NET] sending packet: from [vpn ip][500]
>>>>> to [client ip][500] (84 bytes)
>>>>> Dec 11 12:47:54 vpn charon: 10[IKE] IKE_SA (unnamed)[3] state change:
>>>>> CONNECTING => DESTROYING
>>>>> Dec 11 12:47:54 vpn charon: 03[NET] sending packet: from [vpn ip][500]
>>>>> to [client ip][500]
>>>>> Dec 11 12:47:57 vpn charon: 02[NET] received packet: from [client
>>>>> ip][500] to [vpn ip][500]
>>>>> Dec 11 12:47:57 vpn charon: 02[NET] waiting for data on sockets
>>>>> Dec 11 12:48:00 vpn charon: 02[NET] received packet: from [client
>>>>> ip][500] to [vpn ip][500]
>>>>> Dec 11 12:48:00 vpn charon: 02[NET] waiting for data on sockets
>>>>> Dec 11 12:48:03 vpn charon: 02[NET] received packet: from [client
>>>>> ip][500] to [vpn ip][500]
>>>>> Dec 11 12:48:03 vpn charon: 02[NET] waiting for data on sockets
>>>>> Dec 11 12:48:06 vpn charon: 02[NET] received packet: from [client
>>>>> ip][500] to [vpn ip][500]
>>>>> Dec 11 12:48:06 vpn charon: 02[NET] waiting for data on sockets
>>>>> Dec 11 12:48:09 vpn charon: 02[NET] received packet: from [client
>>>>> ip][500] to [vpn ip][500]
>>>>> Dec 11 12:48:09 vpn charon: 02[NET] waiting for data on sockets
>>>>> Dec 11 12:48:16 vpn charon: 02[NET] received packet: from [client
>>>>> ip][500] to [vpn ip][500]
>>>>> Dec 11 12:48:16 vpn charon: 02[NET] waiting for data on sockets
>>>>> Dec 11 12:48:19 vpn charon: 02[NET] received packet: from [client
>>>>> ip][500] to [vpn ip][500]
>>>>> Dec 11 12:48:19 vpn charon: 02[NET] waiting for data on sockets
>>>>> Dec 11 12:48:22 vpn charon: 02[NET] received packet: from [client
>>>>> ip][500] to [vpn ip][500]
>>>>> Dec 11 12:48:22 vpn charon: 02[NET] waiting for data on sockets
>>>>> Dec 11 12:48:24 vpn charon: 02[NET] received packet: from [client
>>>>> ip][500] to [vpn ip][500]
>>>>> Dec 11 12:48:24 vpn charon: 02[NET] waiting for data on sockets
>>>>> Dec 11 12:48:24 vpn charon: 04[NET] received packet: from [client
>>>>> ip][500] to [vpn ip][500] (300 bytes)
>>>>> Dec 11 12:48:24 vpn charon: 04[ENC] parsed ID_PROT request 0 [ SA V V
>>>>> V V V V V V V V V ]
>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] looking for an ike config for [vpn
>>>>> ip]...[client ip]
>>>>> Dec 11 12:48:24 vpn charon: 04[CFG]   candidate: [vpn ip]...%any, prio 1052
>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] found matching ike config: [vpn
>>>>> ip]...%any with prio 1052
>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received NAT-T (RFC 3947) vendor ID
>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received
>>>>> draft-ietf-ipsec-nat-t-ike vendor ID
>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received
>>>>> draft-ietf-ipsec-nat-t-ike-08 vendor ID
>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received
>>>>> draft-ietf-ipsec-nat-t-ike-07 vendor ID
>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received
>>>>> draft-ietf-ipsec-nat-t-ike-06 vendor ID
>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received
>>>>> draft-ietf-ipsec-nat-t-ike-05 vendor ID
>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received
>>>>> draft-ietf-ipsec-nat-t-ike-04 vendor ID
>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received
>>>>> draft-ietf-ipsec-nat-t-ike-03 vendor ID
>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received
>>>>> draft-ietf-ipsec-nat-t-ike-02 vendor ID
>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received
>>>>> draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received DPD vendor ID
>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] [client ip] is initiating a Main Mode IKE_SA
>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] IKE_SA (unnamed)[4] state change:
>>>>> CREATED => CONNECTING
>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] selecting proposal:
>>>>> Dec 11 12:48:24 vpn charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] selecting proposal:
>>>>> Dec 11 12:48:24 vpn charon: 04[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] selecting proposal:
>>>>> Dec 11 12:48:24 vpn charon: 04[CFG]   proposal matches
>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] received proposals:
>>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] configured proposals:
>>>>> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
>>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
>>>>> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] selected proposal:
>>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] sending XAuth vendor ID
>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] sending DPD vendor ID
>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] sending NAT-T (RFC 3947) vendor ID
>>>>> Dec 11 12:48:24 vpn charon: 04[ENC] generating ID_PROT response 0 [ SA V V V ]
>>>>> Dec 11 12:48:24 vpn charon: 04[NET] sending packet: from [vpn ip][500]
>>>>> to [client ip][500] (132 bytes)
>>>>> Dec 11 12:48:24 vpn charon: 03[NET] sending packet: from [vpn ip][500]
>>>>> to [client ip][500]
>>>>> Dec 11 12:48:24 vpn charon: 02[NET] received packet: from [client
>>>>> ip][500] to [vpn ip][500]
>>>>> Dec 11 12:48:24 vpn charon: 02[NET] waiting for data on sockets
>>>>> Dec 11 12:48:24 vpn charon: 09[NET] received packet: from [client
>>>>> ip][500] to [vpn ip][500] (228 bytes)
>>>>> Dec 11 12:48:24 vpn charon: 09[ENC] parsed ID_PROT request 0 [ KE No
>>>>> NAT-D NAT-D ]
>>>>> Dec 11 12:48:24 vpn charon: 09[IKE] sending cert request for "C=US,
>>>>> O=ThatsUs, CN=strongSwan Root CA"
>>>>> Dec 11 12:48:24 vpn charon: 09[ENC] generating ID_PROT response 0 [ KE
>>>>> No CERTREQ NAT-D NAT-D ]
>>>>> Dec 11 12:48:24 vpn charon: 09[NET] sending packet: from [vpn ip][500]
>>>>> to [client ip][500] (310 bytes)
>>>>> Dec 11 12:48:24 vpn charon: 03[NET] sending packet: from [vpn ip][500]
>>>>> to [client ip][500]
>>>>> Dec 11 12:48:54 vpn charon: 10[JOB] deleting half open IKE_SA after timeout
>>>>> Dec 11 12:48:54 vpn charon: 10[IKE] IKE_SA (unnamed)[4] state change:
>>>>> CONNECTING => DESTROYING
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.strongswan.org
>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>
>>>
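The two logs in this thread, read side by side, locate the failure more precisely than either does alone, and the following is an added example of doing that in code. It is not code from the thread, from Cindy, or from strongSwan. It takes the racoon/pppd lines from the Mac's system.log and the charon lines from the server's syslog (with the mailer's line wrapping undone, so each record is one line again), maps the IKE error number racoon reports to its RFC 2408 notify name, maps the failed Main Mode message number to the side that sent it (RFC 2409), and flags the charon messages that recur in the thread. The explanation attached to each charon pattern is this editor's reading, not strongSwan documentation, and the error and message tables cover the general case rather than only error 22 and message 6.

```python
# Added example for this thread (not code from the thread or from strongSwan): triage an
# IKEv1 Main Mode cert-auth failure from both sides' logs, racoon/pppd (macOS) and charon.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# ISAKMP notify error types, RFC 2408 section 3.14.1 (cert/auth subset).
# racoon reports these as "IKE Error <n>"; 22 is the one in this thread.
ISAKMP_NOTIFY_ERRORS = {
    14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION", 19: "INVALID-CERT-ENCODING",
    20: "INVALID-CERTIFICATE", 21: "CERT-TYPE-UNSUPPORTED", 22: "INVALID-CERT-AUTHORITY",
    24: "AUTHENTICATION-FAILED", 25: "INVALID-SIGNATURE", 28: "CERTIFICATE-UNAVAILABLE",
}

# IKEv1 Main Mode with signatures, RFC 2409 section 5.1: odd messages come from the
# initiator, even from the responder; each side authenticates itself in its last one.
MAIN_MODE = {
    1: ("initiator", "SA proposal"), 2: ("responder", "SA choice"),
    3: ("initiator", "KE, nonce"), 4: ("responder", "KE, nonce"),
    5: ("initiator", "ID, CERT, SIG: initiator authenticates itself"),
    6: ("responder", "ID, CERT, SIG: responder authenticates itself"),
}

RACOON_AUTH_FAIL = re.compile(r"IKEv1 Phase1 AUTH: failed\. \(Initiator, Main-Mode Message (\d)\)")
PPPD_IKE_ERROR = re.compile(r"IPSec connection failed <IKE Error (\d+) \(0x[0-9a-fA-F]+\) ([^>]+)>")

# charon lines worth a finding, with this editor's reading of each (not strongSwan
# documentation). '{0}' is filled from the first regex group where there is one.
CHARON_PATTERNS = [
    (re.compile(r"found \d+ matching config, but none allows RSA signature authentication "
                r"using Main Mode"),
     "a conn matched the peer by address/identity, but its leftauth/rightauth/rightauth2 "
     "settings do not allow the plain RSA-signature Main Mode the client proposed"),
    (re.compile(r"authentication of '([^']+)' with RSA successful"),
     "the server accepted the client certificate for '{0}'; the client cert and its "
     "chain to the CA are fine on the server side"),
    (re.compile(r"invalid HASH_V1 payload length, decryption failed\?"),
     "an INFORMATIONAL from the client could not be decrypted right after the server "
     "sent its own ID/CERT/SIG; the client log says why it gave up at that point"),
    (re.compile(r"INFORMATIONAL_V1 request \d+ \[ HASH N\(AUTH_FAILED\) \]"),
     "the server rejected the client's Phase 1 authentication (AUTH_FAILED)"),
]

@dataclass
class Phase1Finding:
    failed_message: Optional[int] = None  # Main Mode message the client rejected
    sender: Optional[str] = None          # side that sent that message
    error_code: Optional[int] = None      # ISAKMP notify error racoon reported
    error_name: Optional[str] = None
    notes: List[str] = field(default_factory=list)

def triage_racoon(lines: List[str]) -> Phase1Finding:
    """Client side: which Main Mode message failed, and with which error."""
    f = Phase1Finding()
    for line in lines:
        m = RACOON_AUTH_FAIL.search(line)
        if m:
            f.failed_message = int(m.group(1))
            f.sender, what = MAIN_MODE[f.failed_message]
            f.notes.append(f"Phase 1 failed on message {f.failed_message} ({f.sender}: {what})")
        m = PPPD_IKE_ERROR.search(line)
        if m:
            f.error_code = int(m.group(1))
            f.error_name = ISAKMP_NOTIFY_ERRORS.get(f.error_code, "UNKNOWN")
            f.notes.append(f"IKE error {f.error_code} = {f.error_name} ({m.group(2).strip()})")
    # Message 6 carries the responder's ID/CERT/SIG, so INVALID-CERT-AUTHORITY there
    # means the client does not trust the issuer of the *server's* certificate.
    if f.failed_message == 6 and f.error_code == 22:
        f.notes.append("the client rejected the server's certificate: its issuing CA is not "
                       "trusted on the client; check the CA trust there, not the client cert")
    return f

def triage_charon(lines: List[str]) -> List[str]:
    """Server side: one finding per recognised charon message, in log order."""
    findings = []
    for line in lines:
        for pattern, explanation in CHARON_PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append(explanation.format(*m.groups()))
    return findings

# Constructed input: lines from this thread with the mailer's wrapping undone.
MAC_SYSTEM_LOG = """\
Dec 12 18:28:18 minerva racoon[2350]: IKEv1 Phase1 AUTH: failed. (Initiator, Main-Mode Message 6).
Dec 12 18:28:18 minerva racoon[2350]: IKE Packet: receive failed. (Initiator, Main-Mode Message 6).
Dec 12 18:28:18 minerva pppd[2349]: IPSec connection failed <IKE Error 22 (0x16) Invalid cert authority>
""".splitlines()

SERVER_SYSLOG = """\
Dec 11 12:47:54 vpn charon: 10[IKE] found 1 matching config, but none allows RSA signature authentication using Main Mode
Dec 11 12:47:54 vpn charon: 10[ENC] generating INFORMATIONAL_V1 request 2651689082 [ HASH N(AUTH_FAILED) ]
Dec 12 14:39:08 vpn charon: 13[IKE] authentication of 'C=US, O=ThatsUs, CN=ctmoore at example.com' with RSA successful
Dec 12 14:39:08 vpn charon: 15[ENC] invalid HASH_V1 payload length, decryption failed?
""".splitlines()

if __name__ == "__main__":
    print(*triage_racoon(MAC_SYSTEM_LOG).notes, *triage_charon(SERVER_SYSLOG), sep="\n")
```

Run as a script it prints one finding per line. The point of pairing the logs is the ordering they reveal: charon authenticated the ctmoore certificate and moved the IKE_SA to ESTABLISHED before sending its own ID/CERT/SIG, and racoon then failed Phase 1 on exactly that message 6 with INVALID-CERT-AUTHORITY, so the certificate the Mac is complaining about is the server's, and the trust question to settle is whether the Mac trusts the strongSwan Root CA for the server certificate, not whether the client certificate is valid.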

