[strongSwan] certificate only vpn connection with mac
Christian Huldt
christian at solvare.se
Sat Dec 13 14:58:45 CET 2014
AFAIK you have to import (at least some of) the certificates into the
right keychain.
On 12/13/2014 04:59 AM, Cindy Moore wrote:
> OK, so on the mac client, system.log shows:
>
> Dec 12 18:28:17 minerva pppd[2349]: L2TP connecting to server 'vpn.example.com' ([vpn ip])...
> Dec 12 18:28:17 minerva pppd[2349]: IPSec connection started
> Dec 12 18:28:17 minerva racoon[2350]: Connecting.
> Dec 12 18:28:17 minerva racoon[2350]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
> Dec 12 18:28:17 minerva racoon[2350]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
> Dec 12 18:28:17 minerva racoon[2350]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
> Dec 12 18:28:17 minerva racoon[2350]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
> Dec 12 18:28:18 minerva racoon[2350]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
> Dec 12 18:28:18 minerva racoon[2350]: IKEv1 Phase1 AUTH: failed. (Initiator, Main-Mode Message 6).
> Dec 12 18:28:18 minerva racoon[2350]: IKE Packet: transmit success. (Information message).
> Dec 12 18:28:18 minerva racoon[2350]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
> Dec 12 18:28:18 minerva racoon[2350]: IKE Packet: receive failed. (Initiator, Main-Mode Message 6).
> Dec 12 18:28:18 minerva pppd[2349]: IPSec connection failed <IKE Error 22 (0x16) Invalid cert authority>
> Dec 12 18:28:18 minerva configd[14]: SCNCController: Disconnecting. (Connection tried to negotiate for, 1 seconds).
> Dec 12 18:28:18 minerva racoon[2350]: Disconnecting. (Connection tried to negotiate for, 0.735722 seconds).
> Dec 12 18:28:18 minerva racoon[2350]: IKE Packets Receive Failure-Rate Statistic. (Failure-Rate = 50.000).
> Dec 12 18:28:18 minerva racoon[2350]: IKE Phase1 Authentication Failure-Rate Statistic. (Failure-Rate = 100.000).
>
> So it seems pretty clear something is hinky with the certificate. I'm
> not entirely sure where to look for this. The pem versions of the
> certificates work just fine from my linux client. The certificates
> look okay on the mac when I display them from the keychain, although
> as I mentioned, I can't seem to pull up the vpnHost certificate when
> setting up the vpn. Any suggestions as to what I can look at to try
> and figure out what exactly is going wrong with the certificates? I
> created the p12 files using openssl:
>
> # openssl pkcs12 -export -in certs/vpnHostCert.pem -nokeys -nodes -out exports/vpnHost.p12
> # openssl pkcs12 -export -in cacerts/strongswanCert.pem -nokeys -nodes -out exports/strongSwan.p12
>
> and
>
> openssl pkcs12 -export -inkey private/cindyKey.pem \
>> -in certs/cindyCert.pem -name "Cindy's VPN Certificate" \
>> -certfile cacerts/strongswanCert.pem \
>> -caname "strongSwan Root CA" \
>> -out exports/cindy.p12
>
> I would appreciate any suggestions at all.
>
> Thanks,
> Cindy
>
> On Fri, Dec 12, 2014 at 2:46 PM, Cindy Moore <ctmoore at cs.ucsd.edu> wrote:
>> I wonder if it's the noauth. I commented that out, just to be sure
>> that various changes were "taking" (the authby is completely ignored
>> in the ipsec restart output in /var/log/syslog, so I changed something
>> else in order to make sure the restarts were reflecting changes in the
>> ipsec.conf). If I remove the xauth-noauth, then I get
>>
>> Dec 12 14:39:08 vpn charon: 13[IKE] received end entity cert "C=US, O=ThatsUs, CN=ctmoore@example.com"
>> Dec 12 14:39:08 vpn charon: 13[CFG] looking for RSA signature peer configs matching [vpn ip]...[client ip][C=US, O=ThatsUs, CN=ctmoore@example.com]
>> Dec 12 14:39:08 vpn charon: 13[CFG] candidate "roadwarrior-ikev1", match: 1/1/1052 (me/other/ike)
>> Dec 12 14:39:08 vpn charon: 13[CFG] selected peer config "roadwarrior-ikev1"
>> Dec 12 14:39:08 vpn charon: 13[CFG] using certificate "C=US, O=ThatsUs, CN=ctmoore@example.com"
>> Dec 12 14:39:08 vpn charon: 13[CFG] certificate "C=US, O=ThatsUs, CN=ctmoore@example.com" key: 2048 bit RSA
>> Dec 12 14:39:08 vpn charon: 13[CFG] using trusted ca certificate "C=US, O=ThatsUs, CN=strongSwan Root CA"
>> Dec 12 14:39:08 vpn charon: 13[CFG] checking certificate status of "C=US, O=ThatsUs, CN=ctmoore@example.com"
>> Dec 12 14:39:08 vpn charon: 13[CFG] ocsp check skipped, no ocsp found
>> Dec 12 14:39:08 vpn charon: 13[CFG] certificate status is not available
>> Dec 12 14:39:08 vpn charon: 13[CFG] certificate "C=US, O=ThatsUs, CN=strongSwan Root CA" key: 4096 bit RSA
>> Dec 12 14:39:08 vpn charon: 13[CFG] reached self-signed root ca with a path length of 0
>> Dec 12 14:39:08 vpn charon: 13[IKE] authentication of 'C=US, O=ThatsUs, CN=ctmoore@example.com' with RSA successful
>> Dec 12 14:39:08 vpn charon: 13[IKE] authentication of 'C=US, O=ThatsUs, CN=vpn.example.com' (myself) successful
>> Dec 12 14:39:08 vpn charon: 13[IKE] IKE_SA roadwarrior-ikev1[1] established between [vpn ip][C=US, O=ThatsUs, CN=vpn.example.com]...[client ip][C=US, O=ThatsUs, CN=ctmoore@example.com]
>> Dec 12 14:39:08 vpn charon: 13[IKE] IKE_SA roadwarrior-ikev1[1] state change: CONNECTING => ESTABLISHED
>> Dec 12 14:39:08 vpn charon: 13[IKE] scheduling reauthentication in 3271s
>> Dec 12 14:39:08 vpn charon: 13[IKE] maximum IKE_SA lifetime 3451s
>> Dec 12 14:39:08 vpn charon: 13[IKE] sending end entity cert "C=US, O=ThatsUs, CN=vpn.example.com"
>> Dec 12 14:39:08 vpn charon: 13[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
>> Dec 12 14:39:08 vpn charon: 13[NET] sending packet: from [vpn ip][4500] to [client ip][45779] (1484 bytes)
>> Dec 12 14:39:08 vpn charon: 03[NET] sending packet: from [vpn ip][4500] to [client ip][45779]
>> Dec 12 14:39:08 vpn charon: 01[NET] received packet: from [client ip][45779] to [vpn ip][4500]
>> Dec 12 14:39:08 vpn charon: 01[NET] waiting for data on sockets
>> Dec 12 14:39:08 vpn charon: 15[NET] received packet: from [client ip][45779] to [vpn ip][4500] (68 bytes)
>> Dec 12 14:39:08 vpn charon: 15[ENC] invalid HASH_V1 payload length, decryption failed?
>> Dec 12 14:39:08 vpn charon: 15[ENC] could not decrypt payloads
>> Dec 12 14:39:08 vpn charon: 15[IKE] message parsing failed
>> Dec 12 14:39:08 vpn charon: 15[IKE] ignore malformed INFORMATIONAL request
>> Dec 12 14:39:08 vpn charon: 15[IKE] INFORMATIONAL_V1 request with message ID 3172758586 processing failed
>>
>>
>> On Fri, Dec 12, 2014 at 2:39 PM, Cindy Moore <ctmoore at cs.ucsd.edu> wrote:
>>> Thought authby was deprecated long before Strongswan 5.2.1 (which is
>>> what I'm using)? In any case, I tested it out, but that didn't make a
>>> difference.
>>>
>>> On Fri, Dec 12, 2014 at 2:30 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>>>
> Hello,
>
> Judging from the manpage, using "authby=xauthrsasig" is the same as
> your configuration with leftauth and rightauth parameters.
> Maybe try that? I don't know if it helps. *shrugs*
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 12.12.2014 at 23:19, Cindy Moore wrote:
> >>>>> I'm really at a loss over this one. I can get the connections going
> >>>>> with other clients, for example Network Manager on an Ubuntu 14.04 has
> >>>>> no difficulties connecting with my strongswan server.
> >>>>>
> >>>>> This seems to be a possible clue:
> >>>>> Dec 11 12:47:54 vpn charon: 10[IKE] found 1 matching config, but none
> >>>>> allows RSA signature authentication using Main Mode
> >>>>>
> >>>>> But I'm not sure how to interpret it, or begin to address it.
> >>>>>
> >>>>> I'm also unsure about how the mac's vpn connection should be
> >>>>> configured (I haven't found an equivalent to
> >>>>> https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager
> >>>>> under the Howto's for a Mac VPN setup), so I don't know if it's some
> >>>>> kind of problem that I can't select the vpn host certificate from the
> >>>>> vpn setup dialog even though it shows up just fine in the system
> >>>>> keychain. Any thoughts?
> >>>>>
> >>>>> On Thu, Dec 11, 2014 at 1:20 PM, Cindy Moore <ctmoore at cs.ucsd.edu> wrote:
> >>>>>> I'm trying to get a basic connection going with a mac os x client to
> >>>>>> strongswan (latest) installed on ubuntu (14.04 lts). I'm not entirely
> >>>>>> certain what is going on. It seems like the client isn't sending the
> >>>>>> desired certificate. In the log file, vpnHostCert doesn't seem to
> >>>>>> play a part at all, which I find unexpected.
> >>>>>>
> >>>>>> When I set up the mac I sent the p12 packages over to the mac, and added
> >>>>>> the three of them (root, vpnHost, cindy) to the system keychain.
> >>>>>> What's weird though, is that I can only seem to select, for both User
> >>>>>> Authentication certificate & Machine Authentication certificate, the
> >>>>>> one identified with ctmoore@example.com (I had expected to select that
> >>>>>> for User Auth, and the vpn.example.com one for Machine Auth). All three
> >>>>>> (root, vpn, cindy) certificates are visible in the system keychain,
> >>>>>> but only the cindy one appears in the list of options when selecting
> >>>>>> User/Machine Auth in setting up a vpn connection on the mac. I set
> >>>>>> the strongswan root up as a trusted cert, and authorized the use of
> >>>>>> all three in any kind of setting.
> >>>>>>
> >>>>>>
> >>>>>> Overview of setup (syslog copy at end)
> >>>>>>
> >>>>>>
> >>>>>> Created the certificates. Sorry, my email program is eating tabs.
> >>>>>>
> >>>>>> ========
> >>>>>> "root":
> >>>>>> ipsec pki --gen --type rsa --size 4096 \
> >>>>>>     --outform pem > private/strongswanKey.pem
> >>>>>> chmod 600 private/strongswanKey.pem
> >>>>>> ipsec pki --self --ca --lifetime 3650 \
> >>>>>>     --in private/strongswanKey.pem --type rsa \
> >>>>>>     --dn "C=US, O=ThatsUs, CN=strongSwan Root CA" \
> >>>>>>     --outform pem > cacerts/strongswanCert.pem
> >>>>>>
> >>>>>> ========
> >>>>>> host:
> >>>>>> ipsec pki --gen --type rsa --size 2048 \
> >>>>>>     --outform pem > private/vpnHostKey.pem
> >>>>>> chmod 600 private/vpnHostKey.pem
> >>>>>> ipsec pki --pub --in private/vpnHostKey.pem --type rsa | \
> >>>>>>     ipsec pki --issue --lifetime 730 \
> >>>>>>     --cacert cacerts/strongswanCert.pem \
> >>>>>>     --cakey private/strongswanKey.pem \
> >>>>>>     --dn "C=US, O=ThatsUs, CN=vpn.example.com" \
> >>>>>>     --san vpn.example.com \
> >>>>>>     --flag serverAuth --flag ikeIntermediate \
> >>>>>>     --outform pem > certs/vpnHostCert.pem
> >>>>>>
> >>>>>> ipsec pki --print looks okay for both
> >>>>>>
> >>>>>> ========
> >>>>>> created p12 packages
> >>>>>> # openssl pkcs12 -export -in certs/vpnHostCert.pem -nokeys -nodes -out exports/vpnHost.p12
> >>>>>> Enter Export Password:
> >>>>>> Verifying - Enter Export Password:
> >>>>>>
> >>>>>> # openssl pkcs12 -export -in cacerts/strongswanCert.pem -nokeys -nodes -out exports/strongSwan.p12
> >>>>>> Enter Export Password:
> >>>>>> Verifying - Enter Export Password:
> >>>>>>
> >>>>>> ========
> >>>>>> client certificate
> >>>>>> ipsec pki --gen --type rsa --size 2048 \
> >>>>>>     --outform pem > private/cindyKey.pem
> >>>>>> chmod 600 private/cindyKey.pem
> >>>>>> ipsec pki --pub --in private/cindyKey.pem --type rsa | \
> >>>>>>     ipsec pki --issue --lifetime 730 \
> >>>>>>     --cacert cacerts/strongswanCert.pem \
> >>>>>>     --cakey private/strongswanKey.pem \
> >>>>>>     --dn "C=US, O=ThatsUs, CN=ctmoore@example.com" \
> >>>>>>     --san ctmoore@example.com \
> >>>>>>     --outform pem > certs/cindyCert.pem
> >>>>>>
> >>>>>> (plus p12 packaging)
> >>>>>>
> >>>>>> ========
> >>>>>> ipsec.secrets
> >>>>>> : RSA vpnHostKey.pem
> >>>>>>
> >>>>>> =========
> >>>>>> ipsec.conf
> >>>>>>
> >>>>>> conn %default
> >>>>>>     ikelifetime=60m
> >>>>>>     keylife=60m
> >>>>>>     rekeymargin=3m
> >>>>>>     keyingtries=1
> >>>>>>     #vpn server
> >>>>>>     left=[vpn ip]
> >>>>>>     leftcert=vpnHostCert.pem
> >>>>>>     # certificate based ID
> >>>>>>     leftid="C=US, O=strongSwan, CN=vpn.example.com"
> >>>>>>     #allow full tunneling
> >>>>>>     leftsubnet=0.0.0.0/0
> >>>>>>     #assign ip addr from this pool
> >>>>>>     rightsourceip=[...]
> >>>>>>     # assign dns servers once connected
> >>>>>>     rightdns=[...]
> >>>>>>
> >>>>>> ca %default
> >>>>>>     cacert=strongswanCert.pem
> >>>>>>
> >>>>>> # certificate only
> >>>>>> conn roadwarrior-ikev2
> >>>>>>     keyexchange=ikev2
> >>>>>>     leftauth=pubkey
> >>>>>>     right=%any
> >>>>>>     rightid=%any
> >>>>>>     rightauth=pubkey
> >>>>>>     auto=add
> >>>>>>
> >>>>>> # certificate only, fakeout on xauth (for eg Mac/iOS that must do
> >>>>>> # xauth, and ikev1 for that matter)
> >>>>>> conn roadwarrior-ikev1
> >>>>>>     keyexchange=ikev1
> >>>>>>     leftauth=pubkey
> >>>>>>     right=%any
> >>>>>>     rightid=%any
> >>>>>>     rightauth=pubkey
> >>>>>>     rightauth2=xauth-noauth
> >>>>>>     auto=add
> >>>>>>
> >>>>>>
> >>>>>> ========
> >>>>>>
> >>>>>>
> >>>>>> Using the same ctmoore cert for User/Machine auth in the mac vpn and
> >>>>>> connecting anyway, I get the following in the syslog.
> >>>>>>
> >>>>>> I find the
> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE] found 1 matching config, but none
> >>>>>> allows RSA signature authentication using Main Mode
> >>>>>> entry interesting, but I don't know if that's the issue, and if it is,
> >>>>>> what I can do about it.
> >>>>>>
> >>>>>>
> >>>>>> /var/log/syslog
> >>>>>> ========
> >>>>>> Dec 11 12:47:54 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
> >>>>>> Dec 11 12:47:54 vpn charon: 02[NET] waiting for data on sockets
> >>>>>> Dec 11 12:47:54 vpn charon: 04[NET] received packet: from [client ip][500] to [vpn ip][500] (300 bytes)
> >>>>>> Dec 11 12:47:54 vpn charon: 04[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V ]
> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] looking for an ike config for [vpn ip]...[client ip]
> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] candidate: [vpn ip]...%any, prio 1052
> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] found matching ike config: [vpn ip]...%any with prio 1052
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received NAT-T (RFC 3947) vendor ID
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received DPD vendor ID
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] [client ip] is initiating a Main Mode IKE_SA
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] selecting proposal:
> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] selecting proposal:
> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] selecting proposal:
> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] proposal matches
> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] sending XAuth vendor ID
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] sending DPD vendor ID
> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] sending NAT-T (RFC 3947) vendor ID
> >>>>>> Dec 11 12:47:54 vpn charon: 04[ENC] generating ID_PROT response 0 [ SA V V V ]
> >>>>>> Dec 11 12:47:54 vpn charon: 04[NET] sending packet: from [vpn ip][500] to [client ip][500] (132 bytes)
> >>>>>> Dec 11 12:47:54 vpn charon: 03[NET] sending packet: from [vpn ip][500] to [client ip][500]
> >>>>>> Dec 11 12:47:54 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
> >>>>>> Dec 11 12:47:54 vpn charon: 02[NET] waiting for data on sockets
> >>>>>> Dec 11 12:47:54 vpn charon: 09[NET] received packet: from [client ip][500] to [vpn ip][500] (228 bytes)
> >>>>>> Dec 11 12:47:54 vpn charon: 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
> >>>>>> Dec 11 12:47:54 vpn charon: 09[IKE] sending cert request for "C=US, O=ThatsUs, CN=strongSwan Root CA"
> >>>>>> Dec 11 12:47:54 vpn charon: 09[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
> >>>>>> Dec 11 12:47:54 vpn charon: 09[NET] sending packet: from [vpn ip][500] to [client ip][500] (310 bytes)
> >>>>>> Dec 11 12:47:54 vpn charon: 03[NET] sending packet: from [vpn ip][500] to [client ip][500]
> >>>>>> Dec 11 12:47:54 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
> >>>>>> Dec 11 12:47:54 vpn charon: 02[NET] waiting for data on sockets
> >>>>>> Dec 11 12:47:54 vpn charon: 10[NET] received packet: from [client ip][500] to [vpn ip][500] (1492 bytes)
> >>>>>> Dec 11 12:47:54 vpn charon: 10[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE] ignoring certificate request without data
> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE] received end entity cert "C=US, O=ThatsUs, CN=ctmoore@example.com"
> >>>>>> Dec 11 12:47:54 vpn charon: 10[CFG] looking for RSA signature peer configs matching [vpn ip]...[client ip][C=US, O=ThatsUs, CN=ctmoore@example.com]
> >>>>>> Dec 11 12:47:54 vpn charon: 10[CFG] candidate "roadwarrior-ikev1", match: 1/1/1052 (me/other/ike)
> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE] found 1 matching config, but none allows RSA signature authentication using Main Mode
> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE] queueing INFORMATIONAL task
> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE] activating new tasks
> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE] activating INFORMATIONAL task
> >>>>>> Dec 11 12:47:54 vpn charon: 10[ENC] generating INFORMATIONAL_V1 request 2651689082 [ HASH N(AUTH_FAILED) ]
> >>>>>> Dec 11 12:47:54 vpn charon: 10[NET] sending packet: from [vpn ip][500] to [client ip][500] (84 bytes)
> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE] IKE_SA (unnamed)[3] state change: CONNECTING => DESTROYING
> >>>>>> Dec 11 12:47:54 vpn charon: 03[NET] sending packet: from [vpn ip][500] to [client ip][500]
> >>>>>> Dec 11 12:47:57 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
> >>>>>> Dec 11 12:47:57 vpn charon: 02[NET] waiting for data on sockets
> >>>>>> Dec 11 12:48:00 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
> >>>>>> Dec 11 12:48:00 vpn charon: 02[NET] waiting for data on sockets
> >>>>>> Dec 11 12:48:03 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
> >>>>>> Dec 11 12:48:03 vpn charon: 02[NET] waiting for data on sockets
> >>>>>> Dec 11 12:48:06 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
> >>>>>> Dec 11 12:48:06 vpn charon: 02[NET] waiting for data on sockets
> >>>>>> Dec 11 12:48:09 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
> >>>>>> Dec 11 12:48:09 vpn charon: 02[NET] waiting for data on sockets
> >>>>>> Dec 11 12:48:16 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
> >>>>>> Dec 11 12:48:16 vpn charon: 02[NET] waiting for data on sockets
> >>>>>> Dec 11 12:48:19 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
> >>>>>> Dec 11 12:48:19 vpn charon: 02[NET] waiting for data on sockets
> >>>>>> Dec 11 12:48:22 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
> >>>>>> Dec 11 12:48:22 vpn charon: 02[NET] waiting for data on sockets
> >>>>>> Dec 11 12:48:24 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
> >>>>>> Dec 11 12:48:24 vpn charon: 02[NET] waiting for data on sockets
> >>>>>> Dec 11 12:48:24 vpn charon: 04[NET] received packet: from [client ip][500] to [vpn ip][500] (300 bytes)
> >>>>>> Dec 11 12:48:24 vpn charon: 04[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V ]
> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] looking for an ike config for [vpn ip]...[client ip]
> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] candidate: [vpn ip]...%any, prio 1052
> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] found matching ike config: [vpn ip]...%any with prio 1052
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received NAT-T (RFC 3947) vendor ID
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received DPD vendor ID
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] [client ip] is initiating a Main Mode IKE_SA
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] selecting proposal:
> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] selecting proposal:
> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] selecting proposal:
> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] proposal matches
> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] sending XAuth vendor ID
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] sending DPD vendor ID
> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] sending NAT-T (RFC 3947) vendor ID
> >>>>>> Dec 11 12:48:24 vpn charon: 04[ENC] generating ID_PROT response 0 [ SA V V V ]
> >>>>>> Dec 11 12:48:24 vpn charon: 04[NET] sending packet: from [vpn ip][500] to [client ip][500] (132 bytes)
> >>>>>> Dec 11 12:48:24 vpn charon: 03[NET] sending packet: from [vpn ip][500] to [client ip][500]
> >>>>>> Dec 11 12:48:24 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
> >>>>>> Dec 11 12:48:24 vpn charon: 02[NET] waiting for data on sockets
> >>>>>> Dec 11 12:48:24 vpn charon: 09[NET] received packet: from [client ip][500] to [vpn ip][500] (228 bytes)
> >>>>>> Dec 11 12:48:24 vpn charon: 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
> >>>>>> Dec 11 12:48:24 vpn charon: 09[IKE] sending cert request for "C=US, O=ThatsUs, CN=strongSwan Root CA"
> >>>>>> Dec 11 12:48:24 vpn charon: 09[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
> >>>>>> Dec 11 12:48:24 vpn charon: 09[NET] sending packet: from [vpn ip][500] to [client ip][500] (310 bytes)
> >>>>>> Dec 11 12:48:24 vpn charon: 03[NET] sending packet: from [vpn ip][500] to [client ip][500]
> >>>>>> Dec 11 12:48:54 vpn charon: 10[JOB] deleting half open IKE_SA after timeout
> >>>>>> Dec 11 12:48:54 vpn charon: 10[IKE] IKE_SA (unnamed)[4] state change: CONNECTING => DESTROYING
> >>>>> _______________________________________________
> >>>>> Users mailing list
> >>>>> Users at lists.strongswan.org
> >>>>> https://lists.strongswan.org/mailman/listinfo/users
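The logs in this thread point at two separate problems: charon refuses the Mac's plain RSA-signature Main Mode while the conn still carries rightauth2=xauth-noauth ("found 1 matching config, but none allows RSA signature authentication using Main Mode"), and once that line is gone Phase 1 completes on the server but the Mac aborts with "Invalid cert authority", i.e. it does not trust the CA that issued vpn.example.com, which is what the reply above is about. The script below is an added example, not Cindy's or the strongSwan project's code. It rebuilds an equivalent PKI with openssl in place of `ipsec pki`, packages the identity together with its issuing CA, and runs the checks a practitioner would want before sending anything to a client: chain verification against the CA the gateway requests, SAN/EKU presence on the gateway cert, the certificate count in the p12, a comparison of leftid against the subject actually in leftcert (the posted conn says O=strongSwan while the certificate says O=ThatsUs; charon evidently fell back to the certificate DN, since the established IKE_SA shows O=ThatsUs), and a check for the xauth line, run over the posted conn and a corrected pure-pubkey one. The p12 password, file names and work directory are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): rebuild an equivalent PKI with
# openssl instead of `ipsec pki`, package it for the Mac keychain, and run the
# checks that would have flagged the problems discussed in the thread.
# P12PASS, the file names and the work directory are assumptions.
set -eu
WORK=$(mktemp -d); cd "$WORK"
P12PASS=changeit   # example password only

# Own config so `openssl req` does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Root CA, the equivalent of `ipsec pki --self --ca`.
openssl req -x509 -config req.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -days 3650 -subj "/C=US/O=ThatsUs/CN=strongSwan Root CA" \
  -keyout strongswanKey.pem -out strongswanCert.pem 2>/dev/null

# issue NAME SUBJECT EXTFILE: key, CSR and CA-signed cert, like `ipsec pki --issue`.
issue() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1Key.pem" -out "$1.csr" 2>/dev/null
  openssl x509 -req -days 730 -in "$1.csr" -CA strongswanCert.pem \
    -CAkey strongswanKey.pem -CAcreateserial -extfile "$3" -out "$1Cert.pem" 2>/dev/null
}
# Gateway: DNS SAN plus the serverAuth and ikeIntermediate (1.3.6.1.5.5.8.2.2)
# EKUs, the flags the posted --issue command set; Apple's clients look for them.
printf 'subjectAltName=DNS:vpn.example.com\nextendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2\n' > host.ext
issue vpnHost "/C=US/O=ThatsUs/CN=vpn.example.com" host.ext
printf 'subjectAltName=email:ctmoore@example.com\n' > user.ext
issue cindy "/C=US/O=ThatsUs/CN=ctmoore@example.com" user.ext

# Client bundle: key + cert + issuing CA (-certfile) in one PKCS#12 so the
# keychain can build the chain; the CA itself goes over as plain DER for the
# trust store, not as a keyless p12.
openssl pkcs12 -export -inkey cindyKey.pem -in cindyCert.pem \
  -certfile strongswanCert.pem -name "Cindy's VPN Certificate" \
  -caname "strongSwan Root CA" -passout "pass:$P12PASS" -out cindy.p12
openssl x509 -in strongswanCert.pem -outform DER -out strongswanCert.cer

# The posted conn (leftid says O=strongSwan, rightauth2 demands an XAuth round)
# next to a corrected pure-pubkey conn for a client doing plain RSA-sig Main Mode.
cat > ipsec.conf.posted <<'EOF'
conn roadwarrior-ikev1
    keyexchange=ikev1
    leftcert=vpnHostCert.pem
    leftid="C=US, O=strongSwan, CN=vpn.example.com"
    leftauth=pubkey
    right=%any
    rightid=%any
    rightauth=pubkey
    rightauth2=xauth-noauth
    auto=add
EOF
sed -e 's/O=strongSwan/O=ThatsUs/' -e '/rightauth2=xauth/d' ipsec.conf.posted > ipsec.conf.fixed

# ---- checks ----------------------------------------------------------------
# Subject DN in strongSwan notation: openssl's RFC 2253 output is reversed
# (CN first) and comma-packed, so flip the RDN order and re-space it.
cert_dn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//' \
    | tr ',' '\n' | sed '1!G;h;$!d' | paste -s -d ',' - | sed 's/,/, /g'
}
# Does the cert chain to the CA the gateway sends its CERTREQ for?
chain_ok() { openssl verify -CAfile strongswanCert.pem "$1" >/dev/null 2>&1 && echo yes || echo no; }
# Is the given SAN or EKU text present in the cert?
has_ext() { openssl x509 -noout -text -in "$1" | grep -q -- "$2" && echo yes || echo no; }
# Certificates inside a p12: 2 means identity plus issuing CA.
p12_cert_count() { openssl pkcs12 -in "$1" -passin "pass:$P12PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'; }
# leftid in CONF versus the subject actually in leftcert.
conf_leftid() { sed -n 's/^[[:space:]]*leftid="\(.*\)"[[:space:]]*$/\1/p' "$1"; }
leftid_matches_cert() { [ "$(conf_leftid "$1")" = "$(cert_dn vpnHostCert.pem)" ] && echo yes || echo no; }
# Does CONF still demand an XAuth round the client never does?
requires_xauth() { grep -q '^[[:space:]]*rightauth2=xauth' "$1" && echo yes || echo no; }

echo "gateway DN: $(cert_dn vpnHostCert.pem); chain ok: $(chain_ok vpnHostCert.pem)/$(chain_ok cindyCert.pem); p12 certs: $(p12_cert_count cindy.p12)"
for f in ipsec.conf.posted ipsec.conf.fixed; do
  echo "$f: leftid matches cert=$(leftid_matches_cert "$f") requires xauth=$(requires_xauth "$f")"
done
```

On the Mac the CA belongs in the System keychain as a trusted root (for example `sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain strongswanCert.cer`) and cindy.p12 is imported as the identity; that step is not run here. Two caveats the thread does not resolve: the Mac log shows pppd negotiating L2TP, and L2TP/IPsec needs a transport-mode conn for UDP 1701 rather than the tunnel-mode road-warrior conn posted; and the client only offered 3DES/SHA1/MODP_1024, which the catch-all default proposal accepted, so any tightening of `ike=` has to be tested against that client.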