[strongSwan] certificate only vpn connection with mac

Cindy Moore ctmoore at cs.ucsd.edu
Sat Dec 13 15:55:49 CET 2014


I imported the root certificate, host certificate, and client
key/certificate into the System keychain and marked the root
certificate as always trusted.  I have only login, System, and System
Roots listed under Keychains, but the mac doesn't let me import
anything into the last one.

On Sat, Dec 13, 2014 at 5:58 AM, Christian Huldt <christian at solvare.se> wrote:
>
> AFAIK you have to import the (at least some of) certificates into the right
> keychain
>
>
> On 12/13/2014 04:59 AM, Cindy Moore wrote:
>> OK, so on the mac client, system.log shows:
>>
>> Dec 12 18:28:17 minerva pppd[2349]: L2TP connecting to server 'vpn.example.com' ([vpn ip])...
>> Dec 12 18:28:17 minerva pppd[2349]: IPSec connection started
>> Dec 12 18:28:17 minerva racoon[2350]: Connecting.
>> Dec 12 18:28:17 minerva racoon[2350]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
>> Dec 12 18:28:17 minerva racoon[2350]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
>> Dec 12 18:28:17 minerva racoon[2350]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
>> Dec 12 18:28:17 minerva racoon[2350]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
>> Dec 12 18:28:18 minerva racoon[2350]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
>> Dec 12 18:28:18 minerva racoon[2350]: IKEv1 Phase1 AUTH: failed. (Initiator, Main-Mode Message 6).
>> Dec 12 18:28:18 minerva racoon[2350]: IKE Packet: transmit success. (Information message).
>> Dec 12 18:28:18 minerva racoon[2350]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
>> Dec 12 18:28:18 minerva racoon[2350]: IKE Packet: receive failed. (Initiator, Main-Mode Message 6).
>> Dec 12 18:28:18 minerva pppd[2349]: IPSec connection failed <IKE Error 22 (0x16) Invalid cert authority>
>> Dec 12 18:28:18 minerva configd[14]: SCNCController: Disconnecting. (Connection tried to negotiate for, 1 seconds).
>> Dec 12 18:28:18 minerva racoon[2350]: Disconnecting. (Connection tried to negotiate for, 0.735722 seconds).
>> Dec 12 18:28:18 minerva racoon[2350]: IKE Packets Receive Failure-Rate Statistic. (Failure-Rate = 50.000).
>> Dec 12 18:28:18 minerva racoon[2350]: IKE Phase1 Authentication Failure-Rate Statistic. (Failure-Rate = 100.000).
>>
>> So it seems pretty clear something is hinky with the certificate.  I'm
>> not entirely sure where to look for this.  The pem versions of the
>> certificates work just fine from my linux client.  The certificates
>> look okay on the mac when I display them from the keychain, although
>> as I mentioned, I can't seem to pull up the vpnHost certificate when
>> setting up the vpn. Any suggestions as to what I can look at to try
>> and figure out what exactly is going wrong with the certificates?  I
>> created the p12 files using openssl:
>>
>> # openssl pkcs12 -export -in certs/vpnHostCert.pem -nokeys -nodes -out exports/vpnHost.p12
>> # openssl pkcs12 -export -in cacerts/strongswanCert.pem -nokeys -nodes -out exports/strongSwan.p12
>>
>> and
>>
>>  openssl pkcs12 -export -inkey private/cindyKey.pem \
>>     -in certs/cindyCert.pem -name "Cindy's VPN Certificate" \
>>     -certfile cacerts/strongswanCert.pem \
>>     -caname "strongSwan Root CA" \
>>     -out exports/cindy.p12
>>
>> I would appreciate any suggestions at all.
>>
>> Thanks,
>> Cindy
>>
>> On Fri, Dec 12, 2014 at 2:46 PM, Cindy Moore <ctmoore at cs.ucsd.edu> wrote:
>>> I wonder if it's the noauth.  I commented that out, just to be sure
>>> that various changes were "taking" (the authby is completely ignored
>>> in the ipsec restart output in /var/log/syslog, so I changed something
>>> else in order to make sure the restarts were reflecting changes in the
>>> ipsec.conf).  If I remove the xauth-noauth, then I get
>>>
>>> Dec 12 14:39:08 vpn charon: 13[IKE] received end entity cert "C=US, O=ThatsUs, CN=ctmoore at example.com"
>>> Dec 12 14:39:08 vpn charon: 13[CFG] looking for RSA signature peer configs matching [vpn ip]...[client ip][C=US, O=ThatsUs, CN=ctmoore at example.com]
>>> Dec 12 14:39:08 vpn charon: 13[CFG]   candidate "roadwarrior-ikev1", match: 1/1/1052 (me/other/ike)
>>> Dec 12 14:39:08 vpn charon: 13[CFG] selected peer config "roadwarrior-ikev1"
>>> Dec 12 14:39:08 vpn charon: 13[CFG]   using certificate "C=US, O=ThatsUs, CN=ctmoore at example.com"
>>> Dec 12 14:39:08 vpn charon: 13[CFG]   certificate "C=US, O=ThatsUs, CN=ctmoore at example.com" key: 2048 bit RSA
>>> Dec 12 14:39:08 vpn charon: 13[CFG]   using trusted ca certificate "C=US, O=ThatsUs, CN=strongSwan Root CA"
>>> Dec 12 14:39:08 vpn charon: 13[CFG] checking certificate status of "C=US, O=ThatsUs, CN=ctmoore at example.com"
>>> Dec 12 14:39:08 vpn charon: 13[CFG] ocsp check skipped, no ocsp found
>>> Dec 12 14:39:08 vpn charon: 13[CFG] certificate status is not available
>>> Dec 12 14:39:08 vpn charon: 13[CFG]   certificate "C=US, O=ThatsUs, CN=strongSwan Root CA" key: 4096 bit RSA
>>> Dec 12 14:39:08 vpn charon: 13[CFG]   reached self-signed root ca with a path length of 0
>>> Dec 12 14:39:08 vpn charon: 13[IKE] authentication of 'C=US, O=ThatsUs, CN=ctmoore at example.com' with RSA successful
>>> Dec 12 14:39:08 vpn charon: 13[IKE] authentication of 'C=US, O=ThatsUs, CN=vpn.example.com' (myself) successful
>>> Dec 12 14:39:08 vpn charon: 13[IKE] IKE_SA roadwarrior-ikev1[1] established between [vpn ip][C=US, O=ThatsUs, CN=vpn.example.com]...[client ip][C=US, O=ThatsUs, CN=ctmoore at example.com]
>>> Dec 12 14:39:08 vpn charon: 13[IKE] IKE_SA roadwarrior-ikev1[1] state change: CONNECTING => ESTABLISHED
>>> Dec 12 14:39:08 vpn charon: 13[IKE] scheduling reauthentication in 3271s
>>> Dec 12 14:39:08 vpn charon: 13[IKE] maximum IKE_SA lifetime 3451s
>>> Dec 12 14:39:08 vpn charon: 13[IKE] sending end entity cert "C=US, O=ThatsUs, CN=vpn.example.com"
>>> Dec 12 14:39:08 vpn charon: 13[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
>>> Dec 12 14:39:08 vpn charon: 13[NET] sending packet: from [vpn ip][4500] to [client ip][45779] (1484 bytes)
>>> Dec 12 14:39:08 vpn charon: 03[NET] sending packet: from [vpn ip][4500] to [client ip][45779]
>>> Dec 12 14:39:08 vpn charon: 01[NET] received packet: from [client ip][45779] to [vpn ip][4500]
>>> Dec 12 14:39:08 vpn charon: 01[NET] waiting for data on sockets
>>> Dec 12 14:39:08 vpn charon: 15[NET] received packet: from [client ip][45779] to [vpn ip][4500] (68 bytes)
>>> Dec 12 14:39:08 vpn charon: 15[ENC] invalid HASH_V1 payload length, decryption failed?
>>> Dec 12 14:39:08 vpn charon: 15[ENC] could not decrypt payloads
>>> Dec 12 14:39:08 vpn charon: 15[IKE] message parsing failed
>>> Dec 12 14:39:08 vpn charon: 15[IKE] ignore malformed INFORMATIONAL request
>>> Dec 12 14:39:08 vpn charon: 15[IKE] INFORMATIONAL_V1 request with message ID 3172758586 processing failed
>>>
>>> On Fri, Dec 12, 2014 at 2:39 PM, Cindy Moore <ctmoore at cs.ucsd.edu> wrote:
>>>> Thought authby was deprecated long before Strongswan 5.2.1 (which is
>>>> what I'm using)?  In any case, I tested it out, but that didn't make a
>>>> difference.
>>>>
>>>> On Fri, Dec 12, 2014 at 2:30 PM, Noel Kuntze <noel at familie-kuntze.de>
>>>> wrote:
>>>>>
>> Hello,
>>
>> Judging from the manpage, using "authby=xauthrsasig" is the same as your
>> configuration with leftauth and rightauth parameters.
>> Maybe try that? I don't know if it helps. *shrugs*
>>
>> Kind regards/Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 12.12.2014 at 23:19, Cindy Moore wrote:
>> >>>>> I'm really at a loss over this one.  I can get the connections going
>> >>>>> with other clients, for example Network Manager on a Ubuntu 14.04 has
>> >>>>> no difficulties connecting with my strongswan server.
>> >>>>>
>> >>>>> This seems to be a possible clue:
>> >>>>> Dec 11 12:47:54 vpn charon: 10[IKE] found 1 matching config, but none allows RSA signature authentication using Main Mode
>> >>>>>
>> >>>>> But I'm not sure how to interpret it, or begin to address it.
>> >>>>>
>> >>>>> I'm also unsure about how the mac's vpn connection should be
>> >>>>> configured (I haven't found an equivalent to
>> >>>>> https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager
>> >>>>> under the Howto's for a Mac VPN setup), so I don't know if it's some
>> >>>>> kind of problem that I can't select the vpn host certificate from the
>> >>>>> vpn setup dialog even though it shows up just fine in the system
>> >>>>> keychain.  Any thoughts?
>> >>>>>
>> >>>>> On Thu, Dec 11, 2014 at 1:20 PM, Cindy Moore <ctmoore at cs.ucsd.edu>
>> >>>>> wrote:
>> >>>>>> I'm trying to get a basic connection going with a mac os x client to
>> >>>>>> strongswan (latest) installed on ubuntu (14.04 lts).  I'm not entirely
>> >>>>>> certain what is going on.  It seems like the client isn't sending the
>> >>>>>> desired certificate.  In the log file, vpnHostCert doesn't seem to
>> >>>>>> play a part at all, which I find unexpected.
>> >>>>>>
>> >>>>>> When I set up the mac I sent the p12 packages over to the mac, added
>> >>>>>> the three of them (root, vpnHost, cindy) to the system keychain.
>> >>>>>> What's weird though, is that I can only seem to select, for both User
>> >>>>>> Authentication certificate & Machine Authentication certificate, the
>> >>>>>> one identified with ctmoore at example.com (I had expected to select that
>> >>>>>> for User Auth, and the vpn.example.com for Machine Auth).  All three
>> >>>>>> (root, vpn, cindy) certificates are visible in the system keychain,
>> >>>>>> but only the cindy one appears in the list of options when selecting
>> >>>>>> User/Machine Auth in setting up a vpn connection on the mac.  I set
>> >>>>>> the strongswan root up as a trusted cert, and authorized the use of
>> >>>>>> all three in any kind of setting.
>> >>>>>>
>> >>>>>>
>> >>>>>> Overview of setup (syslog copy at end)
>> >>>>>>
>> >>>>>>
>> >>>>>> Created the certificates.  Sorry, my email program is eating tabs.
>> >>>>>>
>> >>>>>> ========
>> >>>>>> "root":
>> >>>>>> ipsec pki --gen --type rsa --size 4096 \
>> >>>>>> --outform pem \
>> >>>>>>   > private/strongswanKey.pem
>> >>>>>> chmod 600 private/strongswanKey.pem
>> >>>>>> ipsec pki --self --ca --lifetime 3650 \
>> >>>>>> --in private/strongswanKey.pem --type rsa \
>> >>>>>> --dn "C=US, O=ThatsUs, CN=strongSwan Root CA" \
>> >>>>>> --outform pem \
>> >>>>>>   > cacerts/strongswanCert.pem
>> >>>>>>
>> >>>>>> ========
>> >>>>>> host:
>> >>>>>> ipsec pki --gen --type rsa --size 2048 \
>> >>>>>> --outform pem \
>> >>>>>>   > private/vpnHostKey.pem
>> >>>>>> chmod 600 private/vpnHostKey.pem
>> >>>>>> ipsec pki --pub --in private/vpnHostKey.pem --type rsa | \
>> >>>>>> ipsec pki --issue --lifetime 730 \
>> >>>>>> --cacert cacerts/strongswanCert.pem \
>> >>>>>> --cakey private/strongswanKey.pem \
>> >>>>>> --dn "C=US, O=ThatsUs, CN=vpn.example.com" \
>> >>>>>> --san vpn.example.com \
>> >>>>>> --flag serverAuth --flag ikeIntermediate \
>> >>>>>> --outform pem > certs/vpnHostCert.pem
>> >>>>>>
>> >>>>>> ipsec pki --print looks okay for both
>> >>>>>>
>> >>>>>> ========
>> >>>>>> created p12 packages
>> >>>>>> # openssl pkcs12 -export -in certs/vpnHostCert.pem -nokeys -nodes -out exports/vpnHost.p12
>> >>>>>> Enter Export Password:
>> >>>>>> Verifying - Enter Export Password:
>> >>>>>>
>> >>>>>> # openssl pkcs12 -export -in cacerts/strongswanCert.pem -nokeys -nodes -out exports/strongSwan.p12
>> >>>>>> Enter Export Password:
>> >>>>>> Verifying - Enter Export Password:
>> >>>>>>
>> >>>>>> ========
>> >>>>>> client certificate
>> >>>>>> ipsec pki --gen --type rsa --size 2048 \
>> >>>>>> --outform pem \
>> >>>>>>   > private/cindyKey.pem
>> >>>>>> chmod 600 private/cindyKey.pem
>> >>>>>> ipsec pki --pub --in private/cindyKey.pem --type rsa | \
>> >>>>>> ipsec pki --issue --lifetime 730 \
>> >>>>>> --cacert cacerts/strongswanCert.pem \
>> >>>>>> --cakey private/strongswanKey.pem \
>> >>>>>> --dn "C=US, O=ThatsUs, CN=ctmoore at example.com" \
>> >>>>>> --san ctmoore at example.com \
>> >>>>>> --outform pem > certs/cindyCert.pem
>> >>>>>>
>> >>>>>> (plus p12 packaging)
>> >>>>>>
>> >>>>>> ========
>> >>>>>> ipsec.secrets
>> >>>>>> : RSA vpnHostKey.pem
>> >>>>>>
>> >>>>>> =========
>> >>>>>> ipsec.conf
>> >>>>>>
>> >>>>>> conn %default
>> >>>>>>         ikelifetime=60m
>> >>>>>>         keylife=60m
>> >>>>>>         rekeymargin=3m
>> >>>>>>         keyingtries=1
>> >>>>>>         #vpn server
>> >>>>>>         left=[vpn ip]
>> >>>>>>         leftcert=vpnHostCert.pem
>> >>>>>>         # certificate based ID
>> >>>>>>         leftid="C=US, O=strongSwan, CN=vpn.example.com"
>> >>>>>>         #allow full tunneling
>> >>>>>>         leftsubnet=0.0.0.0/0
>> >>>>>>         #assign ip addr from this pool
>> >>>>>>         rightsourceip=[...]
>> >>>>>>         # assign dns servers once connected
>> >>>>>>         rightdns=[...]
>> >>>>>>
>> >>>>>> ca %default
>> >>>>>>         cacert=strongswanCert.pem
>> >>>>>>
>> >>>>>> # certificate only
>> >>>>>> conn roadwarrior-ikev2
>> >>>>>>         keyexchange=ikev2
>> >>>>>>         leftauth=pubkey
>> >>>>>>         right=%any
>> >>>>>>         rightid=%any
>> >>>>>>         rightauth=pubkey
>> >>>>>>         auto=add
>> >>>>>>
>> >>>>>> # certificate only, fakeout on xauth (for eg Mac/iOS that must do
>> >>>>>> xauth. and ikev1 for that matter)
>> >>>>>> conn roadwarrior-ikev1
>> >>>>>>         keyexchange=ikev1
>> >>>>>>         leftauth=pubkey
>> >>>>>>         right=%any
>> >>>>>>         rightid=%any
>> >>>>>>         rightauth=pubkey
>> >>>>>>         rightauth2=xauth-noauth
>> >>>>>>         auto=add
>> >>>>>>
>> >>>>>>
>> >>>>>> ========
>> >>>>>>
>> >>>>>>
>> >>>>>> Using the same ctmoore cert on User/Machine auth in the mac vpn and
>> >>>>>> connecting anyway, I get the following in the syslog.
>> >>>>>>
>> >>>>>> I find the
>> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE] found 1 matching config, but none allows RSA signature authentication using Main Mode
>> >>>>>> entry interesting, but I don't know if that's the issue, and if it is,
>> >>>>>> what I can do about it.
>> >>>>>>
>> >>>>>>
>> >>>>>> /var/log/syslog
>> >>>>>> ========
>> >>>>>> Dec 11 12:47:54 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
>> >>>>>> Dec 11 12:47:54 vpn charon: 02[NET] waiting for data on sockets
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[NET] received packet: from [client ip][500] to [vpn ip][500] (300 bytes)
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V ]
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] looking for an ike config for [vpn ip]...[client ip]
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG]   candidate: [vpn ip]...%any, prio 1052
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] found matching ike config: [vpn ip]...%any with prio 1052
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received NAT-T (RFC 3947) vendor ID
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] received DPD vendor ID
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] [client ip] is initiating a Main Mode IKE_SA
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] selecting proposal:
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] selecting proposal:
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] selecting proposal:
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG]   proposal matches
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] sending XAuth vendor ID
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] sending DPD vendor ID
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[IKE] sending NAT-T (RFC 3947) vendor ID
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[ENC] generating ID_PROT response 0 [ SA V V V ]
>> >>>>>> Dec 11 12:47:54 vpn charon: 04[NET] sending packet: from [vpn ip][500] to [client ip][500] (132 bytes)
>> >>>>>> Dec 11 12:47:54 vpn charon: 03[NET] sending packet: from [vpn ip][500] to [client ip][500]
>> >>>>>> Dec 11 12:47:54 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
>> >>>>>> Dec 11 12:47:54 vpn charon: 02[NET] waiting for data on sockets
>> >>>>>> Dec 11 12:47:54 vpn charon: 09[NET] received packet: from [client ip][500] to [vpn ip][500] (228 bytes)
>> >>>>>> Dec 11 12:47:54 vpn charon: 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
>> >>>>>> Dec 11 12:47:54 vpn charon: 09[IKE] sending cert request for "C=US, O=ThatsUs, CN=strongSwan Root CA"
>> >>>>>> Dec 11 12:47:54 vpn charon: 09[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
>> >>>>>> Dec 11 12:47:54 vpn charon: 09[NET] sending packet: from [vpn ip][500] to [client ip][500] (310 bytes)
>> >>>>>> Dec 11 12:47:54 vpn charon: 03[NET] sending packet: from [vpn ip][500] to [client ip][500]
>> >>>>>> Dec 11 12:47:54 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
>> >>>>>> Dec 11 12:47:54 vpn charon: 02[NET] waiting for data on sockets
>> >>>>>> Dec 11 12:47:54 vpn charon: 10[NET] received packet: from [client ip][500] to [vpn ip][500] (1492 bytes)
>> >>>>>> Dec 11 12:47:54 vpn charon: 10[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
>> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE] ignoring certificate request without data
>> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE] received end entity cert "C=US, O=ThatsUs, CN=ctmoore at example.com"
>> >>>>>> Dec 11 12:47:54 vpn charon: 10[CFG] looking for RSA signature peer configs matching [vpn ip]...[client ip][C=US, O=ThatsUs, CN=ctmoore at example.com]
>> >>>>>> Dec 11 12:47:54 vpn charon: 10[CFG]   candidate "roadwarrior-ikev1", match: 1/1/1052 (me/other/ike)
>> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE] found 1 matching config, but none allows RSA signature authentication using Main Mode
>> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE] queueing INFORMATIONAL task
>> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE] activating new tasks
>> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE]   activating INFORMATIONAL task
>> >>>>>> Dec 11 12:47:54 vpn charon: 10[ENC] generating INFORMATIONAL_V1 request 2651689082 [ HASH N(AUTH_FAILED) ]
>> >>>>>> Dec 11 12:47:54 vpn charon: 10[NET] sending packet: from [vpn ip][500] to [client ip][500] (84 bytes)
>> >>>>>> Dec 11 12:47:54 vpn charon: 10[IKE] IKE_SA (unnamed)[3] state change: CONNECTING => DESTROYING
>> >>>>>> Dec 11 12:47:54 vpn charon: 03[NET] sending packet: from [vpn ip][500] to [client ip][500]
>> >>>>>> Dec 11 12:47:57 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
>> >>>>>> Dec 11 12:47:57 vpn charon: 02[NET] waiting for data on sockets
>> >>>>>> Dec 11 12:48:00 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
>> >>>>>> Dec 11 12:48:00 vpn charon: 02[NET] waiting for data on sockets
>> >>>>>> Dec 11 12:48:03 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
>> >>>>>> Dec 11 12:48:03 vpn charon: 02[NET] waiting for data on sockets
>> >>>>>> Dec 11 12:48:06 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
>> >>>>>> Dec 11 12:48:06 vpn charon: 02[NET] waiting for data on sockets
>> >>>>>> Dec 11 12:48:09 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
>> >>>>>> Dec 11 12:48:09 vpn charon: 02[NET] waiting for data on sockets
>> >>>>>> Dec 11 12:48:16 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
>> >>>>>> Dec 11 12:48:16 vpn charon: 02[NET] waiting for data on sockets
>> >>>>>> Dec 11 12:48:19 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
>> >>>>>> Dec 11 12:48:19 vpn charon: 02[NET] waiting for data on sockets
>> >>>>>> Dec 11 12:48:22 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
>> >>>>>> Dec 11 12:48:22 vpn charon: 02[NET] waiting for data on sockets
>> >>>>>> Dec 11 12:48:24 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
>> >>>>>> Dec 11 12:48:24 vpn charon: 02[NET] waiting for data on sockets
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[NET] received packet: from [client ip][500] to [vpn ip][500] (300 bytes)
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V ]
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] looking for an ike config for [vpn ip]...[client ip]
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG]   candidate: [vpn ip]...%any, prio 1052
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] found matching ike config: [vpn ip]...%any with prio 1052
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received NAT-T (RFC 3947) vendor ID
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] received DPD vendor ID
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] [client ip] is initiating a Main Mode IKE_SA
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] selecting proposal:
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] selecting proposal:
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] selecting proposal:
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG]   proposal matches
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] sending XAuth vendor ID
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] sending DPD vendor ID
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[IKE] sending NAT-T (RFC 3947) vendor ID
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[ENC] generating ID_PROT response 0 [ SA V V V ]
>> >>>>>> Dec 11 12:48:24 vpn charon: 04[NET] sending packet: from [vpn ip][500] to [client ip][500] (132 bytes)
>> >>>>>> Dec 11 12:48:24 vpn charon: 03[NET] sending packet: from [vpn ip][500] to [client ip][500]
>> >>>>>> Dec 11 12:48:24 vpn charon: 02[NET] received packet: from [client ip][500] to [vpn ip][500]
>> >>>>>> Dec 11 12:48:24 vpn charon: 02[NET] waiting for data on sockets
>> >>>>>> Dec 11 12:48:24 vpn charon: 09[NET] received packet: from [client ip][500] to [vpn ip][500] (228 bytes)
>> >>>>>> Dec 11 12:48:24 vpn charon: 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
>> >>>>>> Dec 11 12:48:24 vpn charon: 09[IKE] sending cert request for "C=US, O=ThatsUs, CN=strongSwan Root CA"
>> >>>>>> Dec 11 12:48:24 vpn charon: 09[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
>> >>>>>> Dec 11 12:48:24 vpn charon: 09[NET] sending packet: from [vpn ip][500] to [client ip][500] (310 bytes)
>> >>>>>> Dec 11 12:48:24 vpn charon: 03[NET] sending packet: from [vpn ip][500] to [client ip][500]
>> >>>>>> Dec 11 12:48:54 vpn charon: 10[JOB] deleting half open IKE_SA after timeout
>> >>>>>> Dec 11 12:48:54 vpn charon: 10[IKE] IKE_SA (unnamed)[4] state change: CONNECTING => DESTROYING
>> >>>>> _______________________________________________
>> >>>>> Users mailing list
>> >>>>> Users at lists.strongswan.org
>> >>>>> https://lists.strongswan.org/mailman/listinfo/users
>
>


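Added example, not code from the thread or from the strongSwan project: a small Python triage of the two log formats quoted above, charon on the strongSwan responder and racoon/pppd on the Mac. It groups charon lines into Main Mode attempts and reports how far each got and which failure charon logged, and pulls the phase 1 failure point and IKE error out of the client's system.log. The sample lines are constructed to mirror the thread (the client address is a documentation IP), and the message formats are the ones that appear in the quoted logs.

```python
"""Triage of IKEv1 Main Mode attempts from strongSwan charon (responder) and macOS
racoon/pppd (initiator) log lines, in the formats quoted in the thread. Samples are constructed."""
import re

CHARON = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: '
                    r'(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$')

# Milestones a Main Mode responder logs, in the order they are reached.
STAGES = [
    ('proposal',    re.compile(r'selected proposal: (?P<d>\S+)')),
    ('peer_cert',   re.compile(r'received end entity cert "(?P<d>[^"]+)"')),
    ('peer_config', re.compile(r'selected peer config "(?P<d>[^"]+)"')),
    ('peer_auth',   re.compile(r"authentication of '(?P<d>[^']+)' with RSA successful")),
    ('established', re.compile(r'IKE_SA (?P<d>\S+) established')),
]
# Ways charon reports the exchange breaking down; the first hit per attempt is kept.
FAILURES = [
    ('no_config_allows_auth', re.compile(r'found \d+ matching config, but none allows (?P<d>.+)')),
    ('auth_failed_notify',    re.compile(r'INFORMATIONAL_V1 request \d+ \[ HASH N\((?P<d>AUTH_FAILED)\) \]')),
    ('half_open_timeout',     re.compile(r'deleting half open IKE_SA after (?P<d>timeout)')),
    ('decrypt_failed',        re.compile(r'(?P<d>invalid HASH_V1 payload length), decryption failed')),
]
INITIATING = re.compile(r'is initiating a Main Mode IKE_SA')
NEW_SA = re.compile(r'IKE_SA (?P<sa>\S+) state change: CREATED => CONNECTING')


def triage_charon(lines):
    """Group charon lines into Main Mode attempts; per attempt, report the furthest
    milestone reached and the first failure logged (both None if never seen)."""
    attempts, cur = [], None
    for line in lines:
        m = CHARON.match(line)
        if not m:
            continue                           # pppd, kernel, other daemons
        msg = m.group('msg')
        if cur is None or INITIATING.search(msg):
            cur = {'sa': '?', 'stage': None, 'stage_detail': None,
                   'failure': None, 'failure_detail': None}
            attempts.append(cur)
        sa = NEW_SA.search(msg)
        if sa:
            cur['sa'] = sa.group('sa')
        for name, pat in STAGES:               # later milestones overwrite earlier ones
            hit = pat.search(msg)
            if hit:
                cur['stage'], cur['stage_detail'] = name, hit.group('d')
        for name, pat in FAILURES:
            hit = pat.search(msg)
            if hit and cur['failure'] is None:
                cur['failure'], cur['failure_detail'] = name, hit.group('d')
    return attempts


RACOON_AUTH = re.compile(r'racoon\[\d+\]: IKEv1 Phase1 AUTH: failed\. '
                         r'\((?P<role>\w+), (?P<mode>[\w-]+) Message (?P<n>\d+)\)')
PPPD_ERR = re.compile(r'pppd\[\d+\]: IPSec connection failed <IKE Error (?P<code>\d+) '
                      r'\((?P<hex>0x[0-9a-fA-F]+)\) (?P<reason>[^>]+)>')


def triage_racoon(lines):
    """Client-side view from system.log: the Main Mode message at which phase 1
    authentication failed and the IKE error pppd surfaced."""
    out = {'phase1_failed_at': None, 'ike_error': None, 'reason': None}
    for line in lines:
        m = RACOON_AUTH.search(line)
        if m:
            out['phase1_failed_at'] = '%s message %s (%s)' % (m.group('mode'), m.group('n'), m.group('role'))
        m = PPPD_ERR.search(line)
        if m:
            out['ike_error'], out['reason'] = int(m.group('code')), m.group('reason')
    return out


# Constructed sample: attempt [3] is rejected at config matching, attempt [4]
# stalls after proposal selection and is torn down as half-open.
CHARON_SAMPLE = """\
Dec 11 12:47:54 vpn charon: 04[IKE] 203.0.113.7 is initiating a Main Mode IKE_SA
Dec 11 12:47:54 vpn charon: 04[IKE] IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
Dec 11 12:47:54 vpn charon: 04[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Dec 11 12:47:54 vpn charon: 10[IKE] received end entity cert "C=US, O=ThatsUs, CN=ctmoore@example.com"
Dec 11 12:47:54 vpn charon: 10[IKE] found 1 matching config, but none allows RSA signature authentication using Main Mode
Dec 11 12:47:54 vpn charon: 10[ENC] generating INFORMATIONAL_V1 request 2651689082 [ HASH N(AUTH_FAILED) ]
Dec 11 12:47:54 vpn charon: 10[IKE] IKE_SA (unnamed)[3] state change: CONNECTING => DESTROYING
Dec 11 12:48:24 vpn charon: 04[IKE] 203.0.113.7 is initiating a Main Mode IKE_SA
Dec 11 12:48:24 vpn charon: 04[IKE] IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
Dec 11 12:48:24 vpn charon: 04[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Dec 11 12:48:54 vpn charon: 10[JOB] deleting half open IKE_SA after timeout
""".splitlines()

# Constructed client side (system.log keeps each entry on one line; the thread wrapped them).
MAC_SAMPLE = """\
Dec 12 18:28:18 minerva racoon[2350]: IKEv1 Phase1 AUTH: failed. (Initiator, Main-Mode Message 6).
Dec 12 18:28:18 minerva pppd[2349]: IPSec connection failed <IKE Error 22 (0x16) Invalid cert authority>
""".splitlines()
```

Run `triage_charon(CHARON_SAMPLE)` and `triage_racoon(MAC_SAMPLE)` to see the two sides of the same failed exchange side by side; feeding it the Dec 12 log shows an attempt that reaches `established` and then fails with `decrypt_failed`.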