[strongSwan] questions on syslog output; linux server/mac client RSA certificate auth

Noel Kuntze noel at familie-kuntze.de
Wed Dec 17 22:26:14 CET 2014



Hello Cindy,

Does that client_ip in [1] represent the exchanged virtual IP or
the public IP of the client? If it does, then it doesn't work together with
rightsourceip. Please unset it by specifying an empty value ("rightsourceip= ")
and test it again.
You might also want to look at the client settings to see if you can somehow
make your client request a virtual IP.

[1] Dec 17 07:33:46 vpn charon: 15[CFG] looking for a child config for vpn_ip/32[udp/l2f] === client_ip/32[udp/62338]

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 17.12.2014 um 21:36 schrieb Cindy Moore:
> OK, ipsec.conf, strongswan.conf and mods:
> https://bpaste.net/show/b25f29e5f4d0
>
> On Wed, Dec 17, 2014 at 12:24 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> Hello Cindy,
>
> Well, paste your ipsec.conf and strongswan.conf, as well as any files
> you modified in /etc/strongswan.d/ to a pastebin service.
> (bpaste.net for example).
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 17.12.2014 um 21:25 schrieb Cindy Moore:
> >>> Not at all... what's the best way to show you that?  Eg ipsec listall?
> >>>  The strongswan.conf just pulls in everything from strongswan.d/, I
> >>> can list those.  Let me know.
> >>>
> >>> On Wed, Dec 17, 2014 at 12:19 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >>> Hello Cindy,
> >>>
> >>> Yes, I'm talking about setting up a daemon on the server.
> >>> Do you mind posting the current configuration of strongSwan
> >>> on the server?
> >>>
> >>> Mit freundlichen Grüßen/Regards,
> >>> Noel Kuntze
> >>>
> >>> GPG Key ID: 0x63EC6658
> >>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >>>
> >>> Am 17.12.2014 um 21:08 schrieb Cindy Moore:
> >>>>>> Hm, I have leftsubnet=0.0.0.0/0
> >>>>>> But since it's a roadwarrior configuration, I haven't set the
> >>>>>> rightsubnet at all (on the server).
> >>>>>> Are you talking about configuring xl2tp or another l2tp daemon on the
> >>>>>> server or on the client?
> >>>>>>
> >>>>>> Thanks,
> >>>>>> --Cindy
> >>>>>>
> >>>>>> On Wed, Dec 17, 2014 at 12:00 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >>>>>> Hello Cindy,
> >>>>>>
> >>>>>> I think the client wants to negotiate a TS covering only the IPs with the udp port for l2tp
> >>>>>> on the left and udp port 62338 on the other side. Make sure your configured
> >>>>>> leftsubnet and rightsubnet contain that combination. It seems you'll probably also have to fiddle around
> >>>>>> with xl2tp or another l2tp daemon to make your Mac OS X configuration work.
> >>>>>>
> >>>>>> Mit freundlichen Grüßen/Regards,
> >>>>>> Noel Kuntze
> >>>>>>
> >>>>>> GPG Key ID: 0x63EC6658
> >>>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >>>>>>
> >>>>>> Am 17.12.2014 um 19:30 schrieb Cindy Moore:
> >>>>>>>>> Hm, can this portion be explained in a bit more detail?
> >>>>>>>>>
> >>>>>>>>> Dec 17 07:33:46 vpn charon: 15[ENC] parsed QUICK_MODE request
> >>>>>>>>> 4114711345 [ HASH SA No ID ID NAT-OA NAT-OA ]
> >>>>>>>>> Dec 17 07:33:46 vpn charon: 15[IKE] changing received traffic
> >>>>>>>>> selectors 10.0.1.32/32[udp/62338]=== vpn_ip/32[udp/l2f] due to NAT
> >>>>>>>>> Dec 17 07:33:46 vpn charon: 15[CFG] looking for a child config for
> >>>>>>>>> vpn_ip/32[udp/l2f] === client_ip/32[udp/62338]
> >>>>>>>>> Dec 17 07:33:46 vpn charon: 15[CFG] proposing traffic selectors for us:
> >>>>>>>>> Dec 17 07:33:46 vpn charon: 15[CFG]  0.0.0.0/0
> >>>>>>>>> Dec 17 07:33:46 vpn charon: 15[CFG] proposing traffic selectors for other:
> >>>>>>>>> Dec 17 07:33:46 vpn charon: 15[CFG]  dynamic
> >>>>>>>>> Dec 17 07:33:46 vpn charon: 15[IKE] no matching CHILD_SA config found
> >>>>>>>>>
> >>>>>>>>> Looks for a child config, doesn't find one, what's going on here?
> >>>>>>>>>
> >>>>>>>>> On Wed, Dec 17, 2014 at 7:57 AM, Cindy Moore <ctmoore at cs.ucsd.edu> wrote:
> >>>>>>>>>> Maybe I'm just being dense, but what is "Main Mode"?
> >>>>>>>>>>
> >>>>>>>>>> OK, the reason I had xauth-noauth is that I was under the impression
> >>>>>>>>>> Mac OS X *required* xauth because of ikev1. So removing that line from
> >>>>>>>>>> the conn, I get this.  It looks more successful on the server side
> >>>>>>>>>> (I'm not seeing the messages I was asking about last time), and the
> >>>>>>>>>> same on the client side.  At this point, it looks like they connect up
> >>>>>>>>>> but then don't "hear" each other.  Any thoughts?
> >>>>>>>>>>
> >>>>>>>>>> (on linux server, /var/log/syslog)
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[NET] received packet: from
> >>>>>>>>>> client_ip[500] to vpn_ip[500] (300 bytes)
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[ENC] parsed ID_PROT request 0 [ SA V V
> >>>>>>>>>> V V V V V V V V V ]
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG] looking for an ike config for
> >>>>>>>>>> vpn_ip...client_ip
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG]   candidate: vpn_ip...%any, prio 1052
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG]   candidate: vpn_ip...%any, prio 1052
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG] found matching ike config:
> >>>>>>>>>> vpn_ip...%any with prio 1052
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] received
> >>>>>>>>>> draft-ietf-ipsec-nat-t-ike vendor ID
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] received
> >>>>>>>>>> draft-ietf-ipsec-nat-t-ike-08 vendor ID
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] received
> >>>>>>>>>> draft-ietf-ipsec-nat-t-ike-07 vendor ID
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] received
> >>>>>>>>>> draft-ietf-ipsec-nat-t-ike-06 vendor ID
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] received
> >>>>>>>>>> draft-ietf-ipsec-nat-t-ike-05 vendor ID
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] received
> >>>>>>>>>> draft-ietf-ipsec-nat-t-ike-04 vendor ID
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] received
> >>>>>>>>>> draft-ietf-ipsec-nat-t-ike-03 vendor ID
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] received
> >>>>>>>>>> draft-ietf-ipsec-nat-t-ike-02 vendor ID
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] received
> >>>>>>>>>> draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] received DPD vendor ID
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] client_ip is initiating a Main Mode IKE_SA
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] IKE_SA (unnamed)[1] state change:
> >>>>>>>>>> CREATED => CONNECTING
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG] selecting proposal:
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG] selecting proposal:
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG] selecting proposal:
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG]   proposal matches
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG] received proposals:
> >>>>>>>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG] configured proposals:
> >>>>>>>>>> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
> >>>>>>>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
> >>>>>>>>>> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG] selected proposal:
> >>>>>>>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] sending XAuth vendor ID
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] sending DPD vendor ID
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] sending NAT-T (RFC 3947) vendor ID
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[ENC] generating ID_PROT response 0 [ SA V V V ]
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[NET] sending packet: from vpn_ip[500]
> >>>>>>>>>> to client_ip[500] (132 bytes)
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 03[NET] sending packet: from vpn_ip[500]
> >>>>>>>>>> to client_ip[500]
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 01[NET] received packet: from
> >>>>>>>>>> client_ip[500] to vpn_ip[500]
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 01[NET] waiting for data on sockets
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 04[NET] received packet: from
> >>>>>>>>>> client_ip[500] to vpn_ip[500] (228 bytes)
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 04[ENC] parsed ID_PROT request 0 [ KE No
> >>>>>>>>>> NAT-D NAT-D ]
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 04[IKE] remote host is behind NAT
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 04[IKE] sending cert request for "C=US,
> >>>>>>>>>> O=ThatsUs, CN=strongSwan Root CA"
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 04[ENC] generating ID_PROT response 0 [ KE
> >>>>>>>>>> No CERTREQ NAT-D NAT-D ]
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 04[NET] sending packet: from vpn_ip[500]
> >>>>>>>>>> to client_ip[500] (310 bytes)
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 03[NET] sending packet: from vpn_ip[500]
> >>>>>>>>>> to client_ip[500]
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 01[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 01[NET] waiting for data on sockets
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (1492 bytes)
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[ENC] parsed ID_PROT request 0 [ ID CERT
> >>>>>>>>>> SIG CERTREQ N(INITIAL_CONTACT) ]
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[IKE] ignoring certificate request without data
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[IKE] received end entity cert "C=US,
> >>>>>>>>>> O=ThatsUs, CN=cindy at example.com"
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG] looking for RSA signature peer
> >>>>>>>>>> configs matching vpn_ip...client_ip[C=US, O=ThatsUs,
> >>>>>>>>>> CN=cindy at example.com]
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG]   candidate "roadwarrior-ikev1",
> >>>>>>>>>> match: 1/1/1052 (me/other/ike)
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG]   candidate "rw-ctmoore", match:
> >>>>>>>>>> 1/20/1052 (me/other/ike)
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG] selected peer config "roadwarrior-ikev1"
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG]   using certificate "C=US,
> >>>>>>>>>> O=ThatsUs, CN=cindy at example.com"
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG]   certificate "C=US, O=ThatsUs,
> >>>>>>>>>> CN=cindy at example.com" key: 2048 bit RSA
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG]   using trusted ca certificate
> >>>>>>>>>> "C=US, O=ThatsUs, CN=strongSwan Root CA"
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG] checking certificate status of
> >>>>>>>>>> "C=US, O=ThatsUs, CN=cindy at example.com"
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG] ocsp check skipped, no ocsp found
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG] certificate status is not available
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG]   certificate "C=US, O=ThatsUs,
> >>>>>>>>>> CN=strongSwan Root CA" key: 4096 bit RSA
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG]   reached self-signed root ca with
> >>>>>>>>>> a path length of 0
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[IKE] authentication of 'C=US,
> >>>>>>>>>> O=ThatsUs, CN=cindy at example.com' with RSA successful
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[IKE] authentication of 'C=US,
> >>>>>>>>>> O=ThatsUs, CN=vpn.example.com' (myself) successful
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[IKE] IKE_SA roadwarrior-ikev1[1]
> >>>>>>>>>> established between vpn_ip[C=US, O=ThatsUs,
> >>>>>>>>>> CN=vpn.example.com]...client_ip[C=US, O=ThatsUs, CN=cindy at example.com]
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[IKE] IKE_SA roadwarrior-ikev1[1] state
> >>>>>>>>>> change: CONNECTING => ESTABLISHED
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[IKE] scheduling reauthentication in 3293s
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[IKE] maximum IKE_SA lifetime 3473s
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[IKE] sending end entity cert "C=US,
> >>>>>>>>>> O=ThatsUs, CN=vpn.example.com"
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[ENC] generating ID_PROT response 0 [ ID
> >>>>>>>>>> CERT SIG ]
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[NET] sending packet: from vpn_ip[4500]
> >>>>>>>>>> to client_ip[38391] (1484 bytes)
> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 03[NET] sending packet: from vpn_ip[4500]
> >>>>>>>>>> to client_ip[38391]
> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 01[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 01[NET] waiting for data on sockets
> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (252 bytes)
> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[ENC] parsed QUICK_MODE request
> >>>>>>>>>> 4114711345 [ HASH SA No ID ID NAT-OA NAT-OA ]
> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[IKE] changing received traffic
> >>>>>>>>>> selectors 10.0.1.32/32[udp/62338]=== vpn_ip/32[udp/l2f] due to NAT
> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[CFG] looking for a child config for
> >>>>>>>>>> vpn_ip/32[udp/l2f] === client_ip/32[udp/62338]
> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[CFG] proposing traffic selectors for us:
> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[CFG]  0.0.0.0/0
> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[CFG] proposing traffic selectors for other:
> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[CFG]  dynamic
> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[IKE] no matching CHILD_SA config found
> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[IKE] queueing INFORMATIONAL task
> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[IKE] activating new tasks
> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[IKE]   activating INFORMATIONAL task
> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[ENC] generating INFORMATIONAL_V1
> >>>>>>>>>> request 2161614569 [ HASH N(INVAL_ID) ]
> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[NET] sending packet: from vpn_ip[4500]
> >>>>>>>>>> to client_ip[38391] (76 bytes)
> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[IKE] activating new tasks
> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[IKE] nothing to initiate
> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 03[NET] sending packet: from vpn_ip[4500]
> >>>>>>>>>> to client_ip[38391]
> >>>>>>>>>> Dec 17 07:33:49 vpn charon: 01[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
> >>>>>>>>>> Dec 17 07:33:49 vpn charon: 01[NET] waiting for data on sockets
> >>>>>>>>>> Dec 17 07:33:49 vpn charon: 05[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (252 bytes)
> >>>>>>>>>> Dec 17 07:33:49 vpn charon: 05[IKE] received retransmit of request
> >>>>>>>>>> with ID 4114711345, but no response to retransmit
> >>>>>>>>>> Dec 17 07:33:52 vpn charon: 01[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
> >>>>>>>>>> Dec 17 07:33:52 vpn charon: 01[NET] waiting for data on sockets
> >>>>>>>>>> Dec 17 07:33:52 vpn charon: 06[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (252 bytes)
> >>>>>>>>>> Dec 17 07:33:52 vpn charon: 06[IKE] received retransmit of request
> >>>>>>>>>> with ID 4114711345, but no response to retransmit
> >>>>>>>>>> Dec 17 07:33:55 vpn charon: 01[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
> >>>>>>>>>> Dec 17 07:33:55 vpn charon: 01[NET] waiting for data on sockets
> >>>>>>>>>> Dec 17 07:33:55 vpn charon: 07[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (252 bytes)
> >>>>>>>>>> Dec 17 07:33:55 vpn charon: 07[IKE] received retransmit of request
> >>>>>>>>>> with ID 4114711345, but no response to retransmit
> >>>>>>>>>> Dec 17 07:33:58 vpn charon: 01[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
> >>>>>>>>>> Dec 17 07:33:58 vpn charon: 01[NET] waiting for data on sockets
> >>>>>>>>>> Dec 17 07:33:58 vpn charon: 08[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (252 bytes)
> >>>>>>>>>> Dec 17 07:33:58 vpn charon: 08[IKE] received retransmit of request
> >>>>>>>>>> with ID 4114711345, but no response to retransmit
> >>>>>>>>>> Dec 17 07:34:01 vpn charon: 01[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
> >>>>>>>>>> Dec 17 07:34:01 vpn charon: 01[NET] waiting for data on sockets
> >>>>>>>>>> Dec 17 07:34:01 vpn charon: 09[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (252 bytes)
> >>>>>>>>>> Dec 17 07:34:01 vpn charon: 09[IKE] received retransmit of request
> >>>>>>>>>> with ID 4114711345, but no response to retransmit
> >>>>>>>>>> Dec 17 07:34:04 vpn charon: 01[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
> >>>>>>>>>> Dec 17 07:34:04 vpn charon: 01[NET] waiting for data on sockets
> >>>>>>>>>> Dec 17 07:34:04 vpn charon: 10[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (252 bytes)
> >>>>>>>>>> Dec 17 07:34:04 vpn charon: 10[IKE] received retransmit of request
> >>>>>>>>>> with ID 4114711345, but no response to retransmit
> >>>>>>>>>> Dec 17 07:34:07 vpn charon: 01[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
> >>>>>>>>>> Dec 17 07:34:07 vpn charon: 01[NET] waiting for data on sockets
> >>>>>>>>>> Dec 17 07:34:07 vpn charon: 11[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (252 bytes)
> >>>>>>>>>> Dec 17 07:34:07 vpn charon: 11[IKE] received retransmit of request
> >>>>>>>>>> with ID 4114711345, but no response to retransmit
> >>>>>>>>>> Dec 17 07:34:10 vpn charon: 01[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
> >>>>>>>>>> Dec 17 07:34:10 vpn charon: 01[NET] waiting for data on sockets
> >>>>>>>>>> Dec 17 07:34:10 vpn charon: 12[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (252 bytes)
> >>>>>>>>>> Dec 17 07:34:10 vpn charon: 12[IKE] received retransmit of request
> >>>>>>>>>> with ID 4114711345, but no response to retransmit
> >>>>>>>>>> Dec 17 07:34:13 vpn charon: 01[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
> >>>>>>>>>> Dec 17 07:34:13 vpn charon: 01[NET] waiting for data on sockets
> >>>>>>>>>> Dec 17 07:34:13 vpn charon: 04[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (252 bytes)
> >>>>>>>>>> Dec 17 07:34:13 vpn charon: 04[IKE] received retransmit of request
> >>>>>>>>>> with ID 4114711345, but no response to retransmit
> >>>>>>>>>> Dec 17 07:34:16 vpn charon: 01[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
> >>>>>>>>>> Dec 17 07:34:16 vpn charon: 01[NET] waiting for data on sockets
> >>>>>>>>>> Dec 17 07:34:16 vpn charon: 14[NET] received packet: from
> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (84 bytes)
> >>>>>>>>>> Dec 17 07:34:16 vpn charon: 14[ENC] parsed INFORMATIONAL_V1 request
> >>>>>>>>>> 2185990223 [ HASH D ]
> >>>>>>>>>> Dec 17 07:34:16 vpn charon: 14[IKE] received DELETE for IKE_SA
> >>>>>>>>>> roadwarrior-ikev1[1]
> >>>>>>>>>> Dec 17 07:34:16 vpn charon: 14[IKE] deleting IKE_SA
> >>>>>>>>>> roadwarrior-ikev1[1] between vpn_ip[C=US, O=ThatsUs,
> >>>>>>>>>> CN=vpn.example.com]...client_ip[C=US, O=ThatsUs, CN=cindy at example.com]
> >>>>>>>>>> Dec 17 07:34:16 vpn charon: 14[IKE] IKE_SA roadwarrior-ikev1[1] state
> >>>>>>>>>> change: ESTABLISHED => DELETING
> >>>>>>>>>> Dec 17 07:34:16 vpn charon: 14[IKE] IKE_SA roadwarrior-ikev1[1] state
> >>>>>>>>>> change: DELETING => DELETING
> >>>>>>>>>> Dec 17 07:34:16 vpn charon: 14[IKE] IKE_SA roadwarrior-ikev1[1] state
> >>>>>>>>>> change: DELETING => DESTROYING
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> (on mac client, /var/log/system.log)
> >>>>>>>>>> Dec 17 07:33:44 macbook pro pppd[4619]: pppd 2.4.2 (Apple version
> >>>>>>>>>> 412.5.70) started by mac_owner, uid 501
> >>>>>>>>>> Dec 17 07:33:44 macbook pro pppd[4619]: L2TP connecting to server
> >>>>>>>>>> 'vpn.example.com' (vpn_ip)...
> >>>>>>>>>> Dec 17 07:33:44 macbook pro pppd[4619]: IPSec connection started
> >>>>>>>>>> Dec 17 07:33:45 macbook pro racoon[4620]: Connecting.
> >>>>>>>>>> Dec 17 07:33:45 macbook pro racoon[4620]: IKE Packet: transmit
> >>>>>>>>>> success. (Initiator, Main-Mode message 1).
> >>>>>>>>>> Dec 17 07:33:45 macbook pro racoon[4620]: IKE Packet: receive success.
> >>>>>>>>>> (Initiator, Main-Mode message 2).
> >>>>>>>>>> Dec 17 07:33:45 macbook pro racoon[4620]: IKE Packet: transmit
> >>>>>>>>>> success. (Initiator, Main-Mode message 3).
> >>>>>>>>>> Dec 17 07:33:45 macbook pro racoon[4620]: IKE Packet: receive success.
> >>>>>>>>>> (Initiator, Main-Mode message 4).
> >>>>>>>>>> Dec 17 07:33:45 macbook pro racoon[4620]: IKE Packet: transmit
> >>>>>>>>>> success. (Initiator, Main-Mode message 5).
> >>>>>>>>>> Dec 17 07:33:45 macbook pro racoon[4620]: IKEv1 Phase1 AUTH: success.
> >>>>>>>>>> (Initiator, Main-Mode Message 6).
> >>>>>>>>>> Dec 17 07:33:45 macbook pro racoon[4620]: IKE Packet: receive success.
> >>>>>>>>>> (Initiator, Main-Mode message 6).
> >>>>>>>>>> Dec 17 07:33:45 macbook pro racoon[4620]: IKEv1 Phase1 Initiator:
> >>>>>>>>>> success. (Initiator, Main-Mode).
> >>>>>>>>>> Dec 17 07:33:46 macbook pro racoon[4620]: IKE Packet: transmit
> >>>>>>>>>> success. (Initiator, Quick-Mode message 1).
> >>>>>>>>>> Dec 17 07:33:46 macbook pro racoon[4620]: IKE Packet: receive success.
> >>>>>>>>>> (Information message).
> >>>>>>>>>> Dec 17 07:33:49 macbook pro racoon[4620]: IKE Packet: transmit
> >>>>>>>>>> success. (Phase2 Retransmit).
> >>>>>>>>>> Dec 17 07:33:55 macbook pro racoon[4620]: IKE Packet: transmit
> >>>>>>>>>> success. (Phase2 Retransmit).
> >>>>>>>>>> Dec 17 07:34:04 macbook pro racoon[4620]: IKE Packet: transmit
> >>>>>>>>>> success. (Phase2 Retransmit).
> >>>>>>>>>> Dec 17 07:34:13 macbook pro racoon[4620]: IKE Packet: transmit
> >>>>>>>>>> success. (Phase2 Retransmit).
> >>>>>>>>>> Dec 17 07:34:16 macbook pro pppd[4619]: IPSec connection failed
> >>>>>>>>>> Dec 17 07:34:16 macbook pro racoon[4620]: IKE Packet: transmit
> >>>>>>>>>> success. (Information message).
> >>>>>>>>>> Dec 17 07:34:16 macbook pro racoon[4620]: IKEv1 Information-Notice:
> >>>>>>>>>> transmit success. (Delete ISAKMP-SA).
> >>>>>>>>>> Dec 17 07:34:16 macbook pro racoon[4620]: Disconnecting. (Connection
> >>>>>>>>>> tried to negotiate for, 31.608495 seconds).
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> On Wed, Dec 17, 2014 at 1:08 AM, Martin Willi <martin at strongswan.org> wrote:
> >>>>>>>>>>> Cindy,
> >>>>>>>>>>>
> >>>>>>>>>>>> 14[CFG] looking for RSA signature peer configs matching vpn_ip...client_ip[C=US, O=ThatsUs, CN=myemailaddr]
> >>>>>>>>>>>>
> >>>>>>>>>>>> Would this be as expected?  I can't figure out why it isn't trying to
> >>>>>>>>>>>> match to the vpn host certificate.
> >>>>>>>>>>>
> >>>>>>>>>>> Before looking for certificates, strongSwan looks for a configuration
> >>>>>>>>>>> that matches the proposed identities and authentication method.
> >>>>>>>>>>>
> >>>>>>>>>>>> 14[IKE] found 1 matching config, but none allows RSA signature authentication using Main Mode
> >>>>>>>>>>>>
> >>>>>>>>>>>> Can anyone tell me what this means?
> >>>>>>>>>>>
> >>>>>>>>>>> It means that the daemon couldn't find a configuration for that client
> >>>>>>>>>>> that uses RSA authentication with Main Mode.
> >>>>>>>>>>>
> >>>>>>>>>>>> 07[CFG]   rightauth=pubkey
> >>>>>>>>>>>> 07[CFG]   rightauth2=xauth-noauth
> >>>>>>>>>>>
> >>>>>>>>>>> Your config uses XAuth, that is RSA followed by username/password
> >>>>>>>>>>> authentication. This is not the same as the client expects, try to
> >>>>>>>>>>> remove the rightauth2 line to use RSA authentication only.
> >>>>>>>>>>>
> >>>>>>>>>>> Regards
> >>>>>>>>>>> Martin
> >>>>>>>>>>>
> >>>>>>>>> _______________________________________________
> >>>>>>>>> Users mailing list
> >>>>>>>>> Users at lists.strongswan.org
> >>>>>>>>> https://lists.strongswan.org/mailman/listinfo/users
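Two of the explanations in this thread describe the same server-side lookup order: Martin's point that charon first looks for a peer config that matches the proposed identities and authentication method (a conn with rightauth2=xauth-noauth is RSA followed by XAuth, which an RSA-only Main Mode client never offers), and Noel's point that the Quick Mode failure is a child config lookup, where the client's requested selectors (vpn_ip/32[udp/l2f] === client_ip/32[udp/62338]) must fit what the conn proposes, with the "dynamic" selector resolving either to a virtual IP from rightsourceip or to the client's own address. The model below is an added example, not strongSwan source and not code from anyone on this thread; it reproduces both checks over the selectors copied from the log. Everything else is constructed and assumed: the documentation-range addresses 203.0.113.1 and 198.51.100.7 standing in for vpn_ip and client_ip, the pool 10.10.10.0/24, the two conn snippets, and the function names (parse_ts, parse_conn, conn_ts, child_cfg_matches, peer_cfg_allows_rsa_main_mode). The resolution of "dynamic" follows my reading of the strongSwan documentation (assigned virtual IP if any, otherwise the peer's IKE address); confirm it against your own charon output.

```python
"""Model of the two lookups charon logs on an IKEv1 responder: peer config
(identities and authentication rounds) and child config (traffic selectors).
Added example, not strongSwan source.  Constructed: the documentation-range
addresses standing in for vpn_ip/client_ip, the two conn snippets, the pool.
A 'dynamic' selector resolves the way I read the strongSwan docs: to the
assigned virtual IP if there is one, else to the peer's IKE address.
"""
import ipaddress
import re
from dataclasses import dataclass

PROTO = {"udp": 17, "tcp": 6}
PORT_NAMES = {"l2f": 1701, "l2tp": 1701}  # charon prints the service name
ADDRS = {"vpn_ip": "203.0.113.1", "client_ip": "198.51.100.7"}  # constructed


@dataclass(frozen=True)
class TS:
    """Network plus protocol and port; 0 means 'any' for proto and port."""
    net: ipaddress.IPv4Network
    proto: int = 0
    port: int = 0

    def covers(self, other):
        return (other.net.subnet_of(self.net)
                and self.proto in (0, other.proto)
                and self.port in (0, other.port))


_LOG_TS = re.compile(r"(\S+?)(?:\[(\w+)/(\w+)\])?")


def parse_ts(text):
    """'client_ip/32[udp/62338]' as charon prints it -> TS."""
    m = _LOG_TS.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a traffic selector: {text!r}")
    addr, proto, port = m.groups()
    host, _, plen = addr.partition("/")
    net = ipaddress.IPv4Network(f"{ADDRS.get(host, host)}/{plen or 32}", strict=False)
    return TS(net, PROTO[proto] if proto else 0,
              (PORT_NAMES.get(port) or int(port)) if port else 0)


def parse_conn(text):
    """Minimal ipsec.conf conn-section reader: key=value lines into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith(("#", "conn ")):
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def conn_ts(cfg, side, ike_addr, virtual_ip=None):
    """Selector a conn proposes for 'left' or 'right': leftsubnet/rightsubnet
    (or 'dynamic' when unset) narrowed by leftprotoport/rightprotoport."""
    subnet = cfg.get(f"{side}subnet")
    net = (ipaddress.IPv4Network(subnet, strict=False) if subnet
           else ipaddress.IPv4Network(f"{virtual_ip or ike_addr}/32"))
    proto = port = 0
    if protoport := cfg.get(f"{side}protoport"):  # e.g. 17/1701 or 17/%any
        p, _, prt = protoport.partition("/")
        proto, port = int(p), (0 if prt in ("", "%any") else int(prt))
    return TS(net, proto, port)


def child_cfg_matches(cfg, request_line, virtual_ip=None):
    """The 'looking for a child config for <ours> === <theirs>' step: both
    requested selectors must fit inside what the conn proposes, else INVAL_ID."""
    ours, theirs = (parse_ts(s) for s in request_line.split("==="))
    have_me = conn_ts(cfg, "left", ADDRS["vpn_ip"])
    have_other = conn_ts(cfg, "right", ADDRS["client_ip"], virtual_ip)
    return have_me.covers(ours) and have_other.covers(theirs)


def peer_cfg_allows_rsa_main_mode(cfg):
    """Martin's point: a plain RSA Main Mode client does one authentication
    round, so a conn with rightauth2 (XAuth after RSA) is never selected."""
    first = cfg.get("rightauth") or cfg.get("authby", "pubkey")
    rounds = [first] + ([cfg["rightauth2"]] if "rightauth2" in cfg else [])
    return rounds in (["pubkey"], ["rsasig"])


# Constructed conns: the first is the shape the thread describes (any local
# subnet, no rightsubnet, a pool); the second the usual L2TP/IPsec responder
# (transport mode, our side pinned to udp/1701, client side any UDP port).
CONN_POOL = """
conn roadwarrior-ikev1
    leftsubnet=0.0.0.0/0
    rightsourceip=10.10.10.0/24
    rightauth=pubkey
"""
CONN_L2TP = """
conn l2tp-rsa
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/%any
    rightauth=pubkey
"""
REQUEST = "vpn_ip/32[udp/l2f] === client_ip/32[udp/62338]"  # from the log above
```

With CONN_POOL, child_cfg_matches(parse_conn(CONN_POOL), REQUEST) is True when "dynamic" resolves to the client's address and False when it is resolved to a pool address such as 10.10.10.1, which is exactly the distinction Noel's question draws; CONN_L2TP matches the request without a pool. peer_cfg_allows_rsa_main_mode returns False as soon as a rightauth2 line is added to either conn.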

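One detail in Cindy's server log deserves a closer look from a hardening point of view: the Phase 1 "selecting proposal" lines. The two proposals the server was configured with (AES-128/SHA1/MODP_2048 and 3DES/SHA1/MODP_1536) both fail against what the Mac offers, and the match comes from the third entry, which is the daemon's built-in default list (it still contains 3DES_CBC and MODP_1024). strongSwan appends that default to the ike= list unless the list ends with "!", so the exchange ends up on 3DES/MODP_1024 although neither configured proposal allows it. The block below is an added example, not strongSwan code, that walks the configured list the way the log shows and reproduces the three "selecting proposal" lines; the proposal strings are copied from the log, and the only constructed part is the strict flag standing in for the trailing "!" (function names alg_type, parse_proposal, configured_proposals, select_proposal are assumed for this example).

```python
"""IKE proposal selection as charon logs it on the server side above:

    selecting proposal: no acceptable ENCRYPTION_ALGORITHM found
    selecting proposal: no acceptable DIFFIE_HELLMAN_GROUP found
    selecting proposal: proposal matches
    selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

Added example, not strongSwan code.  The proposal strings are the ones in
the log; only the 'strict' switch is constructed: it stands for ending the
ike= line with '!', which (per the ipsec.conf man page) stops the daemon
from appending its default proposal.
"""

# Copied from the "configured proposals" and "received proposals" log lines.
EXPLICIT = [
    "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048",
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536",
]
DEFAULT = ("IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/"
           "HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/"
           "PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/"
           "PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/"
           "MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160")
RECEIVED = "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024"

# Transform types in the order they are checked; names as charon prints them.
TYPES = [("encr", "ENCRYPTION_ALGORITHM"), ("integ", "INTEGRITY_ALGORITHM"),
         ("prf", "PSEUDO_RANDOM_FUNCTION"), ("dh", "DIFFIE_HELLMAN_GROUP")]


def alg_type(name):
    """Classify an algorithm token by its strongSwan name."""
    if name.startswith("PRF_"):
        return "prf"
    if name.startswith(("MODP_", "ECP_")):
        return "dh"
    if name.startswith("HMAC_") or name in ("AES_XCBC_96", "AES_CMAC_96"):
        return "integ"
    return "encr"


def parse_proposal(text):
    """'IKE:ALG/ALG/...' -> {type: [algorithms in listed order]}."""
    proto, _, algs = text.partition(":")
    if proto != "IKE":
        raise ValueError(f"not an IKE proposal: {text!r}")
    out = {key: [] for key, _ in TYPES}
    for alg in algs.split("/"):
        out[alg_type(alg)].append(alg)
    return out


def configured_proposals(strict):
    """What ike= yields: the explicit list, plus the default unless it ends in '!'."""
    return EXPLICIT if strict else EXPLICIT + [DEFAULT]


def select_proposal(configured, received):
    """First configured proposal sharing an algorithm of every type with the
    received one.  Returns (index, 'IKE:...' selection, charon-style log lines)."""
    recv, log = parse_proposal(received), []
    for i, text in enumerate(configured):
        cfg, chosen = parse_proposal(text), []
        for key, name in TYPES:
            common = [a for a in recv[key] if a in cfg[key]]
            if not common:
                log.append(f"no acceptable {name} found")
                break
            chosen.append(common[0])
        else:
            log.append("proposal matches")
            return i, "IKE:" + "/".join(chosen), log
    return None, None, log


if __name__ == "__main__":
    for strict in (False, True):
        idx, sel, log = select_proposal(configured_proposals(strict), RECEIVED)
        print(f"strict={strict}:", *log, f"selected: {sel} (configured #{idx})", sep="\n  ")
```

Run as is, the non-strict pass prints the same three lines as the log and selects 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 from configured proposal #2, the appended default; the strict pass finds nothing, which is what a trailing "!" on the ike= line would do to this client until its own proposal is raised to one of the configured suites.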


