[strongSwan] questions on syslog output; linux server/mac client RSA certificate auth

Cindy Moore ctmoore at cs.ucsd.edu
Thu Dec 18 03:29:02 CET 2014


You know, the only way I seem to be able to avoid the RSA in Main Mode
error is if the conn the mac os is matching to has only left/right
auth set to pubkey.
*Anything* else, and that error returns.  I seem to be stuck at the
virtual ip address assignment.  Is this a mac os x 10.6 thing?

Frankly, our system already has a perfectly functional LDAP server;
what I really want is to just set up a vpn connection, drop in the
ldap credentials and assign virtual IP addresses (for nfs exports
within our system).

But I can't seem to escape the certification portion of the vpn
connection in the mac os (which many of our users have; it's entirely
reasonable to assume I'm going to get everything from 10.6 to 10.9)
and I can't even simply *add* rightauth2 xauth-pam to the conn above
(that gets past this) without going straight back to no RSA in Main
Mode errors. I can't make any other choice in the vpn setup on the
client side under user authentication except "RSA SecureID" without
getting the Main Mode error again.

I tried all this with a mac os x 10.7 as well.  The VPN client setup
is the same, btw -- no options for asking for a virtual ip.  Doesn't
the Mac os x do this at all?  It doesn't connect either, though the
error is different while everything about the setup other than
10.6=>10.7 is the same.


On Wed, Dec 17, 2014 at 4:59 PM, Cindy Moore <ctmoore at cs.ucsd.edu> wrote:
> Yes, that's the public ip address of the client.
>
> I went in and added
> rightsourceip=
> to the ipsec.conf (but that doesn't reflect in the syslog after doing
> an ipsec restart)
>
> I can't find anything in the vpn connection setup dialog on the mac.
> I tried checking "send all traffic thru vpn" but there was nothing
> about requesting a virtual ip.
> I also checked "more logging" but the system.log output on the mac
> client looks pretty much the same.  The relevant bits on server side
> changed a little bit:
>
> Dec 17 16:50:55 vpn charon: 03[CFG] looking for a child config for
> [vpn ip]/32[udp/l2f] === [public client ip]/32[udp/51055]
> Dec 17 16:50:55 vpn charon: 03[CFG] proposing traffic selectors for us:
> Dec 17 16:50:55 vpn charon: 03[CFG]  0.0.0.0/0
> Dec 17 16:50:55 vpn charon: 03[CFG] proposing traffic selectors for other:
> Dec 17 16:50:55 vpn charon: 03[CFG]  [public client ip]/32
> Dec 17 16:50:55 vpn charon: 03[CFG]   candidate "roadwarrior-ikev1"
> with prio 1+1
> Dec 17 16:50:55 vpn charon: 03[CFG] found matching child config
> "roadwarrior-ikev1" with prio 2
> Dec 17 16:50:55 vpn charon: 03[CFG]  config: [public client ip]/32,
> received: [public client ip]/32[udp/51055] => match: [public client
> ip]/32[udp/51055]
> Dec 17 16:50:55 vpn charon: 03[CFG] selecting traffic selectors for us:
> Dec 17 16:50:55 vpn charon: 03[CFG]  config: 0.0.0.0/0, received: [vpn
> ip]/32[udp/l2f] => match: [vpn ip]/32[udp/l2f]
> Dec 17 16:50:55 vpn charon: 03[IKE] no matching CHILD_SA config found
>
>
>
> On Wed, Dec 17, 2014 at 1:26 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Hello Cindy,
>>
>> Does that client_ip in [1] represent the exchanged virtual ip or
>> the public IP of the client? If it does, then it doesn't work together with
>> rightsourceip. Please unset it by specifying an empty value ("rightsourceip= ")
>> and test it again.
>> You might also want to look at the client settings to see if you can somehow
>> make your client request a virtual IP.
>>
>> [1] Dec 17 07:33:46 vpn charon: 15[CFG] looking for a child config for vpn_ip/32[udp/l2f] === client_ip/32[udp/62338]
>>
>> Mit freundlichen Grüßen/Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> Am 17.12.2014 um 21:36 schrieb Cindy Moore:
>>> OK, ipsec.conf, strongswan.conf and mods:
>>> https://bpaste.net/show/b25f29e5f4d0
>>>
>>> On Wed, Dec 17, 2014 at 12:24 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>>>
>>> Hello Cindy,
>>>
>>> Well, paste your ipsec.conf and strongswan.conf, as well as any files
>>> you modified in /etc/strongswan.d/ to a pastebin service.
>>> (bpaste.net for example).
>>>
>>> Mit freundlichen Grüßen/Regards,
>>> Noel Kuntze
>>>
>>> GPG Key ID: 0x63EC6658
>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>
>>> Am 17.12.2014 um 21:25 schrieb Cindy Moore:
>>> >>> Not at all... what's the best way to show you that?  E.g. ipsec listall?
>>> >>>  The strongswan.conf just pulls in everything from strongswan.d/, I
>>> >>> can list those.  Let me know.
>>> >>>
>>> >>> On Wed, Dec 17, 2014 at 12:19 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>> >>>>
>>> >>> Hello Cindy,
>>> >>>
>>> >>> Yes, I'm talking about setting up a daemon on the server.
>>> >>> Do you mind posting the current configuration of strongSwan
>>> >>> on the server?
>>> >>>
>>> >>> Mit freundlichen Grüßen/Regards,
>>> >>> Noel Kuntze
>>> >>>
>>> >>> GPG Key ID: 0x63EC6658
>>> >>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>> >>>
>>> >>> Am 17.12.2014 um 21:08 schrieb Cindy Moore:
>>> >>>>>> Hm, I have leftsubnet=0.0.0.0/0
>>> >>>>>> But since it's a roadwarrior configuration, I haven't set the
>>> >>>>>> rightsubnet at all (on the server).
>>> >>>>>> Are you talking about configuring xl2tp or another l2tp daemon on the
>>> >>>>>> server or on the client?
>>> >>>>>>
>>> >>>>>> Thanks,
>>> >>>>>> --Cindy
>>> >>>>>>
>>> >>>>>> On Wed, Dec 17, 2014 at 12:00 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>> >>>>>>>
>>> >>>>>> Hello Cindy,
>>> >>>>>>
>>> >>>>>> I think the client wants to negotiate a TS covering only the IPs with the udp port for l2tp
>>> >>>>>> on the left and udp port 62338 on the other side. Make sure your configured
>>> >>>>>> leftsubnet and rightsubnet contain that combination. It seems you'll probably also have to fiddle around
>>> >>>>>> with xl2tp or another l2tp daemon to make your Mac OSX configuration work.
>>> >>>>>>
>>> >>>>>> Mit freundlichen Grüßen/Regards,
>>> >>>>>> Noel Kuntze
>>> >>>>>>
>>> >>>>>> GPG Key ID: 0x63EC6658
>>> >>>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>> >>>>>>
>>> >>>>>> Am 17.12.2014 um 19:30 schrieb Cindy Moore:
>>> >>>>>>>>> Hm, can this portion be explained in a bit more detail?
>>> >>>>>>>>>
>>> >>>>>>>>> Dec 17 07:33:46 vpn charon: 15[ENC] parsed QUICK_MODE request
>>> >>>>>>>>> 4114711345 [ HASH SA No ID ID NAT-OA NAT-OA ]
>>> >>>>>>>>> Dec 17 07:33:46 vpn charon: 15[IKE] changing received traffic
>>> >>>>>>>>> selectors 10.0.1.32/32[udp/62338]=== vpn_ip/32[udp/l2f] due to NAT
>>> >>>>>>>>> Dec 17 07:33:46 vpn charon: 15[CFG] looking for a child config for
>>> >>>>>>>>> vpn_ip/32[udp/l2f] === client_ip/32[udp/62338]
>>> >>>>>>>>> Dec 17 07:33:46 vpn charon: 15[CFG] proposing traffic selectors for us:
>>> >>>>>>>>> Dec 17 07:33:46 vpn charon: 15[CFG]  0.0.0.0/0
>>> >>>>>>>>> Dec 17 07:33:46 vpn charon: 15[CFG] proposing traffic selectors for other:
>>> >>>>>>>>> Dec 17 07:33:46 vpn charon: 15[CFG]  dynamic
>>> >>>>>>>>> Dec 17 07:33:46 vpn charon: 15[IKE] no matching CHILD_SA config found
>>> >>>>>>>>>
>>> >>>>>>>>> Looks for a child config, doesn't find one, what's going on here?
>>> >>>>>>>>>
>>> >>>>>>>>> On Wed, Dec 17, 2014 at 7:57 AM, Cindy Moore <ctmoore at cs.ucsd.edu> wrote:
>>> >>>>>>>>>> Maybe I'm just being dense, but what is "Main Mode"?
>>> >>>>>>>>>>
>>> >>>>>>>>>> OK, the reason I had xauth-noauth is that I was under the impression
>>> >>>>>>>>>> mac os X *required* xauth because of ikev1. So removing that line from
>>> >>>>>>>>>> the conn, I get this.  It looks more successful on the server side
>>> >>>>>>>>>> (I'm not seeing the messages I was asking about last time), and the
>>> >>>>>>>>>> same on the client side.  At this point, it looks like they connect up
>>> >>>>>>>>>> but then don't "hear" each other.  Any thoughts?
>>> >>>>>>>>>>
>>> >>>>>>>>>> (on linux server, /var/log/syslog)
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[NET] received packet: from
>>> >>>>>>>>>> client_ip[500] to vpn_ip[500] (300 bytes)
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[ENC] parsed ID_PROT request 0 [ SA V V
>>> >>>>>>>>>> V V V V V V V V V ]
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG] looking for an ike confi for
>>> >>>>>>>>>> vpn_ip...client_ip
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG]   candidate: vpn_ip...%any, prio 1052
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG]   candidate: vpn_ip...%any, prio 1052
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG] found matching ike config:
>>> >>>>>>>>>> vpn_ip...%any with prio 1052
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] received
>>> >>>>>>>>>> draft-ietf-ipsec-nat-t-ike vendor ID
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] received
>>> >>>>>>>>>> draft-ietf-ipsec-nat-t-ike-08 vendor ID
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] received
>>> >>>>>>>>>> draft-ietf-ipsec-nat-t-ike-07 vendor ID
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] received
>>> >>>>>>>>>> draft-ietf-ipsec-nat-t-ike-06 vendor ID
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] received
>>> >>>>>>>>>> draft-ietf-ipsec-nat-t-ike-05 vendor ID
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] received
>>> >>>>>>>>>> draft-ietf-ipsec-nat-t-ike-04 vendor ID
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] received
>>> >>>>>>>>>> draft-ietf-ipsec-nat-t-ike-03 vendor ID
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] received
>>> >>>>>>>>>> draft-ietf-ipsec-nat-t-ike-02 vendor ID
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] received
>>> >>>>>>>>>> draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] received DPD vendor ID
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] client_ip is initiating a Main Mode IKE_SA
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] IKE_SA (unnamed)[1] state change:
>>> >>>>>>>>>> CREATED => CONNECTING
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG] selecting proposal:
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG] selecting proposal:
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG] selecting proposal:
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG]   proposal matches
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG] received proposals:
>>> >>>>>>>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG] configured proposals:
>>> >>>>>>>>>> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
>>> >>>>>>>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
>>> >>>>>>>>>> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[CFG] selected proposal:
>>> >>>>>>>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] sending XAuth vendor ID
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] sending DPD vendor ID
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[IKE] sending NAT-T (RFC 3947) vendor ID
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[ENC] generating ID_PROT response 0 [ SA V V V ]
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 12[NET] sending packet: from vpn_ip[500]
>>> >>>>>>>>>> to client_ip[500] (132 bytes)
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 03[NET] sending packet: from vpn_ip[500]
>>> >>>>>>>>>> to client_ip[500]
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 01[NET] received packet: from
>>> >>>>>>>>>> client_ip[500] to vpn_ip[500]
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 01[NET] waiting for data on sockets
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 04[NET] received packet: from
>>> >>>>>>>>>> client_ip[500] to vpn_ip[500] (228 bytes)
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 04[ENC] parsed ID_PROT request 0 [ KE No
>>> >>>>>>>>>> NAT-D NAT-D ]
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 04[IKE] remote host is behind NAT
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 04[IKE] sending cert request for "C=US,
>>> >>>>>>>>>> O=ThatsUs, CN=strongSwan Root CA"
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 04[ENC] generating ID_PROT response 0 [ KE
>>> >>>>>>>>>> No CERTREQ NAT-D NAT-D ]
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 04[NET] sending packet: from vpn_ip[500]
>>> >>>>>>>>>> to client_ip[500] (310 bytes)
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 03[NET] sending packet: from vpn_ip[500]
>>> >>>>>>>>>> to client_ip[500]
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 01[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 01[NET] waiting for data on sockets
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (1492 bytes)
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[ENC] parsed ID_PROT request 0 [ ID CERT
>>> >>>>>>>>>> SIG CERTREQ N(INITIAL_CONTACT) ]
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[IKE] ignoring certificate request without data
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[IKE] received end entity cert "C=US,
>>> >>>>>>>>>> O=ThatsUs, CN=cindy at example.com"
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG] looking for RSA signature peer
>>> >>>>>>>>>> configs matching vpn_ip...client_ip[C=US, O=ThatsUs,
>>> >>>>>>>>>> CN=cindy at example.com]
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG]   candidate "roadwarrior-ikev1",
>>> >>>>>>>>>> match: 1/1/1052 (me/other/ike)
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG]   candidate "rw-ctmoore", match:
>>> >>>>>>>>>> 1/20/1052 (me/other/ike)
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG] selected peer config "roadwarrior-ikev1"
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG]   using certificate "C=US,
>>> >>>>>>>>>> O=ThatsUs, CN=cindy at example.com"
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG]   certificate "C=US, O=ThatsUs,
>>> >>>>>>>>>> CN=cindy at example.com" key: 2048 bit RSA
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG]   using trusted ca certificate
>>> >>>>>>>>>> "C=US, O=ThatsUs, CN=strongSwan Root CA"
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG] checking certificate status of
>>> >>>>>>>>>> "C=US, O=ThatsUs, CN=cindy at example.com"
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG] ocsp check skipped, no ocsp found
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG] certificate status is not available
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG]   certificate "C=US, O=ThatsUs,
>>> >>>>>>>>>> CN=strongSwan Root CA" key: 4096 bit RSA
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[CFG]   reached self-signed root ca with
>>> >>>>>>>>>> a path length of 0
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[IKE] authentication of 'C=US,
>>> >>>>>>>>>> O=ThatsUs, CN=cindy at example.com' with RSA successful
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[IKE] authentication of 'C=US,
>>> >>>>>>>>>> O=ThatsUs, CN=vpn.example.com' (myself) successful
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[IKE] IKE_SA roadwarrior-ikev1[1]
>>> >>>>>>>>>> established between vpn_ip[C=US, O=ThatsUs,
>>> >>>>>>>>>> CN=vpn.example.com]...client_ip[C=US, O=ThatsUs, CN=cindy at example.com]
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[IKE] IKE_SA roadwarrior-ikev1[1] state
>>> >>>>>>>>>> change: CONNECTING => ESTABLISHED
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[IKE] scheduling reauthentication in 3293s
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[IKE] maximum IKE_SA lifetime 3473s
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[IKE] sending end entity cert "C=US,
>>> >>>>>>>>>> O=ThatsUs, CN=vpn.example.com"
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[ENC] generating ID_PROT response 0 [ ID
>>> >>>>>>>>>> CERT SIG ]
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 13[NET] sending packet: from vpn_ip[4500]
>>> >>>>>>>>>> to client_ip[38391] (1484 bytes)
>>> >>>>>>>>>> Dec 17 07:33:45 vpn charon: 03[NET] sending packet: from vpn_ip[4500]
>>> >>>>>>>>>> to client_ip[38391]
>>> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 01[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
>>> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 01[NET] waiting for data on sockets
>>> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (252 bytes)
>>> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[ENC] parsed QUICK_MODE request
>>> >>>>>>>>>> 4114711345 [ HASH SA No ID ID NAT-OA NAT-OA ]
>>> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[IKE] changing received traffic
>>> >>>>>>>>>> selectors 10.0.1.32/32[udp/62338]=== vpn_ip/32[udp/l2f] due to NAT
>>> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[CFG] looking for a child config for
>>> >>>>>>>>>> vpn_ip/32[udp/l2f] === client_ip/32[udp/62338]
>>> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[CFG] proposing traffic selectors for us:
>>> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[CFG]  0.0.0.0/0
>>> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[CFG] proposing traffic selectors for other:
>>> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[CFG]  dynamic
>>> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[IKE] no matching CHILD_SA config found
>>> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[IKE] queueing INFORMATIONAL task
>>> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[IKE] activating new tasks
>>> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[IKE]   activating INFORMATIONAL task
>>> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[ENC] generating INFORMATIONAL_V1
>>> >>>>>>>>>> request 2161614569 [ HASH N(INVAL_ID) ]
>>> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[NET] sending packet: from vpn_ip[4500]
>>> >>>>>>>>>> to client_ip[38391] (76 bytes)
>>> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[IKE] activating new tasks
>>> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 15[IKE] nothing to initiate
>>> >>>>>>>>>> Dec 17 07:33:46 vpn charon: 03[NET] sending packet: from vpn_ip[4500]
>>> >>>>>>>>>> to client_ip[38391]
>>> >>>>>>>>>> Dec 17 07:33:49 vpn charon: 01[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
>>> >>>>>>>>>> Dec 17 07:33:49 vpn charon: 01[NET] waiting for data on sockets
>>> >>>>>>>>>> Dec 17 07:33:49 vpn charon: 05[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (252 bytes)
>>> >>>>>>>>>> Dec 17 07:33:49 vpn charon: 05[IKE] received retransmit of request
>>> >>>>>>>>>> with ID 4114711345, but no response to retransmit
>>> >>>>>>>>>> Dec 17 07:33:52 vpn charon: 01[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
>>> >>>>>>>>>> Dec 17 07:33:52 vpn charon: 01[NET] waiting for data on sockets
>>> >>>>>>>>>> Dec 17 07:33:52 vpn charon: 06[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (252 bytes)
>>> >>>>>>>>>> Dec 17 07:33:52 vpn charon: 06[IKE] received retransmit of request
>>> >>>>>>>>>> with ID 4114711345, but no response to retransmit
>>> >>>>>>>>>> Dec 17 07:33:55 vpn charon: 01[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
>>> >>>>>>>>>> Dec 17 07:33:55 vpn charon: 01[NET] waiting for data on sockets
>>> >>>>>>>>>> Dec 17 07:33:55 vpn charon: 07[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (252 bytes)
>>> >>>>>>>>>> Dec 17 07:33:55 vpn charon: 07[IKE] received retransmit of request
>>> >>>>>>>>>> with ID 4114711345, but no response to retransmit
>>> >>>>>>>>>> Dec 17 07:33:58 vpn charon: 01[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
>>> >>>>>>>>>> Dec 17 07:33:58 vpn charon: 01[NET] waiting for data on sockets
>>> >>>>>>>>>> Dec 17 07:33:58 vpn charon: 08[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (252 bytes)
>>> >>>>>>>>>> Dec 17 07:33:58 vpn charon: 08[IKE] received retransmit of request
>>> >>>>>>>>>> with ID 4114711345, but no response to retransmit
>>> >>>>>>>>>> Dec 17 07:34:01 vpn charon: 01[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
>>> >>>>>>>>>> Dec 17 07:34:01 vpn charon: 01[NET] waiting for data on sockets
>>> >>>>>>>>>> Dec 17 07:34:01 vpn charon: 09[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (252 bytes)
>>> >>>>>>>>>> Dec 17 07:34:01 vpn charon: 09[IKE] received retransmit of request
>>> >>>>>>>>>> with ID 4114711345, but no response to retransmit
>>> >>>>>>>>>> Dec 17 07:34:04 vpn charon: 01[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
>>> >>>>>>>>>> Dec 17 07:34:04 vpn charon: 01[NET] waiting for data on sockets
>>> >>>>>>>>>> Dec 17 07:34:04 vpn charon: 10[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (252 bytes)
>>> >>>>>>>>>> Dec 17 07:34:04 vpn charon: 10[IKE] received retransmit of request
>>> >>>>>>>>>> with ID 4114711345, but no response to retransmit
>>> >>>>>>>>>> Dec 17 07:34:07 vpn charon: 01[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
>>> >>>>>>>>>> Dec 17 07:34:07 vpn charon: 01[NET] waiting for data on sockets
>>> >>>>>>>>>> Dec 17 07:34:07 vpn charon: 11[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (252 bytes)
>>> >>>>>>>>>> Dec 17 07:34:07 vpn charon: 11[IKE] received retransmit of request
>>> >>>>>>>>>> with ID 4114711345, but no response to retransmit
>>> >>>>>>>>>> Dec 17 07:34:10 vpn charon: 01[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
>>> >>>>>>>>>> Dec 17 07:34:10 vpn charon: 01[NET] waiting for data on sockets
>>> >>>>>>>>>> Dec 17 07:34:10 vpn charon: 12[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (252 bytes)
>>> >>>>>>>>>> Dec 17 07:34:10 vpn charon: 12[IKE] received retransmit of request
>>> >>>>>>>>>> with ID 4114711345, but no response to retransmit
>>> >>>>>>>>>> Dec 17 07:34:13 vpn charon: 01[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
>>> >>>>>>>>>> Dec 17 07:34:13 vpn charon: 01[NET] waiting for data on sockets
>>> >>>>>>>>>> Dec 17 07:34:13 vpn charon: 04[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (252 bytes)
>>> >>>>>>>>>> Dec 17 07:34:13 vpn charon: 04[IKE] received retransmit of request
>>> >>>>>>>>>> with ID 4114711345, but no response to retransmit
>>> >>>>>>>>>> Dec 17 07:34:16 vpn charon: 01[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500]
>>> >>>>>>>>>> Dec 17 07:34:16 vpn charon: 01[NET] waiting for data on sockets
>>> >>>>>>>>>> Dec 17 07:34:16 vpn charon: 14[NET] received packet: from
>>> >>>>>>>>>> client_ip[38391] to vpn_ip[4500] (84 bytes)
>>> >>>>>>>>>> Dec 17 07:34:16 vpn charon: 14[ENC] parsed INFORMATIONAL_V1 request
>>> >>>>>>>>>> 2185990223 [ HASH D ]
>>> >>>>>>>>>> Dec 17 07:34:16 vpn charon: 14[IKE] received DELETE for IKE_SA
>>> >>>>>>>>>> roadwarrior-ikev1[1]
>>> >>>>>>>>>> Dec 17 07:34:16 vpn charon: 14[IKE] deleting IKE_SA
>>> >>>>>>>>>> roadwarrior-ikev1[1] between vpn_ip[C=US, O=ThatsUs,
>>> >>>>>>>>>> CN=vpn.example.com]...client_ip[C=US, O=ThatsUs, CN=cindy at example.com]
>>> >>>>>>>>>> Dec 17 07:34:16 vpn charon: 14[IKE] IKE_SA roadwarrior-ikev1[1] state
>>> >>>>>>>>>> change: ESTABLISHED => DELETING
>>> >>>>>>>>>> Dec 17 07:34:16 vpn charon: 14[IKE] IKE_SA roadwarrior-ikev1[1] state
>>> >>>>>>>>>> change: DELETING => DELETING
>>> >>>>>>>>>> Dec 17 07:34:16 vpn charon: 14[IKE] IKE_SA roadwarrior-ikev1[1] state
>>> >>>>>>>>>> change: DELETING => DESTROYING
>>> >>>>>>>>>>
>>> >>>>>>>>>>
>>> >>>>>>>>>> (on mac client, /var/log/system.log)
>>> >>>>>>>>>> Dec 17 07:33:44 macbook pro pppd[4619]: pppd 2.4.2 (Apple version
>>> >>>>>>>>>> 412.5.70) started by mac_owner, uid 501
>>> >>>>>>>>>> Dec 17 07:33:44 macbook pro pppd[4619]: L2TP connecting to server
>>> >>>>>>>>>> 'vpn.example.com' (vpn_ip)...
>>> >>>>>>>>>> Dec 17 07:33:44 macbook pro pppd[4619]: IPSec connection started
>>> >>>>>>>>>> Dec 17 07:33:45 macbook pro racoon[4620]: Connecting.
>>> >>>>>>>>>> Dec 17 07:33:45 macbook pro racoon[4620]: IKE Packet: transmit
>>> >>>>>>>>>> success. (Initiator, Main-Mode message 1).
>>> >>>>>>>>>> Dec 17 07:33:45 macbook pro racoon[4620]: IKE Packet: receive success.
>>> >>>>>>>>>> (Initiator, Main-Mode message 2).
>>> >>>>>>>>>> Dec 17 07:33:45 macbook pro racoon[4620]: IKE Packet: transmit
>>> >>>>>>>>>> success. (Initiator, Main-Mode message 3).
>>> >>>>>>>>>> Dec 17 07:33:45 macbook pro racoon[4620]: IKE Packet: receive success.
>>> >>>>>>>>>> (Initiator, Main-Mode message 4).
>>> >>>>>>>>>> Dec 17 07:33:45 macbook pro racoon[4620]: IKE Packet: transmit
>>> >>>>>>>>>> success. (Initiator, Main-Mode message 5).
>>> >>>>>>>>>> Dec 17 07:33:45 macbook pro racoon[4620]: IKEv1 Phase1 AUTH: success.
>>> >>>>>>>>>> (Initiator, Main-Mode Message 6).
>>> >>>>>>>>>> Dec 17 07:33:45 macbook pro racoon[4620]: IKE Packet: receive success.
>>> >>>>>>>>>> (Initiator, Main-Mode message 6).
>>> >>>>>>>>>> Dec 17 07:33:45 macbook pro racoon[4620]: IKEv1 Phase1 Initiator:
>>> >>>>>>>>>> success. (Initiator, Main-Mode).
>>> >>>>>>>>>> Dec 17 07:33:46 macbook pro racoon[4620]: IKE Packet: transmit
>>> >>>>>>>>>> success. (Initiator, Quick-Mode message 1).
>>> >>>>>>>>>> Dec 17 07:33:46 macbook pro racoon[4620]: IKE Packet: receive success.
>>> >>>>>>>>>> (Information message).
>>> >>>>>>>>>> Dec 17 07:33:49 macbook pro racoon[4620]: IKE Packet: transmit
>>> >>>>>>>>>> success. (Phase2 Retransmit).
>>> >>>>>>>>>> Dec 17 07:33:55 macbook pro racoon[4620]: IKE Packet: transmit
>>> >>>>>>>>>> success. (Phase2 Retransmit).
>>> >>>>>>>>>> Dec 17 07:34:04 macbook pro racoon[4620]: IKE Packet: transmit
>>> >>>>>>>>>> success. (Phase2 Retransmit).
>>> >>>>>>>>>> Dec 17 07:34:13 macbook pro racoon[4620]: IKE Packet: transmit
>>> >>>>>>>>>> success. (Phase2 Retransmit).
>>> >>>>>>>>>> Dec 17 07:34:16 macbook pro pppd[4619]: IPSec connection failed
>>> >>>>>>>>>> Dec 17 07:34:16 macbook pro racoon[4620]: IKE Packet: transmit
>>> >>>>>>>>>> success. (Information message).
>>> >>>>>>>>>> Dec 17 07:34:16 macbook pro racoon[4620]: IKEv1 Information-Notice:
>>> >>>>>>>>>> transmit success. (Delete ISAKMP-SA).
>>> >>>>>>>>>> Dec 17 07:34:16 macbook pro racoon[4620]: Disconnecting. (Connection
>>> >>>>>>>>>> tried to negotiate for, 31.608495 seconds).
>>> >>>>>>>>>>
>>> >>>>>>>>>>
>>> >>>>>>>>>>
>>> >>>>>>>>>> On Wed, Dec 17, 2014 at 1:08 AM, Martin Willi <martin at strongswan.org> wrote:
>>> >>>>>>>>>>> Cindy,
>>> >>>>>>>>>>>
>>> >>>>>>>>>>>> 14[CFG] looking for RSA signature peer configs matching vpn_ip...client_ip[C=US, O=ThatsUs, CN=myemailaddr]
>>> >>>>>>>>>>>>
>>> >>>>>>>>>>>> Would this be as expected?  I can't figure out why it isn't trying to
>>> >>>>>>>>>>>> match to the vpn host certificate.
>>> >>>>>>>>>>>
>>> >>>>>>>>>>> Before looking for certificates, strongSwan looks for a configuration
>>> >>>>>>>>>>> that matches the proposed identities and authentication method.
>>> >>>>>>>>>>>
>>> >>>>>>>>>>>> 14[IKE] found 1 matching config, but none allows RSA signature authentication using Main Mode
>>> >>>>>>>>>>>>
>>> >>>>>>>>>>>> Can anyone tell me what this means?
>>> >>>>>>>>>>>
>>> >>>>>>>>>>> It means that the daemon couldn't find a configuration for that client
>>> >>>>>>>>>>> that uses RSA authentication with Main Mode.
>>> >>>>>>>>>>>
>>> >>>>>>>>>>>> 07[CFG]   rightauth=pubkey
>>> >>>>>>>>>>>> 07[CFG]   rightauth2=xauth-noauth
>>> >>>>>>>>>>>
>>> >>>>>>>>>>> Your config uses XAuth, that is RSA followed by username/password
>>> >>>>>>>>>>> authentication. This is not the same as the client expects, try to
>>> >>>>>>>>>>> remove the rightauth2 line to use RSA authentication only.
>>> >>>>>>>>>>>
>>> >>>>>>>>>>> Regards
>>> >>>>>>>>>>> Martin
>>> >>>>>>>>>>>
>>> >>>>>>>>> _______________________________________________
>>> >>>>>>>>> Users mailing list
>>> >>>>>>>>> Users at lists.strongswan.org
>>> >>>>>>>>> https://lists.strongswan.org/mailman/listinfo/users
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2
>>
>> iQIcBAEBCAAGBQJUkfTzAAoJEDg5KY9j7GZYy6YP/2iHBRl6UtKtAW03q+AyStvP
>> h8Z69vRJqmnXJP77zAKedUK9zQ1W2Qh2r4uTpR1hVHyZkGLw0bJAaBXqQN1QYDiN
>> 7jT2HQVtent2/pvj1RPECN6hMAICbrr6sNZ3viFi7sKG/WoIGimbw6l/DUX5d95d
>> L7jNoRuqb+xnba5vCZkz0Pkwow+5feKyaPhYNW+2bn+LJUoG1LQRy0Or6/j9ksew
>> ueotzyyYoIO2INO/1NoetKuYwom0oSAvPT8UWQARvGH5bGlG5prZSZVQSBsP6TGW
>> f/yCNo5nQ76MWJ9/bZjJI01HDo5847Kry/lsBiRmZOECI+nT+ZLa29iEZfFvoQy0
>> H/2lSgneWsXb5eCO4jKEvzjAbFUFOpFq4bhyUjsQGY85oi3n265QfsM47iuPfa6m
>> HSMXIOjGJGvJmbLin88Mh1TK+LHUj33VNTpOLaBQQk0NZJzmYqGBU9HpRrDEK3fE
>> h0gOcrNAF8JmV/22rA/4F6/yA2ZEKoalok8uLHW6rJDRSTXnhP6spOkFoQIEB7gC
>> 4GoQmUKU5wWDmGg2Ybl7k3Eioqg5vjtJ8Fk8/DMMkyDU7vTTFZGw6kewwstQ/aHr
>> hHcn6xVG07Evwn/ipF2Pvo2NH3jgtbhyYdcTHeZ7Qc/kKzDW1bPNFKOzKsfIyUiX
>> lIg+LhWxIBb+kZzlqlPn
>> =/TyF
>> -----END PGP SIGNATURE-----
>>
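The charon lines quoted throughout this thread actually answer both of the questions raised in it (why the "none allows RSA signature authentication using Main Mode" message appears, and why Quick Mode ends in "no matching CHILD_SA config found"), but they are hard to read once an email client has wrapped them. What follows is an added example, not code from this thread or from the strongSwan project: a small Python analyzer that walks charon syslog lines in order and reports which IKEv1 stage failed, which traffic selectors the client proposed versus what the server offered, and whether the selected Phase 1 proposal contains weak algorithms. The sample log lines are constructed to mirror the ones in the thread, with the redacted addresses replaced by documentation-range placeholders (198.51.100.10 for the server, 203.0.113.45 for the client) and the email line-wrapping undone; the `WEAK_ALGS` set is this example's own choice, not a strongSwan setting.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Algorithms this example flags when they end up in the selected IKE proposal.
# The set is our choice for the example, not a strongSwan configuration value.
WEAK_ALGS = {"3DES_CBC", "MODP_1024", "MODP_768", "HMAC_MD5_96", "PRF_HMAC_MD5"}

# "Dec 17 07:33:46 vpn charon: 15[CFG] <text>" -> (thread, group, text)
LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ charon: (\d+)\[(\w+)\] (.*)$")
# One traffic selector as charon prints it: "dynamic", "0.0.0.0/0", "198.51.100.10/32[udp/l2f]"
TS_RE = re.compile(r"^(dynamic|[\d.]+/\d+(?:\[[^\]]+\])?)$")

# Constructed sample: the server-side lines from the thread, unwrapped, with
# placeholder addresses in place of the redacted vpn_ip / client_ip.
SAMPLE_LOG = """\
Dec 17 07:33:45 vpn charon: 12[IKE] 203.0.113.45 is initiating a Main Mode IKE_SA
Dec 17 07:33:45 vpn charon: 12[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Dec 17 07:33:45 vpn charon: 12[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Dec 17 07:33:45 vpn charon: 13[CFG] looking for RSA signature peer configs matching 198.51.100.10...203.0.113.45[C=US, O=ThatsUs, CN=cindy@example.com]
Dec 17 07:33:45 vpn charon: 13[CFG]   candidate "roadwarrior-ikev1", match: 1/1/1052 (me/other/ike)
Dec 17 07:33:45 vpn charon: 13[CFG] selected peer config "roadwarrior-ikev1"
Dec 17 07:33:45 vpn charon: 13[IKE] IKE_SA roadwarrior-ikev1[1] state change: CONNECTING => ESTABLISHED
Dec 17 07:33:46 vpn charon: 15[IKE] changing received traffic selectors 10.0.1.32/32[udp/62338]=== 198.51.100.10/32[udp/l2f] due to NAT
Dec 17 07:33:46 vpn charon: 15[CFG] looking for a child config for 198.51.100.10/32[udp/l2f] === 203.0.113.45/32[udp/62338]
Dec 17 07:33:46 vpn charon: 15[CFG] proposing traffic selectors for us:
Dec 17 07:33:46 vpn charon: 15[CFG]  0.0.0.0/0
Dec 17 07:33:46 vpn charon: 15[CFG] proposing traffic selectors for other:
Dec 17 07:33:46 vpn charon: 15[CFG]  dynamic
Dec 17 07:33:46 vpn charon: 15[IKE] no matching CHILD_SA config found
Dec 17 07:33:46 vpn charon: 15[ENC] generating INFORMATIONAL_V1 request 2161614569 [ HASH N(INVAL_ID) ]
Dec 17 07:34:16 vpn charon: 14[IKE] received DELETE for IKE_SA roadwarrior-ikev1[1]
"""


@dataclass
class Findings:
    selected_proposal: Optional[str] = None
    weak_algs: list = field(default_factory=list)
    auth_mismatch: Optional[str] = None
    peer_config: Optional[str] = None
    ike_established: bool = False
    nat_rewritten: Optional[str] = None   # client's selectors before the NAT rewrite
    child_lookup: Optional[str] = None    # "local === remote" as the server looked it up
    ts_us: list = field(default_factory=list)
    ts_other: list = field(default_factory=list)
    child_failed: bool = False
    peer_deleted: bool = False


def analyze(lines):
    """Walk charon log lines in order and collect the negotiation state."""
    f = Findings()
    section = None  # "us" / "other" while inside a "proposing traffic selectors" list
    for raw in lines:
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        _thread, _group, text = m.groups()
        t = text.strip()
        if section is not None:
            if TS_RE.match(t):
                (f.ts_us if section == "us" else f.ts_other).append(t)
                continue
            section = None  # first non-selector line closes the list
        if t.startswith("selected proposal:"):
            f.selected_proposal = t.split(":", 1)[1].strip()
            algs = f.selected_proposal.split(":", 1)[-1].split("/")
            f.weak_algs = [a for a in algs if a in WEAK_ALGS]
        elif "none allows" in t and "authentication" in t:
            f.auth_mismatch = t
        elif t.startswith("selected peer config"):
            f.peer_config = t.split('"')[1]
        elif "state change: CONNECTING => ESTABLISHED" in t:
            f.ike_established = True
        elif t.startswith("changing received traffic selectors"):
            f.nat_rewritten = t[len("changing received traffic selectors"):].replace(" due to NAT", "").strip()
        elif t.startswith("looking for a child config for"):
            f.child_lookup = t[len("looking for a child config for"):].strip()
        elif t == "proposing traffic selectors for us:":
            section = "us"
        elif t == "proposing traffic selectors for other:":
            section = "other"
        elif t == "no matching CHILD_SA config found":
            f.child_failed = True
        elif t.startswith("received DELETE for IKE_SA"):
            f.peer_deleted = True
    return f


def diagnose(f):
    """Turn the collected state into findings a responder can act on."""
    out = []
    if f.selected_proposal:
        out.append(f"phase1 proposal: {f.selected_proposal}")
        if f.weak_algs:
            out.append("phase1 proposal contains weak algorithms: " + ", ".join(f.weak_algs))
    if f.auth_mismatch:
        out.append("phase1 auth method mismatch: " + f.auth_mismatch)
    if f.peer_config:
        state = "established" if f.ike_established else "not established"
        out.append(f'phase1 peer config "{f.peer_config}", IKE_SA {state}')
    if f.child_failed and f.child_lookup and " === " in f.child_lookup:
        want_us, want_other = f.child_lookup.split(" === ", 1)
        out.append(f"phase2 failed: client proposed {want_us} === {want_other}")
        if f.nat_rewritten:
            out.append(f"  (client's selectors before NAT rewrite: {f.nat_rewritten})")
        # IKEv1 Quick Mode does not narrow selectors the way IKEv2 does, so the
        # configured child selectors must equal what the client proposed.
        if want_us not in f.ts_us:
            out.append(f"  local selector {want_us} not offered; server offered {f.ts_us}")
        if want_other not in f.ts_other:
            out.append(f"  remote selector {want_other} not offered; server offered {f.ts_other}")
    if f.peer_deleted:
        out.append("client sent DELETE for the IKE_SA")
    return out


if __name__ == "__main__":
    for line in diagnose(analyze(SAMPLE_LOG.splitlines())):
        print(line)
```

Run against the sample, the report shows Phase 1 completing under a 3DES/MODP_1024 proposal and Phase 2 failing because the client asked for a port-specific `udp/l2f` selector on the server side while the conn offered only `0.0.0.0/0` and `dynamic`; that exact-match requirement is what Noel's advice about making `leftsubnet`/`rightsubnet` contain the proposed combination points at. Feeding it the earlier "found 1 matching config, but none allows RSA signature authentication using Main Mode" line instead reports a Phase 1 authentication-method mismatch and no Phase 2 attempt, which separates the two problems the thread runs together.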