[strongSwan] Mac OS X Widget Yosemite Issues

Dan Diman dan.diman at certifi.net
Thu Oct 23 18:30:59 CEST 2014


I’m using the Mac OS X strongSwan widget and after upgrading to Yosemite, I am receiving the error "No common traffic selectors found" very frequently, but not 100% of the time. Something like 95% of the time. Prior to the upgrade this would happen only occasionally (twice a month or so) and quitting and restarting the strongSwan widget would always allow me to connect. Now it can take upwards of 20 to 30 attempts with no reassurance that it will ever connect. :-(

The root of the trouble seems to be these lines in the log (full log included below):

Installing new virtual IP 10.100.255.1
created TUN device: utun1
virtual IP 10.100.255.1 did not appear on utun1
installing virtual IP 10.100.255.1 failed
no acceptable traffic selectors found

I found some discussion from 2013 about this error (https://lists.strongswan.org/pipermail/users/2013-September/005213.html) and later in that thread Martin linked a 5.1.0 (4) version of the widget, which I tried, but it didn’t resolve the issue.

Any advice?  Any other Mac OS X folks having this problem?  This is causing me some significant trouble as a remote employee who depends on resources on this VPN.

Thanks in advance,

-Dan

Dan Diman
dan.diman at certifi.net



===================Full log file================================

initiating IKE_SA Certifi VPC[8] to x.x.x.x
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.0.8[55139] to x.x.x.x[4500] (1108 bytes)
received packet: from x.x.x.x[4500] to 192.168.0.8[55139] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_1024
initiating IKE_SA Certifi VPC[8] to x.x.x.x
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.0.8[55139] to x.x.x.x[4500] (980 bytes)
received packet: from x.x.x.x[4500] to 192.168.0.8[55139] (312 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
establishing CHILD_SA Certifi VPC
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.0.8[58559] to x.x.x.x[4500] (380 bytes)
received packet: from x.x.x.x[4500] to 192.168.0.8[58559] (1212 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
received end entity cert "C=CH, O=Certifi, CN=vpn.enrfin.com"
  using certificate "C=CH, O=Certifi, CN=vpn.enrfin.com"
  using trusted ca certificate "C=CH, O=Certifi, CN=Certifi MN"
  reached self-signed root ca with a path length of 0
authentication of 'vpn.enrfin.com' with RSA signature successful
server requested EAP_IDENTITY (id 0x00), sending 'ddiman'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 192.168.0.8[58559] to x.x.x.x[4500] (76 bytes)
received packet: from x.x.x.x[4500] to 192.168.0.8[58559] (108 bytes)
parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
server requested EAP_MSCHAPV2 authentication (id 0xE4)
generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
sending packet: from 192.168.0.8[58559] to x.x.x.x[4500] (140 bytes)
received packet: from x.x.x.x[4500] to 192.168.0.8[58559] (140 bytes)
parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
sending packet: from 192.168.0.8[58559] to x.x.x.x[4500] (76 bytes)
received packet: from x.x.x.x[4500] to 192.168.0.8[58559] (76 bytes)
parsed IKE_AUTH response 4 [ EAP/SUCC ]
EAP method EAP_MSCHAPV2 succeeded, MSK established
authentication of 'ddiman' (myself) with EAP
generating IKE_AUTH request 5 [ AUTH ]
sending packet: from 192.168.0.8[58559] to x.x.x.x[4500] (92 bytes)
received packet: from x.x.x.x[4500] to 192.168.0.8[58559] (252 bytes)
parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
authentication of 'vpn.enrfin.com' with EAP successful
IKE_SA Certifi VPC[8] established between 192.168.0.8[ddiman]…x.x.x.x[vpn.enrfin.com]
scheduling rekeying in 35788s
maximum IKE_SA lifetime 36388s
installing 192.168.101.170 as DNS server
installing new virtual IP 10.100.255.1
created TUN device: utun1
virtual IP 10.100.255.1 did not appear on utun1
installing virtual IP 10.100.255.1 failed
no acceptable traffic selectors found
closing IKE_SA due CHILD_SA setup failure
peer supports MOBIKE
sending DELETE for ESP CHILD_SA with SPI 1ab6354c
generating INFORMATIONAL request 6 [ D ]
sending packet: from 192.168.0.8[58559] to x.x.x.x[4500] (76 bytes)
sending address list update using MOBIKE
received packet: from x.x.x.x[4500] to 192.168.0.8[58559] (76 bytes)
parsed INFORMATIONAL response 6 [ D ]
generating INFORMATIONAL request 7 [ N(ADD_4_ADDR) ]
sending packet: from 192.168.0.8[58559] to x.x.x.x[4500] (76 bytes)
received packet: from x.x.x.x[4500] to 192.168.0.8[58559] (76 bytes)
parsed INFORMATIONAL response 7 [ ]
deleting IKE_SA Certifi VPC[8] between 192.168.0.8[ddiman]…x.x.x.x[vpn.enrfin.com]
sending DELETE for IKE_SA Certifi VPC[8]
generating INFORMATIONAL request 8 [ D ]
sending packet: from 192.168.0.8[58559] to x.x.x.x[4500] (76 bytes)
received packet: from x.x.x.x[4500] to 192.168.0.8[58559] (76 bytes)
parsed INFORMATIONAL response 8 [ ]
IKE_SA deleted
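
Added example, not part of the original post and not strongSwan code: a small triage script for logs like the one above. It groups lines into connection attempts and separates attempts where the traffic selector error follows a failed virtual IP install on the TUN device from attempts where the error appears on its own. The function name, the verdict labels and the sample log are assumptions made for illustration.

```python
import re

INIT = re.compile(r"initiating IKE_SA (?P<name>.+)\[(?P<id>\d+)\] to ")
VIP_MISSING = re.compile(r"virtual IP (?P<ip>\S+) did not appear on (?P<dev>\S+)")
VIP_FAILED = re.compile(r"installing virtual IP \S+ failed")
TS_ERROR = "no acceptable traffic selectors found"

# Constructed sample in the style of the log above (not real output):
# attempt 8 includes the DH-group retry, attempt 9 has the TS error alone.
SAMPLE_LOG = """\
initiating IKE_SA Certifi VPC[8] to x.x.x.x
peer didn't accept DH group MODP_2048, it requested MODP_1024
initiating IKE_SA Certifi VPC[8] to x.x.x.x
installing new virtual IP 10.100.255.1
created TUN device: utun1
virtual IP 10.100.255.1 did not appear on utun1
installing virtual IP 10.100.255.1 failed
no acceptable traffic selectors found
closing IKE_SA due CHILD_SA setup failure
initiating IKE_SA Certifi VPC[9] to x.x.x.x
installing new virtual IP 10.100.255.1
created TUN device: utun1
no acceptable traffic selectors found
closing IKE_SA due CHILD_SA setup failure
"""

def triage(log_text):
    """Return one record per connection attempt, in log order."""
    attempts, current = {}, None
    for line in log_text.splitlines():
        m = INIT.search(line)
        if m:
            # A retry after INVAL_KE logs "initiating" again with the same
            # id, so key on (name, id) instead of starting a new attempt.
            key = (m["name"], int(m["id"]))
            current = attempts.setdefault(key, {
                "conn": key[0], "id": key[1], "vip": None, "dev": None,
                "vip_failed": False, "verdict": "no-ts-error"})
        elif current is None:
            continue  # lines before the first attempt
        elif (m := VIP_MISSING.search(line)):
            current["vip"], current["dev"] = m["ip"], m["dev"]
        elif VIP_FAILED.search(line):
            current["vip_failed"] = True
        elif TS_ERROR in line:
            # Order matters: only blame the TUN step if it failed first.
            current["verdict"] = ("vip-install-failed" if current["vip_failed"]
                                  else "ts-error-only")
    return list(attempts.values())
```

Calling triage() on a saved log returns one record per attempt; a "vip-install-failed" verdict marks attempts that match the five-line pattern quoted in the post.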
