[strongSwan] Problem after upgrade 5.5.0->5.5.1

Dusan Ilic dusan at comhem.se
Thu Apr 13 18:32:47 CEST 2017


Hi everyone!

I have some issues since upgrading strongSwan from 5.5.0 to 5.5.1.
My S2S tunnels are working, but remote access clients cannot connect any 
longer. Tried both with the strongSwan Android client and the built-in IKEv2 
Windows 10 client.
I'm using a certificate from Let's Encrypt to authenticate server side, a 
PFX file; I have also tried just using the certificates manually in 
the respective folder. Below is the logfile.

Apr 13 18:25:32 15[IKE] received end entity cert "CN=example.com"
Apr 13 18:25:32 15[IKE] received issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Apr 13 18:25:32 15[CFG]   using certificate "CN=example.com"
Apr 13 18:25:32 15[CFG]   using untrusted intermediate certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Apr 13 18:25:32 15[CFG]   using trusted ca certificate "O=Digital Signature Trust Co., CN=DST Root CA X3"
Apr 13 18:25:32 15[CFG]   reached self-signed root ca with a path length of 1
Apr 13 18:25:32 15[IKE] authentication of 'vpn.example.com' with RSA_EMSA_PKCS1_SHA2_384 successful
Apr 13 18:25:32 15[IKE] server requested EAP_IDENTITY (id 0x00), sending 'user1'
Apr 13 18:25:32 15[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Apr 13 18:25:32 15[NET] sending packet: from 10.4.90.238[41574] to 85.24.240.96[4500] (96 bytes)
Apr 13 18:25:32 12[NET] received packet: from 85.24.240.96[4500] to 10.4.90.238[41574] (112 bytes)
Apr 13 18:25:32 12[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Apr 13 18:25:32 12[IKE] server requested EAP_MSCHAPV2 authentication (id 0x75)
Apr 13 18:25:32 12[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Apr 13 18:25:32 12[NET] sending packet: from 10.4.90.238[41574] to 85.24.240.96[4500] (144 bytes)
Apr 13 18:25:32 08[NET] received packet: from 85.24.240.96[4500] to 10.4.90.238[41574] (144 bytes)
Apr 13 18:25:32 08[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Apr 13 18:25:32 08[IKE] EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
Apr 13 18:25:32 08[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Apr 13 18:25:32 08[NET] sending packet: from 10.4.90.238[41574] to 85.24.240.96[4500] (80 bytes)
Apr 13 18:25:33 06[NET] received packet: from 85.24.240.96[4500] to 10.4.90.238[41574] (80 bytes)
Apr 13 18:25:33 06[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
Apr 13 18:25:33 06[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Apr 13 18:25:33 06[IKE] authentication of 'user1' (myself) with EAP
Apr 13 18:25:33 06[ENC] generating IKE_AUTH request 5 [ AUTH ]
Apr 13 18:25:33 06[NET] sending packet: from 10.4.90.238[41574] to 85.24.240.96[4500] (112 bytes)
Apr 13 18:25:35 14[IKE] retransmit 1 of request with message ID 5
Apr 13 18:25:35 14[NET] sending packet: from 10.4.90.238[41574] to 85.24.240.96[4500] (112 bytes)
Apr 13 18:25:37 13[IKE] retransmit 2 of request with message ID 5
Apr 13 18:25:37 13[NET] sending packet: from 10.4.90.238[41574] to 85.24.240.96[4500] (112 bytes)
Apr 13 18:25:41 15[IKE] retransmit 3 of request with message ID 5
Apr 13 18:25:41 15[NET] sending packet: from 10.4.90.238[41574] to 85.24.240.96[4500] (112 bytes)
Apr 13 18:25:47 12[IKE] giving up after 3 retransmits
Apr 13 18:25:47 12[IKE] peer not responding, trying again (2/0)
Apr 13 18:25:47 12[IKE] initiating IKE_SA android[13] to 85.24.240.96
Apr 13 18:25:47 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 13 18:25:47 12[NET] sending packet: from 10.4.90.238[60924] to 85.24.240.96[500] (746 bytes)
Apr 13 18:25:47 06[IKE] destroying IKE_SA in state CONNECTING without notification



