[strongSwan] Tunnels with dynamic IP and another route issue

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sat Apr 29 17:28:26 CEST 2017


I just tested it with two hosts running strongSwan 5.5.2 and it works just fine.
This is a problem with the fortigate, which resolves its configured ID to an IP address.
Try to find a way to turn that off.

Here are the two configurations I used (one with ipsec.conf, one with swanctl.conf). They are functionally identical.

Instead of stating the FQDN in "left" or "right", you can also set "leftallowany" and "rightallowany".
There are no such options for swanctl, so adding 0.0.0.0/0 and ::/0 to left and right allows any. It behaves identically.

--- configurations ---

--- legacy ipsec.conf format ---

--- on vms.thermicorp.lan ---

--- ipsec.conf ---
conn vms-test
        left = %vms.thermicorp.lan
        leftid = vms.thermicorp.lan
        leftauth = psk
        leftsubnet = 172.16.0.2
        right = %thermi-pc.thermicorp.lan
        rightid = thermi-pc.thermicorp.lan
        rightauth = psk
        rightsubnet = 172.16.0.1
        ike = chacha20poly1305-prfsha256-newhope128
        esp = chacha20poly1305-newhope128, chacha20poly1305
        keyexchange = ikev2
        auto = add

--- ipsec.secrets ---

thermi-pc.thermicorp.lan : PSK test123

--- on thermi-pc.thermicorp.lan ---

None, used equivalent swanctl.conf configuration.
You could just use the configuration from vms.thermicorp.lan, because the peer could figure out
that his side is "right" now, when the FQDN defined in "right" resolves to a local IP.

--- modern swanctl.conf format ---

--- on vms.thermicorp.lan ---

--- swanctl.conf ---

connections {
        vms-test {
                version = 2
                remote_addrs = thermi-pc.thermicorp.lan
                local_addrs = vms.thermicorp.lan
                local {
                        auth = psk
                        id = vms.thermicorp.lan
                }
                remote {
                        auth = psk
                        id = thermi-pc.thermicorp.lan
                }
                children {
                        vms-test-esp {
                                local_ts = 172.16.0.2
                                remote_ts = 172.16.0.1
                                esp_proposals = chacha20poly1305-newhope128, chacha20poly1305
                        }
                }
        }
}

secrets {
        ike-vms-test {
                id = thermi-pc.thermicorp.lan
                secret = test123
        }
}

--- on thermi-pc.thermicorp.lan ---

--- swanctl.conf ---

connections {
        vms-test {
                version = 2
                local_addrs = thermi-pc.thermicorp.lan, %any
                remote_addrs = vms.thermicorp.lan, %any
                proposals = chacha20poly1305-prfsha256-newhope128
                local {
                        auth = psk
                        id = thermi-pc.thermicorp.lan
                }
                remote {
                        auth = psk
                        id = vms.thermicorp.lan
                }
                children {
                        vms-test-esp {
                                local_ts = 172.16.0.1
                                remote_ts = 172.16.0.2
                                esp_proposals = chacha20poly1305-newhope128, chacha20poly1305
                        }
                }
        }
}

secrets {
        ike-vms-test {
                id = vms.thermicorp.lan
                secret = test123
        }
}


--- Logs ---

Attached.


On 29.04.2017 14:29, Dusan Ilic wrote:
>
> For the Fortigate connection if I add in both local and remote ID, instead of only remote ID, I get the following:
>
> authentication of '85.230.x.x' with pre-shared key successful
> constraint check failed: identity 'remote.example' required
> selected peer config 'site2site' inacceptable: constraint checking failed
> no alternative config found
>
> Only remote ID as you suggested
>
> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
> no shared key found for 'local.example' - '85.230.x.x'
> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>
>
> On 2017-04-29 at 13:26, Dusan Ilic wrote:
>>
>> no shared key found for 'local.example' - '137.135.x.x'
>> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>>
>> The remote side is a Fortigate firewall, so I can't configure it the same. I can just choose local interface (ie wan) and remote gateway IP or Dynamic DNS, I have chosen Dynamic DNS.
>> It logs "peer SA proposal not match local policy".
>>
>> If I change to IP addresses it works, but that won't work for very long unfortunately.
>>
>>
>> On 2017-04-29 at 02:49, Noel Kuntze wrote:
>>> Hello Dusan,
>>>
>>> On 29.04.2017 02:25, Dusan Ilic wrote:
>>>> Hi Noel,
>>>>
>>>> Okay, if I don't set "left" and initiate the connection it takes the wrong route (multiple WAN-interfaces) and the remote peer doesn't expect that source IP. Probably works better if the remote peer is initiating the connection instead.
>>>>
>>>> If I set "left=%local.example" and "right" / "rightid" as you suggest I get the following output in the logfile:
>>>>
>>>> Apr 29 00:10:51 R6250 daemon.info charon: 10[IKE] tried 1 shared key for 'local.example' - '137.135.x.x', but MAC mismatched
>>>> Apr 29 00:10:51 R6250 daemon.info charon: 10[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>>>>
>>>> If I fiddle in ipsec.secrets a bit, I get this instead:
>>>>
>>>> authentication of '137.135.x.x' with pre-shared key successful
>>>> constraint check failed: identity 'remote.example' required
>>>> selected peer config 'site2site' inacceptable: constraint checking failed
>>>> no alternative config found
>>>>
>>> Alright. Try the following
>>> left=%local.example
>>> leftid=local.example
>>> right=%remote.example
>>> rightid=remote.example
>>>
>>> remote.example : PSK "PSKGOESHERE"
>>>
>>> Do it vice versa on the remote peer.
>>>
>>> Kind regards,
>>> Noel
>>>
>>
>

-------------- next part --------------
Sat, 2017-04-29 16:49 14[CFG] received stroke: initiate 'vms-test'
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1> queueing IKE_VENDOR task
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1> queueing IKE_INIT task
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1> queueing IKE_NATD task
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1> queueing IKE_CERT_PRE task
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1> queueing IKE_AUTH task
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1> queueing IKE_CERT_POST task
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1> queueing IKE_CONFIG task
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1> queueing IKE_AUTH_LIFETIME task
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1> queueing IKE_MOBIKE task
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1> queueing CHILD_CREATE task
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1> activating new tasks
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1>   activating IKE_VENDOR task
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1>   activating IKE_INIT task
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1>   activating IKE_NATD task
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1>   activating IKE_CERT_PRE task
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1>   activating IKE_AUTH task
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1>   activating IKE_CERT_POST task
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1>   activating IKE_CONFIG task
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1>   activating CHILD_CREATE task
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1>   activating IKE_AUTH_LIFETIME task
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1>   activating IKE_MOBIKE task
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1> sending strongSwan vendor ID
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1> initiating IKE_SA vms-test[1] to 192.168.178.43
Sat, 2017-04-29 16:49 16[IKE] <vms-test|1> IKE_SA vms-test[1] state change: CREATED => CONNECTING
Sat, 2017-04-29 16:49 16[CFG] <vms-test|1> configured proposals: IKE:CHACHA20_POLY1305_256/PRF_HMAC_SHA2_256/NEWHOPE_128, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/NEWHOPE_128/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/NEWHOPE_128/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024
Sat, 2017-04-29 16:49 16[CFG] <vms-test|1> sending supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
Sat, 2017-04-29 16:49 16[ENC] <vms-test|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) V ]
Sat, 2017-04-29 16:49 16[NET] <vms-test|1> sending packet: from 192.168.178.48[500] to 192.168.178.43[500] (2686 bytes)
Sat, 2017-04-29 16:49 06[NET] <vms-test|1> received packet: from 192.168.178.43[500] to 192.168.178.48[500] (2333 bytes)
Sat, 2017-04-29 16:49 06[ENC] <vms-test|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) V ]
Sat, 2017-04-29 16:49 06[IKE] <vms-test|1> received strongSwan vendor ID
Sat, 2017-04-29 16:49 06[IKE] <vms-test|1> received FRAGMENTATION_SUPPORTED notify
Sat, 2017-04-29 16:49 06[IKE] <vms-test|1> received SIGNATURE_HASH_ALGORITHMS notify
Sat, 2017-04-29 16:49 06[CFG] <vms-test|1> selecting proposal:
Sat, 2017-04-29 16:49 06[CFG] <vms-test|1>   proposal matches
Sat, 2017-04-29 16:49 06[CFG] <vms-test|1> received proposals: IKE:CHACHA20_POLY1305_256/PRF_HMAC_SHA2_256/NEWHOPE_128
Sat, 2017-04-29 16:49 06[CFG] <vms-test|1> configured proposals: IKE:CHACHA20_POLY1305_256/PRF_HMAC_SHA2_256/NEWHOPE_128, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/NEWHOPE_128/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/NEWHOPE_128/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024
Sat, 2017-04-29 16:49 06[CFG] <vms-test|1> selected proposal: IKE:CHACHA20_POLY1305_256/PRF_HMAC_SHA2_256/NEWHOPE_128
Sat, 2017-04-29 16:49 06[CFG] <vms-test|1> received supported signature hash algorithms: sha1 sha256 sha384 sha512
Sat, 2017-04-29 16:49 06[IKE] <vms-test|1> received cert request for "censored"
Sat, 2017-04-29 16:49 06[IKE] <vms-test|1> received cert request for "censored"
Sat, 2017-04-29 16:49 06[IKE] <vms-test|1> received cert request for "censored"
Sat, 2017-04-29 16:49 06[IKE] <vms-test|1> reinitiating already active tasks
Sat, 2017-04-29 16:49 06[IKE] <vms-test|1>   IKE_CERT_PRE task
Sat, 2017-04-29 16:49 06[IKE] <vms-test|1>   IKE_AUTH task
Sat, 2017-04-29 16:49 06[IKE] <vms-test|1> sending cert request for "censored"
Sat, 2017-04-29 16:49 06[IKE] <vms-test|1> sending cert request for "censored"
Sat, 2017-04-29 16:49 06[IKE] <vms-test|1> sending cert request for "censored"
Sat, 2017-04-29 16:49 06[IKE] <vms-test|1> authentication of 'vms.thermicorp.lan' (myself) with pre-shared key
Sat, 2017-04-29 16:49 06[IKE] <vms-test|1> successfully created shared key MAC
Sat, 2017-04-29 16:49 06[IKE] <vms-test|1> establishing CHILD_SA vms-test
Sat, 2017-04-29 16:49 06[CFG] <vms-test|1> proposing traffic selectors for us:
Sat, 2017-04-29 16:49 06[CFG] <vms-test|1>  172.16.0.2/32
Sat, 2017-04-29 16:49 06[CFG] <vms-test|1> proposing traffic selectors for other:
Sat, 2017-04-29 16:49 06[CFG] <vms-test|1>  172.16.0.1/32
Sat, 2017-04-29 16:49 06[CFG] <vms-test|1> configured proposals: ESP:CHACHA20_POLY1305_256/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Sat, 2017-04-29 16:49 06[ENC] <vms-test|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sat, 2017-04-29 16:49 06[NET] <vms-test|1> sending packet: from 192.168.178.48[4500] to 192.168.178.43[4500] (552 bytes)
Sat, 2017-04-29 16:49 05[NET] <vms-test|1> received packet: from 192.168.178.43[4500] to 192.168.178.48[4500] (281 bytes)
Sat, 2017-04-29 16:49 05[ENC] <vms-test|1> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Sat, 2017-04-29 16:49 05[IKE] <vms-test|1> authentication of 'thermi-pc.thermicorp.lan' with pre-shared key successful
Sat, 2017-04-29 16:49 05[IKE] <vms-test|1> IKE_SA vms-test[1] established between 192.168.178.48[vms.thermicorp.lan]...192.168.178.43[thermi-pc.thermicorp.lan]
Sat, 2017-04-29 16:49 05[IKE] <vms-test|1> IKE_SA vms-test[1] state change: CONNECTING => ESTABLISHED
Sat, 2017-04-29 16:49 05[IKE] <vms-test|1> scheduling reauthentication in 9938s
Sat, 2017-04-29 16:49 05[IKE] <vms-test|1> maximum IKE_SA lifetime 10478s
Sat, 2017-04-29 16:49 05[CFG] <vms-test|1> selecting proposal:
Sat, 2017-04-29 16:49 05[CFG] <vms-test|1>   proposal matches
Sat, 2017-04-29 16:49 05[CFG] <vms-test|1> received proposals: ESP:CHACHA20_POLY1305_256/NO_EXT_SEQ
Sat, 2017-04-29 16:49 05[CFG] <vms-test|1> configured proposals: ESP:CHACHA20_POLY1305_256/NEWHOPE_128/NO_EXT_SEQ, ESP:CHACHA20_POLY1305_256/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Sat, 2017-04-29 16:49 05[CFG] <vms-test|1> selected proposal: ESP:CHACHA20_POLY1305_256/NO_EXT_SEQ
Sat, 2017-04-29 16:49 05[CFG] <vms-test|1> selecting traffic selectors for us:
Sat, 2017-04-29 16:49 05[CFG] <vms-test|1>  config: 172.16.0.2/32, received: 172.16.0.2/32 => match: 172.16.0.2/32
Sat, 2017-04-29 16:49 05[CFG] <vms-test|1> selecting traffic selectors for other:
Sat, 2017-04-29 16:49 05[CFG] <vms-test|1>  config: 172.16.0.1/32, received: 172.16.0.1/32 => match: 172.16.0.1/32
Sat, 2017-04-29 16:49 05[CHD] <vms-test|1>   using CHACHA20_POLY1305 for encryption
Sat, 2017-04-29 16:49 05[CHD] <vms-test|1> adding inbound ESP SA
Sat, 2017-04-29 16:49 05[CHD] <vms-test|1>   SPI 0xc94ba6e5, src 192.168.178.43 dst 192.168.178.48
Sat, 2017-04-29 16:49 05[CHD] <vms-test|1> adding outbound ESP SA
Sat, 2017-04-29 16:49 05[CHD] <vms-test|1>   SPI 0xcb6449a5, src 192.168.178.48 dst 192.168.178.43
Sat, 2017-04-29 16:49 05[IKE] <vms-test|1> CHILD_SA vms-test{1} established with SPIs c94ba6e5_i cb6449a5_o and TS 172.16.0.2/32 === 172.16.0.1/32
Sat, 2017-04-29 16:49 05[IKE] <vms-test|1> peer supports MOBIKE
Sat, 2017-04-29 16:49 05[IKE] <vms-test|1> got additional MOBIKE peer address: 192.168.180.43
Sat, 2017-04-29 16:49 05[IKE] <vms-test|1> got additional MOBIKE peer address: censored
Sat, 2017-04-29 16:49 05[IKE] <vms-test|1> got additional MOBIKE peer address: censored
Sat, 2017-04-29 16:49 05[IKE] <vms-test|1> activating new tasks
Sat, 2017-04-29 16:49 05[IKE] <vms-test|1> nothing to initiate
Sat, 2017-04-29 17:06 08[NET] <vms-test|1> received packet: from 192.168.178.43[4500] to 192.168.178.48[4500] (65 bytes)
Sat, 2017-04-29 17:06 08[ENC] <vms-test|1> parsed INFORMATIONAL request 0 [ D ]
Sat, 2017-04-29 17:06 08[IKE] <vms-test|1> received DELETE for IKE_SA vms-test[1]
Sat, 2017-04-29 17:06 08[IKE] <vms-test|1> deleting IKE_SA vms-test[1] between 192.168.178.48[vms.thermicorp.lan]...192.168.178.43[thermi-pc.thermicorp.lan]
Sat, 2017-04-29 17:06 08[IKE] <vms-test|1> IKE_SA vms-test[1] state change: ESTABLISHED => DELETING
Sat, 2017-04-29 17:06 08[IKE] <vms-test|1> IKE_SA deleted
Sat, 2017-04-29 17:06 08[ENC] <vms-test|1> generating INFORMATIONAL response 0 [ ]
Sat, 2017-04-29 17:06 08[NET] <vms-test|1> sending packet: from 192.168.178.48[4500] to 192.168.178.43[4500] (57 bytes)
Sat, 2017-04-29 17:06 08[IKE] <vms-test|1> IKE_SA vms-test[1] state change: DELETING => DESTROYING
Sat, 2017-04-29 17:06 06[NET] <2> received packet: from 192.168.178.43[500] to 192.168.178.48[500] (2044 bytes)
Sat, 2017-04-29 17:06 06[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) V ]
Sat, 2017-04-29 17:06 06[CFG] <2> looking for an ike config for 192.168.178.48...192.168.178.43
Sat, 2017-04-29 17:06 18[LIB] created thread 18 [6004]
Sat, 2017-04-29 17:06 06[CFG] <2>   candidate: vms.thermicorp.lan,0.0.0.0/0,::/0...thermi-pc.thermicorp.lan, prio 3100
Sat, 2017-04-29 17:06 06[CFG] <2> found matching ike config: vms.thermicorp.lan,0.0.0.0/0,::/0...thermi-pc.thermicorp.lan with prio 3100
Sat, 2017-04-29 17:06 06[IKE] <2> received strongSwan vendor ID
Sat, 2017-04-29 17:06 06[IKE] <2> 192.168.178.43 is initiating an IKE_SA
Sat, 2017-04-29 17:06 06[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Sat, 2017-04-29 17:06 06[CFG] <2> selecting proposal:
Sat, 2017-04-29 17:06 06[CFG] <2>   proposal matches
Sat, 2017-04-29 17:06 06[CFG] <2> received proposals: IKE:CHACHA20_POLY1305_256/PRF_HMAC_SHA2_256/NEWHOPE_128
Sat, 2017-04-29 17:06 06[CFG] <2> configured proposals: IKE:CHACHA20_POLY1305_256/PRF_HMAC_SHA2_256/NEWHOPE_128, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/NEWHOPE_128/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/NEWHOPE_128/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024
Sat, 2017-04-29 17:06 06[CFG] <2> selected proposal: IKE:CHACHA20_POLY1305_256/PRF_HMAC_SHA2_256/NEWHOPE_128
Sat, 2017-04-29 17:06 06[CFG] <2> received supported signature hash algorithms: sha1 sha256 sha384 sha512
Sat, 2017-04-29 17:06 06[IKE] <2> sending strongSwan vendor ID
Sat, 2017-04-29 17:06 06[CFG] <2> sending supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
Sat, 2017-04-29 17:06 06[IKE] <2> sending cert request for "censored"
Sat, 2017-04-29 17:06 06[IKE] <2> sending cert request for "censored"
Sat, 2017-04-29 17:06 06[IKE] <2> sending cert request for "censored"
Sat, 2017-04-29 17:06 06[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) V ]
Sat, 2017-04-29 17:06 06[NET] <2> sending packet: from 192.168.178.48[500] to 192.168.178.43[500] (2335 bytes)
Sat, 2017-04-29 17:06 14[NET] <2> received packet: from 192.168.178.43[4500] to 192.168.178.48[4500] (396 bytes)
Sat, 2017-04-29 17:06 14[ENC] <2> parsed IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sat, 2017-04-29 17:06 14[IKE] <2> received cert request for "censored"
Sat, 2017-04-29 17:06 14[IKE] <2> received cert request for "censored"
Sat, 2017-04-29 17:06 14[IKE] <2> received cert request for "censored"
Sat, 2017-04-29 17:06 14[CFG] <2> looking for peer configs matching 192.168.178.48[vms.thermicorp.lan]...192.168.178.43[thermi-pc.thermicorp.lan]
Sat, 2017-04-29 17:06 14[CFG] <2>   candidate "vms-test", match: 20/20/3100 (me/other/ike)
Sat, 2017-04-29 17:06 14[CFG] <vms-test|2> selected peer config 'vms-test'
Sat, 2017-04-29 17:06 14[IKE] <vms-test|2> authentication of 'thermi-pc.thermicorp.lan' with pre-shared key successful
Sat, 2017-04-29 17:06 14[IKE] <vms-test|2> peer supports MOBIKE
Sat, 2017-04-29 17:06 14[IKE] <vms-test|2> got additional MOBIKE peer address: 192.168.180.43
Sat, 2017-04-29 17:06 14[IKE] <vms-test|2> got additional MOBIKE peer address: censored
Sat, 2017-04-29 17:06 14[IKE] <vms-test|2> got additional MOBIKE peer address: censored
Sat, 2017-04-29 17:06 14[IKE] <vms-test|2> authentication of 'vms.thermicorp.lan' (myself) with pre-shared key
Sat, 2017-04-29 17:06 14[IKE] <vms-test|2> successfully created shared key MAC
Sat, 2017-04-29 17:06 14[IKE] <vms-test|2> IKE_SA vms-test[2] established between 192.168.178.48[vms.thermicorp.lan]...192.168.178.43[thermi-pc.thermicorp.lan]
Sat, 2017-04-29 17:06 14[IKE] <vms-test|2> IKE_SA vms-test[2] state change: CONNECTING => ESTABLISHED
Sat, 2017-04-29 17:06 14[IKE] <vms-test|2> scheduling reauthentication in 9908s
Sat, 2017-04-29 17:06 14[IKE] <vms-test|2> maximum IKE_SA lifetime 10448s
Sat, 2017-04-29 17:06 14[CFG] <vms-test|2> looking for a child config for 172.16.0.2/32 === 172.16.0.1/32
Sat, 2017-04-29 17:06 14[CFG] <vms-test|2> proposing traffic selectors for us:
Sat, 2017-04-29 17:06 14[CFG] <vms-test|2>  172.16.0.2/32
Sat, 2017-04-29 17:06 14[CFG] <vms-test|2> proposing traffic selectors for other:
Sat, 2017-04-29 17:06 14[CFG] <vms-test|2>  172.16.0.1/32
Sat, 2017-04-29 17:06 14[CFG] <vms-test|2>   candidate "vms-test" with prio 5+5
Sat, 2017-04-29 17:06 14[CFG] <vms-test|2> found matching child config "vms-test" with prio 10
Sat, 2017-04-29 17:06 14[CFG] <vms-test|2> selecting proposal:
Sat, 2017-04-29 17:06 14[CFG] <vms-test|2>   proposal matches
Sat, 2017-04-29 17:06 14[CFG] <vms-test|2> received proposals: ESP:CHACHA20_POLY1305_256/NO_EXT_SEQ
Sat, 2017-04-29 17:06 14[CFG] <vms-test|2> configured proposals: ESP:CHACHA20_POLY1305_256/NEWHOPE_128/NO_EXT_SEQ, ESP:CHACHA20_POLY1305_256/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Sat, 2017-04-29 17:06 14[CFG] <vms-test|2> selected proposal: ESP:CHACHA20_POLY1305_256/NO_EXT_SEQ
Sat, 2017-04-29 17:06 14[CFG] <vms-test|2> selecting traffic selectors for us:
Sat, 2017-04-29 17:06 14[CFG] <vms-test|2>  config: 172.16.0.2/32, received: 172.16.0.2/32 => match: 172.16.0.2/32
Sat, 2017-04-29 17:06 14[CFG] <vms-test|2> selecting traffic selectors for other:
Sat, 2017-04-29 17:06 14[CFG] <vms-test|2>  config: 172.16.0.1/32, received: 172.16.0.1/32 => match: 172.16.0.1/32
Sat, 2017-04-29 17:06 14[CHD] <vms-test|2>   using CHACHA20_POLY1305 for encryption
Sat, 2017-04-29 17:06 14[CHD] <vms-test|2> adding inbound ESP SA
Sat, 2017-04-29 17:06 14[CHD] <vms-test|2>   SPI 0xcbab5261, src 192.168.178.43 dst 192.168.178.48
Sat, 2017-04-29 17:06 14[CHD] <vms-test|2> adding outbound ESP SA
Sat, 2017-04-29 17:06 14[CHD] <vms-test|2>   SPI 0xcd9b9236, src 192.168.178.48 dst 192.168.178.43
Sat, 2017-04-29 17:06 14[IKE] <vms-test|2> CHILD_SA vms-test{2} established with SPIs cbab5261_i cd9b9236_o and TS 172.16.0.2/32 === 172.16.0.1/32
Sat, 2017-04-29 17:06 14[ENC] <vms-test|2> generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Sat, 2017-04-29 17:06 14[NET] <vms-test|2> sending packet: from 192.168.178.48[4500] to 192.168.178.43[4500] (311 bytes)
-------------- next part --------------
9[NET] <15> received packet: from 192.168.178.48[500] to 192.168.178.43[500] (2686 bytes)
29[ENC] <15> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) V ]
29[CFG] <15> looking for an ike config for 192.168.178.43...192.168.178.48
29[CFG] <15>   candidate: %any...192.168.178.48, prio 2076
29[CFG] <15>   candidate: %any...%any, prio 28
136[LIB] created thread 136 [11092]
29[CFG] <15>   candidate: thermi-pc.thermicorp.lan, %any...vms.thermicorp.lan, %any, prio 3100
29[CFG] <15> found matching ike config: thermi-pc.thermicorp.lan, %any...vms.thermicorp.lan, %any with prio 3100
29[IKE] <15> received strongSwan vendor ID
29[IKE] <15> 192.168.178.48 is initiating an IKE_SA
29[CFG] <15> selecting proposal:
29[CFG] <15>   proposal matches
29[CFG] <15> received proposals: IKE:CHACHA20_POLY1305_256/PRF_HMAC_SHA2_256/NEWHOPE_128, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/NEWHOPE_128/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/NEWHOPE_128/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024
29[CFG] <15> configured proposals: IKE:CHACHA20_POLY1305_256/PRF_HMAC_SHA2_256/NEWHOPE_128
29[CFG] <15> selected proposal: IKE:CHACHA20_POLY1305_256/PRF_HMAC_SHA2_256/NEWHOPE_128
29[CFG] <15> received supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
29[CFG] <15> sending supported signature hash algorithms: sha1 sha256 sha384 sha512
29[IKE] <15> sending cert request for "censored"
29[IKE] <15> sending cert request for "censored"
29[IKE] <15> sending cert request for "censored"
29[ENC] <15> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) V ]
29[NET] <15> sending packet: from 192.168.178.43[500] to 192.168.178.48[500] (2333 bytes)
22[NET] <15> received packet: from 192.168.178.48[4500] to 192.168.178.43[4500] (552 bytes)
22[ENC] <15> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
22[IKE] <15> received cert request for "censored"
22[IKE] <15> received cert request for "censored"
22[IKE] <15> received cert request for "censored"
22[CFG] <15> looking for peer configs matching 192.168.178.43[thermi-pc.thermicorp.lan]...192.168.178.48[vms.thermicorp.lan]
22[CFG] <15>   candidate "vms-test", match: 20/20/3100 (me/other/ike)
22[CFG] <vms-test|15> selected peer config 'vms-test'
22[IKE] <vms-test|15> authentication of 'vms.thermicorp.lan' with pre-shared key successful
22[IKE] <vms-test|15> peer supports MOBIKE
22[IKE] <vms-test|15> authentication of 'thermi-pc.thermicorp.lan' (myself) with pre-shared key
22[IKE] <vms-test|15> IKE_SA vms-test[15] established between 192.168.178.43[thermi-pc.thermicorp.lan]...192.168.178.48[vms.thermicorp.lan]
22[IKE] <vms-test|15> scheduling rekeying in 13392s
22[IKE] <vms-test|15> maximum IKE_SA lifetime 14832s
22[CFG] <vms-test|15> looking for a child config for 172.16.0.1/32 === 172.16.0.2/32
22[CFG] <vms-test|15> proposing traffic selectors for us:
22[CFG] <vms-test|15>  172.16.0.1/32
22[CFG] <vms-test|15> proposing traffic selectors for other:
22[CFG] <vms-test|15>  172.16.0.2/32
22[CFG] <vms-test|15>   candidate "vms-test-esp" with prio 5+5
22[CFG] <vms-test|15> found matching child config "vms-test-esp" with prio 10
22[CFG] <vms-test|15> selecting proposal:
22[CFG] <vms-test|15>   proposal matches
22[CFG] <vms-test|15> received proposals: ESP:CHACHA20_POLY1305_256/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
22[CFG] <vms-test|15> configured proposals: ESP:CHACHA20_POLY1305_256/NEWHOPE_128/NO_EXT_SEQ, ESP:CHACHA20_POLY1305_256/NO_EXT_SEQ
22[CFG] <vms-test|15> selected proposal: ESP:CHACHA20_POLY1305_256/NO_EXT_SEQ
22[KNL] <vms-test|15> got SPI ca156091
22[CFG] <vms-test|15> selecting traffic selectors for us:
22[CFG] <vms-test|15>  config: 172.16.0.1/32, received: 172.16.0.1/32 => match: 172.16.0.1/32
22[CFG] <vms-test|15> selecting traffic selectors for other:
22[CFG] <vms-test|15>  config: 172.16.0.2/32, received: 172.16.0.2/32 => match: 172.16.0.2/32
22[KNL] <vms-test|15> adding SAD entry with SPI ca156091 and reqid {6}
22[KNL] <vms-test|15>   using encryption algorithm CHACHA20_POLY1305 with key size 288
22[KNL] <vms-test|15>   using replay window of 32 packets
22[KNL] <vms-test|15> adding SAD entry with SPI c62ecf9a and reqid {6}
22[KNL] <vms-test|15>   using encryption algorithm CHACHA20_POLY1305 with key size 288
22[KNL] <vms-test|15>   using replay window of 0 packets
22[KNL] <vms-test|15> adding policy 172.16.0.1/32 === 172.16.0.2/32 out [priority 567231, refcount 1]
22[KNL] <vms-test|15> adding policy 172.16.0.2/32 === 172.16.0.1/32 in [priority 567231, refcount 1]
22[KNL] <vms-test|15> adding policy 172.16.0.2/32 === 172.16.0.1/32 fwd [priority 567231, refcount 1]
22[KNL] <vms-test|15> policy 172.16.0.1/32 === 172.16.0.2/32 out already exists, increasing refcount
22[KNL] <vms-test|15> updating policy 172.16.0.1/32 === 172.16.0.2/32 out [priority 367231, refcount 2]
22[KNL] <vms-test|15> getting a local address in traffic selector 172.16.0.1/32
22[KNL] <vms-test|15> no local address found in traffic selector 172.16.0.1/32
22[KNL] <vms-test|15> policy 172.16.0.2/32 === 172.16.0.1/32 in already exists, increasing refcount
22[KNL] <vms-test|15> updating policy 172.16.0.2/32 === 172.16.0.1/32 in [priority 367231, refcount 2]
22[KNL] <vms-test|15> policy 172.16.0.2/32 === 172.16.0.1/32 fwd already exists, increasing refcount
22[KNL] <vms-test|15> updating policy 172.16.0.2/32 === 172.16.0.1/32 fwd [priority 367231, refcount 2]
22[IKE] <vms-test|15> CHILD_SA vms-test-esp{17} established with SPIs ca156091_i c62ecf9a_o and TS 172.16.0.1/32 === 172.16.0.2/32
22[ENC] <vms-test|15> generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
22[NET] <vms-test|15> sending packet: from 192.168.178.43[4500] to 192.168.178.48[4500] (281 bytes)
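The identity and PSK matching that the three failure modes in this thread ("no shared key found", "MAC mismatched", "constraint check failed: identity ... required") turn on, as an added example written for this page and not strongSwan's code or any configuration from the thread: a small Python model of how a responder picks a pre-shared key from ipsec.secrets ID selectors and then checks the peer's presented ID against the configured rightid. The selector ranking is a simplification of strongSwan's match qualities, and the peer address 203.0.113.7 is a constructed stand-in for the censored IP in the logs.

```python
"""Model of strongSwan's PSK lookup and peer-identity constraint check.

Constructed illustration, not strongSwan's own code. A peer that resolves
its configured FQDN and sends the IP address as its ID payload (the
Fortigate behaviour discussed in the thread) never matches a secret or a
rightid that is keyed on the FQDN.
"""
from dataclasses import dataclass


@dataclass
class PskEntry:
    selectors: list   # ID selectors from the left of ':'; [] matches any pair
    secret: str


def parse_secrets(text):
    """Parse ipsec.secrets lines of the form `[id ...] : PSK "secret"`."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        lhs, sep, rhs = line.partition(":")
        rhs = rhs.strip()
        if not sep or not rhs.upper().startswith("PSK"):
            continue          # only PSK lines are modelled here
        secret = rhs[3:].strip().strip('"')
        entries.append(PskEntry(lhs.split(), secret))
    return entries


def id_quality(selector, identity):
    """0 = no match, 1 = matched by the %any wildcard, 2 = exact match."""
    if selector == "%any":
        return 1
    return 2 if selector.lower() == identity.lower() else 0


def lookup_psk(entries, my_id, other_id):
    """Return the best PSK for (my_id, other_id), or None if nothing matches.

    A selector-less entry matches any pair. Otherwise an entry is a candidate
    if at least one of the two identities matches one of its selectors; the
    candidates are ranked by how well they match the peer identity first and
    the local identity second (assumed simplification of strongSwan's ranking).
    """
    best, best_rank = None, (-1, -1)
    for e in entries:
        if not e.selectors:
            rank = (0, 0)
        else:
            other = max(id_quality(s, other_id) for s in e.selectors)
            me = max(id_quality(s, my_id) for s in e.selectors)
            if not (other or me):
                continue
            rank = (other, me)
        if rank > best_rank:
            best, best_rank = e, rank
    return best.secret if best else None


def authenticate_peer(secrets_text, my_id, required_peer_id, peer_sent_id, peer_psk):
    """Run the responder-side IKE_AUTH checks whose outcomes appear in the logs.

    peer_sent_id is what the peer put in its ID payload; peer_psk is the key
    the peer actually used to build its AUTH payload.
    """
    psk = lookup_psk(parse_secrets(secrets_text), my_id, peer_sent_id)
    if psk is None:
        return f"no shared key found for '{my_id}' - '{peer_sent_id}'"
    if psk != peer_psk:
        return "MAC mismatched"
    # AUTH verified; the peer config's rightid must still match the presented ID
    if not id_quality(required_peer_id, peer_sent_id):
        return f"constraint check failed: identity '{required_peer_id}' required"
    return f"authentication of '{peer_sent_id}' with pre-shared key successful"


if __name__ == "__main__":
    SECRETS = 'remote.example : PSK "PSKGOESHERE"\n'   # constructed sample file
    # Peer resolved its FQDN and sent the IP: the FQDN-keyed line is never found
    print(authenticate_peer(SECRETS, "local.example", "remote.example",
                            "203.0.113.7", "PSKGOESHERE"))
    # Peer sends the FQDN it was configured with: lookup and constraint both pass
    print(authenticate_peer(SECRETS, "local.example", "remote.example",
                            "remote.example", "PSKGOESHERE"))
```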