[strongSwan] Help debugging IKEv2 connection
Pete Donnell
pete at alephnull.uk
Sat Jun 17 12:25:02 CEST 2017
Hi all,
I've run into a bit of a problem with a simple IKEv2 connection, and I
was hoping someone on here might be able to offer some insight into
what's up with it.
I've got a StrongSwan VPN set up on a Debian Jessie VM. From most places
it works fine - I've used it on the road from a variety of homes,
offices, and mobile data connections. For some reason I can't get it to
connect from my home ISP. Initially it worked but only after several
connection attempts, and it would frequently drop the connection. After
checking error logs and searching online, I added fragmentation=yes to
ipsec.conf and it worked well for a couple of days. It has since stopped
working at all, despite me not making any further config changes. My ISP
assures me that there is nothing wrong with the line, and I haven't had
any issues connecting to anything else. I can only assume that
StrongSwan's config doesn't get on with my router/firewall for some
reason. Please can anyone help me debug?
In case it's relevant, I'm using the stock Debian stable kernel and
StrongSwan packages, versions 3.16.0 and 5.2.1 respectively. My Linux
knowledge is pretty solid, but knowledge of networking and VPNs much
less so.
Here's /etc/ipsec.conf:
config setup
conn %default
keyexchange=ikev2
leftid=host.example.com
leftcert=fullchain.pem
leftsubnet=0.0.0.0/0
right=%any
rightsourceip=10.11.12.0/24
rightdns=2001:1608:10:25::1c04:b12f,2001:1608:10:25::9249:d69b,84.200.69.80,84.200.70.40
dpdaction=clear
conn iosuser
leftsendcert=always
rightauth=eap-mschapv2
eap_identity=%identity
auto=add
fragmentation=yes
Here's /etc/ipsec.secrets:
include /var/lib/strongswan/ipsec.secrets.inc
: RSA privkey.pem
user : EAP "password"
And here's the redacted part of /var/log/syslog relating to a failed
connection attempt:
Jun 16 11:03:48 hostname charon: 15[NET] received packet: from
4.3.2.1[500] to 1.2.3.4[500] (604 bytes)
Jun 16 11:03:48 hostname charon: 15[ENC] parsed IKE_SA_INIT request
0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun 16 11:03:48 hostname charon: 15[IKE] 4.3.2.1 is initiating an
IKE_SA
Jun 16 11:03:49 hostname charon: 15[IKE] remote host is behind NAT
Jun 16 11:03:49 hostname charon: 15[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH)
]
Jun 16 11:03:49 hostname charon: 15[NET] sending packet: from
1.2.3.4[500] to 4.3.2.1[500] (448 bytes)
Jun 16 11:03:49 hostname charon: 06[NET] received packet: from
4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
Jun 16 11:03:49 hostname charon: 06[ENC] unknown attribute type (25)
Jun 16 11:03:49 hostname charon: 06[ENC] parsed IKE_AUTH request 1 [
IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6
DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun 16 11:03:49 hostname charon: 06[CFG] looking for peer configs
matching 1.2.3.4[host.example.com]...4.3.2.1[clientdevice]
Jun 16 11:03:49 hostname charon: 06[CFG] selected peer config
'iosuser'
Jun 16 11:03:49 hostname charon: 06[IKE] initiating EAP_IDENTITY
method (id 0x00)
Jun 16 11:03:49 hostname charon: 06[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun 16 11:03:49 hostname charon: 06[IKE] peer supports MOBIKE
Jun 16 11:03:49 hostname charon: 06[IKE] authentication of
'host.example.com' (myself) with RSA signature successful
Jun 16 11:03:49 hostname charon: 06[IKE] sending end entity cert
"CN=host.example.com"
Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH
response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jun 16 11:03:49 hostname charon: 06[ENC] splitting IKE message with
length of 1664 bytes into 4 fragments
Jun 16 11:03:49 hostname charon: 06[ENC] payload ENCRYPTED_FRAGMENT
has no ordering rule in IKE_AUTH response
Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH
response 1 [ EF ]
Jun 16 11:03:49 hostname charon: 06[ENC] payload ENCRYPTED_FRAGMENT
has no ordering rule in IKE_AUTH response
Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH
response 1 [ EF ]
Jun 16 11:03:49 hostname charon: 06[ENC] payload ENCRYPTED_FRAGMENT
has no ordering rule in IKE_AUTH response
Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH
response 1 [ EF ]
Jun 16 11:03:49 hostname charon: 06[ENC] payload ENCRYPTED_FRAGMENT
has no ordering rule in IKE_AUTH response
Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH
response 1 [ EF ]
Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket:
Invalid argument
Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket:
Invalid argument
Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket:
Invalid argument
Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from
1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket:
Invalid argument
Jun 16 11:03:52 hostname charon: 16[NET] received packet: from
4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
Jun 16 11:03:52 hostname charon: 16[ENC] unknown attribute type (25)
Jun 16 11:03:52 hostname charon: 16[ENC] parsed IKE_AUTH request 1 [
IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6
DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun 16 11:03:52 hostname charon: 16[IKE] received retransmit of
request with ID 1, retransmitting response
Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from
1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
Jun 16 11:03:52 hostname ipsec[4275]: 00[DMN] Starting IKE charon
daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64)
Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] HA config misses
local/remote address
Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] plugin 'ha': failed to
load - ha_plugin_create returned NULL
Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading ca
certificates from '/etc/ipsec.d/cacerts'
Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading aa
certificates from '/etc/ipsec.d/aacerts'
Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading ocsp signer
certificates from '/etc/ipsec.d/ocspcerts'
Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading attribute
certificates from '/etc/ipsec.d/acerts'
Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading crls from
'/etc/ipsec.d/crls'
Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] expanding file
expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loaded RSA private
key from '/etc/ipsec.d/private/privkey.pem'
Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loaded EAP secret
for raoul
Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loaded 0 RADIUS server
configurations
Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] loaded plugins: charon
aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey
pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp
agent xcbc hmac gcm attr kernel-netlink resolve socket-default farp
stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2
eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam
tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] unable to load 5
plugin features (5 due to unmet dependencies)
Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] dropped capabilities,
running as uid 0, gid 0
Jun 16 11:03:52 hostname ipsec[4275]: 00[JOB] spawning 16 worker
threads
Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] received stroke: add
connection 'iosuser'
Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] left nor right host is
our side, assuming left=local
Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] adding virtual IP
address pool 10.11.12.0/24
Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] loaded certificate
"CN=host.example.com" from 'fullchain.pem'
Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] added configuration
'iosuser'
Jun 16 11:03:52 hostname ipsec[4275]: 15[NET] received packet: from
4.3.2.1[500] to 1.2.3.4[500] (604 bytes)
Jun 16 11:03:52 hostname ipsec[4275]: 15[ENC] parsed IKE_SA_INIT
request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP)
]
Jun 16 11:03:52 hostname ipsec[4275]: 15[IKE] 4.3.2.1 is initiating
an IKE_SA
Jun 16 11:03:52 hostname ipsec[4275]: 15[IKE] remote host is behind
NAT
Jun 16 11:03:52 hostname ipsec[4275]: 15[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH)
]
Jun 16 11:03:52 hostname charon: 10[NET] error writing to socket:
Invalid argument
Jun 16 11:03:52 hostname charon: 10[NET] error writing to socket:
Invalid argument
Jun 16 11:03:52 hostname charon: 10[NET] error writing to socket:
Invalid argument
Jun 16 11:03:52 hostname charon: 10[NET] error writing to socket:
Invalid argument
Jun 16 11:03:52 hostname ipsec[4275]: 15[NET] sending packet: from
1.2.3.4[500] to 4.3.2.1[500] (448 bytes)
Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] received packet: from
4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] unknown attribute type
(25)
Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] parsed IKE_AUTH
request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS
MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi
TSr ]
Jun 16 11:03:52 hostname ipsec[4275]: 06[CFG] looking for peer
configs matching 1.2.3.4[host.example.com]...4.3.2.1[clientdevice]
Jun 16 11:03:52 hostname ipsec[4275]: 06[CFG] selected peer config
'iosuser'
Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] initiating
EAP_IDENTITY method (id 0x00)
Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] peer supports MOBIKE
Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] authentication of
'host.example.com' (myself) with RSA signature successful
Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] sending end entity
cert "CN=host.example.com"
Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating IKE_AUTH
response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] splitting IKE message
with length of 1664 bytes into 4 fragments
Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload
ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating IKE_AUTH
response 1 [ EF ]
Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload
ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating IKE_AUTH
response 1 [ EF ]
Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload
ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating IKE_AUTH
response 1 [ EF ]
Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload
ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating IKE_AUTH
response 1 [ EF ]
Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet: from
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to
socket: Invalid argument
Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet: from
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to
socket: Invalid argument
Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet: from
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to
socket: Invalid argument
Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet: from
1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to
socket: Invalid argument
Jun 16 11:03:52 hostname ipsec[4275]: 16[NET] received packet: from
4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
Jun 16 11:03:55 hostname charon: 06[NET] received packet: from
4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
Jun 16 11:03:55 hostname charon: 06[ENC] unknown attribute type (25)
Jun 16 11:03:55 hostname charon: 06[ENC] parsed IKE_AUTH request 1 [
IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6
DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun 16 11:03:55 hostname charon: 06[IKE] received retransmit of
request with ID 1, retransmitting response
Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from
1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
Jun 16 11:03:55 hostname charon: 10[NET] error writing to socket:
Invalid argument
Jun 16 11:03:55 hostname charon: 10[NET] error writing to socket:
Invalid argument
Jun 16 11:03:55 hostname charon: 10[NET] error writing to socket:
Invalid argument
Jun 16 11:03:55 hostname charon: 10[NET] error writing to socket:
Invalid argument
Jun 16 11:03:58 hostname charon: 05[NET] received packet: from
4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
Jun 16 11:03:58 hostname charon: 05[ENC] unknown attribute type (25)
Jun 16 11:03:58 hostname charon: 05[ENC] parsed IKE_AUTH request 1 [
IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6
DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun 16 11:03:58 hostname charon: 05[IKE] received retransmit of
request with ID 1, retransmitting response
Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from
1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
Jun 16 11:03:58 hostname charon: 10[NET] error writing to socket:
Invalid argument
Jun 16 11:03:58 hostname charon: 10[NET] error writing to socket:
Invalid argument
Jun 16 11:03:58 hostname charon: 10[NET] error writing to socket:
Invalid argument
Jun 16 11:03:58 hostname charon: 10[NET] error writing to socket:
Invalid argument
Jun 16 11:04:19 hostname charon: 14[JOB] deleting half open IKE_SA
after timeout
Jun 16 11:04:53 hostname charon: 04[KNL] unable to receive from rt
event socket
Any advice would be gratefully received. Thanks in advance.
Pete
More information about the Users
mailing list