[strongSwan] Help debugging IKEv2 connection

Pete Donnell pete at alephnull.uk
Sat Jun 17 12:25:02 CEST 2017


Hi all,

I've run into a bit of a problem with a simple IKEv2 connection, and I 
was hoping someone on here might be able to offer some insight into 
what's up with it.

I've got a StrongSwan VPN set up on a Debian Jessie VM. From most places 
it works fine - I've used it on the road from a variety of homes, 
offices, and mobile data connections. For some reason I can't get it to 
connect from my home ISP. Initially it worked but only after several 
connection attempts, and it would frequently drop the connection. After 
checking error logs and searching online, I added fragmentation=yes to 
ipsec.conf and it worked well for a couple of days. It has since stopped 
working at all, despite me not making any further config changes. My ISP 
assures me that there is nothing wrong with the line, and I haven't had 
any issues connecting to anything else. I can only assume that 
StrongSwan's config doesn't get on with my router/firewall for some 
reason. Please can anyone help me debug?

In case it's relevant, I'm using the stock Debian stable kernel and 
StrongSwan packages, versions 3.16.0 and 5.2.1 respectively. My Linux 
knowledge is pretty solid, but knowledge of networking and VPNs much 
less so.

Here's /etc/ipsec.conf:

     config setup

     conn %default
         keyexchange=ikev2
         leftid=host.example.com
         leftcert=fullchain.pem
         leftsubnet=0.0.0.0/0
         right=%any
         rightsourceip=10.11.12.0/24
         rightdns=2001:1608:10:25::1c04:b12f,2001:1608:10:25::9249:d69b,84.200.69.80,84.200.70.40
         dpdaction=clear

     conn iosuser
         leftsendcert=always
         rightauth=eap-mschapv2
         eap_identity=%identity
         auto=add
         fragmentation=yes

Here's /etc/ipsec.secrets:

     include /var/lib/strongswan/ipsec.secrets.inc

      : RSA privkey.pem
     user : EAP "password"

And here's the redacted part of /var/log/syslog relating to a failed 
connection attempt:

     Jun 16 11:03:48 hostname charon: 15[NET] received packet: from 
4.3.2.1[500] to 1.2.3.4[500] (604 bytes)
     Jun 16 11:03:48 hostname charon: 15[ENC] parsed IKE_SA_INIT request 
0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
     Jun 16 11:03:48 hostname charon: 15[IKE] 4.3.2.1 is initiating an 
IKE_SA
     Jun 16 11:03:49 hostname charon: 15[IKE] remote host is behind NAT
     Jun 16 11:03:49 hostname charon: 15[ENC] generating IKE_SA_INIT 
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) 
]
     Jun 16 11:03:49 hostname charon: 15[NET] sending packet: from 
1.2.3.4[500] to 4.3.2.1[500] (448 bytes)
     Jun 16 11:03:49 hostname charon: 06[NET] received packet: from 
4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
     Jun 16 11:03:49 hostname charon: 06[ENC] unknown attribute type (25)
     Jun 16 11:03:49 hostname charon: 06[ENC] parsed IKE_AUTH request 1 [ 
IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 
DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
     Jun 16 11:03:49 hostname charon: 06[CFG] looking for peer configs 
matching 1.2.3.4[host.example.com]...4.3.2.1[clientdevice]
     Jun 16 11:03:49 hostname charon: 06[CFG] selected peer config 
'iosuser'
     Jun 16 11:03:49 hostname charon: 06[IKE] initiating EAP_IDENTITY 
method (id 0x00)
     Jun 16 11:03:49 hostname charon: 06[IKE] received 
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
     Jun 16 11:03:49 hostname charon: 06[IKE] peer supports MOBIKE
     Jun 16 11:03:49 hostname charon: 06[IKE] authentication of 
'host.example.com' (myself) with RSA signature successful
     Jun 16 11:03:49 hostname charon: 06[IKE] sending end entity cert 
"CN=host.example.com"
     Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH 
response 1 [ IDr CERT AUTH EAP/REQ/ID ]
     Jun 16 11:03:49 hostname charon: 06[ENC] splitting IKE message with 
length of 1664 bytes into 4 fragments
     Jun 16 11:03:49 hostname charon: 06[ENC] payload ENCRYPTED_FRAGMENT 
has no ordering rule in IKE_AUTH response
     Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH 
response 1 [ EF ]
     Jun 16 11:03:49 hostname charon: 06[ENC] payload ENCRYPTED_FRAGMENT 
has no ordering rule in IKE_AUTH response
     Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH 
response 1 [ EF ]
     Jun 16 11:03:49 hostname charon: 06[ENC] payload ENCRYPTED_FRAGMENT 
has no ordering rule in IKE_AUTH response
     Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH 
response 1 [ EF ]
     Jun 16 11:03:49 hostname charon: 06[ENC] payload ENCRYPTED_FRAGMENT 
has no ordering rule in IKE_AUTH response
     Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH 
response 1 [ EF ]
     Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from 
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
     Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket: 
Invalid argument
     Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from 
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
     Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket: 
Invalid argument
     Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from 
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
     Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket: 
Invalid argument
     Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from 
1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
     Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket: 
Invalid argument
     Jun 16 11:03:52 hostname charon: 16[NET] received packet: from 
4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
     Jun 16 11:03:52 hostname charon: 16[ENC] unknown attribute type (25)
     Jun 16 11:03:52 hostname charon: 16[ENC] parsed IKE_AUTH request 1 [ 
IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 
DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
     Jun 16 11:03:52 hostname charon: 16[IKE] received retransmit of 
request with ID 1, retransmitting response
     Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from 
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
     Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from 
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
     Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from 
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
     Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from 
1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
     Jun 16 11:03:52 hostname ipsec[4275]: 00[DMN] Starting IKE charon 
daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64)
     Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] HA config misses 
local/remote address
     Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] plugin 'ha': failed to 
load - ha_plugin_create returned NULL
     Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading ca 
certificates from '/etc/ipsec.d/cacerts'
     Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading aa 
certificates from '/etc/ipsec.d/aacerts'
     Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading ocsp signer 
certificates from '/etc/ipsec.d/ocspcerts'
     Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading attribute 
certificates from '/etc/ipsec.d/acerts'
     Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading crls from 
'/etc/ipsec.d/crls'
     Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading secrets from 
'/etc/ipsec.secrets'
     Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] expanding file 
expression '/var/lib/strongswan/ipsec.secrets.inc' failed
     Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG]   loaded RSA private 
key from '/etc/ipsec.d/private/privkey.pem'
     Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG]   loaded EAP secret 
for raoul
     Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loaded 0 RADIUS server 
configurations
     Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] loaded plugins: charon 
aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey 
pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp 
agent xcbc hmac gcm attr kernel-netlink resolve socket-default farp 
stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 
eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam 
tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
     Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] unable to load 5 
plugin features (5 due to unmet dependencies)
     Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] dropped capabilities, 
running as uid 0, gid 0
     Jun 16 11:03:52 hostname ipsec[4275]: 00[JOB] spawning 16 worker 
threads
     Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] received stroke: add 
connection 'iosuser'
     Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] left nor right host is 
our side, assuming left=local
     Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] adding virtual IP 
address pool 10.11.12.0/24
     Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG]   loaded certificate 
"CN=host.example.com" from 'fullchain.pem'
     Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] added configuration 
'iosuser'
     Jun 16 11:03:52 hostname ipsec[4275]: 15[NET] received packet: from 
4.3.2.1[500] to 1.2.3.4[500] (604 bytes)
     Jun 16 11:03:52 hostname ipsec[4275]: 15[ENC] parsed IKE_SA_INIT 
request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) 
]
     Jun 16 11:03:52 hostname ipsec[4275]: 15[IKE] 4.3.2.1 is initiating 
an IKE_SA
     Jun 16 11:03:52 hostname ipsec[4275]: 15[IKE] remote host is behind 
NAT
     Jun 16 11:03:52 hostname ipsec[4275]: 15[ENC] generating IKE_SA_INIT 
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) 
]
     Jun 16 11:03:52 hostname charon: 10[NET] error writing to socket: 
Invalid argument
     Jun 16 11:03:52 hostname charon: 10[NET] error writing to socket: 
Invalid argument
     Jun 16 11:03:52 hostname charon: 10[NET] error writing to socket: 
Invalid argument
     Jun 16 11:03:52 hostname charon: 10[NET] error writing to socket: 
Invalid argument
     Jun 16 11:03:52 hostname ipsec[4275]: 15[NET] sending packet: from 
1.2.3.4[500] to 4.3.2.1[500] (448 bytes)
     Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] received packet: from 
4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] unknown attribute type 
(25)
     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] parsed IKE_AUTH 
request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS 
MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi 
TSr ]
     Jun 16 11:03:52 hostname ipsec[4275]: 06[CFG] looking for peer 
configs matching 1.2.3.4[host.example.com]...4.3.2.1[clientdevice]
     Jun 16 11:03:52 hostname ipsec[4275]: 06[CFG] selected peer config 
'iosuser'
     Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] initiating 
EAP_IDENTITY method (id 0x00)
     Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] received 
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
     Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] peer supports MOBIKE
     Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] authentication of 
'host.example.com' (myself) with RSA signature successful
     Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] sending end entity 
cert "CN=host.example.com"
     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating IKE_AUTH 
response 1 [ IDr CERT AUTH EAP/REQ/ID ]
     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] splitting IKE message 
with length of 1664 bytes into 4 fragments
     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload 
ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating IKE_AUTH 
response 1 [ EF ]
     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload 
ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating IKE_AUTH 
response 1 [ EF ]
     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload 
ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating IKE_AUTH 
response 1 [ EF ]
     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload 
ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating IKE_AUTH 
response 1 [ EF ]
     Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet: from 
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
     Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to 
socket: Invalid argument
     Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet: from 
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
     Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to 
socket: Invalid argument
     Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet: from 
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
     Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to 
socket: Invalid argument
     Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet: from 
1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
     Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to 
socket: Invalid argument
     Jun 16 11:03:52 hostname ipsec[4275]: 16[NET] received packet: from 
4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
     Jun 16 11:03:55 hostname charon: 06[NET] received packet: from 
4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
     Jun 16 11:03:55 hostname charon: 06[ENC] unknown attribute type (25)
     Jun 16 11:03:55 hostname charon: 06[ENC] parsed IKE_AUTH request 1 [ 
IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 
DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
     Jun 16 11:03:55 hostname charon: 06[IKE] received retransmit of 
request with ID 1, retransmitting response
     Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from 
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
     Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from 
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
     Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from 
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
     Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from 
1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
     Jun 16 11:03:55 hostname charon: 10[NET] error writing to socket: 
Invalid argument
     Jun 16 11:03:55 hostname charon: 10[NET] error writing to socket: 
Invalid argument
     Jun 16 11:03:55 hostname charon: 10[NET] error writing to socket: 
Invalid argument
     Jun 16 11:03:55 hostname charon: 10[NET] error writing to socket: 
Invalid argument
     Jun 16 11:03:58 hostname charon: 05[NET] received packet: from 
4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
     Jun 16 11:03:58 hostname charon: 05[ENC] unknown attribute type (25)
     Jun 16 11:03:58 hostname charon: 05[ENC] parsed IKE_AUTH request 1 [ 
IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 
DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
     Jun 16 11:03:58 hostname charon: 05[IKE] received retransmit of 
request with ID 1, retransmitting response
     Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from 
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
     Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from 
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
     Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from 
1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
     Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from 
1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
     Jun 16 11:03:58 hostname charon: 10[NET] error writing to socket: 
Invalid argument
     Jun 16 11:03:58 hostname charon: 10[NET] error writing to socket: 
Invalid argument
     Jun 16 11:03:58 hostname charon: 10[NET] error writing to socket: 
Invalid argument
     Jun 16 11:03:58 hostname charon: 10[NET] error writing to socket: 
Invalid argument
     Jun 16 11:04:19 hostname charon: 14[JOB] deleting half open IKE_SA 
after timeout
     Jun 16 11:04:53 hostname charon: 04[KNL] unable to receive from rt 
event socket

Any advice would be gratefully received. Thanks in advance.
Pete
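A small triage script for charon logs like the one above, added here as an editorial example; it is not part of the post and not strongSwan's own tooling. It parses the standard `NN[GROUP] message` line format, pairs each "sending packet" line with its destination port, and counts the "error writing to socket" failures. Run over the post's log it surfaces the detail that is easy to miss when reading by hand: every send that fails is addressed to 4.3.2.1[0], i.e. UDP port 0, which is the port charon recorded for the NAT'd peer on the IKE_AUTH request ("received packet: from 4.3.2.1[0] to 1.2.3.4[4500]"), and the Linux UDP stack rejects sends to destination port 0 with EINVAL ("Invalid argument"). Whether a NAT device or the client is responsible for the zero port is something a packet capture on both sides would have to settle; the script only reports what the log shows. The sample lines are constructed to mirror the post (rejoined onto single lines), and the hostnames and addresses are the post's own placeholders.

```python
import re
from collections import Counter

# Constructed sample, modelled on the log in the post above (one record per line).
SAMPLE_LOG = """\
Jun 16 11:03:48 hostname charon: 15[NET] received packet: from 4.3.2.1[500] to 1.2.3.4[500] (604 bytes)
Jun 16 11:03:49 hostname charon: 15[IKE] remote host is behind NAT
Jun 16 11:03:49 hostname charon: 15[NET] sending packet: from 1.2.3.4[500] to 4.3.2.1[500] (448 bytes)
Jun 16 11:03:49 hostname charon: 06[NET] received packet: from 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
Jun 16 11:03:49 hostname charon: 06[ENC] splitting IKE message with length of 1664 bytes into 4 fragments
Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket: Invalid argument
Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket: Invalid argument
Jun 16 11:04:19 hostname charon: 14[JOB] deleting half open IKE_SA after timeout
"""

# syslog prefix, then charon's "<thread>[<GROUP>] <message>" record
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<proc>[\w\[\]]+): "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
# "received|sending packet: from A[p] to B[q] (n bytes)"
PACKET_RE = re.compile(
    r"^(?P<dir>received|sending) packet: from (?P<src>[0-9a-fA-F.:]+)\[(?P<sport>\d+)\] "
    r"to (?P<dst>[0-9a-fA-F.:]+)\[(?P<dport>\d+)\] \((?P<size>\d+) bytes\)$"
)
FRAG_RE = re.compile(r"splitting IKE message with length of (\d+) bytes into (\d+) fragments")


def parse_line(line):
    """Return a dict for one charon log line, with a parsed 'packet' sub-dict
    for send/receive records, or None for lines that are not charon records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    pm = PACKET_RE.match(rec["msg"])
    if pm:
        rec["packet"] = {
            k: (int(v) if k in ("sport", "dport", "size") else v)
            for k, v in pm.groupdict().items()
        }
    return rec


def triage(log_text):
    """Summarise NAT detection, fragmentation, port-0 sends and socket errors."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    report = {
        "behind_nat": any(r["msg"] == "remote host is behind NAT" for r in records),
        "peer_port_zero_seen": False,   # peer's NAT-T source port recorded as 0
        "fragments": [],                # (message length, fragment count)
        "sends_to_port_zero": [],       # "dst[0]" for every send the kernel will reject
        "socket_errors": Counter(),     # errno text -> count
        "half_open_timeouts": 0,
    }
    for r in records:
        fm = FRAG_RE.search(r["msg"])
        if fm:
            report["fragments"].append((int(fm.group(1)), int(fm.group(2))))
        pkt = r.get("packet")
        if pkt:
            if pkt["dir"] == "received" and pkt["sport"] == 0:
                report["peer_port_zero_seen"] = True
            if pkt["dir"] == "sending" and pkt["dport"] == 0:
                report["sends_to_port_zero"].append(f'{pkt["dst"]}[{pkt["dport"]}]')
        if r["msg"].startswith("error writing to socket:"):
            report["socket_errors"][r["msg"].split(": ", 1)[1]] += 1
        if "deleting half open IKE_SA" in r["msg"]:
            report["half_open_timeouts"] += 1
    return report


def findings(report):
    """Render the report as short, defender-oriented findings."""
    out = []
    if report["behind_nat"]:
        out.append("peer is behind NAT; IKE switches to UDP 4500 (NAT-T)")
    if report["peer_port_zero_seen"]:
        out.append("peer's NAT-T source port was recorded as 0")
    for length, n in report["fragments"]:
        out.append(f"IKE_AUTH response of {length} bytes was split into {n} fragments")
    if report["sends_to_port_zero"]:
        out.append(f"{len(report['sends_to_port_zero'])} send(s) addressed to UDP port 0; "
                   "Linux rejects such sends with EINVAL")
    for err, n in report["socket_errors"].items():
        out.append(f"{n} socket write error(s): {err}")
    if report["half_open_timeouts"]:
        out.append("IKE_SA never completed and was deleted after timeout")
    return out


if __name__ == "__main__":
    for line in findings(triage(SAMPLE_LOG)):
        print("-", line)
```

Pointing the script at the real file (`triage(open("/var/log/syslog").read())`) works as long as the lines are not wrapped the way the mailing-list archive wraps them; a capture taken with `tcpdump -ni any udp port 500 or udp port 4500` on the server is the natural next step to confirm what source port the peer's IKE_AUTH actually arrives from.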

