[strongSwan] Help debugging IKEv2 connection
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Sat Jun 17 16:44:46 CEST 2017
Hello Pete,
You have some kind of problem with your network configuration or the kernel:
> Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
> Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket: Invalid argument
> Jun 16 11:04:53 hostname charon: 04[KNL] unable to receive from rt event socket
Is the IP of the strongSwan host dynamic? Could it be that it changes during the IKE negotiation?
Any iptables rules? (`iptables-save`)?
On 17.06.2017 12:32, Pete O'Donall wrote:
> Hi all,
>
> I've run into a bit of a problem with a simple IKEv2 connection, and I was hoping someone on here might be able to offer some insight into what's up with it.
>
> I've got a StrongSwan VPN set up on a Debian Jessie VM. From most places it works fine - I've used it on the road from a variety of homes, offices, and mobile data connections. For some reason I can't get it to connect from my home ISP. Initially it worked but only after several connection attempts, and it would frequently drop the connection. After checking error logs and searching online, I added fragmentation=yes to ipsec.conf and it worked well for a couple of days. It has since stopped working at all, despite me not making any further config changes. My ISP assures me that there is nothing wrong with the line, and I haven't had any issues connecting to anything else. I can only assume that StrongSwan's config doesn't get on with my router/firewall for some reason. Please can anyone help me debug?
>
> In case it's relevant, I'm using the stock Debian stable kernel and StrongSwan packages, versions 3.16.0 and 5.2.1 respectively. My Linux knowledge is pretty solid, but knowledge of networking and VPNs much less so.
>
> Here's /etc/ipsec.conf:
>
> config setup
>
> conn %default
>     keyexchange=ikev2
>     leftid=host.example.com
>     leftcert=fullchain.pem
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightsourceip=10.11.12.0/24
>     rightdns=2001:1608:10:25::1c04:b12f,2001:1608:10:25::9249:d69b,84.200.69.80,84.200.70.40
>     dpdaction=clear
>
> conn iosuser
>     leftsendcert=always
>     rightauth=eap-mschapv2
>     eap_identity=%identity
>     auto=add
>     fragmentation=yes
>
> Here's /etc/ipsec.secrets:
>
> include /var/lib/strongswan/ipsec.secrets.inc
>
> : RSA privkey.pem
> user : EAP "password"
>
> And here's the redacted part of /var/log/syslog relating to a failed connection attempt:
>
> Jun 16 11:03:48 hostname charon: 15[NET] received packet: from 4.3.2.1[500] to 1.2.3.4[500] (604 bytes)
> Jun 16 11:03:48 hostname charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> Jun 16 11:03:48 hostname charon: 15[IKE] 4.3.2.1 is initiating an IKE_SA
> Jun 16 11:03:49 hostname charon: 15[IKE] remote host is behind NAT
> Jun 16 11:03:49 hostname charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
> Jun 16 11:03:49 hostname charon: 15[NET] sending packet: from 1.2.3.4[500] to 4.3.2.1[500] (448 bytes)
> Jun 16 11:03:49 hostname charon: 06[NET] received packet: from 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
> Jun 16 11:03:49 hostname charon: 06[ENC] unknown attribute type (25)
> Jun 16 11:03:49 hostname charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> Jun 16 11:03:49 hostname charon: 06[CFG] looking for peer configs matching 1.2.3.4[host.example.com]...4.3.2.1[clientdevice]
> Jun 16 11:03:49 hostname charon: 06[CFG] selected peer config 'iosuser'
> Jun 16 11:03:49 hostname charon: 06[IKE] initiating EAP_IDENTITY method (id 0x00)
> Jun 16 11:03:49 hostname charon: 06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Jun 16 11:03:49 hostname charon: 06[IKE] peer supports MOBIKE
> Jun 16 11:03:49 hostname charon: 06[IKE] authentication of 'host.example.com' (myself) with RSA signature successful
> Jun 16 11:03:49 hostname charon: 06[IKE] sending end entity cert "CN=host.example.com"
> Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> Jun 16 11:03:49 hostname charon: 06[ENC] splitting IKE message with length of 1664 bytes into 4 fragments
> Jun 16 11:03:49 hostname charon: 06[ENC] payload ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
> Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH response 1 [ EF ]
> Jun 16 11:03:49 hostname charon: 06[ENC] payload ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
> Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH response 1 [ EF ]
> Jun 16 11:03:49 hostname charon: 06[ENC] payload ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
> Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH response 1 [ EF ]
> Jun 16 11:03:49 hostname charon: 06[ENC] payload ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
> Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH response 1 [ EF ]
> Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
> Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket: Invalid argument
> Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
> Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket: Invalid argument
> Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
> Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket: Invalid argument
> Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
> Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket: Invalid argument
> Jun 16 11:03:52 hostname charon: 16[NET] received packet: from 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
> Jun 16 11:03:52 hostname charon: 16[ENC] unknown attribute type (25)
> Jun 16 11:03:52 hostname charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> Jun 16 11:03:52 hostname charon: 16[IKE] received retransmit of request with ID 1, retransmitting response
> Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
> Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
> Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
> Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
> Jun 16 11:03:52 hostname ipsec[4275]: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64)
> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] HA config misses local/remote address
> Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/privkey.pem'
> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loaded EAP secret for raoul
> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loaded 0 RADIUS server configurations
> Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
> Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
> Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] dropped capabilities, running as uid 0, gid 0
> Jun 16 11:03:52 hostname ipsec[4275]: 00[JOB] spawning 16 worker threads
> Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] received stroke: add connection 'iosuser'
> Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] left nor right host is our side, assuming left=local
> Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] adding virtual IP address pool 10.11.12.0/24
> Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] loaded certificate "CN=host.example.com" from 'fullchain.pem'
> Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] added configuration 'iosuser'
> Jun 16 11:03:52 hostname ipsec[4275]: 15[NET] received packet: from 4.3.2.1[500] to 1.2.3.4[500] (604 bytes)
> Jun 16 11:03:52 hostname ipsec[4275]: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> Jun 16 11:03:52 hostname ipsec[4275]: 15[IKE] 4.3.2.1 is initiating an IKE_SA
> Jun 16 11:03:52 hostname ipsec[4275]: 15[IKE] remote host is behind NAT
> Jun 16 11:03:52 hostname ipsec[4275]: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
> Jun 16 11:03:52 hostname charon: 10[NET] error writing to socket: Invalid argument
> Jun 16 11:03:52 hostname charon: 10[NET] error writing to socket: Invalid argument
> Jun 16 11:03:52 hostname charon: 10[NET] error writing to socket: Invalid argument
> Jun 16 11:03:52 hostname charon: 10[NET] error writing to socket: Invalid argument
> Jun 16 11:03:52 hostname ipsec[4275]: 15[NET] sending packet: from 1.2.3.4[500] to 4.3.2.1[500] (448 bytes)
> Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] received packet: from 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] unknown attribute type (25)
> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> Jun 16 11:03:52 hostname ipsec[4275]: 06[CFG] looking for peer configs matching 1.2.3.4[host.example.com]...4.3.2.1[clientdevice]
> Jun 16 11:03:52 hostname ipsec[4275]: 06[CFG] selected peer config 'iosuser'
> Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] initiating EAP_IDENTITY method (id 0x00)
> Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] peer supports MOBIKE
> Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] authentication of 'host.example.com' (myself) with RSA signature successful
> Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] sending end entity cert "CN=host.example.com"
> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] splitting IKE message with length of 1664 bytes into 4 fragments
> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating IKE_AUTH response 1 [ EF ]
> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating IKE_AUTH response 1 [ EF ]
> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating IKE_AUTH response 1 [ EF ]
> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating IKE_AUTH response 1 [ EF ]
> Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
> Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to socket: Invalid argument
> Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
> Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to socket: Invalid argument
> Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
> Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to socket: Invalid argument
> Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
> Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to socket: Invalid argument
> Jun 16 11:03:52 hostname ipsec[4275]: 16[NET] received packet: from 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
> Jun 16 11:03:55 hostname charon: 06[NET] received packet: from 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
> Jun 16 11:03:55 hostname charon: 06[ENC] unknown attribute type (25)
> Jun 16 11:03:55 hostname charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> Jun 16 11:03:55 hostname charon: 06[IKE] received retransmit of request with ID 1, retransmitting response
> Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
> Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
> Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
> Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
> Jun 16 11:03:55 hostname charon: 10[NET] error writing to socket: Invalid argument
> Jun 16 11:03:55 hostname charon: 10[NET] error writing to socket: Invalid argument
> Jun 16 11:03:55 hostname charon: 10[NET] error writing to socket: Invalid argument
> Jun 16 11:03:55 hostname charon: 10[NET] error writing to socket: Invalid argument
> Jun 16 11:03:58 hostname charon: 05[NET] received packet: from 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
> Jun 16 11:03:58 hostname charon: 05[ENC] unknown attribute type (25)
> Jun 16 11:03:58 hostname charon: 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> Jun 16 11:03:58 hostname charon: 05[IKE] received retransmit of request with ID 1, retransmitting response
> Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
> Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
> Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
> Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
> Jun 16 11:03:58 hostname charon: 10[NET] error writing to socket: Invalid argument
> Jun 16 11:03:58 hostname charon: 10[NET] error writing to socket: Invalid argument
> Jun 16 11:03:58 hostname charon: 10[NET] error writing to socket: Invalid argument
> Jun 16 11:03:58 hostname charon: 10[NET] error writing to socket: Invalid argument
> Jun 16 11:04:19 hostname charon: 14[JOB] deleting half open IKE_SA after timeout
> Jun 16 11:04:53 hostname charon: 04[KNL] unable to receive from rt event socket
>
> Any advice would be gratefully received. Thanks in advance.
> Pete
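The posted log shows the pattern a triager should pick out: after the switch to NAT traversal, every IKE_AUTH request arrives "from 4.3.2.1[0]", so charon addresses its (fragmented) response to UDP port 0 and the kernel refuses the send with "Invalid argument" (Linux's UDP send path returns EINVAL for a zero destination port). The client never gets the IKE_AUTH response, retransmits, and the half-open IKE_SA times out. The script below is an added example written for this thread, not code from strongSwan or from either poster: it runs that check over charon [NET] lines, counts sends to port 0 and socket errors per peer, and separately reproduces the kernel behaviour with a plain UDP socket. The sample lines are constructed to match the format of the posted syslog excerpt; the function names and the verdict strings are my own.

```python
"""Triage charon [NET] log lines for IKE responses addressed to UDP port 0.

Added example for the strongSwan users thread; not strongSwan's own code.
Regexes follow the charon log format shown in the posted syslog excerpt.
"""
import errno
import re
import socket
from collections import Counter

# charon prints addresses as IP[port]; a port of 0 after the NAT-T switch
# means the peer's source port was lost somewhere on the path.
_ADDR = r"([^\s\[]+)\[(\d+)\]"
SEND_RE = re.compile(r"\[NET\] sending packet: from " + _ADDR + r" to " + _ADDR + r" \((\d+) bytes\)")
RECV_RE = re.compile(r"\[NET\] received packet: from " + _ADDR + r" to " + _ADDR + r" \((\d+) bytes\)")
ERR_RE = re.compile(r"\[NET\] error writing to socket: (.+?)\s*$")
NAT_RE = re.compile(r"\[IKE\] remote host is behind NAT")

# Constructed sample, modelled on the redacted log in the thread (not a real capture).
SAMPLE_LOG = """\
Jun 16 11:03:48 hostname charon: 15[NET] received packet: from 4.3.2.1[500] to 1.2.3.4[500] (604 bytes)
Jun 16 11:03:49 hostname charon: 15[IKE] remote host is behind NAT
Jun 16 11:03:49 hostname charon: 15[NET] sending packet: from 1.2.3.4[500] to 4.3.2.1[500] (448 bytes)
Jun 16 11:03:49 hostname charon: 06[NET] received packet: from 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket: Invalid argument
Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket: Invalid argument
"""


def analyse(lines):
    """Summarise sends, send errors and zero-port peers seen in charon log lines."""
    zero_port_sources = Counter()  # remote IP -> packets received with source port 0
    zero_port_sends = Counter()    # remote IP -> responses charon tried to send to port 0
    send_errors = Counter()        # kernel error text -> occurrences
    total_sends = 0
    behind_nat = False
    for line in lines:
        m = RECV_RE.search(line)
        if m:
            if int(m.group(2)) == 0:
                zero_port_sources[m.group(1)] += 1
            continue
        m = SEND_RE.search(line)
        if m:
            total_sends += 1
            if int(m.group(4)) == 0:
                zero_port_sends[m.group(3)] += 1
            continue
        m = ERR_RE.search(line)
        if m:
            send_errors[m.group(1)] += 1
            continue
        if NAT_RE.search(line):
            behind_nat = True
    return {
        "total_sends": total_sends,
        "zero_port_sends": dict(zero_port_sends),
        "zero_port_sources": dict(zero_port_sources),
        "send_errors": dict(send_errors),
        "peer_behind_nat": behind_nat,
    }


def verdict(summary):
    """Turn the counts into the one-line diagnosis a triager wants."""
    if summary["zero_port_sends"] and "Invalid argument" in summary["send_errors"]:
        peers = ", ".join(sorted(summary["zero_port_sends"]))
        return ("responses addressed to UDP port 0 for " + peers +
                "; the kernel rejects such sends with EINVAL, so the peer never "
                "gets the IKE_AUTH response (check NAT/firewall on the path)")
    if summary["send_errors"]:
        return "send errors without port-0 destinations; check routing and iptables"
    return "no send failures"


def probe_udp_send_to_port_zero(addr="127.0.0.1"):
    """Reproduce what charon hits: sendto() a UDP datagram to port 0.

    Returns the errno name the kernel answered with (Linux: 'EINVAL'),
    or None if the send was accepted (other platforms may differ).
    """
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e))
    with s:
        try:
            s.sendto(b"probe", (addr, 0))
        except OSError as e:
            return errno.errorcode.get(e.errno, str(e))
    return None


if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG.splitlines())
    print(summary)
    print(verdict(summary))
    print("sendto port 0 ->", probe_udp_send_to_port_zero())
```

To run it against a real log, feed `analyse()` the output of `grep '\[NET\]' /var/log/syslog` (or `journalctl -u strongswan`). A "zero_port_sources" hit is the thing to chase on the network side: the IKE_SA_INIT exchange on port 500 kept the client's real port, and only the port-4500 traffic arrives with source port 0, so whatever is on the path between the client and the gateway is mangling UDP/4500 specifically.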