[strongSwan] Help debugging IKEv2 connection
Pete O'Donall
strongswan at rianne.me.uk
Sun Jun 18 13:29:28 CEST 2017
Hi Noel,
Thanks for taking the time to read my message and send a reply. The
output of `iptables-save` included this line:
-A POSTROUTING -s 10.11.0.0/16 -o eth0 -j MASQUERADE
Replacing it with the line below, to match the netblock of the
rightsourceip value, seems to have fixed the issue:
-A POSTROUTING -s 10.11.12.0/24 -o eth0 -j MASQUERADE
Hope I'm not speaking too soon about it being fixed and that that was
the cause of my problem!
All the best,
Pete
On 2017-06-17 15:44, Noel Kuntze wrote:
> Hello Pete,
>
> You have some kind of problem with your network configuration or the
> kernel:
>> Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from
>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>> Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket:
>> Invalid argument
>>> Jun 16 11:04:53 hostname charon: 04[KNL] unable to receive from
>>> rt event socket
>
> Is the IP of the strongSwan host dynamic? Could it be that it changes
> during the IKE negotiation?
> Any iptables rules? (`iptables-save`)
>
>
>
> On 17.06.2017 12:32, Pete O'Donall wrote:
>> Hi all,
>>
>> I've run into a bit of a problem with a simple IKEv2 connection, and I
>> was hoping someone on here might be able to offer some insight into
>> what's up with it.
>>
>> I've got a StrongSwan VPN set up on a Debian Jessie VM. From most
>> places it works fine - I've used it on the road from a variety of
>> homes, offices, and mobile data connections. For some reason I can't
>> get it to connect from my home ISP. Initially it worked but only after
>> several connection attempts, and it would frequently drop the
>> connection. After checking error logs and searching online, I added
>> fragmentation=yes to ipsec.conf and it worked well for a couple of
>> days. It has since stopped working at all, despite me not making any
>> further config changes. My ISP assures me that there is nothing wrong
>> with the line, and I haven't had any issues connecting to anything
>> else. I can only assume that StrongSwan's config doesn't get on with
>> my router/firewall for some reason. Please can anyone help me debug?
>>
>> In case it's relevant, I'm using the stock Debian stable kernel and
>> StrongSwan packages, versions 3.16.0 and 5.2.1 respectively. My Linux
>> knowledge is pretty solid, but knowledge of networking and VPNs much
>> less so.
>>
>> Here's /etc/ipsec.conf:
>>
>> config setup
>>
>> conn %default
>>     keyexchange=ikev2
>>     leftid=host.example.com
>>     leftcert=fullchain.pem
>>     leftsubnet=0.0.0.0/0
>>     right=%any
>>     rightsourceip=10.11.12.0/24
>>     rightdns=2001:1608:10:25::1c04:b12f,2001:1608:10:25::9249:d69b,84.200.69.80,84.200.70.40
>>     dpdaction=clear
>>
>> conn iosuser
>>     leftsendcert=always
>>     rightauth=eap-mschapv2
>>     eap_identity=%identity
>>     auto=add
>>     fragmentation=yes
>>
>> Here's /etc/ipsec.secrets:
>>
>> include /var/lib/strongswan/ipsec.secrets.inc
>>
>> : RSA privkey.pem
>> user : EAP "password"
>>
>> And here's the redacted part of /var/log/syslog relating to a failed
>> connection attempt:
>>
>> Jun 16 11:03:48 hostname charon: 15[NET] received packet: from
>> 4.3.2.1[500] to 1.2.3.4[500] (604 bytes)
>> Jun 16 11:03:48 hostname charon: 15[ENC] parsed IKE_SA_INIT
>> request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP)
>> N(FRAG_SUP) ]
>> Jun 16 11:03:48 hostname charon: 15[IKE] 4.3.2.1 is initiating an
>> IKE_SA
>> Jun 16 11:03:49 hostname charon: 15[IKE] remote host is behind NAT
>> Jun 16 11:03:49 hostname charon: 15[ENC] generating IKE_SA_INIT
>> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP)
>> N(MULT_AUTH) ]
>> Jun 16 11:03:49 hostname charon: 15[NET] sending packet: from
>> 1.2.3.4[500] to 4.3.2.1[500] (448 bytes)
>> Jun 16 11:03:49 hostname charon: 06[NET] received packet: from
>> 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
>> Jun 16 11:03:49 hostname charon: 06[ENC] unknown attribute type
>> (25)
>> Jun 16 11:03:49 hostname charon: 06[ENC] parsed IKE_AUTH request 1
>> [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6
>> DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>> Jun 16 11:03:49 hostname charon: 06[CFG] looking for peer configs
>> matching 1.2.3.4[host.example.com]...4.3.2.1[clientdevice]
>> Jun 16 11:03:49 hostname charon: 06[CFG] selected peer config
>> 'iosuser'
>> Jun 16 11:03:49 hostname charon: 06[IKE] initiating EAP_IDENTITY
>> method (id 0x00)
>> Jun 16 11:03:49 hostname charon: 06[IKE] received
>> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>> Jun 16 11:03:49 hostname charon: 06[IKE] peer supports MOBIKE
>> Jun 16 11:03:49 hostname charon: 06[IKE] authentication of
>> 'host.example.com' (myself) with RSA signature successful
>> Jun 16 11:03:49 hostname charon: 06[IKE] sending end entity cert
>> "CN=host.example.com"
>> Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH
>> response 1 [ IDr CERT AUTH EAP/REQ/ID ]
>> Jun 16 11:03:49 hostname charon: 06[ENC] splitting IKE message
>> with length of 1664 bytes into 4 fragments
>> Jun 16 11:03:49 hostname charon: 06[ENC] payload
>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>> Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH
>> response 1 [ EF ]
>> Jun 16 11:03:49 hostname charon: 06[ENC] payload
>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>> Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH
>> response 1 [ EF ]
>> Jun 16 11:03:49 hostname charon: 06[ENC] payload
>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>> Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH
>> response 1 [ EF ]
>> Jun 16 11:03:49 hostname charon: 06[ENC] payload
>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>> Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH
>> response 1 [ EF ]
>> Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from
>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>> Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket:
>> Invalid argument
>> Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from
>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>> Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket:
>> Invalid argument
>> Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from
>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>> Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket:
>> Invalid argument
>> Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from
>> 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
>> Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket:
>> Invalid argument
>> Jun 16 11:03:52 hostname charon: 16[NET] received packet: from
>> 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
>> Jun 16 11:03:52 hostname charon: 16[ENC] unknown attribute type
>> (25)
>> Jun 16 11:03:52 hostname charon: 16[ENC] parsed IKE_AUTH request 1
>> [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6
>> DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>> Jun 16 11:03:52 hostname charon: 16[IKE] received retransmit of
>> request with ID 1, retransmitting response
>> Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from
>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>> Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from
>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>> Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from
>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>> Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from
>> 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
>> Jun 16 11:03:52 hostname ipsec[4275]: 00[DMN] Starting IKE charon
>> daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64)
>> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] HA config misses
>> local/remote address
>> Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] plugin 'ha': failed
>> to load - ha_plugin_create returned NULL
>> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading ca
>> certificates from '/etc/ipsec.d/cacerts'
>> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading aa
>> certificates from '/etc/ipsec.d/aacerts'
>> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading ocsp signer
>> certificates from '/etc/ipsec.d/ocspcerts'
>> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading attribute
>> certificates from '/etc/ipsec.d/acerts'
>> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading crls from
>> '/etc/ipsec.d/crls'
>> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading secrets from
>> '/etc/ipsec.secrets'
>> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] expanding file
>> expression '/var/lib/strongswan/ipsec.secrets.inc' failed
>> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loaded RSA private
>> key from '/etc/ipsec.d/private/privkey.pem'
>> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loaded EAP secret
>> for raoul
>> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loaded 0 RADIUS
>> server configurations
>> Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] loaded plugins:
>> charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints
>> pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf
>> gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default
>> farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2
>> eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam
>> tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
>> Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] unable to load 5
>> plugin features (5 due to unmet dependencies)
>> Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] dropped
>> capabilities, running as uid 0, gid 0
>> Jun 16 11:03:52 hostname ipsec[4275]: 00[JOB] spawning 16 worker
>> threads
>> Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] received stroke: add
>> connection 'iosuser'
>> Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] left nor right host
>> is our side, assuming left=local
>> Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] adding virtual IP
>> address pool 10.11.12.0/24
>> Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] loaded certificate
>> "CN=host.example.com" from 'fullchain.pem'
>> Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] added configuration
>> 'iosuser'
>> Jun 16 11:03:52 hostname ipsec[4275]: 15[NET] received packet:
>> from 4.3.2.1[500] to 1.2.3.4[500] (604 bytes)
>> Jun 16 11:03:52 hostname ipsec[4275]: 15[ENC] parsed IKE_SA_INIT
>> request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP)
>> N(FRAG_SUP) ]
>> Jun 16 11:03:52 hostname ipsec[4275]: 15[IKE] 4.3.2.1 is
>> initiating an IKE_SA
>> Jun 16 11:03:52 hostname ipsec[4275]: 15[IKE] remote host is
>> behind NAT
>> Jun 16 11:03:52 hostname ipsec[4275]: 15[ENC] generating
>> IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> N(FRAG_SUP) N(MULT_AUTH) ]
>> Jun 16 11:03:52 hostname charon: 10[NET] error writing to socket:
>> Invalid argument
>> Jun 16 11:03:52 hostname charon: 10[NET] error writing to socket:
>> Invalid argument
>> Jun 16 11:03:52 hostname charon: 10[NET] error writing to socket:
>> Invalid argument
>> Jun 16 11:03:52 hostname charon: 10[NET] error writing to socket:
>> Invalid argument
>> Jun 16 11:03:52 hostname ipsec[4275]: 15[NET] sending packet: from
>> 1.2.3.4[500] to 4.3.2.1[500] (448 bytes)
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] received packet:
>> from 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] unknown attribute
>> type (25)
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] parsed IKE_AUTH
>> request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS
>> MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi
>> TSr ]
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[CFG] looking for peer
>> configs matching 1.2.3.4[host.example.com]...4.3.2.1[clientdevice]
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[CFG] selected peer config
>> 'iosuser'
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] initiating
>> EAP_IDENTITY method (id 0x00)
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] received
>> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] peer supports MOBIKE
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] authentication of
>> 'host.example.com' (myself) with RSA signature successful
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] sending end entity
>> cert "CN=host.example.com"
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating IKE_AUTH
>> response 1 [ IDr CERT AUTH EAP/REQ/ID ]
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] splitting IKE
>> message with length of 1664 bytes into 4 fragments
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload
>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating IKE_AUTH
>> response 1 [ EF ]
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload
>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating IKE_AUTH
>> response 1 [ EF ]
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload
>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating IKE_AUTH
>> response 1 [ EF ]
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload
>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating IKE_AUTH
>> response 1 [ EF ]
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet: from
>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>> Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to
>> socket: Invalid argument
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet: from
>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>> Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to
>> socket: Invalid argument
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet: from
>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>> Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to
>> socket: Invalid argument
>> Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet: from
>> 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
>> Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to
>> socket: Invalid argument
>> Jun 16 11:03:52 hostname ipsec[4275]: 16[NET] received packet:
>> from 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
>> Jun 16 11:03:55 hostname charon: 06[NET] received packet: from
>> 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
>> Jun 16 11:03:55 hostname charon: 06[ENC] unknown attribute type
>> (25)
>> Jun 16 11:03:55 hostname charon: 06[ENC] parsed IKE_AUTH request 1
>> [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6
>> DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>> Jun 16 11:03:55 hostname charon: 06[IKE] received retransmit of
>> request with ID 1, retransmitting response
>> Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from
>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>> Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from
>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>> Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from
>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>> Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from
>> 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
>> Jun 16 11:03:55 hostname charon: 10[NET] error writing to socket:
>> Invalid argument
>> Jun 16 11:03:55 hostname charon: 10[NET] error writing to socket:
>> Invalid argument
>> Jun 16 11:03:55 hostname charon: 10[NET] error writing to socket:
>> Invalid argument
>> Jun 16 11:03:55 hostname charon: 10[NET] error writing to socket:
>> Invalid argument
>> Jun 16 11:03:58 hostname charon: 05[NET] received packet: from
>> 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
>> Jun 16 11:03:58 hostname charon: 05[ENC] unknown attribute type
>> (25)
>> Jun 16 11:03:58 hostname charon: 05[ENC] parsed IKE_AUTH request 1
>> [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6
>> DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>> Jun 16 11:03:58 hostname charon: 05[IKE] received retransmit of
>> request with ID 1, retransmitting response
>> Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from
>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>> Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from
>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>> Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from
>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>> Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from
>> 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
>> Jun 16 11:03:58 hostname charon: 10[NET] error writing to socket:
>> Invalid argument
>> Jun 16 11:03:58 hostname charon: 10[NET] error writing to socket:
>> Invalid argument
>> Jun 16 11:03:58 hostname charon: 10[NET] error writing to socket:
>> Invalid argument
>> Jun 16 11:03:58 hostname charon: 10[NET] error writing to socket:
>> Invalid argument
>> Jun 16 11:04:19 hostname charon: 14[JOB] deleting half open IKE_SA
>> after timeout
>> Jun 16 11:04:53 hostname charon: 04[KNL] unable to receive from rt
>> event socket
>>
>> Any advice would be gratefully received. Thanks in advance.
>> Pete
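As an added triage helper (my own example, not part of this thread): a Python script that walks charon syslog lines in the format Pete posted, pairs each "sending packet" line with the "error writing to socket" line that follows it, and reports how many of the failing sends were addressed to destination port 0, the detail that stands out in the failing attempts above (no UDP socket can deliver to port 0). The sample lines are constructed to match the thread's format and names.

```python
import re

# Constructed sample, modelled on the syslog excerpt in the thread (not the real log).
SAMPLE_LOG = """\
Jun 16 11:03:49 hostname charon: 15[NET] sending packet: from 1.2.3.4[500] to 4.3.2.1[500] (448 bytes)
Jun 16 11:03:49 hostname charon: 06[NET] received packet: from 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket: Invalid argument
Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
Jun 16 11:03:49 hostname charon: 10[NET] error writing to socket: Invalid argument
Jun 16 11:03:52 hostname charon: 16[IKE] received retransmit of request with ID 1, retransmitting response
Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
Jun 16 11:03:52 hostname charon: 10[NET] error writing to socket: Invalid argument
Jun 16 11:04:19 hostname charon: 14[JOB] deleting half open IKE_SA after timeout
"""

SEND_RE = re.compile(r"\[NET\] sending packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\] \((\d+) bytes\)")
ERR_RE = re.compile(r"\[NET\] error writing to socket: (.+)$")
RETRANS_RE = re.compile(r"received retransmit of request with ID (\d+)")


def triage(lines):
    """Summarise charon [NET] send attempts and pair socket errors with the send they follow."""
    report = {"sends": 0, "sends_to_port0": 0, "errors": 0, "unattributed_errors": 0,
              "failed_sends": [], "retransmits": 0, "half_open_timeouts": 0}
    unpaired = []  # sends not yet matched to an error (most recent last)
    for line in lines:
        m = SEND_RE.search(line)
        if m:
            _src, _sport, dst, dport, size = m.groups()
            report["sends"] += 1
            if int(dport) == 0:
                report["sends_to_port0"] += 1
            unpaired.append({"dst": dst, "dport": int(dport), "bytes": int(size)})
            continue
        m = ERR_RE.search(line)
        if m:
            report["errors"] += 1
            # Heuristic: the error is logged by the sender thread (10[NET]) right after the
            # worker's "sending packet" line, so attribute it to the most recent unpaired send.
            if unpaired:
                failed = unpaired.pop()
                failed["error"] = m.group(1)
                report["failed_sends"].append(failed)
            else:
                report["unattributed_errors"] += 1
            continue
        if RETRANS_RE.search(line):
            report["retransmits"] += 1
        elif "deleting half open IKE_SA" in line:
            report["half_open_timeouts"] += 1
    report["successful_sends"] = len(unpaired)  # sends never followed by an error
    return report


def port_zero_failures(report):
    """Number of failed sends whose destination port was 0."""
    return sum(1 for f in report["failed_sends"] if f["dport"] == 0)
```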