[strongSwan] Help debugging IKEv2 connection

Pete O'Donall strongswan at rianne.me.uk
Mon Jun 19 12:52:54 CEST 2017


Hi again Noel,

Fair enough! As you can probably guess, I'm trying to set this up based 
just on online tutorials, and they don't do much of a job explaining 
things. I'm trying to keep the setup as simple as possible. To answer 
your questions:

The host is on a static IP and never changes.

`sysctl -a` shows that net.ipv4.ip_nonlocal_bind = 0.

`iptables-save` output:

# Generated by iptables-save v1.4.21 on Mon Jun 19 11:49:34 2017
*filter
:INPUT ACCEPT [3888624:1721536797]
:FORWARD ACCEPT [7762075:7900195613]
:OUTPUT ACCEPT [9835285:10094306772]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p tcp -m tcp --dport 111 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon Jun 19 11:49:34 2017
# Generated by iptables-save v1.4.21 on Mon Jun 19 11:49:34 2017
*nat
:PREROUTING ACCEPT [142309:8123439]
:INPUT ACCEPT [5708:532381]
:OUTPUT ACCEPT [782:53104]
:POSTROUTING ACCEPT [782:53104]
-A POSTROUTING -s 10.11.12.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jun 19 11:49:34 2017

Once again, I appreciate you taking the time to help.

Thanks,
Pete

On 2017-06-18 21:05, Noel Kuntze wrote:
> Hello Pete,
> 
> The rightsourceip value does not pertain to this problem and neither does
> the MASQUERADE rule.
> It is a coincidence that it didn't happen now. Anyway, just blindly
> SNATing all the connections from your clients isn't a smart thing to do.
> You only have to NAT traffic to the internet, not to any private IP space
> and you shouldn't do it, if there's an IPsec tunnel that can transport
> the client's traffic to another destination. Just to make sure not to
> cause problems in the future.
> 
> The success of your "solution" depends on what the actual problem was.
> For answering this question, it is vital that all the questions that I
> asked are answered. Writing to a UDP socket to a connection whose local IP
> isn't bound to a local interface anymore will cause "Invalid argument"
> (if net.ipv4.ip_nonlocal_bind isn't set. DON'T SET IT. IT IS NOT THE
> SOLUTION).
> 
> Kind regards
> 
> Noel
> 
> On 18.06.2017 13:29, Pete O'Donall wrote:
>> Hi Noel,
>> 
>> Thanks for taking the time to read my message and send a reply. The 
>> output of `iptables-save` included this line:
>> 
>> -A POSTROUTING -s 10.11.0.0/16 -o eth0 -j MASQUERADE
>> 
>> Replacing it with the line below, to match the netblock of the 
>> rightsourceip value, seems to have fixed the issue:
>> 
>> -A POSTROUTING -s 10.11.12.0/24 -o eth0 -j MASQUERADE
>> 
>> Hope I'm not speaking too soon about it being fixed and that that was 
>> the cause of my problem!
>> 
>> All the best,
>> Pete
>> 
>> 
>> On 2017-06-17 15:44, Noel Kuntze wrote:
>>> Hello Pete,
>>> 
>>> You have some kind of problem with your network configuration or the 
>>> kernel:
>>>>     Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from 
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>>     Jun 16 11:03:49 hostname charon: 10[NET] error writing to 
>>>> socket: Invalid argument
>>>>     Jun 16 11:04:53 hostname charon: 04[KNL] unable to receive from 
>>>> rt event socket
>>> 
>>> Is the IP of the strongSwan host dynamic? Could it be that it changes
>>> during the IKE negotiation?
>>> Any iptables rules? (`iptables-save`)?
>>> 
>>> 
>>> 
>>> On 17.06.2017 12:32, Pete O'Donall wrote:
>>>> Hi all,
>>>> 
>>>> I've run into a bit of a problem with a simple IKEv2 connection, and 
>>>> I was hoping someone on here might be able to offer some insight 
>>>> into what's up with it.
>>>> 
>>>> I've got a StrongSwan VPN set up on a Debian Jessie VM. From most 
>>>> places it works fine - I've used it on the road from a variety of 
>>>> homes, offices, and mobile data connections. For some reason I can't 
>>>> get it to connect from my home ISP. Initially it worked but only 
>>>> after several connection attempts, and it would frequently drop the 
>>>> connection. After checking error logs and searching online, I added 
>>>> fragmentation=yes to ipsec.conf and it worked well for a couple of 
>>>> days. It has since stopped working at all, despite me not making any 
>>>> further config changes. My ISP assures me that there is nothing 
>>>> wrong with the line, and I haven't had any issues connecting to 
>>>> anything else. I can only assume that StrongSwan's config doesn't 
>>>> get on with my router/firewall for some reason. Please can anyone 
>>>> help me debug?
>>>> 
>>>> In case it's relevant, I'm using the stock Debian stable kernel and 
>>>> StrongSwan packages, versions 3.16.0 and 5.2.1 respectively. My 
>>>> Linux knowledge is pretty solid, but knowledge of networking and 
>>>> VPNs much less so.
>>>> 
>>>> Here's /etc/ipsec.conf:
>>>> 
>>>>     config setup
>>>> 
>>>>     conn %default
>>>>         keyexchange=ikev2
>>>>         leftid=host.example.com
>>>>         leftcert=fullchain.pem
>>>>         leftsubnet=0.0.0.0/0
>>>>         right=%any
>>>>         rightsourceip=10.11.12.0/24
>>>>         rightdns=2001:1608:10:25::1c04:b12f,2001:1608:10:25::9249:d69b,84.200.69.80,84.200.70.40
>>>>         dpdaction=clear
>>>> 
>>>>     conn iosuser
>>>>         leftsendcert=always
>>>>         rightauth=eap-mschapv2
>>>>         eap_identity=%identity
>>>>         auto=add
>>>>         fragmentation=yes
>>>> 
>>>> Here's /etc/ipsec.secrets:
>>>> 
>>>>     include /var/lib/strongswan/ipsec.secrets.inc
>>>> 
>>>>      : RSA privkey.pem
>>>>     user : EAP "password"
>>>> 
>>>> And here's the redacted part of /var/log/syslog relating to a failed 
>>>> connection attempt:
>>>> 
>>>>     Jun 16 11:03:48 hostname charon: 15[NET] received packet: from 
>>>> 4.3.2.1[500] to 1.2.3.4[500] (604 bytes)
>>>>     Jun 16 11:03:48 hostname charon: 15[ENC] parsed IKE_SA_INIT 
>>>> request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) 
>>>> N(FRAG_SUP) ]
>>>>     Jun 16 11:03:48 hostname charon: 15[IKE] 4.3.2.1 is initiating 
>>>> an IKE_SA
>>>>     Jun 16 11:03:49 hostname charon: 15[IKE] remote host is behind 
>>>> NAT
>>>>     Jun 16 11:03:49 hostname charon: 15[ENC] generating IKE_SA_INIT 
>>>> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) 
>>>> N(MULT_AUTH) ]
>>>>     Jun 16 11:03:49 hostname charon: 15[NET] sending packet: from 
>>>> 1.2.3.4[500] to 4.3.2.1[500] (448 bytes)
>>>>     Jun 16 11:03:49 hostname charon: 06[NET] received packet: from 
>>>> 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
>>>>     Jun 16 11:03:49 hostname charon: 06[ENC] unknown attribute type 
>>>> (25)
>>>>     Jun 16 11:03:49 hostname charon: 06[ENC] parsed IKE_AUTH request 
>>>> 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK 
>>>> ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr 
>>>> ]
>>>>     Jun 16 11:03:49 hostname charon: 06[CFG] looking for peer 
>>>> configs matching 1.2.3.4[host.example.com]...4.3.2.1[clientdevice]
>>>>     Jun 16 11:03:49 hostname charon: 06[CFG] selected peer config 
>>>> 'iosuser'
>>>>     Jun 16 11:03:49 hostname charon: 06[IKE] initiating EAP_IDENTITY 
>>>> method (id 0x00)
>>>>     Jun 16 11:03:49 hostname charon: 06[IKE] received 
>>>> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>>>>     Jun 16 11:03:49 hostname charon: 06[IKE] peer supports MOBIKE
>>>>     Jun 16 11:03:49 hostname charon: 06[IKE] authentication of 
>>>> 'host.example.com' (myself) with RSA signature successful
>>>>     Jun 16 11:03:49 hostname charon: 06[IKE] sending end entity cert 
>>>> "CN=host.example.com"
>>>>     Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH 
>>>> response 1 [ IDr CERT AUTH EAP/REQ/ID ]
>>>>     Jun 16 11:03:49 hostname charon: 06[ENC] splitting IKE message 
>>>> with length of 1664 bytes into 4 fragments
>>>>     Jun 16 11:03:49 hostname charon: 06[ENC] payload 
>>>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>>>>     Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH 
>>>> response 1 [ EF ]
>>>>     Jun 16 11:03:49 hostname charon: 06[ENC] payload 
>>>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>>>>     Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH 
>>>> response 1 [ EF ]
>>>>     Jun 16 11:03:49 hostname charon: 06[ENC] payload 
>>>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>>>>     Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH 
>>>> response 1 [ EF ]
>>>>     Jun 16 11:03:49 hostname charon: 06[ENC] payload 
>>>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>>>>     Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH 
>>>> response 1 [ EF ]
>>>>     Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from 
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>>     Jun 16 11:03:49 hostname charon: 10[NET] error writing to 
>>>> socket: Invalid argument
>>>>     Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from 
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>>     Jun 16 11:03:49 hostname charon: 10[NET] error writing to 
>>>> socket: Invalid argument
>>>>     Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from 
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>>     Jun 16 11:03:49 hostname charon: 10[NET] error writing to 
>>>> socket: Invalid argument
>>>>     Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from 
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
>>>>     Jun 16 11:03:49 hostname charon: 10[NET] error writing to 
>>>> socket: Invalid argument
>>>>     Jun 16 11:03:52 hostname charon: 16[NET] received packet: from 
>>>> 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
>>>>     Jun 16 11:03:52 hostname charon: 16[ENC] unknown attribute type 
>>>> (25)
>>>>     Jun 16 11:03:52 hostname charon: 16[ENC] parsed IKE_AUTH request 
>>>> 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK 
>>>> ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr 
>>>> ]
>>>>     Jun 16 11:03:52 hostname charon: 16[IKE] received retransmit of 
>>>> request with ID 1, retransmitting response
>>>>     Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from 
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>>     Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from 
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>>     Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from 
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>>     Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from 
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 00[DMN] Starting IKE 
>>>> charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64)
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] HA config misses 
>>>> local/remote address
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] plugin 'ha': 
>>>> failed to load - ha_plugin_create returned NULL
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading ca 
>>>> certificates from '/etc/ipsec.d/cacerts'
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading aa 
>>>> certificates from '/etc/ipsec.d/aacerts'
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading ocsp 
>>>> signer certificates from '/etc/ipsec.d/ocspcerts'
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading attribute 
>>>> certificates from '/etc/ipsec.d/acerts'
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading crls from 
>>>> '/etc/ipsec.d/crls'
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading secrets 
>>>> from '/etc/ipsec.secrets'
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] expanding file 
>>>> expression '/var/lib/strongswan/ipsec.secrets.inc' failed
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG]   loaded RSA 
>>>> private key from '/etc/ipsec.d/private/privkey.pem'
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG]   loaded EAP 
>>>> secret for raoul
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loaded 0 RADIUS 
>>>> server configurations
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] loaded plugins: 
>>>> charon aes rc2 sha1 sha2 md5 random nonce x509 revocation 
>>>> constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem 
>>>> openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve 
>>>> socket-default farp stroke updown eap-identity eap-aka eap-md5 
>>>> eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc 
>>>> xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify 
>>>> certexpire led addrblock unity
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] unable to load 5 
>>>> plugin features (5 due to unmet dependencies)
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] dropped 
>>>> capabilities, running as uid 0, gid 0
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 00[JOB] spawning 16 worker 
>>>> threads
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] received stroke: 
>>>> add connection 'iosuser'
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] left nor right 
>>>> host is our side, assuming left=local
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] adding virtual IP 
>>>> address pool 10.11.12.0/24
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG]   loaded 
>>>> certificate "CN=host.example.com" from 'fullchain.pem'
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] added 
>>>> configuration 'iosuser'
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 15[NET] received packet: 
>>>> from 4.3.2.1[500] to 1.2.3.4[500] (604 bytes)
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 15[ENC] parsed IKE_SA_INIT 
>>>> request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) 
>>>> N(FRAG_SUP) ]
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 15[IKE] 4.3.2.1 is 
>>>> initiating an IKE_SA
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 15[IKE] remote host is 
>>>> behind NAT
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 15[ENC] generating 
>>>> IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
>>>> N(FRAG_SUP) N(MULT_AUTH) ]
>>>>     Jun 16 11:03:52 hostname charon: 10[NET] error writing to 
>>>> socket: Invalid argument
>>>>     Jun 16 11:03:52 hostname charon: 10[NET] error writing to 
>>>> socket: Invalid argument
>>>>     Jun 16 11:03:52 hostname charon: 10[NET] error writing to 
>>>> socket: Invalid argument
>>>>     Jun 16 11:03:52 hostname charon: 10[NET] error writing to 
>>>> socket: Invalid argument
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 15[NET] sending packet: 
>>>> from 1.2.3.4[500] to 4.3.2.1[500] (448 bytes)
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] received packet: 
>>>> from 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] unknown attribute 
>>>> type (25)
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] parsed IKE_AUTH 
>>>> request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS 
>>>> MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA 
>>>> TSi TSr ]
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[CFG] looking for peer 
>>>> configs matching 1.2.3.4[host.example.com]...4.3.2.1[clientdevice]
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[CFG] selected peer 
>>>> config 'iosuser'
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] initiating 
>>>> EAP_IDENTITY method (id 0x00)
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] received 
>>>> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] peer supports 
>>>> MOBIKE
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] authentication of 
>>>> 'host.example.com' (myself) with RSA signature successful
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] sending end entity 
>>>> cert "CN=host.example.com"
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating 
>>>> IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] splitting IKE 
>>>> message with length of 1664 bytes into 4 fragments
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload 
>>>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating 
>>>> IKE_AUTH response 1 [ EF ]
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload 
>>>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating 
>>>> IKE_AUTH response 1 [ EF ]
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload 
>>>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating 
>>>> IKE_AUTH response 1 [ EF ]
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload 
>>>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating 
>>>> IKE_AUTH response 1 [ EF ]
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet: 
>>>> from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to 
>>>> socket: Invalid argument
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet: 
>>>> from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to 
>>>> socket: Invalid argument
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet: 
>>>> from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to 
>>>> socket: Invalid argument
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet: 
>>>> from 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to 
>>>> socket: Invalid argument
>>>>     Jun 16 11:03:52 hostname ipsec[4275]: 16[NET] received packet: 
>>>> from 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
>>>>     Jun 16 11:03:55 hostname charon: 06[NET] received packet: from 
>>>> 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
>>>>     Jun 16 11:03:55 hostname charon: 06[ENC] unknown attribute type 
>>>> (25)
>>>>     Jun 16 11:03:55 hostname charon: 06[ENC] parsed IKE_AUTH request 
>>>> 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK 
>>>> ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr 
>>>> ]
>>>>     Jun 16 11:03:55 hostname charon: 06[IKE] received retransmit of 
>>>> request with ID 1, retransmitting response
>>>>     Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from 
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>>     Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from 
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>>     Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from 
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>>     Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from 
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
>>>>     Jun 16 11:03:55 hostname charon: 10[NET] error writing to 
>>>> socket: Invalid argument
>>>>     Jun 16 11:03:55 hostname charon: 10[NET] error writing to 
>>>> socket: Invalid argument
>>>>     Jun 16 11:03:55 hostname charon: 10[NET] error writing to 
>>>> socket: Invalid argument
>>>>     Jun 16 11:03:55 hostname charon: 10[NET] error writing to 
>>>> socket: Invalid argument
>>>>     Jun 16 11:03:58 hostname charon: 05[NET] received packet: from 
>>>> 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
>>>>     Jun 16 11:03:58 hostname charon: 05[ENC] unknown attribute type 
>>>> (25)
>>>>     Jun 16 11:03:58 hostname charon: 05[ENC] parsed IKE_AUTH request 
>>>> 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK 
>>>> ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr 
>>>> ]
>>>>     Jun 16 11:03:58 hostname charon: 05[IKE] received retransmit of 
>>>> request with ID 1, retransmitting response
>>>>     Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from 
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>>     Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from 
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>>     Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from 
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>>     Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from 
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
>>>>     Jun 16 11:03:58 hostname charon: 10[NET] error writing to 
>>>> socket: Invalid argument
>>>>     Jun 16 11:03:58 hostname charon: 10[NET] error writing to 
>>>> socket: Invalid argument
>>>>     Jun 16 11:03:58 hostname charon: 10[NET] error writing to 
>>>> socket: Invalid argument
>>>>     Jun 16 11:03:58 hostname charon: 10[NET] error writing to 
>>>> socket: Invalid argument
>>>>     Jun 16 11:04:19 hostname charon: 14[JOB] deleting half open 
>>>> IKE_SA after timeout
>>>>     Jun 16 11:04:53 hostname charon: 04[KNL] unable to receive from 
>>>> rt event socket
>>>> 
>>>> Any advice would be gratefully received. Thanks in advance.
>>>> Pete
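
Noel's two objections to the plain MASQUERADE rule (it also translates traffic to private address space, and traffic an IPsec tunnel could carry) can be checked against an `iptables-save` dump. The following is an added example, not part of the original thread and not strongSwan code: it evaluates the nat POSTROUTING chain with first-match semantics for a client from the 10.11.12.0/24 pool. The probe addresses and the `EXEMPTING` ruleset are constructed assumptions, and matches other than `-s`, `-d` and `--pol` are ignored.

```python
import ipaddress

# Constructed probes (assumptions): a client from the thread's rightsourceip
# pool, one address per RFC 1918 range, and a documentation-range "internet" host.
CLIENT = ipaddress.ip_address("10.11.12.1")
PRIVATE = [ipaddress.ip_address(a) for a in ("10.99.0.1", "172.16.0.1", "192.168.0.1")]
PUBLIC = ipaddress.ip_address("203.0.113.10")
NAT_TARGETS = {"MASQUERADE", "SNAT"}
TERMINATING = NAT_TARGETS | {"ACCEPT", "RETURN"}

# The nat table as posted in the thread.
POSTED = """*nat
:POSTROUTING ACCEPT [782:53104]
-A POSTROUTING -s 10.11.12.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

# Constructed alternative (not from the thread): exemptions first, NAT last.
EXEMPTING = """*nat
-A POSTROUTING -s 10.11.12.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.11.12.0/24 -d 10.0.0.0/8 -o eth0 -j ACCEPT
-A POSTROUTING -s 10.11.12.0/24 -d 172.16.0.0/12 -o eth0 -j ACCEPT
-A POSTROUTING -s 10.11.12.0/24 -d 192.168.0.0/16 -o eth0 -j ACCEPT
-A POSTROUTING -s 10.11.12.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

def parse_postrouting(save_text):
    """Return the nat/POSTROUTING rules of an iptables-save dump, in order."""
    rules, table = [], None
    for line in save_text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        if table != "nat" or not line.startswith("-A POSTROUTING "):
            continue
        tok, rule, neg = line.split(), {}, False
        for i, opt in enumerate(tok):
            if opt in ("-s", "-d"):
                net = ipaddress.ip_network(tok[i + 1], strict=False)
                rule[opt] = (net, neg)
            elif opt in ("--pol", "-j"):
                rule[opt] = tok[i + 1]
            neg = opt == "!"  # "!" negates only the option that follows it
        rules.append(rule)
    return rules

def verdict(rules, src, dst, ipsec):
    """Target of the first matching rule for one packet (ipsec: policy applies)."""
    for rule in rules:
        addr_ok = all((addr in rule[k][0]) != rule[k][1]
                      for k, addr in (("-s", src), ("-d", dst)) if k in rule)
        pol_ok = rule.get("--pol") in (None, "ipsec" if ipsec else "none")
        if addr_ok and pol_ok and rule.get("-j") in TERMINATING:
            return rule["-j"]
    return "ACCEPT"  # nothing matched: the packet leaves untranslated

def audit(save_text):
    """List the ways the ruleset NATs pool traffic it should leave alone."""
    rules, findings = parse_postrouting(save_text), []
    if any(verdict(rules, CLIENT, d, False) in NAT_TARGETS for d in PRIVATE):
        findings.append("NATs traffic to private address space")
    if verdict(rules, CLIENT, PUBLIC, True) in NAT_TARGETS:
        findings.append("NATs traffic that matches an IPsec policy")
    return findings
```

`audit(POSTED)` reports both findings for the rule in the thread, while `audit(EXEMPTING)` reports none and still masquerades ordinary internet-bound traffic from the pool.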

