[strongSwan] Help debugging IKEv2 connection
Pete O'Donall
strongswan at rianne.me.uk
Mon Jun 19 12:52:54 CEST 2017
Hi again Noel,
Fair enough! As you can probably guess, I'm trying to set this up based
just on online tutorials, and they don't do much of a job explaining
things. I'm trying to keep the setup as simple as possible. To answer
your questions:
The host is on a static IP and never changes.
`sysctl -a` shows that net.ipv4.ip_nonlocal_bind = 0.
`iptables-save` output:
# Generated by iptables-save v1.4.21 on Mon Jun 19 11:49:34 2017
*filter
:INPUT ACCEPT [3888624:1721536797]
:FORWARD ACCEPT [7762075:7900195613]
:OUTPUT ACCEPT [9835285:10094306772]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p tcp -m tcp --dport 111 -j REJECT --reject-with
icmp-port-unreachable
COMMIT
# Completed on Mon Jun 19 11:49:34 2017
# Generated by iptables-save v1.4.21 on Mon Jun 19 11:49:34 2017
*nat
:PREROUTING ACCEPT [142309:8123439]
:INPUT ACCEPT [5708:532381]
:OUTPUT ACCEPT [782:53104]
:POSTROUTING ACCEPT [782:53104]
-A POSTROUTING -s 10.11.12.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jun 19 11:49:34 2017
Once again, I appreciate you taking the time to help.
Thanks,
Pete
On 2017-06-18 21:05, Noel Kuntze wrote:
> Hello Pete,
>
> The rightsourceip value does not pertain this problem and neither does
> the MASQUERADE rule.
> It is coincidence that it didn't happen now. Anyway, just blindling
> SNATing all the connections
> from your clients isn't a smart thing to do. You only have to NAT
> traffic to the internet, not to
> any private IP space and you shouldn't do it, if there's an IPsec
> tunnel that can transport
> the client's traffic to another destination. Just to make sure not to
> cause problems in the future.
>
> The success of your "solution" depends on what the actual problem was.
> For answering this question,
> it is vital that all the questions that I asked are answered. Writing
> to an UDP socket
> to a connection whose local IP isn't bound to a local interface
> anymore will cause "Invalid argument"(,
> if net.ipv4.ip_nonlocal_bind isn't set. DON'T SET IT. IT IS NOT THE
> SOLUTION).
>
> Kind regards
>
> Noel
>
> On 18.06.2017 13:29, Pete O'Donall wrote:
>> Hi Noel,
>>
>> Thanks for taking the time to read my message and send a reply. The
>> output of `iptables-save` included this line:
>>
>> -A POSTROUTING -s 10.11.0.0/16 -o eth0 -j MASQUERADE
>>
>> Replacing it with the line below, to match the netblock of the
>> rightsourceip value, seems to have fixed the issue:
>>
>> -A POSTROUTING -s 10.11.12.0/24 -o eth0 -j MASQUERADE
>>
>> Hope I'm not speaking too soon about it being fixed and that that was
>> the cause of my problem!
>>
>> All the best,
>> Pete
>>
>>
>> On 2017-06-17 15:44, Noel Kuntze wrote:
>>> Hello Pete,
>>>
>>> You have some kindof problem with your network configuration or the
>>> kernel:
>>>> Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>> Jun 16 11:03:49 hostname charon: 10[NET] error writing to
>>>> socket: Invalid argument
>>>>> Jun 16 11:04:53 hostname charon: 04[KNL] unable to receive from
>>>>> rt event socket
>>>
>>> Is the IP of the strongSwan host dynamic? Could it be, that it
>>> changes
>>> during the IKE negotiation?
>>> Any iptables rules? (`iptables-save`)?
>>>
>>>
>>>
>>> On 17.06.2017 12:32, Pete O'Donall wrote:
>>>> Hi all,
>>>>
>>>> I've run into a bit of a problem with a simple IKEv2 connection, and
>>>> I was hoping someone on here might be able to offer some insight
>>>> into what's up with it.
>>>>
>>>> I've got a StrongSwan VPN set up on a Debian Jessie VM. From most
>>>> places it works fine - I've used it on the road from a variety of
>>>> homes, offices, and mobile data connections. For some reason I can't
>>>> get it to connect from my home ISP. Initially it worked but only
>>>> after several connection attempts, and it would frequently drop the
>>>> connection. After checking error logs and searching online, I added
>>>> fragmentation=yes to ipsec.conf and it worked well for a couple of
>>>> days. It has since stopped working at all, despite me not making any
>>>> further config changes. My ISP assures me that there is nothing
>>>> wrong with the line, and I haven't had any issues connecting to
>>>> anything else. I can only assume that StrongSwan's config doesn't
>>>> get on with my router/firewall for some reason. Please can anyone
>>>> help me debug?
>>>>
>>>> In case it's relevant, I'm using the stock Debian stable kernel and
>>>> StrongSwan packages, versions 3.16.0 and 5.2.1 respectively. My
>>>> Linux knowledge is pretty solid, but knowledge of networking and
>>>> VPNs much less so.
>>>>
>>>> Here's /etc/ipsec.conf:
>>>>
>>>> config setup
>>>>
>>>> conn %default
>>>> keyexchange=ikev2
>>>> leftid=host.example.com
>>>> leftcert=fullchain.pem
>>>> leftsubnet=0.0.0.0/0
>>>> right=%any
>>>> rightsourceip=10.11.12.0/24
>>>>
>>>> rightdns=2001:1608:10:25::1c04:b12f,2001:1608:10:25::9249:d69b,84.200.69.80,84.200.70.40
>>>> dpdaction=clear
>>>>
>>>> conn iosuser
>>>> leftsendcert=always
>>>> rightauth=eap-mschapv2
>>>> eap_identity=%identity
>>>> auto=add
>>>> fragmentation=yes
>>>>
>>>> Here's /etc/ipsec.secrets:
>>>>
>>>> include /var/lib/strongswan/ipsec.secrets.inc
>>>>
>>>> : RSA privkey.pem
>>>> user : EAP "password"
>>>>
>>>> And here's the redacted part of /var/log/syslog relating to a failed
>>>> connection attempt:
>>>>
>>>> Jun 16 11:03:48 hostname charon: 15[NET] received packet: from
>>>> 4.3.2.1[500] to 1.2.3.4[500] (604 bytes)
>>>> Jun 16 11:03:48 hostname charon: 15[ENC] parsed IKE_SA_INIT
>>>> request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP)
>>>> N(FRAG_SUP) ]
>>>> Jun 16 11:03:48 hostname charon: 15[IKE] 4.3.2.1 is initiating
>>>> an IKE_SA
>>>> Jun 16 11:03:49 hostname charon: 15[IKE] remote host is behind
>>>> NAT
>>>> Jun 16 11:03:49 hostname charon: 15[ENC] generating IKE_SA_INIT
>>>> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP)
>>>> N(MULT_AUTH) ]
>>>> Jun 16 11:03:49 hostname charon: 15[NET] sending packet: from
>>>> 1.2.3.4[500] to 4.3.2.1[500] (448 bytes)
>>>> Jun 16 11:03:49 hostname charon: 06[NET] received packet: from
>>>> 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
>>>> Jun 16 11:03:49 hostname charon: 06[ENC] unknown attribute type
>>>> (25)
>>>> Jun 16 11:03:49 hostname charon: 06[ENC] parsed IKE_AUTH request
>>>> 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK
>>>> ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr
>>>> ]
>>>> Jun 16 11:03:49 hostname charon: 06[CFG] looking for peer
>>>> configs matching 1.2.3.4[host.example.com]...4.3.2.1[clientdevice]
>>>> Jun 16 11:03:49 hostname charon: 06[CFG] selected peer config
>>>> 'iosuser'
>>>> Jun 16 11:03:49 hostname charon: 06[IKE] initiating EAP_IDENTITY
>>>> method (id 0x00)
>>>> Jun 16 11:03:49 hostname charon: 06[IKE] received
>>>> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>>>> Jun 16 11:03:49 hostname charon: 06[IKE] peer supports MOBIKE
>>>> Jun 16 11:03:49 hostname charon: 06[IKE] authentication of
>>>> 'host.example.com' (myself) with RSA signature successful
>>>> Jun 16 11:03:49 hostname charon: 06[IKE] sending end entity cert
>>>> "CN=host.example.com"
>>>> Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH
>>>> response 1 [ IDr CERT AUTH EAP/REQ/ID ]
>>>> Jun 16 11:03:49 hostname charon: 06[ENC] splitting IKE message
>>>> with length of 1664 bytes into 4 fragments
>>>> Jun 16 11:03:49 hostname charon: 06[ENC] payload
>>>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>>>> Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH
>>>> response 1 [ EF ]
>>>> Jun 16 11:03:49 hostname charon: 06[ENC] payload
>>>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>>>> Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH
>>>> response 1 [ EF ]
>>>> Jun 16 11:03:49 hostname charon: 06[ENC] payload
>>>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>>>> Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH
>>>> response 1 [ EF ]
>>>> Jun 16 11:03:49 hostname charon: 06[ENC] payload
>>>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>>>> Jun 16 11:03:49 hostname charon: 06[ENC] generating IKE_AUTH
>>>> response 1 [ EF ]
>>>> Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>> Jun 16 11:03:49 hostname charon: 10[NET] error writing to
>>>> socket: Invalid argument
>>>> Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>> Jun 16 11:03:49 hostname charon: 10[NET] error writing to
>>>> socket: Invalid argument
>>>> Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>> Jun 16 11:03:49 hostname charon: 10[NET] error writing to
>>>> socket: Invalid argument
>>>> Jun 16 11:03:49 hostname charon: 06[NET] sending packet: from
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
>>>> Jun 16 11:03:49 hostname charon: 10[NET] error writing to
>>>> socket: Invalid argument
>>>> Jun 16 11:03:52 hostname charon: 16[NET] received packet: from
>>>> 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
>>>> Jun 16 11:03:52 hostname charon: 16[ENC] unknown attribute type
>>>> (25)
>>>> Jun 16 11:03:52 hostname charon: 16[ENC] parsed IKE_AUTH request
>>>> 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK
>>>> ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr
>>>> ]
>>>> Jun 16 11:03:52 hostname charon: 16[IKE] received retransmit of
>>>> request with ID 1, retransmitting response
>>>> Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>> Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>> Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>> Jun 16 11:03:52 hostname charon: 16[NET] sending packet: from
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 00[DMN] Starting IKE
>>>> charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64)
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] HA config misses
>>>> local/remote address
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] plugin 'ha':
>>>> failed to load - ha_plugin_create returned NULL
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading ca
>>>> certificates from '/etc/ipsec.d/cacerts'
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading aa
>>>> certificates from '/etc/ipsec.d/aacerts'
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading ocsp
>>>> signer certificates from '/etc/ipsec.d/ocspcerts'
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading attribute
>>>> certificates from '/etc/ipsec.d/acerts'
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading crls from
>>>> '/etc/ipsec.d/crls'
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loading secrets
>>>> from '/etc/ipsec.secrets'
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] expanding file
>>>> expression '/var/lib/strongswan/ipsec.secrets.inc' failed
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loaded RSA
>>>> private key from '/etc/ipsec.d/private/privkey.pem'
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loaded EAP
>>>> secret for raoul
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 00[CFG] loaded 0 RADIUS
>>>> server configurations
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] loaded plugins:
>>>> charon aes rc2 sha1 sha2 md5 random nonce x509 revocation
>>>> constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
>>>> openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve
>>>> socket-default farp stroke updown eap-identity eap-aka eap-md5
>>>> eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc
>>>> xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify
>>>> certexpire led addrblock unity
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] unable to load 5
>>>> plugin features (5 due to unmet dependencies)
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 00[LIB] dropped
>>>> capabilities, running as uid 0, gid 0
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 00[JOB] spawning 16 worker
>>>> threads
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] received stroke:
>>>> add connection 'iosuser'
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] left nor right
>>>> host is our side, assuming left=local
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] adding virtual IP
>>>> address pool 10.11.12.0/24
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] loaded
>>>> certificate "CN=host.example.com" from 'fullchain.pem'
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 12[CFG] added
>>>> configuration 'iosuser'
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 15[NET] received packet:
>>>> from 4.3.2.1[500] to 1.2.3.4[500] (604 bytes)
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 15[ENC] parsed IKE_SA_INIT
>>>> request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP)
>>>> N(FRAG_SUP) ]
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 15[IKE] 4.3.2.1 is
>>>> initiating an IKE_SA
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 15[IKE] remote host is
>>>> behind NAT
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 15[ENC] generating
>>>> IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>>>> N(FRAG_SUP) N(MULT_AUTH) ]
>>>> Jun 16 11:03:52 hostname charon: 10[NET] error writing to
>>>> socket: Invalid argument
>>>> Jun 16 11:03:52 hostname charon: 10[NET] error writing to
>>>> socket: Invalid argument
>>>> Jun 16 11:03:52 hostname charon: 10[NET] error writing to
>>>> socket: Invalid argument
>>>> Jun 16 11:03:52 hostname charon: 10[NET] error writing to
>>>> socket: Invalid argument
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 15[NET] sending packet:
>>>> from 1.2.3.4[500] to 4.3.2.1[500] (448 bytes)
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] received packet:
>>>> from 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] unknown attribute
>>>> type (25)
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] parsed IKE_AUTH
>>>> request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS
>>>> MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA
>>>> TSi TSr ]
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[CFG] looking for peer
>>>> configs matching 1.2.3.4[host.example.com]...4.3.2.1[clientdevice]
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[CFG] selected peer
>>>> config 'iosuser'
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] initiating
>>>> EAP_IDENTITY method (id 0x00)
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] received
>>>> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] peer supports
>>>> MOBIKE
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] authentication of
>>>> 'host.example.com' (myself) with RSA signature successful
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[IKE] sending end entity
>>>> cert "CN=host.example.com"
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating
>>>> IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] splitting IKE
>>>> message with length of 1664 bytes into 4 fragments
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload
>>>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating
>>>> IKE_AUTH response 1 [ EF ]
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload
>>>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating
>>>> IKE_AUTH response 1 [ EF ]
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload
>>>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating
>>>> IKE_AUTH response 1 [ EF ]
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] payload
>>>> ENCRYPTED_FRAGMENT has no ordering rule in IKE_AUTH response
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[ENC] generating
>>>> IKE_AUTH response 1 [ EF ]
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet:
>>>> from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to
>>>> socket: Invalid argument
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet:
>>>> from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to
>>>> socket: Invalid argument
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet:
>>>> from 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to
>>>> socket: Invalid argument
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 06[NET] sending packet:
>>>> from 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 10[NET] error writing to
>>>> socket: Invalid argument
>>>> Jun 16 11:03:52 hostname ipsec[4275]: 16[NET] received packet:
>>>> from 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
>>>> Jun 16 11:03:55 hostname charon: 06[NET] received packet: from
>>>> 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
>>>> Jun 16 11:03:55 hostname charon: 06[ENC] unknown attribute type
>>>> (25)
>>>> Jun 16 11:03:55 hostname charon: 06[ENC] parsed IKE_AUTH request
>>>> 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK
>>>> ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr
>>>> ]
>>>> Jun 16 11:03:55 hostname charon: 06[IKE] received retransmit of
>>>> request with ID 1, retransmitting response
>>>> Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>> Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>> Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>> Jun 16 11:03:55 hostname charon: 06[NET] sending packet: from
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
>>>> Jun 16 11:03:55 hostname charon: 10[NET] error writing to
>>>> socket: Invalid argument
>>>> Jun 16 11:03:55 hostname charon: 10[NET] error writing to
>>>> socket: Invalid argument
>>>> Jun 16 11:03:55 hostname charon: 10[NET] error writing to
>>>> socket: Invalid argument
>>>> Jun 16 11:03:55 hostname charon: 10[NET] error writing to
>>>> socket: Invalid argument
>>>> Jun 16 11:03:58 hostname charon: 05[NET] received packet: from
>>>> 4.3.2.1[0] to 1.2.3.4[4500] (512 bytes)
>>>> Jun 16 11:03:58 hostname charon: 05[ENC] unknown attribute type
>>>> (25)
>>>> Jun 16 11:03:58 hostname charon: 05[ENC] parsed IKE_AUTH request
>>>> 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK
>>>> ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr
>>>> ]
>>>> Jun 16 11:03:58 hostname charon: 05[IKE] received retransmit of
>>>> request with ID 1, retransmitting response
>>>> Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>> Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>> Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (532 bytes)
>>>> Jun 16 11:03:58 hostname charon: 05[NET] sending packet: from
>>>> 1.2.3.4[4500] to 4.3.2.1[0] (276 bytes)
>>>> Jun 16 11:03:58 hostname charon: 10[NET] error writing to
>>>> socket: Invalid argument
>>>> Jun 16 11:03:58 hostname charon: 10[NET] error writing to
>>>> socket: Invalid argument
>>>> Jun 16 11:03:58 hostname charon: 10[NET] error writing to
>>>> socket: Invalid argument
>>>> Jun 16 11:03:58 hostname charon: 10[NET] error writing to
>>>> socket: Invalid argument
>>>> Jun 16 11:04:19 hostname charon: 14[JOB] deleting half open
>>>> IKE_SA after timeout
>>>> Jun 16 11:04:53 hostname charon: 04[KNL] unable to receive from
>>>> rt event socket
>>>>
>>>> Any advice would be gratefully received. Thanks in advance.
>>>> Pete
More information about the Users
mailing list