[strongSwan] unable to install policy
Rafał Sanocki
rafal.sanocki at gmail.com
Fri May 26 10:00:14 CEST 2017
Hello,
I've been trying to configure a VPN for multiple Windows clients with
IKEv2 and auth by rsasig.
The Windows client can connect the first time, but when I manually try to
reconnect after a few seconds I get an error.
Log from strongSwan:
May 26 09:41:06 src at px2 charon: 05[IKE] received MS NT5 ISAKMPOAKLEY v9
vendor ID
May 26 09:41:06 src at px2 charon: 05[IKE] received MS-Negotiation
Discovery Capable vendor ID
May 26 09:41:06 src at px2 charon: 05[IKE] received Vid-Initial-Contact
vendor ID
May 26 09:41:06 src at px2 charon: 05[IKE] 78.133.xx.xx is initiating an IKE_SA
May 26 09:41:06 src at px2 charon: 05[IKE] 78.133.xx.xx is initiating an IKE_SA
May 26 09:41:06 src at px2 charon: 05[IKE] remote host is behind NAT
May 26 09:41:06 src at px2 charon: 05[IKE] sending cert request for "C=AA,
ST=BB, O=CC, OU=DD, CN=Publisher Root Authority, E=admin at test.com"
May 26 09:41:06 src at px2 charon: 05[IKE] sending cert request for "C=AA,
ST=BB, O=CC, OU=DD, CN=Publisher SEC Root Class 2, E=admin at test.com"
May 26 09:41:07 src at px2 charon: 13[IKE] received cert request for "C=AA,
ST=BB, O=CC, OU=DD, CN=Publisher SEC Root Class 2, E=admin at test.com"
May 26 09:41:07 src at px2 charon: 13[IKE] received cert request for "C=AA,
ST=BB, O=CC, OU=DD, CN=Publisher Root Authority, E=admin at test.com"
May 26 09:41:07 src at px2 charon: 13[IKE] received 34 cert requests for an
unknown ca
May 26 09:41:07 src at px2 charon: 13[IKE] received end entity cert "C=AA,
ST=BB, O=CC, OU=Sec man, CN=user1.test.com, E=user1 at test.com"
May 26 09:41:07 src at px2 charon: 13[IKE] received issuer cert "C=AA,
ST=BB, O=CC, OU=DD, CN=Publisher SEC Root Class 2, E=admin at test.com"
May 26 09:41:07 src at px2 charon: 13[CFG] looking for peer configs
matching 176.xx.xx.xx[%any]...78.133.xx.xx[C=AA, ST=BB, O=CC, OU=Sec
man, CN=user1.test.com, E=user1 at test.com]
May 26 09:41:07 src at px2 charon: 13[CFG] selected peer config
'vpn-ikev2-user1'
May 26 09:41:07 src at px2 charon: 13[CFG] using certificate "C=AA,
ST=BB, O=CC, OU=Sec man, CN=user1.test.com, E=user1 at test.com"
May 26 09:41:07 src at px2 charon: 13[CFG] using trusted intermediate ca
certificate "C=AA, ST=BB, O=CC, OU=DD, CN=Publisher SEC Root Class 2,
E=admin at test.com"
May 26 09:41:07 src at px2 charon: 13[CFG] checking certificate status of
"C=AA, ST=BB, O=CC, OU=Sec man, CN=user1.test.com, E=user1 at test.com"
May 26 09:41:07 src at px2 charon: 13[CFG] using trusted ca certificate
"C=AA, ST=BB, O=CC, OU=DD, CN=Publisher Root Authority, E=admin at test.com"
May 26 09:41:07 src at px2 charon: 13[CFG] checking certificate status of
"C=AA, ST=BB, O=CC, OU=DD, CN=Publisher SEC Root Class 2, E=admin at test.com"
May 26 09:41:07 src at px2 charon: 13[CFG] reached self-signed root ca
with a path length of 1
May 26 09:41:07 src at px2 charon: 13[IKE] authentication of 'C=AA, ST=BB,
O=CC, OU=Sec man, CN=user1.test.com, E=user1 at test.com' with RSA
signature successful
May 26 09:41:07 src at px2 charon: 13[IKE] peer supports MOBIKE
May 26 09:41:07 src at px2 charon: 13[IKE] authentication of
'proxy.test.com' (myself) with RSA signature successful
May 26 09:41:07 src at px2 charon: 13[IKE] IKE_SA vpn-ikev2-user1[4]
established between 176.xx.xx.xx[proxy.test.com]...78.133.xx.xx[C=AA,
ST=BB, O=CC, OU=Sec man, CN=user1.test.com, E=user1 at test.com]
May 26 09:41:07 src at px2 charon: 13[IKE] IKE_SA vpn-ikev2-user1[4]
established between 176.xx.xx.xx[proxy.test.com]...78.133.xx.xx[C=AA,
ST=BB, O=CC, OU=Sec man, CN=user1.test.com, E=user1 at test.com]
May 26 09:41:07 src at px2 charon: 13[IKE] scheduling reauthentication in
10204s
May 26 09:41:07 src at px2 charon: 13[IKE] maximum IKE_SA lifetime 10744s
May 26 09:41:07 src at px2 charon: 13[IKE] sending end entity cert "C=AA,
ST=BB, O=CC, OU=Sec man, CN=proxy.test.com, E=admin at test.com"
May 26 09:41:07 src at px2 charon: 13[IKE] peer requested virtual IP %any
May 26 09:41:07 src at px2 charon: 13[CFG] reassigning offline lease to
'C=AA, ST=BB, O=CC, OU=Sec man, CN=user1.test.com, E=user1 at test.com'
May 26 09:41:07 src at px2 charon: 13[IKE] assigning virtual IP
10.100.1.222 to peer 'C=AA, ST=BB, O=CC, OU=Sec man, CN=user1.test.com,
E=user1 at test.com'
May 26 09:41:07 src at px2 charon: 13[CFG] unable to install policy
0.0.0.0/0 === 10.100.1.222/32 out (mark 0/0x00000000) for reqid 3, the
same policy for reqid 1 exists
May 26 09:41:07 src at px2 charon: 13[CFG] unable to install policy
10.100.1.222/32 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 3, the
same policy for reqid 1 exists
May 26 09:41:07 src at px2 charon: 13[CFG] unable to install policy
10.100.1.222/32 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 3, the
same policy for reqid 1 exists
May 26 09:41:07 src at px2 charon: 13[CFG] unable to install policy
0.0.0.0/0 === 10.100.1.222/32 out (mark 0/0x00000000) for reqid 3, the
same policy for reqid 1 exists
May 26 09:41:07 src at px2 charon: 13[CFG] unable to install policy
10.100.1.222/32 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 3, the
same policy for reqid 1 exists
May 26 09:41:07 src at px2 charon: 13[CFG] unable to install policy
10.100.1.222/32 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 3, the
same policy for reqid 1 exists
May 26 09:41:07 src at px2 charon: 13[IKE] unable to install IPsec policies
(SPD) in kernel
May 26 09:41:07 src at px2 charon: 13[IKE] failed to establish CHILD_SA,
keeping IKE_SA
May 26 09:41:07 src at px2 charon: 12[IKE] received DELETE for IKE_SA
vpn-ikev2-user1[4]
May 26 09:41:07 src at px2 charon: 12[IKE] deleting IKE_SA
vpn-ikev2-user1[4] between
176.xx.xx.xx[proxy.test.com]...78.133.xx.xx[C=AA, ST=BB, O=CC, OU=Sec
man, CN=user1.test.com, E=user1 at test.com]
May 26 09:41:07 src at px2 charon: 12[IKE] deleting IKE_SA
vpn-ikev2-user1[4] between
176.xx.xx.xx[proxy.test.com]...78.133.xx.xx[C=AA, ST=BB, O=CC, OU=Sec
man, CN=user1.test.com, E=user1 at test.com]
May 26 09:41:07 src at px2 charon: 12[IKE] IKE_SA deleted
May 26 09:41:07 src at px2 charon: 12[IKE] IKE_SA deleted
May 26 09:41:07 src at px2 charon: 12[CFG] lease 10.100.1.222 by 'C=AA,
ST=BB, O=CC, OU=Sec man, CN=user1.test.com, E=user1 at test.com' went offline
ipsec.conf:
conn vpn-ikev2-user1
    keyexchange=ikev2
    type=transport
    left=176.xx.xx.xx
    leftcert=proxy.cert
    leftid=@proxy.test.com
    right=%any
    rightca=@#a0:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
    authby=rsasig
    keyingtries=%forever
    leftsubnet=0.0.0.0/0
    rightdns=10.100.1.2
    rightrsasigkey=%cert
    rightid="C=AA, ST=BB, O=CC, OU=Sec man, CN=user1.test.com, E=user1 at test.com"
    auto=add
    rightsourceip=10.100.1.222/28
kernel 3.14.5
strongswan version 5.3.5
Any suggestions?
I was trying with rekey=no and reauth=no without success; the client is
Windows 10.
Regards
Rafal
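Added here as an editor's example, not code from the poster or from the strongSwan project: a small Python parser that runs over the charon lines quoted in the post (condensed and unwrapped into a constructed sample) and groups the "unable to install policy" failures by the conflicting reqid pair, recording whether the rejected selectors carry the virtual IP that was just (re)assigned and whether charon then reported the CHILD_SA as failed. Function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: condensed charon lines from the post above, unwrapped.
SAMPLE_LOG = """\
May 26 09:41:07 src at px2 charon: 13[IKE] assigning virtual IP 10.100.1.222 to peer 'CN=user1.test.com'
May 26 09:41:07 src at px2 charon: 13[CFG] unable to install policy 0.0.0.0/0 === 10.100.1.222/32 out (mark 0/0x00000000) for reqid 3, the same policy for reqid 1 exists
May 26 09:41:07 src at px2 charon: 13[CFG] unable to install policy 10.100.1.222/32 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 3, the same policy for reqid 1 exists
May 26 09:41:07 src at px2 charon: 13[CFG] unable to install policy 10.100.1.222/32 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 3, the same policy for reqid 1 exists
May 26 09:41:07 src at px2 charon: 13[IKE] unable to install IPsec policies (SPD) in kernel
May 26 09:41:07 src at px2 charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""

POLICY_RE = re.compile(
    r"unable to install policy (?P<src>\S+) === (?P<dst>\S+) (?P<dir>out|in|fwd) "
    r"\(mark [^)]*\) for reqid (?P<new>\d+), the same policy for reqid (?P<old>\d+) exists")
VIP_RE = re.compile(r"assigning virtual IP (?P<vip>\S+) to peer ")

def find_policy_conflicts(log_text):
    """Group 'unable to install policy' lines by (new reqid, existing reqid).
    Each record holds the failed directions, the selectors, the virtual IP assigned
    just before the failure, and whether charon then gave up on the CHILD_SA."""
    conflicts = defaultdict(lambda: {"dirs": [], "selectors": set(),
                                     "vip": None, "child_sa_failed": False})
    last_vip, pending = None, []          # pending: keys not yet tied to a CHILD_SA verdict
    for line in log_text.splitlines():
        m = VIP_RE.search(line)
        if m:
            last_vip = m.group("vip")
            continue
        m = POLICY_RE.search(line)
        if m:
            key = (int(m.group("new")), int(m.group("old")))
            rec = conflicts[key]
            rec["dirs"].append(m.group("dir"))
            rec["selectors"].add((m.group("src"), m.group("dst")))
            rec["vip"] = last_vip
            pending.append(key)
        elif "failed to establish CHILD_SA" in line:
            for key in pending:
                conflicts[key]["child_sa_failed"] = True
            pending = []
    return dict(conflicts)

def vip_blocked_by_stale_reqid(rec):
    """True when every rejected policy carries the just-assigned virtual IP as a /32:
    the reused lease collides with SPD entries the kernel still holds for the older reqid."""
    return bool(rec["vip"]) and all(rec["vip"] + "/32" in sel for sel in rec["selectors"])
```

Run against the sample it reports one conflict, reqid 3 against reqid 1, in all three directions for 10.100.1.222/32, followed by the CHILD_SA failure.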