[strongSwan] unable to install policy

RafaƂ Sanocki rafal.sanocki at gmail.com
Fri May 26 10:00:14 CEST 2017


Hello,

I've been trying to configure a VPN for multiple Windows clients with 
IKEv2 and authentication by rsasig.
The Windows client can connect the first time, but when I manually try 
to reconnect after a few seconds I get an error.
Log from strongSwan:

May 26 09:41:06 src at px2 charon: 05[IKE] received MS NT5 ISAKMPOAKLEY v9 
vendor ID
May 26 09:41:06 src at px2 charon: 05[IKE] received MS-Negotiation 
Discovery Capable vendor ID
May 26 09:41:06 src at px2 charon: 05[IKE] received Vid-Initial-Contact 
vendor ID
May 26 09:41:06 src at px2 charon: 05[IKE] 78.133.xx.xx is initiating an IKE_SA
May 26 09:41:06 src at px2 charon: 05[IKE] 78.133.xx.xx is initiating an IKE_SA
May 26 09:41:06 src at px2 charon: 05[IKE] remote host is behind NAT
May 26 09:41:06 src at px2 charon: 05[IKE] sending cert request for "C=AA, 
ST=BB, O=CC, OU=DD, CN=Publisher Root Authority, E=admin at test.com"
May 26 09:41:06 src at px2 charon: 05[IKE] sending cert request for "C=AA, 
ST=BB, O=CC, OU=DD, CN=Publisher SEC Root Class 2, E=admin at test.com"
May 26 09:41:07 src at px2 charon: 13[IKE] received cert request for "C=AA, 
ST=BB, O=CC, OU=DD, CN=Publisher SEC Root Class 2, E=admin at test.com"
May 26 09:41:07 src at px2 charon: 13[IKE] received cert request for "C=AA, 
ST=BB, O=CC, OU=DD, CN=Publisher Root Authority, E=admin at test.com"
May 26 09:41:07 src at px2 charon: 13[IKE] received 34 cert requests for an 
unknown ca
May 26 09:41:07 src at px2 charon: 13[IKE] received end entity cert "C=AA, 
ST=BB, O=CC, OU=Sec man, CN=user1.test.com, E=user1 at test.com"
May 26 09:41:07 src at px2 charon: 13[IKE] received issuer cert "C=AA, 
ST=BB, O=CC, OU=DD, CN=Publisher SEC Root Class 2, E=admin at test.com"
May 26 09:41:07 src at px2 charon: 13[CFG] looking for peer configs 
matching 176.xx.xx.xx[%any]...78.133.xx.xx[C=AA, ST=BB, O=CC, OU=Sec 
man, CN=user1.test.com, E=user1 at test.com]
May 26 09:41:07 src at px2 charon: 13[CFG] selected peer config 
'vpn-ikev2-user1'
May 26 09:41:07 src at px2 charon: 13[CFG]   using certificate "C=AA, 
ST=BB, O=CC, OU=Sec man, CN=user1.test.com, E=user1 at test.com"
May 26 09:41:07 src at px2 charon: 13[CFG]   using trusted intermediate ca 
certificate "C=AA, ST=BB, O=CC, OU=DD, CN=Publisher SEC Root Class 2, 
E=admin at test.com"
May 26 09:41:07 src at px2 charon: 13[CFG] checking certificate status of 
"C=AA, ST=BB, O=CC, OU=Sec man, CN=user1.test.com, E=user1 at test.com"
May 26 09:41:07 src at px2 charon: 13[CFG]   using trusted ca certificate 
"C=AA, ST=BB, O=CC, OU=DD, CN=Publisher Root Authority, E=admin at test.com"
May 26 09:41:07 src at px2 charon: 13[CFG] checking certificate status of 
"C=AA, ST=BB, O=CC, OU=DD, CN=Publisher SEC Root Class 2, E=admin at test.com"
May 26 09:41:07 src at px2 charon: 13[CFG]   reached self-signed root ca 
with a path length of 1
May 26 09:41:07 src at px2 charon: 13[IKE] authentication of 'C=AA, ST=BB, 
O=CC, OU=Sec man, CN=user1.test.com, E=user1 at test.com' with RSA 
signature successful
May 26 09:41:07 src at px2 charon: 13[IKE] peer supports MOBIKE
May 26 09:41:07 src at px2 charon: 13[IKE] authentication of 
'proxy.test.com' (myself) with RSA signature successful
May 26 09:41:07 src at px2 charon: 13[IKE] IKE_SA vpn-ikev2-user1[4] 
established between 176.xx.xx.xx[proxy.test.com]...78.133.xx.xx[C=AA, 
ST=BB, O=CC, OU=Sec man, CN=user1.test.com, E=user1 at test.com]
May 26 09:41:07 src at px2 charon: 13[IKE] IKE_SA vpn-ikev2-user1[4] 
established between 176.xx.xx.xx[proxy.test.com]...78.133.xx.xx[C=AA, 
ST=BB, O=CC, OU=Sec man, CN=user1.test.com, E=user1 at test.com]
May 26 09:41:07 src at px2 charon: 13[IKE] scheduling reauthentication in 
10204s
May 26 09:41:07 src at px2 charon: 13[IKE] maximum IKE_SA lifetime 10744s
May 26 09:41:07 src at px2 charon: 13[IKE] sending end entity cert "C=AA, 
ST=BB, O=CC, OU=Sec man, CN=proxy.test.com, E=admin at test.com"
May 26 09:41:07 src at px2 charon: 13[IKE] peer requested virtual IP %any
May 26 09:41:07 src at px2 charon: 13[CFG] reassigning offline lease to 
'C=AA, ST=BB, O=CC, OU=Sec man, CN=user1.test.com, E=user1 at test.com'
May 26 09:41:07 src at px2 charon: 13[IKE] assigning virtual IP 
10.100.1.222 to peer 'C=AA, ST=BB, O=CC, OU=Sec man, CN=user1.test.com, 
E=user1 at test.com'
May 26 09:41:07 src at px2 charon: 13[CFG] unable to install policy 
0.0.0.0/0 === 10.100.1.222/32 out (mark 0/0x00000000) for reqid 3, the 
same policy for reqid 1 exists
May 26 09:41:07 src at px2 charon: 13[CFG] unable to install policy 
10.100.1.222/32 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 3, the 
same policy for reqid 1 exists
May 26 09:41:07 src at px2 charon: 13[CFG] unable to install policy 
10.100.1.222/32 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 3, the 
same policy for reqid 1 exists
May 26 09:41:07 src at px2 charon: 13[CFG] unable to install policy 
0.0.0.0/0 === 10.100.1.222/32 out (mark 0/0x00000000) for reqid 3, the 
same policy for reqid 1 exists
May 26 09:41:07 src at px2 charon: 13[CFG] unable to install policy 
10.100.1.222/32 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 3, the 
same policy for reqid 1 exists
May 26 09:41:07 src at px2 charon: 13[CFG] unable to install policy 
10.100.1.222/32 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 3, the 
same policy for reqid 1 exists
May 26 09:41:07 src at px2 charon: 13[IKE] unable to install IPsec policies 
(SPD) in kernel
May 26 09:41:07 src at px2 charon: 13[IKE] failed to establish CHILD_SA, 
keeping IKE_SA
May 26 09:41:07 src at px2 charon: 12[IKE] received DELETE for IKE_SA 
vpn-ikev2-user1[4]
May 26 09:41:07 src at px2 charon: 12[IKE] deleting IKE_SA 
vpn-ikev2-user1[4] between 
176.xx.xx.xx[proxy.test.com]...78.133.xx.xx[C=AA, ST=BB, O=CC, OU=Sec 
man, CN=user1.test.com, E=user1 at test.com]
May 26 09:41:07 src at px2 charon: 12[IKE] deleting IKE_SA 
vpn-ikev2-user1[4] between 
176.xx.xx.xx[proxy.test.com]...78.133.xx.xx[C=AA, ST=BB, O=CC, OU=Sec 
man, CN=user1.test.com, E=user1 at test.com]
May 26 09:41:07 src at px2 charon: 12[IKE] IKE_SA deleted
May 26 09:41:07 src at px2 charon: 12[IKE] IKE_SA deleted
May 26 09:41:07 src at px2 charon: 12[CFG] lease 10.100.1.222 by 'C=AA, 
ST=BB, O=CC, OU=Sec man, CN=user1.test.com, E=user1 at test.com' went offline

ipsec.conf
conn vpn-ikev2-user1
        keyexchange=ikev2
        type=transport                 # transport mode rather than the default tunnel mode
        left=176.xx.xx.xx
        leftcert=proxy.cert
        leftid=@proxy.test.com
        right=%any
        rightca=@#a0:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
        authby=rsasig
        keyingtries=%forever
        leftsubnet=0.0.0.0/0           # local traffic selector offered to the client
        rightdns=10.100.1.2
        rightrsasigkey=%cert           # peer's public key is taken from its certificate
        rightid="C=AA, ST=BB, O=CC, OU=Sec man, CN=user1.test.com, E=user1 at test.com"
        auto=add
        rightsourceip=10.100.1.222/28  # virtual IP pool handed out to the client


Kernel 3.14.5
strongSwan version 5.3.5
Any suggestions?
I tried with rekey=no and reauth=no without success; the client is 
Windows 10.


Regards
Rafal
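The log above says what blocks the second CHILD_SA: SPD entries with the same selectors and direction are still installed under reqid 1, so the entries for reqid 3 cannot be added. The script below is an added example, not code from the post or from the strongSwan project. It re-joins charon records that the mail wrapped across lines, extracts each "unable to install policy ... for reqid X, the same policy for reqid Y exists" conflict, and matches it against `ip xfrm policy` output to show which kernel entries are stranded under the old reqid. Both sample inputs are constructed: the log lines follow the post, and the xfrm output uses documentation addresses (198.51.100.1 for the gateway, 203.0.113.7 for the NATed client) in place of the post's masked ones.

```python
"""Added example (not from the original post or the strongSwan project): extract
"unable to install policy ... for reqid X, the same policy for reqid Y exists"
records from a charon log and cross-check them against `ip xfrm policy` output
to find the kernel SPD entries still held under the old reqid. Inputs are constructed."""
import re
from collections import namedtuple

# A syslog record starts "Mon DD HH:MM:SS "; a line that does not is a
# continuation of the previous record (mail clients wrap long charon lines).
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")

# charon's (kernel-netlink) message for an SPD entry already owned by another reqid.
CONFLICT = re.compile(
    r"unable to install policy (?P<src>\S+) === (?P<dst>\S+) (?P<dir>in|out|fwd) "
    r"\(mark [^)]*\) for reqid (?P<new>\d+), the same policy for reqid (?P<old>\d+) exists"
)

# src/dst are the selectors as logged (left/right of ===); direction is in/out/fwd.
Conflict = namedtuple("Conflict", "src dst direction new_reqid old_reqid")

def unwrap_syslog(text):
    """Re-join records that were wrapped across lines."""
    records = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records

def parse_conflicts(log_text):
    """Distinct policy conflicts in log order (charon logs each one twice)."""
    found = []
    for rec in unwrap_syslog(log_text):
        m = CONFLICT.search(rec)
        if m:
            c = Conflict(m["src"], m["dst"], m["dir"], int(m["new"]), int(m["old"]))
            if c not in found:
                found.append(c)
    return found

def parse_xfrm_policies(output):
    """Parse `ip xfrm policy` output into dicts (src, dst, dir, reqid, mode);
    reqid/mode stay None for entries without a template (socket bypass policies)."""
    policies, cur = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("src "):      # "tmpl src ..." lines start with "tmpl"
            m = re.match(r"src (\S+) dst (\S+)", line)
            cur = {"src": m[1], "dst": m[2], "dir": None, "reqid": None, "mode": None}
            policies.append(cur)
        elif cur and line.startswith("dir "):
            cur["dir"] = line.split()[1]
        elif cur and "reqid" in line:    # "proto esp reqid 1 mode tunnel"
            cur["reqid"] = int(re.search(r"reqid (\d+)", line)[1])
            mode = re.search(r"mode (\S+)", line)
            cur["mode"] = mode[1] if mode else None
    return policies

def find_stale_policies(conflicts, policies):
    """Map each conflict to the SPD entries matching its selectors and direction
    under the *old* reqid: the entries the new CHILD_SA could not replace."""
    return {c: [p for p in policies
                if (p["src"], p["dst"], p["dir"], p["reqid"])
                == (c.src, c.dst, c.direction, c.old_reqid)]
            for c in conflicts}

# Constructed from the post's log, wrapped the way the mail shows it.
SAMPLE_LOG = """\
May 26 09:41:07 src@px2 charon: 13[CFG] unable to install policy
0.0.0.0/0 === 10.100.1.222/32 out (mark 0/0x00000000) for reqid 3, the
same policy for reqid 1 exists
May 26 09:41:07 src@px2 charon: 13[CFG] unable to install policy
10.100.1.222/32 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 3, the
same policy for reqid 1 exists
May 26 09:41:07 src@px2 charon: 13[CFG] unable to install policy
0.0.0.0/0 === 10.100.1.222/32 out (mark 0/0x00000000) for reqid 3, the
same policy for reqid 1 exists
"""

# Constructed `ip xfrm policy` output: the entries left behind under reqid 1
# (198.51.100.1 = gateway, 203.0.113.7 = NATed client; documentation addresses).
SAMPLE_XFRM = """\
src 0.0.0.0/0 dst 10.100.1.222/32
    dir out priority 1859 ptype main
    tmpl src 198.51.100.1 dst 203.0.113.7
        proto esp reqid 1 mode tunnel
src 10.100.1.222/32 dst 0.0.0.0/0
    dir fwd priority 1859 ptype main
    tmpl src 203.0.113.7 dst 198.51.100.1
        proto esp reqid 1 mode tunnel
"""

if __name__ == "__main__":
    stale = find_stale_policies(parse_conflicts(SAMPLE_LOG), parse_xfrm_policies(SAMPLE_XFRM))
    for c, hits in stale.items():
        print(f"{c.src} === {c.dst} {c.direction}: reqid {c.new_reqid} blocked by "
              f"reqid {c.old_reqid}, {len(hits)} matching SPD entries still installed")
```

On the gateway, feed it the real `ip xfrm policy` output instead of SAMPLE_XFRM and compare the old reqid against `ipsec statusall`: if no CHILD_SA with that reqid is listed any more, the matching SPD entries are orphans of an earlier CHILD_SA rather than a live one, and `ip xfrm state` shows whether SAs for that reqid are also still present. The `mode` field also tells you whether the stranded entry was installed as tunnel or transport, which is worth knowing given the `type=transport` in the posted configuration.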


