[strongSwan] VPN Disconnects, no obvious error message

Thomas J. Webb thomas at thomaswebb.net
Sun Nov 19 23:28:03 CET 2017


I figured out earlier issues I mentioned. I had to use the Apple
Configurator to get around a bug that still persists in iOS and Mac OS X
where it tries to connect using EAP even if you specify a certificate.
Anyway, when I connect now, I don't see anything that looks like an error
to me in the log (I knocked the level down to 1 to be easier for me to
read). But on the client side, it immediately disconnects. After a long
enough wait, I see more messages, which look to me like the server's trying
to reconnect. As before, I searched and replaced the actual domains and IP
addresses with dummy values (example.com, 1.2.3.4, 5.6.7.8).

Nov 20 07:17:23 ik1-327-23579 charon: 16[NET] received packet: from
5.6.7.8[500] to 1.2.3.4[500] (432 bytes)
Nov 20 07:17:23 ik1-327-23579 charon: 16[ENC] parsed IKE_SA_INIT request 0
[ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Nov 20 07:17:23 ik1-327-23579 charon: 16[IKE] 5.6.7.8 is initiating an
IKE_SA
Nov 20 07:17:23 ik1-327-23579 charon: 16[IKE] remote host is behind NAT
Nov 20 07:17:23 ik1-327-23579 charon: 16[IKE] sending cert request for
"C=NL, O=Example Company, CN=strongSwan Root CA"
Nov 20 07:17:23 ik1-327-23579 charon: 16[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 20 07:17:23 ik1-327-23579 charon: 16[NET] sending packet: from
1.2.3.4[500] to 5.6.7.8[500] (465 bytes)
Nov 20 07:17:23 ik1-327-23579 charon: 01[NET] received packet: from
5.6.7.8[1027] to 1.2.3.4[4500] (1772 bytes)
Nov 20 07:17:23 ik1-327-23579 charon: 01[ENC] unknown attribute type (25)
Nov 20 07:17:23 ik1-327-23579 charon: 01[ENC] parsed IKE_AUTH request 1 [
IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK
ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Nov 20 07:17:23 ik1-327-23579 charon: 01[IKE] received end entity cert
"C=NL, O=Example Company, CN=thomas at example.com"
Nov 20 07:17:23 ik1-327-23579 charon: 01[CFG] looking for peer configs
matching 1.2.3.4[vpn.example.com]...5.6.7.8[thomas at example.com]
Nov 20 07:17:23 ik1-327-23579 charon: 01[CFG] selected peer config
'IPSec-IKEv2'
Nov 20 07:17:23 ik1-327-23579 charon: 01[CFG]   using certificate "C=NL,
O=Example Company, CN=thomas at example.com"
Nov 20 07:17:23 ik1-327-23579 charon: 01[CFG]   using trusted ca
certificate "C=NL, O=Example Company, CN=strongSwan Root CA"
Nov 20 07:17:23 ik1-327-23579 charon: 01[CFG] checking certificate status
of "C=NL, O=Example Company, CN=thomas at example.com"
Nov 20 07:17:23 ik1-327-23579 charon: 01[CFG] certificate status is not
available
Nov 20 07:17:23 ik1-327-23579 charon: 01[CFG]   reached self-signed root ca
with a path length of 0
Nov 20 07:17:23 ik1-327-23579 charon: 01[IKE] authentication of '
thomas at example.com' with RSA signature successful
Nov 20 07:17:23 ik1-327-23579 charon: 01[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 20 07:17:23 ik1-327-23579 charon: 01[IKE] peer supports MOBIKE
Nov 20 07:17:23 ik1-327-23579 charon: 01[IKE] authentication of '
vpn.example.com' (myself) with RSA signature successful
Nov 20 07:17:23 ik1-327-23579 charon: 01[IKE] IKE_SA IPSec-IKEv2[2]
established between 1.2.3.4[vpn.example.com]...5.6.7.8[thomas at example.com]
Nov 20 07:17:23 ik1-327-23579 charon: 01[IKE] sending end entity cert
"C=NL, O=Example Company, CN=vpn.example.com"
Nov 20 07:17:23 ik1-327-23579 charon: 01[IKE] peer requested virtual IP %any
Nov 20 07:17:23 ik1-327-23579 charon: 01[CFG] reassigning offline lease to '
thomas at example.com'
Nov 20 07:17:23 ik1-327-23579 charon: 01[IKE] assigning virtual IP
10.42.42.1 to peer 'thomas at example.com'
Nov 20 07:17:23 ik1-327-23579 charon: 01[IKE] peer requested virtual IP
%any6
Nov 20 07:17:23 ik1-327-23579 charon: 01[CFG] reassigning offline lease to '
thomas at example.com'
Nov 20 07:17:23 ik1-327-23579 charon: 01[IKE] assigning virtual IP
2002:25f7:7489:3::1 to peer 'thomas at example.com'
Nov 20 07:17:23 ik1-327-23579 charon: 01[IKE] CHILD_SA IPSec-IKEv2{2}
established with SPIs c2da4666_i 03030c57_o and TS 0.0.0.0/0 ===
10.42.42.1/32 2002:25f7:7489:3::1/128
Nov 20 07:17:23 ik1-327-23579 charon: 01[ENC] generating IKE_AUTH response
1 [ IDr CERT AUTH CPRP(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP)
N(ADD_6_ADDR) ]
Nov 20 07:17:23 ik1-327-23579 charon: 01[NET] sending packet: from
1.2.3.4[4500] to 5.6.7.8[1027] (2252 bytes)

After a long delay:

Nov 20 07:22:23 ik1-327-23579 charon: 12[IKE] sending DPD request
Nov 20 07:22:23 ik1-327-23579 charon: 12[ENC] generating INFORMATIONAL
request 0 [ ]
Nov 20 07:22:23 ik1-327-23579 charon: 12[NET] sending packet: from
1.2.3.4[4500] to 5.6.7.8[1027] (76 bytes)
Nov 20 07:22:27 ik1-327-23579 charon: 04[IKE] retransmit 1 of request with
message ID 0
Nov 20 07:22:27 ik1-327-23579 charon: 04[NET] sending packet: from
1.2.3.4[4500] to 5.6.7.8[1027] (76 bytes)
Nov 20 07:22:34 ik1-327-23579 charon: 14[IKE] retransmit 2 of request with
message ID 0
Nov 20 07:22:34 ik1-327-23579 charon: 14[NET] sending packet: from
1.2.3.4[4500] to 5.6.7.8[1027] (76 bytes)
Nov 20 07:22:47 ik1-327-23579 charon: 12[IKE] retransmit 3 of request with
message ID 0
Nov 20 07:22:47 ik1-327-23579 charon: 12[NET] sending packet: from
1.2.3.4[4500] to 5.6.7.8[1027] (76 bytes)
Nov 20 07:23:10 ik1-327-23579 charon: 13[IKE] retransmit 4 of request with
message ID 0
Nov 20 07:23:10 ik1-327-23579 charon: 13[NET] sending packet: from
1.2.3.4[4500] to 5.6.7.8[1027] (76 bytes)
Nov 20 07:23:52 ik1-327-23579 charon: 01[IKE] retransmit 5 of request with
message ID 0
Nov 20 07:23:52 ik1-327-23579 charon: 01[NET] sending packet: from
1.2.3.4[4500] to 5.6.7.8[1027] (76 bytes)
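As an added triage helper (not part of the original message or of strongSwan itself), the script below parses charon lines like the ones quoted above and reports, for one peer, whether it sent anything after the IKE_SA was established, how long it had been silent when the DPD request went out, and how many DPD retransmits went unanswered. The sample log is constructed from the post's lines (most IKE/CFG detail lines dropped), and the year is assumed because syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed sample, cut down from the charon log quoted in the post.
SAMPLE_LOG = """\
Nov 20 07:17:23 ik1-327-23579 charon: 16[NET] received packet: from 5.6.7.8[500] to 1.2.3.4[500] (432 bytes)
Nov 20 07:17:23 ik1-327-23579 charon: 16[NET] sending packet: from 1.2.3.4[500] to 5.6.7.8[500] (465 bytes)
Nov 20 07:17:23 ik1-327-23579 charon: 01[NET] received packet: from 5.6.7.8[1027] to 1.2.3.4[4500] (1772 bytes)
Nov 20 07:17:23 ik1-327-23579 charon: 01[IKE] IKE_SA IPSec-IKEv2[2] established between 1.2.3.4[vpn.example.com]...5.6.7.8[thomas at example.com]
Nov 20 07:17:23 ik1-327-23579 charon: 01[NET] sending packet: from 1.2.3.4[4500] to 5.6.7.8[1027] (2252 bytes)
Nov 20 07:22:23 ik1-327-23579 charon: 12[IKE] sending DPD request
Nov 20 07:22:23 ik1-327-23579 charon: 12[NET] sending packet: from 1.2.3.4[4500] to 5.6.7.8[1027] (76 bytes)
Nov 20 07:22:27 ik1-327-23579 charon: 04[IKE] retransmit 1 of request with message ID 0
Nov 20 07:23:52 ik1-327-23579 charon: 01[IKE] retransmit 5 of request with message ID 0
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ charon: \d+\[\w+\] (.*)$")
PKT_RE = re.compile(r"^(received|sending) packet: from (\S+)\[\d+\] to (\S+)\[\d+\] \((\d+) bytes\)")
RETRANS_RE = re.compile(r"^retransmit (\d+) of request")

def parse(log, year=2017):
    """Yield (timestamp, message) per charon line; the year is assumed (syslog has none)."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def triage(log, peer):
    """Summarise traffic with one peer. A peer that never sends again after the IKE_SA
    is established, followed by unanswered DPD retransmits, means the server only ever talked."""
    established = dpd_started = last_in = None
    answered, bytes_out, retransmits = False, 0, 0
    for ts, msg in parse(log):
        pkt = PKT_RE.match(msg)
        rt = RETRANS_RE.match(msg)
        if pkt and pkt.group(1) == "received" and pkt.group(2) == peer:
            last_in = ts
            answered = answered or established is not None   # heard from peer post-IKE_AUTH?
        elif pkt and pkt.group(1) == "sending" and pkt.group(3) == peer and established:
            bytes_out += int(pkt.group(4))                     # what we sent that got no reply
        elif msg.startswith("IKE_SA ") and " established between " in msg and peer in msg:
            established = ts
        elif msg == "sending DPD request":
            dpd_started = ts
        elif rt:
            retransmits = max(retransmits, int(rt.group(1)))
    silent = int((dpd_started - last_in).total_seconds()) if dpd_started and last_in else None
    return {"peer_answered_after_auth": answered, "silent_seconds": silent,
            "bytes_sent_after_auth": bytes_out, "dpd_retransmits": retransmits}
```

For the quoted exchange this reports no packet from the peer after the IKE_SA came up, 300 seconds of silence before DPD, and five unanswered retransmits, which narrows the question to whether the 2252-byte IKE_AUTH response ever reached the client.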