[strongSwan] Mac OS X Widget and High Sierra

Dan Diman dan.diman at certifi.net
Mon Sep 25 22:52:12 CEST 2017


Back in 2014 when Yosemite came out, I wrote an almost identical e-mail to this one, and now it’s history repeating.

After several years (and several OS upgrades) the OS X widget again reports “No common traffic selectors found” when attempting to start up my strongSwan VPN.

In 2014, Martin W. created a version of the app that “included a short delay before calling getifaddrs() on the RTM_IFINFO event” to give the kernel a slightly longer chance to get the new tunnel address ready before getifaddrs tried to enumerate it.  That was a practical workaround in the absence of better support from the kernel, but it’s a workaround that seems to no longer be working (around?).

In looking at the OS X page on the strongSwan wiki, I notice a new homebrew version of strongSwan is available, and it can be built “with Suite B support (does not use the IPsec implementation provided by the kernel)”.  Should I take the plunge into trying to get the config files right for my road warrior machine and abandon the widget?  Can others confirm or deny problems with High Sierra and the widget?

Thanks in advance for any advice/help.  The log file from a connection attempt is provided below.

-Dan


initiating IKE_SA VPC VPN[2] to x.x.x.x
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.0.5[55919] to x.x.x.x [4500] (1124 bytes)
received packet: from x.x.x.x [4500] to 192.168.0.5[55919] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_1024
initiating IKE_SA VPC VPN[2] to x.x.x.x
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.0.5[55919] to x.x.x.x[4500] (996 bytes)
received packet: from x.x.x.x[4500] to 192.168.0.5[55919] (312 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
establishing CHILD_SA VPC VPN
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.0.5[49633] to x.x.x.x[4500] (380 bytes)
received packet: from x.x.x.x[4500] to 192.168.0.5[49633] (1196 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
received end entity cert "C=CH, O=Coname, CN=vpn.myco.com"
  using certificate "C=CH, O=Coname, CN=vpn.myco.com"
  using trusted ca certificate "C=CH, O=Coname, CN=Coname MN"
  reached self-signed root ca with a path length of 0
authentication of 'vpn.myco.com' with RSA signature successful
server requested EAP_IDENTITY (id 0x00), sending 'myname'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 192.168.0.5[49633] to x.x.x.x[4500] (76 bytes)
received packet: from x.x.x.x[4500] to 192.168.0.5[49633] (108 bytes)
parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
server requested EAP_MSCHAPV2 authentication (id 0x33)
generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
sending packet: from 192.168.0.5[49633] to x.x.x.x[4500] (140 bytes)
received packet: from x.x.x.x[4500] to 192.168.0.5[49633] (140 bytes)
parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
sending packet: from 192.168.0.5[49633] to x.x.x.x[4500] (76 bytes)
received packet: from x.x.x.x[4500] to 192.168.0.5[49633] (76 bytes)
parsed IKE_AUTH response 4 [ EAP/SUCC ]
EAP method EAP_MSCHAPV2 succeeded, MSK established
authentication of 'myname' (myself) with EAP
generating IKE_AUTH request 5 [ AUTH ]
sending packet: from 192.168.0.5[49633] to x.x.x.x[4500] (92 bytes)
received packet: from x.x.x.x[4500] to 192.168.0.5[49633] (252 bytes)
parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
authentication of 'vpn.myco.com' with EAP successful
IKE_SA VPC VPN[2] established between 192.168.0.5[myname]...x.x.x.x[vpn.myco.com]
scheduling rekeying in 35578s
maximum IKE_SA lifetime 36178s
installing 192.168.100.5 as DNS server
installing new virtual IP 10.100.255.4
created TUN device: utun4
virtual IP 10.100.255.4 did not appear on utun4
installing virtual IP 10.100.255.4 failed
no acceptable traffic selectors found
closing IKE_SA due CHILD_SA setup failure
peer supports MOBIKE
sending DELETE for ESP CHILD_SA with SPI 1f89bd98
generating INFORMATIONAL request 6 [ D ]
sending packet: from 192.168.0.5[49633] to x.x.x.x[4500] (76 bytes)
received packet: from x.x.x.x[4500] to 192.168.0.5[49633] (76 bytes)
parsed INFORMATIONAL response 6 [ D ]
deleting IKE_SA VPC VPN[2] between 192.168.0.5[myname]...x.x.x.x[vpn.myco.com]
sending DELETE for IKE_SA VPC VPN[2]
generating INFORMATIONAL request 7 [ D ]
sending packet: from 192.168.0.5[49633] to x.x.x.x[4500] (76 bytes)
received packet: from x.x.x.x[4500] to 192.168.0.5[49633] (76 bytes)
parsed INFORMATIONAL response 7 [ ]
IKE_SA deleted

