[strongSwan] Can't connect to Strongswan

Alexander v. Below Alex at vonBelow.Com
Wed Jul 18 15:22:28 CEST 2018


Hello,

I have set up strongswan, but I can’t connect from either Linux or macOS.

Interestingly enough, there are different error messages. When connecting with Linux, the key parts of the log seem to be:

Jul 18 15:05:56 below charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
Jul 18 15:05:56 below charon: 07[CFG] looking for an ike config for 46.4.163.72...80.152.52.195
Jul 18 15:05:56 below charon: 07[IKE] no IKE config found for 46.4.163.72...80.152.52.195, sending NO_PROPOSAL_CHOSEN
Jul 18 15:05:56 below charon: 07[ENC] generating INFORMATIONAL_V1 request 1522692232 [ N(NO_PROP) ]


When connecting with macOS, I don’t even see where the process is failing. There is a good deal of communication, and finally:

Jul 18 15:01:35 below charon: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 18 15:01:35 below charon: 08[IKE] peer supports MOBIKE
Jul 18 15:01:35 below charon: 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

Any tips, pointers, help is appreciated.


Thanks a lot

Alex


// Linux
Jul 18 15:05:56 below charon: 01[NET] received packet: from 80.152.52.195[61176] to 46.4.163.72[500]
Jul 18 15:05:56 below charon: 01[NET] waiting for data on sockets
Jul 18 15:05:56 below charon: 07[NET] received packet: from 80.152.52.195[61176] to 46.4.163.72[500] (184 bytes)
Jul 18 15:05:56 below charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
Jul 18 15:05:56 below charon: 07[CFG] looking for an ike config for 46.4.163.72...80.152.52.195
Jul 18 15:05:56 below charon: 07[IKE] no IKE config found for 46.4.163.72...80.152.52.195, sending NO_PROPOSAL_CHOSEN
Jul 18 15:05:56 below charon: 07[ENC] generating INFORMATIONAL_V1 request 1522692232 [ N(NO_PROP) ]
Jul 18 15:05:56 below charon: 07[NET] sending packet: from 46.4.163.72[500] to 80.152.52.195[61176] (40 bytes)
Jul 18 15:05:56 below charon: 07[IKE] IKE_SA (unnamed)[65] state change: CREATED => DESTROYING
Jul 18 15:05:56 below charon: 03[NET] sending packet: from 46.4.163.72[500] to 80.152.52.195[61176]
Jul 18 15:06:06 below charon: 01[NET] received packet: from 80.152.52.195[61176] to 46.4.163.72[500]
Jul 18 15:06:06 below charon: 01[NET] waiting for data on sockets
Jul 18 15:06:06 below charon: 09[NET] received packet: from 80.152.52.195[61176] to 46.4.163.72[500] (184 bytes)
Jul 18 15:06:06 below charon: 09[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
Jul 18 15:06:06 below charon: 09[CFG] looking for an ike config for 46.4.163.72...80.152.52.195
Jul 18 15:06:06 below charon: 09[IKE] no IKE config found for 46.4.163.72...80.152.52.195, sending NO_PROPOSAL_CHOSEN
Jul 18 15:06:06 below charon: 09[ENC] generating INFORMATIONAL_V1 request 196744391 [ N(NO_PROP) ]
Jul 18 15:06:06 below charon: 09[NET] sending packet: from 46.4.163.72[500] to 80.152.52.195[61176] (40 bytes)
Jul 18 15:06:06 below charon: 09[IKE] IKE_SA (unnamed)[66] state change: CREATED => DESTROYING
Jul 18 15:06:06 below charon: 03[NET] sending packet: from 46.4.163.72[500] to 80.152.52.195[61176]

// macOS
Jul 18 14:54:41 below charon: 01[NET] received packet: from 80.152.52.195[500] to 46.4.163.72[500]
Jul 18 14:54:41 below charon: 01[NET] waiting for data on sockets
Jul 18 14:54:41 below charon: 05[NET] received packet: from 80.152.52.195[500] to 46.4.163.72[500] (184 bytes)
Jul 18 14:54:41 below charon: 05[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
Jul 18 14:54:41 below charon: 05[CFG] looking for an ike config for 46.4.163.72...80.152.52.195
Jul 18 14:54:41 below charon: 05[IKE] no IKE config found for 46.4.163.72...80.152.52.195, sending NO_PROPOSAL_CHOSEN
Jul 18 14:54:41 below charon: 05[ENC] generating INFORMATIONAL_V1 request 675425918 [ N(NO_PROP) ]
Jul 18 14:54:41 below charon: 05[NET] sending packet: from 46.4.163.72[500] to 80.152.52.195[500] (40 bytes)
Jul 18 14:54:41 below charon: 05[IKE] IKE_SA (unnamed)[63] state change: CREATED => DESTROYING
Jul 18 14:54:41 below charon: 03[NET] sending packet: from 46.4.163.72[500] to 80.152.52.195[500]
Jul 18 15:01:35 below charon: 01[NET] received packet: from 80.152.52.195[500] to 46.4.163.72[500]
Jul 18 15:01:35 below charon: 01[NET] waiting for data on sockets
Jul 18 15:01:35 below charon: 04[NET] received packet: from 80.152.52.195[500] to 46.4.163.72[500] (604 bytes)
Jul 18 15:01:35 below charon: 04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jul 18 15:01:35 below charon: 04[CFG] looking for an ike config for 46.4.163.72...80.152.52.195
Jul 18 15:01:35 below charon: 04[CFG]   candidate: 46.4.163.72...%any, prio 1052
Jul 18 15:01:35 below charon: 04[CFG] found matching ike config: 46.4.163.72...%any with prio 1052
Jul 18 15:01:35 below charon: 04[IKE] 80.152.52.195 is initiating an IKE_SA
Jul 18 15:01:35 below charon: 04[IKE] IKE_SA (unnamed)[64] state change: CREATED => CONNECTING
Jul 18 15:01:35 below charon: 04[CFG] selecting proposal:
Jul 18 15:01:35 below charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 18 15:01:35 below charon: 04[CFG] selecting proposal:
Jul 18 15:01:35 below charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 18 15:01:35 below charon: 04[CFG] selecting proposal:
Jul 18 15:01:35 below charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 18 15:01:35 below charon: 04[CFG] selecting proposal:
Jul 18 15:01:35 below charon: 04[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Jul 18 15:01:35 below charon: 04[CFG] selecting proposal:
Jul 18 15:01:35 below charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 18 15:01:35 below charon: 04[CFG] selecting proposal:
Jul 18 15:01:35 below charon: 04[CFG]   proposal matches
Jul 18 15:01:35 below charon: 04[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 18 15:01:35 below charon: 04[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
Jul 18 15:01:35 below charon: 04[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 18 15:01:35 below charon: 04[IKE] remote host is behind NAT
Jul 18 15:01:35 below charon: 04[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Jul 18 15:01:35 below charon: 04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Jul 18 15:01:35 below charon: 04[NET] sending packet: from 46.4.163.72[500] to 80.152.52.195[500] (473 bytes)
Jul 18 15:01:35 below charon: 03[NET] sending packet: from 46.4.163.72[500] to 80.152.52.195[500]
Jul 18 15:01:35 below charon: 01[NET] received packet: from 80.152.52.195[4500] to 46.4.163.72[4500]
Jul 18 15:01:35 below charon: 01[NET] waiting for data on sockets
Jul 18 15:01:35 below charon: 08[NET] received packet: from 80.152.52.195[4500] to 46.4.163.72[4500] (496 bytes)
Jul 18 15:01:35 below charon: 08[ENC] unknown attribute type (25)
Jul 18 15:01:35 below charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jul 18 15:01:35 below charon: 08[CFG] looking for peer configs matching 46.4.163.72[46.4.163.72]...80.152.52.195[Client_Key]
Jul 18 15:01:35 below charon: 08[CFG]   candidate "IKEv2", match: 20/1/1052 (me/other/ike)
Jul 18 15:01:35 below charon: 08[CFG] selected peer config 'IKEv2'
Jul 18 15:01:35 below charon: 08[IKE] peer requested EAP, config inacceptable
Jul 18 15:01:35 below charon: 08[CFG] no alternative config found
Jul 18 15:01:35 below charon: 08[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jul 18 15:01:35 below charon: 08[IKE] processing INTERNAL_IP4_DHCP attribute
Jul 18 15:01:35 below charon: 08[IKE] processing INTERNAL_IP4_DNS attribute
Jul 18 15:01:35 below charon: 08[IKE] processing INTERNAL_IP4_NETMASK attribute
Jul 18 15:01:35 below charon: 08[IKE] processing INTERNAL_IP6_ADDRESS attribute
Jul 18 15:01:35 below charon: 08[IKE] processing INTERNAL_IP6_DHCP attribute
Jul 18 15:01:35 below charon: 08[IKE] processing INTERNAL_IP6_DNS attribute
Jul 18 15:01:35 below charon: 08[IKE] processing (25) attribute
Jul 18 15:01:35 below charon: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 18 15:01:35 below charon: 08[IKE] peer supports MOBIKE
Jul 18 15:01:35 below charon: 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 18 15:01:35 below charon: 08[NET] sending packet: from 46.4.163.72[4500] to 80.152.52.195[4500] (80 bytes)
Jul 18 15:01:35 below charon: 08[IKE] IKE_SA IKEv2[64] state change: CONNECTING => DESTROYING
Jul 18 15:01:35 below charon: 03[NET] sending packet: from 46.4.163.72[4500] to 80.152.52.195[4500]
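
An added example (not part of the original post and not strongSwan code): a small triage script that pairs each error notify charon sends, N(NO_PROP) or N(AUTH_FAILED), with the exchange that triggered it and the explanatory lines the same worker thread logged earlier. The sample lines are copied from the logs above; the function name `triage` and the assumption that one worker thread id handles one inbound message at a time belong to this example.

```python
import re

# Sample input: lines copied from the charon logs in the post above.
SAMPLE = """\
Jul 18 15:05:56 below charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
Jul 18 15:05:56 below charon: 07[IKE] no IKE config found for 46.4.163.72...80.152.52.195, sending NO_PROPOSAL_CHOSEN
Jul 18 15:05:56 below charon: 07[ENC] generating INFORMATIONAL_V1 request 1522692232 [ N(NO_PROP) ]
Jul 18 15:01:35 below charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jul 18 15:01:35 below charon: 08[IKE] peer requested EAP, config inacceptable
Jul 18 15:01:35 below charon: 08[CFG] no alternative config found
Jul 18 15:01:35 below charon: 08[IKE] peer supports MOBIKE
Jul 18 15:01:35 below charon: 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

LINE = re.compile(r"charon: (?P<tid>\d+)\[(?P<sub>[A-Z]+)\]\s+(?P<msg>.*)$")
PARSED = re.compile(r"parsed (\S+) (?:request|response) \d+")
ERROR = re.compile(r"generating \S+ (?:request|response) \d+ \[ (N\((?:NO_PROP|AUTH_FAILED)\)) \]")
# Messages that explain a rejection; all three appear in the logs on this page.
CAUSES = ("no IKE config found", "config inacceptable", "no alternative config found")
IKEV1 = {"ID_PROT", "AGGRESSIVE", "QUICK_MODE", "INFORMATIONAL_V1", "TRANSACTION"}

def triage(log_text):
    """Return one dict per error notify sent, with its exchange and the lines that explain it."""
    jobs, findings = {}, []  # jobs: worker thread id -> state of the message being handled
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        tid, msg = m["tid"], m["msg"]
        p = PARSED.search(msg)
        if p:  # a newly parsed inbound message starts a new job on this thread
            jobs[tid] = {"exchange": p.group(1), "causes": []}
            continue
        job = jobs.get(tid)
        if job is None:
            continue
        if any(c in msg for c in CAUSES):
            job["causes"].append(msg)
        e = ERROR.search(msg)
        if e:  # the error notify closes the job; report it with what led up to it
            findings.append({"time": raw[:15], "notify": e.group(1),
                             "exchange": job["exchange"],
                             "ike_version": 1 if job["exchange"] in IKEV1 else 2,
                             "causes": job["causes"]})
            del jobs[tid]
    return findings
```

Run over the lines above, it reports the ID_PROT (IKEv1) request rejected with "no IKE config found" and the IKE_AUTH (IKEv2) request rejected at "peer requested EAP, config inacceptable", which is logged several lines before the AUTH_FAILED response.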



