[strongSwan] Connecting but not connected

Stephen Feyrer stephen.feyrer at greensill.com
Fri Aug 16 15:33:52 CEST 2019 

Hi Tobias,

Here are the details in full:

Aug 16 14:03:11 Ubuntu-18 sudo[5311]:  user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/sbin/ipsec restart
Aug 16 14:03:11 Ubuntu-18 sudo[5311]: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 16 14:03:11 Ubuntu-18 ipsec_starter[5280]: charon stopped after 200 ms
Aug 16 14:03:11 Ubuntu-18 ipsec_starter[5280]: ipsec starter stopped
Aug 16 14:03:13 Ubuntu-18 ipsec_starter[5312]: Starting weakSwan 5.6.2 IPsec [starter]...
Aug 16 14:03:13 Ubuntu-18 sudo[5311]: pam_unix(sudo:session): session closed for user root
Aug 16 14:03:13 Ubuntu-18 audit[5337]: AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/ipsec/charon" name="/var/log/charon_debug.log" pid=5337 comm="charon" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Aug 16 14:03:13 Ubuntu-18 audit[5337]: AVC apparmor="ALLOWED" operation="truncate" profile="/usr/lib/ipsec/charon" name="/var/log/charon_debug.log" pid=5337 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Aug 16 14:03:13 Ubuntu-18 kernel: audit: type=1400 audit(1565960593.541:132): apparmor="ALLOWED" operation="open" profile="/usr/lib/ipsec/charon" name="/var/log/charon_debug.log" pid=5337 comm="charon" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Aug 16 14:03:13 Ubuntu-18 kernel: audit: type=1400 audit(1565960593.541:133): apparmor="ALLOWED" operation="truncate" profile="/usr/lib/ipsec/charon" name="/var/log/charon_debug.log" pid=5337 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Aug 16 14:03:13 Ubuntu-18 ipsec_starter[5336]: charon (5337) started after 40 ms
Aug 16 14:03:17 Ubuntu-18 sudo[5354]:  user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/sbin/ipsec up officeVPN


$ sudo ipsec statusall
Status of IKE charon daemon (weakSwan 5.6.2, Linux 5.0.0-23-generic, x86_64):
  uptime: 18 seconds, since Aug 16 14:03:14 2019
  malloc: sbrk 2703360, mmap 0, used 598688, free 2104672
  worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke vici updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  10.0.0.3
Connections:
officeVPN:  %any...50.45.0.51  IKEv1 Aggressive
officeVPN:   local:  [10.0.0.3] uses pre-shared key authentication
officeVPN:   remote: [196.198.128.64] uses pre-shared key authentication
officeVPN:   child:  dynamic[udp/l2f] === 192.168.50.0/24[udp/l2f] TUNNEL
Security Associations (1 up, 0 connecting):
officeVPN[1]: ESTABLISHED 14 seconds ago, 10.0.0.3[10.0.0.3]...50.45.0.51[196.198.128.64]
officeVPN[1]: IKEv1 SPIs: <SANITISED VALUE>_i* <SANITISED VALUE>_r, pre-shared key reauthentication in 2 hours
officeVPN[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
officeVPN[1]: Tasks active: QUICK_MODE


$ sudo ipsec up officeVPN
initiating Aggressive Mode IKE_SA officeVPN[1] to 50.45.0.51
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 10.0.0.3[500] to 50.45.0.51[500] (548 bytes)
received packet: from 50.45.0.51[500] to 10.0.0.3[500] (564 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: <SANITISED VALUE>
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
local host is behind NAT, sending keep alives
remote host is behind NAT
IKE_SA officeVPN[1] established between 10.0.0.3[10.0.0.3]...50.45.0.51[196.198.128.64]
scheduling reauthentication in 9927s
maximum IKE_SA lifetime 10467s
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (108 bytes)
generating QUICK_MODE request 3107105294 [ HASH SA No ID ID ]
sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (204 bytes)
received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (76 bytes)
queueing TRANSACTION request as tasks still active
received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (76 bytes)
ignoring TRANSACTION request, queue full
sending retransmit 1 of request message ID 3107105294, seq 3
sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (204 bytes)
received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (76 bytes)
ignoring TRANSACTION request, queue full
sending retransmit 2 of request message ID 3107105294, seq 3
sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (204 bytes)
received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (76 bytes)
ignoring TRANSACTION request, queue full


conn officeVPN
    aggressive=yes
    keyexchange=ikev1
    type=tunnel
    authby=secret
    ike=aes128-sha1-modp2048
    left=%defaultroute
    leftprotoport=udp/l2tp
    right=50.45.0.51
    rightsubnet=192.168.50.0/24
    rightprotoport=udp/l2tp
    rightid=196.198.128.64
    rightfirewall=yes
    auto=add
    xauth_identity=user


I have been provided some details from the Windows client that may be relevant:

Phase 1,
IKE version 1, Aggressive, Mode Config, Dead Peer Detection, NAT Traversal
IKE Proposal AES128 SHA1
             AES256 SHA256

Phase 2,
Enable Replay Detection
IKE Proposal AES128 SHA1
             AES256 SHA1

DH Group 5

The responder is a FortiGate NVA appliance.

Thank you.
________________________________
From: Tobias Brunner <tobias at strongswan.org>
Sent: 16 August 2019 14:00
To: Stephen Feyrer <stephen.feyrer at greensill.com>; strongSwan Users-Mailinglist <users at lists.strongswan.org>
Subject: Re: [strongSwan] Connecting but not connected

This message was sent from outside of Greensill Capital. Please do not open attachments or click on links unless you recognise the source of this email and are certain the content is safe.

Hi Stephen,

> I have tried with:
>
> #    leftsourceip=%config
>     modeconfig=pull

Leave both enabled to use a virtual IP.  Comment both (as you tried) to
not use one.

> These both result with:

Please post the full logs.

Regards,
Tobias

This message is for the designated recipient only and may contain privileged, proprietary or otherwise confidential information. If you have received this in error, please contact the sender immediately and delete the original. Any other use of this e-mail by you is prohibited. If we collect and use your personal data we will use it in accordance with our privacy policy<http://www.greensill.com/privacy/>. Greensill Capital (UK) Limited. Registered in England and Wales. Registered Number: 8126173. Registered Office: One Southampton Street, Covent Garden, London, WC2R 0LR, United Kingdom. Greensill Capital Pty Limited. Australian Company Number: 154 088 132. Registered Office: 62 -66 Woondooma Street, Bundaberg, Queensland 4670, Australia.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190816/da533351/attachment-0001.html>

More information about the Users mailing list