[strongSwan] Connecting but not connected

Stephen Feyrer stephen.feyrer at greensill.com
Fri Aug 16 16:17:46 CEST 2019


Hi Tobias,

Apologies!  I have amended the config as you described (below are the charon_debug logs).  I have already advised the team that Aggressive mode with psk is unsafe.

$ sudo ipsec statusall
[sudo] password for user:
Status of IKE charon daemon (strongSwan 5.6.2, Linux 5.0.0-23-generic, x86_64):
  uptime: 17 seconds, since Aug 16 14:48:24 2019
  malloc: sbrk 2568192, mmap 0, used 605376, free 1962816
  worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke vici updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  10.0.0.3
Connections:
officeVPN:  %any...50.45.0.51  IKEv1 Aggressive
officeVPN:   local:  [10.0.0.3] uses pre-shared key authentication
officeVPN:   local:  uses XAuth authentication: any with XAuth identity 'user'
officeVPN:   remote: [196.198.128.64] uses pre-shared key authentication
officeVPN:   child:  dynamic[udp/l2f] === 192.168.50.0/24[udp/l2f] TUNNEL
Security Associations (1 up, 0 connecting):
officeVPN[1]: ESTABLISHED 11 seconds ago, 10.0.0.3[10.0.0.3]...50.45.0.51[196.198.128.64]
officeVPN[1]: IKEv1 SPIs: <SANITISED VALUE>_i* <SANITISED VALUE>_r, pre-shared key+XAuth reauthentication in 2 hours
officeVPN[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
officeVPN[1]: Tasks active: QUICK_MODE


$ sudo ipsec up officeVPN
initiating Aggressive Mode IKE_SA officeVPN[1] to 50.45.0.51
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 10.0.0.3[500] to 50.45.0.51[500] (548 bytes)
received packet: from 50.45.0.51[500] to 10.0.0.3[500] (564 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: <SANITISED VALUE>
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
local host is behind NAT, sending keep alives
remote host is behind NAT
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (108 bytes)
received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (76 bytes)
parsed TRANSACTION request 3304699073 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 3304699073 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (92 bytes)
received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (76 bytes)
parsed TRANSACTION request 2630756780 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'stephen.feyrer' (myself) successful
IKE_SA officeVPN[1] established between 10.0.0.3[10.0.0.3]...50.45.0.51[196.198.128.64]
scheduling reauthentication in 9872s
maximum IKE_SA lifetime 10412s
generating TRANSACTION response 2630756780 [ HASH CPA(X_STATUS) ]
sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (76 bytes)
generating QUICK_MODE request 4038947095 [ HASH SA No ID ID ]
sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (204 bytes)
sending retransmit 1 of request message ID 4038947095, seq 3
sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (204 bytes)
sending retransmit 2 of request message ID 4038947095, seq 3
sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (204 bytes)


conn officeVPN
    aggressive=yes
    keyexchange=ikev1
    type=tunnel
    authby=xauthpsk
    ike=aes128-sha1-modp2048
    esp=aes-sha1
    left=%defaultroute
    leftprotoport=udp/l2tp
    right=50.45.0.51
    rightsubnet=192.168.50.0/24
    rightprotoport=udp/l2tp
    rightid=196.198.128.64
    rightfirewall=yes
    auto=add
    xauth_identity=user


Logs:
Fri, 2019-08-16 14:48 00[DMN] signal of type SIGINT received. Shutting down
Fri, 2019-08-16 14:48 00[CHD] <officeVPN|1> CHILD_SA officeVPN{1} state change: CREATED => DESTROYING
Fri, 2019-08-16 14:48 00[KNL] <officeVPN|1> deleting SAD entry with SPI c450b604
Fri, 2019-08-16 14:48 00[KNL] <officeVPN|1> deleted SAD entry with SPI c450b604
Fri, 2019-08-16 14:48 00[IKE] <officeVPN|1> queueing ISAKMP_DELETE task
Fri, 2019-08-16 14:48 00[IKE] <officeVPN|1> activating new tasks
Fri, 2019-08-16 14:48 00[IKE] <officeVPN|1>   activating ISAKMP_DELETE task
Fri, 2019-08-16 14:48 00[IKE] <officeVPN|1> deleting IKE_SA officeVPN[1] between 10.0.0.3[10.0.0.3]...50.45.0.51[196.198.128.64]
Fri, 2019-08-16 14:48 00[IKE] <officeVPN|1> sending DELETE for IKE_SA officeVPN[1]
Fri, 2019-08-16 14:48 00[IKE] <officeVPN|1> IKE_SA officeVPN[1] state change: ESTABLISHED => DELETING
Fri, 2019-08-16 14:48 00[ENC] <officeVPN|1> generating INFORMATIONAL_V1 request 2677532462 [ HASH D ]
Fri, 2019-08-16 14:48 00[NET] <officeVPN|1> sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (92 bytes)
Fri, 2019-08-16 14:48 00[IKE] <officeVPN|1> IKE_SA officeVPN[1] state change: DELETING => DESTROYING
tail: /var/log/charon_debug.log: file truncated
Fri, 2019-08-16 14:48 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 5.0.0-23-generic, x86_64)
Fri, 2019-08-16 14:48 00[LIB] plugin 'aesni': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'aes': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'rc2': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'sha2': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'sha1': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'md4': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'md5': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'mgf1': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'random': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'nonce': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'x509': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'revocation': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'constraints': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'pubkey': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'pkcs1': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'pkcs7': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'pkcs8': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'pkcs12': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'pgp': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'dnskey': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'sshkey': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'pem': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'openssl': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'fips-prf': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'gmp': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'agent': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'xcbc': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'hmac': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'gcm': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'attr': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'kernel-netlink': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'resolve': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'socket-default': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'connmark': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'stroke': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'vici': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'updown': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'eap-mschapv2': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'xauth-generic': loaded successfully
Fri, 2019-08-16 14:48 00[LIB] plugin 'counters': loaded successfully
Fri, 2019-08-16 14:48 00[KNL] known interfaces and IP addresses:
Fri, 2019-08-16 14:48 00[KNL]   lo
Fri, 2019-08-16 14:48 00[KNL]     127.0.0.1
Fri, 2019-08-16 14:48 00[KNL]     ::1
Fri, 2019-08-16 14:48 00[KNL]   enp4s0
Fri, 2019-08-16 14:48 00[KNL]   wlp2s0
Fri, 2019-08-16 14:48 00[KNL]     10.0.0.3
Fri, 2019-08-16 14:48 00[KNL]     fe80::9b8c:8041:bcd6:da78
Fri, 2019-08-16 14:48 00[LIB] feature PUBKEY:ED25519 in plugin 'pem' has unmet dependency: PUBKEY:ED25519
Fri, 2019-08-16 14:48 00[LIB] feature PUBKEY:BLISS in plugin 'pem' has unmet dependency: PUBKEY:BLISS
Fri, 2019-08-16 14:48 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
Fri, 2019-08-16 14:48 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA
Fri, 2019-08-16 14:48 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has unmet dependency: PRIVKEY:BLISS
Fri, 2019-08-16 14:48 00[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST
Fri, 2019-08-16 14:48 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_224 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224
Fri, 2019-08-16 14:48 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_256 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256
Fri, 2019-08-16 14:48 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_384 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384
Fri, 2019-08-16 14:48 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_512 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_512
Fri, 2019-08-16 14:48 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_224 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224
Fri, 2019-08-16 14:48 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_256 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256
Fri, 2019-08-16 14:48 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_384 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384
Fri, 2019-08-16 14:48 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_512 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_512
Fri, 2019-08-16 14:48 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Fri, 2019-08-16 14:48 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Fri, 2019-08-16 14:48 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Fri, 2019-08-16 14:48 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Fri, 2019-08-16 14:48 00[CFG] loading crls from '/etc/ipsec.d/crls'
Fri, 2019-08-16 14:48 00[CFG] loading secrets from '/etc/ipsec.secrets'
Fri, 2019-08-16 14:48 00[CFG]   loaded IKE secret for 50.45.0.51 %any
Fri, 2019-08-16 14:48 00[CFG]   loaded EAP secret for user %any
Fri, 2019-08-16 14:48 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-ee18db9c-522d-4da5-8a69-d3dcb8d23097.secrets'
Fri, 2019-08-16 14:48 00[CFG]   loaded IKE secret for 50.45.0.51
Fri, 2019-08-16 14:48 00[LIB] unloading plugin 'aesni' without loaded features
Fri, 2019-08-16 14:48 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke vici updown eap-mschapv2 xauth-generic counters
Fri, 2019-08-16 14:48 00[LIB] unable to load 14 plugin features (14 due to unmet dependencies)
Fri, 2019-08-16 14:48 00[LIB] dropped capabilities, running as uid 0, gid 0
Fri, 2019-08-16 14:48 00[JOB] spawning 16 worker threads
Fri, 2019-08-16 14:48 01[LIB] created thread 01 [5753]
Fri, 2019-08-16 14:48 02[LIB] created thread 02 [5754]
Fri, 2019-08-16 14:48 03[LIB] created thread 03 [5755]
Fri, 2019-08-16 14:48 04[LIB] created thread 04 [5756]
Fri, 2019-08-16 14:48 10[LIB] created thread 10 [5762]
Fri, 2019-08-16 14:48 06[LIB] created thread 06 [5758]
Fri, 2019-08-16 14:48 07[LIB] created thread 07 [5759]
Fri, 2019-08-16 14:48 08[LIB] created thread 08 [5760]
Fri, 2019-08-16 14:48 12[LIB] created thread 12 [5765]
Fri, 2019-08-16 14:48 05[LIB] created thread 05 [5757]
Fri, 2019-08-16 14:48 11[LIB] created thread 11 [5764]
Fri, 2019-08-16 14:48 09[LIB] created thread 09 [5761]
Fri, 2019-08-16 14:48 13[LIB] created thread 13 [5766]
Fri, 2019-08-16 14:48 14[LIB] created thread 14 [5763]
Fri, 2019-08-16 14:48 15[LIB] created thread 15 [5767]
Fri, 2019-08-16 14:48 16[LIB] created thread 16 [5768]
Fri, 2019-08-16 14:48 10[CFG] received stroke: add connection 'officeVPN'
Fri, 2019-08-16 14:48 10[CFG] conn officeVPN
Fri, 2019-08-16 14:48 10[CFG]   left=%any
Fri, 2019-08-16 14:48 10[CFG]   leftauth=psk
Fri, 2019-08-16 14:48 10[CFG]   leftauth2=xauth
Fri, 2019-08-16 14:48 10[CFG]   right=50.45.0.51
Fri, 2019-08-16 14:48 10[CFG]   rightsubnet=192.168.50.0/24
Fri, 2019-08-16 14:48 10[CFG]   rightauth=psk
Fri, 2019-08-16 14:48 10[CFG]   rightid=196.198.128.64
Fri, 2019-08-16 14:48 10[CFG]   rightupdown=ipsec _updown iptables
Fri, 2019-08-16 14:48 10[CFG]   xauth_identity=user
Fri, 2019-08-16 14:48 10[CFG]   ike=aes128-sha1-modp2048
Fri, 2019-08-16 14:48 10[CFG]   esp=aes-sha1
Fri, 2019-08-16 14:48 10[CFG]   dpddelay=30
Fri, 2019-08-16 14:48 10[CFG]   dpdtimeout=150
Fri, 2019-08-16 14:48 10[CFG]   sha256_96=no
Fri, 2019-08-16 14:48 10[CFG]   mediation=no
Fri, 2019-08-16 14:48 10[CFG]   keyexchange=ikev1
Fri, 2019-08-16 14:48 10[KNL] 50.45.0.51 is not a local address or the interface is down
Fri, 2019-08-16 14:48 10[CFG] added configuration 'officeVPN'
Fri, 2019-08-16 14:48 07[CFG] received stroke: initiate 'officeVPN'
Fri, 2019-08-16 14:48 08[KNL] <officeVPN|1> using 10.0.0.3 as address to reach 50.45.0.51/32
Fri, 2019-08-16 14:48 08[IKE] <officeVPN|1> queueing ISAKMP_VENDOR task
Fri, 2019-08-16 14:48 08[IKE] <officeVPN|1> queueing ISAKMP_CERT_PRE task
Fri, 2019-08-16 14:48 08[IKE] <officeVPN|1> queueing AGGRESSIVE_MODE task
Fri, 2019-08-16 14:48 08[IKE] <officeVPN|1> queueing ISAKMP_CERT_POST task
Fri, 2019-08-16 14:48 08[IKE] <officeVPN|1> queueing ISAKMP_NATD task
Fri, 2019-08-16 14:48 08[IKE] <officeVPN|1> queueing QUICK_MODE task
Fri, 2019-08-16 14:48 08[IKE] <officeVPN|1> activating new tasks
Fri, 2019-08-16 14:48 08[IKE] <officeVPN|1>   activating ISAKMP_VENDOR task
Fri, 2019-08-16 14:48 08[IKE] <officeVPN|1>   activating ISAKMP_CERT_PRE task
Fri, 2019-08-16 14:48 08[IKE] <officeVPN|1>   activating AGGRESSIVE_MODE task
Fri, 2019-08-16 14:48 08[IKE] <officeVPN|1>   activating ISAKMP_CERT_POST task
Fri, 2019-08-16 14:48 08[IKE] <officeVPN|1>   activating ISAKMP_NATD task
Fri, 2019-08-16 14:48 08[IKE] <officeVPN|1> sending XAuth vendor ID
Fri, 2019-08-16 14:48 08[IKE] <officeVPN|1> sending DPD vendor ID
Fri, 2019-08-16 14:48 08[IKE] <officeVPN|1> sending FRAGMENTATION vendor ID
Fri, 2019-08-16 14:48 08[IKE] <officeVPN|1> sending NAT-T (RFC 3947) vendor ID
Fri, 2019-08-16 14:48 08[IKE] <officeVPN|1> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Fri, 2019-08-16 14:48 08[IKE] <officeVPN|1> initiating Aggressive Mode IKE_SA officeVPN[1] to 50.45.0.51
Fri, 2019-08-16 14:48 08[IKE] <officeVPN|1> IKE_SA officeVPN[1] state change: CREATED => CONNECTING
Fri, 2019-08-16 14:48 08[CFG] <officeVPN|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Fri, 2019-08-16 14:48 08[LIB] <officeVPN|1> size of DH secret exponent: 2047 bits
Fri, 2019-08-16 14:48 08[ENC] <officeVPN|1> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Fri, 2019-08-16 14:48 08[NET] <officeVPN|1> sending packet: from 10.0.0.3[500] to 50.45.0.51[500] (548 bytes)
Fri, 2019-08-16 14:48 12[NET] <officeVPN|1> received packet: from 50.45.0.51[500] to 10.0.0.3[500] (564 bytes)
Fri, 2019-08-16 14:48 12[ENC] <officeVPN|1> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
Fri, 2019-08-16 14:48 12[IKE] <officeVPN|1> received NAT-T (RFC 3947) vendor ID
Fri, 2019-08-16 14:48 12[IKE] <officeVPN|1> received DPD vendor ID
Fri, 2019-08-16 14:48 12[IKE] <officeVPN|1> received XAuth vendor ID
Fri, 2019-08-16 14:48 12[ENC] <officeVPN|1> received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
Fri, 2019-08-16 14:48 12[IKE] <officeVPN|1> received FRAGMENTATION vendor ID
Fri, 2019-08-16 14:48 12[IKE] <officeVPN|1> received FRAGMENTATION vendor ID
Fri, 2019-08-16 14:48 12[CFG] <officeVPN|1> selecting proposal:
Fri, 2019-08-16 14:48 12[CFG] <officeVPN|1>   proposal matches
Fri, 2019-08-16 14:48 12[CFG] <officeVPN|1> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Fri, 2019-08-16 14:48 12[CFG] <officeVPN|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Fri, 2019-08-16 14:48 12[CFG] <officeVPN|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Fri, 2019-08-16 14:48 12[IKE] <officeVPN|1> local host is behind NAT, sending keep alives
Fri, 2019-08-16 14:48 12[IKE] <officeVPN|1> remote host is behind NAT
Fri, 2019-08-16 14:48 12[IKE] <officeVPN|1> reinitiating already active tasks
Fri, 2019-08-16 14:48 12[IKE] <officeVPN|1>   ISAKMP_VENDOR task
Fri, 2019-08-16 14:48 12[IKE] <officeVPN|1>   AGGRESSIVE_MODE task
Fri, 2019-08-16 14:48 12[ENC] <officeVPN|1> generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
Fri, 2019-08-16 14:48 12[NET] <officeVPN|1> sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (108 bytes)
Fri, 2019-08-16 14:48 12[IKE] <officeVPN|1> activating new tasks
Fri, 2019-08-16 14:48 12[IKE] <officeVPN|1> nothing to initiate
Fri, 2019-08-16 14:48 05[NET] <officeVPN|1> received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (76 bytes)
Fri, 2019-08-16 14:48 05[ENC] <officeVPN|1> parsed TRANSACTION request 3304699073 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
Fri, 2019-08-16 14:48 05[ENC] <officeVPN|1> generating TRANSACTION response 3304699073 [ HASH CPRP(X_USER X_PWD) ]
Fri, 2019-08-16 14:48 05[NET] <officeVPN|1> sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (92 bytes)
Fri, 2019-08-16 14:48 11[NET] <officeVPN|1> received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (76 bytes)
Fri, 2019-08-16 14:48 11[ENC] <officeVPN|1> parsed TRANSACTION request 2630756780 [ HASH CPS(X_STATUS) ]
Fri, 2019-08-16 14:48 11[IKE] <officeVPN|1> XAuth authentication of 'user' (myself) successful
Fri, 2019-08-16 14:48 11[IKE] <officeVPN|1> IKE_SA officeVPN[1] established between 10.0.0.3[10.0.0.3]...50.45.0.51[196.198.128.64]
Fri, 2019-08-16 14:48 11[IKE] <officeVPN|1> IKE_SA officeVPN[1] state change: CONNECTING => ESTABLISHED
Fri, 2019-08-16 14:48 11[IKE] <officeVPN|1> scheduling reauthentication in 9872s
Fri, 2019-08-16 14:48 11[IKE] <officeVPN|1> maximum IKE_SA lifetime 10412s
Fri, 2019-08-16 14:48 11[ENC] <officeVPN|1> generating TRANSACTION response 2630756780 [ HASH CPA(X_STATUS) ]
Fri, 2019-08-16 14:48 11[NET] <officeVPN|1> sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (76 bytes)
Fri, 2019-08-16 14:48 11[IKE] <officeVPN|1> activating new tasks
Fri, 2019-08-16 14:48 11[IKE] <officeVPN|1>   activating QUICK_MODE task
Fri, 2019-08-16 14:48 11[CFG] <officeVPN|1> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Fri, 2019-08-16 14:48 11[KNL] <officeVPN|1> got SPI cddb140c
Fri, 2019-08-16 14:48 11[CFG] <officeVPN|1> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Fri, 2019-08-16 14:48 11[CFG] <officeVPN|1> proposing traffic selectors for us:
Fri, 2019-08-16 14:48 11[CFG] <officeVPN|1>  10.0.0.3/32[udp/l2f]
Fri, 2019-08-16 14:48 11[CFG] <officeVPN|1> proposing traffic selectors for other:
Fri, 2019-08-16 14:48 11[CFG] <officeVPN|1>  192.168.50.0/24[udp/l2f]
Fri, 2019-08-16 14:48 11[ENC] <officeVPN|1> generating QUICK_MODE request 4038947095 [ HASH SA No ID ID ]
Fri, 2019-08-16 14:48 11[NET] <officeVPN|1> sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (204 bytes)
Fri, 2019-08-16 14:48 04[IKE] <officeVPN|1> sending retransmit 1 of request message ID 4038947095, seq 3
Fri, 2019-08-16 14:48 04[NET] <officeVPN|1> sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (204 bytes)
Fri, 2019-08-16 14:48 14[IKE] <officeVPN|1> sending retransmit 2 of request message ID 4038947095, seq 3
Fri, 2019-08-16 14:48 14[NET] <officeVPN|1> sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (204 bytes)
Fri, 2019-08-16 14:48 15[CFG] proposing traffic selectors for us:
Fri, 2019-08-16 14:48 15[CFG]  dynamic[udp/l2f]
Fri, 2019-08-16 14:48 15[CFG] proposing traffic selectors for other:
Fri, 2019-08-16 14:48 15[CFG]  192.168.50.0/24[udp/l2f]

Thank you.


--
Kind regards

Stephen Feyrer
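An added triage script (not part of Stephen's post and not strongSwan code) that classifies the pattern in the log above: the IKE_SA reaches ESTABLISHED, a QUICK_MODE request is generated, and then only retransmits follow with no "parsed QUICK_MODE response" and no "CHILD_SA ... established". The two embedded logs are constructed excerpts: the first is modelled on the lines quoted above (message ID 4038947095, the 10.0.0.3 and 192.168.50.0/24 selectors), the second is a made-up successful negotiation whose line shapes follow strongSwan 5.x, so the same parser can be seen giving a clean verdict.

```python
"""Triage a charon log for the pattern in this thread: IKE_SA up, Quick Mode never answered."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed excerpt modelled on the charon_debug.log lines quoted above (message ID,
# addresses and traffic selectors copied from the post; this is not the complete log).
STUCK_LOG = """\
Fri, 2019-08-16 14:48 11[IKE] <officeVPN|1> IKE_SA officeVPN[1] established between 10.0.0.3[10.0.0.3]...50.45.0.51[196.198.128.64]
Fri, 2019-08-16 14:48 11[IKE] <officeVPN|1> IKE_SA officeVPN[1] state change: CONNECTING => ESTABLISHED
Fri, 2019-08-16 14:48 11[CFG] <officeVPN|1> proposing traffic selectors for us:
Fri, 2019-08-16 14:48 11[CFG] <officeVPN|1>  10.0.0.3/32[udp/l2f]
Fri, 2019-08-16 14:48 11[CFG] <officeVPN|1> proposing traffic selectors for other:
Fri, 2019-08-16 14:48 11[CFG] <officeVPN|1>  192.168.50.0/24[udp/l2f]
Fri, 2019-08-16 14:48 11[ENC] <officeVPN|1> generating QUICK_MODE request 4038947095 [ HASH SA No ID ID ]
Fri, 2019-08-16 14:48 11[NET] <officeVPN|1> sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (204 bytes)
Fri, 2019-08-16 14:48 04[IKE] <officeVPN|1> sending retransmit 1 of request message ID 4038947095, seq 3
Fri, 2019-08-16 14:48 14[IKE] <officeVPN|1> sending retransmit 2 of request message ID 4038947095, seq 3
"""

# Constructed counter-example of a completed negotiation (line shapes follow strongSwan 5.x,
# the SPI values are made up) so the parser can also be seen classifying a healthy log.
HEALTHY_LOG = """\
Fri, 2019-08-16 14:48 11[IKE] <officeVPN|1> IKE_SA officeVPN[1] established between 10.0.0.3[10.0.0.3]...50.45.0.51[196.198.128.64]
Fri, 2019-08-16 14:48 11[ENC] <officeVPN|1> generating QUICK_MODE request 4038947095 [ HASH SA No ID ID ]
Fri, 2019-08-16 14:48 12[ENC] <officeVPN|1> parsed QUICK_MODE response 4038947095 [ HASH SA No ID ID ]
Fri, 2019-08-16 14:48 12[IKE] <officeVPN|1> CHILD_SA officeVPN{1} established with SPIs cddb140c_i 0a1b2c3d_o and TS 10.0.0.3/32[udp/l2f] === 192.168.50.0/24[udp/l2f]
"""

# "<timestamp> <thread>[<group>] [<ike-sa context>] <message>"
LINE_RE = re.compile(r"^(?P<ts>.*?) (?P<thread>\d{2})\[(?P<grp>[A-Z]+)\] (?:<(?P<sa>[^>]+)> )?(?P<msg>.*)$")
IKE_UP_RE = re.compile(r"IKE_SA \S+\[\d+\] established")
CHILD_UP_RE = re.compile(r"CHILD_SA \S+\{\d+\} established")
QM_REQ_RE = re.compile(r"generating QUICK_MODE request (\d+)")
QM_RESP_RE = re.compile(r"parsed QUICK_MODE response (\d+)")
RETRANS_RE = re.compile(r"sending retransmit (\d+) of request message ID (\d+)")
TS_RE = re.compile(r"^\S+(?:\[[^\]]*\])?$")   # a traffic selector line, e.g. 10.0.0.3/32[udp/l2f]


@dataclass
class QuickModeReport:
    ike_established: bool = False
    child_established: bool = False
    qm_requests: Dict[str, int] = field(default_factory=dict)   # message ID -> retransmits seen
    qm_answered: Set[str] = field(default_factory=set)
    ts_local: List[str] = field(default_factory=list)
    ts_remote: List[str] = field(default_factory=list)

    def unanswered(self) -> List[str]:
        return [m for m in self.qm_requests if m not in self.qm_answered]

    def verdict(self) -> str:
        if not self.ike_established:
            return "phase1-incomplete"
        if self.child_established:
            return "ok"
        if self.unanswered():
            return "quick-mode-unanswered"
        return "no-quick-mode-attempted"


def analyse(log_text: str) -> QuickModeReport:
    rep = QuickModeReport()
    ts_target = None   # list currently collecting selector lines, if any
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue   # e.g. "tail: ... file truncated"
        msg = m.group("msg").strip()
        if ts_target is not None and TS_RE.match(msg):
            ts_target.append(msg)
            continue
        ts_target = None
        if msg == "proposing traffic selectors for us:":
            ts_target = rep.ts_local
        elif msg == "proposing traffic selectors for other:":
            ts_target = rep.ts_remote
        elif IKE_UP_RE.search(msg):
            rep.ike_established = True
        elif CHILD_UP_RE.search(msg):
            rep.child_established = True
        elif QM_REQ_RE.search(msg):
            rep.qm_requests.setdefault(QM_REQ_RE.search(msg).group(1), 0)
        elif QM_RESP_RE.search(msg):
            rep.qm_answered.add(QM_RESP_RE.search(msg).group(1))
        elif RETRANS_RE.search(msg):
            n, mid = RETRANS_RE.search(msg).groups()
            if mid in rep.qm_requests:   # only count retransmits of Quick Mode requests
                rep.qm_requests[mid] = max(rep.qm_requests[mid], int(n))
    return rep


def explain(rep: QuickModeReport) -> str:
    v = rep.verdict()
    if v == "quick-mode-unanswered":
        mid = rep.unanswered()[0]
        return (f"IKE_SA is up but Quick Mode request {mid} was retransmitted {rep.qm_requests[mid]} "
                f"time(s) with no response: the peer is not answering phase 2 (silent rejection or "
                f"packet loss). Proposed TS {rep.ts_local} === {rep.ts_remote}; compare these and the "
                f"esp= proposal with the gateway's phase-2 policy, and read the gateway's own log, "
                f"since a silent drop is only explained there.")
    return {"ok": "IKE_SA and CHILD_SA established.",
            "phase1-incomplete": "IKE_SA never reached ESTABLISHED; look at phase 1 first.",
            "no-quick-mode-attempted": "IKE_SA up but no Quick Mode request was generated."}[v]


if __name__ == "__main__":
    for name, text in (("stuck", STUCK_LOG), ("healthy", HEALTHY_LOG)):
        print(name, "->", explain(analyse(text)))
```

Run it against the real file with analyse(open("/var/log/charon_debug.log").read()); the verdict only tells you where to look next, not why the gateway stays silent, which is what makes the responder's log the decisive piece of evidence.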
________________________________
From: Tobias Brunner <tobias at strongswan.org>
Sent: 16 August 2019 14:42
To: Stephen Feyrer <stephen.feyrer at greensill.com>; strongSwan Users-Mailinglist <users at lists.strongswan.org>
Subject: Re: [strongSwan] Connecting but not connected


Hi Stephen,

> Here are the details in full:

That first log you posted is useless.  It's not the daemon's log (you
configured logging to a separate file yourself in strongswan.conf).

Your problem now is the `authby` setting.  Since the peer wants to do
XAuth you have to set it to `xauthpsk` (which is very unsafe with
aggressive mode [1]).

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Aggressive-Mode
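An added illustration of why the FAQ calls aggressive mode with a PSK unsafe (this is not from Tobias's reply, the FAQ, or strongSwan's code). The trace above shows the responder's HASH payload arriving unencrypted in the second aggressive-mode message ("parsed AGGRESSIVE response 0 [ SA KE No ID HASH ... ]"). Per RFC 2409 section 5, HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b) with SKEYID = prf(psk, Ni_b | Nr_b), and every input except the PSK is also on the wire, so a passive observer can test PSK guesses offline. The simulation below uses random placeholders instead of real Diffie-Hellman, a simplified stand-in for the SA body and ID framing, and a constructed wordlist; the PRF is HMAC-SHA1 because that is the proposal selected in the log.

```python
"""Why aggressive mode + PSK is weak: HASH_R (RFC 2409 section 5) is sent in the clear."""
import hashlib
import hmac
import os
import socket
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed wordlist for the demonstration.
CONSTRUCTED_WORDLIST = [b"password", b"office", b"Summer2019", b"officeVPN", b"Welcome1"]


def prf_hmac_sha1(key: bytes, data: bytes) -> bytes:
    # PRF_HMAC_SHA1, the PRF in the "selected proposal" line of this thread's log.
    return hmac.new(key, data, hashlib.sha1).digest()


@dataclass(frozen=True)
class AggressiveMsg2:
    """What a passive observer holds after aggressive-mode messages 1 and 2.
    Every field crosses the wire unencrypted; only the PSK is secret."""
    ni: bytes       # initiator nonce (message 1)
    nr: bytes       # responder nonce (message 2)
    g_xi: bytes     # initiator DH public value
    g_xr: bytes     # responder DH public value
    cky_i: bytes    # initiator cookie (the _i SPI in 'ipsec statusall')
    cky_r: bytes    # responder cookie (the _r SPI)
    sai_b: bytes    # body of the initiator's SA payload
    idir_b: bytes   # body of the responder's ID payload
    hash_r: bytes   # HASH_R as sent in message 2


def compute_hash_r(psk: bytes, m: AggressiveMsg2) -> bytes:
    """SKEYID = prf(psk, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)"""
    skeyid = prf_hmac_sha1(psk, m.ni + m.nr)
    return prf_hmac_sha1(skeyid, m.g_xr + m.g_xi + m.cky_r + m.cky_i + m.sai_b + m.idir_b)


def responder_message_2(psk: bytes, responder_ip: str) -> AggressiveMsg2:
    """Simulated gateway building message 2. No real Diffie-Hellman is done: the public
    values are random placeholders, since the attack never needs the shared secret g^xy.
    SAi_b and the ID framing are simplified stand-ins, not byte-exact ISAKMP payloads."""
    ni, nr = os.urandom(32), os.urandom(32)
    g_xi, g_xr = os.urandom(256), os.urandom(256)          # MODP_2048 values are 256 bytes
    cky_i, cky_r = os.urandom(8), os.urandom(8)
    sai_b = bytes.fromhex("0000000100000001")                # constructed stand-in for SAi_b
    idir_b = bytes([1, 0, 0, 0]) + socket.inet_aton(responder_ip)   # ID_IPV4_ADDR (type 1)
    unsigned = AggressiveMsg2(ni, nr, g_xi, g_xr, cky_i, cky_r, sai_b, idir_b, b"")
    return AggressiveMsg2(ni, nr, g_xi, g_xr, cky_i, cky_r, sai_b, idir_b,
                          compute_hash_r(psk, unsigned))


def crack_psk(m: AggressiveMsg2, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack from a passive capture: nothing is sent to the gateway,
    no lockout applies, and each guess costs two HMAC-SHA1 computations. In main mode
    HASH_R only travels inside the encrypted sixth message, so an observer has no value
    to compare guesses against."""
    for cand in candidates:
        if hmac.compare_digest(compute_hash_r(cand, m), m.hash_r):
            return cand
    return None


if __name__ == "__main__":
    # rightid from the thread's config is used as the responder ID; the PSK is made up.
    captured = responder_message_2(b"Summer2019", "196.198.128.64")
    print("recovered PSK:", crack_psk(captured, CONSTRUCTED_WORDLIST))
    # Once the group PSK is known, an active attacker can also pose as the gateway and
    # collect the XAuth username and password the client sends inside the IKE_SA.
```

The point of the simulation is the asymmetry: the defender's phase 1 is fully public except for one low-entropy secret, and the attacker's work is a keyed hash per guess with no interaction. That is why the advice is main mode (or IKEv2) rather than a longer PSK alone.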

