[strongSwan] Connecting but not connected

Stephen Feyrer stephen.feyrer at greensill.com
Mon Aug 19 13:10:20 CEST 2019


Hi Tobias,

This looks to me like it has worked but I may be wrong.  Is there a quick test to prove success?

For example should 'ip address' offer a 'PPP' interface or something like that?

I am including logs and all just in case there's a gotcha that you may spot that I am missing.

Otherwise, this looks great.  Thank you so much!


conn officeVPN
    aggressive=yes
    keyexchange=ikev1
    type=tunnel
    authby=xauthpsk
    ike=aes128-sha1-modp2048
    esp=aes128-sha1-modp2048
    left=%defaultroute
    leftsourceip=%config
    modeconfig=pull
    right=50.45.0.51
    rightsubnet=0.0.0.0/0
    rightid=196.198.128.64
    rightfirewall=yes
    auto=add
    xauth_identity=user

$ sudo ipsec up officeVPN
initiating Aggressive Mode IKE_SA officeVPN[1] to 50.45.0.51
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 10.0.0.3[500] to 50.45.0.51[500] (548 bytes)
received packet: from 50.45.0.51[500] to 10.0.0.3[500] (564 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: <SANITISED VALUE>
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
local host is behind NAT, sending keep alives
remote host is behind NAT
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (108 bytes)
received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (76 bytes)
parsed TRANSACTION request 3261202525 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 3261202525 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (92 bytes)
received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (76 bytes)
parsed TRANSACTION request 2319880084 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'user' (myself) successful
IKE_SA officeVPN[1] established between 10.0.0.3[10.0.0.3]...50.45.0.51[196.198.128.64]
scheduling reauthentication in 9856s
maximum IKE_SA lifetime 10396s
generating TRANSACTION response 2319880084 [ HASH CPA(X_STATUS) ]
sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (76 bytes)
generating TRANSACTION request 983160742 [ HASH CPRQ(ADDR DNS) ]
sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (76 bytes)
received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (92 bytes)
parsed TRANSACTION response 983160742 [ HASH CPRP(ADDR DNS) ]
installing DNS server 8.8.8.8 to /etc/resolv.conf
installing new virtual IP 196.198.128.13
generating QUICK_MODE request 632209231 [ HASH SA No KE ID ID ]
sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (444 bytes)
received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (428 bytes)
parsed QUICK_MODE response 632209231 [ HASH SA No KE ID ID ]
CHILD_SA officeVPN{1} established with SPIs <SANITISED VALUE>_i <SANITISED VALUE>_o and TS 196.198.128.13/32 === 0.0.0.0/0
connection 'officeVPN' established successfully

$ sudo ipsec statusall
Status of IKE charon daemon (weakSwan 5.6.2, Linux 5.0.0-23-generic, x86_64):
  uptime: 78 seconds, since Aug 19 11:29:38 2019
  malloc: sbrk 2703360, mmap 0, used 628656, free 2074704
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke vici updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  10.0.0.3
Connections:
officeVPN:  %any...50.45.0.51  IKEv1 Aggressive
officeVPN:   local:  [10.0.0.3] uses pre-shared key authentication
officeVPN:   local:  uses XAuth authentication: any with XAuth identity 'user'
officeVPN:   remote: [196.198.128.64] uses pre-shared key authentication
officeVPN:   child:  dynamic === 0.0.0.0/0 TUNNEL
Security Associations (1 up, 0 connecting):
officeVPN[1]: ESTABLISHED 62 seconds ago, 10.0.0.3[10.0.0.3]...50.45.0.51[196.198.128.64]
officeVPN[1]: IKEv1 SPIs: <SANITISED VALUE>_i* <SANITISED VALUE>_r, pre-shared key+XAuth reauthentication in 2 hours
officeVPN[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
officeVPN{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: <SANITISED VALUE>_i <SANITISED VALUE>_o
officeVPN{1}:  AES_CBC_128/HMAC_SHA1_96/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
officeVPN{1}:   196.198.128.13/32 === 0.0.0.0/0

log:
Mon, 2019-08-19 11:47 00[DMN] signal of type SIGINT received. Shutting down
Mon, 2019-08-19 11:47 00[IKE] <officeVPN|1> queueing ISAKMP_DELETE task
Mon, 2019-08-19 11:47 00[IKE] <officeVPN|1> activating new tasks
Mon, 2019-08-19 11:47 00[IKE] <officeVPN|1>   activating ISAKMP_DELETE task
Mon, 2019-08-19 11:47 00[IKE] <officeVPN|1> deleting IKE_SA officeVPN[1] between 10.0.0.3[10.0.0.3]...50.45.0.51[196.198.128.64]
Mon, 2019-08-19 11:47 00[IKE] <officeVPN|1> sending DELETE for IKE_SA officeVPN[1]
Mon, 2019-08-19 11:47 00[IKE] <officeVPN|1> IKE_SA officeVPN[1] state change: ESTABLISHED => DELETING
Mon, 2019-08-19 11:47 00[ENC] <officeVPN|1> generating INFORMATIONAL_V1 request 2909961901 [ HASH D ]
Mon, 2019-08-19 11:47 00[NET] <officeVPN|1> sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (92 bytes)
Mon, 2019-08-19 11:47 00[IKE] <officeVPN|1> IKE_SA officeVPN[1] state change: DELETING => DESTROYING
Mon, 2019-08-19 11:47 00[IKE] <officeVPN|1> removing DNS server 8.8.8.8 from /etc/resolv.conf
Mon, 2019-08-19 11:47 00[KNL] <officeVPN|1> deleting virtual IP 196.198.128.13
tail: /var/log/charon_debug.log: file truncated
Mon, 2019-08-19 11:47 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 5.0.0-23-generic, x86_64)
Mon, 2019-08-19 11:47 00[LIB] plugin 'aesni': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'aes': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'rc2': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'sha2': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'sha1': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'md4': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'md5': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'mgf1': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'random': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'nonce': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'x509': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'revocation': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'constraints': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'pubkey': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'pkcs1': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'pkcs7': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'pkcs8': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'pkcs12': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'pgp': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'dnskey': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'sshkey': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'pem': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'openssl': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'fips-prf': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'gmp': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'agent': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'xcbc': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'hmac': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'gcm': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'attr': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'kernel-netlink': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'resolve': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'socket-default': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'connmark': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'stroke': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'vici': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'updown': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'eap-mschapv2': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'xauth-generic': loaded successfully
Mon, 2019-08-19 11:47 00[LIB] plugin 'counters': loaded successfully
Mon, 2019-08-19 11:47 00[KNL] known interfaces and IP addresses:
Mon, 2019-08-19 11:47 00[KNL]   lo
Mon, 2019-08-19 11:47 00[KNL]     127.0.0.1
Mon, 2019-08-19 11:47 00[KNL]     ::1
Mon, 2019-08-19 11:47 00[KNL]   enp4s0
Mon, 2019-08-19 11:47 00[KNL]   wlp2s0
Mon, 2019-08-19 11:47 00[KNL]     10.0.0.3
Mon, 2019-08-19 11:47 00[KNL]     <SANITISED VALUE>
Mon, 2019-08-19 11:47 00[LIB] feature PUBKEY:ED25519 in plugin 'pem' has unmet dependency: PUBKEY:ED25519
Mon, 2019-08-19 11:47 00[LIB] feature PUBKEY:BLISS in plugin 'pem' has unmet dependency: PUBKEY:BLISS
Mon, 2019-08-19 11:47 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
Mon, 2019-08-19 11:47 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA
Mon, 2019-08-19 11:47 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has unmet dependency: PRIVKEY:BLISS
Mon, 2019-08-19 11:47 00[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST
Mon, 2019-08-19 11:47 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_224 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224
Mon, 2019-08-19 11:47 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_256 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256
Mon, 2019-08-19 11:47 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_384 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384
Mon, 2019-08-19 11:47 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_512 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_512
Mon, 2019-08-19 11:47 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_224 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224
Mon, 2019-08-19 11:47 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_256 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256
Mon, 2019-08-19 11:47 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_384 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384
Mon, 2019-08-19 11:47 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_512 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_512
Mon, 2019-08-19 11:47 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mon, 2019-08-19 11:47 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mon, 2019-08-19 11:47 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mon, 2019-08-19 11:47 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mon, 2019-08-19 11:47 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mon, 2019-08-19 11:47 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mon, 2019-08-19 11:47 00[CFG]   loaded IKE secret for 50.45.0.51 %any
Mon, 2019-08-19 11:47 00[CFG]   loaded EAP secret for user %any
Mon, 2019-08-19 11:47 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-ee18db9c-522d-4da5-8a69-d3dcb8d23097.secrets'
Mon, 2019-08-19 11:47 00[CFG]   loaded IKE secret for 50.45.0.51
Mon, 2019-08-19 11:47 00[LIB] unloading plugin 'aesni' without loaded features
Mon, 2019-08-19 11:47 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke vici updown eap-mschapv2 xauth-generic counters
Mon, 2019-08-19 11:47 00[LIB] unable to load 14 plugin features (14 due to unmet dependencies)
Mon, 2019-08-19 11:47 00[LIB] dropped capabilities, running as uid 0, gid 0
Mon, 2019-08-19 11:47 00[JOB] spawning 16 worker threads
Mon, 2019-08-19 11:47 01[LIB] created thread 01 [9477]
Mon, 2019-08-19 11:47 02[LIB] created thread 02 [9476]
Mon, 2019-08-19 11:47 03[LIB] created thread 03 [9478]
Mon, 2019-08-19 11:47 04[LIB] created thread 04 [9479]
Mon, 2019-08-19 11:47 05[LIB] created thread 05 [9480]
Mon, 2019-08-19 11:47 06[LIB] created thread 06 [9481]
Mon, 2019-08-19 11:47 07[LIB] created thread 07 [9482]
Mon, 2019-08-19 11:47 08[LIB] created thread 08 [9483]
Mon, 2019-08-19 11:47 09[LIB] created thread 09 [9485]
Mon, 2019-08-19 11:47 10[LIB] created thread 10 [9484]
Mon, 2019-08-19 11:47 11[LIB] created thread 11 [9486]
Mon, 2019-08-19 11:47 12[LIB] created thread 12 [9487]
Mon, 2019-08-19 11:47 13[LIB] created thread 13 [9488]
Mon, 2019-08-19 11:47 14[LIB] created thread 14 [9490]
Mon, 2019-08-19 11:47 15[LIB] created thread 15 [9491]
Mon, 2019-08-19 11:47 16[LIB] created thread 16 [9489]
Mon, 2019-08-19 11:47 06[CFG] received stroke: add connection 'officeVPN'
Mon, 2019-08-19 11:47 06[CFG] conn officeVPN
Mon, 2019-08-19 11:47 06[CFG]   left=%any
Mon, 2019-08-19 11:47 06[CFG]   leftsourceip=%config
Mon, 2019-08-19 11:47 06[CFG]   leftauth=psk
Mon, 2019-08-19 11:47 06[CFG]   leftauth2=xauth
Mon, 2019-08-19 11:47 06[CFG]   right=50.45.0.51
Mon, 2019-08-19 11:47 06[CFG]   rightsubnet=0.0.0.0/0
Mon, 2019-08-19 11:47 06[CFG]   rightauth=psk
Mon, 2019-08-19 11:47 06[CFG]   rightid=196.198.128.64
Mon, 2019-08-19 11:47 06[CFG]   rightupdown=ipsec _updown iptables
Mon, 2019-08-19 11:47 06[CFG]   xauth_identity=user
Mon, 2019-08-19 11:47 06[CFG]   ike=aes128-sha1-modp2048
Mon, 2019-08-19 11:47 06[CFG]   esp=aes128-sha1-modp2048
Mon, 2019-08-19 11:47 06[CFG]   dpddelay=30
Mon, 2019-08-19 11:47 06[CFG]   dpdtimeout=150
Mon, 2019-08-19 11:47 06[CFG]   sha256_96=no
Mon, 2019-08-19 11:47 06[CFG]   mediation=no
Mon, 2019-08-19 11:47 06[CFG]   keyexchange=ikev1
Mon, 2019-08-19 11:47 06[KNL] 50.45.0.51 is not a local address or the interface is down
Mon, 2019-08-19 11:47 06[CFG] added configuration 'officeVPN'
Mon, 2019-08-19 11:47 07[CFG] received stroke: initiate 'officeVPN'
Mon, 2019-08-19 11:47 09[KNL] <officeVPN|1> using 10.0.0.3 as address to reach 50.45.0.51/32
Mon, 2019-08-19 11:47 09[IKE] <officeVPN|1> queueing ISAKMP_VENDOR task
Mon, 2019-08-19 11:47 09[IKE] <officeVPN|1> queueing ISAKMP_CERT_PRE task
Mon, 2019-08-19 11:47 09[IKE] <officeVPN|1> queueing AGGRESSIVE_MODE task
Mon, 2019-08-19 11:47 09[IKE] <officeVPN|1> queueing ISAKMP_CERT_POST task
Mon, 2019-08-19 11:47 09[IKE] <officeVPN|1> queueing ISAKMP_NATD task
Mon, 2019-08-19 11:47 09[IKE] <officeVPN|1> queueing QUICK_MODE task
Mon, 2019-08-19 11:47 09[IKE] <officeVPN|1> activating new tasks
Mon, 2019-08-19 11:47 09[IKE] <officeVPN|1>   activating ISAKMP_VENDOR task
Mon, 2019-08-19 11:47 09[IKE] <officeVPN|1>   activating ISAKMP_CERT_PRE task
Mon, 2019-08-19 11:47 09[IKE] <officeVPN|1>   activating AGGRESSIVE_MODE task
Mon, 2019-08-19 11:47 09[IKE] <officeVPN|1>   activating ISAKMP_CERT_POST task
Mon, 2019-08-19 11:47 09[IKE] <officeVPN|1>   activating ISAKMP_NATD task
Mon, 2019-08-19 11:47 09[IKE] <officeVPN|1> sending XAuth vendor ID
Mon, 2019-08-19 11:47 09[IKE] <officeVPN|1> sending DPD vendor ID
Mon, 2019-08-19 11:47 09[IKE] <officeVPN|1> sending FRAGMENTATION vendor ID
Mon, 2019-08-19 11:47 09[IKE] <officeVPN|1> sending NAT-T (RFC 3947) vendor ID
Mon, 2019-08-19 11:47 09[IKE] <officeVPN|1> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mon, 2019-08-19 11:47 09[IKE] <officeVPN|1> initiating Aggressive Mode IKE_SA officeVPN[1] to 50.45.0.51
Mon, 2019-08-19 11:47 09[IKE] <officeVPN|1> IKE_SA officeVPN[1] state change: CREATED => CONNECTING
Mon, 2019-08-19 11:47 09[CFG] <officeVPN|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Mon, 2019-08-19 11:47 09[LIB] <officeVPN|1> size of DH secret exponent: 2047 bits
Mon, 2019-08-19 11:47 09[ENC] <officeVPN|1> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Mon, 2019-08-19 11:47 09[NET] <officeVPN|1> sending packet: from 10.0.0.3[500] to 50.45.0.51[500] (548 bytes)
Mon, 2019-08-19 11:47 10[NET] <officeVPN|1> received packet: from 50.45.0.51[500] to 10.0.0.3[500] (564 bytes)
Mon, 2019-08-19 11:47 10[ENC] <officeVPN|1> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
Mon, 2019-08-19 11:47 10[IKE] <officeVPN|1> received NAT-T (RFC 3947) vendor ID
Mon, 2019-08-19 11:47 10[IKE] <officeVPN|1> received DPD vendor ID
Mon, 2019-08-19 11:47 10[IKE] <officeVPN|1> received XAuth vendor ID
Mon, 2019-08-19 11:47 10[ENC] <officeVPN|1> received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
Mon, 2019-08-19 11:47 10[IKE] <officeVPN|1> received FRAGMENTATION vendor ID
Mon, 2019-08-19 11:47 10[IKE] <officeVPN|1> received FRAGMENTATION vendor ID
Mon, 2019-08-19 11:47 10[CFG] <officeVPN|1> selecting proposal:
Mon, 2019-08-19 11:47 10[CFG] <officeVPN|1>   proposal matches
Mon, 2019-08-19 11:47 10[CFG] <officeVPN|1> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Mon, 2019-08-19 11:47 10[CFG] <officeVPN|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Mon, 2019-08-19 11:47 10[CFG] <officeVPN|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Mon, 2019-08-19 11:47 10[IKE] <officeVPN|1> local host is behind NAT, sending keep alives
Mon, 2019-08-19 11:47 10[IKE] <officeVPN|1> remote host is behind NAT
Mon, 2019-08-19 11:47 10[IKE] <officeVPN|1> reinitiating already active tasks
Mon, 2019-08-19 11:47 10[IKE] <officeVPN|1>   ISAKMP_VENDOR task
Mon, 2019-08-19 11:47 10[IKE] <officeVPN|1>   AGGRESSIVE_MODE task
Mon, 2019-08-19 11:47 10[IKE] <officeVPN|1> queueing MODE_CONFIG task
Mon, 2019-08-19 11:47 10[ENC] <officeVPN|1> generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
Mon, 2019-08-19 11:47 10[NET] <officeVPN|1> sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (108 bytes)
Mon, 2019-08-19 11:47 10[IKE] <officeVPN|1> activating new tasks
Mon, 2019-08-19 11:47 10[IKE] <officeVPN|1> nothing to initiate
Mon, 2019-08-19 11:47 11[NET] <officeVPN|1> received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (76 bytes)
Mon, 2019-08-19 11:47 11[ENC] <officeVPN|1> parsed TRANSACTION request 996773552 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
Mon, 2019-08-19 11:47 11[ENC] <officeVPN|1> generating TRANSACTION response 996773552 [ HASH CPRP(X_USER X_PWD) ]
Mon, 2019-08-19 11:47 11[NET] <officeVPN|1> sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (92 bytes)
Mon, 2019-08-19 11:47 12[NET] <officeVPN|1> received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (76 bytes)
Mon, 2019-08-19 11:47 12[ENC] <officeVPN|1> parsed TRANSACTION request 3040671394 [ HASH CPS(X_STATUS) ]
Mon, 2019-08-19 11:47 12[IKE] <officeVPN|1> XAuth authentication of 'user' (myself) successful
Mon, 2019-08-19 11:47 12[IKE] <officeVPN|1> IKE_SA officeVPN[1] established between 10.0.0.3[10.0.0.3]...50.45.0.51[196.198.128.64]
Mon, 2019-08-19 11:47 12[IKE] <officeVPN|1> IKE_SA officeVPN[1] state change: CONNECTING => ESTABLISHED
Mon, 2019-08-19 11:47 12[IKE] <officeVPN|1> scheduling reauthentication in 9738s
Mon, 2019-08-19 11:47 12[IKE] <officeVPN|1> maximum IKE_SA lifetime 10278s
Mon, 2019-08-19 11:47 12[ENC] <officeVPN|1> generating TRANSACTION response 3040671394 [ HASH CPA(X_STATUS) ]
Mon, 2019-08-19 11:47 12[NET] <officeVPN|1> sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (76 bytes)
Mon, 2019-08-19 11:47 12[IKE] <officeVPN|1> activating new tasks
Mon, 2019-08-19 11:47 12[IKE] <officeVPN|1>   activating MODE_CONFIG task
Mon, 2019-08-19 11:47 12[ENC] <officeVPN|1> generating TRANSACTION request 2282080261 [ HASH CPRQ(ADDR DNS) ]
Mon, 2019-08-19 11:47 12[NET] <officeVPN|1> sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (76 bytes)
Mon, 2019-08-19 11:47 13[NET] <officeVPN|1> received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (92 bytes)
Mon, 2019-08-19 11:47 13[ENC] <officeVPN|1> parsed TRANSACTION response 2282080261 [ HASH CPRP(ADDR DNS) ]
Mon, 2019-08-19 11:47 13[IKE] <officeVPN|1> processing INTERNAL_IP4_ADDRESS attribute
Mon, 2019-08-19 11:47 13[IKE] <officeVPN|1> processing INTERNAL_IP4_DNS attribute
Mon, 2019-08-19 11:47 13[IKE] <officeVPN|1> installing DNS server 8.8.8.8 to /etc/resolv.conf
Mon, 2019-08-19 11:47 13[KNL] <officeVPN|1> 10.0.0.3 is on interface wlp2s0
Mon, 2019-08-19 11:47 13[IKE] <officeVPN|1> installing new virtual IP 196.198.128.13
Mon, 2019-08-19 11:47 13[KNL] <officeVPN|1> virtual IP 196.198.128.13 installed on wlp2s0
Mon, 2019-08-19 11:47 13[IKE] <officeVPN|1> activating new tasks
Mon, 2019-08-19 11:47 13[IKE] <officeVPN|1>   activating QUICK_MODE task
Mon, 2019-08-19 11:47 13[CFG] <officeVPN|1> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Mon, 2019-08-19 11:47 13[KNL] <officeVPN|1> got SPI c6b3f079
Mon, 2019-08-19 11:47 13[CFG] <officeVPN|1> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Mon, 2019-08-19 11:47 13[LIB] <officeVPN|1> size of DH secret exponent: 2047 bits
Mon, 2019-08-19 11:47 13[CFG] <officeVPN|1> proposing traffic selectors for us:
Mon, 2019-08-19 11:47 13[CFG] <officeVPN|1>  196.198.128.13/32
Mon, 2019-08-19 11:47 13[CFG] <officeVPN|1> proposing traffic selectors for other:
Mon, 2019-08-19 11:47 13[CFG] <officeVPN|1>  0.0.0.0/0
Mon, 2019-08-19 11:47 13[ENC] <officeVPN|1> generating QUICK_MODE request 2371115108 [ HASH SA No KE ID ID ]
Mon, 2019-08-19 11:47 13[NET] <officeVPN|1> sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (444 bytes)
Mon, 2019-08-19 11:47 05[NET] <officeVPN|1> received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (428 bytes)
Mon, 2019-08-19 11:47 05[ENC] <officeVPN|1> parsed QUICK_MODE response 2371115108 [ HASH SA No KE ID ID ]
Mon, 2019-08-19 11:47 05[CFG] <officeVPN|1> selecting proposal:
Mon, 2019-08-19 11:47 05[CFG] <officeVPN|1>   proposal matches
Mon, 2019-08-19 11:47 05[CFG] <officeVPN|1> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
Mon, 2019-08-19 11:47 05[CFG] <officeVPN|1> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Mon, 2019-08-19 11:47 05[CFG] <officeVPN|1> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
Mon, 2019-08-19 11:47 05[CHD] <officeVPN|1> CHILD_SA officeVPN{1} state change: CREATED => INSTALLING
Mon, 2019-08-19 11:47 05[CHD] <officeVPN|1>   using AES_CBC for encryption
Mon, 2019-08-19 11:47 05[CHD] <officeVPN|1>   using HMAC_SHA1_96 for integrity
Mon, 2019-08-19 11:47 05[CHD] <officeVPN|1> adding inbound ESP SA
Mon, 2019-08-19 11:47 05[CHD] <officeVPN|1>   SPI 0xc6b3f079, src 50.45.0.51 dst 10.0.0.3
Mon, 2019-08-19 11:47 05[KNL] <officeVPN|1> adding SAD entry with SPI c6b3f079 and reqid {1}
Mon, 2019-08-19 11:47 05[KNL] <officeVPN|1>   using encryption algorithm AES_CBC with key size 128
Mon, 2019-08-19 11:47 05[KNL] <officeVPN|1>   using integrity algorithm HMAC_SHA1_96 with key size 160
Mon, 2019-08-19 11:47 05[KNL] <officeVPN|1>   using replay window of 32 packets
Mon, 2019-08-19 11:47 05[CHD] <officeVPN|1> adding outbound ESP SA
Mon, 2019-08-19 11:47 05[CHD] <officeVPN|1>   SPI 0x9e604960, src 10.0.0.3 dst 50.45.0.51
Mon, 2019-08-19 11:47 05[KNL] <officeVPN|1> adding SAD entry with SPI 9e604960 and reqid {1}
Mon, 2019-08-19 11:47 05[KNL] <officeVPN|1>   using encryption algorithm AES_CBC with key size 128
Mon, 2019-08-19 11:47 05[KNL] <officeVPN|1>   using integrity algorithm HMAC_SHA1_96 with key size 160
Mon, 2019-08-19 11:47 05[KNL] <officeVPN|1>   using replay window of 0 packets
Mon, 2019-08-19 11:47 05[KNL] <officeVPN|1> adding policy 0.0.0.0/0 === 196.198.128.13/32 in [priority 383615, refcount 1]
Mon, 2019-08-19 11:47 05[KNL] <officeVPN|1> adding policy 0.0.0.0/0 === 196.198.128.13/32 fwd [priority 383615, refcount 1]
Mon, 2019-08-19 11:47 05[KNL] <officeVPN|1> adding policy 196.198.128.13/32 === 0.0.0.0/0 out [priority 383615, refcount 1]
Mon, 2019-08-19 11:47 05[KNL] <officeVPN|1> getting a local address in traffic selector 196.198.128.13/32
Mon, 2019-08-19 11:47 05[KNL] <officeVPN|1> using host 196.198.128.13
Mon, 2019-08-19 11:47 05[KNL] <officeVPN|1> getting iface name for index 3
Mon, 2019-08-19 11:47 05[KNL] <officeVPN|1> using 10.0.0.1 as nexthop and wlp2s0 as dev to reach 50.45.0.51/32
Mon, 2019-08-19 11:47 05[KNL] <officeVPN|1> installing route: 0.0.0.0/0 via 10.0.0.1 src 196.198.128.13 dev wlp2s0
Mon, 2019-08-19 11:47 05[KNL] <officeVPN|1> getting iface index for wlp2s0
Mon, 2019-08-19 11:47 05[IKE] <officeVPN|1> CHILD_SA officeVPN{1} established with SPIs c6b3f079_i 9e604960_o and TS 196.198.128.13/32 === 0.0.0.0/0
Mon, 2019-08-19 11:47 05[CHD] <officeVPN|1> CHILD_SA officeVPN{1} state change: INSTALLING => INSTALLED
Mon, 2019-08-19 11:47 05[IKE] <officeVPN|1> reinitiating already active tasks
Mon, 2019-08-19 11:47 05[IKE] <officeVPN|1>   QUICK_MODE task
Mon, 2019-08-19 11:47 05[ENC] <officeVPN|1> generating QUICK_MODE request 2371115108 [ HASH ]
Mon, 2019-08-19 11:47 05[NET] <officeVPN|1> sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (60 bytes)
Mon, 2019-08-19 11:47 05[IKE] <officeVPN|1> activating new tasks
Mon, 2019-08-19 11:47 05[IKE] <officeVPN|1> nothing to initiate
Mon, 2019-08-19 11:49 07[NET] <officeVPN|1> received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (92 bytes)
Mon, 2019-08-19 11:49 07[ENC] <officeVPN|1> parsed INFORMATIONAL_V1 request 3449164663 [ HASH N(DPD) ]
Mon, 2019-08-19 11:49 07[IKE] <officeVPN|1> queueing ISAKMP_DPD task
Mon, 2019-08-19 11:49 07[IKE] <officeVPN|1> activating new tasks
Mon, 2019-08-19 11:49 07[IKE] <officeVPN|1>   activating ISAKMP_DPD task
Mon, 2019-08-19 11:49 07[ENC] <officeVPN|1> generating INFORMATIONAL_V1 request 1814674566 [ HASH N(DPD_ACK) ]
Mon, 2019-08-19 11:49 07[NET] <officeVPN|1> sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (92 bytes)
Mon, 2019-08-19 11:49 07[IKE] <officeVPN|1> activating new tasks
Mon, 2019-08-19 11:49 07[IKE] <officeVPN|1> nothing to initiate
Mon, 2019-08-19 11:50 09[NET] <officeVPN|1> received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (92 bytes)
Mon, 2019-08-19 11:50 09[ENC] <officeVPN|1> parsed INFORMATIONAL_V1 request 1546570273 [ HASH N(DPD) ]
Mon, 2019-08-19 11:50 09[IKE] <officeVPN|1> queueing ISAKMP_DPD task
Mon, 2019-08-19 11:50 09[IKE] <officeVPN|1> activating new tasks
Mon, 2019-08-19 11:50 09[IKE] <officeVPN|1>   activating ISAKMP_DPD task
Mon, 2019-08-19 11:50 09[ENC] <officeVPN|1> generating INFORMATIONAL_V1 request 4044055820 [ HASH N(DPD_ACK) ]
Mon, 2019-08-19 11:50 09[NET] <officeVPN|1> sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (92 bytes)
Mon, 2019-08-19 11:50 09[IKE] <officeVPN|1> activating new tasks


--
Kind regards

Stephen Feyrer
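A quick way to answer the "is it really up?" question, as an added example that is not part of this thread: with a plain IPsec tunnel there is no PPP interface to look for; the virtual IP lands on the existing interface and the proof is that the CHILD_SA byte counters (0 bytes_i, 0 bytes_o in the status above) move once traffic is sent. It assumes the names from the logs above (officeVPN, 196.198.128.13, wlp2s0); PROBE_HOST is a placeholder for an internal office host that answers ping.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a strongSwan
# IKEv1 XAuth/PSK road-warrior tunnel such as officeVPN.
# Assumptions (from the logs in the mail): conn name officeVPN, virtual IP
# 196.198.128.13 installed on wlp2s0. PROBE_HOST is a placeholder for a
# host inside the office network that answers ICMP.
CONN=${CONN:-officeVPN}
VIP=${VIP:-196.198.128.13}
IFACE=${IFACE:-wlp2s0}
PROBE_HOST=${PROBE_HOST:-192.0.2.10}   # placeholder, replace with a real internal host

# Constructed sample of `ipsec statusall` output, shaped like the one in the
# mail (SPIs replaced by placeholders), used to exercise the parsers offline.
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
officeVPN[1]: ESTABLISHED 62 seconds ago, 10.0.0.3[10.0.0.3]...50.45.0.51[196.198.128.64]
officeVPN{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0ffee01_i c0ffee02_o
officeVPN{1}:  AES_CBC_128/HMAC_SHA1_96/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
officeVPN{1}:   196.198.128.13/32 === 0.0.0.0/0'

# Succeeds when the status text shows an ESTABLISHED IKE_SA and an
# INSTALLED CHILD_SA for $CONN (the state the mail already reached).
tunnel_up() {
    printf '%s\n' "$1" | grep -q "^$CONN\[[0-9]*\]: ESTABLISHED" &&
    printf '%s\n' "$1" | grep -q "^$CONN{[0-9]*}: *INSTALLED"
}

# Prints "<bytes_in> <bytes_out>" for the CHILD_SA. "0 0", as in the mail,
# means the SAs exist but nothing has been sent through them yet.
tunnel_bytes() {
    printf '%s\n' "$1" |
        sed -n "s/^$CONN{[0-9]*}:.* \([0-9]*\) bytes_i, \([0-9]*\) bytes_o.*/\1 \2/p"
}

# Succeeds only when traffic has crossed the tunnel in both directions.
traffic_seen() {
    set -- $(tunnel_bytes "$1")
    [ "${1:-0}" -gt 0 ] && [ "${2:-0}" -gt 0 ]
}

# Live check, run as root on the client after `ipsec up officeVPN`.
live_check() {
    status=$(ipsec statusall)
    tunnel_up "$status" || { echo "FAIL: $CONN has no ESTABLISHED IKE_SA / INSTALLED CHILD_SA"; return 1; }

    # No PPP interface appears for a plain IPsec tunnel: the virtual IP is
    # added to the existing interface, as the KNL log line shows for wlp2s0.
    ip -4 addr show dev "$IFACE" | grep -q "inet $VIP/" ||
        { echo "FAIL: virtual IP $VIP not present on $IFACE"; return 1; }

    # Kernel view of the same thing: ESP SAs, XFRM policies and the default
    # route strongSwan installs in routing table 220 for rightsubnet=0.0.0.0/0.
    ip xfrm state | grep -q 'proto esp' || { echo "FAIL: no ESP SA in the kernel SAD"; return 1; }
    ip xfrm policy | grep -q "src $VIP/32 dst 0.0.0.0/0" ||
        echo "WARN: no outbound policy for $VIP -> 0.0.0.0/0 (check left|rightsubnet)"
    ip route show table 220 | grep -q '^default' ||
        echo "WARN: no default route in table 220; traffic may bypass the tunnel"

    # Send traffic sourced from the virtual IP, then re-read the counters.
    # bytes_o staying at 0 means packets never matched the policy; bytes_o
    # rising while bytes_i stays at 0 means the gateway is not replying.
    ping -c 3 -W 2 -I "$VIP" "$PROBE_HOST" >/dev/null 2>&1
    status=$(ipsec statusall)
    if traffic_seen "$status"; then
        echo "OK: tunnel carrying traffic (in/out bytes: $(tunnel_bytes "$status"))"
    else
        echo "FAIL: SAs up but no traffic flowing (in/out bytes: $(tunnel_bytes "$status"))"
        return 1
    fi
}

# Only touch the live system when explicitly asked; the parsers above can
# be exercised on $SAMPLE_STATUS without root or a VPN.
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

This checks the IPsec layer only: if the gateway actually expects L2TP on top of this tunnel, a ppp interface appears only once an L2TP client is started over it.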

________________________________
From: Tobias Brunner <tobias at strongswan.org>
Sent: 19 August 2019 11:16
To: Stephen Feyrer <stephen.feyrer at greensill.com>; strongSwan Users-Mailinglist <users at lists.strongswan.org>
Subject: Re: [strongSwan] Connecting but not connected


Hi Stephen,

> I
> will send updates for push and pull separately.  Sorry for all the emails...

Don't bother with `push`, it's definitely not the way to go.

The problem now is either the ESP algorithm proposals and/or the
traffic selectors (`left|rightsubnet`).  Start with
`rightsubnet=0.0.0.0/0` as that's what's usually used for roadwarriors
(if L2TP should be used you can experiment with restricting the
ports/protocols too).  If you still get a NO_PROPOSAL_CHOSEN notify try
adding `esp=aes128-sha1-modp2048` (that matches the IKE proposal,
however, if you actually have more specific information regarding the
ESP/IPsec proposal from your admin, use that).

Regards,
Tobias

