[strongSwan] Ubuntu and openswan migration to strongswan

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Feb 18 03:37:35 CET 2019


Hello,

> 7) Changed back to auto=start

Use auto=route. Auto=start is not reliable.

Looks like the other peer does not react to the Quick Mode request for the first pair of subnets.
Ask the admin of the remote peer what kind of problem it has.

> Sun, 2019-02-17 08:38 16[CFG] <2> selected peer config "Conn1"
> Sun, 2019-02-17 08:38 16[IKE] <Conn1|2> IKE_SA Conn1[2] established between 172.x.x.x[52.x.x.x]...196.y.y.y[196.y.y.y]
> Sun, 2019-02-17 08:38 16[IKE] <Conn1|2> IKE_SA Conn1[2] state change: CONNECTING => ESTABLISHED
> *Sun, 2019-02-17 08:38 16[ENC] <Conn1|2> generating ID_PROT response 0 [ ID HASH ]*
> Sun, 2019-02-17 08:38 16[NET] <Conn1|2> sending packet: from 172.x.x.x[500] to 196.y.y.y[500] (68 bytes)
> Sun, 2019-02-17 08:38 02[NET] <Conn1|2> received packet: from 196.y.y.y[500] to 172.x.x.x[500] (84 bytes)
> Sun, 2019-02-17 08:38 02[ENC] <Conn1|2> parsed INFORMATIONAL_V1 request 908762055 [ HASH N(DPD) ]
> Sun, 2019-02-17 08:38 02[IKE] <Conn1|2> queueing ISAKMP_DPD task
> Sun, 2019-02-17 08:38 02[IKE] <Conn1|2> activating new tasks
> Sun, 2019-02-17 08:38 02[IKE] <Conn1|2>   activating ISAKMP_DPD task
> Sun, 2019-02-17 08:38 02[ENC] <Conn1|2> generating INFORMATIONAL_V1 request 3433674651 [ HASH N(DPD_ACK) ]
> Sun, 2019-02-17 08:38 02[NET] <Conn1|2> sending packet: from 172.x.x.x[500] to 196.y.y.y[500] (84 bytes)
> Sun, 2019-02-17 08:38 02[IKE] <Conn1|2> activating new tasks
> Sun, 2019-02-17 08:38 02[IKE] <Conn1|2> nothing to initiate
> *Sun, 2019-02-17 08:38 07[IKE] <Conn1|1> sending retransmit 2 of request message ID 0, seq 1*
> Sun, 2019-02-17 08:38 07[NET] <Conn1|1> sending packet: from 172.x.x.x[500] to 196.y.y.y[500] (236 bytes)
> Sun, 2019-02-17 08:38 11[NET] <Conn1|2> received packet: from 196.y.y.y[500] to 172.x.x.x[500] (84 bytes)
> Sun, 2019-02-17 08:38 11[ENC] <Conn1|2> parsed INFORMATIONAL_V1 request 4267393360 [ HASH N(DPD) ]
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|2> queueing ISAKMP_DPD task
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|2> activating new tasks
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|2>   activating ISAKMP_DPD task
> Sun, 2019-02-17 08:38 11[ENC] <Conn1|2> generating INFORMATIONAL_V1 request 2158128673 [ HASH N(DPD_ACK) ]
> Sun, 2019-02-17 08:38 11[NET] <Conn1|2> sending packet: from 172.x.x.x[500] to 196.y.y.y[500] (84 bytes)
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|2> activating new tasks
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|2> nothing to initiate
> Sun, 2019-02-17 08:39 08[NET] <Conn1|2> received packet: from 196.y.y.y[500] to 172.x.x.x[500] (84 bytes)
> Sun, 2019-02-17 08:39 08[ENC] <Conn1|2> parsed INFORMATIONAL_V1 request 2882714032 [ HASH N(DPD) ]
> Sun, 2019-02-17 08:39 08[IKE] <Conn1|2> queueing ISAKMP_DPD task
> Sun, 2019-02-17 08:39 08[IKE] <Conn1|2> activating new tasks
> Sun, 2019-02-17 08:39 08[IKE] <Conn1|2>   activating ISAKMP_DPD task
> Sun, 2019-02-17 08:39 08[ENC] <Conn1|2> generating INFORMATIONAL_V1 request 2370486549 [ HASH N(DPD_ACK) ]
> Sun, 2019-02-17 08:39 08[NET] <Conn1|2> sending packet: from 172.x.x.x[500] to 196.y.y.y[500] (84 bytes)
> Sun, 2019-02-17 08:39 08[IKE] <Conn1|2> activating new tasks
> Sun, 2019-02-17 08:39 08[IKE] <Conn1|2> nothing to initiate
> *Sun, 2019-02-17 08:39 12[IKE] <Conn1|1> sending retransmit 3 of request message ID 0, seq 1*
> Sun, 2019-02-17 08:39 12[NET] <Conn1|1> sending packet: from 172.x.x.x[500] to 196.y.y.y[500] (236 bytes)
> Sun, 2019-02-17 08:39 09[NET] <Conn1|2> received packet: from 196.y.y.y[500] to 172.x.x.x[500] (84 bytes)
> Sun, 2019-02-17 08:39 09[ENC] <Conn1|2> parsed INFORMATIONAL_V1 request 2027095304 [ HASH N(DPD) ]
> Sun, 2019-02-17 08:39 09[IKE] <Conn1|2> queueing ISAKMP_DPD task


Kind regards

Noel

On 17.02.19 at 10:04, Rudi Barnard wrote:
> Thank you for the feedback. Greatly appreciated.
> 
> The rightsubnet was just a typing error when replacing the actual IP with a/b:
> 
> 1) What we use is: rightsubnet=a.a.a.a/32,b.b.b.b/32
> 2) Please see below extract from charon log
> 3) 2x different subnets to access on right. Have read the FAQ and understand Unity is only for roadwarrior (this is site to site). Therefore we need to "define a separate child SA per subnet pair". I assumed the following:
> 
> conn conn1
>         rightsubnet=a.a.a.a/32
> 
> conn conn2
>         also=conn1
>         rightsubnet=b.b.b.b/32
> 
> 4) Yes this connection is ancient. Once we have strongswan up and running, I will propose to customer up the auth and encryption algorithms.
> 5) Yes will disable unity as this is site-to-site
> 6) Changed logging as instructed.
> 7) Changed back to auto=start
> 8) Did a scratch install on Strongswan and using the config files as per the wiki.
> 
> Here are the logs, ipsec statusall and ip xfrm policy
> 
> tail: charon-debug-log: file truncated
> Sun, 2019-02-17 08:38 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic, x86_64)
> Sun, 2019-02-17 08:38 00[LIB] plugin 'test-vectors': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'unbound': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'ldap': loaded successfully
> Sun, 2019-02-17 08:38 00[CFG] PKCS11 module '<name>' lacks library path
> Sun, 2019-02-17 08:38 00[LIB] plugin 'pkcs11': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'tpm': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'aesni': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'aes': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'rc2': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'sha2': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'sha1': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'md4': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'md5': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'mgf1': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'rdrand': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] detected RDRAND support, enabled
> Sun, 2019-02-17 08:38 00[LIB] plugin 'random': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'nonce': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'x509': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'revocation': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'constraints': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'acert': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'pubkey': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'pkcs1': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'pkcs7': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'pkcs8': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'pkcs12': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'pgp': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'dnskey': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'sshkey': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'dnscert': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'ipseckey': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'pem': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'openssl': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'gcrypt': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'af-alg': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'fips-prf': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'gmp': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'curve25519': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'agent': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'chapoly': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'xcbc': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'cmac': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'hmac': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'ctr': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'ccm': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'gcm': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'ntru': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'bliss': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'curl': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'soup': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'mysql': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] using SQLite 3.22.0, thread safety 1
> Sun, 2019-02-17 08:38 00[LIB] plugin 'sqlite': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'attr': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'attr-sql': loaded successfully
> Sun, 2019-02-17 08:38 00[CFG] disabling load-tester plugin, not configured
> Sun, 2019-02-17 08:38 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
> Sun, 2019-02-17 08:38 00[LIB] plugin 'kernel-netlink': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'resolve': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'socket-default': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'connmark': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'farp': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'stroke': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'vici': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'sql': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'updown': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-identity': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-sim': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-sim-file': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-sim-pcsc': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-aka': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-aka-3gpp2': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-simaka-sql': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-simaka-pseudonym': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-simaka-reauth': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-md5': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-gtc': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-mschapv2': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-dynamic': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-radius': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-tls': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-ttls': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-peap': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-tnc': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'xauth-generic': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'xauth-eap': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'xauth-pam': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'xauth-noauth': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'tnc-tnccs': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'tnccs-20': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'tnccs-11': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'tnccs-dynamic': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'dhcp': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'ha': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'whitelist': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'lookip': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'error-notify': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'certexpire': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'systime-fix': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'led': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'coupling': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'radattr': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'addrblock': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'unity': loaded successfully
> Sun, 2019-02-17 08:38 00[LIB] plugin 'counters': loaded successfully
> Sun, 2019-02-17 08:38 00[KNL] known interfaces and IP addresses:
> Sun, 2019-02-17 08:38 00[KNL]   lo
> Sun, 2019-02-17 08:38 00[KNL]     127.0.0.1
> Sun, 2019-02-17 08:38 00[KNL]     ::1
> Sun, 2019-02-17 08:38 00[KNL]   eth0
> Sun, 2019-02-17 08:38 00[KNL]     172.x.x.x
> Sun, 2019-02-17 08:38 00[KNL]     fe80::4fe:14ff:fe20:3d30
> Sun, 2019-02-17 08:38 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
> Sun, 2019-02-17 08:38 00[CFG] loading unbound resolver config from '/etc/resolv.conf'
> Sun, 2019-02-17 08:38 00[CFG] loading unbound trust anchors from '/etc/ipsec.d/dnssec.keys'
> Sun, 2019-02-17 08:38 00[CFG] dnscert plugin is disabled
> Sun, 2019-02-17 08:38 00[CFG] loading unbound resolver config from '/etc/resolv.conf'
> Sun, 2019-02-17 08:38 00[CFG] loading unbound trust anchors from '/etc/ipsec.d/dnssec.keys'
> Sun, 2019-02-17 08:38 00[CFG] ipseckey plugin is disabled
> Sun, 2019-02-17 08:38 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA
> Sun, 2019-02-17 08:38 00[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST
> Sun, 2019-02-17 08:38 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_224 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224
> Sun, 2019-02-17 08:38 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_256 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256
> Sun, 2019-02-17 08:38 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_384 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384
> Sun, 2019-02-17 08:38 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_512 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_512
> Sun, 2019-02-17 08:38 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_224 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224
> Sun, 2019-02-17 08:38 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_256 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256
> Sun, 2019-02-17 08:38 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_384 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384
> Sun, 2019-02-17 08:38 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_512 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_512
> Sun, 2019-02-17 08:38 00[LIB] feature PRIVKEY_SIGN:BLISS_WITH_SHA3_256 in plugin 'bliss' has unmet dependency: HASHER:HASH_SHA3_256
> Sun, 2019-02-17 08:38 00[LIB] feature PRIVKEY_SIGN:BLISS_WITH_SHA3_384 in plugin 'bliss' has unmet dependency: HASHER:HASH_SHA3_384
> Sun, 2019-02-17 08:38 00[LIB] feature PRIVKEY_SIGN:BLISS_WITH_SHA3_512 in plugin 'bliss' has unmet dependency: HASHER:HASH_SHA3_512
> Sun, 2019-02-17 08:38 00[LIB] feature PUBKEY_VERIFY:BLISS_WITH_SHA3_256 in plugin 'bliss' has unmet dependency: HASHER:HASH_SHA3_256
> Sun, 2019-02-17 08:38 00[LIB] feature PUBKEY_VERIFY:BLISS_WITH_SHA3_384 in plugin 'bliss' has unmet dependency: HASHER:HASH_SHA3_384
> Sun, 2019-02-17 08:38 00[LIB] feature PUBKEY_VERIFY:BLISS_WITH_SHA3_512 in plugin 'bliss' has unmet dependency: HASHER:HASH_SHA3_512
> Sun, 2019-02-17 08:38 00[CFG] attr-sql plugin: database URI not set
> Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:attr-sql in plugin 'attr-sql' failed to load
> Sun, 2019-02-17 08:38 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Sun, 2019-02-17 08:38 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Sun, 2019-02-17 08:38 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Sun, 2019-02-17 08:38 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Sun, 2019-02-17 08:38 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Sun, 2019-02-17 08:38 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Sun, 2019-02-17 08:38 00[CFG]   loaded IKE secret for 52.x.x.x 196.y.y.y
> Sun, 2019-02-17 08:38 00[CFG] sql plugin: database URI not set
> Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:sql in plugin 'sql' failed to load
> Sun, 2019-02-17 08:38 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
> Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:eap-sim-file-triplets in plugin 'eap-sim-file' failed to load
> Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:sim-card in plugin 'eap-sim-file' has unmet dependency: CUSTOM:eap-sim-file-triplets
> Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:sim-provider in plugin 'eap-sim-file' has unmet dependency: CUSTOM:eap-sim-file-triplets
> Sun, 2019-02-17 08:38 00[CFG] eap-simaka-sql database URI missing
> Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:eap-simaka-sql-db in plugin 'eap-simaka-sql' failed to load
> Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:aka-card in plugin 'eap-simaka-sql' has unmet dependency: CUSTOM:eap-simaka-sql-db
> Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:sim-card in plugin 'eap-simaka-sql' has unmet dependency: CUSTOM:eap-simaka-sql-db
> Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:aka-provider in plugin 'eap-simaka-sql' has unmet dependency: CUSTOM:eap-simaka-sql-db
> Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:sim-provider in plugin 'eap-simaka-sql' has unmet dependency: CUSTOM:eap-simaka-sql-db
> Sun, 2019-02-17 08:38 00[CFG] loaded 0 RADIUS server configurations
> Sun, 2019-02-17 08:38 00[CFG] HA config misses local/remote address
> Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:ha in plugin 'ha' failed to load
> Sun, 2019-02-17 08:38 00[CFG] no threshold configured for systime-fix, disabled
> Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:systime-fix in plugin 'systime-fix' failed to load
> Sun, 2019-02-17 08:38 00[CFG] coupling file path unspecified
> Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:coupling in plugin 'coupling' failed to load
> Sun, 2019-02-17 08:38 00[LIB] unloading plugin 'attr-sql' without loaded features
> Sun, 2019-02-17 08:38 00[LIB] unloading plugin 'sql' without loaded features
> Sun, 2019-02-17 08:38 00[LIB] unloading plugin 'eap-sim-file' without loaded features
> Sun, 2019-02-17 08:38 00[LIB] unloading plugin 'eap-simaka-sql' without loaded features
> Sun, 2019-02-17 08:38 00[LIB] unloading plugin 'ha' without loaded features
> Sun, 2019-02-17 08:38 00[LIB] unloading plugin 'systime-fix' without loaded features
> Sun, 2019-02-17 08:38 00[LIB] unloading plugin 'coupling' without loaded features
> Sun, 2019-02-17 08:38 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
> Sun, 2019-02-17 08:38 00[LIB] unable to load 30 plugin features (23 due to unmet dependencies)
> Sun, 2019-02-17 08:38 00[LIB] dropped capabilities, running as uid 0, gid 0
> Sun, 2019-02-17 08:38 00[JOB] spawning 16 worker threads
> Sun, 2019-02-17 08:38 01[LIB] created thread 01 [31726]
> Sun, 2019-02-17 08:38 06[LIB] created thread 06 [31730]
> Sun, 2019-02-17 08:38 03[LIB] created thread 03 [31728]
> Sun, 2019-02-17 08:38 04[LIB] created thread 04 [31729]
> Sun, 2019-02-17 08:38 05[LIB] created thread 05 [31725]
> Sun, 2019-02-17 08:38 02[LIB] created thread 02 [31727]
> Sun, 2019-02-17 08:38 07[LIB] created thread 07 [31731]
> Sun, 2019-02-17 08:38 08[LIB] created thread 08 [31732]
> Sun, 2019-02-17 08:38 09[LIB] created thread 09 [31733]
> Sun, 2019-02-17 08:38 10[LIB] created thread 10 [31724]
> Sun, 2019-02-17 08:38 11[LIB] created thread 11 [31734]
> Sun, 2019-02-17 08:38 12[LIB] created thread 12 [31735]
> Sun, 2019-02-17 08:38 13[LIB] created thread 13 [31723]
> Sun, 2019-02-17 08:38 14[LIB] created thread 14 [31722]
> Sun, 2019-02-17 08:38 15[LIB] created thread 15 [31721]
> Sun, 2019-02-17 08:38 16[LIB] created thread 16 [31720]
> Sun, 2019-02-17 08:38 05[CFG] received stroke: add connection 'Conn1'
> Sun, 2019-02-17 08:38 05[CFG] conn Conn1
> Sun, 2019-02-17 08:38 05[CFG]   left=%any
> Sun, 2019-02-17 08:38 05[CFG]   leftsubnet=52.y.x.y/32
> Sun, 2019-02-17 08:38 05[CFG]   leftauth=psk
> Sun, 2019-02-17 08:38 05[CFG]   leftid=52.x.x.x
> Sun, 2019-02-17 08:38 05[CFG]   right=196.y.y.y
> Sun, 2019-02-17 08:38 05[CFG]   rightsubnet=a.a.a.a/32
> Sun, 2019-02-17 08:38 05[CFG]   rightauth=psk
> Sun, 2019-02-17 08:38 05[CFG]   rightid=196.y.y.y
> Sun, 2019-02-17 08:38 05[CFG]   ike=3des-md5-modp1024
> Sun, 2019-02-17 08:38 05[CFG]   esp=3des-md5-modp1024
> Sun, 2019-02-17 08:38 05[CFG]   dpddelay=300
> Sun, 2019-02-17 08:38 05[CFG]   dpdtimeout=150
> Sun, 2019-02-17 08:38 05[CFG]   dpdaction=1
> Sun, 2019-02-17 08:38 05[CFG]   sha256_96=no
> Sun, 2019-02-17 08:38 05[CFG]   mediation=no
> Sun, 2019-02-17 08:38 05[CFG]   keyexchange=ikev1
> Sun, 2019-02-17 08:38 05[KNL] 196.y.y.y is not a local address or the interface is down
> Sun, 2019-02-17 08:38 05[CFG] added configuration 'Conn1'
> Sun, 2019-02-17 08:38 11[CFG] received stroke: initiate 'Conn1'
> Sun, 2019-02-17 08:38 11[KNL] <Conn1|1> using 172.x.x.x as address to reach 196.y.y.y/32
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> queueing ISAKMP_VENDOR task
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> queueing ISAKMP_CERT_PRE task
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> queueing MAIN_MODE task
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> queueing ISAKMP_CERT_POST task
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> queueing ISAKMP_NATD task
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> queueing QUICK_MODE task
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> activating new tasks
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|1>   activating ISAKMP_VENDOR task
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|1>   activating ISAKMP_CERT_PRE task
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|1>   activating MAIN_MODE task
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|1>   activating ISAKMP_CERT_POST task
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|1>   activating ISAKMP_NATD task
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> sending XAuth vendor ID
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> sending DPD vendor ID
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> sending FRAGMENTATION vendor ID
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> sending NAT-T (RFC 3947) vendor ID
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> initiating Main Mode IKE_SA Conn1[1] to 196.y.y.y
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> IKE_SA Conn1[1] state change: CREATED => CONNECTING
> Sun, 2019-02-17 08:38 11[CFG] <Conn1|1> configured proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
> IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
> Sun, 2019-02-17 08:38 11[ENC] <Conn1|1> generating ID_PROT request 0 [ SA V V V V V ]
> Sun, 2019-02-17 08:38 11[NET] <Conn1|1> sending packet: from 172.x.x.x[500] to 196.y.y.y[500] (236 bytes)
> Sun, 2019-02-17 08:38 12[CFG] received stroke: add connection 'Conn1-host2'
> Sun, 2019-02-17 08:38 12[CFG] conn Conn1-host2
> Sun, 2019-02-17 08:38 12[CFG]   left=%any
> Sun, 2019-02-17 08:38 12[CFG]   leftsubnet=52.y.x.y/32
> Sun, 2019-02-17 08:38 12[CFG]   leftauth=psk
> Sun, 2019-02-17 08:38 12[CFG]   leftid=52.x.x.x
> Sun, 2019-02-17 08:38 12[CFG]   right=196.y.y.y
> Sun, 2019-02-17 08:38 12[CFG]   rightsubnet=b.b.b.b/32
> Sun, 2019-02-17 08:38 12[CFG]   rightauth=psk
> Sun, 2019-02-17 08:38 12[CFG]   rightid=196.y.y.y
> Sun, 2019-02-17 08:38 12[CFG]   ike=3des-md5-modp1024
> Sun, 2019-02-17 08:38 12[CFG]   esp=3des-md5-modp1024
> Sun, 2019-02-17 08:38 12[CFG]   dpddelay=300
> Sun, 2019-02-17 08:38 12[CFG]   dpdtimeout=150
> Sun, 2019-02-17 08:38 12[CFG]   dpdaction=1
> Sun, 2019-02-17 08:38 12[CFG]   sha256_96=no
> Sun, 2019-02-17 08:38 12[CFG]   mediation=no
> Sun, 2019-02-17 08:38 12[CFG]   keyexchange=ikev1
> Sun, 2019-02-17 08:38 12[KNL] 196.y.y.y is not a local address or the interface is down
> Sun, 2019-02-17 08:38 12[CFG] added child to existing configuration 'Conn1'
> Sun, 2019-02-17 08:38 09[CFG] received stroke: initiate 'Conn1-host2'
> Sun, 2019-02-17 08:38 09[IKE] <Conn1|1> queueing QUICK_MODE task
> Sun, 2019-02-17 08:38 09[IKE] <Conn1|1> delaying task initiation, ID_PROT exchange in progress
> Sun, 2019-02-17 08:38 13[IKE] <Conn1|1> sending retransmit 1 of request message ID 0, seq 1
> Sun, 2019-02-17 08:38 13[NET] <Conn1|1> sending packet: from 172.x.x.x[500] to 196.y.y.y[500] (236 bytes)
> Sun, 2019-02-17 08:38 14[NET] <2> received packet: from 196.y.y.y[500] to 172.x.x.x[500] (168 bytes)
> Sun, 2019-02-17 08:38 14[ENC] <2> parsed ID_PROT request 0 [ SA V V V V ]
> Sun, 2019-02-17 08:38 14[CFG] <2> looking for an ike config for 172.x.x.x...196.y.y.y
> Sun, 2019-02-17 08:38 14[CFG] <2>   candidate: %any...196.y.y.y, prio 2076
> Sun, 2019-02-17 08:38 14[CFG] <2> found matching ike config: %any...196.y.y.y with prio 2076
> Sun, 2019-02-17 08:38 14[IKE] <2> received DPD vendor ID
> Sun, 2019-02-17 08:38 14[IKE] <2> received FRAGMENTATION vendor ID
> Sun, 2019-02-17 08:38 14[IKE] <2> received FRAGMENTATION vendor ID
> Sun, 2019-02-17 08:38 14[ENC] <2> received unknown vendor ID: 82:x:x:x:x:x:x:xe
> Sun, 2019-02-17 08:38 14[IKE] <2> 196.y.y.y is initiating a Main Mode IKE_SA
> Sun, 2019-02-17 08:38 14[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
> Sun, 2019-02-17 08:38 14[CFG] <2> selecting proposal:
> Sun, 2019-02-17 08:38 14[CFG] <2>   proposal matches
> Sun, 2019-02-17 08:38 14[CFG] <2> received proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
> Sun, 2019-02-17 08:38 14[CFG] <2> configured proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
> IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
> Sun, 2019-02-17 08:38 14[CFG] <2> selected proposal: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
> Sun, 2019-02-17 08:38 14[IKE] <2> sending XAuth vendor ID
> Sun, 2019-02-17 08:38 14[IKE] <2> sending DPD vendor ID
> Sun, 2019-02-17 08:38 14[IKE] <2> sending FRAGMENTATION vendor ID
> Sun, 2019-02-17 08:38 14[ENC] <2> generating ID_PROT response 0 [ SA V V V ]
> Sun, 2019-02-17 08:38 14[NET] <2> sending packet: from 172.x.x.x[500] to 196.y.y.y[500] (140 bytes)
> Sun, 2019-02-17 08:38 15[NET] <2> received packet: from 196.y.y.y[500] to 172.x.x.x[500] (180 bytes)
> Sun, 2019-02-17 08:38 15[ENC] <2> parsed ID_PROT request 0 [ KE No ]
> Sun, 2019-02-17 08:38 15[LIB] <2> size of DH secret exponent: 1023 bits
> Sun, 2019-02-17 08:38 15[CFG] <2>   candidate "Conn1", match: 1/1/2076 (me/other/ike)
> Sun, 2019-02-17 08:38 15[ENC] <2> generating ID_PROT response 0 [ KE No ]
> Sun, 2019-02-17 08:38 15[NET] <2> sending packet: from 172.x.x.x[500] to 196.y.y.y[500] (196 bytes)
> Sun, 2019-02-17 08:38 16[NET] <2> received packet: from 196.y.y.y[500] to 172.x.x.x[500] (92 bytes)
> Sun, 2019-02-17 08:38 16[ENC] <2> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> Sun, 2019-02-17 08:38 16[CFG] <2> looking for pre-shared key peer configs matching 172.x.x.x...196.y.y.y[196.y.y.y]
> Sun, 2019-02-17 08:38 16[CFG] <2>   candidate "Conn1", match: 1/20/2076 (me/other/ike)
> Sun, 2019-02-17 08:38 16[CFG] <2> selected peer config "Conn1"
> Sun, 2019-02-17 08:38 16[IKE] <Conn1|2> IKE_SA Conn1[2] established between 172.x.x.x[52.x.x.x]...196.y.y.y[196.y.y.y]
> Sun, 2019-02-17 08:38 16[IKE] <Conn1|2> IKE_SA Conn1[2] state change: CONNECTING => ESTABLISHED
> Sun, 2019-02-17 08:38 16[ENC] <Conn1|2> generating ID_PROT response 0 [ ID HASH ]
> Sun, 2019-02-17 08:38 16[NET] <Conn1|2> sending packet: from 172.x.x.x[500] to 196.y.y.y[500] (68 bytes)
> Sun, 2019-02-17 08:38 02[NET] <Conn1|2> received packet: from 196.y.y.y[500] to 172.x.x.x[500] (84 bytes)
> Sun, 2019-02-17 08:38 02[ENC] <Conn1|2> parsed INFORMATIONAL_V1 request 908762055 [ HASH N(DPD) ]
> Sun, 2019-02-17 08:38 02[IKE] <Conn1|2> queueing ISAKMP_DPD task
> Sun, 2019-02-17 08:38 02[IKE] <Conn1|2> activating new tasks
> Sun, 2019-02-17 08:38 02[IKE] <Conn1|2>   activating ISAKMP_DPD task
> Sun, 2019-02-17 08:38 02[ENC] <Conn1|2> generating INFORMATIONAL_V1 request 3433674651 [ HASH N(DPD_ACK) ]
> Sun, 2019-02-17 08:38 02[NET] <Conn1|2> sending packet: from 172.x.x.x[500] to 196.y.y.y[500] (84 bytes)
> Sun, 2019-02-17 08:38 02[IKE] <Conn1|2> activating new tasks
> Sun, 2019-02-17 08:38 02[IKE] <Conn1|2> nothing to initiate
> Sun, 2019-02-17 08:38 07[IKE] <Conn1|1> sending retransmit 2 of request message ID 0, seq 1
> Sun, 2019-02-17 08:38 07[NET] <Conn1|1> sending packet: from 172.x.x.x[500] to 196.y.y.y[500] (236 bytes)
> Sun, 2019-02-17 08:38 11[NET] <Conn1|2> received packet: from 196.y.y.y[500] to 172.x.x.x[500] (84 bytes)
> Sun, 2019-02-17 08:38 11[ENC] <Conn1|2> parsed INFORMATIONAL_V1 request 4267393360 [ HASH N(DPD) ]
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|2> queueing ISAKMP_DPD task
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|2> activating new tasks
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|2>   activating ISAKMP_DPD task
> Sun, 2019-02-17 08:38 11[ENC] <Conn1|2> generating INFORMATIONAL_V1 request 2158128673 [ HASH N(DPD_ACK) ]
> Sun, 2019-02-17 08:38 11[NET] <Conn1|2> sending packet: from 172.x.x.x[500] to 196.y.y.y[500] (84 bytes)
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|2> activating new tasks
> Sun, 2019-02-17 08:38 11[IKE] <Conn1|2> nothing to initiate
> Sun, 2019-02-17 08:39 08[NET] <Conn1|2> received packet: from 196.y.y.y[500] to 172.x.x.x[500] (84 bytes)
> Sun, 2019-02-17 08:39 08[ENC] <Conn1|2> parsed INFORMATIONAL_V1 request 2882714032 [ HASH N(DPD) ]
> Sun, 2019-02-17 08:39 08[IKE] <Conn1|2> queueing ISAKMP_DPD task
> Sun, 2019-02-17 08:39 08[IKE] <Conn1|2> activating new tasks
> Sun, 2019-02-17 08:39 08[IKE] <Conn1|2>   activating ISAKMP_DPD task
> Sun, 2019-02-17 08:39 08[ENC] <Conn1|2> generating INFORMATIONAL_V1 request 2370486549 [ HASH N(DPD_ACK) ]
> Sun, 2019-02-17 08:39 08[NET] <Conn1|2> sending packet: from 172.x.x.x[500] to 196.y.y.y[500] (84 bytes)
> Sun, 2019-02-17 08:39 08[IKE] <Conn1|2> activating new tasks
> Sun, 2019-02-17 08:39 08[IKE] <Conn1|2> nothing to initiate
> Sun, 2019-02-17 08:39 12[IKE] <Conn1|1> sending retransmit 3 of request message ID 0, seq 1
> Sun, 2019-02-17 08:39 12[NET] <Conn1|1> sending packet: from 172.x.x.x[500] to 196.y.y.y[500] (236 bytes)
> Sun, 2019-02-17 08:39 09[NET] <Conn1|2> received packet: from 196.y.y.y[500] to 172.x.x.x[500] (84 bytes)
> Sun, 2019-02-17 08:39 09[ENC] <Conn1|2> parsed INFORMATIONAL_V1 request 2027095304 [ HASH N(DPD) ]
> Sun, 2019-02-17 08:39 09[IKE] <Conn1|2> queueing ISAKMP_DPD task
> Sun, 2019-02-17 08:39 09[IKE] <Conn1|2> activating new tasks
> Sun, 2019-02-17 08:39 09[IKE] <Conn1|2>   activating ISAKMP_DPD task
> Sun, 2019-02-17 08:39 09[ENC] <Conn1|2> generating INFORMATIONAL_V1 request 249435543 [ HASH N(DPD_ACK) ]
> Sun, 2019-02-17 08:39 09[NET] <Conn1|2> sending packet: from 172.x.x.x[500] to 196.y.y.y[500] (84 bytes)
> Sun, 2019-02-17 08:39 09[IKE] <Conn1|2> activating new tasks
> Sun, 2019-02-17 08:39 09[IKE] <Conn1|2> nothing to initiate
> 
> ipsec statusall
> 
> Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic, x86_64):
>   uptime: 10 minutes, since Feb 17 08:38:41 2019
>   malloc: sbrk 2363392, mmap 532480, used 1495312, free 868080
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
>   loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
> Listening IP addresses:
>   172.x.x.x
> Connections:
>  MTC-Namibia:  %any...196.y.y.y  IKEv1, dpddelay=300s
>  MTC-Namibia:   local:  [52.x.x.x] uses pre-shared key authentication
>  MTC-Namibia:   remote: [196.y.y.y] uses pre-shared key authentication
>  MTC-Namibia:   child:  52.y.x.y/32 === a.a.a.a/32 TUNNEL, dpdaction=clear
> MTC-Namibia-host2:   child:  52.y.x.y/32 === b.b.b.b/32 TUNNEL, dpdaction=clear
> Security Associations (1 up, 0 connecting):
>  MTC-Namibia[2]: ESTABLISHED 10 minutes ago, 172.x.x.x[52.x.x.x]...196.y.y.y[196.y.y.y]
>  MTC-Namibia[2]: IKEv1 SPIs: 3e88119e85b0d723_i a89707f016ee42b4_r*, rekeying disabled
>  MTC-Namibia[2]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
> 
> ip xfrm policy
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket in priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket out priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket in priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket out priority 0
> src ::/0 dst ::/0
>         socket in priority 0
> src ::/0 dst ::/0
>         socket out priority 0
> src ::/0 dst ::/0
>         socket in priority 0
> src ::/0 dst ::/0
>         socket out priority 0
> 
> ipsec.conf
> 
> # basic configuration
> 
> config setup
> #       strictcrlpolicy=yes
>         uniqueids = no
>         charondebug="ike 1, knl 1, cfg 2"
> 
> # Add connections here.
> conn Conn1
>         auto=start
>         compress=no
>         type=tunnel
>         keyexchange=ikev1
>         fragmentation=yes
>         forceencaps=yes
>         dpdaction=clear
>         dpddelay=300s
>         rekey=no
>         aggressive=no
>         ike=3des-md5-modp1024
>         ikelifetime=86400s
>         esp=3des-md5-modp1024
>         lifetime=3600s
>         leftauth=psk
>         left=%defaultroute
>         leftid=52.x.x.x
>         leftsubnet=52.y.x.y/32
>         rightauth=psk
>         right=196.y.y.y
>         rightid=196.y.y.y
>         rightsubnet=a.a.a.a/32
> 
> conn Conn1-host2
>         also=Conn1
>         rightsubnet=b.b.b.b/32
> 
> 
> On Sun, Feb 17, 2019 at 12:35 AM Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> 
>     Hello,
> 
>     1)
>     > Security Associations (1 up, 0 connecting):
>     >  Conn1[3]: ESTABLISHED 2 seconds ago, 196.y.y.y[52.x.x.x]...196.y.y.y[196.y.y.y]
>     >  Conn1:[3]: IKEv1 SPIs: 003afabcd1191ddf_i f84ca9def5333a82_r*, rekeying disabled
>     >  Conn1:[3]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
> 
>     That is only an IKE SA, not a CHILD SA. The CHILD SA is the actual tunnel. The IKE SA is only used to manage the CHILD_SAs and to generally communicate between the IKE daemons on the different hosts.
> 
>     2) You provide no logs so it's impossible to tell what exactly goes wrong.
> 
>     Your configuration with
>     >         rightsubnet=a.a.a.a/b.b.b.b/32
>     is INVALID.
> 
>     a.a.a.a/b.b.b.b/32 does NOT represent a valid subnet.
> 
>     3) Your configuration by default does not permit several different subnets because only one pair of subnets is listed
>        In order to configure a site-to-site tunnel with several subnets and IKEv1, you have to follow the scheme shown in the UsableExamples[1] article or
>        (try to) apply the information shown in the specific article in the FAQ[2].
> 
>     4) All of your configured cryptographic algorithms are deprecated and vulnerable. Every. Single. One. And the way you're using it makes the VPN slow.
>        Transition to secure ones as shown in the UsableExamples article's Site-to-Site section[3] or pick a secure pair from the IKEv1CipherList[4].
> 
>     5) The Unity plugin is only used when you have a roadwarrior style configuration in which you request a virtual IP from the peer.
>        This is documented on the wiki[5].
> 
>     6) Your logging settings will not write much useful information into any log file or syslog. Always use the configuration[6] shown in the HelpRequests article.
> 
>     7) The way you configured the tunnel makes it NOT recover on failures. Apply the information from the SecurityRecommendations[7] article.
>     > # Add connections here.
>     > conn Conn1
>     >         auto=start
> 
>     8) There's an article[8] in the FAQ regarding configuration compatibility with FreeS/WAN, Openswan and Libreswan.
>        Quote:
>     > They are not compatible. Although the format of /ipsec.conf/ is identical between the different swans, the files are not compatible, because several options have different meanings and a variety of different
>     > options are absent from some versions and others exist. Do not attempt to reuse configuration files between different swans.
> 
>     Please use the wiki. It exists for a reason. There's even an article regarding getting help[9]. Use it.
> 
>     Kind regards
> 
>     Noel
> 
>     [1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
>     [2] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Multiple-subnets-per-SA
>     [3] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Site-To-Site-Scenario
>     [4] https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites
>     [5] https://wiki.strongswan.org/projects/strongswan/wiki/UnityPlugin#Configuration
>     [6] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests#Configuration-snippets
>     [7] https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#Tunnel-Shunting
>     [8] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#configuration-compatibility-with-FreeSWAN-Openswan-and-Libreswan
>     [9] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
> 
>     Am 16.02.19 um 20:59 schrieb Rudi Barnard:
>     > Issue seems to do with the Cisco Unity plugin as we are trying to connect to multiple right subnets... All the VPNs we are connecting to are Cisco.
>     > Have updated charon.conf and strongswan.conf with cisco_unity=yes but still same issue. Only 1 tunnel comes up but ip xfrm policy shows no entry.
>     >
>     > On Sat, Feb 16, 2019 at 5:04 PM Kostya Vasilyev <kman at fastmail.com> wrote:
>     >
>     >
>     >     On Sat, Feb 16, 2019, at 10:09 AM, Rudi Barnard wrote:
>     >>     Hi,
>     >>
>     >>     Have been using openswan on Ubuntu 14.04 on AWS EC2 for site to site connections (Ikev1 + PSK).
>     >>     Recently upgraded an image of the Ubuntu EC2 instance from 14.04 to 18.04.
>     >>     Result is that openswan gets replaced with Strongswan. I eventually did a scratch install of strongswan and also installed the Cisco plugin for multiple subnet support.
>     >>
>     >>     Now testing one of the MANY VPNs we have previously setup on openswan.
>     >>     Tunnels are up but ip xfrm policy / state shows no entry and therefore I assume that there is a config issue.
>     >>
>     >>     Very new with Strongswan so not sure where to start troubleshooting.
>     >>
>     >>     Thanks.
>     >>
>     >>     [snip]
>     >>
>     >
>     >     I'm a newbie too, but ... anything interesting in the logs?
>     >
>     >     journalctl -f -u strongswan
>     >
>     >     And then force a reconnect from a client.
>     >
>     >     ---
>     >
>     >     By the way, this is like a plague that gets copied from tutorial to tutorial:
>     >
>     >             charondebug="ike 1, knl 1, cfg 0"
>     >
>     >     You may want to set "cfg" log level to 1 or even 2 (and the others too) for troubleshooting.
>     >
>     >     -- K
>     >
> 

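Noel's diagnosis at the top of this message rests on one pattern in the quoted log: the IKE_SA tagged `<Conn1|1>` keeps logging "sending retransmit N of request message ID 0" and never logs a "received packet" line, while `<Conn1|2>` (the IKE_SA the peer initiated) only exchanges DPD/DPD_ACK. The script below is an added example, not code from the thread or from strongSwan, that parses charon's log format and produces exactly that per-IKE_SA verdict, so the same triage can be run over a full `journalctl -u strongswan` dump instead of by eye. `SAMPLE_LOG` is constructed to mirror the quoted lines (same `<conn|id>` tags and wording) with documentation addresses in place of the poster's hosts; the exchange type of the unanswered request is reported only if the corresponding "generating ... request" line is present in the excerpt, which it is not in the quoted one.

```python
"""Triage a strongSwan charon log excerpt: which IKE_SA keeps retransmitting a
request the peer never answers, and which one only carries DPD keepalives?

Added example, not code from the thread or from strongSwan. SAMPLE_LOG is
constructed to mirror the format of the quoted log; addresses are placeholders.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] <(?P<sa>[^>]*)> (?P<msg>.*)$"
)
RETRANSMIT_RE = re.compile(r"sending retransmit (\d+) of request message ID (\d+)")
GENERATING_RE = re.compile(r"generating (\S+) request \d+")
PARSED_RE = re.compile(r"parsed \S+ (?:request|response) \d+ \[ (?P<payloads>[^\]]*)\]")
DPD_ONLY = {"HASH", "N(DPD)", "N(DPD_ACK)"}   # payloads of a pure keepalive exchange

SAMPLE_LOG = """\
Sun, 2019-02-17 08:38 16[IKE] <Conn1|2> IKE_SA Conn1[2] established between 192.0.2.10[192.0.2.10]...198.51.100.20[198.51.100.20]
Sun, 2019-02-17 08:38 02[NET] <Conn1|2> received packet: from 198.51.100.20[500] to 192.0.2.10[500] (84 bytes)
Sun, 2019-02-17 08:38 02[ENC] <Conn1|2> parsed INFORMATIONAL_V1 request 908762055 [ HASH N(DPD) ]
Sun, 2019-02-17 08:38 02[ENC] <Conn1|2> generating INFORMATIONAL_V1 request 3433674651 [ HASH N(DPD_ACK) ]
Sun, 2019-02-17 08:38 02[NET] <Conn1|2> sending packet: from 192.0.2.10[500] to 198.51.100.20[500] (84 bytes)
Sun, 2019-02-17 08:38 07[IKE] <Conn1|1> sending retransmit 2 of request message ID 0, seq 1
Sun, 2019-02-17 08:38 07[NET] <Conn1|1> sending packet: from 192.0.2.10[500] to 198.51.100.20[500] (236 bytes)
Sun, 2019-02-17 08:39 12[IKE] <Conn1|1> sending retransmit 3 of request message ID 0, seq 1
Sun, 2019-02-17 08:39 12[NET] <Conn1|1> sending packet: from 192.0.2.10[500] to 198.51.100.20[500] (236 bytes)
Sun, 2019-02-17 08:39 09[NET] <Conn1|2> received packet: from 198.51.100.20[500] to 192.0.2.10[500] (84 bytes)
Sun, 2019-02-17 08:39 09[ENC] <Conn1|2> parsed INFORMATIONAL_V1 request 2027095304 [ HASH N(DPD) ]
"""


def parse(log_text):
    """Yield (sa_tag, log_group, message) for every line in charon's format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("sa"), m.group("group"), m.group("msg")


def _empty_stats():
    return {"received": 0, "sent": 0, "retransmits": 0,
            "last_request": None, "payloads": set()}


def triage(log_text):
    """Summarise each IKE_SA tag seen in the excerpt and attach a verdict."""
    stats = defaultdict(_empty_stats)
    for sa, _group, msg in parse(log_text):
        s = stats[sa]
        if msg.startswith("received packet"):
            s["received"] += 1
        elif msg.startswith("sending packet"):
            s["sent"] += 1
        m = RETRANSMIT_RE.search(msg)
        if m:
            # charon logs a running retransmit counter; keep the highest seen
            s["retransmits"] = max(s["retransmits"], int(m.group(1)))
            s["last_request"] = s["last_request"] or "request with message ID " + m.group(2)
        m = GENERATING_RE.search(msg)
        if m:
            # exchange type is only known when the "generating" line is in the excerpt
            s["last_request"] = m.group(1) + " request"
        m = PARSED_RE.search(msg)
        if m:
            s["payloads"].update(m.group("payloads").split())
    for s in stats.values():
        if s["retransmits"] and s["received"] == 0:
            s["verdict"] = ("peer never answered the %s: retransmitted %d times, "
                            "no packet received on this IKE_SA"
                            % (s["last_request"], s["retransmits"]))
        elif s["payloads"] and s["payloads"] <= DPD_ONLY:
            s["verdict"] = "only DPD keepalives; IKE_SA is up but no CHILD_SA negotiated here"
        else:
            s["verdict"] = "normal traffic"
    return dict(stats)


if __name__ == "__main__":
    for sa, s in triage(SAMPLE_LOG).items():
        print("<%s> %s" % (sa, s["verdict"]))
```

Feed it `journalctl -u strongswan --no-pager` output (with the `charondebug` levels from the HelpRequests article) and the SA that never receives anything is the one to raise with the remote admin; an IKE_SA whose only traffic is DPD is alive but, as Noel's point 1 says, is not a tunnel.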

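Points 3, 4 and 7 of Noel's earlier reply (quoted above) are all visible in the posted ipsec.conf: `auto=start`, `ike=3des-md5-modp1024` / `esp=3des-md5-modp1024`, and the need for one conn per subnet pair under IKEv1. The linter below is an added example, not strongSwan code, that parses an ipsec.conf (resolving `also=` the way strongSwan does, with the including conn's keys winning) and reports those three problems. `POSTED_CONF` mirrors the quoted configuration with placeholder addresses; `HARDENED_CONF` is this example's own corrected variant (`auto=route` and an AES-256/SHA-256/MODP-2048 suite chosen for illustration, not copied from the wiki's cipher tables, and the suite the remote Cisco accepts still has to be agreed with its admin); `WEAK_ALGS` is likewise this example's list.

```python
"""Lint an ipsec.conf for three problems raised in the thread: auto=start,
deprecated ike=/esp= algorithms, and several subnets in one IKEv1 conn.

Added example, not strongSwan code. POSTED_CONF mirrors the quoted config with
placeholder addresses; HARDENED_CONF and WEAK_ALGS are this example's own choices.
"""

# algorithm keywords (as written in ike=/esp= strings) that should not be deployed
WEAK_ALGS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}

POSTED_CONF = """\
config setup
        uniqueids = no
        charondebug="ike 1, knl 1, cfg 2"

conn Conn1
        auto=start
        keyexchange=ikev1
        dpdaction=clear
        dpddelay=300s
        rekey=no
        ike=3des-md5-modp1024
        esp=3des-md5-modp1024
        leftauth=psk
        left=%defaultroute
        leftid=192.0.2.10
        leftsubnet=192.0.2.10/32
        rightauth=psk
        right=198.51.100.20
        rightid=198.51.100.20
        rightsubnet=203.0.113.1/32

conn Conn1-host2
        also=Conn1
        rightsubnet=203.0.113.2/32
"""

# same file with only the two flagged settings changed (example's own choice of suite)
HARDENED_CONF = (POSTED_CONF
                 .replace("auto=start", "auto=route")
                 .replace("3des-md5-modp1024", "aes256-sha256-modp2048"))


def parse_ipsec_conf(text):
    """Return {section header: {key: value}} with also= resolved; keys set in
    the including conn override those of the included conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():            # 'config setup' or 'conn NAME'
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value

    def resolve(header, seen=()):
        own = dict(sections[header])
        base = "conn " + own.pop("also", "")
        if base not in sections or base in seen:   # no also=, unknown or cyclic
            return own
        merged = resolve(base, seen + (header,))
        merged.update(own)
        return merged

    return {h: resolve(h) for h in sections}


def audit(text):
    """Return [(conn name, finding)] for every conn in the file."""
    findings = []
    for header, c in parse_ipsec_conf(text).items():
        if not header.startswith("conn "):
            continue
        conn = header[5:]
        if c.get("auto") == "start":
            findings.append((conn, "auto=start does not re-establish a failed tunnel; use auto=route"))
        for key in ("ike", "esp"):
            for proposal in filter(None, c.get(key, "").split(",")):
                weak = sorted(set(proposal.rstrip("!").split("-")) & WEAK_ALGS)
                if weak:
                    findings.append((conn, "%s=%s uses deprecated algorithms: %s"
                                     % (key, proposal, ", ".join(weak))))
        if c.get("keyexchange", "").startswith("ikev1"):
            for key in ("leftsubnet", "rightsubnet"):
                if "," in c.get(key, ""):
                    findings.append((conn, "%s lists several subnets; IKEv1 needs one conn per subnet pair" % key))
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```

Because `Conn1-host2` inherits everything from `Conn1` via `also=`, every finding is reported for both conns; fixing the base conn clears both, which is the point of the `also=` layout the FAQ's multiple-subnets article describes.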