[strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

Kostya Vasilyev kman at fastmail.com
Tue Feb 19 06:48:25 CET 2019


Looks like the connection is "almost there" but gets blocked by your firewall (UFW).

Very end of your log:

Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with 154.77.***.** after timeout

1 - 02:10:01 - strongSwan sends a packet to the client

2 - 02:10:01 - something coming from the client IP and going to the server IP was blocked by the firewall

3 - 02:10:30 - there is no response from the client in 30 seconds, the SA is deleted

FWIW, these are my UFW rules on the strongSwan server:

ufw allow in from 89.0.0.1 proto gre
ufw allow in from 89.0.0.1 proto ah
ufw allow in from 89.0.0.1 proto esp
ufw allow in proto udp from 89.0.0.1 port 500
ufw allow in proto udp from 89.0.0.1 port 4500

where 89.0.0.1 is the client's address.

My tunnel is for GRE, not sure if yours is - if not, you won't need the "proto gre" rule, but I think you'll need another rule to allow *your* traffic.

You could also try a "broad" rule allowing anything and everything from the client's IP (and tighten it later):

ufw allow in from client_ip_here

--

Kostya Vasilyev
kman at fastmail.com



On Tue, Feb 19, 2019, at 2:43 AM, MOSES KARIUKI wrote:
> Dear Team,
> 
> I have been having long days trying to configure strongSwan on Ubuntu 18.04. I am not able to connect to the VPN from a Windows 10 client after following the instructions at this link:
> https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2
> and setting up Windows for modp_2048 following these instructions:
> https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048
> 
> See below my settings
> 
> **ipsec statusall**
> Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic, x86_64):
>   uptime: 45 minutes, since Feb 19 01:27:59 2019
>   malloc: sbrk 2568192, mmap 0, used 664784, free 1903408
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
> Virtual IP pools (size/online/offline):
>   10.10.10.0/24: 254/0/0
> Listening IP addresses:
>   102.1*9.2**.***
> Connections:
>    ikev2-vpn:  %any...%any  IKEv2, dpddelay=300s
>    ikev2-vpn:   local:  [102.1*9.2**.***] uses public key authentication
>    ikev2-vpn:    cert:  "CN=102.1*9.2**.***"
>    ikev2-vpn:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
>    ikev2-vpn:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
> Security Associations (0 up, 0 connecting):
>   none
> 
> **vi /etc/ipsec.conf**
> config setup
>     charondebug="ike 1, knl 1, cfg 2"
>     uniqueids=no
> 
> conn ikev2-vpn
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     fragmentation=yes
>     forceencaps=yes
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftid=102.1*9.2**.***
>     leftcert=server-cert.pem
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightid=%any
>     rightauth=eap-mschapv2
>     rightsourceip=10.10.10.0/24
>     rightdns=8.8.8.8,8.8.4.4
>     rightsendcert=never
>     eap_identity=%identity
>     ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048
>     esp=aes256-sha256,aes256-sha1,3des-sha1,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048
> 
> Below is the log:
> 
> Feb 19 02:10:00 VM-e2b7 charon: 07[NET] received packet: from 154.77.***.**[500] to 102.1*9.2**.***[500] (632 bytes)
> Feb 19 02:10:00 VM-e2b7 charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 11[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
> ....
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 11[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 11[IKE] remote host is behind NAT
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 11[NET] sending packet: from 102.1*9.2**.***[500] to 154.77.***.**[500] (448 bytes)
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[NET] received packet: from 154.77.***.**[4500] to 102.1*9.2**.***[4500] (580 bytes)
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[ENC] parsed IKE_AUTH request 1 [ EF(1/3) ]
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[ENC] received fragment #1 of 3, waiting for complete IKE message
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[NET] received packet: from 154.77.***.**[4500] to 102.1*9.2**.***[4500] (532 bytes)
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[ENC] parsed IKE_AUTH request 1 [ EF(3/3) ]
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[ENC] received fragment #3 of 3, waiting for complete IKE message
> Feb 19 02:10:00 VM-e2b7 charon: 07[CFG] looking for an ike config for 102.1*9.2**.***...154.77.***.**
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[NET] received packet: from 154.77.***.**[4500] to 102.1*9.2**.***[4500] (580 bytes)
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[ENC] parsed IKE_AUTH request 1 [ EF(2/3) ]
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[ENC] received fragment #2 of 3, reassembling fragmented IKE message
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[IKE] received 53 cert requests for an unknown ca
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[CFG] looking for peer configs matching 102.1*9.2**.***[%any]...154.77.***.**[192.168.43.156]
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[CFG]   candidate "ikev2-vpn", match: 1/1/28 (me/other/ike)
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[CFG] selected peer config 'ikev2-vpn'
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[IKE] EAP-Identity request configured, but not supported
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[IKE] initiating EAP_MSCHAPV2 method (id 0x81)
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[IKE] peer supports MOBIKE
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[IKE] authentication of '102.1*9.2**.***' (myself) with RSA signature successful
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[IKE] sending end entity cert "CN=102.1*9.2**.***"
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[ENC] splitting IKE message with length of 1936 bytes into 2 fragments
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[NET] sending packet: from 102.1*9.2**.***[4500] to 154.77.***.**[4500] (1236 bytes)
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 12[NET] sending packet: from 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 15[JOB] deleting half open IKE_SA with 154.77.***.** after timeout
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 06[CFG] proposing traffic selectors for us:
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 06[CFG]  0.0.0.0/0
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 06[CFG] proposing traffic selectors for other:
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 06[CFG]  dynamic
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 05[CFG] proposing traffic selectors for us:
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 05[CFG]  0.0.0.0/0
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 05[CFG] proposing traffic selectors for other:
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 05[CFG]  dynamic
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 07[NET] received packet: from 154.77.***.**[500] to 102.1*9.2**.***[500] (632 bytes)
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 07[CFG] looking for an ike config for 102.1*9.2**.***...154.77.***.**
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 07[CFG]   candidate: %any...%any, prio 28
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 07[CFG] found matching ike config: %any...%any with prio 28
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 07[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 07[IKE] received MS-Negotiation Discovery Capable vendor ID
> Feb 19 02:10:00 VM-e2b7 charon: 07[CFG]   candidate: %any...%any, prio 28
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 07[IKE] received Vid-Initial-Contact vendor ID
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 07[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 07[IKE] 154.77.***.** is initiating an IKE_SA
> Feb 19 02:10:00 VM-e2b7 ipsec[1011]: 07[CFG] selecting proposal:
> Feb 19 02:10:00 VM-e2b7 charon: 07[CFG] found matching ike config: %any...%any with prio 28
> Feb 19 02:10:00 VM-e2b7 charon: 07[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
> Feb 19 02:10:00 VM-e2b7 charon: 07[IKE] received MS-Negotiation Discovery Capable vendor ID
> Feb 19 02:10:00 VM-e2b7 charon: 07[IKE] received Vid-Initial-Contact vendor ID
> Feb 19 02:10:00 VM-e2b7 charon: 07[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> Feb 19 02:10:00 VM-e2b7 charon: 07[IKE] 154.77.***.** is initiating an IKE_SA
> Feb 19 02:10:00 VM-e2b7 charon: 07[CFG] selecting proposal:
> Feb 19 02:10:00 VM-e2b7 charon: 07[CFG] selecting proposal:
> Feb 19 02:10:00 VM-e2b7 charon: 07[CFG]   proposal matches
> Feb 19 02:10:00 VM-e2b7 charon: 07[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
> Feb 19 02:10:00 VM-e2b7 charon: 07[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> Feb 19 02:10:00 VM-e2b7 charon: 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> Feb 19 02:10:00 VM-e2b7 charon: 07[IKE] remote host is behind NAT
> Feb 19 02:10:00 VM-e2b7 charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
> Feb 19 02:10:00 VM-e2b7 charon: 07[NET] sending packet: from 102.1*9.2**.***[500] to 154.77.***.**[500] (448 bytes)
> Feb 19 02:10:00 VM-e2b7 charon: 09[NET] received packet: from 154.77.***.**[4500] to 102.1*9.2**.***[4500] (580 bytes)
> Feb 19 02:10:00 VM-e2b7 charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(1/3) ]
> Feb 19 02:10:00 VM-e2b7 charon: 09[ENC] received fragment #1 of 3, waiting for complete IKE message
> Feb 19 02:10:00 VM-e2b7 charon: 10[NET] received packet: from 154.77.***.**[4500] to 102.1*9.2**.***[4500] (580 bytes)
> Feb 19 02:10:00 VM-e2b7 charon: 10[ENC] parsed IKE_AUTH request 1 [ EF(2/3) ]
> Feb 19 02:10:00 VM-e2b7 charon: 10[ENC] received fragment #2 of 3, waiting for complete IKE message
> Feb 19 02:10:01 VM-e2b7 charon: 11[NET] received packet: from 154.77.***.**[4500] to 102.1*9.2**.***[4500] (532 bytes)
> Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(3/3) ]
> Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] received fragment #3 of 3, reassembling fragmented IKE message
> Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
> Feb 19 02:10:01 VM-e2b7 charon: 11[IKE] received 53 cert requests for an unknown ca
> Feb 19 02:10:01 VM-e2b7 charon: 11[CFG] looking for peer configs matching 102.1*9.2**.***[%any]...154.77.***.**[192.168.43.156]
> Feb 19 02:10:01 VM-e2b7 charon: 11[CFG]   candidate "ikev2-vpn", match: 1/1/28 (me/other/ike)
> Feb 19 02:10:01 VM-e2b7 charon: 11[CFG] selected peer config 'ikev2-vpn'
> Feb 19 02:10:01 VM-e2b7 charon: 11[IKE] EAP-Identity request configured, but not supported
> Feb 19 02:10:01 VM-e2b7 charon: 11[IKE] initiating EAP_MSCHAPV2 method (id 0x64)
> Feb 19 02:10:01 VM-e2b7 charon: 11[IKE] peer supports MOBIKE
> Feb 19 02:10:01 VM-e2b7 charon: 11[IKE] authentication of '102.1*9.2**.***' (myself) with RSA signature successful
> Feb 19 02:10:01 VM-e2b7 charon: 11[IKE] sending end entity cert "CN=102.1*9.2**.***"
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 07[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
> Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 07[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024...
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 07[IKE] remote host is behind NAT
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 07[NET] sending packet: from 102.1*9.2**.***[500] to 154.77.***.**[500] (448 bytes)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 09[NET] received packet: from 154.77.***.**[4500] to 102.1*9.2**.***[4500] (580 bytes)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 09[ENC] parsed IKE_AUTH request 1 [ EF(1/3) ]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 09[ENC] received fragment #1 of 3, waiting for complete IKE message
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 10[NET] received packet: from 154.77.***.**[4500] to 102.1*9.2**.***[4500] (580 bytes)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 10[ENC] parsed IKE_AUTH request 1 [ EF(2/3) ]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 10[ENC] received fragment #2 of 3, waiting for complete IKE message
> Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] splitting IKE message with length of 1936 bytes into 2 fragments
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[NET] received packet: from 154.77.***.**[4500] to 102.1*9.2**.***[4500] (532 bytes)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] parsed IKE_AUTH request 1 [ EF(3/3) ]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] received fragment #3 of 3, reassembling fragmented IKE message
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] received 53 cert requests for an unknown ca
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG] looking for peer configs matching 102.1*9.2**.***[%any]...154.77.***.**[192.168.43.156]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG]   candidate "ikev2-vpn", match: 1/1/28 (me/other/ike)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG] selected peer config 'ikev2-vpn'
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] EAP-Identity request configured, but not supported
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] initiating EAP_MSCHAPV2 method (id 0x64)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] peer supports MOBIKE
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] authentication of '102.1*9.2**.***' (myself) with RSA signature successful
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] sending end entity cert "CN=102.1*9.2**.***"
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] splitting IKE message with length of 1936 bytes into 2 fragments
> Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
> Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
> Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 102.1*9.2**.***[4500] to 154.77.***.**[4500] (1236 bytes)
> Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
> Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
> Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with 154.77.***.** after timeout
> Feb 19 02:13:28 VM-e2b7 charon: 13[CFG] proposing traffic selectors for us:
> Feb 19 02:13:28 VM-e2b7 charon: 13[CFG]  0.0.0.0/0
> Feb 19 02:13:28 VM-e2b7 charon: 13[CFG] proposing traffic selectors for other:
> Feb 19 02:13:28 VM-e2b7 charon: 13[CFG]  dynamic
> 
> Please assist with this. I am almost there. 
> 
> Thanks in advance.
> 
> regards,
> Moses K
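Added example, not part of either message in this thread and not strongSwan or UFW code: a small Python triage script for the kind of log excerpt posted above. It does two things a practitioner checks before touching firewall rules: it classifies each [UFW BLOCK] line by whether the dropped packet could carry IKE or IPsec at all (IKEv2 uses UDP/500, NAT traversal uses UDP/4500, and non-encapsulated ESP and AH are IP protocols 50 and 51, which nf_log prints as PROTO=ESP and PROTO=AH), and it measures how long after the last packet charon sent to a peer the "deleting half open IKE_SA" line appeared. The sample lines are constructed after the excerpt (addresses masked as in the post); the second UFW BLOCK line, a UDP/4500 drop, is invented purely to show the other verdict. On the excerpt's own block line, a TCP SYN to port 443, the script reports "unrelated".

```python
"""Triage a strongSwan/UFW log excerpt: which [UFW BLOCK] entries can break an
IKEv2 exchange, and how long after the last IKE packet the half-open SA timed out."""
import re
from datetime import datetime
from typing import Optional

# IKEv2 negotiates over UDP/500; with NAT traversal, IKE and UDP-encapsulated ESP use UDP/4500.
IKE_UDP_PORTS = {500, 4500}
# Native ESP (IP proto 50) and AH (51) appear in UFW BLOCK lines as PROTO=ESP / PROTO=AH.
IPSEC_PROTOS = {"ESP", "AH"}

# Constructed sample, modelled on the excerpt in the thread; the UDP/4500 block line is invented.
SAMPLE_LOG = """\
Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 102.1*9.2**.***[4500] to 154.77.***.**[4500] (1236 bytes)
Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
Feb 19 02:10:05 VM-e2b7 kernel: [ 2547.000000] [UFW BLOCK] IN=ens3 OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** DST=102.1*9.2**.*** LEN=100 TOS=0x00 PREC=0x00 TTL=116 ID=27224 DF PROTO=UDP SPT=4500 DPT=4500 LEN=80
Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with 154.77.***.** after timeout
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
UFW_RE = re.compile(TS + r" \S+ kernel: .*\[UFW BLOCK\] (?P<kv>.*)$")
SEND_RE = re.compile(TS + r" \S+ charon: \d+\[NET\] sending packet: from \S+ to (?P<peer>\S+)\[(?P<port>\d+)\]")
HALF_OPEN_RE = re.compile(TS + r" \S+ charon: \d+\[JOB\] deleting half open IKE_SA with (?P<peer>\S+) after timeout")


def _ts(s: str) -> datetime:
    # syslog timestamps carry no year; only differences within the excerpt are used
    return datetime.strptime(s, "%b %d %H:%M:%S")


def parse_ufw_block(line: str) -> Optional[dict]:
    """Return the KEY=value fields of a [UFW BLOCK] line, or None for any other line."""
    m = UFW_RE.match(line)
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, sep, val = token.partition("=")
        if sep:                      # bare flags such as DF carry no '=' and are skipped
            fields[key] = val
    return fields


def classify_block(fields: dict) -> str:
    """Say whether a dropped packet could be part of the IKE/IPsec exchange."""
    proto = fields.get("PROTO", "")
    if proto in IPSEC_PROTOS:
        return "ipsec-" + proto.lower()   # needs a 'proto esp' / 'proto ah' allow rule
    if proto == "UDP" and int(fields.get("DPT", 0)) in IKE_UDP_PORTS:
        return "ike-udp"                  # needs the udp 500 / 4500 allow rules
    return "unrelated"                    # cannot affect IKE_SA_INIT, IKE_AUTH or ESP


def triage(log_text: str) -> dict:
    """Classify every UFW block and time each half-open deletion against the last send to that peer."""
    last_sent = {}
    blocks, half_open = [], []
    for line in log_text.splitlines():
        b = parse_ufw_block(line)
        if b:
            blocks.append({"ts": b["ts"], "src": b.get("SRC"), "proto": b.get("PROTO"),
                           "dpt": b.get("DPT"), "verdict": classify_block(b)})
            continue
        m = SEND_RE.match(line)
        if m:
            last_sent[m.group("peer")] = _ts(m.group("ts"))
            continue
        m = HALF_OPEN_RE.match(line)
        if m:
            peer = m.group("peer")
            gap = (_ts(m.group("ts")) - last_sent[peer]).total_seconds() if peer in last_sent else None
            half_open.append({"peer": peer, "seconds_after_last_send": gap})
    return {"blocks": blocks, "half_open": half_open}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for b in result["blocks"]:
        print(f'{b["ts"]}  {b["proto"]}/{b["dpt"]} from {b["src"]}: {b["verdict"]}')
    for h in result["half_open"]:
        print(f'half-open IKE_SA with {h["peer"]} deleted {h["seconds_after_last_send"]}s after last packet sent')
```

Run it against `journalctl -u strongswan` or `/var/log/syslog` output instead of SAMPLE_LOG; a verdict of "ike-udp" or "ipsec-esp" on a block from the client's address is the case where the UFW rules quoted above fix the problem, while an "unrelated" verdict means the IKE_AUTH response left the server and the cause of the timeout has to be looked for on the path or on the client.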
