[strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

Kostya Vasilyev kman at fastmail.com
Tue Feb 19 10:40:26 CET 2019


On Tue, Feb 19, 2019, at 12:34 PM, IL Ka wrote:
> 
> On Tue, Feb 19, 2019 at 8:48 AM Kostya Vasilyev <kman at fastmail.com> wrote:
>> Looks like the connection is "almost there" but gets blocked by your firewall (UFW)
>>  
>>  Very end of your log:
>>  
>>  Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
>>  Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
>>  Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with 154.77.***.** after timeout
> 
> 
> DPT=443 looks like OpenVPN or HTTPS. 
> IKE uses UDP/500 (or UDP/4500 in case of NAT).
> 
> I am not sure this message is somehow connected to problem.
> 

Could be unrelated - good find on the EAP-Identity

But it could also be the client trying to fetch the CA certificate's CRL.

Moses, can you check if your CA cert has a CRL?

openssl x509 -text -noout -in your_CA_cert

Is there a CRL? Is it an https:// link?

    X509v3 CRL Distribution Points:

        Full Name:
          URI:https://......

-- K
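The check suggested above, as an added example that is not part of the original thread: it builds a throwaway CA certificate carrying an https:// CRL Distribution Point (the CRL URL, subject and file names are constructed placeholders), then lists the CRL URIs the certificate advertises and flags any that use https, which is the case where a client would open TCP/443 to the CRL host while the IKE_SA is still half open.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires the openssl CLI.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test CA: the CRL URL is a placeholder, not a real endpoint.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
crlDistributionPoints = URI:https://crl.example.invalid/ca.crl
EOF

openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -config "$WORK/ca.cnf" 2>/dev/null

# Print only the URIs listed under "X509v3 CRL Distribution Points"
# (not OCSP or CA Issuers URIs); empty output means the CA has no CRL.
crl_uris() {
  openssl x509 -text -noout -in "$1" | awk '
    /X509v3 CRL Distribution Points/ { inside = 1; next }
    inside && /^[[:space:]]*$/ { next }
    inside && !/Full Name:|URI:|Reasons:|CRL Issuer:/ { inside = 0 }
    inside && /URI:/ { sub(/.*URI:/, ""); print }
  '
}

# Exit status 0 when at least one CRL distribution point is an https:// link.
has_https_crl() {
  crl_uris "$1" | grep -q '^https://'
}

if has_https_crl "$WORK/ca.crt"; then
  echo "CA advertises https CRL(s):"; crl_uris "$WORK/ca.crt"
else
  echo "no https CRL distribution point found"
fi
```

Run it against the real CA certificate by calling `crl_uris /path/to/ca.crt` instead of the generated one; if it prints an https URI, allow outbound TCP/443 from the client to that host (or serve the CRL over http) before blaming IKE itself.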
