[strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

MOSES KARIUKI kariukims at gmail.com
Tue Feb 19 14:02:08 CET 2019


Thanks a lot. Let me load the Windows logs.

On Tue, Feb 19, 2019 at 4:00 PM Kostya Vasilyev <kman at fastmail.com> wrote:

>
> On Tue, Feb 19, 2019, at 3:56 PM, MOSES KARIUKI wrote:
>
> Hello Vasilyev,
>
> I can't get this to work:  openssl -noout -text -in ca-key.pem.  I have
> tried Googling, but this also gives nothing:
>         openssl x509 -noout -text -in ca-key.pem
>
> Any ideas. Sorry I am a newbie on this one.
>
>
> You want to do this with the certificate - not its key.
>
> But like I said it could be a red herring too - as Il Ka just wrote, it
> could be that Windows client tries several protos including PPTP/GRE, L2TP
> and so on ...
>
> ... which is a reason to make sure that Windows is not trying to use
> some other protocol like PPTP or L2TP, and that you're not trying to use
> OpenVPN or some such.
>
> Tom Rymes just suggested you check your Windows connection properties. I
> second this.
>
> -- K
>
>
>
> On Tue, Feb 19, 2019 at 12:40 PM Kostya Vasilyev <kman at fastmail.com>
> wrote:
>
>
> On Tue, Feb 19, 2019, at 12:34 PM, IL Ka wrote:
> >
> > On Tue, Feb 19, 2019 at 8:48 AM Kostya Vasilyev <kman at fastmail.com>
> wrote:
> >> Looks like the connection is "almost there" but gets blocked by your
> firewall (UFW)
> >>
> >>  Very end of your log:
> >>
> >>  Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
> >>  Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
> >>  Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with 154.77.***.** after timeout
> >
> >
> > DPT=443 looks like OpenVPN or HTTPS.
> > IKE uses UDP/500 (or UDP/4500 in case of NAT).
> >
> > I am not sure this message is somehow connected to problem.
> >
>
> Could be unrelated - good find on the EAP-Identity
>
> But it could also be the client trying to fetch the CA certificate's CRL.
>
> Moses can you check if your CA cert has a CRL?
>
> openssl x509 -text -noout -in your_CA_cert
>
> Is there a CRL? Is it an https:// link?
>
>     X509v3 CRL Distribution Points:
>
>         Full Name:
>           URI:https://......
>
> -- K
>
>
>
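The point Il Ka and Kostya make above is that a [UFW BLOCK] line only matters for the tunnel if the dropped packet is IKE (UDP/500, UDP/4500 behind NAT) or ESP/AH; a blocked TCP/443 SYN from the same client is something else (a CRL fetch, OpenVPN, a browser). The following script is an added example, not code from the thread or from strongSwan: it parses netfilter/UFW log records and splits drops from a given peer into "would break the VPN" and "unrelated". The log lines, the peer addresses (RFC 5737 documentation ranges) and the SPI value are constructed for the example; the first record mirrors the TCP/443 drop quoted above, the other two are what a real IKE or ESP drop would look like.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Traffic an IKEv2/IPsec responder must accept from the peer: IKE on UDP/500,
# IKE and ESP-in-UDP on UDP/4500 behind NAT, and raw ESP (or AH) when there is
# no NAT. Anything else UFW drops is not the tunnel itself.
IKE_UDP_PORTS = {500, 4500}
IPSEC_PROTOS = {"ESP", "AH"}

# Netfilter LOG / UFW records are "KEY=VALUE" tokens after the "[UFW BLOCK]"
# tag; bare flags such as "DF" or "SYN" carry no "=" and are skipped.
_UFW_BLOCK = re.compile(r"\[UFW BLOCK\]\s+(?P<fields>.+)$")


@dataclass
class BlockedPacket:
    src: str
    dst: str
    proto: str
    spt: Optional[int] = None
    dpt: Optional[int] = None
    spi: Optional[str] = None

    @property
    def vpn_relevant(self) -> bool:
        """True if dropping this packet would break an IKE/IPsec session."""
        if self.proto in IPSEC_PROTOS:
            return True
        return self.proto == "UDP" and self.dpt in IKE_UDP_PORTS

    def suggested_rule(self) -> Optional[str]:
        """ufw command that would admit this packet (None if not VPN traffic)."""
        if not self.vpn_relevant:
            return None
        if self.proto == "UDP":
            return f"ufw allow {self.dpt}/udp"
        return f"ufw allow proto {self.proto.lower()} from any to any"


def parse_ufw_block(line: str) -> Optional[BlockedPacket]:
    """Parse one kernel/syslog line; None if it is not a UFW BLOCK record."""
    m = _UFW_BLOCK.search(line)
    if not m:
        return None
    kv: Dict[str, str] = {}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            kv[key] = value  # a repeated key (IP LEN vs UDP LEN) keeps the last
    try:
        return BlockedPacket(
            src=kv["SRC"],
            dst=kv["DST"],
            proto=kv["PROTO"].upper(),
            spt=int(kv["SPT"]) if "SPT" in kv else None,
            dpt=int(kv["DPT"]) if "DPT" in kv else None,
            spi=kv.get("SPI"),
        )
    except (KeyError, ValueError):
        return None  # malformed or truncated record


def triage(lines: List[str], peer: str) -> Dict[str, List[BlockedPacket]]:
    """Split UFW drops from one peer into tunnel-breaking and unrelated."""
    result: Dict[str, List[BlockedPacket]] = {"vpn": [], "other": []}
    for line in lines:
        pkt = parse_ufw_block(line)
        if pkt is None or pkt.src != peer:
            continue
        result["vpn" if pkt.vpn_relevant else "other"].append(pkt)
    return result


# Constructed sample records (documentation addresses, not from the thread).
SAMPLE_LOG = [
    "Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= "
    "MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=203.0.113.5 DST=198.51.100.7 "
    "LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP SPT=54229 DPT=443 "
    "WINDOW=17520 RES=0x00 SYN URGP=0",
    "Feb 19 02:10:02 VM-e2b7 kernel: [ 2544.001000] [UFW BLOCK] IN=ens3 OUT= "
    "MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=203.0.113.5 DST=198.51.100.7 "
    "LEN=628 TOS=0x00 PREC=0x00 TTL=116 ID=27224 PROTO=UDP SPT=4500 DPT=4500 LEN=608",
    "Feb 19 02:10:03 VM-e2b7 kernel: [ 2545.002000] [UFW BLOCK] IN=ens3 OUT= "
    "MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=203.0.113.5 DST=198.51.100.7 "
    "LEN=136 TOS=0x00 PREC=0x00 TTL=116 ID=27225 PROTO=ESP SPI=0x3a1b5c7d",
    "Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with "
    "203.0.113.5 after timeout",
]

if __name__ == "__main__":
    buckets = triage(SAMPLE_LOG, peer="203.0.113.5")
    for pkt in buckets["vpn"]:
        print(f"tunnel broken by firewall: {pkt.proto} dpt={pkt.dpt} -> {pkt.suggested_rule()}")
    for pkt in buckets["other"]:
        print(f"unrelated drop: {pkt.proto}/{pkt.dpt} from {pkt.src} (not IKE/ESP)")
```

Run it against `journalctl -k` or `/var/log/kern.log` filtered to the client's address; if everything from the peer lands in the "other" bucket, as the TCP/443 line in this thread does, the firewall is not what is killing the half-open IKE_SA and the cause is on the client side (wrong VPN type, EAP identity, certificate) rather than in UFW.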