[strongSwan] failed to establish CHILD_SA -- but this used to work!
Falsafi, Aram
Aram.Falsafi3 at T-Mobile.com
Thu May 9 17:24:38 CEST 2019
We have a test setup with strongSwan U5.5.3/K4.9.80 on a Raspberry Pi initiating an IPSec tunnel to strongSwan U5.3.5/K4.15.0-46-generic on Ubuntu/x86.
This used to work, but we lost the R-Pi configuration, and when we try to re-create it we get a strange error. The responder has not changed at all.
The outer subnet is 192.168.29.0/24 and the responder uses dnsmasq to assign an IP address from 192.168.3.0/24 for the inner (encrypted) traffic.
The current config files, and the log files (from both old working session and current broken session) are below.
The first difference is that the successful log had this (IP address listed is "leftsourceip" value from responder config file):
Mar 27 15:21:59 femto-ipsec charon: 16[CFG] looking for a child config for 192.168.3.0/24 === 0.0.0.0/0
But the failed log has this (IP address listed is the outer IP address of the physical interface and "left" value from responder config file):
May 8 13:50:52 femto-ipsec charon: 06[CFG] looking for a child config for 192.168.29.110/32 === 0.0.0.0/0
If this is my problem, I don't understand why the same configuration results in different behavior now.
The next difference I see is that the successful attempt has this:
Mar 27 15:21:59 femto-ipsec charon: 16[CFG] candidate "IPSec-IKEv2" with prio 5+1
Mar 27 15:21:59 femto-ipsec charon: 16[CFG] found matching child config "IPSec-IKEv2" with prio 6
Mar 27 15:21:59 femto-ipsec charon: 16[CFG] selecting proposal:
Mar 27 15:21:59 femto-ipsec charon: 16[CFG] proposal matches
While the failed attempt has this (again note outer IP address used):
May 8 13:50:52 femto-ipsec charon: 06[IKE] traffic selectors 192.168.29.110/32 === 0.0.0.0/0 inacceptable
May 8 13:50:52 femto-ipsec charon: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA
May 8 13:50:52 femto-ipsec charon: 06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) N(MOBIKE_SUP) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
I suspect this second difference is caused by the first difference?
Thanks,
Aram
---------------------------------------------
Initiator configuration:
# ipsec.conf - strongSwan IPsec configuration file
config setup
# uniqueids = never
charondebug="cfg 3, dmn 2, ike 2, net 2"
conn %default
keyexchange=ikev2
ike=aes256-sha256-modp4096!
esp=aes256-sha256-modp4096!
dpdaction=clear
dpddelay=300s
rekey=no
conn hydra
type=tunnel
auto=start
leftcert=MatthewClientCert.pem
left=%defaultroute
leftsourceip=%config
right=192.168.29.110
---------------------------------------------
Responder configuration:
# ipsec.conf - strongSwan IPsec configuration file
config setup
# uniqueids=never
charondebug="cfg 2, dmn 2, ike 2, net 2"
conn %default
keyexchange=ikev2
ike=aes256-sha256-modp4096!
esp=aes256-sha256-modp4096!
dpdaction=clear
dpddelay=300s
rekey=no
left=192.168.29.110
leftsubnet=192.168.3.0/24
leftcert=MatthewVPNHostCert.pem
leftdns=8.8.8.8,8.8.4.4
rightsourceip=%dhcp
conn IPSec-IKEv2
keyexchange=ikev2
auto=add
right=%any
conn IPSec-IKEv2-EAP
also="IPSec-IKEv2"
rightauth=eap-mschapv2
rightsendcert=never
eap_identity=%any
conn CiscoIPSec
keyexchange=ikev1
# forceencaps=yes
rightauth=pubkey
rightauth2=xauth
auto=add
---------------------------------------------
Responder log from when it worked:
Mar 27 15:21:56 femto-ipsec charon: 16[IKE] IKE_SA IPSec-IKEv2[5] established between 192.168.29.110[192.168.29.110]...192.168.29.217[C=CH, O=strongSwan, CN=mdavis at denaliai.com]
Mar 27 15:21:56 femto-ipsec charon: 16[IKE] IKE_SA IPSec-IKEv2[5] state change: CONNECTING => ESTABLISHED
Mar 27 15:21:56 femto-ipsec charon: 16[IKE] sending end entity cert "C=CH, O=strongSwan, CN=192.168.29.110"
Mar 27 15:21:56 femto-ipsec charon: 16[IKE] peer requested virtual IP %any
Mar 27 15:21:56 femto-ipsec charon: 16[CFG] sending DHCP DISCOVER to 192.168.3.255
Mar 27 15:21:57 femto-ipsec charon: 16[CFG] sending DHCP DISCOVER to 192.168.3.255
Mar 27 15:21:59 femto-ipsec dnsmasq-dhcp[1058]: DHCPDISCOVER(ens4) 7a:a7:7c:ec:48:ba
Mar 27 15:21:59 femto-ipsec dnsmasq-dhcp[1058]: DHCPOFFER(ens4) 192.168.3.76 7a:a7:7c:ec:48:ba
Mar 27 15:21:59 femto-ipsec dnsmasq-dhcp[1058]: DHCPDISCOVER(ens4) 7a:a7:7c:ec:48:ba
Mar 27 15:21:59 femto-ipsec dnsmasq-dhcp[1058]: DHCPOFFER(ens4) 192.168.3.76 7a:a7:7c:ec:48:ba
Mar 27 15:21:59 femto-ipsec charon: 07[CFG] received DHCP OFFER 192.168.3.76 from 192.168.3.1
Mar 27 15:21:59 femto-ipsec charon: 16[CFG] sending DHCP REQUEST for 192.168.3.76 to 192.168.3.1
Mar 27 15:21:59 femto-ipsec dnsmasq-dhcp[1058]: DHCPREQUEST(ens4) 192.168.3.76 7a:a7:7c:ec:48:ba
Mar 27 15:21:59 femto-ipsec dnsmasq-dhcp[1058]: DHCPACK(ens4) 192.168.3.76 7a:a7:7c:ec:48:ba
Mar 27 15:21:59 femto-ipsec charon: 12[CFG] received DHCP ACK for 192.168.3.76
Mar 27 15:21:59 femto-ipsec charon: 16[IKE] assigning virtual IP 192.168.3.76 to peer 'C=CH, O=strongSwan, CN=mdavis at denaliai.com'
Mar 27 15:21:59 femto-ipsec charon: 16[IKE] building INTERNAL_IP4_DNS attribute
Mar 27 15:21:59 femto-ipsec charon: 16[CFG] looking for a child config for 192.168.3.0/24 === 0.0.0.0/0
Mar 27 15:21:59 femto-ipsec charon: 16[CFG] proposing traffic selectors for us:
Mar 27 15:21:59 femto-ipsec charon: 16[CFG] 192.168.3.0/24
Mar 27 15:21:59 femto-ipsec charon: 16[CFG] proposing traffic selectors for other:
Mar 27 15:21:59 femto-ipsec charon: 16[CFG] 192.168.3.76/32
Mar 27 15:21:59 femto-ipsec charon: 16[CFG] candidate "IPSec-IKEv2" with prio 5+1
Mar 27 15:21:59 femto-ipsec charon: 16[CFG] found matching child config "IPSec-IKEv2" with prio 6
Mar 27 15:21:59 femto-ipsec charon: 16[CFG] selecting proposal:
Mar 27 15:21:59 femto-ipsec charon: 16[CFG] proposal matches
Mar 27 15:21:59 femto-ipsec charon: 16[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Mar 27 15:21:59 femto-ipsec charon: 16[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
Mar 27 15:21:59 femto-ipsec charon: 16[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Mar 27 15:21:59 femto-ipsec charon: 16[CFG] selecting traffic selectors for us:
Mar 27 15:21:59 femto-ipsec charon: 16[CFG] config: 192.168.3.0/24, received: 192.168.3.0/24 => match: 192.168.3.0/24
Mar 27 15:21:59 femto-ipsec charon: 16[CFG] selecting traffic selectors for other:
Mar 27 15:21:59 femto-ipsec charon: 16[CFG] config: 192.168.3.76/32, received: 0.0.0.0/0 => match: 192.168.3.76/32
Mar 27 15:21:59 femto-ipsec charon: 16[IKE] CHILD_SA IPSec-IKEv2{4} established with SPIs c9f96d14_i c41fd9d5_o and TS 192.168.3.0/24 === 192.168.3.76/32
Mar 27 15:21:59 femto-ipsec charon: 16[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Mar 27 15:21:59 femto-ipsec charon: 16[NET] sending packet: from 192.168.29.110[4500] to 192.168.29.217[4500] (1616 bytes)
Mar 27 15:21:59 femto-ipsec charon: 05[NET] sending packet: from 192.168.29.110[4500] to 192.168.29.217[4500]
---------------------------------------------
Current responder log (not working):
May 8 13:50:49 femto-ipsec charon: 06[IKE] IKE_SA IPSec-IKEv2[5] established between 192.168.29.110[192.168.29.110]...192.168.29.217[C=CH, O=strongSwan, CN=mdavis at denaliai.com]
May 8 13:50:49 femto-ipsec charon: 06[IKE] IKE_SA IPSec-IKEv2[5] state change: CONNECTING => ESTABLISHED
May 8 13:50:49 femto-ipsec charon: 06[IKE] sending end entity cert "C=CH, O=strongSwan, CN=192.168.29.110"
May 8 13:50:49 femto-ipsec charon: 06[IKE] peer requested virtual IP %any
May 8 13:50:49 femto-ipsec charon: 06[CFG] sending DHCP DISCOVER to 192.168.3.255
May 8 13:50:50 femto-ipsec charon: 06[CFG] sending DHCP DISCOVER to 192.168.3.255
May 8 13:50:52 femto-ipsec dnsmasq-dhcp[1080]: DHCPDISCOVER(ens4) 7a:a7:7b:bb:3d:b6
May 8 13:50:52 femto-ipsec dnsmasq-dhcp[1080]: DHCPOFFER(ens4) 192.168.3.52 7a:a7:7b:bb:3d:b6
May 8 13:50:52 femto-ipsec dnsmasq-dhcp[1080]: DHCPDISCOVER(ens4) 7a:a7:7b:bb:3d:b6
May 8 13:50:52 femto-ipsec dnsmasq-dhcp[1080]: DHCPOFFER(ens4) 192.168.3.52 7a:a7:7b:bb:3d:b6
May 8 13:50:52 femto-ipsec charon: 05[CFG] received DHCP OFFER 192.168.3.52 from 192.168.3.1
May 8 13:50:52 femto-ipsec charon: 06[CFG] sending DHCP REQUEST for 192.168.3.52 to 192.168.3.1
May 8 13:50:52 femto-ipsec dnsmasq-dhcp[1080]: DHCPREQUEST(ens4) 192.168.3.52 7a:a7:7b:bb:3d:b6
May 8 13:50:52 femto-ipsec dnsmasq-dhcp[1080]: DHCPACK(ens4) 192.168.3.52 7a:a7:7b:bb:3d:b6
May 8 13:50:52 femto-ipsec charon: 01[CFG] received DHCP ACK for 192.168.3.52
May 8 13:50:52 femto-ipsec charon: 06[IKE] assigning virtual IP 192.168.3.52 to peer 'C=CH, O=strongSwan, CN=mdavis at denaliai.com'
May 8 13:50:52 femto-ipsec charon: 06[IKE] building INTERNAL_IP4_DNS attribute
May 8 13:50:52 femto-ipsec charon: 06[CFG] looking for a child config for 192.168.29.110/32 === 0.0.0.0/0
May 8 13:50:52 femto-ipsec charon: 06[CFG] proposing traffic selectors for us:
May 8 13:50:52 femto-ipsec charon: 06[CFG] 192.168.3.0/24
May 8 13:50:52 femto-ipsec charon: 06[CFG] proposing traffic selectors for other:
May 8 13:50:52 femto-ipsec charon: 06[CFG] 192.168.3.52/32
May 8 13:50:52 femto-ipsec charon: 06[IKE] traffic selectors 192.168.29.110/32 === 0.0.0.0/0 inacceptable
May 8 13:50:52 femto-ipsec charon: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA
May 8 13:50:52 femto-ipsec charon: 06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) N(MOBIKE_SUP) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
May 8 13:50:52 femto-ipsec charon: 06[NET] sending packet: from 192.168.29.110[4500] to 192.168.29.217[4500] (1536 bytes)
May 8 13:50:52 femto-ipsec charon: 15[NET] sending packet: from 192.168.29.110[4500] to 192.168.29.217[4500]
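Editor's added example (not part of the post above and not strongSwan code): the responder's "looking for a child config for A === B" line prints its own traffic selector (TSr, what the initiator proposed for the responder side) first and the initiator's (TSi) second, and IKEv2 narrowing (RFC 7296, section 2.9) then intersects each with the responder's configured selectors: leftsubnet for its own side, the assigned virtual IP /32 for the peer's side. If either intersection is empty the responder answers TS_UNACCEPTABLE, which is the N(TS_UNACCEPT) notify in the failing log. The script below re-runs that narrowing over the two quoted log lines and the two DHCP-assigned virtual IPs. It also encodes the ipsec.conf default that an initiator with `right=` but no `rightsubnet=` proposes the peer's own address as a /32; that the missing R-Pi config previously carried `rightsubnet=192.168.3.0/24` is my inference from the working log, not something the post states.

```python
"""
IKEv2 traffic-selector narrowing as a strongSwan responder performs it
(RFC 7296 sec. 2.9), replayed over the two log lines quoted in the post.
Added example; the parsing and narrowing here are a simplified model of
charon's child_create logic, not its code.
"""
import ipaddress
import re

# Responder side, taken from the posted ipsec.conf (leftsubnet=192.168.3.0/24).
RESPONDER_LOCAL_TS = "192.168.3.0/24"

# The "looking for a child config" line from each run, copied from the post.
LOG_LINES = [
    "Mar 27 15:21:59 femto-ipsec charon: 16[CFG] looking for a child config for 192.168.3.0/24 === 0.0.0.0/0",
    "May 8 13:50:52 femto-ipsec charon: 06[CFG] looking for a child config for 192.168.29.110/32 === 0.0.0.0/0",
]
# Virtual IP the responder assigned in each run (from the DHCP ACK lines).
VIRTUAL_IPS = ["192.168.3.76", "192.168.3.52"]

TS_RE = re.compile(r"looking for a child config for (\S+) === (\S+)")


def parse_ts_line(line):
    """Return (tsr, tsi) from a charon 'looking for a child config' line.

    On the responder charon prints its own side (TSr) first and the
    initiator's side (TSi) second.
    """
    m = TS_RE.search(line)
    if not m:
        raise ValueError("not a TS line: %r" % line)
    return ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))


def narrow(configured, proposed):
    """Intersect one configured TS with one proposed TS.

    CIDR blocks are either nested or disjoint, so the intersection is the
    smaller block or nothing.
    """
    if configured.subnet_of(proposed):
        return configured
    if proposed.subnet_of(configured):
        return proposed
    return None


def select_child_sa(local_cfg, remote_cfg, tsr, tsi):
    """Narrow both sides; None means the responder sends TS_UNACCEPTABLE."""
    my_ts = narrow(local_cfg, tsr)
    other_ts = narrow(remote_cfg, tsi)
    if my_ts is None or other_ts is None:
        return None
    return my_ts, other_ts


def initiator_proposed_tsr(right, rightsubnet=None):
    """What a strongSwan initiator sends as TSr: rightsubnet if set, otherwise
    right/32 (the ipsec.conf default when rightsubnet is omitted)."""
    return ipaddress.ip_network(rightsubnet if rightsubnet else right + "/32")


def evaluate_runs(log_lines=LOG_LINES, virtual_ips=VIRTUAL_IPS,
                  local_ts=RESPONDER_LOCAL_TS):
    """Replay narrowing for each (log line, assigned virtual IP) pair.

    Returns the negotiated 'TSr === TSi' string per run, or None where the
    responder would reject the CHILD_SA.
    """
    local_cfg = ipaddress.ip_network(local_ts)
    results = []
    for line, vip in zip(log_lines, virtual_ips):
        tsr, tsi = parse_ts_line(line)
        remote_cfg = ipaddress.ip_network(vip + "/32")  # assigned virtual IP
        sel = select_child_sa(local_cfg, remote_cfg, tsr, tsi)
        results.append(None if sel is None else "%s === %s" % sel)
    return results


if __name__ == "__main__":
    for line, outcome in zip(LOG_LINES, evaluate_runs()):
        print(line.split("charon: ")[1])
        print("  ->", outcome or "TS_UNACCEPTABLE, failed to establish CHILD_SA")
    # Initiator config from the post: right=192.168.29.110 and no rightsubnet.
    print("initiator without rightsubnet proposes TSr",
          initiator_proposed_tsr("192.168.29.110"))
    print("initiator with rightsubnet=192.168.3.0/24 proposes TSr",
          initiator_proposed_tsr("192.168.29.110", "192.168.3.0/24"))
```

The first run narrows to 192.168.3.0/24 === 192.168.3.76/32, matching the "CHILD_SA ... established with ... TS" line; the second cannot, because 192.168.29.110/32 lies outside leftsubnet. A quick check on the initiator is therefore whether its conn carries a `rightsubnet=` (192.168.3.0/24, or 0.0.0.0/0 which the responder narrows to leftsubnet); with neither, the default right/32 reproduces exactly the TSr seen in the failing log.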