[strongSwan] NO_PROPOSAL_CHOSEN when using 5.6.2 on Ubuntu 18.04

Karuna Sagar Krishna karunasagark at gmail.com
Wed May 12 01:15:39 CEST 2021


Thanks for the quick replies!

Running `sudo ipsec update` or `sudo ipsec reload` is effectively a no-op.
Captured the terminal output below:



karkrish@hn1-kkafka:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 5.4.0-1046-azure,
x86_64):
  uptime: 2 hours, since May 11 20:42:06 2021
  malloc: sbrk 2703360, mmap 0, used 847536, free 1855824
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 2
  loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce
x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink
resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic
counters
Listening IP addresses:
  10.0.0.14
Connections:
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:
 10.0.0.14...10.0.0.15  IKEv2
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   local:
 [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key
authentication
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:
 "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   remote:
[CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key
authentication
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:
 "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   child:
 dynamic === dynamic TRANSPORT
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:
 10.0.0.14...10.0.0.14  IKEv2
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   local:
 [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key
authentication
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:
 "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   remote:
[CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key
authentication
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:
 "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   child:
 dynamic === dynamic TRANSPORT
Routed Connections:
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{5}:  ROUTED,
TRANSPORT, reqid 1
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{5}:
10.0.0.14/32 === 10.0.0.15/32
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{2}:  ROUTED,
TRANSPORT, reqid 2
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{2}:
10.0.0.14/32 === 10.0.0.14/32
Security Associations (1 up, 0 connecting):
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]:
ESTABLISHED 2 hours ago, 10.0.0.14[CN=
IP-37fa1445fc.hdinsight-stable.azure-test.net]...10.0.0.15[CN=
IP-37fa1445fc.hdinsight-stable.azure-test.net]
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: IKEv2
SPIs: 1536ce9853bef399_i c00b62dfefa5f4ce_r*, public key reauthentication
in 5 hours
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: IKE
proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:
 INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c73ba254_i c0ffd04a_o
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:
 AES_CBC_256/HMAC_SHA2_256_128, 220940 bytes_i (3942 pkts, 0s ago), 891540
bytes_o (2902 pkts, 1444s ago), rekeying in 5 hours
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:
10.0.0.14/32 === 10.0.0.15/32

karkrish@hn1-kkafka:~$ sudo ipsec update
Updating strongSwan IPsec configuration...

karkrish@hn1-kkafka:~$ echo $?
0

karkrish@hn1-kkafka:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 5.4.0-1046-azure,
x86_64):
  uptime: 2 hours, since May 11 20:42:06 2021
  malloc: sbrk 2703360, mmap 0, used 847984, free 1855376
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 2
  loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce
x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink
resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic
counters
Listening IP addresses:
  10.0.0.14
Connections:
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:
 10.0.0.14...10.0.0.15  IKEv2
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   local:
 [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key
authentication
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:
 "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   remote:
[CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key
authentication
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:
 "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   child:
 dynamic === dynamic TRANSPORT
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:
 10.0.0.14...10.0.0.14  IKEv2
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   local:
 [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key
authentication
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:
 "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   remote:
[CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key
authentication
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:
 "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   child:
 dynamic === dynamic TRANSPORT
Routed Connections:
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{5}:  ROUTED,
TRANSPORT, reqid 1
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{5}:
10.0.0.14/32 === 10.0.0.15/32
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{2}:  ROUTED,
TRANSPORT, reqid 2
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{2}:
10.0.0.14/32 === 10.0.0.14/32
Security Associations (1 up, 0 connecting):
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]:
ESTABLISHED 2 hours ago, 10.0.0.14[CN=
IP-37fa1445fc.hdinsight-stable.azure-test.net]...10.0.0.15[CN=
IP-37fa1445fc.hdinsight-stable.azure-test.net]
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: IKEv2
SPIs: 1536ce9853bef399_i c00b62dfefa5f4ce_r*, public key reauthentication
in 5 hours
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: IKE
proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:
 INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c73ba254_i c0ffd04a_o
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:
 AES_CBC_256/HMAC_SHA2_256_128, 226680 bytes_i (4045 pkts, 0s ago), 900068
bytes_o (2959 pkts, 1455s ago), rekeying in 5 hours
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:
10.0.0.14/32 === 10.0.0.15/32

karkrish@hn1-kkafka:~$ sudo ipsec reload
Reloading strongSwan IPsec configuration...

karkrish@hn1-kkafka:~$ echo $?
0

karkrish@hn1-kkafka:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 5.4.0-1046-azure,
x86_64):
  uptime: 2 hours, since May 11 20:42:06 2021
  malloc: sbrk 2703360, mmap 0, used 847840, free 1855520
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 2
  loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce
x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink
resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic
counters
Listening IP addresses:
  10.0.0.14
Connections:
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:
 10.0.0.14...10.0.0.15  IKEv2
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   local:
 [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key
authentication
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:
 "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   remote:
[CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key
authentication
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:
 "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   child:
 dynamic === dynamic TRANSPORT
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:
 10.0.0.14...10.0.0.14  IKEv2
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   local:
 [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key
authentication
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:
 "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   remote:
[CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key
authentication
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:
 "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   child:
 dynamic === dynamic TRANSPORT
Routed Connections:
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{5}:  ROUTED,
TRANSPORT, reqid 1
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{5}:
10.0.0.14/32 === 10.0.0.15/32
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{2}:  ROUTED,
TRANSPORT, reqid 2
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{2}:
10.0.0.14/32 === 10.0.0.14/32
Security Associations (1 up, 0 connecting):
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]:
ESTABLISHED 2 hours ago, 10.0.0.14[CN=
IP-37fa1445fc.hdinsight-stable.azure-test.net]...10.0.0.15[CN=
IP-37fa1445fc.hdinsight-stable.azure-test.net]
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: IKEv2
SPIs: 1536ce9853bef399_i c00b62dfefa5f4ce_r*, public key reauthentication
in 5 hours
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: IKE
proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:
 INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c73ba254_i c0ffd04a_o
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:
 AES_CBC_256/HMAC_SHA2_256_128, 234876 bytes_i (4189 pkts, 0s ago), 910520
bytes_o (3037 pkts, 1474s ago), rekeying in 5 hours
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:
10.0.0.14/32 === 10.0.0.15/32

On Tue, May 11, 2021 at 4:11 PM Noel Kuntze <noel.kuntze at thermi.consulting>
wrote:

> Alright, found it.
>
> Please verify that it's the actual ipsec.conf that is loaded because there
> also aren't any errors regarding config files logged.
> What happens when you run "ipsec update" or "ipsec reload" from the
> terminal?
>
> Kind regards
> Noel
>
> On 12.05.21 at 01:09, Noel Kuntze wrote:
> > Okay, what's your complete ipsec.conf? Can you send it?
> >
> > Kind regards
> > Noel
> >
> > On 12.05.21 at 00:54, Karuna Sagar Krishna wrote:
> >> Attaching full charon logs.
> >>
> >> Can you help with the ipsec.conf interface? I plan to switch to swanctl going forward, but currently this is blocking our releases.
> >>
> >> --karuna
> >>
> >>
> >> On Tue, May 11, 2021 at 2:54 PM Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> >>
> >>     Hi,
> >>
> >>     Full logs please, as shown on the HelpRequests[1] page on the wiki.
> >>     Also, it's strongly recommended to use swanctl instead if possible. That's the better configuration backend.
> >>
> >>     Kind regards
> >>     Noel
> >>
> >>     [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
> >>
> >>     On 11.05.21 at 23:50, Karuna Sagar Krishna wrote:
> >>     > Hi,
> >>     >
> >>     > I'm setting up an IPSec connection between a bunch of Ubuntu 18.04 LTS nodes. I'm using Strongswan (Linux strongSwan U5.6.2/K5.4.0-1046-azure) on the Ubuntu nodes. The number of nodes is dynamic, i.e. there are frequent scale out/ins. So the ipsec.conf file (see attached) is updated with additional conn sections and `sudo ipsec update` is used to reload the config file. However, I've noticed intermittent network connectivity issues and the syslog shows -> "no IKE config found for 10.0.0.14...10.0.0.18, sending NO_PROPOSAL_CHOSEN". Clearly, the ipsec status shows that the daemon has not reloaded the config irrespective of issuing `sudo ipsec update` multiple times.
> >>     >
> >>     > Can you help me understand why the config is not updated and how to fix this issue?
> >>     >
> >>     >
> >>     >
> >>     > IPSec status:
> >>     > -----------------
> >>     >
> >>     >  > sudo ipsec statusall
> >>     >
> >>     > Status of IKE charon daemon (strongSwan 5.6.2, Linux 5.4.0-1046-azure, x86_64):
> >>     >    uptime: 45 minutes, since May 11 20:42:07 2021
> >>     >    malloc: sbrk 2703360, mmap 0, used 778800, free 1924560
> >>     >    worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
> >>     >    loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
> >>     > Listening IP addresses:
> >>     >    10.0.0.14
> >>     > Connections:
> >>     > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:  10.0.0.14...10.0.0.15  IKEv2
> >>     > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   local:  [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
> >>     > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
> >>     > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   remote: [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
> >>     > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
> >>     > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   child:  dynamic === dynamic TRANSPORT
> >>     > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:  10.0.0.14...10.0.0.14  IKEv2
> >>     > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   local:  [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
> >>     > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
> >>     > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   remote: [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
> >>     > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
> >>     > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   child:  dynamic === dynamic TRANSPORT
> >>     > /*Routed Connections:
> >>     > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{2}:  ROUTED, TRANSPORT, reqid 2
> >>     > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{2}:   10.0.0.14/32 === 10.0.0.14/32
> >>     > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{1}:  ROUTED, TRANSPORT, reqid 1
> >>     > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{1}:   10.0.0.14/32 === 10.0.0.15/32*/
> >>     > Security Associations (1 up, 0 connecting):
> >>     > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: ESTABLISHED 26 minutes ago, 10.0.0.14[CN=IP-37fa1445fc.hdinsight-stable.azure-test.net]...10.0.0.15[CN=IP-37fa1445fc.hdinsight-stable.azure-test.net]
> >>     > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: IKEv2 SPIs: 1536ce9853bef399_i c00b62dfefa5f4ce_r*, public key reauthentication in 7 hours
> >>     > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> >>     > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c73ba254_i c0ffd04a_o
> >>     > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:  AES_CBC_256/HMAC_SHA2_256_128, 44961 bytes_i (822 pkts, 0s ago), 193357 bytes_o (570 pkts, 1557s ago), rekeying in 7 hours
> >>     > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:   10.0.0.14/32 === 10.0.0.15/32
> >>     >
> >>     >
> >>     > Charon logs:
> >>     > -----------------
> >>     >
> >>     > May 11 21:23:20 hn1-kkafka charon: 09[NET] received packet: from 10.0.0.18[500] to 10.0.0.14[500] (536 bytes)
> >>     > May 11 21:23:20 hn1-kkafka charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> >>     > May 11 21:23:20 hn1-kkafka charon: 09[IKE] /*no IKE config found for 10.0.0.14...10.0.0.18, sending NO_PROPOSAL_CHOSEN*/
> >>     > May 11 21:23:20 hn1-kkafka charon: 09[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
> >>     > May 11 21:23:20 hn1-kkafka charon: 09[NET] sending packet: from 10.0.0.14[500] to 10.0.0.18[500] (36 bytes)
> >>     >
> >>     > --karuna
> >>     >
> >>
> >
> >
>
>
>
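
The symptom in this thread (peers rejected with "no IKE config found ... sending NO_PROPOSAL_CHOSEN" while `ipsec statusall` still lists only the old connections) can be checked mechanically. The script below is an added example, not part of the original messages or of strongSwan: it cross-checks the `Connections:` entries of `ipsec statusall` against the rejections in the charon log. The function names, the short connection names, the `CN=node` identity and the second log timestamp are constructed for illustration.

```python
import re
from collections import Counter

# "<conn>:  <local>...<remote>  IKEv2" in the Connections section of
# `ipsec statusall`. \s+ also spans line wraps introduced by a mail client.
# Names carrying [n] or {n} (IKE/child SA lines) are deliberately excluded.
CONN_RE = re.compile(
    r"^\s*(?P<conn>[^\s:{\[]+):\s+(?P<local>\S+?)\.\.\.(?P<remote>\S+)\s+IKEv",
    re.MULTILINE,
)
# charon message quoted in the thread; the order is local...remote.
REJECT_RE = re.compile(
    r"no IKE config found for (?P<local>\S+?)\.\.\.(?P<remote>[^\s,]+), "
    r"sending NO_PROPOSAL_CHOSEN"
)


def loaded_peers(statusall):
    """Map each loaded connection name to its (local, remote) address pair."""
    return {m["conn"]: (m["local"], m["remote"]) for m in CONN_RE.finditer(statusall)}


def rejected_peers(log):
    """Count rejected (local, remote) pairs in charon log text."""
    flat = re.sub(r"\s+", " ", log)  # undo wrapped log lines
    return Counter((m["local"], m["remote"]) for m in REJECT_RE.finditer(flat))


def unmatched_rejections(statusall, log):
    """Rejected pairs that no loaded connection covers (%any acts as wildcard)."""
    loaded = loaded_peers(statusall).values()

    def covered(local, remote):
        return any(l in (local, "%any") and r in (remote, "%any") for l, r in loaded)

    return {pair: n for pair, n in rejected_peers(log).items() if not covered(*pair)}


# Constructed sample, condensed from the output in the thread (wrapped as mailed).
SAMPLE_STATUSALL = """\
Connections:
hn0-kkafka:
 10.0.0.14...10.0.0.15  IKEv2
hn0-kkafka:   local:  [CN=node] uses public key authentication
hn0-kkafka:   child:  dynamic === dynamic TRANSPORT
hn1-kkafka:  10.0.0.14...10.0.0.14  IKEv2
Security Associations (1 up, 0 connecting):
hn0-kkafka[11]: ESTABLISHED 2 hours ago, 10.0.0.14[CN=node]...10.0.0.15[CN=node]
"""

SAMPLE_LOG = """\
May 11 21:23:20 hn1-kkafka charon: 09[NET] received packet: from 10.0.0.18[500] to 10.0.0.14[500] (536 bytes)
May 11 21:23:20 hn1-kkafka charon: 09[IKE] no IKE config found
for 10.0.0.14...10.0.0.18, sending NO_PROPOSAL_CHOSEN
May 11 21:23:50 hn1-kkafka charon: 12[IKE] no IKE config found for 10.0.0.14...10.0.0.18, sending NO_PROPOSAL_CHOSEN
"""

if __name__ == "__main__":
    for (local, remote), count in unmatched_rejections(SAMPLE_STATUSALL, SAMPLE_LOG).items():
        print(f"{remote}: rejected {count}x, no loaded conn for {local}...{remote}")
```

A non-empty result after `ipsec update` means the daemon's loaded connections and the peers actually sending IKE_SA_INIT have diverged, which is the state shown in the captured output above.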