[strongSwan] IKEv2 not able to get past server keep alive?

Jody Whitesides jody at jodywhitesides.com
Sat Oct 30 01:19:39 CEST 2021


Trying to figure out why the VPN is dropping the connection before it gets going. It apparently can see the authentication and says it’s good, but the client never gets fully connected.

syslog:

Oct 29 17:12:09 homebridge ipsec[2314]: Starting strongSwan 5.7.2 IPsec [starter]...
Oct 29 17:12:09 homebridge charon-custom: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 5.10.63+, armv6l)
Oct 29 17:12:09 homebridge charon-custom: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Oct 29 17:12:09 homebridge charon-custom: 00[CFG]   loaded ca certificate "C=US, O=jodywhitesidespi, CN=serverIP Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Oct 29 17:12:09 homebridge charon-custom: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Oct 29 17:12:09 homebridge charon-custom: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct 29 17:12:09 homebridge charon-custom: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Oct 29 17:12:10 homebridge charon-custom: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct 29 17:12:10 homebridge charon-custom: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Oct 29 17:12:10 homebridge charon-custom: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/jwVPNKey.pem'
Oct 29 17:12:10 homebridge charon-custom: 00[CFG]   loaded IKE secret for 192.168.0.40 %any
Oct 29 17:12:10 homebridge charon-custom: 00[CFG]   loaded EAP secret for JodyLappy
Oct 29 17:12:10 homebridge charon-custom: 00[CFG]   loaded EAP secret for JodyiPhone
Oct 29 17:12:10 homebridge charon-custom: 00[CFG] loaded 0 RADIUS server configurations
Oct 29 17:12:10 homebridge ipsec[2314]: charon (2328) started after 920 ms
Oct 29 17:12:10 homebridge charon-custom: 00[CFG] HA config misses local/remote address
Oct 29 17:12:10 homebridge charon-custom: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp ag$
Oct 29 17:12:10 homebridge charon-custom: 00[LIB] dropped capabilities, running as uid 0, gid 0
Oct 29 17:12:10 homebridge charon-custom: 00[JOB] spawning 16 worker threads
Oct 29 17:12:10 homebridge charon-custom: 05[CFG] received stroke: add connection 'ikev2-vpn'
Oct 29 17:12:10 homebridge charon-custom: 05[CFG] adding virtual IP address pool 10.10.10.1/24
Oct 29 17:12:10 homebridge charon-custom: 05[CFG]   loaded certificate "C=US, O=jodywhitesidespi, CN=serverIP" from '/etc/ipsec.d/certs/jwVPNCert.pem'
Oct 29 17:12:10 homebridge charon-custom: 06[IKE] installed bypass policy for 192.168.0.0/16
Oct 29 17:12:10 homebridge charon-custom: 05[CFG] added configuration 'ikev2-vpn'
Oct 29 17:12:10 homebridge charon-custom: 06[KNL] received netlink error: Invalid argument (22)
Oct 29 17:12:10 homebridge charon-custom: 06[KNL] unable to install source route for %any6
Oct 29 17:12:10 homebridge charon-custom: 06[IKE] installed bypass policy for ::1/128
Oct 29 17:12:10 homebridge charon-custom: 06[IKE] installed bypass policy for 2601:681:4d00:154d::/64
Oct 29 17:12:10 homebridge charon-custom: 06[IKE] installed bypass policy for fd03:98a8:45eb:1::/64
Oct 29 17:12:10 homebridge charon-custom: 06[IKE] installed bypass policy for fe80::/64
Oct 29 17:12:17 homebridge charon-custom: 10[NET] received packet: from serverIP[2] to 192.168.0.40[500] (604 bytes)
Oct 29 17:12:17 homebridge charon-custom: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 29 17:12:17 homebridge charon-custom: 10[IKE] serverIP is initiating an IKE_SA
Oct 29 17:12:17 homebridge charon-custom: 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 29 17:12:17 homebridge charon-custom: 10[IKE] local host is behind NAT, sending keep alives
Oct 29 17:12:17 homebridge charon-custom: 10[IKE] remote host is behind NAT
Oct 29 17:12:17 homebridge charon-custom: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Oct 29 17:12:17 homebridge charon-custom: 10[NET] sending packet: from 192.168.0.40[500] to serverIP[2] (448 bytes)
Oct 29 17:12:18 homebridge charon-custom: 11[NET] received packet: from serverIP[1025] to 192.168.0.40[4500] (496 bytes)
Oct 29 17:12:18 homebridge charon-custom: 11[ENC] unknown attribute type (25)
Oct 29 17:12:18 homebridge charon-custom: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Oct 29 17:12:18 homebridge charon-custom: 11[CFG] looking for peer configs matching 192.168.0.40[serverIP]...serverIP[192.168.0.22]
Oct 29 17:12:18 homebridge charon-custom: 11[CFG] selected peer config 'ikev2-vpn'
Oct 29 17:12:18 homebridge charon-custom: 11[IKE] initiating EAP_IDENTITY method (id 0x00)
Oct 29 17:12:18 homebridge charon-custom: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 29 17:12:18 homebridge charon-custom: 11[IKE] peer supports MOBIKE
Oct 29 17:12:18 homebridge charon-custom: 11[IKE] authentication of 'serverIP' (myself) with RSA signature successful
Oct 29 17:12:18 homebridge charon-custom: 11[IKE] sending end entity cert "C=US, O=jodywhitesidespi, CN=serverIP"
Oct 29 17:12:18 homebridge charon-custom: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Oct 29 17:12:18 homebridge charon-custom: 11[ENC] splitting IKE message (1456 bytes) into 2 fragments
Oct 29 17:12:18 homebridge charon-custom: 11[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Oct 29 17:12:18 homebridge charon-custom: 11[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Oct 29 17:12:18 homebridge charon-custom: 11[NET] sending packet: from 192.168.0.40[4500] to serverIP[1025] (1236 bytes)
Oct 29 17:12:18 homebridge charon-custom: 11[NET] sending packet: from 192.168.0.40[4500] to serverIP[1025] (292 bytes)
Oct 29 17:12:18 homebridge charon-custom: 12[NET] received packet: from serverIP[2] to 192.168.0.40[500] (604 bytes)
Oct 29 17:12:18 homebridge charon-custom: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 29 17:12:18 homebridge charon-custom: 12[IKE] serverIP is initiating an IKE_SA
Oct 29 17:12:18 homebridge charon-custom: 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 29 17:12:19 homebridge charon-custom: 13[MGR] ignoring request with ID 0, already processing
Oct 29 17:12:20 homebridge charon-custom: 12[IKE] local host is behind NAT, sending keep alives
Oct 29 17:12:20 homebridge charon-custom: 12[IKE] remote host is behind NAT
Oct 29 17:12:20 homebridge charon-custom: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Oct 29 17:12:20 homebridge charon-custom: 12[NET] sending packet: from 192.168.0.40[500] to serverIP[2] (448 bytes)
Oct 29 17:12:20 homebridge charon-custom: 15[NET] received packet: from serverIP[1025] to 192.168.0.40[4500] (496 bytes)
Oct 29 17:12:20 homebridge charon-custom: 15[ENC] unknown attribute type (25)
Oct 29 17:12:20 homebridge charon-custom: 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Oct 29 17:12:20 homebridge charon-custom: 15[CFG] looking for peer configs matching 192.168.0.40[serverIP]...serverIP[192.168.0.22]
Oct 29 17:12:20 homebridge charon-custom: 15[CFG] selected peer config 'ikev2-vpn'
Oct 29 17:12:20 homebridge charon-custom: 15[IKE] initiating EAP_IDENTITY method (id 0x00)
Oct 29 17:12:20 homebridge charon-custom: 15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 29 17:12:20 homebridge charon-custom: 15[IKE] peer supports MOBIKE
Oct 29 17:12:20 homebridge charon-custom: 15[IKE] authentication of 'serverIP' (myself) with RSA signature successful
Oct 29 17:12:20 homebridge charon-custom: 15[IKE] sending end entity cert "C=US, O=jodywhitesidespi, CN=serverIP"
Oct 29 17:12:20 homebridge charon-custom: 15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Oct 29 17:12:20 homebridge charon-custom: 15[ENC] splitting IKE message (1456 bytes) into 2 fragments
Oct 29 17:12:20 homebridge charon-custom: 15[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Oct 29 17:12:20 homebridge charon-custom: 15[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Oct 29 17:12:20 homebridge charon-custom: 15[NET] sending packet: from 192.168.0.40[4500] to serverIP[1025] (1236 bytes)
Oct 29 17:12:20 homebridge charon-custom: 15[NET] sending packet: from 192.168.0.40[4500] to serverIP[1025] (292 bytes)
Oct 29 17:12:37 homebridge charon-custom: 05[IKE] sending keep alive to serverIP[1025]
Oct 29 17:12:41 homebridge charon-custom: 06[IKE] sending keep alive to serverIP[1025]
Oct 29 17:12:47 homebridge charon-custom: 10[JOB] deleting half open IKE_SA with serverIP after timeout
Oct 29 17:12:50 homebridge charon-custom: 11[JOB] deleting half open IKE_SA with serverIP after timeout

IPSec setup:

config setup
        charondebug     ="dmn 0,mgr 0,ike 0,chd 0,job 0,cfg 0,knl 0,net 0,tls 0,lib 0,enc 0,tnc 0"
        uniqueids       =no

conn %default
        fragmentation   =yes
        auto            =add
        dpdaction       =clear
        dpddelay        =300s
        dpdtimeout      =130
        ikelifetime     =1h
        lifetime        =1h
        margintime      =9m
        rekeyfuzz       =100%
        aggressive      =no
        forceencaps     =yes
        left            =%any
        leftid          =serverIP
        leftcert        =/etc/ipsec.d/certs/jwVPNCert.pem
        leftsendcert    =always
        leftsubnet      =0.0.0.0/0
        right           =%any
        rightid         =%any
        rightdns        =192.3.165.37,159.89.120.99,2001:470:1f07:ed6::,2a03:4000:28:365::1
        rightsourceip   =10.10.10.1/24
        rightsubnet     =%dynamic

conn ikev2-vpn
        ike             =aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048!
        esp             =aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048!
        keyexchange     =ikev2
        type            =tunnel
        compress        =no
        rekey           =no
        rightauth       =eap-mschapv2
        rightsendcert   =never
        eap_identity    =%identity

Can anyone see what it is that isn’t going right?

Jody

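Reading the log above as a state machine makes the stall visible: both IKE_SA_INIT handshakes complete, both IKE_AUTH requests are answered with an IKE_AUTH response that carries the EAP-Identity request and is split into two fragments, and nothing further arrives from the peer before charon deletes the half-open IKE_SAs. The script below is an added example, not strongSwan code and not from the poster: it replays charon syslog lines and reports, per IKE_SA, the last stage reached, the fragment count of the last response and the time to timeout. The sample input is a constructed abridgement of the quoted log, keeping the poster's "serverIP" placeholder. Because the default charon log level does not print SPIs, associating a message with an IKE_SA is a heuristic (the worker thread that received the packet, then the oldest open SA with that peer); treat the output as a reading aid, not ground truth.

```python
"""Replay strongSwan charon syslog lines and report how far each responder-side IKEv2 exchange
got before charon deleted the half-open IKE_SA.  Added example; not strongSwan project code."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+\S+:\s+"
                     r"(?P<thread>\d+)\[[A-Z]+\]\s+(?P<msg>.*)$")
# Responder-side stages of an IKEv2 + EAP exchange, in the order charon logs them.  The next
# stage after auth_resp would be "parsed IKE_AUTH request 2" (the EAP reply); it never appears.
STAGES = [("sa_init_req", re.compile(r"parsed IKE_SA_INIT request ")),
          ("sa_init_resp", re.compile(r"generating IKE_SA_INIT response ")),
          ("auth_req", re.compile(r"parsed IKE_AUTH request 1 ")),
          ("eap_started", re.compile(r"initiating EAP_\w+ method")),
          ("auth_resp", re.compile(r"generating IKE_AUTH response 1 \[ IDr"))]
@dataclass
class Exchange:
    peer: str
    opened: datetime
    stages: Dict[str, datetime] = field(default_factory=dict)
    fragments: int = 0   # from "splitting IKE message (N bytes) into K fragments"
    msg_bytes: int = 0
    keepalives: int = 0
    closed: Optional[datetime] = None
    def last_stage(self) -> str:
        reached = [n for n, _ in STAGES if n in self.stages]
        return reached[-1] if reached else "none"
    def verdict(self) -> str:
        if self.closed is None:
            return f"{self.peer}: still open, last stage {self.last_stage()}"
        frag = f" as {self.fragments} fragments ({self.msg_bytes} bytes)" if self.fragments else ""
        how_far = (f"IKE_AUTH response carrying EAP request sent{frag}, nothing more received"
                   if self.last_stage() == "auth_resp" else f"stalled after {self.last_stage()}")
        return f"{self.peer}: {how_far}; half-open SA deleted after " \
               f"{int((self.closed - self.opened).total_seconds())}s"

def _open_for(exchanges: List[Exchange], peer: str, missing: Optional[str] = None) -> Optional[Exchange]:
    # Oldest still-open exchange with this peer, optionally one that has not reached `missing` yet.
    return next((e for e in exchanges if e.peer == peer and e.closed is None
                 and (missing is None or missing not in e.stages)), None)

def replay(log_text: str) -> Tuple[List[Exchange], int]:
    exchanges, retransmits = [], 0       # SAs in order of appearance; retransmits charon ignored
    thread_peer: Dict[str, str] = {}     # worker thread -> sender of the packet it is handling
    thread_ex: Dict[str, Exchange] = {}  # worker thread -> exchange it last touched
    for raw in log_text.splitlines():
        if not (m := LINE_RE.match(raw)):
            continue
        ts, thread, msg = datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["thread"], m["msg"]
        if (pk := re.match(r"received packet: from (\S+)\[\d+\] to ", msg)):
            thread_peer[thread] = pk.group(1)
        elif "ignoring request with ID" in msg:      # peer re-sent a request we were still handling
            retransmits += 1
        elif (ka := re.match(r"sending keep alive to (\S+)\[", msg)):
            if (ex := _open_for(exchanges, ka.group(1))):
                ex.keepalives += 1
        elif (dl := re.match(r"deleting half open IKE_SA with (\S+) after timeout", msg)):
            if (ex := _open_for(exchanges, dl.group(1))):
                ex.closed = ts
        elif (fr := re.match(r"splitting IKE message \((\d+) bytes\) into (\d+) fragments", msg)):
            if (ex := thread_ex.get(thread)):
                ex.msg_bytes, ex.fragments = int(fr.group(1)), int(fr.group(2))
        elif thread in thread_peer:
            for name, pat in STAGES:
                if not pat.search(msg):
                    continue
                if name == "sa_init_req":            # every IKE_SA_INIT request opens a new IKE_SA
                    ex = Exchange(peer=thread_peer[thread], opened=ts)
                    exchanges.append(ex)
                else:                                # stay with this thread's SA unless it is done
                    ex = thread_ex.get(thread)
                    if ex is None or ex.closed is not None or name in ex.stages:
                        ex = _open_for(exchanges, thread_peer[thread], missing=name)
                if ex is not None:
                    ex.stages[name] = ts
                    thread_ex[thread] = ex
                break
    return exchanges, retransmits

# Constructed sample: an abridged copy of the charon lines quoted in the post, same "serverIP" placeholder.
SAMPLE_LOG = """\
Oct 29 17:12:17 homebridge charon-custom: 10[NET] received packet: from serverIP[2] to 192.168.0.40[500] (604 bytes)
Oct 29 17:12:17 homebridge charon-custom: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 29 17:12:17 homebridge charon-custom: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Oct 29 17:12:18 homebridge charon-custom: 11[NET] received packet: from serverIP[1025] to 192.168.0.40[4500] (496 bytes)
Oct 29 17:12:18 homebridge charon-custom: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Oct 29 17:12:18 homebridge charon-custom: 11[IKE] initiating EAP_IDENTITY method (id 0x00)
Oct 29 17:12:18 homebridge charon-custom: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Oct 29 17:12:18 homebridge charon-custom: 11[ENC] splitting IKE message (1456 bytes) into 2 fragments
Oct 29 17:12:18 homebridge charon-custom: 12[NET] received packet: from serverIP[2] to 192.168.0.40[500] (604 bytes)
Oct 29 17:12:18 homebridge charon-custom: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 29 17:12:19 homebridge charon-custom: 13[MGR] ignoring request with ID 0, already processing
Oct 29 17:12:20 homebridge charon-custom: 15[NET] received packet: from serverIP[1025] to 192.168.0.40[4500] (496 bytes)
Oct 29 17:12:20 homebridge charon-custom: 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Oct 29 17:12:20 homebridge charon-custom: 15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Oct 29 17:12:20 homebridge charon-custom: 15[ENC] splitting IKE message (1456 bytes) into 2 fragments
Oct 29 17:12:37 homebridge charon-custom: 05[IKE] sending keep alive to serverIP[1025]
Oct 29 17:12:47 homebridge charon-custom: 10[JOB] deleting half open IKE_SA with serverIP after timeout
Oct 29 17:12:50 homebridge charon-custom: 11[JOB] deleting half open IKE_SA with serverIP after timeout
"""

if __name__ == "__main__":
    print("\n".join(e.verdict() for e in replay(SAMPLE_LOG)[0]))
```

Run against the full log (`python3 replay.py < /var/log/syslog` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), the report is one line per IKE_SA; for the quoted log both lines end at the fragmented IKE_AUTH response, which is the point at which to look at the client side or capture UDP/4500 between the two NATs.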