[strongSwan] FreeBSD 13.1-STABLE / StrongSwan 5.9?

Karl Denninger karl at denninger.net
Mon Oct 10 19:08:24 CEST 2022


Uh, this looks new and bad.... My Android phone, which has worked 
forever, suddenly stopped when I updated the kernel on my gateway box, 
and this appears to be related to the reason:

.....

Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] received cert request for "C=US, ST=Florida, L=Niceville, O=Cuda Systems LLC, OU=Cuda Systems CA, CN=Cuda Systems LLC 2017 CA"
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] received cert request for "C=US, ST=Florida, O=Cuda Systems LLC, OU=Cuda Systems CA, CN=Cuda Systems LLC 2017 Int CA"
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] received 129 cert requests for an unknown ca
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] received end entity cert "C=US, ST=Tennessee, CN=Karl Denninger"
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] looking for peer configs matching 97.81.26.48[%any]...172.58.146.200[C=US, ST=Tennessee, CN=Karl Denninger]
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] selected peer config 'WinUserCert'
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG]   using certificate "C=US, ST=Tennessee, CN=Karl Denninger"
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG]   using trusted intermediate ca certificate "C=US, ST=Florida, O=Cuda Systems LLC, OU=Cuda Systems CA, CN=Cuda Systems LLC 2017 Int CA"
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] checking certificate status of "C=US, ST=Tennessee, CN=Karl Denninger"
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG]   ocsp response correctly signed by "C=US, ST=Florida, O=Cuda Systems LLC, CN=ocsp.cudasystems.net, E=info at cudasystems.net"
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG]   ocsp response is stale: since Oct 10 11:27:09 2022
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG]   requesting ocsp status from 'http://ocsp.cudasystems.net:8888' ...
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG]   ocsp response correctly signed by "C=US, ST=Florida, O=Cuda Systems LLC, CN=ocsp.cudasystems.net, E=info at cudasystems.net"
Oct 10 11:28:36 IpGw charon[1586]: 01[LIB]   certificate from Oct 10 11:28:36 2022 is newer - existing certificate from Oct 10 11:26:39 2022 replaced
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG]   ocsp response is valid: until Oct 10 11:29:06 2022
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] certificate status is good
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG]   using trusted ca certificate "C=US, ST=Florida, L=Niceville, O=Cuda Systems LLC, OU=Cuda Systems CA, CN=Cuda Systems LLC 2017 CA"
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] checking certificate status of "C=US, ST=Florida, O=Cuda Systems LLC, OU=Cuda Systems CA, CN=Cuda Systems LLC 2017 Int CA"
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG]   ocsp response correctly signed by "C=US, ST=Florida, O=Cuda Systems LLC, CN=ocsp.cudasystems.net, E=info at cudasystems.net"
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG]   ocsp response contains no status on our certificate
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG]   ocsp response correctly signed by "C=US, ST=Florida, O=Cuda Systems LLC, CN=ocsp.cudasystems.net, E=info at cudasystems.net"
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG]   ocsp response contains no status on our certificate
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] certificate status is not available
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG]   reached self-signed root ca with a path length of 1
*Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] authentication of 'C=US, ST=Tennessee, CN=Karl Denninger' with RSA_EMSA_PKCS1_SHA2_384 successful*
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] constraint check failed: EAP identity '%any' required
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] selected peer config 'WinUserCert' unacceptable: non-matching authentication done
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] switching to peer config 'StrongSwan'
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] peer supports MOBIKE
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] authentication of 'ipgw.denninger.net' (myself) with ECDSA_WITH_SHA384_DER successful
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] IKE_SA StrongSwan[4] established between 97.81.26.48[ipgw.denninger.net]...172.58.146.200[C=US, ST=Tennessee, CN=Karl Denninger]
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] scheduling reauthentication in 9977s
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] maximum IKE_SA lifetime 10517s
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] sending end entity cert "C=US, ST=Florida, O=Cuda Systems LLC, CN=ipgw.denninger.net"
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] peer requested virtual IP %any
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] reassigning offline lease to 'C=US, ST=Tennessee, CN=Karl Denninger'
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] assigning virtual IP 192.168.2.1 to peer 'C=US, ST=Tennessee, CN=Karl Denninger'
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] peer requested virtual IP %any6
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] no virtual IP found for %any6 requested by 'C=US, ST=Tennessee, CN=Karl Denninger'
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
*Oct 10 11:28:36 IpGw charon[1586]: 01[KNL] unable to add SAD entry with SPI c1be56e1: Invalid argument (22)*
*Oct 10 11:28:36 IpGw charon[1586]: 01[KNL] unable to add SAD entry with SPI 9526f1c1: Invalid argument (22)*
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] failed to establish CHILD_SA, keeping IKE_SA
Oct 10 11:28:36 IpGw charon[1586]: 01[KNL] deleting policy 192.168.2.1/32 === 0.0.0.0/0 in failed, not found
Oct 10 11:28:36 IpGw charon[1586]: 01[KNL] unable to delete SAD entry with SPI c1be56e1: No such process (3)
Oct 10 11:28:36 IpGw charon[1586]: 01[KNL] unable to delete SAD entry with SPI 9526f1c1: No such process (3)

......

The client on the Android phone says it cannot validate the user, but 
the above looks like it DID validate it on the server side but did not 
add the encryption entries for the client into the kernel, and that's 
why it's failing.  I am running GENERIC on the gateway as the docs say 
that's now ok; I used to run a custom kernel for other reasons (mostly 
PPS which I don't use anymore as I no longer have a local NTP clock) and 
the only material difference I can see is that the 12.2-STABLE custom 
kernel has the "enc" driver included in it ("device    enc") while 
GENERIC does not.

-- 
Karl Denninger
karl at denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
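The log above is a good illustration of why "the client can't validate the user" is misleading: every PKI step (OCSP refetch after a stale response, chain to the self-signed root, IKE authentication of the peer) succeeds, and the session dies only when charon's KNL layer hands the negotiated ESP SAs to the kernel and gets EINVAL back. The following triage helper is an added example (my own code, not part of the post and not strongSwan's), written against the default charon log format shown in the post. The sample log is a constructed, re-joined subset of the lines quoted above; the `Triage` class, `triage()` function and the verdict strings are my own names.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: a condensed, re-joined subset of the charon
# lines quoted in the post above (not a complete log).
SAMPLE_LOG = """\
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG]   ocsp response is stale: since Oct 10 11:27:09 2022
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG]   requesting ocsp status from 'http://ocsp.cudasystems.net:8888' ...
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG]   ocsp response is valid: until Oct 10 11:29:06 2022
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] certificate status is good
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] authentication of 'C=US, ST=Tennessee, CN=Karl Denninger' with RSA_EMSA_PKCS1_SHA2_384 successful
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] authentication of 'ipgw.denninger.net' (myself) with ECDSA_WITH_SHA384_DER successful
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] IKE_SA StrongSwan[4] established between 97.81.26.48[ipgw.denninger.net]...172.58.146.200[C=US, ST=Tennessee, CN=Karl Denninger]
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Oct 10 11:28:36 IpGw charon[1586]: 01[KNL] unable to add SAD entry with SPI c1be56e1: Invalid argument (22)
Oct 10 11:28:36 IpGw charon[1586]: 01[KNL] unable to add SAD entry with SPI 9526f1c1: Invalid argument (22)
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""

# Patterns for the charon messages that decide the triage outcome.
RE_AUTH = re.compile(r"\[IKE\] authentication of '(?P<id>.+?)'(?P<self> \(myself\))? with (?P<alg>\S+) successful")
RE_IKE_SA = re.compile(r"\[IKE\] IKE_SA \S+ established between")
RE_PROPOSAL = re.compile(r"selected proposal: (?P<prop>ESP:\S+)")
RE_SAD_FAIL = re.compile(r"unable to add SAD entry with SPI (?P<spi>[0-9a-fA-F]+): (?P<msg>.+?) \((?P<errno>\d+)\)")
RE_OCSP_STALE = re.compile(r"ocsp response is stale")
RE_OCSP_VALID = re.compile(r"ocsp response is valid")
RE_CHILD_FAIL = re.compile(r"failed to establish CHILD_SA")


@dataclass
class Triage:
    peer_auth: list = field(default_factory=list)     # (identity, algorithm) of the remote peer
    self_auth: list = field(default_factory=list)     # (identity, algorithm) of our own side
    ike_sa_established: bool = False
    esp_proposal: Optional[str] = None
    ocsp_stale: bool = False
    ocsp_refreshed: bool = False                      # a valid response followed the stale one
    sad_failures: list = field(default_factory=list)  # (spi, strerror text, errno)
    child_sa_failed: bool = False

    def verdict(self) -> str:
        """Separate 'peer never authenticated' from 'kernel refused the SA'."""
        if not self.peer_auth:
            return "auth: no successful peer authentication at the IKE layer; look at certificates/EAP, not the kernel"
        if self.sad_failures:
            spis = ", ".join(spi for spi, _, _ in self.sad_failures)
            errnos = sorted({e for _, _, e in self.sad_failures})
            state = "up" if self.ike_sa_established else "not up"
            return (f"kernel: peer authenticated and IKE_SA {state}, but SAD add failed for SPI {spis} "
                    f"(errno {errnos}); the PKI path succeeded, so check the kernel's IPsec support next")
        if self.child_sa_failed:
            return "child-sa: CHILD_SA failed without a SAD error; read the surrounding KNL/IKE lines"
        return "ok: authentication and SA installation succeeded"


def triage(log: str) -> Triage:
    """Walk a charon log and collect the facts the verdict depends on."""
    t = Triage()
    for line in log.splitlines():
        if m := RE_AUTH.search(line):
            (t.self_auth if m.group("self") else t.peer_auth).append((m.group("id"), m.group("alg")))
        elif RE_IKE_SA.search(line):
            t.ike_sa_established = True
        elif m := RE_PROPOSAL.search(line):
            t.esp_proposal = m.group("prop")
        elif m := RE_SAD_FAIL.search(line):
            t.sad_failures.append((m.group("spi"), m.group("msg"), int(m.group("errno"))))
        elif RE_OCSP_STALE.search(line):
            t.ocsp_stale = True
        elif RE_OCSP_VALID.search(line):
            t.ocsp_refreshed = t.ocsp_stale  # only counts as a refresh if a stale response preceded it
        elif RE_CHILD_FAIL.search(line):
            t.child_sa_failed = True
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("peer auth:   ", result.peer_auth)
    print("ESP proposal:", result.esp_proposal)
    print("SAD failures:", result.sad_failures)
    print("verdict:     ", result.verdict())
```

Run against the sample, the verdict comes back as "kernel: ..." with both SPIs and errno 22, which is the split that matters here: the Android client's "cannot validate the user" message describes the CHILD_SA never coming up, not a certificate problem, so the next thing to inspect is the gateway kernel's IPsec support (loaded modules, supported ESP algorithms, `setkey -D`) rather than the CA chain or OCSP responder.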