Issue #1026

IKEv2 VPN fails when connecting via WAN

Added by Duncan Murray over 5 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
-
Affected version:
5.3.2
Resolution:
No feedback

Description

I have set up an IKEv2 VPN which authenticates via RADIUS, and I am able to connect without issues when on the local LAN pointing directly to the server, which is 192.168.1.10.

I have had the connection working through the internet, at which point I can disconnect and reconnect without issues for a few minutes; however, something changes and I am unable to connect again. I have a DNS resolver pointing to the WAN IP of the router, which resolves without issues. I have tried testing this through a tethered phone connection, as pointing the VPN connection to the WAN IP address from within the local network fails. Restarting ipsec makes no difference.

I am receiving Windows error 809, which indicates a firewall issue. It had worked when I had the DMZ on the router pass all traffic through to the pfSense firewall, which lets ports 500, 4500 and the ESP protocol through. I haven't changed anything, but it is now not working. I have also tried pointing the DMZ to the strongSwan server but get the same result. Using the FQDN worked for a short while, but when I restarted ipsec to remove the --nofork flag I was using for debugging, the 809 error returned. The only thing I had done between it working and producing the 809 error was to restart ipsec. Even while it is producing the 809 error I am able to connect to its LAN IP (192.168.1.10) without issues.

Thanks in advance.

/etc/ipsec.conf

config setup
        # uniqueids=never
        charondebug="cfg 2, dmn 2, ike 2, net 2" 

conn %default
        keyexchange=ikev2
        ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
        esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftsubnet=0.0.0.0/0
        leftcert=vpnHostCert.pem
        leftfirewall=yes
        right=%any
        rightsourceip=192.168.1.20/24
        rightdns=192.168.1.10,8.8.4.4

conn IPSec-IKEv2
        keyexchange=ikev2
        auto=add

conn IPSec-IKEv2-EAP
        also="IPSec-IKEv2"
        rightauth=eap-radius
        rightsendcert=never
        eap_identity=%any

/etc/strongswan.conf

charon {
        load_modular = yes

        plugins {
                include strongswan.d/charon/*.conf
                eap-radius{
                   class_group = yes
                   eap_start = no
                   servers {
                      primary {
                          address = 127.0.0.1
                          secret = Redacted
                          sockets = 20
                          # use secondary only if overloaded/non-responsive
                          preference = 99
                        }
                   }
                }
        }
}

include strongswan.d/*.conf

root@apsserver:/home/administrator# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp spt:isakmp dpt:isakmp
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp spt:ipsec-nat-t dpt:ipsec-nat-t
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     esp  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp spt:isakmp dpt:isakmp
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp spt:ipsec-nat-t dpt:ipsec-nat-t
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
ACCEPT     esp  --  anywhere             anywhere
root@apsserver:/home/administrator# ipsec version
Linux strongSwan U5.3.2/K3.16.0-4-amd64
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland

root@apsserver:/home/administrator# ipsec start --nofork
Starting strongSwan 5.3.2 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, Linux 3.16.0-4-amd64, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "Redacted" from '/etc/ipsec.d/cacerts/cacert.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/vpnHostKey.pem'
00[CFG]   loaded EAP secret for user1
00[CFG] loaded 1 RADIUS server configuration
00[CFG] HA config misses local/remote address
00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
14[NET] waiting for data on sockets
charon (1435) started after 80 ms
09[CFG] received stroke: add connection 'IPSec-IKEv2'
09[CFG] conn IPSec-IKEv2
09[CFG]   left=%any
09[CFG]   leftsubnet=0.0.0.0/0
09[CFG]   leftcert=vpnHostCert.pem
09[CFG]   leftupdown=ipsec _updown iptables
09[CFG]   right=%any
09[CFG]   rightsourceip=192.168.1.20/24
09[CFG]   rightdns=192.168.1.10,8.8.4.4
09[CFG]   ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
09[CFG]   esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
09[CFG]   dpddelay=300
09[CFG]   dpdtimeout=150
09[CFG]   dpdaction=1
09[CFG]   mediation=no
09[CFG]   keyexchange=ikev2
09[CFG] left nor right host is our side, assuming left=local
09[CFG] adding virtual IP address pool 192.168.1.20/24
09[CFG]   loaded certificate "Redacted" from 'vpnHostCert.pem'
09[CFG]   id '%any' not confirmed by certificate, defaulting to 'Redacted'
09[CFG] added configuration 'IPSec-IKEv2'
11[CFG] received stroke: add connection 'IPSec-IKEv2-EAP'
11[CFG] conn IPSec-IKEv2-EAP
11[CFG]   left=%any
11[CFG]   leftsubnet=0.0.0.0/0
11[CFG]   leftcert=vpnHostCert.pem
11[CFG]   leftupdown=ipsec _updown iptables
11[CFG]   right=%any
11[CFG]   rightsourceip=192.168.1.20/24
11[CFG]   rightdns=192.168.1.10,8.8.4.4
11[CFG]   rightauth=eap-radius
11[CFG]   eap_identity=%any
11[CFG]   ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
11[CFG]   esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
11[CFG]   dpddelay=300
11[CFG]   dpdtimeout=150
11[CFG]   dpdaction=1
11[CFG]   mediation=no
11[CFG]   keyexchange=ikev2
11[CFG] left nor right host is our side, assuming left=local
11[CFG] reusing virtual IP address pool 192.168.1.20/24
11[CFG]   loaded certificate "Redacted" from 'vpnHostCert.pem'
11[CFG]   id '%any' not confirmed by certificate, defaulting to 'Redacted'
11[CFG] added configuration 'IPSec-IKEv2-EAP'

Here is the output from ipsec start --nofork when the connection fails and gives me an 809 error.

06[NET] received packet: from 1.136.91.153[500] to 192.168.1.10[500]
06[NET] waiting for data on sockets
02[NET] received packet: from 1.136.91.153[500] to 192.168.1.10[500] (616 bytes)
02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
02[CFG] looking for an ike config for 192.168.1.10...1.136.91.153
02[CFG]   candidate: %any...%any, prio 28
02[CFG]   candidate: %any...%any, prio 28
02[CFG] found matching ike config: %any...%any with prio 28
02[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
02[IKE] received MS-Negotiation Discovery Capable vendor ID
02[IKE] received Vid-Initial-Contact vendor ID
02[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
02[IKE] 1.136.91.153 is initiating an IKE_SA
02[IKE] IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
02[CFG] selecting proposal:
02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
....

....
02[CFG] selecting proposal:
02[CFG]   proposal matches
02[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
02[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
02[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
02[IKE] local host is behind NAT, sending keep alives
02[IKE] remote host is behind NAT
02[IKE] sending cert request for "Redacted" 
02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
02[NET] sending packet: from 192.168.1.10[500] to 1.136.91.153[500] (337 bytes)
08[NET] sending packet: from 192.168.1.10[500] to 1.136.91.153[500]
06[NET] received packet: from 1.136.91.153[500] to 192.168.1.10[500]
06[NET] waiting for data on sockets
11[NET] received packet: from 1.136.91.153[500] to 192.168.1.10[500] (616 bytes)
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
11[IKE] received retransmit of request with ID 0, retransmitting response
11[NET] sending packet: from 192.168.1.10[500] to 1.136.91.153[500] (337 bytes)
08[NET] sending packet: from 192.168.1.10[500] to 1.136.91.153[500]
13[IKE] sending keep alive to 1.136.91.153[500]
08[NET] sending packet: from 192.168.1.10[500] to 1.136.91.153[500]
01[JOB] deleting half open IKE_SA after timeout
01[IKE] IKE_SA (unnamed)[3] state change: CONNECTING => DESTROYING

This is the ipsec start --nofork output from a LAN connection, and it connects in <1 second.

01[NET] received packet: from 192.168.1.2[500] to 192.168.1.10[500]
01[NET] waiting for data on sockets
11[NET] received packet: from 192.168.1.2[500] to 192.168.1.10[500] (616 bytes)
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
11[CFG] looking for an ike config for 192.168.1.10...192.168.1.2
11[CFG]   candidate: %any...%any, prio 28
11[CFG]   candidate: %any...%any, prio 28
11[CFG] found matching ike config: %any...%any with prio 28
11[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
11[IKE] received MS-Negotiation Discovery Capable vendor ID
11[IKE] received Vid-Initial-Contact vendor ID
11[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
11[IKE] 192.168.1.2 is initiating an IKE_SA
11[IKE] IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
11[CFG] selecting proposal:
.......

.......
11[CFG]   no acceptable ENCRYPTION_ALGORITHM found
11[CFG] selecting proposal:
11[CFG]   proposal matches
11[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
11[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
11[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
11[IKE] remote host is behind NAT
11[IKE] sending cert request for "Redacted" 
11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
11[NET] sending packet: from 192.168.1.10[500] to 192.168.1.2[500] (337 bytes)
12[NET] sending packet: from 192.168.1.10[500] to 192.168.1.2[500]
01[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500]
01[NET] waiting for data on sockets
09[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500] (712 bytes)
09[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
....
09[IKE] received cert request for "Redacted" 
....
09[IKE] received 17 cert requests for an unknown ca
09[CFG] looking for peer configs matching 192.168.1.10[%any]...192.168.1.2[192.168.1.74]
09[CFG]   candidate "IPSec-IKEv2", match: 1/1/28 (me/other/ike)
09[CFG]   candidate "IPSec-IKEv2-EAP", match: 1/1/28 (me/other/ike)
09[CFG] selected peer config 'IPSec-IKEv2'
09[IKE] peer requested EAP, config inacceptable
09[CFG] switching to peer config 'IPSec-IKEv2-EAP'
09[IKE] initiating EAP_IDENTITY method (id 0x00)
09[IKE] processing INTERNAL_IP4_ADDRESS attribute
09[IKE] processing INTERNAL_IP4_DNS attribute
09[IKE] processing INTERNAL_IP4_NBNS attribute
09[IKE] processing INTERNAL_IP4_SERVER attribute
09[IKE] processing INTERNAL_IP6_ADDRESS attribute
09[IKE] processing INTERNAL_IP6_DNS attribute
09[IKE] processing INTERNAL_IP6_SERVER attribute
09[IKE] peer supports MOBIKE
09[IKE] authentication of 'Redacted' (myself) with RSA signature successful
09[IKE] sending end entity cert "Redacted" 
09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
09[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500] (1368 bytes)
12[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500]
01[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500]
01[NET] waiting for data on sockets
06[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500] (104 bytes)
06[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
06[IKE] received EAP identity 'administrator'
06[CFG] RADIUS server 'primary' is candidate: 309
06[CFG] sending RADIUS Access-Request to server 'primary'
06[CFG] received RADIUS Access-Challenge from server 'primary'
06[IKE] initiating EAP_PEAP method (id 0x01)
06[ENC] generating IKE_AUTH response 2 [ EAP/REQ/PEAP ]
06[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500] (88 bytes)
12[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500]
01[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500]
01[NET] waiting for data on sockets
16[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500] (232 bytes)
16[ENC] parsed IKE_AUTH request 3 [ EAP/RES/PEAP ]
16[CFG] sending RADIUS Access-Request to server 'primary'
16[CFG] received RADIUS Access-Challenge from server 'primary'
16[ENC] generating IKE_AUTH response 3 [ EAP/REQ/PEAP ]
16[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500] (1096 bytes)
12[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500]
01[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500]
01[NET] waiting for data on sockets
04[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500] (88 bytes)
04[ENC] parsed IKE_AUTH request 4 [ EAP/RES/PEAP ]
04[CFG] sending RADIUS Access-Request to server 'primary'
04[CFG] received RADIUS Access-Challenge from server 'primary'
04[ENC] generating IKE_AUTH response 4 [ EAP/REQ/PEAP ]
04[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500] (1080 bytes)
12[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500]
01[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500]
01[NET] waiting for data on sockets
02[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500] (88 bytes)
02[ENC] parsed IKE_AUTH request 5 [ EAP/RES/PEAP ]
02[CFG] sending RADIUS Access-Request to server 'primary'
02[CFG] received RADIUS Access-Challenge from server 'primary'
02[ENC] generating IKE_AUTH response 5 [ EAP/REQ/PEAP ]
02[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500] (296 bytes)
12[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500]
01[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500]
01[NET] waiting for data on sockets
07[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500] (424 bytes)
07[ENC] parsed IKE_AUTH request 6 [ EAP/RES/PEAP ]
07[CFG] sending RADIUS Access-Request to server 'primary'
07[CFG] received RADIUS Access-Challenge from server 'primary'
07[ENC] generating IKE_AUTH response 6 [ EAP/REQ/PEAP ]
07[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500] (152 bytes)
12[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500]
01[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500]
01[NET] waiting for data on sockets
03[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500] (88 bytes)
03[ENC] parsed IKE_AUTH request 7 [ EAP/RES/PEAP ]
03[CFG] sending RADIUS Access-Request to server 'primary'
03[CFG] received RADIUS Access-Challenge from server 'primary'
03[ENC] generating IKE_AUTH response 7 [ EAP/REQ/PEAP ]
03[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500] (120 bytes)
12[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500]
01[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500]
01[NET] waiting for data on sockets
14[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500] (152 bytes)
14[ENC] parsed IKE_AUTH request 8 [ EAP/RES/PEAP ]
14[CFG] sending RADIUS Access-Request to server 'primary'
14[CFG] received RADIUS Access-Challenge from server 'primary'
14[ENC] generating IKE_AUTH response 8 [ EAP/REQ/PEAP ]
14[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500] (152 bytes)
12[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500]
01[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500]
01[NET] waiting for data on sockets
05[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500] (200 bytes)
05[ENC] parsed IKE_AUTH request 9 [ EAP/RES/PEAP ]
05[CFG] sending RADIUS Access-Request to server 'primary'
05[CFG] received RADIUS Access-Challenge from server 'primary'
05[ENC] generating IKE_AUTH response 9 [ EAP/REQ/PEAP ]
05[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500] (168 bytes)
12[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500]
01[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500]
01[NET] waiting for data on sockets
13[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500] (136 bytes)
13[ENC] parsed IKE_AUTH request 10 [ EAP/RES/PEAP ]
13[CFG] sending RADIUS Access-Request to server 'primary'
13[CFG] received RADIUS Access-Challenge from server 'primary'
13[ENC] generating IKE_AUTH response 10 [ EAP/REQ/PEAP ]
13[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500] (120 bytes)
12[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500]
01[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500]
01[NET] waiting for data on sockets
11[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500] (136 bytes)
11[ENC] parsed IKE_AUTH request 11 [ EAP/RES/PEAP ]
11[CFG] sending RADIUS Access-Request to server 'primary'
11[CFG] received RADIUS Access-Accept from server 'primary'
11[IKE] RADIUS authentication of 'administrator' successful
11[IKE] EAP method EAP_PEAP succeeded, MSK established
11[ENC] generating IKE_AUTH response 11 [ EAP/SUCC ]
11[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500] (88 bytes)
12[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500]
01[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500]
01[NET] waiting for data on sockets
09[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500] (136 bytes)
09[ENC] parsed IKE_AUTH request 12 [ AUTH ]
09[IKE] authentication of '192.168.1.74' with EAP successful
09[IKE] authentication of 'Redacted' (myself) with EAP
09[IKE] IKE_SA IPSec-IKEv2-EAP[3] established between 192.168.1.10[Redacted]...192.168.1.2[192.168.1.74]
09[IKE] IKE_SA IPSec-IKEv2-EAP[3] state change: CONNECTING => ESTABLISHED
09[IKE] peer requested virtual IP %any
09[CFG] assigning new lease to 'administrator'
09[IKE] assigning virtual IP 192.168.1.20 to peer 'administrator'
09[IKE] peer requested virtual IP %any6
09[IKE] no virtual IP found for %any6 requested by 'administrator'
09[IKE] building INTERNAL_IP4_DNS attribute
09[IKE] building INTERNAL_IP4_DNS attribute
09[CFG] looking for a child config for ::/0 0.0.0.0/0 === ::/0 0.0.0.0/0
09[CFG] proposing traffic selectors for us:
09[CFG]  0.0.0.0/0
09[CFG] proposing traffic selectors for other:
09[CFG]  192.168.1.20/32
09[CFG]   candidate "IPSec-IKEv2-EAP" with prio 5+1
09[CFG] found matching child config "IPSec-IKEv2-EAP" with prio 6
09[CFG] selecting proposal:
09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
........

........
09[CFG] selecting proposal:
09[CFG]   proposal matches
09[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
09[CFG] configured proposals: ESP:AES_GCM_16_128/ECP_256/NO_EXT_SEQ, ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/ECP_384/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
09[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
09[CFG] selecting traffic selectors for us:
09[CFG]  config: 0.0.0.0/0, received: ::/0 => no match
09[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
09[CFG] selecting traffic selectors for other:
09[CFG]  config: 192.168.1.20/32, received: ::/0 => no match
09[CFG]  config: 192.168.1.20/32, received: 0.0.0.0/0 => match: 192.168.1.20/32
09[IKE] CHILD_SA IPSec-IKEv2-EAP{1} established with SPIs c09a4928_i 832b297e_o and TS 0.0.0.0/0 === 192.168.1.20/32
09[ENC] generating IKE_AUTH response 12 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
09[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500] (280 bytes)
12[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500]
05[IKE] sending keep alive to 1.136.91.153[500]
12[NET] sending packet: from 192.168.1.10[500] to 1.136.91.153[500]
16[JOB] deleting half open IKE_SA after timeout
16[IKE] IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
15[JOB] deleting half open IKE_SA after timeout
15[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
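
The negotiation lines in the traces above (received proposals, configured proposals, selected proposal) also show how the Windows client ended up on AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024: that entry is 18th in the configured ike= list but the last one the client offered, while the client's second offer (AES_CBC_256/HMAC_SHA1_96/MODP_1024) is also configured and was not chosen. So the responder walks its own list in order and takes the first entry the client also offered, not the client's first offer. The following is an added example, not strongSwan code or code from this report. It replays that selection from charon log lines (the sample below is constructed from the report's lines, trimmed to a few entries per list), handles the IKE_AUTH CHILD_SA case in which the DH transform is not negotiated, and grades the result against RFC 8247 requirement levels; the LEVEL table and the function names are the example's own.

```python
"""Replay IKEv2 proposal selection from charon "received/configured proposals" log lines.
Added example, not strongSwan code. It implements the ordering the report's log exhibits:
the responder walks its configured list and takes the first entry the peer also offered."""
import re

# Constructed from the proposal lines in the report, trimmed to a few entries per list.
SAMPLE_LOG = """\
02[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
02[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""

RX_LINE = re.compile(r"\[CFG\] (?P<kind>received|configured) proposals: (?P<body>.+)$")
DH_GROUP = re.compile(r"^(MODP_|ECP_|CURVE_)")

# RFC 8247 requirement levels for the transforms that appear in the report's proposals
# (this table is the example's own summary of that RFC).
LEVEL = {
    "3DES_CBC": "SHOULD NOT (RFC 8247)",
    "MODP_768": "MUST NOT (RFC 8247)",
    "MODP_1024": "SHOULD NOT (RFC 8247)",
    "MODP_1536": "SHOULD NOT (RFC 8247)",
    "HMAC_SHA1_96": "MUST- (RFC 8247: expected to be deprecated)",
    "PRF_HMAC_SHA1": "MUST- (RFC 8247: expected to be deprecated)",
}

def parse_proposals(text):
    """'IKE:A/B/C, IKE:D/E/F' -> [('IKE', ('A','B','C')), ('IKE', ('D','E','F'))]."""
    out = []
    for item in text.split(","):
        proto, _, body = item.strip().partition(":")
        if body:
            out.append((proto, tuple(body.split("/"))))
    return out

def proposals_from_log(log):
    """Pull the last 'configured' and 'received' proposal lists out of a charon trace."""
    found = {}
    for line in log.splitlines():
        if m := RX_LINE.search(line):
            found[m["kind"]] = parse_proposals(m["body"])
    return found.get("configured", []), found.get("received", [])

def strip_dh(proposal):
    """Drop the DH transform: the CHILD_SA created in IKE_AUTH is keyed from the IKE_SA, no DH."""
    proto, transforms = proposal
    return proto, tuple(t for t in transforms if not DH_GROUP.match(t))

def select(configured, received, prefer_configured=True, first_child=False):
    """First proposal of the preferred list whose transform set the other side also offers."""
    if first_child:
        configured = [strip_dh(p) for p in configured]
    outer, inner = (configured, received) if prefer_configured else (received, configured)
    for a in outer:
        for b in inner:
            if a[0] == b[0] and set(a[1]) == set(b[1]):
                return a
    return None   # the responder would answer NO_PROPOSAL_CHOSEN

def fmt(proposal):
    return f"{proposal[0]}:{'/'.join(proposal[1])}"

def grade(proposal):
    """Transforms in the proposal that RFC 8247 rates as weak or being phased out."""
    return [f"{t}: {LEVEL[t]}" for t in proposal[1] if t in LEVEL]
```

Run `proposals_from_log` on a trace taken with `cfg 2` debugging, as in the report, and compare `select(cfg, rx)` with the logged `selected proposal` line; `select(cfg, rx, prefer_configured=False)` shows what the client's order would have produced instead. Because the posted `ike=` list still carries modp1024 entries, the Windows client's default offer (every entry MODP_1024, two of them 3DES) is accepted. Removing those entries on the server alone would make IKE_SA_INIT fail with NO_PROPOSAL_CHOSEN until the client's own proposals are raised, which Windows exposes per connection through `Set-VpnConnectionIPsecConfiguration`.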

Related issues

Is duplicate of Issue #965: Windows 8.1 cannot connect to strongSwan on IKEv2 error 809 (Closed)

History

#1 Updated by Tobias Brunner over 5 years ago

  • Is duplicate of Issue #965: Windows 8.1 cannot connect to strongSwan on IKEv2 error 809 added

#2 Updated by Tobias Brunner over 5 years ago

  • Description updated (diff)
  • Status changed from New to Feedback

From the log it looks like the client might attempt to send an IKE_AUTH request, which never reaches the server. Whether that's the case you could check by running e.g. Wireshark on the client.

The reason for this is often IP fragmentation (check the size of the IKE_AUTH request), see related issue.
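
The half-open pattern described in this comment (IKE_SA_INIT answered, the client retransmits it, no IKE_AUTH, then "deleting half open IKE_SA after timeout") can be picked out of a charon log mechanically. The following is an added example, not code from strongSwan or from this report. It parses a constructed log condensed from the two traces above (the LAN IKE_SA is renumbered [4] so the two can coexist), ties lines together by the worker-thread prefix and the IKE_SA number, and reports per IKE_SA whether IKE_AUTH ever arrived, whether the peer retransmitted, whether NAT detection moved the exchange to UDP 4500, and whether any response would be fragmented at a given path MTU. The thread-correlation heuristic, the IPv4/UDP overhead constants and the 1500-byte default MTU are this example's assumptions.

```python
"""Triage IKEv2 handshakes in a strongSwan charon log (added example, not strongSwan code).
Assumes the charon 5.x format shown in the report: the worker thread "NN[...]" that received
a packet also logs the lines that process it, so thread number plus IKE_SA number tie lines
together. The overhead constants and the 1500-byte default MTU are this example's assumptions."""
import re
from dataclasses import dataclass, field

# Constructed sample, condensed from the WAN (fails) and LAN (works) traces in the report.
SAMPLE_LOG = """\
02[NET] received packet: from 1.136.91.153[500] to 192.168.1.10[500] (616 bytes)
02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
02[IKE] IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
02[IKE] local host is behind NAT, sending keep alives
02[NET] sending packet: from 192.168.1.10[500] to 1.136.91.153[500] (337 bytes)
11[NET] received packet: from 1.136.91.153[500] to 192.168.1.10[500] (616 bytes)
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
11[IKE] received retransmit of request with ID 0, retransmitting response
11[NET] sending packet: from 192.168.1.10[500] to 1.136.91.153[500] (337 bytes)
01[IKE] IKE_SA (unnamed)[3] state change: CONNECTING => DESTROYING
11[NET] received packet: from 192.168.1.2[500] to 192.168.1.10[500] (616 bytes)
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
11[IKE] IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
11[NET] sending packet: from 192.168.1.10[500] to 192.168.1.2[500] (337 bytes)
09[NET] received packet: from 192.168.1.2[4500] to 192.168.1.10[4500] (712 bytes)
09[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) SA TSi TSr ]
09[NET] sending packet: from 192.168.1.10[4500] to 192.168.1.2[4500] (1368 bytes)
09[IKE] IKE_SA IPSec-IKEv2-EAP[4] state change: CONNECTING => ESTABLISHED
"""

THR = r"^(?P<thr>\d+)\[[A-Z]+\] "
RX_RECV = re.compile(THR + r"received packet: from (?P<ip>\S+)\[\d+\] to \S+\[\d+\] \(\d+ bytes\)")
RX_SEND = re.compile(THR + r"sending packet: from \S+\[(?P<lport>\d+)\] to (?P<ip>\S+)\[\d+\] \((?P<len>\d+) bytes\)")
RX_REQ = re.compile(THR + r"parsed (?P<ex>[A-Z_]+) request \d+")
RX_FLAG = re.compile(THR + r"(?:(?P<retx>received retransmit of request)|(?P<nat>\w+ host is behind NAT))")
RX_STATE = re.compile(THR + r"IKE_SA \S+\[(?P<id>\d+)\] state change: (?P<frm>[A-Z]+) => (?P<to>[A-Z]+)")
IPV4_UDP_OVERHEAD, NON_ESP_MARKER = 28, 4  # IPv4 + UDP headers; RFC 3948 zero marker on UDP 4500

@dataclass
class IkeSa:
    sa_id: int
    peer: str
    requests: list = field(default_factory=list)   # exchange types received, in order
    responses: list = field(default_factory=list)  # (IKE bytes, local port) of each reply sent
    retransmits: int = 0
    nat: bool = False
    established: bool = False
    destroyed_half_open: bool = False

def on_wire(ike_len, port):
    """IP datagram size carrying an IKE message of ike_len bytes from the given local port."""
    return ike_len + IPV4_UDP_OVERHEAD + (NON_ESP_MARKER if port == 4500 else 0)

def parse(log):
    sas, by_peer, thr_peer, pending = {}, {}, {}, {}
    for line in log.splitlines():
        if m := RX_RECV.match(line):
            thr_peer[m["thr"]] = m["ip"]               # this worker now handles this peer's packet
        elif m := RX_REQ.match(line):
            if sa := by_peer.get(thr_peer.get(m["thr"])):
                sa.requests.append(m["ex"])
            else:                                      # first IKE_SA_INIT: IKE_SA is created just after
                pending[m["thr"]] = m["ex"]
        elif m := RX_FLAG.match(line):
            if sa := by_peer.get(thr_peer.get(m["thr"])):
                if m["retx"]:
                    sa.retransmits += 1
                else:
                    sa.nat = True
        elif m := RX_SEND.match(line):
            if sa := by_peer.get(m["ip"]):
                sa.responses.append((int(m["len"]), int(m["lport"])))
        elif m := RX_STATE.match(line):
            sa_id, thr = int(m["id"]), m["thr"]
            if m["frm"] == "CREATED":
                peer = thr_peer.get(thr, "?")
                sa = sas[sa_id] = by_peer[peer] = IkeSa(sa_id, peer)
                if thr in pending:
                    sa.requests.append(pending.pop(thr))
            elif sa_id in sas and m["to"] == "ESTABLISHED":
                sas[sa_id].established = True
            elif sa_id in sas and (m["frm"], m["to"]) == ("CONNECTING", "DESTROYING"):
                sas[sa_id].destroyed_half_open = True
    return sas

def diagnose(sa, path_mtu=1500):
    """Findings for one IKE_SA; path_mtu is the caller's assumption about the WAN path."""
    out = []
    if sa.established:
        out.append("established")
    elif sa.destroyed_half_open and "IKE_AUTH" not in sa.requests:
        out.append("half-open: IKE_SA_INIT answered but no IKE_AUTH request ever arrived")
        if sa.retransmits:
            out.append(f"peer resent IKE_SA_INIT {sa.retransmits}x: it had not seen our response by then")
        if sa.nat:
            out.append("NAT detected: IKE_AUTH arrives on UDP 4500, not 500; confirm 4500 is forwarded")
        out.append("IKE_AUTH is the first large message (certificates): check for dropped IP fragments")
    elif sa.destroyed_half_open:
        out.append("half-open: IKE_AUTH arrived but authentication never completed")
    big = [on_wire(n, p) for n, p in sa.responses if on_wire(n, p) > path_mtu]
    if big:
        out.append(f"{len(big)} response(s) exceed a {path_mtu}-byte path MTU (largest {max(big)} bytes)")
    return out
```

Usage is `for sa in parse(open("charon.log").read()).values(): print(sa.peer, diagnose(sa))`. On the sample, the WAN IKE_SA comes out half-open with one IKE_SA_INIT retransmit and NAT detected, and the LAN IKE_SA as established; the 1368-byte IKE_AUTH response measures 1400 bytes on the wire, so it fits a 1500-byte path but not a smaller one. The server log cannot show what never arrived, which is why the client-side capture suggested above is the next step: a Wireshark filter of `udp.port == 500 || udp.port == 4500 || ip.flags.mf == 1` on the client shows whether the IKE_AUTH request is sent at all and whether it leaves as IP fragments.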

#3 Updated by Tobias Brunner about 5 years ago

  • Status changed from Feedback to Closed
  • Resolution set to No feedback
