Issue #1063
Unable to establish a connection w/ECDSA Certs
Description
Hello. I've attempted to create ECDSA certs/keys with the following commands:
ipsec pki --gen --type ecdsa --size 384 \
  --outform pem \
  > private/strongswanKey.pem
chmod 600 private/strongswanKey.pem

ipsec pki --self --ca --lifetime 3650 \
  --in private/strongswanKey.pem --type ecdsa \
  --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
  --outform pem \
  > cacerts/strongswanCert.pem

ipsec pki --gen --type ecdsa --size 256 \
  --outform pem \
  > private/vpnHostKey.pem
chmod 600 private/vpnHostKey.pem

ipsec pki --pub --in private/vpnHostKey.pem --type ecdsa | \
  ipsec pki --issue --lifetime 730 \
  --cacert cacerts/strongswanCert.pem \
  --cakey private/strongswanKey.pem \
  --dn "C=CH, O=strongSwan, CN=SERVER.IP" \
  --san SERVER.IP \
  --flag serverAuth --flag ikeIntermediate \
  --outform pem > certs/vpnHostCert.pem

ipsec pki --gen --type ecdsa --size 256 \
  --outform pem \
  > private/ClientKey.pem
chmod 600 private/ClientKey.pem

ipsec pki --pub --in private/ClientKey.pem --type ecdsa | \
  ipsec pki --issue --lifetime 730 \
  --cacert cacerts/strongswanCert.pem \
  --cakey private/strongswanKey.pem \
  --dn "C=CH, O=strongSwan, CN=Client Key" \
  --san Client_Key \
  --outform pem > certs/ClientCert.pem

openssl pkcs12 -export -inkey private/ClientKey.pem \
  -in certs/ClientCert.pem -name "Client's VPN Certificate" \
  -certfile cacerts/strongswanCert.pem \
  -caname "strongSwan Root CA" \
  -out Client.p12
However, when I attempt to use these new certs/keys, I get this in the logs:
Aug 9 03:07:05 retro charon: 03[NET] received packet: from 172.56.2.244[56289] to 10.0.0.9[500]
Aug 9 03:07:05 retro charon: 03[NET] waiting for data on sockets
Aug 9 03:07:05 retro charon: 12[NET] received packet: from 172.56.2.244[56289] to 10.0.0.9[500] (668 bytes)
Aug 9 03:07:05 retro charon: 12[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Aug 9 03:07:05 retro charon: 12[CFG] looking for an ike config for 10.0.0.9...172.56.2.244
Aug 9 03:07:05 retro charon: 12[CFG] candidate: %any...%any, prio 28
Aug 9 03:07:05 retro charon: 12[CFG] found matching ike config: %any...%any with prio 28
Aug 9 03:07:05 retro charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
Aug 9 03:07:05 retro charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Aug 9 03:07:05 retro charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Aug 9 03:07:05 retro charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Aug 9 03:07:05 retro charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Aug 9 03:07:05 retro charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Aug 9 03:07:05 retro charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Aug 9 03:07:05 retro charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Aug 9 03:07:05 retro charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Aug 9 03:07:05 retro charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 9 03:07:05 retro charon: 12[IKE] received XAuth vendor ID
Aug 9 03:07:05 retro charon: 12[IKE] received Cisco Unity vendor ID
Aug 9 03:07:05 retro charon: 12[IKE] received FRAGMENTATION vendor ID
Aug 9 03:07:05 retro charon: 12[IKE] received DPD vendor ID
Aug 9 03:07:05 retro charon: 12[IKE] 172.56.2.244 is initiating a Main Mode IKE_SA
Aug 9 03:07:05 retro charon: 12[IKE] IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug 9 03:07:05 retro charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 9 03:07:05 retro rsyslogd-2177: imuxsock begins to drop messages from pid 18539 due to rate-limiting
Aug 9 03:07:11 retro rsyslogd-2177: imuxsock lost 128 messages from pid 18539 due to rate-limiting
Aug 9 03:07:11 retro charon: 03[NET] received packet: from 172.56.2.244[22689] to 10.0.0.9[4500]
Aug 9 03:07:11 retro charon: 03[NET] waiting for data on sockets
Aug 9 03:07:14 retro charon: 03[NET] received packet: from 172.56.2.244[22689] to 10.0.0.9[4500]
Aug 9 03:07:14 retro charon: 03[NET] waiting for data on sockets
Aug 9 03:07:17 retro charon: 03[NET] received packet: from 172.56.2.244[22689] to 10.0.0.9[4500]
Aug 9 03:07:17 retro charon: 03[NET] waiting for data on sockets
Aug 9 03:07:30 retro charon: 03[NET] received packet: from 172.56.2.244[22689] to 10.0.0.9[4500]
Aug 9 03:07:30 retro charon: 03[NET] waiting for data on sockets
My config file
config setup
    uniqueids=never
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    dpdtimeout = 5s
    ## very important for iOS; reconnection issues without this!
    fragmentation=yes
    rekey=no
    left=%any
    leftid=SERVER.IP
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    leftsendcert=always
    right=%any
    rightdns=208.67.222.222,208.67.220.220
    rightsourceip=10.0.0.100/24

conn IKEv2
    keyexchange=ikev2
    auto=add
    rightauth=eap-mschapv2
    eap_identity=%any

conn IPSec
    keyexchange=ikev1
    # forceencaps=yes
    rightauth=pubkey
    rightauth2=xauth
    auto=add
Related issues
History
#1 Updated by Tobias Brunner about 10 years ago
- Status changed from New to Feedback
Aug 9 03:07:05 retro rsyslogd-2177: imuxsock begins to drop messages from pid 18539 due to rate-limiting
Aug 9 03:07:11 retro rsyslogd-2177: imuxsock lost 128 messages from pid 18539 due to rate-limiting
Your log is incomplete because your syslog daemon is dropping messages due to the rate limiting. So we don't see if there is actually any problem.
Please reduce the log level, use a file logger or change the syslog daemon's config.
#2 Updated by Aiden A about 10 years ago
I was able to disable rate-limiting and was able to get this:
Aug 11 01:38:47 retro charon: 02[NET] received packet: from 172.56.18.4[38147] to 10.0.0.9[500]
Aug 11 01:38:47 retro charon: 02[NET] waiting for data on sockets
Aug 11 01:38:47 retro charon: 05[NET] received packet: from 172.56.18.4[38147] to 10.0.0.9[500] (668 bytes)
Aug 11 01:38:47 retro charon: 05[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Aug 11 01:38:47 retro charon: 05[CFG] looking for an ike config for 10.0.0.9...172.56.18.4
Aug 11 01:38:47 retro charon: 05[CFG] candidate: %any...%any, prio 28
Aug 11 01:38:47 retro charon: 05[CFG] found matching ike config: %any...%any with prio 28
Aug 11 01:38:47 retro charon: 05[IKE] received NAT-T (RFC 3947) vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received XAuth vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received Cisco Unity vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received FRAGMENTATION vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received DPD vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] 172.56.18.4 is initiating a Main Mode IKE_SA
Aug 11 01:38:47 retro charon: 05[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Aug 11 01:38:47 retro charon: 05[CFG] selecting proposal:
Aug 11 01:38:47 retro charon: 05[CFG] no acceptable ENCRYPTION_ALGORITHM/PSEUDO_RANDOM_FUNCTION/DIFFIE_HELLMAN_GROUP found
Aug 11 01:38:47 retro charon: 05[CFG] selecting proposal:
Aug 11 01:38:47 retro charon: 05[CFG] proposal matches
Aug 11 01:38:47 retro charon: 05[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Aug 11 01:38:47 retro charon: 05[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 11 01:38:47 retro charon: 05[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 11 01:38:47 retro charon: 05[IKE] sending XAuth vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] sending DPD vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] sending FRAGMENTATION vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] sending NAT-T (RFC 3947) vendor ID
Aug 11 01:38:47 retro charon: 05[ENC] generating ID_PROT response 0 [ SA V V V V ]
Aug 11 01:38:47 retro charon: 05[NET] sending packet: from 10.0.0.9[500] to 172.56.18.4[38147] (160 bytes)
Aug 11 01:38:47 retro charon: 03[NET] sending packet: from 10.0.0.9[500] to 172.56.18.4[38147]
Aug 11 01:38:47 retro charon: 02[NET] received packet: from 172.56.18.4[38147] to 10.0.0.9[500]
Aug 11 01:38:47 retro charon: 02[NET] waiting for data on sockets
Aug 11 01:38:47 retro charon: 08[NET] received packet: from 172.56.18.4[38147] to 10.0.0.9[500] (228 bytes)
Aug 11 01:38:47 retro charon: 08[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 11 01:38:47 retro charon: 08[IKE] local host is behind NAT, sending keep alives
Aug 11 01:38:47 retro charon: 08[IKE] remote host is behind NAT
Aug 11 01:38:47 retro charon: 08[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Aug 11 01:38:47 retro charon: 08[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Aug 11 01:38:47 retro charon: 08[NET] sending packet: from 10.0.0.9[500] to 172.56.18.4[38147] (314 bytes)
Aug 11 01:38:47 retro charon: 03[NET] sending packet: from 10.0.0.9[500] to 172.56.18.4[38147]
Aug 11 01:38:48 retro charon: 02[NET] received packet: from 172.56.18.4[29038] to 10.0.0.9[4500]
Aug 11 01:38:48 retro charon: 02[NET] waiting for data on sockets
Aug 11 01:38:48 retro charon: 07[NET] received packet: from 172.56.18.4[29038] to 10.0.0.9[4500] (668 bytes)
Aug 11 01:38:48 retro charon: 07[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Aug 11 01:38:48 retro charon: 07[IKE] ignoring certificate request without data
Aug 11 01:38:48 retro charon: 07[IKE] received end entity cert "C=CH, O=strongSwan, CN=Client Key"
Aug 11 01:38:48 retro charon: 07[CFG] looking for XAuthInitRSA peer configs matching 10.0.0.9...172.56.18.4[C=CH, O=strongSwan, CN=Client Key]
Aug 11 01:38:48 retro charon: 07[CFG] candidate "IPSec", match: 1/1/28 (me/other/ike)
Aug 11 01:38:48 retro charon: 07[CFG] selected peer config "IPSec"
Aug 11 01:38:48 retro charon: 07[IKE] no trusted RSA public key found for 'C=CH, O=strongSwan, CN=Client Key'
Aug 11 01:38:48 retro charon: 07[CFG] no alternative config found
Aug 11 01:38:48 retro charon: 07[IKE] queueing INFORMATIONAL task
Aug 11 01:38:48 retro charon: 07[IKE] activating new tasks
Aug 11 01:38:48 retro charon: 07[IKE] activating INFORMATIONAL task
Aug 11 01:38:48 retro charon: 07[ENC] generating INFORMATIONAL_V1 request 3247710638 [ HASH N(AUTH_FAILED) ]
Aug 11 01:38:48 retro charon: 07[NET] sending packet: from 10.0.0.9[4500] to 172.56.18.4[29038] (92 bytes)
Aug 11 01:38:48 retro charon: 07[IKE] IKE_SA IPSec[1] state change: CONNECTING => DESTROYING
Aug 11 01:38:48 retro charon: 03[NET] sending packet: from 10.0.0.9[4500] to 172.56.18.4[29038]
Aug 11 01:38:51 retro charon: 02[NET] received packet: from 172.56.18.4[29038] to 10.0.0.9[4500]
Aug 11 01:38:51 retro charon: 02[NET] waiting for data on sockets
Aug 11 01:38:54 retro charon: 02[NET] received packet: from 172.56.18.4[29038] to 10.0.0.9[4500]
Aug 11 01:38:54 retro charon: 02[NET] waiting for data on sockets
Aug 11 01:38:57 retro charon: 02[NET] received packet: from 172.56.18.4[29038] to 10.0.0.9[4500]
Aug 11 01:38:57 retro charon: 02[NET] waiting for data on sockets
Aug 11 01:39:09 retro charon: 02[NET] received packet: from 172.56.18.4[29038] to 10.0.0.9[4500]
Aug 11 01:39:09 retro charon: 02[NET] waiting for data on sockets
#3 Updated by Tobias Brunner about 10 years ago
Aug 11 01:38:48 retro charon: 07[IKE] no trusted RSA public key found for 'C=CH, O=strongSwan, CN=Client Key'
Looks like the client's certificate can't be verified. Is the CA certificate installed and loaded? Check with ipsec listcacerts.
#4 Updated by Aiden A about 10 years ago
List of X.509 CA Certificates:

  subject:  "C=CH, O=strongSwan, CN=strongSwan Root CA"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan Root CA"
  serial:    6c:8d:51:3e:89:c1:19:40
  validity:  not before Aug 10 12:21:58 2015, ok
             not after  Aug 07 12:21:58 2025, ok
  pubkey:    ECDSA 384 bits
  keyid:     70:c3:5b:e7:48:d8:3e:e8:56:04:9b:cb:35:0a:67:30:ab:a2:ad:28
  subjkey:   67:a6:c5:c9:14:a1:0f:c6:ad:27:11:c0:54:0a:33:09:ce:66:e2:ba
#5 Updated by Tobias Brunner about 10 years ago
OK, and the client certificate definitely was issued by that CA (check the authkeyId in the output of pki --print)? And is that the certificate actually installed on the client? Increasing the log level for the cfg subsystem to 3 will also show what type of identity the client sends (in case that might be an issue).
#6 Updated by Aiden A about 10 years ago
cfg lvl 3
Aug 11 12:53:06 retro charon: 02[NET] received packet: from 107.188.2.76[52225] to 10.0.0.9[500]
Aug 11 12:53:06 retro charon: 02[NET] waiting for data on sockets
Aug 11 12:53:06 retro charon: 13[NET] received packet: from 107.188.2.76[52225] to 10.0.0.9[500] (668 bytes)
Aug 11 12:53:06 retro charon: 13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Aug 11 12:53:06 retro charon: 13[CFG] looking for an ike config for 10.0.0.9...107.188.2.76
Aug 11 12:53:06 retro charon: 13[CFG] ike config match: 0 (10.0.0.9 107.188.2.76 IKEv1)
Aug 11 12:53:06 retro charon: 13[CFG] ike config match: 28 (10.0.0.9 107.188.2.76 IKEv1)
Aug 11 12:53:06 retro charon: 13[CFG] candidate: %any...%any, prio 28
Aug 11 12:53:06 retro charon: 13[CFG] found matching ike config: %any...%any with prio 28
Aug 11 12:53:06 retro charon: 13[IKE] received NAT-T (RFC 3947) vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received XAuth vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received Cisco Unity vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received FRAGMENTATION vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received DPD vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] 107.188.2.76 is initiating a Main Mode IKE_SA
Aug 11 12:53:06 retro charon: 13[IKE] IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
Aug 11 12:53:06 retro charon: 13[CFG] selecting proposal:
Aug 11 12:53:06 retro charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM/PSEUDO_RANDOM_FUNCTION/DIFFIE_HELLMAN_GROUP found
Aug 11 12:53:06 retro charon: 13[CFG] selecting proposal:
Aug 11 12:53:06 retro charon: 13[CFG] proposal matches
Aug 11 12:53:06 retro charon: 13[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Aug 11 12:53:06 retro charon: 13[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 11 12:53:06 retro charon: 13[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 11 12:53:06 retro charon: 13[IKE] sending XAuth vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] sending DPD vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] sending FRAGMENTATION vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] sending NAT-T (RFC 3947) vendor ID
Aug 11 12:53:06 retro charon: 13[ENC] generating ID_PROT response 0 [ SA V V V V ]
Aug 11 12:53:06 retro charon: 13[NET] sending packet: from 10.0.0.9[500] to 107.188.2.76[52225] (160 bytes)
Aug 11 12:53:06 retro charon: 03[NET] sending packet: from 10.0.0.9[500] to 107.188.2.76[52225]
Aug 11 12:53:06 retro charon: 02[NET] received packet: from 107.188.2.76[52225] to 10.0.0.9[500]
Aug 11 12:53:06 retro charon: 02[NET] waiting for data on sockets
Aug 11 12:53:06 retro charon: 06[NET] received packet: from 107.188.2.76[52225] to 10.0.0.9[500] (228 bytes)
Aug 11 12:53:06 retro charon: 06[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 11 12:53:06 retro charon: 06[IKE] local host is behind NAT, sending keep alives
Aug 11 12:53:06 retro charon: 06[IKE] remote host is behind NAT
Aug 11 12:53:06 retro charon: 06[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Aug 11 12:53:06 retro charon: 06[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Aug 11 12:53:06 retro charon: 06[NET] sending packet: from 10.0.0.9[500] to 107.188.2.76[52225] (314 bytes)
Aug 11 12:53:06 retro charon: 03[NET] sending packet: from 10.0.0.9[500] to 107.188.2.76[52225]
Aug 11 12:53:07 retro charon: 02[NET] received packet: from 107.188.2.76[52226] to 10.0.0.9[4500]
Aug 11 12:53:07 retro charon: 02[NET] waiting for data on sockets
Aug 11 12:53:07 retro charon: 05[NET] received packet: from 107.188.2.76[52226] to 10.0.0.9[4500] (668 bytes)
Aug 11 12:53:07 retro charon: 05[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Aug 11 12:53:07 retro charon: 05[IKE] ignoring certificate request without data
Aug 11 12:53:07 retro charon: 05[IKE] received end entity cert "C=CH, O=strongSwan, CN=Client Key"
Aug 11 12:53:07 retro charon: 05[CFG] looking for XAuthInitRSA peer configs matching 10.0.0.9...107.188.2.76[C=CH, O=strongSwan, CN=Client Key]
Aug 11 12:53:07 retro charon: 05[CFG] peer config match local: 1 (ID_ANY)
Aug 11 12:53:07 retro charon: 05[CFG] peer config match remote: 1 (ID_DER_ASN1_DN -> 30:37:31:0b:30:09:06:03:55:04:06:13:02:43:48:31:13:30:11:06:03:55:04:0a:13:0a:73:74:72:6f:6e:67:53:77:61:6e:31:13:30:11:06:03:55:04:03:13:0a:43:6c:69:65:6e:74:20:4b:65:79)
Aug 11 12:53:07 retro charon: 05[CFG] ike config match: 0 (10.0.0.9 107.188.2.76 IKEv1)
Aug 11 12:53:07 retro charon: 05[CFG] peer config match local: 1 (ID_ANY)
Aug 11 12:53:07 retro charon: 05[CFG] peer config match remote: 1 (ID_DER_ASN1_DN -> 30:37:31:0b:30:09:06:03:55:04:06:13:02:43:48:31:13:30:11:06:03:55:04:0a:13:0a:73:74:72:6f:6e:67:53:77:61:6e:31:13:30:11:06:03:55:04:03:13:0a:43:6c:69:65:6e:74:20:4b:65:79)
Aug 11 12:53:07 retro charon: 05[CFG] ike config match: 28 (10.0.0.9 107.188.2.76 IKEv1)
Aug 11 12:53:07 retro charon: 05[CFG] candidate "IPSec", match: 1/1/28 (me/other/ike)
Aug 11 12:53:07 retro charon: 05[CFG] selected peer config "IPSec"
Aug 11 12:53:07 retro charon: 05[IKE] no trusted RSA public key found for 'C=CH, O=strongSwan, CN=Client Key'
Aug 11 12:53:07 retro charon: 05[CFG] no alternative config found
Aug 11 12:53:07 retro charon: 05[IKE] queueing INFORMATIONAL task
Aug 11 12:53:07 retro charon: 05[IKE] activating new tasks
Aug 11 12:53:07 retro charon: 05[IKE] activating INFORMATIONAL task
Aug 11 12:53:07 retro charon: 05[ENC] generating INFORMATIONAL_V1 request 2644362964 [ HASH N(AUTH_FAILED) ]
Aug 11 12:53:07 retro charon: 05[NET] sending packet: from 10.0.0.9[4500] to 107.188.2.76[52226] (92 bytes)
Aug 11 12:53:07 retro charon: 05[IKE] IKE_SA IPSec[5] state change: CONNECTING => DESTROYING
Aug 11 12:53:07 retro charon: 03[NET] sending packet: from 10.0.0.9[4500] to 107.188.2.76[52226]
Aug 11 12:53:10 retro charon: 02[NET] received packet: from 107.188.2.76[52226] to 10.0.0.9[4500]
Aug 11 12:53:10 retro charon: 02[NET] waiting for data on sockets
Aug 11 12:53:13 retro charon: 02[NET] received packet: from 107.188.2.76[52226] to 10.0.0.9[4500]
Aug 11 12:53:13 retro charon: 02[NET] waiting for data on sockets
Aug 11 12:53:16 retro charon: 02[NET] received packet: from 107.188.2.76[52226] to 10.0.0.9[4500]
Aug 11 12:53:16 retro charon: 02[NET] waiting for data on sockets
Aug 11 12:53:28 retro charon: 02[NET] received packet: from 107.188.2.76[52226] to 10.0.0.9[4500]
Aug 11 12:53:28 retro charon: 02[NET] waiting for data on sockets
At the moment, using the command sudo pki --print doesn't give me any output.
#7 Updated by Tobias Brunner about 10 years ago
Log looks fine, the client sends a proper DN. How did you call pki --print? You have to either pass --in <path to cert> or pipe the certificate's content into it. Make sure it really is the client certificate (i.e. the one actually installed on the client).
#8 Updated by Aiden A about 10 years ago
My bad. Was literally typing only pki --print in the command line.
ipsec pki --print --in cacerts/strongswanCert.pem
cert:      X509
subject:   "C=CH, O=strongSwan, CN=strongSwan Root CA"
issuer:    "C=CH, O=strongSwan, CN=strongSwan Root CA"
validity:  not before Aug 10 12:21:58 2015, ok
           not after  Aug 07 12:21:58 2025, ok (expires in 3648 days)
serial:    6c:8d:51:3e:89:c1:19:40
flags:     CA CRLSign self-signed
subjkeyId: 67:a6:c5:c9:14:a1:0f:c6:ad:27:11:c0:54:0a:33:09:ce:66:e2:ba
pubkey:    ECDSA 384 bits
keyid:     70:c3:5b:e7:48:d8:3e:e8:56:04:9b:cb:35:0a:67:30:ab:a2:ad:28
subjkey:   67:a6:c5:c9:14:a1:0f:c6:ad:27:11:c0:54:0a:33:09:ce:66:e2:ba
The client cert is installed
#9 Updated by Tobias Brunner about 10 years ago
That's the CA cert, how about the client's cert.
#10 Updated by Aiden A about 10 years ago
ipsec pki --print --in certs/ClientCert.pem
cert:      X509
subject:   "C=CH, O=strongSwan, CN=Client Key"
issuer:    "C=CH, O=strongSwan, CN=strongSwan Root CA"
validity:  not before Aug 10 12:21:59 2015, ok
           not after  Aug 09 12:21:59 2017, ok (expires in 728 days)
serial:    2c:45:ee:20:09:2e:31:40
altNames:  Client_Key
flags:
authkeyId: 67:a6:c5:c9:14:a1:0f:c6:ad:27:11:c0:54:0a:33:09:ce:66:e2:ba
subjkeyId: 50:f1:b6:bc:87:c0:ce:cc:73:e2:8a:a7:b9:91:36:59:26:e2:b2:c5
pubkey:    ECDSA 256 bits
keyid:     15:36:c8:b4:31:67:ce:b5:79:2e:f1:41:75:bd:5a:49:05:01:e0:24
subjkey:   50:f1:b6:bc:87:c0:ce:cc:73:e2:8a:a7:b9:91:36:59:26:e2:b2:c5
#11 Updated by Tobias Brunner about 10 years ago
Looks fine.
Aug 11 12:53:07 retro charon: 05[IKE] no trusted RSA public key found for 'C=CH, O=strongSwan, CN=Client Key'
Sorry for not noticing this before. But it looks like the daemon is actually explicitly looking for an RSA key. That's because you use IKEv1 with XAuth/RSA <---. With that scheme the daemon creates a pubkey authenticator limited to RSA (the ECDSA schemes defined in RFC 4754, on the other hand, will force the authenticator to look for ECDSA public keys). Using ECDSA with XAuth/RSA seems incorrect, however, there is currently no XAuth/ECDSA and the client explicitly sets the authentication method to XAuth/RSA. What client are you using?
I suppose we could look for any kind of key with a matching identity (at least for the XAuth schemes), but that might not always result in the right certificate getting selected either (e.g. when a server has an RSA and an ECDSA key with the same identity to use in different connections).
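The mismatch described above can be checked on the certificate itself before reading charon's debug log. The following is an added example, not strongSwan code: it walks the DER of a PEM certificate with the standard library only, pulls out the SubjectPublicKeyInfo algorithm OID, and compares it with the key type the IKEv1 authenticator looks for (XAuth/RSA: RSA only; the RFC 4754 ECDSA schemes: ECDSA only). The auth-method names, the helper names and the constructed stand-in certificate are assumptions made for this example.

```python
import base64

# DER value bytes of the SubjectPublicKeyInfo algorithm OIDs:
# rsaEncryption 1.2.840.113549.1.1.1 (RFC 3279), id-ecPublicKey 1.2.840.10045.2.1 (RFC 5480)
RSA_OID = bytes.fromhex("2a864886f70d010101")
EC_OID = bytes.fromhex("2a8648ce3d0201")
SPKI_ALGS = {RSA_OID: "RSA", EC_OID: "ECDSA"}
# Key type the pubkey authenticator is limited to, per the explanation in this thread
# (method names here are assumed labels, not strongSwan configuration keywords)
WANTED_KEY = {"xauthrsa": "RSA", "ecdsa": "ECDSA"}

def _tlv(data: bytes, pos: int):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value: bytes) -> list:
    """Split a SEQUENCE value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def public_key_algorithm(pem: str) -> str:
    """Return 'RSA', 'ECDSA' or 'unknown' for the certificate's SPKI algorithm."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    fields = _children(_children(_tlv(der, 0)[1])[0][1])  # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:                              # optional [0] EXPLICIT version
        fields = fields[1:]
    spki = fields[5][1]            # serial, signature, issuer, validity, subject, SPKI
    alg_oid = _children(_children(spki)[0][1])[0][1]      # AlgorithmIdentifier.algorithm
    return SPKI_ALGS.get(alg_oid, "unknown")

def usable_for(pem: str, auth_method: str) -> bool:
    """True if the authenticator for auth_method would look for this cert's key type."""
    return WANTED_KEY.get(auth_method) == public_key_algorithm(pem)

def constructed_cert_pem(spki_oid: bytes) -> str:
    """Constructed, unsigned stand-in certificate with the given SPKI OID (not a real cert)."""
    der = lambda tag, value: bytes([tag, len(value)]) + value  # short-form lengths suffice here
    seq = lambda *parts: der(0x30, b"".join(parts))
    spki = seq(seq(der(0x06, spki_oid)), der(0x03, b"\x00"))
    tbs = seq(der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), seq(), seq(), seq(), seq(), spki)
    b64 = base64.b64encode(seq(tbs, seq(), der(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

Against a real file, `usable_for(open("certs/ClientCert.pem").read(), "xauthrsa")` returns False for the ECDSA 256-bit client certificate printed above, which is exactly the situation the "no trusted RSA public key found" line reports.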
#12 Updated by Aiden A about 10 years ago
The client I'm using is a MacBook running Yosemite (10.10.4)
#13 Updated by Tobias Brunner about 10 years ago
The client I'm using is a MacBook running Yosemite (10.10.4)
Hm, OK. Apple often does strange stuff. You could try the attached patch, not sure if we are going to apply it upstream though, as it could lead to the wrong key getting selected if multiple keys of different types share the same identity.
#14 Updated by Aiden A about 10 years ago
Do you know how and where I should be applying the patch?
#15 Updated by Tobias Brunner about 10 years ago
Do you know how and where I should be applying the patch?
Download the patch then apply it to the strongSwan sources with patch -p1 < search-for-any-key-for-xauthrsa.patch or, if you checked out the sources via Git, with git apply search-for-any-key-for-xauthrsa.patch. InstallationDocumentation has more on building from sources.
#16 Updated by Aiden A about 10 years ago
I've tried to apply the patch using the following command, but I got this:
can't find file to patch at input line 5
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git a/src/libcharon/sa/authenticator.c b/src/libcharon/sa/authenticator.c
|index 6c3681a2d2d3..8f825969d08c 100644
|--- a/src/libcharon/sa/authenticator.c
|+++ b/src/libcharon/sa/authenticator.c
--------------------------
File to patch:
#17 Updated by Tobias Brunner about 10 years ago
Did you run this in the top-level source directory (you should see a src subdirectory) and with -p1?
#18 Updated by Aiden A about 10 years ago
I tried running the patch in usr/src/ but that's where I get that output in my last post.
#19 Updated by Tobias Brunner about 10 years ago
Why in /usr/src? I was referring to the strongSwan sources, did you check InstallationDocumentation?
#20 Updated by Noel Kuntze over 7 years ago
- Status changed from Feedback to Closed
- Resolution set to No feedback
#21 Updated by Tobias Brunner almost 5 years ago
- Related to Issue #3631: Unable to establish a connection w/ECDSA Certs (Follow up #1063) added