
Issue #3238

Host-to-host Windows 10 Linux

Added by kle kle about 1 month ago. Updated 11 days ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.7.2
Resolution:
No change required

Description

Hello,

I tried to connect 2 hosts in the same private subnet with IPsec.
Linux host = 172.16.100.10
Windows 10 host = 172.16.100.30
I followed "Authentication using X.509 Machine Certificates" as I saw it in the wiki.

When I tried to connect from my Windows 10 host, it refused. The error message is "IKE authentication information is not acceptable".

The following is the ipsec.conf file:

conn %default 
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    forceencaps=yes
conn win10
    left=172.16.100.10
    leftcert=certificate_wago.pem
    right=172.16.100.30
    rightid="C=FR, ST=Bretagne, O=SPIE, OU=PSR, CN=kle-w10-wago-05" 
    auto=add

Here is the log from my Linux host:

Oct 31 09:40:34 PFC100-4136B4 charon: 00[DMN] signal of type SIGINT received. Shutting down
Oct 31 09:40:34 PFC100-4136B4 ipsec_starter[3458]: charon stopped after 200 ms
Oct 31 09:40:34 PFC100-4136B4 ipsec_starter[3458]: ipsec starter stopped
Oct 31 09:40:37 PFC100-4136B4 ipsec_starter[3789]: Starting strongSwan 5.7.2 IPsec [starter]...
Oct 31 09:40:37 PFC100-4136B4 ipsec_starter[3789]: # deprecated keyword 'plutostart' in config setup
Oct 31 09:40:37 PFC100-4136B4 ipsec_starter[3789]: ### 1 parsing error (0 fatal) ###
Oct 31 09:40:37 PFC100-4136B4 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.9.146-rt125, armv7l)
Oct 31 09:40:37 PFC100-4136B4 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Oct 31 09:40:37 PFC100-4136B4 charon: 00[CFG]   loaded ca certificate "C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=cert_CA" from '/etc/ipsec.d/cacerts/ca.crt'
Oct 31 09:40:37 PFC100-4136B4 charon: 00[LIB]   file coded in unknown format, discarded
Oct 31 09:40:37 PFC100-4136B4 charon: 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 3 builders
Oct 31 09:40:37 PFC100-4136B4 charon: 00[CFG]   loading ca certificate from '/etc/ipsec.d/cacerts/ca.srl' failed
Oct 31 09:40:37 PFC100-4136B4 charon: 00[CFG]   loaded ca certificate "C=FR, ST=Bretagne, L=Rennes, O=Spie, OU=PSR, CN=WAGO" from '/etc/ipsec.d/cacerts/certificate_wago.pem'
Oct 31 09:40:37 PFC100-4136B4 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Oct 31 09:40:37 PFC100-4136B4 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct 31 09:40:37 PFC100-4136B4 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Oct 31 09:40:37 PFC100-4136B4 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct 31 09:40:37 PFC100-4136B4 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Oct 31 09:40:37 PFC100-4136B4 charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/privatekey_wago.pem'
Oct 31 09:40:37 PFC100-4136B4 charon: 00[LIB] loaded plugins: charon aes sha2 sha1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pgp dnskey pem af-alg fips-prf gmp xcbc cmac hmac gcm curl attr kernel-netlink resolve socket-default stroke updown xauth-generic
Oct 31 09:40:37 PFC100-4136B4 charon: 00[JOB] spawning 16 worker threads
Oct 31 09:40:37 PFC100-4136B4 ipsec_starter[3807]: charon (3808) started after 460 ms
Oct 31 09:40:37 PFC100-4136B4 charon: 05[CFG] received stroke: add connection 'win10'
Oct 31 09:40:37 PFC100-4136B4 charon: 05[CFG]   loaded certificate "C=FR, ST=Bretagne, L=Rennes, O=Spie, OU=PSR, CN=WAGO" from 'certificate_wago.pem'
Oct 31 09:40:37 PFC100-4136B4 charon: 05[CFG]   id '172.16.100.10' not confirmed by certificate, defaulting to 'C=FR, ST=Bretagne, L=Rennes, O=Spie, OU=PSR, CN=WAGO'
Oct 31 09:40:37 PFC100-4136B4 charon: 05[CFG] added configuration 'win10'
Oct 31 09:41:13 PFC100-4136B4 charon: 07[NET] received packet: from 172.16.100.30[500] to 172.16.100.10[500] (624 bytes)
Oct 31 09:41:13 PFC100-4136B4 charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Oct 31 09:41:13 PFC100-4136B4 charon: 07[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Oct 31 09:41:13 PFC100-4136B4 charon: 07[IKE] received MS-Negotiation Discovery Capable vendor ID
Oct 31 09:41:13 PFC100-4136B4 charon: 07[IKE] received Vid-Initial-Contact vendor ID
Oct 31 09:41:13 PFC100-4136B4 charon: 07[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Oct 31 09:41:13 PFC100-4136B4 charon: 07[IKE] 172.16.100.30 is initiating an IKE_SA
Oct 31 09:41:13 PFC100-4136B4 charon[25688]: Last message '07[IKE] 172.16.100.3' repeated 1 times, suppressed by syslog-ng on PFC100-4136B4.localdomain.lan
Oct 31 09:41:13 PFC100-4136B4 charon: 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 31 09:41:13 PFC100-4136B4 charon: 07[IKE] faking NAT situation to enforce UDP encapsulation
Oct 31 09:41:13 PFC100-4136B4 charon: 07[IKE] sending cert request for "C=FR, ST=Bretagne, L=Rennes, O=Spie, OU=PSR, CN=WAGO" 
Oct 31 09:41:13 PFC100-4136B4 charon: 07[IKE] sending cert request for "C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=cert_CA" 
Oct 31 09:41:13 PFC100-4136B4 charon: 07[IKE] sending cert request for "C=FR, ST=Bretagne, L=Rennes, O=Spie, OU=PSR, CN=WAGO" 
Oct 31 09:41:13 PFC100-4136B4 charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Oct 31 09:41:13 PFC100-4136B4 charon: 07[NET] sending packet: from 172.16.100.10[500] to 172.16.100.30[500] (385 bytes)
Oct 31 09:41:13 PFC100-4136B4 charon: 08[NET] received packet: from 172.16.100.30[4500] to 172.16.100.10[4500] (576 bytes)
Oct 31 09:41:13 PFC100-4136B4 charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
Oct 31 09:41:13 PFC100-4136B4 charon: 08[ENC] received fragment #1 of 4, waiting for complete IKE message
Oct 31 09:41:13 PFC100-4136B4 charon: 06[NET] received packet: from 172.16.100.30[4500] to 172.16.100.10[4500] (576 bytes)
Oct 31 09:41:13 PFC100-4136B4 charon: 06[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
Oct 31 09:41:13 PFC100-4136B4 charon: 06[ENC] received fragment #2 of 4, waiting for complete IKE message
Oct 31 09:41:13 PFC100-4136B4 charon: 09[NET] received packet: from 172.16.100.30[4500] to 172.16.100.10[4500] (576 bytes)
Oct 31 09:41:13 PFC100-4136B4 charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
Oct 31 09:41:13 PFC100-4136B4 charon: 09[ENC] received fragment #3 of 4, waiting for complete IKE message
Oct 31 09:41:13 PFC100-4136B4 charon: 10[NET] received packet: from 172.16.100.30[4500] to 172.16.100.10[4500] (352 bytes)
Oct 31 09:41:13 PFC100-4136B4 charon: 10[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
Oct 31 09:41:13 PFC100-4136B4 charon: 10[ENC] received fragment #4 of 4, reassembled fragmented IKE message (1836 bytes)
Oct 31 09:41:13 PFC100-4136B4 charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Oct 31 09:41:13 PFC100-4136B4 charon: 10[IKE] received cert request for "C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=cert_CA" 
Oct 31 09:41:13 PFC100-4136B4 charon: 10[IKE] received 14 cert requests for an unknown ca
Oct 31 09:41:13 PFC100-4136B4 charon: 10[IKE] received end entity cert "C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05" 
Oct 31 09:41:13 PFC100-4136B4 charon: 10[CFG] looking for peer configs matching 172.16.100.10[%any]...172.16.100.30[C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05]
Oct 31 09:41:13 PFC100-4136B4 charon: 10[CFG] no matching peer config found
Oct 31 09:41:13 PFC100-4136B4 charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 31 09:41:13 PFC100-4136B4 charon: 10[NET] sending packet: from 172.16.100.10[4500] to 172.16.100.30[4500] (76 bytes)

I saw the line "no matching peer config found" but I don't see where the problem is.

Have you got an idea, please?

History

#1 Updated by Tobias Brunner about 1 month ago

  • Category changed from windows to configuration
  • Status changed from New to Feedback

I saw the line "no matching peer config found" but I don't see where the problem is.

Have you got an idea, please?

As the log says, there is no match to the identity you configured:

Client/Cert  : C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05
Configuration: C=FR, ST=Bretagne, O=SPIE, OU=PSR, CN=kle-w10-wago-05
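The comparison above was done by eye. The following added example (my own code, not part of strongSwan or of this ticket) makes it mechanical: it parses the rightid from ipsec.conf and the identity charon printed in the "looking for peer configs matching" line, then reports which RDN differs. It assumes a plain string-level comparison of RDNs (same attributes, same order, same case), which is an approximation of how charon matches a DN identity and is good enough for triage; the sample inputs are copied from the thread.

```python
"""Check a strongSwan rightid against the identity the peer actually presented.

Added example, not strongSwan code. DN matching is approximated as an exact,
ordered, case-sensitive comparison of RDNs (assumption).
"""
import re
from typing import Dict, List, Tuple

RDN = Tuple[str, str]

# Constructed inputs copied from the thread: the rightid of the first
# ipsec.conf and the charon line showing what the Windows host presented.
CONFIGURED_RIGHTID = "C=FR, ST=Bretagne, O=SPIE, OU=PSR, CN=kle-w10-wago-05"
PEER_CONFIG_LINE = (
    "Oct 31 09:41:13 PFC100-4136B4 charon: 10[CFG] looking for peer configs "
    "matching 172.16.100.10[%any]...172.16.100.30"
    "[C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05]"
)


def parse_dn(dn: str) -> List[RDN]:
    """Split an RFC 4514 string like "C=FR, ST=Bretagne, CN=x" into ordered
    (type, value) pairs. Commas escaped as "\\," stay inside the value."""
    rdns: List[RDN] = []
    for part in re.split(r"(?<!\\),", dn):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"not an RDN: {part!r}")
        typ, val = part.split("=", 1)
        rdns.append((typ.strip().upper(), val.strip().replace("\\,", ",")))
    return rdns


def peer_identity_from_log(line: str) -> str:
    """Return the responder's view of the peer identity: the text inside the
    last [...] of a "looking for peer configs matching A[idA]...B[idB]" line."""
    m = re.search(
        r"looking for peer configs matching \S+?\[[^\]]*\]\.\.\.[^\[]+\[(.*)\]\s*$", line
    )
    if not m:
        raise ValueError("not a 'looking for peer configs matching' line")
    return m.group(1)


def compare_identities(configured: str, presented: str) -> Dict[str, object]:
    """Explain why `configured` (rightid) does or does not match `presented`."""
    cfg, got = parse_dn(configured), parse_dn(presented)
    common_cfg = [r for r in cfg if r in got]
    common_got = [r for r in got if r in cfg]
    return {
        "match": cfg == got,
        "missing_in_config": [r for r in got if r not in cfg],
        "extra_in_config": [r for r in cfg if r not in got],
        "order_ok": common_cfg == common_got,
    }


def explain(configured: str, log_line: str) -> str:
    """One-line verdict that a ticket reply could quote."""
    presented = peer_identity_from_log(log_line)
    v = compare_identities(configured, presented)
    if v["match"]:
        return "rightid matches the presented identity"
    parts = []
    if v["missing_in_config"]:
        parts.append("rightid lacks " + ", ".join(f"{t}={x}" for t, x in v["missing_in_config"]))
    if v["extra_in_config"]:
        parts.append("rightid has extra " + ", ".join(f"{t}={x}" for t, x in v["extra_in_config"]))
    if not v["order_ok"]:
        parts.append("RDN order differs")
    return "no match: " + "; ".join(parts) + f" (peer presented '{presented}')"


if __name__ == "__main__":
    print(explain(CONFIGURED_RIGHTID, PEER_CONFIG_LINE))
```

Run against the thread's inputs it reports that rightid lacks L=Rennes, which is exactly the RDN the corrected configuration in comment #2 adds.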

#2 Updated by kle kle about 1 month ago

Thanks for your fast response.

It's a stupid mistake.

I modified my ipsec.conf file as follows:

conn %default 
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    forceencaps=yes
conn win10
    left=172.16.100.10
    leftcert=certificate_wago.pem
    right=172.16.100.30
    rightid="C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05" 
    auto=add

Now the log says "No virtual IP found". I don't know why it asks for a virtual IP.

Oct 31 11:32:54 PFC100-4136B4 charon: 08[NET] received packet: from 172.16.100.30[500] to 172.16.100.10[500] (624 bytes)
Oct 31 11:32:54 PFC100-4136B4 charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Oct 31 11:32:54 PFC100-4136B4 charon: 08[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Oct 31 11:32:54 PFC100-4136B4 charon: 08[IKE] received MS-Negotiation Discovery Capable vendor ID
Oct 31 11:32:54 PFC100-4136B4 charon: 08[IKE] received Vid-Initial-Contact vendor ID
Oct 31 11:32:54 PFC100-4136B4 charon: 08[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Oct 31 11:32:54 PFC100-4136B4 charon: 08[IKE] 172.16.100.30 is initiating an IKE_SA
Oct 31 11:32:54 PFC100-4136B4 charon[25688]: Last message '08[IKE] 172.16.100.3' repeated 1 times, suppressed by syslog-ng on PFC100-4136B4.localdomain.lan
Oct 31 11:32:54 PFC100-4136B4 charon: 08[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 31 11:32:54 PFC100-4136B4 charon: 08[IKE] faking NAT situation to enforce UDP encapsulation
Oct 31 11:32:54 PFC100-4136B4 charon: 08[IKE] sending cert request for "C=FR, ST=Bretagne, L=Rennes, O=Spie, OU=PSR, CN=WAGO" 
Oct 31 11:32:54 PFC100-4136B4 charon: 08[IKE] sending cert request for "C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=cert_CA" 
Oct 31 11:32:54 PFC100-4136B4 charon: 08[IKE] sending cert request for "C=FR, ST=Bretagne, L=Rennes, O=Spie, OU=PSR, CN=WAGO" 
Oct 31 11:32:54 PFC100-4136B4 charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Oct 31 11:32:54 PFC100-4136B4 charon: 08[NET] sending packet: from 172.16.100.10[500] to 172.16.100.30[500] (385 bytes)
Oct 31 11:32:54 PFC100-4136B4 charon: 09[NET] received packet: from 172.16.100.30[4500] to 172.16.100.10[4500] (576 bytes)
Oct 31 11:32:54 PFC100-4136B4 charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
Oct 31 11:32:54 PFC100-4136B4 charon: 09[ENC] received fragment #1 of 4, waiting for complete IKE message
Oct 31 11:32:54 PFC100-4136B4 charon: 10[NET] received packet: from 172.16.100.30[4500] to 172.16.100.10[4500] (576 bytes)
Oct 31 11:32:54 PFC100-4136B4 charon: 10[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
Oct 31 11:32:54 PFC100-4136B4 charon: 10[ENC] received fragment #2 of 4, waiting for complete IKE message
Oct 31 11:32:54 PFC100-4136B4 charon: 11[NET] received packet: from 172.16.100.30[4500] to 172.16.100.10[4500] (576 bytes)
Oct 31 11:32:54 PFC100-4136B4 charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
Oct 31 11:32:54 PFC100-4136B4 charon: 11[ENC] received fragment #3 of 4, waiting for complete IKE message
Oct 31 11:32:54 PFC100-4136B4 charon: 12[NET] received packet: from 172.16.100.30[4500] to 172.16.100.10[4500] (352 bytes)
Oct 31 11:32:54 PFC100-4136B4 charon: 12[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
Oct 31 11:32:54 PFC100-4136B4 charon: 12[ENC] received fragment #4 of 4, reassembled fragmented IKE message (1836 bytes)
Oct 31 11:32:54 PFC100-4136B4 charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Oct 31 11:32:55 PFC100-4136B4 charon: 12[IKE] received cert request for "C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=cert_CA" 
Oct 31 11:32:55 PFC100-4136B4 charon: 12[IKE] received 14 cert requests for an unknown ca
Oct 31 11:32:55 PFC100-4136B4 charon: 12[IKE] received end entity cert "C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05" 
Oct 31 11:32:55 PFC100-4136B4 charon: 12[CFG] looking for peer configs matching 172.16.100.10[%any]...172.16.100.30[C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05]
Oct 31 11:32:55 PFC100-4136B4 charon: 12[CFG] selected peer config 'win10'
Oct 31 11:32:55 PFC100-4136B4 charon: 12[CFG]   using certificate "C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05" 
Oct 31 11:32:55 PFC100-4136B4 charon: 12[CFG]   using trusted ca certificate "C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=cert_CA" 
Oct 31 11:32:55 PFC100-4136B4 charon: 12[CFG] checking certificate status of "C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05" 
Oct 31 11:32:55 PFC100-4136B4 charon: 12[CFG] certificate status is not available
Oct 31 11:32:55 PFC100-4136B4 charon: 12[CFG]   reached self-signed root ca with a path length of 0
Oct 31 11:32:55 PFC100-4136B4 charon: 12[IKE] authentication of 'C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05' with RSA signature successful
Oct 31 11:32:55 PFC100-4136B4 charon: 12[IKE] authentication of 'C=FR, ST=Bretagne, L=Rennes, O=Spie, OU=PSR, CN=WAGO' (myself) with RSA signature successful
Oct 31 11:32:55 PFC100-4136B4 charon: 12[IKE] IKE_SA win10[1] established between 172.16.100.10[C=FR, ST=Bretagne, L=Rennes, O=Spie, OU=PSR, CN=WAGO]...172.16.100.30[C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05]
Oct 31 11:32:55 PFC100-4136B4 charon[25688]: Last message '12[IKE] IKE_SA win10' repeated 1 times, suppressed by syslog-ng on PFC100-4136B4.localdomain.lan
Oct 31 11:32:55 PFC100-4136B4 charon: 12[IKE] scheduling reauthentication in 9724s
Oct 31 11:32:55 PFC100-4136B4 charon: 12[IKE] maximum IKE_SA lifetime 10264s
Oct 31 11:32:55 PFC100-4136B4 charon: 12[IKE] sending end entity cert "C=FR, ST=Bretagne, L=Rennes, O=Spie, OU=PSR, CN=WAGO" 
Oct 31 11:32:55 PFC100-4136B4 charon: 12[IKE] peer requested virtual IP %any
Oct 31 11:32:55 PFC100-4136B4 charon: 12[IKE] no virtual IP found for %any requested by 'C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05'
Oct 31 11:32:55 PFC100-4136B4 charon: 12[IKE] peer requested virtual IP %any6
Oct 31 11:32:55 PFC100-4136B4 charon: 12[IKE] no virtual IP found for %any6 requested by 'C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05'
Oct 31 11:32:55 PFC100-4136B4 charon: 12[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Oct 31 11:32:55 PFC100-4136B4 charon: 12[IKE] configuration payload negotiation failed, no CHILD_SA built
Oct 31 11:32:55 PFC100-4136B4 charon: 12[IKE] failed to establish CHILD_SA, keeping IKE_SA
Oct 31 11:32:55 PFC100-4136B4 charon: 12[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(INT_ADDR_FAIL) ]
Oct 31 11:32:55 PFC100-4136B4 charon: 12[ENC] splitting IKE message (1372 bytes) into 2 fragments
Oct 31 11:32:55 PFC100-4136B4 charon: 12[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Oct 31 11:32:55 PFC100-4136B4 charon: 12[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Oct 31 11:32:55 PFC100-4136B4 charon: 12[NET] sending packet: from 172.16.100.10[4500] to 172.16.100.30[4500] (1248 bytes)
Oct 31 11:32:55 PFC100-4136B4 charon: 12[NET] sending packet: from 172.16.100.10[4500] to 172.16.100.30[4500] (192 bytes)

#3 Updated by Tobias Brunner about 1 month ago

Now the log says "No virtual IP found". I don't know why it asks for a virtual IP.

That's what the Windows client does (like many others). You have to provide one (as e.g. the example config you referred to does).

#4 Updated by kle kle about 1 month ago

OK, thanks.
If I understand correctly, it's the IP address of the other side of the tunnel?
I added "rightsourceip=172.16.100.35".
Should this IP address be in the same subnet? I think yes, because there is no routing.

When I tried to connect from the Windows client, I still had this error message: "IKE authentication information is not acceptable".

But in the log, I don't see any error.

conn %default 
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    forceencaps=yes
conn win10
    left=172.16.100.10
    leftcert=certificate_wago.pem
    right=172.16.100.30
    rightsourceip=172.16.100.35
    rightid="C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05" 
    auto=add

Oct 31 13:56:18 PFC100-4136B4 ipsec_starter[15563]: charon stopped after 200 ms
Oct 31 13:56:18 PFC100-4136B4 ipsec_starter[15563]: ipsec starter stopped
Oct 31 13:56:20 PFC100-4136B4 ipsec_starter[16176]: Starting strongSwan 5.7.2 IPsec [starter]...
Oct 31 13:56:20 PFC100-4136B4 ipsec_starter[16176]: # deprecated keyword 'plutostart' in config setup
Oct 31 13:56:20 PFC100-4136B4 ipsec_starter[16176]: ### 1 parsing error (0 fatal) ###
Oct 31 13:56:21 PFC100-4136B4 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.9.146-rt125, armv7l)
Oct 31 13:56:21 PFC100-4136B4 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Oct 31 13:56:21 PFC100-4136B4 charon: 00[CFG]   loaded ca certificate "C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=cert_CA" from '/etc/ipsec.d/cacerts/ca.crt'
Oct 31 13:56:21 PFC100-4136B4 charon: 00[LIB]   file coded in unknown format, discarded
Oct 31 13:56:21 PFC100-4136B4 charon: 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 3 builders
Oct 31 13:56:21 PFC100-4136B4 charon: 00[CFG]   loading ca certificate from '/etc/ipsec.d/cacerts/ca.srl' failed
Oct 31 13:56:21 PFC100-4136B4 charon: 00[CFG]   loaded ca certificate "C=FR, ST=Bretagne, L=Rennes, O=Spie, OU=PSR, CN=WAGO" from '/etc/ipsec.d/cacerts/certificate_wago.pem'
Oct 31 13:56:21 PFC100-4136B4 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Oct 31 13:56:21 PFC100-4136B4 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct 31 13:56:21 PFC100-4136B4 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Oct 31 13:56:21 PFC100-4136B4 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct 31 13:56:21 PFC100-4136B4 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Oct 31 13:56:21 PFC100-4136B4 charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/privatekey_wago.pem'
Oct 31 13:56:21 PFC100-4136B4 charon: 00[LIB] loaded plugins: charon aes sha2 sha1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pgp dnskey pem af-alg fips-prf gmp xcbc cmac hmac gcm curl attr kernel-netlink resolve socket-default stroke updown xauth-generic
Oct 31 13:56:21 PFC100-4136B4 charon: 00[JOB] spawning 16 worker threads
Oct 31 13:56:21 PFC100-4136B4 ipsec_starter[16194]: charon (16195) started after 460 ms
Oct 31 13:56:21 PFC100-4136B4 charon: 05[CFG] received stroke: add connection 'win10'
Oct 31 13:56:21 PFC100-4136B4 charon: 05[CFG] adding virtual IP address pool 172.16.100.35
Oct 31 13:56:21 PFC100-4136B4 charon: 05[CFG]   loaded certificate "C=FR, ST=Bretagne, L=Rennes, O=Spie, OU=PSR, CN=WAGO" from 'certificate_wago.pem'
Oct 31 13:56:21 PFC100-4136B4 charon: 05[CFG]   id '172.16.100.10' not confirmed by certificate, defaulting to 'C=FR, ST=Bretagne, L=Rennes, O=Spie, OU=PSR, CN=WAGO'
Oct 31 13:56:21 PFC100-4136B4 charon: 05[CFG] added configuration 'win10'
Oct 31 13:56:36 PFC100-4136B4 charon: 07[NET] received packet: from 172.16.100.30[500] to 172.16.100.10[500] (624 bytes)
Oct 31 13:56:36 PFC100-4136B4 charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Oct 31 13:56:36 PFC100-4136B4 charon: 07[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Oct 31 13:56:36 PFC100-4136B4 charon: 07[IKE] received MS-Negotiation Discovery Capable vendor ID
Oct 31 13:56:36 PFC100-4136B4 charon: 07[IKE] received Vid-Initial-Contact vendor ID
Oct 31 13:56:36 PFC100-4136B4 charon: 07[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Oct 31 13:56:36 PFC100-4136B4 charon: 07[IKE] 172.16.100.30 is initiating an IKE_SA
Oct 31 13:56:36 PFC100-4136B4 charon[10525]: Last message '07[IKE] 172.16.100.3' repeated 1 times, suppressed by syslog-ng on PFC100-4136B4.localdomain.lan
Oct 31 13:56:36 PFC100-4136B4 charon: 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 31 13:56:36 PFC100-4136B4 charon: 07[IKE] faking NAT situation to enforce UDP encapsulation
Oct 31 13:56:36 PFC100-4136B4 charon: 07[IKE] sending cert request for "C=FR, ST=Bretagne, L=Rennes, O=Spie, OU=PSR, CN=WAGO" 
Oct 31 13:56:36 PFC100-4136B4 charon: 07[IKE] sending cert request for "C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=cert_CA" 
Oct 31 13:56:36 PFC100-4136B4 charon: 07[IKE] sending cert request for "C=FR, ST=Bretagne, L=Rennes, O=Spie, OU=PSR, CN=WAGO" 
Oct 31 13:56:36 PFC100-4136B4 charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Oct 31 13:56:36 PFC100-4136B4 charon: 07[NET] sending packet: from 172.16.100.10[500] to 172.16.100.30[500] (385 bytes)
Oct 31 13:56:36 PFC100-4136B4 charon: 08[NET] received packet: from 172.16.100.30[4500] to 172.16.100.10[4500] (576 bytes)
Oct 31 13:56:36 PFC100-4136B4 charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
Oct 31 13:56:36 PFC100-4136B4 charon: 08[ENC] received fragment #1 of 4, waiting for complete IKE message
Oct 31 13:56:36 PFC100-4136B4 charon: 09[NET] received packet: from 172.16.100.30[4500] to 172.16.100.10[4500] (576 bytes)
Oct 31 13:56:36 PFC100-4136B4 charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
Oct 31 13:56:36 PFC100-4136B4 charon: 09[ENC] received fragment #2 of 4, waiting for complete IKE message
Oct 31 13:56:36 PFC100-4136B4 charon: 10[NET] received packet: from 172.16.100.30[4500] to 172.16.100.10[4500] (576 bytes)
Oct 31 13:56:36 PFC100-4136B4 charon: 10[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
Oct 31 13:56:36 PFC100-4136B4 charon: 10[ENC] received fragment #3 of 4, waiting for complete IKE message
Oct 31 13:56:36 PFC100-4136B4 charon: 11[NET] received packet: from 172.16.100.30[4500] to 172.16.100.10[4500] (368 bytes)
Oct 31 13:56:36 PFC100-4136B4 charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
Oct 31 13:56:36 PFC100-4136B4 charon: 11[ENC] received fragment #4 of 4, reassembled fragmented IKE message (1852 bytes)
Oct 31 13:56:36 PFC100-4136B4 charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Oct 31 13:56:36 PFC100-4136B4 charon: 11[IKE] received cert request for "C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=cert_CA" 
Oct 31 13:56:36 PFC100-4136B4 charon: 11[IKE] received 14 cert requests for an unknown ca
Oct 31 13:56:36 PFC100-4136B4 charon: 11[IKE] received end entity cert "C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05" 
Oct 31 13:56:36 PFC100-4136B4 charon: 11[CFG] looking for peer configs matching 172.16.100.10[%any]...172.16.100.30[C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05]
Oct 31 13:56:36 PFC100-4136B4 charon: 11[CFG] selected peer config 'win10'
Oct 31 13:56:36 PFC100-4136B4 charon: 11[CFG]   using certificate "C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05" 
Oct 31 13:56:36 PFC100-4136B4 charon: 11[CFG]   using trusted ca certificate "C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=cert_CA" 
Oct 31 13:56:36 PFC100-4136B4 charon: 11[CFG] checking certificate status of "C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05" 
Oct 31 13:56:36 PFC100-4136B4 charon: 11[CFG] certificate status is not available
Oct 31 13:56:36 PFC100-4136B4 charon: 11[CFG]   reached self-signed root ca with a path length of 0
Oct 31 13:56:36 PFC100-4136B4 charon: 11[IKE] authentication of 'C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05' with RSA signature successful
Oct 31 13:56:36 PFC100-4136B4 charon: 11[IKE] peer supports MOBIKE
Oct 31 13:56:36 PFC100-4136B4 charon: 11[IKE] authentication of 'C=FR, ST=Bretagne, L=Rennes, O=Spie, OU=PSR, CN=WAGO' (myself) with RSA signature successful
Oct 31 13:56:36 PFC100-4136B4 charon: 11[IKE] IKE_SA win10[1] established between 172.16.100.10[C=FR, ST=Bretagne, L=Rennes, O=Spie, OU=PSR, CN=WAGO]...172.16.100.30[C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05]
Oct 31 13:56:36 PFC100-4136B4 charon[10525]: Last message '11[IKE] IKE_SA win10' repeated 1 times, suppressed by syslog-ng on PFC100-4136B4.localdomain.lan
Oct 31 13:56:36 PFC100-4136B4 charon: 11[IKE] scheduling reauthentication in 9835s
Oct 31 13:56:36 PFC100-4136B4 charon: 11[IKE] maximum IKE_SA lifetime 10375s
Oct 31 13:56:36 PFC100-4136B4 charon: 11[IKE] sending end entity cert "C=FR, ST=Bretagne, L=Rennes, O=Spie, OU=PSR, CN=WAGO" 
Oct 31 13:56:36 PFC100-4136B4 charon: 11[IKE] peer requested virtual IP %any
Oct 31 13:56:36 PFC100-4136B4 charon: 11[CFG] assigning new lease to 'C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05'
Oct 31 13:56:36 PFC100-4136B4 charon: 11[IKE] assigning virtual IP 172.16.100.35 to peer 'C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05'
Oct 31 13:56:36 PFC100-4136B4 charon: 11[IKE] peer requested virtual IP %any6
Oct 31 13:56:36 PFC100-4136B4 charon: 11[IKE] no virtual IP found for %any6 requested by 'C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=kle-w10-wago-05'
Oct 31 13:56:36 PFC100-4136B4 charon: 11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Oct 31 13:56:36 PFC100-4136B4 charon: 11[IKE] CHILD_SA win10{1} established with SPIs c14cc81f_i b900cc30_o and TS 172.16.100.10/32 === 172.16.100.35/32
Oct 31 13:56:36 PFC100-4136B4 charon[10525]: Last message '11[IKE] CHILD_SA win' repeated 1 times, suppressed by syslog-ng on PFC100-4136B4.localdomain.lan
Oct 31 13:56:36 PFC100-4136B4 charon: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS NBNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Oct 31 13:56:36 PFC100-4136B4 charon: 11[ENC] splitting IKE message (1500 bytes) into 2 fragments
Oct 31 13:56:36 PFC100-4136B4 charon: 11[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Oct 31 13:56:36 PFC100-4136B4 charon: 11[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Oct 31 13:56:36 PFC100-4136B4 charon: 11[NET] sending packet: from 172.16.100.10[4500] to 172.16.100.30[4500] (1248 bytes)
Oct 31 13:56:36 PFC100-4136B4 charon: 11[NET] sending packet: from 172.16.100.10[4500] to 172.16.100.30[4500] (320 bytes)

#5 Updated by Tobias Brunner about 1 month ago

If I understand correctly, it's the IP address of the other side of the tunnel?

Yes, an IP address used inside the tunnel.

Should this IP address be in the same subnet?

As the client? No. See ForwardingAndSplitTunneling for details. By the way, Windows doesn't send traffic for the subnet it is connected to through the VPN. You can't use the client you are using for host-host tunnels; it's intended for roadwarrior scenarios. For host-host connections you'd have to use the client in the advanced firewall (I think that's still limited to IKEv1, though).

When I tried to connect from the Windows client, I still had this error message: "IKE authentication information is not acceptable".

Maybe it doesn't trust the server certificate. Make sure the certificate complies with the requirements and the CA certificate that signed it is correctly installed on the client. It's also possible it doesn't like the assigned virtual IP.
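The three responder logs in this thread end on three different charon lines: "no matching peer config found" (identity mismatch), "no virtual IP found, sending INTERNAL_ADDRESS_FAILURE" (the Windows client's CP request with no rightsourceip pool) and "CHILD_SA ... established". The following added example (my own code, not strongSwan's) reduces a responder-side charon log to that verdict, the ipsec.conf key to look at, and the traffic selectors or virtual IP that were negotiated; it also flags MODP_1024 in the selected proposal, which the ike= line in the configs above pins. The sample lines are trimmed excerpts of the logs in this thread with identities shortened to their CN, the mapping from verdict to config key is my reading of the replies above, and the list of algorithms flagged as weak is my own.

```python
"""Triage the outcome of an IKE_AUTH exchange from responder-side charon logs.

Added example, not strongSwan code. Verdict-to-hint mapping and the WEAK set
are assumptions of this example.
"""
import re
from typing import Dict, List

# Constructed samples: trimmed excerpts of the three attempts in this thread.
ATTEMPT_NO_PEER_CONFIG = """\
Oct 31 09:41:13 PFC100-4136B4 charon: 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 31 09:41:13 PFC100-4136B4 charon: 10[IKE] received end entity cert "CN=kle-w10-wago-05"
Oct 31 09:41:13 PFC100-4136B4 charon: 10[CFG] looking for peer configs matching 172.16.100.10[%any]...172.16.100.30[CN=kle-w10-wago-05]
Oct 31 09:41:13 PFC100-4136B4 charon: 10[CFG] no matching peer config found
Oct 31 09:41:13 PFC100-4136B4 charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
""".splitlines()

ATTEMPT_NO_VIRTUAL_IP = """\
Oct 31 11:32:54 PFC100-4136B4 charon: 08[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 31 11:32:55 PFC100-4136B4 charon: 12[CFG] selected peer config 'win10'
Oct 31 11:32:55 PFC100-4136B4 charon: 12[IKE] authentication of 'CN=kle-w10-wago-05' with RSA signature successful
Oct 31 11:32:55 PFC100-4136B4 charon[25688]: Last message '12[IKE] IKE_SA win10' repeated 1 times, suppressed by syslog-ng on PFC100-4136B4.localdomain.lan
Oct 31 11:32:55 PFC100-4136B4 charon: 12[IKE] peer requested virtual IP %any
Oct 31 11:32:55 PFC100-4136B4 charon: 12[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Oct 31 11:32:55 PFC100-4136B4 charon: 12[IKE] failed to establish CHILD_SA, keeping IKE_SA
""".splitlines()

ATTEMPT_ESTABLISHED = """\
Oct 31 13:56:36 PFC100-4136B4 charon: 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 31 13:56:36 PFC100-4136B4 charon: 11[CFG] selected peer config 'win10'
Oct 31 13:56:36 PFC100-4136B4 charon: 11[IKE] authentication of 'CN=kle-w10-wago-05' with RSA signature successful
Oct 31 13:56:36 PFC100-4136B4 charon: 11[IKE] assigning virtual IP 172.16.100.35 to peer 'CN=kle-w10-wago-05'
Oct 31 13:56:36 PFC100-4136B4 charon: 11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Oct 31 13:56:36 PFC100-4136B4 charon: 11[IKE] CHILD_SA win10{1} established with SPIs c14cc81f_i b900cc30_o and TS 172.16.100.10/32 === 172.16.100.35/32
""".splitlines()

# Matches "charon: 12[IKE] message"; syslog-ng "repeated" lines use "charon[pid]:" and are skipped.
CHARON = re.compile(r"charon: \d+\[(\w+)\] (.*)$")
CHILD_SA = re.compile(r"CHILD_SA (\S+) established with SPIs .* and TS (\S+) === (\S+)")
# Algorithms a reviewer would flag in a negotiated proposal (assumption).
WEAK = {"MODP_768", "MODP_1024", "MD5", "3DES", "DES"}
HINTS = {
    "no_peer_config": "peer identity matched no rightid; compare the "
                      "'looking for peer configs matching' line with ipsec.conf",
    "no_virtual_ip": "peer sent a CP request but no pool exists; set rightsourceip",
    "established": "IKE_SA and CHILD_SA are up; check the traffic selectors cover both hosts",
}


def triage(lines: List[str]) -> Dict[str, object]:
    """Reduce a responder-side charon log to a verdict, a hint and findings."""
    result: Dict[str, object] = {
        "verdict": "incomplete", "peer_config": None, "peer_authenticated": False,
        "virtual_ip": None, "traffic_selectors": None, "weak_algorithms": [],
    }
    weak: List[str] = result["weak_algorithms"]  # type: ignore[assignment]
    for raw in lines:
        m = CHARON.search(raw)
        if not m:
            continue
        msg = m.group(2).strip()
        if msg.startswith("selected proposal: "):
            # "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024" -> algorithm list
            algs = msg.split(": ", 1)[1].split(":", 1)[1].split("/")
            weak.extend(a for a in algs if a in WEAK and a not in weak)
        elif msg == "no matching peer config found":
            result["verdict"] = "no_peer_config"
        elif msg.startswith("selected peer config "):
            result["peer_config"] = msg.split("'")[1]
        elif msg.startswith("authentication of ") and "(myself)" not in msg \
                and msg.endswith("successful"):
            result["peer_authenticated"] = True
        elif msg.startswith("assigning virtual IP "):
            result["virtual_ip"] = msg.split()[3]
        elif msg.startswith("no virtual IP found, sending INTERNAL_ADDRESS_FAILURE"):
            result["verdict"] = "no_virtual_ip"
        else:
            c = CHILD_SA.match(msg)
            if c:
                result["verdict"] = "established"
                result["traffic_selectors"] = (c.group(2), c.group(3))
    result["hint"] = HINTS.get(result["verdict"], "no decision reached in these lines")
    return result


if __name__ == "__main__":
    for name, sample in [("attempt 1", ATTEMPT_NO_PEER_CONFIG),
                         ("attempt 2", ATTEMPT_NO_VIRTUAL_IP),
                         ("attempt 3", ATTEMPT_ESTABLISHED)]:
        r = triage(sample)
        print(f"{name}: {r['verdict']} ({r['hint']}); weak: {r['weak_algorithms']}")
```

Feeding it a full charon log works the same way, because lines it does not recognise are ignored; the verdict is the last decisive line seen, so a log that contains several attempts should be split per IKE_SA first.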

#6 Updated by kle kle 16 days ago

Thanks for your advice.

I tried to use the advanced firewall as you told me (yes, it is still limited to IKEv1) and I recreated all of the certificates according to the requirements.
It's working fine! This is my configuration file, for other people who have the same problem:

conn win10
     ike=aes128-sha-modp1024!
     leftcert=linuxCert.der
     left=172.16.100.10
     rightsubnet=172.16.100.0/24
     rightsourceip=172.16.100.35
     rightid="C=FR, O=SPIE, CN=kle-w10-wago-05" 
     right=172.16.100.30
     keyexchange=ikev1
     auto=start

Last problem: I noticed that I can't reach the right host if I initiate the connection from the left host (172.16.100.10 to 172.16.100.30). I see the ICMP echo requests clearly in Wireshark.
If I start my connection from the other direction (172.16.100.30 to 172.16.100.10), I have no problem.

I don't see a problem in the log; have you got an idea?

Nov 28 16:23:59 PFC100-4136B4 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.9.146-rt125, armv7l)
Nov 28 16:24:00 PFC100-4136B4 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 28 16:24:00 PFC100-4136B4 charon: 00[CFG]   loaded ca certificate "C=FR, O=SPIE, CN=strongSwan CA" from '/etc/ipsec.d/cacerts/caCert.der'
Nov 28 16:24:00 PFC100-4136B4 charon: 00[CFG]   ca certificate "C=FR, O=SPIE, CN=wago" lacks ca basic constraint, discarded
Nov 28 16:24:00 PFC100-4136B4 charon: 00[CFG]   loading ca certificate from '/etc/ipsec.d/cacerts/wagoCert.der' failed
Nov 28 16:24:00 PFC100-4136B4 charon: 00[CFG]   loaded ca certificate "C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=cert_CA" from '/etc/ipsec.d/cacerts/ca.crt'
Nov 28 16:24:00 PFC100-4136B4 charon: 00[LIB]   file coded in unknown format, discarded
Nov 28 16:24:00 PFC100-4136B4 charon: 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 3 builders
Nov 28 16:24:00 PFC100-4136B4 charon: 00[CFG]   loading ca certificate from '/etc/ipsec.d/cacerts/ca.srl' failed
Nov 28 16:24:00 PFC100-4136B4 charon: 00[CFG]   ca certificate "C=FR, O=SPIE, CN=kle-Virtual-Machine" lacks ca basic constraint, discarded
Nov 28 16:24:00 PFC100-4136B4 charon: 00[CFG]   loading ca certificate from '/etc/ipsec.d/cacerts/linuxCert.der' failed
Nov 28 16:24:00 PFC100-4136B4 charon: 00[CFG]   loaded ca certificate "C=FR, ST=Bretagne, L=Rennes, O=Spie, OU=PSR, CN=WAGO" from '/etc/ipsec.d/cacerts/certificate_wago.pem'
Nov 28 16:24:00 PFC100-4136B4 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 28 16:24:00 PFC100-4136B4 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 28 16:24:00 PFC100-4136B4 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 28 16:24:00 PFC100-4136B4 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 28 16:24:00 PFC100-4136B4 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 28 16:24:00 PFC100-4136B4 charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/wagoKey.der'
Nov 28 16:24:00 PFC100-4136B4 charon: 00[LIB] loaded plugins: charon aes sha2 sha1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pgp dnskey pem af-alg fips-prf gmp xcbc cmac hmac gcm curl attr kernel-netlink resolve socket-default stroke updown xauth-generic
Nov 28 16:24:00 PFC100-4136B4 charon: 00[JOB] spawning 16 worker threads
Nov 28 16:24:00 PFC100-4136B4 ipsec_starter[25616]: charon (25617) started after 560 ms
Nov 28 16:24:00 PFC100-4136B4 charon: 03[CFG] received stroke: add connection 'win10'
Nov 28 16:24:00 PFC100-4136B4 charon: 03[CFG] adding virtual IP address pool 172.16.100.35
Nov 28 16:24:00 PFC100-4136B4 charon: 03[CFG]   loaded certificate "C=FR, O=SPIE, CN=wago" from 'wagoCert.der'
Nov 28 16:24:00 PFC100-4136B4 charon: 03[CFG]   id '172.16.100.10' not confirmed by certificate, defaulting to 'C=FR, O=SPIE, CN=wago'
Nov 28 16:24:00 PFC100-4136B4 charon: 03[CFG] added configuration 'win10'
Nov 28 16:24:00 PFC100-4136B4 charon: 06[CFG] received stroke: initiate 'win10'
Nov 28 16:24:00 PFC100-4136B4 charon: 06[IKE] initiating Main Mode IKE_SA win10[1] to 172.16.100.30
Nov 28 16:24:00 PFC100-4136B4 charon[19676]: Last message '06[IKE] initiating M' repeated 1 times, suppressed by syslog-ng on PFC100-4136B4.localdomain.lan
Nov 28 16:24:00 PFC100-4136B4 charon: 06[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Nov 28 16:24:00 PFC100-4136B4 charon: 06[NET] sending packet: from 172.16.100.10[500] to 172.16.100.30[500] (180 bytes)
Nov 28 16:24:00 PFC100-4136B4 charon: 08[NET] received packet: from 172.16.100.30[500] to 172.16.100.10[500] (212 bytes)
Nov 28 16:24:00 PFC100-4136B4 charon: 08[ENC] parsed ID_PROT response 0 [ SA V V V V V V ]
Nov 28 16:24:00 PFC100-4136B4 charon: 08[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Nov 28 16:24:00 PFC100-4136B4 charon: 08[IKE] received NAT-T (RFC 3947) vendor ID
Nov 28 16:24:00 PFC100-4136B4 charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Nov 28 16:24:00 PFC100-4136B4 charon: 08[IKE] received FRAGMENTATION vendor ID
Nov 28 16:24:00 PFC100-4136B4 charon: 08[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Nov 28 16:24:00 PFC100-4136B4 charon: 08[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Nov 28 16:24:00 PFC100-4136B4 charon: 08[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Nov 28 16:24:00 PFC100-4136B4 charon: 08[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Nov 28 16:24:00 PFC100-4136B4 charon: 08[NET] sending packet: from 172.16.100.10[500] to 172.16.100.30[500] (244 bytes)
Nov 28 16:24:00 PFC100-4136B4 charon: 09[NET] received packet: from 172.16.100.30[500] to 172.16.100.10[500] (319 bytes)
Nov 28 16:24:00 PFC100-4136B4 charon: 09[ENC] parsed ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Nov 28 16:24:00 PFC100-4136B4 charon: 09[IKE] received cert request for 'C=FR, O=SPIE, CN=strongSwan CA'
Nov 28 16:24:00 PFC100-4136B4 charon: 09[IKE] faking NAT situation to enforce UDP encapsulation
Nov 28 16:24:00 PFC100-4136B4 charon: 09[IKE] sending cert request for "C=FR, O=SPIE, CN=strongSwan CA" 
Nov 28 16:24:00 PFC100-4136B4 charon: 09[IKE] sending cert request for "C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=cert_CA" 
Nov 28 16:24:00 PFC100-4136B4 charon: 09[IKE] sending cert request for "C=FR, ST=Bretagne, L=Rennes, O=Spie, OU=PSR, CN=WAGO" 
Nov 28 16:24:01 PFC100-4136B4 charon: 09[IKE] authentication of 'C=FR, O=SPIE, CN=wago' (myself) successful
Nov 28 16:24:01 PFC100-4136B4 charon: 09[IKE] sending end entity cert "C=FR, O=SPIE, CN=wago" 
Nov 28 16:24:01 PFC100-4136B4 charon: 09[ENC] generating ID_PROT request 0 [ ID CERT SIG CERTREQ CERTREQ CERTREQ N(INITIAL_CONTACT) ]
Nov 28 16:24:01 PFC100-4136B4 charon: 09[ENC] splitting IKE message (1452 bytes) into 2 fragments
Nov 28 16:24:01 PFC100-4136B4 charon: 09[ENC] generating ID_PROT request 0 [ FRAG(1) ]
Nov 28 16:24:01 PFC100-4136B4 charon: 09[ENC] generating ID_PROT request 0 [ FRAG(2/2) ]
Nov 28 16:24:01 PFC100-4136B4 charon: 09[NET] sending packet: from 172.16.100.10[4500] to 172.16.100.30[4500] (1248 bytes)
Nov 28 16:24:01 PFC100-4136B4 charon: 09[NET] sending packet: from 172.16.100.10[4500] to 172.16.100.30[4500] (276 bytes)
Nov 28 16:24:01 PFC100-4136B4 charon: 10[NET] received packet: from 172.16.100.30[4500] to 172.16.100.10[4500] (548 bytes)
Nov 28 16:24:01 PFC100-4136B4 charon: 10[ENC] parsed ID_PROT response 0 [ FRAG(1) ]
Nov 28 16:24:01 PFC100-4136B4 charon: 10[ENC] received fragment #1, waiting for complete IKE message
Nov 28 16:24:01 PFC100-4136B4 charon: 11[NET] received packet: from 172.16.100.30[4500] to 172.16.100.10[4500] (548 bytes)
Nov 28 16:24:01 PFC100-4136B4 charon: 11[ENC] parsed ID_PROT response 0 [ FRAG(2) ]
Nov 28 16:24:01 PFC100-4136B4 charon: 11[ENC] received fragment #2, waiting for complete IKE message
Nov 28 16:24:01 PFC100-4136B4 charon: 12[NET] received packet: from 172.16.100.30[4500] to 172.16.100.10[4500] (192 bytes)
Nov 28 16:24:01 PFC100-4136B4 charon: 12[ENC] parsed ID_PROT response 0 [ FRAG(3/3) ]
Nov 28 16:24:01 PFC100-4136B4 charon: 12[ENC] received fragment #3, reassembled fragmented IKE message (1180 bytes)
Nov 28 16:24:01 PFC100-4136B4 charon: 12[NET] received packet: from 172.16.100.30[4500] to 172.16.100.10[4500] (1180 bytes)
Nov 28 16:24:01 PFC100-4136B4 charon: 12[ENC] parsed ID_PROT response 0 [ ID CERT SIG ]
Nov 28 16:24:01 PFC100-4136B4 charon: 12[IKE] received end entity cert "C=FR, O=SPIE, CN=kle-w10-wago-05" 
Nov 28 16:24:01 PFC100-4136B4 charon: 12[CFG]   using certificate "C=FR, O=SPIE, CN=kle-w10-wago-05" 
Nov 28 16:24:01 PFC100-4136B4 charon: 12[CFG]   using trusted ca certificate "C=FR, O=SPIE, CN=strongSwan CA" 
Nov 28 16:24:01 PFC100-4136B4 charon: 12[CFG] checking certificate status of "C=FR, O=SPIE, CN=kle-w10-wago-05" 
Nov 28 16:24:01 PFC100-4136B4 charon: 12[CFG] certificate status is not available
Nov 28 16:24:01 PFC100-4136B4 charon: 12[CFG]   reached self-signed root ca with a path length of 0
Nov 28 16:24:01 PFC100-4136B4 charon: 12[IKE] authentication of 'C=FR, O=SPIE, CN=kle-w10-wago-05' with RSA_EMSA_PKCS1_NULL successful
Nov 28 16:24:01 PFC100-4136B4 charon: 12[IKE] IKE_SA win10[1] established between 172.16.100.10[C=FR, O=SPIE, CN=wago]...172.16.100.30[C=FR, O=SPIE, CN=kle-w10-wago-05]
Nov 28 16:24:01 PFC100-4136B4 charon[19676]: Last message '12[IKE] IKE_SA win10' repeated 1 times, suppressed by syslog-ng on PFC100-4136B4.localdomain.lan
Nov 28 16:24:01 PFC100-4136B4 charon: 12[IKE] scheduling reauthentication in 9904s
Nov 28 16:24:01 PFC100-4136B4 charon: 12[IKE] maximum IKE_SA lifetime 10444s

#7 Updated by Tobias Brunner 16 days ago

I don't see a log problem, have you got an idea?

Well, rightsourceip makes no sense for a host-to-host connection (see VirtualIP for an explanation of what the option does), neither does setting rightsubnet to anything larger than /32 (actually, you don't have to specify it at all, it defaults to the remote IP address anyway).

#8 Updated by Noel Kuntze 16 days ago

And then there's you using auto=start instead of auto=route.

#9 Updated by kle kle 16 days ago

What a fast response! Thanks!

OK, I removed rightsourceip and rightsubnet because these addresses are dynamically defined.

I changed the parameter auto to route.

When I tried to ping, I saw this log. I can see "NO_PROPOSAL_CHOSEN", but I don't see where the problem is.

Nov 28 17:29:09 PFC100-4136B4 charon: 01[KNL] creating acquire job for policy 172.16.100.10/32[icmp/8] === 172.16.100.30/32[icmp/8] with reqid {1}
Nov 28 17:29:09 PFC100-4136B4 charon: 09[IKE] initiating Main Mode IKE_SA win10[1] to 172.16.100.30
Nov 28 17:29:09 PFC100-4136B4 charon[19676]: Last message '09[IKE] initiating M' repeated 1 times, suppressed by syslog-ng on PFC100-4136B4.localdomain.lan
Nov 28 17:29:09 PFC100-4136B4 charon: 09[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Nov 28 17:29:09 PFC100-4136B4 charon: 09[NET] sending packet: from 172.16.100.10[500] to 172.16.100.30[500] (180 bytes)
Nov 28 17:29:13 PFC100-4136B4 charon: 11[IKE] sending retransmit 1 of request message ID 0, seq 1
Nov 28 17:29:13 PFC100-4136B4 charon: 11[NET] sending packet: from 172.16.100.10[500] to 172.16.100.30[500] (180 bytes)
Nov 28 17:29:13 PFC100-4136B4 charon: 13[NET] received packet: from 172.16.100.30[500] to 172.16.100.10[500] (212 bytes)
Nov 28 17:29:13 PFC100-4136B4 charon: 13[ENC] parsed ID_PROT response 0 [ SA V V V V V V ]
Nov 28 17:29:13 PFC100-4136B4 charon: 13[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Nov 28 17:29:13 PFC100-4136B4 charon: 13[IKE] received NAT-T (RFC 3947) vendor ID
Nov 28 17:29:13 PFC100-4136B4 charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Nov 28 17:29:13 PFC100-4136B4 charon: 13[IKE] received FRAGMENTATION vendor ID
Nov 28 17:29:13 PFC100-4136B4 charon: 13[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Nov 28 17:29:13 PFC100-4136B4 charon: 13[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Nov 28 17:29:13 PFC100-4136B4 charon: 13[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Nov 28 17:29:13 PFC100-4136B4 charon: 13[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Nov 28 17:29:13 PFC100-4136B4 charon: 13[NET] sending packet: from 172.16.100.10[500] to 172.16.100.30[500] (244 bytes)
Nov 28 17:29:13 PFC100-4136B4 charon: 14[NET] received packet: from 172.16.100.30[500] to 172.16.100.10[500] (319 bytes)
Nov 28 17:29:13 PFC100-4136B4 charon: 14[ENC] parsed ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Nov 28 17:29:13 PFC100-4136B4 charon: 14[IKE] received cert request for 'C=FR, O=SPIE, CN=strongSwan CA'
Nov 28 17:29:13 PFC100-4136B4 charon: 14[IKE] faking NAT situation to enforce UDP encapsulation
Nov 28 17:29:13 PFC100-4136B4 charon: 14[IKE] sending cert request for "C=FR, O=SPIE, CN=strongSwan CA" 
Nov 28 17:29:13 PFC100-4136B4 charon: 14[IKE] sending cert request for "C=FR, ST=Bretagne, L=Rennes, O=SPIE, OU=PSR, CN=cert_CA" 
Nov 28 17:29:13 PFC100-4136B4 charon: 14[IKE] sending cert request for "C=FR, ST=Bretagne, L=Rennes, O=Spie, OU=PSR, CN=WAGO" 
Nov 28 17:29:13 PFC100-4136B4 charon: 14[IKE] authentication of 'C=FR, O=SPIE, CN=wago' (myself) successful
Nov 28 17:29:13 PFC100-4136B4 charon: 14[IKE] sending end entity cert "C=FR, O=SPIE, CN=wago" 
Nov 28 17:29:13 PFC100-4136B4 charon: 14[ENC] generating ID_PROT request 0 [ ID CERT SIG CERTREQ CERTREQ CERTREQ N(INITIAL_CONTACT) ]
Nov 28 17:29:13 PFC100-4136B4 charon: 14[ENC] splitting IKE message (1452 bytes) into 2 fragments
Nov 28 17:29:13 PFC100-4136B4 charon: 14[ENC] generating ID_PROT request 0 [ FRAG(1) ]
Nov 28 17:29:13 PFC100-4136B4 charon: 14[ENC] generating ID_PROT request 0 [ FRAG(2/2) ]
Nov 28 17:29:13 PFC100-4136B4 charon: 14[NET] sending packet: from 172.16.100.10[4500] to 172.16.100.30[4500] (1248 bytes)
Nov 28 17:29:13 PFC100-4136B4 charon: 14[NET] sending packet: from 172.16.100.10[4500] to 172.16.100.30[4500] (276 bytes)
Nov 28 17:29:13 PFC100-4136B4 charon: 15[NET] received packet: from 172.16.100.30[4500] to 172.16.100.10[4500] (548 bytes)
Nov 28 17:29:13 PFC100-4136B4 charon: 15[ENC] parsed ID_PROT response 0 [ FRAG(1) ]
Nov 28 17:29:13 PFC100-4136B4 charon: 15[ENC] received fragment #1, waiting for complete IKE message
Nov 28 17:29:13 PFC100-4136B4 charon: 16[NET] received packet: from 172.16.100.30[4500] to 172.16.100.10[4500] (548 bytes)
Nov 28 17:29:13 PFC100-4136B4 charon: 16[ENC] parsed ID_PROT response 0 [ FRAG(2) ]
Nov 28 17:29:13 PFC100-4136B4 charon: 16[ENC] received fragment #2, waiting for complete IKE message
Nov 28 17:29:13 PFC100-4136B4 charon: 06[NET] received packet: from 172.16.100.30[4500] to 172.16.100.10[4500] (192 bytes)
Nov 28 17:29:13 PFC100-4136B4 charon: 06[ENC] parsed ID_PROT response 0 [ FRAG(3/3) ]
Nov 28 17:29:13 PFC100-4136B4 charon: 06[ENC] received fragment #3, reassembled fragmented IKE message (1180 bytes)
Nov 28 17:29:13 PFC100-4136B4 charon: 06[NET] received packet: from 172.16.100.30[4500] to 172.16.100.10[4500] (1180 bytes)
Nov 28 17:29:13 PFC100-4136B4 charon: 06[ENC] parsed ID_PROT response 0 [ ID CERT SIG ]
Nov 28 17:29:13 PFC100-4136B4 charon: 06[IKE] received end entity cert "C=FR, O=SPIE, CN=kle-w10-wago-05" 
Nov 28 17:29:13 PFC100-4136B4 charon: 06[CFG]   using certificate "C=FR, O=SPIE, CN=kle-w10-wago-05" 
Nov 28 17:29:13 PFC100-4136B4 charon: 06[CFG]   using trusted ca certificate "C=FR, O=SPIE, CN=strongSwan CA" 
Nov 28 17:29:13 PFC100-4136B4 charon: 06[CFG] checking certificate status of "C=FR, O=SPIE, CN=kle-w10-wago-05" 
Nov 28 17:29:13 PFC100-4136B4 charon: 06[CFG] certificate status is not available
Nov 28 17:29:13 PFC100-4136B4 charon: 06[CFG]   reached self-signed root ca with a path length of 0
Nov 28 17:29:13 PFC100-4136B4 charon: 06[IKE] authentication of 'C=FR, O=SPIE, CN=kle-w10-wago-05' with RSA_EMSA_PKCS1_NULL successful
Nov 28 17:29:13 PFC100-4136B4 charon: 06[IKE] IKE_SA win10[1] established between 172.16.100.10[C=FR, O=SPIE, CN=wago]...172.16.100.30[C=FR, O=SPIE, CN=kle-w10-wago-05]
Nov 28 17:29:13 PFC100-4136B4 charon[19676]: Last message '06[IKE] IKE_SA win10' repeated 1 times, suppressed by syslog-ng on PFC100-4136B4.localdomain.lan
Nov 28 17:29:13 PFC100-4136B4 charon: 06[IKE] scheduling reauthentication in 9897s
Nov 28 17:29:13 PFC100-4136B4 charon: 06[IKE] maximum IKE_SA lifetime 10437s
Nov 28 17:29:13 PFC100-4136B4 charon: 06[ENC] generating QUICK_MODE request 3592001373 [ HASH SA No ID ID ]
Nov 28 17:29:13 PFC100-4136B4 charon: 06[NET] sending packet: from 172.16.100.10[4500] to 172.16.100.30[4500] (172 bytes)
Nov 28 17:29:13 PFC100-4136B4 charon: 05[NET] received packet: from 172.16.100.30[4500] to 172.16.100.10[4500] (76 bytes)
Nov 28 17:29:13 PFC100-4136B4 charon: 05[ENC] parsed INFORMATIONAL_V1 request 2394178862 [ HASH N(NO_PROP) ]
Nov 28 17:29:13 PFC100-4136B4 charon: 05[IKE] received NO_PROPOSAL_CHOSEN error notify

#10 Updated by Tobias Brunner 16 days ago

I can see "NO_PROPOSAL_CHOSEN", but I don't see where the problem is.

Only the other peer knows for sure. But it's probably the ESP proposal (esp=).
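As an added illustration that is not part of this thread, the following Python check walks charon log lines of the kind quoted above and tells a Main Mode (IKE proposal) rejection from a Quick Mode (ESP proposal) rejection, which is the distinction behind the comment above; it assumes the IKEv1 flow seen in this issue, and the sample lines are constructed from the thread's output with the hostname shortened.

```python
import re

# Constructed log samples modelled on the charon output quoted in this thread
# (hostname shortened); they are not the full logs from the issue.
PHASE2_REJECTED = """\
Nov 28 17:29:13 host charon: 13[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Nov 28 17:29:13 host charon: 06[IKE] IKE_SA win10[1] established between 172.16.100.10[C=FR, O=SPIE, CN=wago]...172.16.100.30[C=FR, O=SPIE, CN=kle-w10-wago-05]
Nov 28 17:29:13 host charon: 06[ENC] generating QUICK_MODE request 3592001373 [ HASH SA No ID ID ]
Nov 28 17:29:13 host charon: 05[ENC] parsed INFORMATIONAL_V1 request 2394178862 [ HASH N(NO_PROP) ]
Nov 28 17:29:13 host charon: 05[IKE] received NO_PROPOSAL_CHOSEN error notify
"""

# Constructed counter-example: the peer rejects the very first Main Mode SA
# payload, so no IKE proposal is ever selected and no IKE_SA comes up.
PHASE1_REJECTED = """\
Nov 28 17:29:09 host charon: 09[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Nov 28 17:29:09 host charon: 10[ENC] parsed INFORMATIONAL_V1 request 1 [ N(NO_PROP) ]
Nov 28 17:29:09 host charon: 10[IKE] received NO_PROPOSAL_CHOSEN error notify
"""


def classify_no_proposal(log_text):
    """Walk IKEv1 charon log lines in order and report which proposal the
    peer rejected with NO_PROPOSAL_CHOSEN: 'esp' when the notify arrives
    after the IKE_SA is up and a Quick Mode request went out (so the IKE
    proposal was fine and esp= is the suspect), 'ike' when it arrives
    during Main Mode, None when no such notify is present."""
    state = {"ike_proposal": None, "ike_sa_up": False, "quick_mode_sent": False}
    for line in log_text.splitlines():
        m = re.search(r"selected proposal: (IKE:\S+)", line)
        if m:
            state["ike_proposal"] = m.group(1)
        elif re.search(r"IKE_SA \S+ established", line):
            state["ike_sa_up"] = True
        elif "generating QUICK_MODE request" in line:
            state["quick_mode_sent"] = True
        elif "received NO_PROPOSAL_CHOSEN" in line:
            rejected = "esp" if state["ike_sa_up"] and state["quick_mode_sent"] else "ike"
            return {"rejected": rejected, "ike_proposal": state["ike_proposal"]}
    return {"rejected": None, "ike_proposal": state["ike_proposal"]}


if __name__ == "__main__":
    for name, log in (("phase2", PHASE2_REJECTED), ("phase1", PHASE1_REJECTED)):
        print(name, classify_no_proposal(log))
```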

#11 Updated by kle kle 11 days ago

I added an esp proposal and it's working fine from both sides.

esp=aes128-sha1!

Thanks for all, this website is very helpful.

#12 Updated by Tobias Brunner 11 days ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required
