Issue #714
Win 7 clients are not able to establish connection (l2tp/ipsec-cert, ikev2-machine_cert, ikev2-eap_mschapv2)
Description
I have xl2tpd and strongSwan 5.1.2 installed on Ubuntu 14.04 LTS from its repository as a VPN server, and Win XP / Win 7 / Android 4.x.x clients (some of them are behind NAT). The server is not behind NAT.
I set up 3 connection types: l2tp/psk, l2tp/ipsec (cert) and ikev2.
The l2tp/psk connection is successful for both Win XP and Win 7.
The l2tp/ipsec (cert) connection is successful for Win XP only.
But the l2tp/ipsec (cert) and ikev2 connections don't work for Win 7.
Below is the interactive logging (made in ipsec --nofork mode) while Win 7 connects, and the ipsec.conf for l2tp/ipsec (cert) and for the two types of ikev2 connection.
The external IP of the strongSwan server is used in the VPN connection properties.
The server certificate (located on the strongSwan server) has the FQDN and the external IP 95.24.95.95 in subjectAltName, and the CN contains the FQDN of the strongSwan server.
For L2TP/IPsec with certificate (Win 7 connecting):
11[IKE] IKE_SA ikev1_l2tp_rsa[1] state change: CONNECTING => ESTABLISHED
11[IKE] DPD not supported by peer, disabled
11[IKE] sending end entity cert "C=RU, ST=North, L=City, O=Org, OU=Main, CN=gate_name.mydomain.net, N=My Server certificate, E=admin at mydomain.net"
11[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
11[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1484 bytes)
15[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500] (1900 bytes)
15[IKE] received retransmit of request with ID 0, retransmitting response
15[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1484 bytes)
11[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500] (1900 bytes)
11[IKE] received retransmit of request with ID 0, retransmitting response
11[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1484 bytes)
12[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500] (1900 bytes)
12[IKE] received retransmit of request with ID 0, retransmitting response
12[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1484 bytes)
For IKEv2 with machine certificate (Win 7 connecting):
14[IKE] CHILD_SA ikev2_machine_cert{2} established with SPIs c8c7c4c5_i 333c9d8a_o and TS 0.0.0.0/0 === 10.10.1.2/32
14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
14[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1660 bytes)
05[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500] (2476 bytes)
05[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
05[IKE] received retransmit of request with ID 1, retransmitting response
05[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1660 bytes)
14[IKE] retransmit 2 of request with message ID 0
14[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (76 bytes)
15[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500] (2476 bytes)
15[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
15[IKE] received retransmit of request with ID 1, retransmitting response
15[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1660 bytes)
13[IKE] retransmit 3 of request with message ID 0
13[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (76 bytes)
For IKEv2 with EAP-MSCHAPv2 and certificate (Win 7 connecting):
15[IKE] authentication of '95.24.95.95' (myself) with RSA signature successful
15[IKE] sending end entity cert "C=RU, ST=North, L=City, O=Org, OU=Main, CN=gate_name.mydomain.net, N=My Server certificate, E=admin at mydomain.net"
15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
15[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1516 bytes)
08[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500] (1340 bytes)
08[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
08[IKE] received retransmit of request with ID 1, retransmitting response
08[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1516 bytes)
14[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500] (1340 bytes)
14[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
14[IKE] received retransmit of request with ID 1, retransmitting response
14[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1516 bytes)
Ipsec.conf:
conn %default
    compress=yes
    dpdaction=clear    # tried dpdaction=restart
    dpddelay=40
    dpdtimeout=130
    forceencaps=yes
    ikelifetime=8h
    keyingtries=10
    keylife=10800
    margintime=15m

conn l2tp_ipsec
    auto=add
    esp=aes256-sha1!
    ike=aes256-sha1-modp1024!
    keyexchange=ikev1
    keyingtries=2
    left=95.24.95.95
    leftauth=pubkey
    leftcert=/etc/ipsec.d/certs/server.crt
    leftid=95.24.95.95
    leftprotoport=udp/%any
    mobike=no
    rekey=no
    right=%any
    rightauth=pubkey    # also tried rsa
    rightsendcert=never
    rightsubnet=0.0.0.0/0
    type=transport

conn ikev2_eap_mschapv2
    auto=add
    eap_identity=%any
    esp=aes256-sha1!
    ike=aes256-sha1-modp1024!
    keyexchange=ikev2
    left=95.24.95.95
    leftauth=pubkey
    leftcert=/etc/ipsec.d/certs/server.crt
    leftid=95.24.95.95
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    mobike=yes
    rekey=no
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=192.168.1.0/24
    rightsendcert=never

conn ikev2_machine_cert
    auto=add
    esp=aes256-sha1!
    ike=aes256-sha1-modp1024!
    keyexchange=ikev2
    left=95.24.95.95
    leftcert=/etc/ipsec.d/certs/server.crt
    leftid=95.24.95.95
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    mobike=yes
    rekey=no
    right=%any
    rightsourceip=192.168.1.0/24
    rightsendcert=never
I think the trouble is in some connection parameters specific to Win 7, but I don't know which ones.
As I see it, the 1st phase is successful, that is, the certificate is valid and good in all 3 cases.
Can somebody tell me where the trouble(s) is/are?
To recap:
connection from Win XP across l2tp/ipsec-cert succeeded;
connection from Android 4.4.x (Sony Xperia Z2) across l2tp/ipsec-cert succeeded;
connection from Win 7 across l2tp/ipsec-cert, ikev2-machine-cert, ikev2-eap-mschapv2 failed.
This is the situation with version 5.1.2 and up to nightly build 5.2.1dr1 (5.2.1-~10879+53 in the Ubuntu repository) downloaded on Sep 24, 2014.
Related issues
History
#1 Updated by Tobias Brunner almost 11 years ago
- Subject changed from Win 7 clients are not able to establish connection (l2tp/ipsec-cert, ikev2-machine_cert, ikev2-eap_mschapv2) ! to Win 7 clients are not able to establish connection (l2tp/ipsec-cert, ikev2-machine_cert, ikev2-eap_mschapv2)
- Description updated (diff)
- Category changed from windows to interoperability
- Status changed from New to Feedback
- Assignee set to Tobias Brunner
Looking at your logs I see that the messages containing the server certificate get retransmitted.
The reason for this might be IP fragmentation. Due to the certificates the messages get quite large (1484, 1660, 1516 bytes) so these will get fragmented on the IP level. If a router/firewall between the server and the clients drops these fragments the clients won't receive the message and can't continue, so they will continue to retransmit the respective requests. What's odd is that the requests are often larger than the responses (1900, 2476 bytes) and these are received by the server. I'd try to determine where exactly the packets get dropped (e.g. using wireshark).
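A way to check the fragmentation hypothesis from the charon log itself, as an added example that is not part of this issue or of strongSwan: it parses the "sending/received packet ... (N bytes)" and "received retransmit of request with ID n" lines, computes how many IPv4 fragments each message needs, and reports peers that keep retransmitting a request after the server answered with a message that had to be fragmented. The assumptions (marked in the code) are charon's default log format as quoted above, an Ethernet path MTU of 1500, and that the logged byte count is the IKE message length without the 4-byte non-ESP marker used on UDP/4500. The sample log lines are constructed from the sizes quoted in this issue.

```python
"""Spot IKE messages that must be IP-fragmented on the wire and the retransmit
loops that follow them, from charon log lines.

Added example (not part of this issue or of strongSwan). Assumptions, marked
below: charon's default log format as quoted in this thread; an Ethernet path
MTU of 1500; and that the "(N bytes)" charon logs is the IKE message length,
excluding the 4-byte non-ESP marker it prepends on UDP/4500.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable

IPV4_HDR = 20       # IPv4 header, no options
UDP_HDR = 8
NAT_T_MARKER = 4    # non-ESP marker on UDP/4500 (assumed not counted in the logged length)
DEFAULT_MTU = 1500  # assumed path MTU; lower it for PPPoE or tunnelled paths

PKT_RE = re.compile(
    r"^\d+\[NET\] (?P<dir>sending|received) packet: "
    r"from (?P<src>[^\[\s]+)\[(?P<sport>\d+)\] to (?P<dst>[^\[\s]+)\[(?P<dport>\d+)\] "
    r"\((?P<size>\d+) bytes\)")
RETRANS_RE = re.compile(r"^\d+\[IKE\] received retransmit of request with ID (?P<mid>\d+)")


def ip_fragments(ike_len: int, udp_port: int, mtu: int = DEFAULT_MTU) -> int:
    """Number of IPv4 fragments an IKE message of ike_len bytes needs on a link with this MTU."""
    ip_payload = UDP_HDR + (NAT_T_MARKER if udp_port == 4500 else 0) + ike_len
    per_fragment = (mtu - IPV4_HDR) // 8 * 8   # fragment offsets are counted in 8-byte units
    return -(-ip_payload // per_fragment)      # ceiling division


@dataclass
class PeerStats:
    fragmented_sent: int = 0          # our messages that needed more than one fragment
    fragmented_received: int = 0      # peer messages that needed more than one fragment and still arrived
    largest_sent: int = 0
    largest_received: int = 0
    retransmits: Dict[str, int] = field(default_factory=dict)   # request message ID -> count


def analyze(lines: Iterable[str], mtu: int = DEFAULT_MTU) -> Dict[str, PeerStats]:
    """Aggregate message sizes and retransmits per peer address."""
    stats: Dict[str, PeerStats] = {}
    last_peer = None   # retransmit lines carry no address; attribute them to the last sender
    for raw in lines:
        line = raw.strip()
        m = PKT_RE.match(line)
        if m:
            size = int(m["size"])
            if m["dir"] == "sending":
                ps = stats.setdefault(m["dst"], PeerStats())
                ps.largest_sent = max(ps.largest_sent, size)
                if ip_fragments(size, int(m["dport"]), mtu) > 1:
                    ps.fragmented_sent += 1
            else:
                last_peer = m["src"]
                ps = stats.setdefault(last_peer, PeerStats())
                ps.largest_received = max(ps.largest_received, size)
                if ip_fragments(size, int(m["dport"]), mtu) > 1:
                    ps.fragmented_received += 1
            continue
        m = RETRANS_RE.match(line)
        if m and last_peer is not None:
            d = stats[last_peer].retransmits
            d[m["mid"]] = d.get(m["mid"], 0) + 1
    return stats


def fragment_drop_suspects(stats: Dict[str, PeerStats]) -> Dict[str, dict]:
    """Peers that keep re-sending a request after we answered with a fragmented message.
    fragments_reach_server=True means the peer's own fragmented requests did arrive, so
    the loss is on the way back to the client (or inside the client), not symmetric."""
    out = {}
    for peer, ps in stats.items():
        if ps.fragmented_sent and ps.retransmits:
            out[peer] = {
                "retransmits": sum(ps.retransmits.values()),
                "largest_sent": ps.largest_sent,
                "largest_received": ps.largest_received,
                "fragments_reach_server": ps.fragmented_received > 0,
            }
    return out


# Constructed sample using the sizes quoted in this issue (not a verbatim log).
SAMPLE_LOG = """\
11[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1484 bytes)
15[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500] (1900 bytes)
15[IKE] received retransmit of request with ID 0, retransmitting response
15[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1484 bytes)
11[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500] (1900 bytes)
11[IKE] received retransmit of request with ID 0, retransmitting response
11[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1484 bytes)
14[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (76 bytes)
"""

if __name__ == "__main__":
    for peer, info in fragment_drop_suspects(analyze(SAMPLE_LOG.splitlines())).items():
        print(peer, info)
```

On the sample, a 1484-byte response on UDP/4500 becomes 1516 bytes on the wire and splits into two fragments, while the 1900-byte requests from the client (also fragmented) are reassembled fine by the server; that asymmetry is what points at the client-side path rather than at a generic "no fragments" filter. Feed it `ipsec --nofork` output or `/var/log/daemon.log` lines the same way.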
#2 Updated by Alex Brew almost 11 years ago
I doubt that the reason is in intermediate routers.
Firstly, what's odd is that the same result was reached from different clients (Win 7) located on different physical networks (different ISPs), and consequently behind different NAT/router types.
And secondly, Win XP works.
I'd try to determine where exactly the packets get dropped.
You meant at intermediate routers, did you?
And should I start wireshark on the server or on the client side?
How do I avoid packet fragmentation, by reducing the server and/or client cert size?
#3 Updated by Alex Brew almost 11 years ago
Moreover, I tried l2tp/psk (strongSwan 5.2.1dr1 downloaded on Sep 24, 2014) with Win 7 from a cell phone access point (via bluetooth and 3g/4g), that is, a different client computer and connection path, and got the following:
15[KNL] 208: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 224: 01 00 00 00 02 00 00 20 00 00 00 00 60 00 02 00 ....... ....`...
15[KNL] 240: 64 65 73 33 5F 65 64 65 00 00 00 00 00 00 00 00 des3_ede........
15[KNL] 256: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 304: C0 00 00 00 28 73 69 F3 3F 7F CF F5 55 2F F1 1F ....(si.?...U/..
15[KNL] 320: B2 9A D2 6F DE C6 1E 9D 37 41 EE 0E 5C 00 01 00 ...o....7A..\...
15[KNL] 336: 73 68 61 31 00 00 00 00 00 00 00 00 00 00 00 00 sha1............
15[KNL] 352: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 368: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 384: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 400: A0 00 00 00 03 F5 29 B3 B4 61 28 70 67 87 01 FF ......)..a(pg...
15[KNL] 416: 48 45 F2 6F 46 22 98 0C 1C 00 04 00 02 00 47 BB HE.oF"........G.
15[KNL] 432: 11 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 448: 00 00 00 00 ....
15[KNL] adding SAD entry with SPI e03a1060 and reqid {1} (mark 0/0x00000000)
15[KNL] using encryption algorithm 3DES_CBC with key size 192
15[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
15[KNL] using replay window of 32 packets
15[KNL] sending XFRM_MSG_NEWSA: => 452 bytes
15[KNL] 0: C4 01 00 00 10 00 05 00 FE 00 00 00 61 17 00 00 ............a...
15[KNL] 16: D9 76 4E 68 00 00 00 00 00 00 00 00 00 00 00 00 .vNh............
15[KNL] 32: 5E F2 09 5E 00 00 00 00 00 00 00 00 00 00 00 00 ^..^............
15[KNL] 48: 00 00 00 00 00 00 00 00 02 00 20 20 00 00 00 00 .......... ....
15[KNL] 64: 00 00 00 00 00 00 00 00 D9 76 4E 68 00 00 00 00 .........vNh....
15[KNL] 80: 00 00 00 00 00 00 00 00 E0 3A 10 60 32 00 00 00 .........:.`2...
15[KNL] 96: 5E F2 09 5E 00 00 00 00 00 00 00 00 00 00 00 00 ^..^............
15[KNL] 112: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
15[KNL] 128: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
15[KNL] 144: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 192: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 208: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 224: 01 00 00 00 02 00 00 20 00 00 00 00 60 00 02 00 ....... ....`...
15[KNL] 240: 64 65 73 33 5F 65 64 65 00 00 00 00 00 00 00 00 des3_ede........
15[KNL] 256: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 304: C0 00 00 00 76 4E DA 28 9D 89 C6 8C FB 2D 51 ED ....vN.(.....-Q.
15[KNL] 320: F0 1F 73 4D BB F5 73 B2 E8 D7 B5 82 5C 00 01 00 ..sM..s.....\...
15[KNL] 336: 73 68 61 31 00 00 00 00 00 00 00 00 00 00 00 00 sha1............
15[KNL] 352: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 368: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 384: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 400: A0 00 00 00 E6 36 03 28 F0 1B CB 70 A0 82 AE 54 .....6.(...p...T
15[KNL] 416: 80 ED 9E 43 F9 EC FE 6B 1C 00 04 00 02 00 11 94 ...C...k........
15[KNL] 432: 47 BB 00 00 00 00 00 00 00 00 00 00 00 00 00 00 G...............
15[KNL] 448: 00 00 00 00 ....
15[KNL] policy 95.24.95.95/32[udp/l2f] === 217.118.78.104/32[udp/l2f] out (mark 0/0x00000000) already exists, increasing refcount
15[KNL] policy 217.118.78.104/32[udp/l2f] === 95.24.95.95/32[udp/l2f] in (mark 0/0x00000000) already exists, increasing refcount
15[KNL] policy 95.24.95.95/32[udp/l2f] === 217.118.78.104/32[udp/l2f] out (mark 0/0x00000000) already exists, increasing refcount
15[KNL] updating policy 95.24.95.95/32[udp/l2f] === 217.118.78.104/32[udp/l2f] out (mark 0/0x00000000)
15[KNL] sending XFRM_MSG_UPDPOLICY: => 248 bytes
15[KNL] 0: F8 00 00 00 19 00 05 00 FF 00 00 00 61 17 00 00 ............a...
15[KNL] 16: D9 76 4E 68 00 00 00 00 00 00 00 00 00 00 00 00 .vNh............
15[KNL] 32: 5E F2 09 5E 00 00 00 00 00 00 00 00 00 00 00 00 ^..^............
15[KNL] 48: 06 A5 FF FF 06 A5 FF FF 02 00 20 20 11 00 00 00 .......... ....
15[KNL] 64: 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF ................
15[KNL] 80: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
15[KNL] 96: FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 ................
15[KNL] 112: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 128: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 144: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 160: 00 00 00 00 00 00 00 00 00 0B 00 00 00 00 00 00 ................
15[KNL] 176: 01 00 00 00 44 00 05 00 00 00 00 00 00 00 00 00 ....D...........
15[KNL] 192: 00 00 00 00 00 00 00 00 00 00 00 00 32 00 00 00 ............2...
15[KNL] 208: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 224: 00 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF ................
15[KNL] 240: FF FF FF FF FF FF FF FF ........
15[KNL] policy 217.118.78.104/32[udp/l2f] === 95.24.95.95/32[udp/l2f] in (mark 0/0x00000000) already exists, increasing refcount
15[KNL] updating policy 217.118.78.104/32[udp/l2f] === 95.24.95.95/32[udp/l2f] in (mark 0/0x00000000)
15[KNL] sending XFRM_MSG_UPDPOLICY: => 248 bytes
15[KNL] 0: F8 00 00 00 19 00 05 00 00 01 00 00 61 17 00 00 ............a...
15[KNL] 16: 5E F2 09 5E 00 00 00 00 00 00 00 00 00 00 00 00 ^..^............
15[KNL] 32: D9 76 4E 68 00 00 00 00 00 00 00 00 00 00 00 00 .vNh............
15[KNL] 48: 06 A5 FF FF 06 A5 FF FF 02 00 20 20 11 00 00 00 .......... ....
15[KNL] 64: 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF ................
15[KNL] 80: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
15[KNL] 96: FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 ................
15[KNL] 112: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 128: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 144: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 160: 00 00 00 00 00 00 00 00 00 0B 00 00 00 00 00 00 ................
15[KNL] 176: 00 00 00 00 44 00 05 00 00 00 00 00 00 00 00 00 ....D...........
15[KNL] 192: 00 00 00 00 00 00 00 00 00 00 00 00 32 00 00 00 ............2...
15[KNL] 208: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[KNL] 224: 00 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF ................
15[KNL] 240: FF FF FF FF FF FF FF FF ........
15[IKE] CHILD_SA ikev1_l2tp_psk{1} established with SPIs ceec8cf2_i e03a1060_o and TS 95.24.95.95/32[udp/l2f] === 217.118.78.104/32[udp/l2f]
04[NET] received packet: from 217.118.78.104[18363] to 95.24.95.95[4500] (76 bytes)
04[ENC] parsed INFORMATIONAL_V1 request 2074276057 [ HASH D ]
04[IKE] received DELETE for ESP CHILD_SA with SPI 66bbe742
04[KNL] querying SAD entry with SPI c12cea01 (mark 0/0x00000000)
04[KNL] sending XFRM_MSG_GETSA: => 40 bytes
04[KNL] 0: 28 00 00 00 12 00 01 00 01 01 00 00 61 17 00 00 (...........a...
04[KNL] 16: 5E F2 09 5E 00 00 00 00 00 00 00 00 00 00 00 00 ^..^............
04[KNL] 32: C1 2C EA 01 02 00 32 00 .,....2.
04[KNL] querying SAD entry with SPI 66bbe742 (mark 0/0x00000000)
04[KNL] sending XFRM_MSG_GETSA: => 40 bytes
04[KNL] 0: 28 00 00 00 12 00 01 00 02 01 00 00 61 17 00 00 (...........a...
04[KNL] 16: D9 76 4E 68 00 00 00 00 00 00 00 00 00 00 00 00 .vNh............
04[KNL] 32: 66 BB E7 42 02 00 32 00 f..B..2.
04[IKE] closing CHILD_SA ikev1_l2tp_psk{1} with SPIs c12cea01_i (0 bytes) 66bbe742_o (0 bytes) and TS 95.24.95.95/32[udp/l2f] === 217.118.78.104/32[udp/l2f]
04[KNL] deleting SAD entry with SPI c12cea01 (mark 0/0x00000000)
04[KNL] sending XFRM_MSG_DELSA: => 40 bytes
04[KNL] 0: 28 00 00 00 11 00 05 00 03 01 00 00 61 17 00 00 (...........a...
04[KNL] 16: 5E F2 09 5E 00 00 00 00 00 00 00 00 00 00 00 00 ^..^............
04[KNL] 32: C1 2C EA 01 02 00 32 00 .,....2.
04[KNL] deleted SAD entry with SPI c12cea01 (mark 0/0x00000000)
04[KNL] deleting SAD entry with SPI 66bbe742 (mark 0/0x00000000)
04[KNL] sending XFRM_MSG_DELSA: => 40 bytes
04[KNL] 0: 28 00 00 00 11 00 05 00 04 01 00 00 61 17 00 00 (...........a...
04[KNL] 16: D9 76 4E 68 00 00 00 00 00 00 00 00 00 00 00 00 .vNh............
04[KNL] 32: 66 BB E7 42 02 00 32 00 f..B..2.
04[KNL] deleted SAD entry with SPI 66bbe742 (mark 0/0x00000000)
04[KNL] deleting policy 95.24.95.95/32[udp/l2f] === 217.118.78.104/32[udp/l2f] out (mark 0/0x00000000)
04[KNL] policy still used by another CHILD_SA, not removed
04[KNL] updating policy 95.24.95.95/32[udp/l2f] === 217.118.78.104/32[udp/l2f] out (mark 0/0x00000000)
04[KNL] sending XFRM_MSG_UPDPOLICY: => 248 bytes
04[KNL] 0: F8 00 00 00 19 00 05 00 05 01 00 00 61 17 00 00 ............a...
04[KNL] 16: D9 76 4E 68 00 00 00 00 00 00 00 00 00 00 00 00 .vNh............
04[KNL] 32: 5E F2 09 5E 00 00 00 00 00 00 00 00 00 00 00 00 ^..^............
04[KNL] 48: 06 A5 FF FF 06 A5 FF FF 02 00 20 20 11 00 00 00 .......... ....
04[KNL] 64: 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF ................
04[KNL] 80: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
04[KNL] 96: FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 ................
04[KNL] 112: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04[KNL] 128: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04[KNL] 144: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04[KNL] 160: 00 00 00 00 00 00 00 00 00 0B 00 00 00 00 00 00 ................
04[KNL] 176: 01 00 00 00 44 00 05 00 00 00 00 00 00 00 00 00 ....D...........
04[KNL] 192: 00 00 00 00 00 00 00 00 00 00 00 00 32 00 00 00 ............2...
04[KNL] 208: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04[KNL] 224: 00 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF ................
04[KNL] 240: FF FF FF FF FF FF FF FF ........
04[KNL] deleting policy 217.118.78.104/32[udp/l2f] === 95.24.95.95/32[udp/l2f] in (mark 0/0x00000000)
04[KNL] policy still used by another CHILD_SA, not removed
04[KNL] updating policy 217.118.78.104/32[udp/l2f] === 95.24.95.95/32[udp/l2f] in (mark 0/0x00000000)
04[KNL] sending XFRM_MSG_UPDPOLICY: => 248 bytes
04[KNL] 0: F8 00 00 00 19 00 05 00 06 01 00 00 61 17 00 00 ............a...
04[KNL] 16: 5E F2 09 5E 00 00 00 00 00 00 00 00 00 00 00 00 ^..^............
04[KNL] 32: D9 76 4E 68 00 00 00 00 00 00 00 00 00 00 00 00 .vNh............
04[KNL] 48: 06 A5 FF FF 06 A5 FF FF 02 00 20 20 11 00 00 00 .......... ....
04[KNL] 64: 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF ................
04[KNL] 80: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
04[KNL] 96: FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 ................
04[KNL] 112: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04[KNL] 128: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04[KNL] 144: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04[KNL] 160: 00 00 00 00 00 00 00 00 00 0B 00 00 00 00 00 00 ................
04[KNL] 176: 00 00 00 00 44 00 05 00 00 00 00 00 00 00 00 00 ....D...........
04[KNL] 192: 00 00 00 00 00 00 00 00 00 00 00 00 32 00 00 00 ............2...
04[KNL] 208: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04[KNL] 224: 00 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF ................
04[KNL] 240: FF FF FF FF FF FF FF FF ........
04[KNL] deleting policy 95.24.95.95/32[udp/l2f] === 217.118.78.104/32[udp/l2f] out (mark 0/0x00000000)
04[KNL] policy still used by another CHILD_SA, not removed
04[KNL] deleting policy 217.118.78.104/32[udp/l2f] === 95.24.95.95/32[udp/l2f] in (mark 0/0x00000000)
04[KNL] policy still used by another CHILD_SA, not removed
14[NET] received packet: from 217.118.78.104[18363] to 95.24.95.95[4500] (76 bytes)
14[ENC] parsed INFORMATIONAL_V1 request 2155258099 [ HASH D ]
14[IKE] received DELETE for ESP CHILD_SA with SPI e03a1060
14[KNL] querying SAD entry with SPI ceec8cf2 (mark 0/0x00000000)
14[KNL] sending XFRM_MSG_GETSA: => 40 bytes
14[KNL] 0: 28 00 00 00 12 00 01 00 07 01 00 00 61 17 00 00 (...........a...
14[KNL] 16: 5E F2 09 5E 00 00 00 00 00 00 00 00 00 00 00 00 ^..^............
14[KNL] 32: CE EC 8C F2 02 00 32 00 ......2.
14[KNL] querying SAD entry with SPI e03a1060 (mark 0/0x00000000)
14[KNL] sending XFRM_MSG_GETSA: => 40 bytes
14[KNL] 0: 28 00 00 00 12 00 01 00 08 01 00 00 61 17 00 00 (...........a...
14[KNL] 16: D9 76 4E 68 00 00 00 00 00 00 00 00 00 00 00 00 .vNh............
14[KNL] 32: E0 3A 10 60 02 00 32 00 .:.`..2.
14[IKE] closing CHILD_SA ikev1_l2tp_psk{1} with SPIs ceec8cf2_i (0 bytes) e03a1060_o (0 bytes) and TS 95.24.95.95/32[udp/l2f] === 217.118.78.104/32[udp/l2f]
14[KNL] deleting SAD entry with SPI ceec8cf2 (mark 0/0x00000000)
14[KNL] sending XFRM_MSG_DELSA: => 40 bytes
14[KNL] 0: 28 00 00 00 11 00 05 00 09 01 00 00 61 17 00 00 (...........a...
14[KNL] 16: 5E F2 09 5E 00 00 00 00 00 00 00 00 00 00 00 00 ^..^............
14[KNL] 32: CE EC 8C F2 02 00 32 00 ......2.
14[KNL] deleted SAD entry with SPI ceec8cf2 (mark 0/0x00000000)
14[KNL] deleting SAD entry with SPI e03a1060 (mark 0/0x00000000)
14[KNL] sending XFRM_MSG_DELSA: => 40 bytes
14[KNL] 0: 28 00 00 00 11 00 05 00 0A 01 00 00 61 17 00 00 (...........a...
14[KNL] 16: D9 76 4E 68 00 00 00 00 00 00 00 00 00 00 00 00 .vNh............
14[KNL] 32: E0 3A 10 60 02 00 32 00 .:.`..2.
14[KNL] deleted SAD entry with SPI e03a1060 (mark 0/0x00000000)
14[KNL] deleting policy 95.24.95.95/32[udp/l2f] === 217.118.78.104/32[udp/l2f] out (mark 0/0x00000000)
14[KNL] policy still used by another CHILD_SA, not removed
14[KNL] updating policy 95.24.95.95/32[udp/l2f] === 217.118.78.104/32[udp/l2f] out (mark 0/0x00000000)
14[KNL] sending XFRM_MSG_UPDPOLICY: => 180 bytes
14[KNL] 0: B4 00 00 00 19 00 05 00 0B 01 00 00 61 17 00 00 ............a...
14[KNL] 16: D9 76 4E 68 00 00 00 00 00 00 00 00 00 00 00 00 .vNh............
14[KNL] 32: 5E F2 09 5E 00 00 00 00 00 00 00 00 00 00 00 00 ^..^............
14[KNL] 48: 06 A5 FF FF 06 A5 FF FF 02 00 20 20 11 00 00 00 .......... ....
14[KNL] 64: 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF ................
14[KNL] 80: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
14[KNL] 96: FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 ................
14[KNL] 112: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
14[KNL] 128: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
14[KNL] 144: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
14[KNL] 160: 00 00 00 00 00 00 00 00 00 2F 00 00 00 00 00 00 ........./......
14[KNL] 176: 01 01 00 00 ....
14[KNL] deleting policy 217.118.78.104/32[udp/l2f] === 95.24.95.95/32[udp/l2f] in (mark 0/0x00000000)
14[KNL] policy still used by another CHILD_SA, not removed
14[KNL] updating policy 217.118.78.104/32[udp/l2f] === 95.24.95.95/32[udp/l2f] in (mark 0/0x00000000)
14[KNL] sending XFRM_MSG_UPDPOLICY: => 180 bytes
14[KNL] 0: B4 00 00 00 19 00 05 00 0C 01 00 00 61 17 00 00 ............a...
14[KNL] 16: 5E F2 09 5E 00 00 00 00 00 00 00 00 00 00 00 00 ^..^............
14[KNL] 32: D9 76 4E 68 00 00 00 00 00 00 00 00 00 00 00 00 .vNh............
14[KNL] 48: 06 A5 FF FF 06 A5 FF FF 02 00 20 20 11 00 00 00 .......... ....
14[KNL] 64: 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF ................
14[KNL] 80: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
14[KNL] 96: FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 ................
14[KNL] 112: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
14[KNL] 128: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
14[KNL] 144: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
14[KNL] 160: 00 00 00 00 00 00 00 00 00 2F 00 00 00 00 00 00 ........./......
14[KNL] 176: 00 01 00 00 ....
14[KNL] deleting policy 95.24.95.95/32[udp/l2f] === 217.118.78.104/32[udp/l2f] out (mark 0/0x00000000)
14[KNL] sending XFRM_MSG_DELPOLICY: => 80 bytes
14[KNL] 0: 50 00 00 00 14 00 05 00 0D 01 00 00 61 17 00 00 P...........a...
14[KNL] 16: D9 76 4E 68 00 00 00 00 00 00 00 00 00 00 00 00 .vNh............
14[KNL] 32: 5E F2 09 5E 00 00 00 00 00 00 00 00 00 00 00 00 ^..^............
14[KNL] 48: 06 A5 FF FF 06 A5 FF FF 02 00 20 20 11 00 00 00 .......... ....
14[KNL] 64: 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................
14[KNL] deleting policy 217.118.78.104/32[udp/l2f] === 95.24.95.95/32[udp/l2f] in (mark 0/0x00000000)
14[KNL] sending XFRM_MSG_DELPOLICY: => 80 bytes
14[KNL] 0: 50 00 00 00 14 00 05 00 0E 01 00 00 61 17 00 00 P...........a...
14[KNL] 16: 5E F2 09 5E 00 00 00 00 00 00 00 00 00 00 00 00 ^..^............
14[KNL] 32: D9 76 4E 68 00 00 00 00 00 00 00 00 00 00 00 00 .vNh............
14[KNL] 48: 06 A5 FF FF 06 A5 FF FF 02 00 20 20 11 00 00 00 .......... ....
14[KNL] 64: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15[NET] received packet: from 217.118.78.104[18363] to 95.24.95.95[4500] (92 bytes)
15[ENC] parsed INFORMATIONAL_V1 request 1655262153 [ HASH D ]
15[IKE] received DELETE for IKE_SA ikev1_l2tp_psk[1]
15[IKE] deleting IKE_SA ikev1_l2tp_psk[1] between 95.24.95.95[95.24.95.95]...217.118.78.104[192.168.44.110]
15[IKE] IKE_SA ikev1_l2tp_psk[1] state change: ESTABLISHED => DELETING
15[IKE] IKE_SA ikev1_l2tp_psk[1] state change: DELETING => DELETING
15[IKE] IKE_SA ikev1_l2tp_psk[1] state change: DELETING => DESTROYING
And no connection could be established.
But I stopped strongSwan and xl2tpd and started SoftEther on the same server machine.
And it worked with SoftEther.
From all that I concluded that the reason(s) is/are in strongSwan itself.
#4 Updated by Alex Brew almost 11 years ago
I tested one Win 7 client PC via other cell carrier access.
It failed to connect using both l2tp/psk and l2tp/ipsec-cert, and "policy still used by another CHILD_SA, not removed" was logged.
I tried switching off the firewall (Kaspersky Endpoint Security 10) but there was no difference.
strongSwan 5.2.1dr1 from Sep 24 was used.
Regarding ikev2, error 13801 was received.
Regarding Win XP, l2tp/psk and l2tp/ipsec-cert connections from Win XP behind NAT worked, but at the same time an l2tp/ipsec-cert connection from Win 7 behind the same NAT failed.
#5 Updated by Alex Brew almost 11 years ago
I have achieved working connections from Win XP and Win 7 with l2tp/psk and l2tp/cert.
There is one more important condition, besides the right configuration in the conf files and the right certificate, that has to be met for it to start working.
If it is interesting I will put it here. In short, it is necessary to set one registry value.
So, the different packet sizes posted above were obtained without the value set. With this value all is OK.
Moreover, SoftEther worked fine and correctly with l2tp/psk without setting this Windows registry value (it doesn't support l2tp/cert as far as I know), and worked with the same clients behind the same NATs (which were tested and didn't work with strongSwan without the registry value set).
Consequently, the reason was and is not in the NAT device but in strongSwan itself; that is, as I assume, packet size doesn't matter in some way for SoftEther while it handles it, or it handles it in a different manner (there is a user-space IPsec module or stack, as far as I know).
Moreover, as I wrote, SoftEther supports multiple connections from Windows clients behind the same NAT at the same time, at least using l2tp/psk.
Maybe the strongSwan developer team will pay more attention to this case.
P.S.: Besides this, I still couldn't get Win 7 working with ikev2-machine-cert or ikev2-mschapv2.
#6 Updated by Tobias Brunner almost 11 years ago
If it is interesting I will put it here. Shortly, there is necessary to set up one registry value.
Please post information about the actual registry key here, might be useful for other users.
May be Strongswan developer team will increase attention to this case.
No, we currently have no interest in putting any efforts into the L2TP use case. See #365-1 for a description of the underlying problem with multiple clients behind the same NAT.
#7 Updated by Alex Brew almost 11 years ago
To get l2tp/psk and l2tp/cert connections working from Win XP/7 clients (I tested it on those OSes, haven't tested on Win 8 yet) behind NAT, besides a correctly configured strongSwan and a correctly issued certificate, you have to set the DWORD value 'AssumeUDPEncapsulationContextOnSendRule' in the Windows registry:
- for Win XP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
- for Win 7:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
to the value 2.
I don't know whether it affects ikev2 or not.
I haven't got the ikev2 case working yet, either without or with the registry value.
Regarding the link you posted, I have one thing to say: but with SoftEther it works.
That is, it is possible at all, and there are no troubles with the same policy, the same port and so on. Moreover, I assigned two different users different IPs and both clients connected fine and consequently had 2 different IPs (Win XP and Win 7).
Maybe you will add such an ability for some fee?
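The registry change above, as a check-then-set script for the Windows client; this is an added example, not part of this issue, of strongSwan or of Microsoft's tooling. The two key paths and the value 2 are the ones posted in this thread; choosing the key by Windows NT major version (5.x for XP, 6.x and later for Win 7) is an assumption that generalises those two posts, and the `reg.exe` output format it parses (`<name>    REG_DWORD    0x<hex>`) is the one reg.exe prints. Run it elevated on the client; the change takes effect after a reboot. Note that Microsoft leaves this value unset by default, so set it only on clients that need L2TP/IPsec through NAT. The sample `reg query` output is constructed.

```python
"""Check and, if needed, set AssumeUDPEncapsulationContextOnSendRule on a
Windows L2TP/IPsec client.

Added example (not from this issue, strongSwan or Microsoft). Key paths and
the value 2 are those posted in the thread; selecting the key by NT major
version and the reg.exe output format are assumptions noted inline.
"""
import re
import subprocess
import sys

VALUE_NAME = "AssumeUDPEncapsulationContextOnSendRule"
WANTED = 2   # value posted in this thread (client and server may both be behind NAT)


def registry_key(nt_major: int) -> str:
    """Assumption: NT 5.x (XP) uses the IPSec service key, NT 6.x+ (Win 7) PolicyAgent."""
    if nt_major < 6:
        return r"HKLM\SYSTEM\CurrentControlSet\Services\IPSec"
    return r"HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent"


# reg.exe prints "    <name>    REG_DWORD    0x2" for a DWORD value (assumed format).
_DWORD_RE = re.compile(r"^\s*" + re.escape(VALUE_NAME) + r"\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$",
                       re.MULTILINE)


def parse_reg_query(output: str):
    """Return the DWORD from `reg query` output, or None if the value is absent."""
    m = _DWORD_RE.search(output)
    return int(m.group(1), 16) if m else None


def reg_add_command(key: str, value: int = WANTED) -> list:
    """Command line that creates/overwrites the DWORD value (/f = no prompt)."""
    return ["reg", "add", key, "/v", VALUE_NAME, "/t", "REG_DWORD", "/d", str(value), "/f"]


def current_value(key: str):
    proc = subprocess.run(["reg", "query", key, "/v", VALUE_NAME],
                          capture_output=True, text=True)
    return parse_reg_query(proc.stdout) if proc.returncode == 0 else None


def ensure(value: int = WANTED) -> bool:
    """Set the value if it is missing or different. Returns True if a change was made.
    Must run elevated on the Windows client; the setting applies after a reboot."""
    if sys.platform != "win32":
        raise RuntimeError("run this on the Windows L2TP/IPsec client")
    key = registry_key(sys.getwindowsversion().major)
    if current_value(key) == value:
        return False
    subprocess.run(reg_add_command(key, value), check=True)
    return True


# Constructed sample of reg.exe output for a Win 7 client that already has the value.
SAMPLE_REG_QUERY = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\PolicyAgent
    AssumeUDPEncapsulationContextOnSendRule    REG_DWORD    0x2
"""

if __name__ == "__main__":
    changed = ensure()
    print("value set, reboot the client" if changed else "already set")
```

If you manage many clients, the same `reg add` line can go into a GPO startup script; the parser lets a script report which machines still lack the value before you touch them.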
#8 Updated by Alex Brew almost 11 years ago
Regarding IKEv2, Win 7 displays the following result with the certificate that Win XP/7 works with:
10[IKE] no virtual IP found for %any6 requested by 'C=RU, ST=NW, L=City, O=My, OU=Main, CN=client.my.net, N=Clients, E=admin@my.net'
10[IKE] building INTERNAL_IP4_DNS attribute
10[IKE] building INTERNAL_IP4_NBNS attribute
10[IKE] building INTERNAL_IP4_DNS attribute
10[IKE] building INTERNAL_IP4_NBNS attribute
10[KNL] getting SPI for reqid {1}
10[KNL] sending XFRM_MSG_ALLOCSPI: => 244 bytes
10[KNL] 0: F4 00 00 00 16 00 01 00 C9 00 00 00 39 20 00 00 ............9 ..
10[KNL] 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
10[KNL] 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
10[KNL] 48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
10[KNL] 64: 00 00 00 00 00 00 00 00 5E F2 09 5E 00 00 00 00 ........^..^....
10[KNL] 80: 00 00 00 00 00 00 00 00 00 00 00 00 32 00 00 00 ............2...
10[KNL] 96: 05 12 62 35 00 00 00 00 00 00 00 00 00 00 00 00 ..b5............
10[KNL] 112: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
10[KNL] 128: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
10[KNL] 144: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
10[KNL] 160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
10[KNL] 176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
10[KNL] 192: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
10[KNL] 208: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
10[KNL] 224: 01 00 00 00 02 00 01 00 00 00 00 00 00 00 00 C0 ................
10[KNL] 240: FF FF FF CF ....
10[KNL] got SPI c1b86622 for reqid {1}
10[KNL] adding SAD entry with SPI c1b86622 and reqid {1} (mark 0/0x00000000)
10[KNL] using encryption algorithm AES_CBC with key size 256
10[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
10[KNL] using replay window of 32 packets
10[KNL] sending XFRM_MSG_UPDSA: => 460 bytes @ 0xb2412adc
10[KNL] adding SAD entry with SPI 04a6de9f and reqid {1} (mark 0/0x00000000)
10[KNL] using encryption algorithm AES_CBC with key size 256
10[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
10[KNL] using replay window of 32 packets
10[KNL] sending XFRM_MSG_NEWSA: => 460 bytes @ 0xb2412adc
10[KNL] adding policy 10.10.2.0/24 === 10.10.2.20/32 out (mark 0/0x00000000)
10[KNL] sending XFRM_MSG_NEWPOLICY: => 180 bytes @ 0xb2412a7c
10[KNL] adding policy 10.10.2.20/32 === 10.10.2.0/24 in (mark 0/0x00000000)
10[KNL] sending XFRM_MSG_NEWPOLICY: => 180 bytes
10[KNL] adding policy 10.10.2.20/32 === 10.10.2.0/24 fwd (mark 0/0x00000000)
10[KNL] sending XFRM_MSG_NEWPOLICY: => 180 bytes @ 0xb2412a7c
10[KNL] getting a local address in traffic selector 10.10.2.0/24
10[KNL] no local address found in traffic selector 10.10.2.0/24
10[KNL] policy 10.10.2.0/24 === 10.10.2.20/32 out (mark 0/0x00000000) already exists, increasing refcount
10[KNL] updating policy 10.10.2.0/24 === 10.10.2.20/32 out (mark 0/0x00000000)
10[KNL] sending XFRM_MSG_UPDPOLICY: => 248 bytes
10[KNL] policy 10.10.2.20/32 === 10.10.2.0/24 in (mark 0/0x00000000) already exists, increasing refcount
10[KNL] updating policy 10.10.2.20/32 === 10.10.2.0/24 in (mark 0/0x00000000)
10[KNL] sending XFRM_MSG_UPDPOLICY: => 248 bytes @ 0xb2412a7c
10[KNL] policy 10.10.2.20/32 === 10.10.2.0/24 fwd (mark 0/0x00000000) already exists, increasing refcount
10[KNL] updating policy 10.10.2.20/32 === 10.10.2.0/24 fwd (mark 0/0x00000000)
10[KNL] sending XFRM_MSG_UPDPOLICY: => 248 bytes
10[KNL] getting a local address in traffic selector 10.10.2.0/24
10[KNL] no local address found in traffic selector 10.10.2.0/24
10[IKE] CHILD_SA ikev2_machine_cert{1} established with SPIs c1b86622_i 04a6de9f_o and TS 10.10.2.0/24 === 10.10.2.20/32
10[KNL] 95.95.9.95 is on interface wan0
10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
10[NET] sending packet: from 95.95.9.95[4500] to 5.18.98.53[4500] (1500 bytes)
Where can the reason be that the connection is not established?
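As an added example (not from this thread or the strongSwan project), a small triage script that reduces a charon debug log like the one above to the facts worth reading: the CHILD_SA with its SPIs and traffic selectors, the XFRM policies installed, the payloads of the last generated message, the last packet sent and the "no ..." notices, while skipping the netlink hex dumps. The regular expressions are my own and the sample lines are constructed in the shape of the quoted log.

```python
import re

# Constructed sample in the shape of the charon lines quoted above; one XFRM
# hex-dump line is included to show that it is filtered out, not parsed.
SAMPLE_LOG = """\
10[IKE] no virtual IP found for %any6 requested by 'C=RU, CN=client.my.net'
10[KNL] sending XFRM_MSG_ALLOCSPI: => 244 bytes
10[KNL]   0: F4 00 00 00 16 00 01 00 C9 00 00 00 39 20 00 00  ............9 ..
10[KNL] got SPI c1b86622 for reqid {1}
10[KNL] adding policy 10.10.2.0/24 === 10.10.2.20/32 out (mark 0/0x00000000)
10[KNL] adding policy 10.10.2.20/32 === 10.10.2.0/24 in (mark 0/0x00000000)
10[KNL] adding policy 10.10.2.20/32 === 10.10.2.0/24 fwd (mark 0/0x00000000)
10[KNL] no local address found in traffic selector 10.10.2.0/24
10[IKE] CHILD_SA ikev2_machine_cert{1} established with SPIs c1b86622_i 04a6de9f_o and TS 10.10.2.0/24 === 10.10.2.20/32
10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
10[NET] sending packet: from 95.95.9.95[4500] to 5.18.98.53[4500] (1500 bytes)
"""

LINE = re.compile(r"^(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+(?P<msg>.*)$")
HEXDUMP = re.compile(r"^\d+:(?: [0-9A-F]{2})+")
CHILD_SA = re.compile(r"CHILD_SA (\S+)\{\d+\} established with SPIs (\w+)_i (\w+)_o and TS (\S+) === (\S+)")
POLICY = re.compile(r"adding policy (\S+) === (\S+) (out|in|fwd)")
PACKET = re.compile(r"sending packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\] \((\d+) bytes\)")
PAYLOADS = re.compile(r"generating (\S+) (request|response) \d+ \[ (.*) \]")

def triage(log):
    """Reduce a charon debug log to the facts that matter when a client never comes up."""
    out = {"child_sas": [], "policies": [], "notices": [], "payloads": {},
           "last_packet": None, "dump_lines": 0}
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        if HEXDUMP.match(msg):           # raw netlink bytes: count them, do not parse them
            out["dump_lines"] += 1
        elif (c := CHILD_SA.search(msg)):
            name, spi_i, spi_o, ts_local, ts_remote = c.groups()
            out["child_sas"].append({"name": name, "spi_in": spi_i, "spi_out": spi_o,
                                     "ts": (ts_local, ts_remote)})
        elif (p := POLICY.search(msg)):  # (src, dst, direction) as installed in the kernel SPD
            out["policies"].append(p.groups())
        elif (k := PACKET.search(msg)):  # keep only the last packet sent
            out["last_packet"] = {"src": f"{k[1]}:{k[2]}", "dst": f"{k[3]}:{k[4]}", "bytes": int(k[5])}
        elif (e := PAYLOADS.search(msg)):  # e.g. CPRP in IKE_AUTH response = config reply went out
            out["payloads"][f"{e[1]} {e[2]}"] = e[3].split()
        elif msg.startswith("no "):      # "no virtual IP found ...", "no local address found ..."
            out["notices"].append(msg)
    return out
```

Run `triage()` over the full log to see at a glance that the server side reached CHILD_SA establishment and sent the IKE_AUTH response, which narrows where to look next.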
#9 Updated by Tobias Brunner almost 11 years ago
- Status changed from Feedback to Closed
#10 Updated by Tobias Brunner almost 11 years ago
- Related to Issue #744: I 'won' Strongswan 5.1.2, now Win XP works with l2tp/cert, Win7 works with l2tp/cert, ikev2/machine, ikev2/eap-mschapv2 with the same certificate! added