Issue #360

Updated by Tobias Brunner about 12 years ago

I don't exactly know if this is my final issue. I feel like I've been chasing issues for the last week. I'm running Ubuntu 12.04 and strongSwan 5.0.4. For whatever reason I couldn't get PSK or XAUTHPSK to connect, but that's in the past. Most recently I couldn't get ipsec pki to create certificates appropriately; I believe I've solved that with OpenSSL. Anyway, assuming I have all the packages and configurations needed, here's what I have. Any advice would be hugely appreciated.

*/etc/ipsec.conf*

<pre>
# ipsec.conf - strongSwan IPsec configuration file

config setup
    plutostart=yes
    nat_traversal=yes

conn ios
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=server.pem
    right=%any
    rightsubnet=192.168.0.0/24
    rightsourceip=192.168.0.14
    rightcert=client.pem
    pfs=no
    auto=add
</pre>

*/etc/ipsec.secrets*

<pre>
# /etc/ipsec.secrets - strongSwan IPsec secrets file

192.168.0.14 : RSA server.key
ctuser : XAUTH "********"
</pre>

*/etc/strongswan.conf*

<pre>
# strongswan.conf - strongSwan configuration file

charon {
    load = x509 pem pkcs1 aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
    dns1 = 192.168.0.1
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            append = no
            default = 1
            flush_line = yes
        }
    }
}

libstrongswan {
    dh_exponent_ansi_x9_42 = no
    integrity_test = no
    crypto_test {
        on_add = yes
    }
    x509 {
        enforce_critical = no
    }
}
</pre>

*/var/log/charon.log*

<pre>
Jul 16 16:42:45 00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 3.2.0-29-generic-pae, i686)
Jul 16 16:42:45 00[LIB] enabled AES_CBC[aes]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled AES_CBC[aes]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled AES_CBC[aes]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled 3DES_CBC[des]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled DES_CBC[des]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled DES_ECB[des]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled HASH_SHA1[sha1]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled PRF_KEYED_SHA1[sha1]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled HASH_SHA224[sha2]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled HASH_SHA256[sha2]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled HASH_SHA384[sha2]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled HASH_SHA512[sha2]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled HASH_MD5[md5]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled RNG_STRONG[random]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled RNG_TRUE[random]: skipping test (disabled by config)
Jul 16 16:42:45 00[LIB] enabled PRF_HMAC_SHA1[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled PRF_HMAC_MD5[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled PRF_HMAC_SHA2_256[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled PRF_HMAC_SHA2_384[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled PRF_HMAC_SHA2_512[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled HMAC_SHA1_96[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled HMAC_SHA1_128[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled HMAC_SHA1_160[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled HMAC_MD5_96[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled HMAC_MD5_128[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled HMAC_SHA2_256_128[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled HMAC_SHA2_256_256[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled HMAC_SHA2_384_192[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled HMAC_SHA2_384_384[hmac]: no test vectors found
Jul 16 16:42:45 00[LIB] enabled HMAC_SHA2_512_256[hmac]: no test vectors found
Jul 16 16:42:45 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 16 16:42:45 00[LIB] mapping '/etc/ipsec.d/cacerts/caCert.pem' failed: Invalid argument
Jul 16 16:42:45 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 3 builders
Jul 16 16:42:45 00[CFG] loading ca certificate from '/etc/ipsec.d/cacerts/caCert.pem' failed
Jul 16 16:42:45 00[CFG] loaded ca certificate "C=US, ST=Ohio, L=Cincinnati, O=Columbitech, OU=test, CN=strongswan" from '/etc/ipsec.d/cacerts/ca.pem'
Jul 16 16:42:45 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 16 16:42:45 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 16 16:42:45 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 16 16:42:45 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 16 16:42:45 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 16 16:42:45 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/server.key'
Jul 16 16:42:45 00[CFG] loaded EAP secret for user
Jul 16 16:42:45 00[DMN] loaded plugins: charon x509 pem pkcs1 aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
Jul 16 16:42:45 00[JOB] spawning 16 worker threads
Jul 16 16:42:45 13[CFG] received stroke: add connection 'ios'
Jul 16 16:42:45 13[CFG] left nor right host is our side, assuming left=local
Jul 16 16:42:45 13[CFG] adding virtual IP address pool 192.168.0.14
Jul 16 16:42:45 13[CFG] loaded certificate "C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com" from 'server.pem'
Jul 16 16:42:45 13[CFG] id '%any' not confirmed by certificate, defaulting to 'C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com'
Jul 16 16:42:45 13[CFG] loaded certificate "C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com" from 'client.pem'
Jul 16 16:42:45 13[CFG] id '%any' not confirmed by certificate, defaulting to 'C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com'
Jul 16 16:42:45 13[CFG] added configuration 'ios'
Jul 16 16:42:55 15[NET] received packet: from 71.72.220.100[500] to 192.168.0.14[500] (668 bytes)
Jul 16 16:42:55 15[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Jul 16 16:42:55 15[IKE] received NAT-T (RFC 3947) vendor ID
Jul 16 16:42:55 15[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Jul 16 16:42:55 15[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Jul 16 16:42:55 15[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Jul 16 16:42:55 15[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Jul 16 16:42:55 15[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Jul 16 16:42:55 15[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Jul 16 16:42:55 15[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jul 16 16:42:55 15[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jul 16 16:42:55 15[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 16 16:42:55 15[IKE] received XAuth vendor ID
Jul 16 16:42:55 15[IKE] received Cisco Unity vendor ID
Jul 16 16:42:55 15[IKE] received FRAGMENTATION vendor ID
Jul 16 16:42:55 15[IKE] received DPD vendor ID
Jul 16 16:42:55 15[IKE] 71.72.220.100 is initiating a Main Mode IKE_SA
Jul 16 16:42:55 15[ENC] generating ID_PROT response 0 [ SA V V V ]
Jul 16 16:42:55 15[NET] sending packet: from 192.168.0.14[500] to 71.72.220.100[500] (136 bytes)
Jul 16 16:42:55 05[NET] received packet: from 71.72.220.100[500] to 192.168.0.14[500] (292 bytes)
Jul 16 16:42:55 05[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 16 16:42:55 05[IKE] local host is behind NAT, sending keep alives
Jul 16 16:42:55 05[IKE] remote host is behind NAT
Jul 16 16:42:55 05[IKE] sending cert request for "C=US, ST=Ohio, L=Cincinnati, O=Columbitech, OU=test, CN=strongswan"
Jul 16 16:42:55 05[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Jul 16 16:42:55 05[NET] sending packet: from 192.168.0.14[500] to 71.72.220.100[500] (422 bytes)
Jul 16 16:42:56 16[NET] received packet: from 71.72.220.100[4500] to 192.168.0.14[4500] (796 bytes)
Jul 16 16:42:56 16[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Jul 16 16:42:56 16[IKE] ignoring certificate request without data
Jul 16 16:42:56 16[IKE] received end entity cert "C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com"
Jul 16 16:42:56 16[CFG] looking for XAuthInitRSA peer configs matching 192.168.0.14...71.72.220.100[test]
Jul 16 16:42:56 16[IKE] no peer config found
Jul 16 16:42:56 16[ENC] generating INFORMATIONAL_V1 request 3901007406 [ HASH N(AUTH_FAILED) ]
Jul 16 16:42:56 16[NET] sending packet: from 192.168.0.14[4500] to 71.72.220.100[4500] (92 bytes)
Jul 17 00:17:05 15[NET] received packet: from 175.223.52.165[20423] to 192.168.0.14[500] (968 bytes)
Jul 17 00:17:05 15[ENC] parsed ID_PROT request 0 [ SA V V V V V V V ]
Jul 17 00:17:05 15[ENC] received unknown vendor ID: 2c:18:29:2c:67:5f:bf:1c:9c:ad:0e:9f:ea:7c:05:10
Jul 17 00:17:05 15[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jul 17 00:17:05 15[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 17 00:17:05 15[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jul 17 00:17:05 15[IKE] received NAT-T (RFC 3947) vendor ID
Jul 17 00:17:05 15[IKE] received XAuth vendor ID
Jul 17 00:17:05 15[IKE] received DPD vendor ID
Jul 17 00:17:05 15[IKE] 175.223.52.165 is initiating a Main Mode IKE_SA
Jul 17 00:17:05 15[ENC] generating ID_PROT response 0 [ SA V V V ]
Jul 17 00:17:05 15[NET] sending packet: from 192.168.0.14[500] to 175.223.52.165[20423] (148 bytes)
Jul 17 00:17:05 05[NET] received packet: from 175.223.52.165[20423] to 192.168.0.14[500] (228 bytes)
Jul 17 00:17:05 05[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 17 00:17:05 05[IKE] local host is behind NAT, sending keep alives
Jul 17 00:17:05 05[IKE] remote host is behind NAT
Jul 17 00:17:05 05[IKE] no shared key found for 'C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com'[192.168.0.14] - 'C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com'[175.223.52.165]
Jul 17 00:17:05 05[IKE] no shared key found for 192.168.0.14 - 175.223.52.165
Jul 17 00:17:05 05[ENC] generating INFORMATIONAL_V1 request 3167107593 [ N(INVAL_KE) ]
Jul 17 00:17:05 05[NET] sending packet: from 192.168.0.14[500] to 175.223.52.165[20423] (56 bytes)
Jul 17 00:17:15 16[NET] received packet: from 175.223.52.165[20423] to 192.168.0.14[500] (968 bytes)
Jul 17 00:17:15 16[ENC] parsed ID_PROT request 0 [ SA V V V V V V V ]
Jul 17 00:17:15 16[ENC] received unknown vendor ID: 2c:18:29:2c:67:5f:bf:1c:9c:ad:0e:9f:ea:7c:05:10
Jul 17 00:17:15 16[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jul 17 00:17:15 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 17 00:17:15 16[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jul 17 00:17:15 16[IKE] received NAT-T (RFC 3947) vendor ID
Jul 17 00:17:15 16[IKE] received XAuth vendor ID
Jul 17 00:17:15 16[IKE] received DPD vendor ID
Jul 17 00:17:15 16[IKE] 175.223.52.165 is initiating a Main Mode IKE_SA
Jul 17 00:17:15 16[ENC] generating ID_PROT response 0 [ SA V V V ]
Jul 17 00:17:15 16[NET] sending packet: from 192.168.0.14[500] to 175.223.52.165[20423] (148 bytes)
Jul 17 00:17:15 04[NET] received packet: from 175.223.52.165[20423] to 192.168.0.14[500] (968 bytes)
Jul 17 00:17:15 04[IKE] received retransmit of request with ID 0, retransmitting response
Jul 17 00:17:15 04[NET] sending packet: from 192.168.0.14[500] to 175.223.52.165[20423] (148 bytes)
Jul 17 00:17:15 03[NET] received packet: from 175.223.52.165[20423] to 192.168.0.14[500] (228 bytes)
Jul 17 00:17:15 03[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 17 00:17:15 03[IKE] local host is behind NAT, sending keep alives
Jul 17 00:17:15 03[IKE] remote host is behind NAT
Jul 17 00:17:15 03[IKE] no shared key found for 'C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com'[192.168.0.14] - 'C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com'[175.223.52.165]
Jul 17 00:17:15 03[IKE] no shared key found for 192.168.0.14 - 175.223.52.165
Jul 17 00:17:15 03[ENC] generating INFORMATIONAL_V1 request 162754795 [ N(INVAL_KE) ]
Jul 17 00:17:15 03[NET] sending packet: from 192.168.0.14[500] to 175.223.52.165[20423] (56 bytes)
Jul 17 08:49:40 15[NET] received packet: from 71.72.220.100[500] to 192.168.0.14[500] (476 bytes)
Jul 17 08:49:40 15[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Jul 17 08:49:40 15[IKE] received NAT-T (RFC 3947) vendor ID
Jul 17 08:49:40 15[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jul 17 08:49:40 15[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 17 08:49:40 15[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Jul 17 08:49:40 15[IKE] received XAuth vendor ID
Jul 17 08:49:40 15[IKE] received Cisco Unity vendor ID
Jul 17 08:49:40 15[IKE] received FRAGMENTATION vendor ID
Jul 17 08:49:40 15[IKE] received DPD vendor ID
Jul 17 08:49:40 15[IKE] 71.72.220.100 is initiating a Main Mode IKE_SA
Jul 17 08:49:40 15[ENC] generating ID_PROT response 0 [ SA V V V ]
Jul 17 08:49:40 15[NET] sending packet: from 192.168.0.14[500] to 71.72.220.100[500] (136 bytes)
Jul 17 08:49:40 05[NET] received packet: from 71.72.220.100[500] to 192.168.0.14[500] (228 bytes)
Jul 17 08:49:40 05[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 17 08:49:40 05[IKE] local host is behind NAT, sending keep alives
Jul 17 08:49:40 05[IKE] remote host is behind NAT
Jul 17 08:49:40 05[IKE] sending cert request for "C=US, ST=Ohio, L=Cincinnati, O=Columbitech, OU=test, CN=strongswan"
Jul 17 08:49:40 05[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Jul 17 08:49:40 05[NET] sending packet: from 192.168.0.14[500] to 71.72.220.100[500] (358 bytes)
Jul 17 08:49:40 16[NET] received packet: from 71.72.220.100[4500] to 192.168.0.14[4500] (876 bytes)
Jul 17 08:49:40 16[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ ]
Jul 17 08:49:40 16[IKE] ignoring certificate request without data
Jul 17 08:49:40 16[IKE] received end entity cert "C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com"
Jul 17 08:49:40 16[CFG] looking for XAuthInitRSA peer configs matching 192.168.0.14...71.72.220.100[C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com]
Jul 17 08:49:40 16[CFG] selected peer config "ios"
Jul 17 08:49:40 16[CFG] using trusted ca certificate "C=US, ST=Ohio, L=Cincinnati, O=Columbitech, OU=test, CN=strongswan"
Jul 17 08:49:40 16[CFG] reached self-signed root ca with a path length of 0
Jul 17 08:49:40 16[CFG] using trusted certificate "C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com"
Jul 17 08:49:40 16[IKE] authentication of 'C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com' with RSA successful
Jul 17 08:49:40 16[IKE] authentication of 'C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com' (myself) successful
Jul 17 08:49:40 16[IKE] sending end entity cert "C=US, ST=OH, L=Cincinnati, O=Columbitech, CN=demo.columbitech.com"
Jul 17 08:49:40 16[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Jul 17 08:49:40 16[NET] sending packet: from 192.168.0.14[4500] to 71.72.220.100[4500] (860 bytes)
Jul 17 08:49:40 16[CFG] no XAuth method found
</pre>
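As an added example (not part of this issue or of strongSwan itself), a small Python triage of the charon filelog format configured above: it maps each worker thread to the remote address it last received a packet from, attributes the "no peer config found", "no shared key found", "no XAuth method found" and AUTH_FAILED/INVAL_KE lines to that peer, and separates the main thread's credential-loading failures. The readings in FAILURE_MARKERS are my own notes rather than daemon output, and the xauth-generic hint assumes the restricted load= list in strongswan.conf is what left xauth=server without a backend.

```python
import re
from collections import defaultdict

# Charon filelog line with time_format = %b %e %T, e.g. "Jul 16 16:42:56 16[IKE] no peer config found"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<thread>\d+)\[(?P<group>\w+)\] (?P<msg>.*)$")
# NET line telling us which remote address a worker thread is currently serving
PEER_RE = re.compile(r"received packet: from (?P<ip>[\d.]+)\[\d+\]")

# Messages after which an IKEv1 attempt yields no tunnel, with a defender's reading of each (my notes)
FAILURE_MARKERS = {
    "no peer config found": "no conn matched the identity the peer presented",
    "no shared key found": "peer negotiated PSK but ipsec.secrets holds no matching secret",
    "no XAuth method found": "xauth=server but no XAuth backend plugin (e.g. xauth-generic) in load=",
    "N(AUTH_FAILED)": "AUTH_FAILED notify sent to peer",
    "N(INVAL_KE)": "INVAL_KE notify sent to peer",
}

def triage(lines):
    """Return ({peer_ip: [reasons]}, [startup problems]) for a charon log excerpt."""
    peer_of_thread = {}  # worker thread -> last remote address it received a packet from
    failures, startup = defaultdict(list), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, group, msg = m.group("thread"), m.group("group"), m.group("msg")
        pm = PEER_RE.search(msg)
        if pm:
            peer_of_thread[thread] = pm.group("ip")
        # thread 00 is the main thread: CFG/LIB failures there are credential-loading problems
        if thread == "00" and group in ("CFG", "LIB") and "failed" in msg:
            startup.append(msg)
            continue
        for marker, reason in FAILURE_MARKERS.items():
            if marker in msg:
                peer = peer_of_thread.get(thread, "unknown")
                if reason not in failures[peer]:
                    failures[peer].append(reason)
    return dict(failures), startup

# Constructed sample: lines copied from the log posted above
SAMPLE_LOG = """\
Jul 16 16:42:45 00[CFG] loading ca certificate from '/etc/ipsec.d/cacerts/caCert.pem' failed
Jul 16 16:42:56 16[NET] received packet: from 71.72.220.100[4500] to 192.168.0.14[4500] (796 bytes)
Jul 16 16:42:56 16[IKE] no peer config found
Jul 16 16:42:56 16[ENC] generating INFORMATIONAL_V1 request 3901007406 [ HASH N(AUTH_FAILED) ]
Jul 17 00:17:05 05[NET] received packet: from 175.223.52.165[20423] to 192.168.0.14[500] (228 bytes)
Jul 17 00:17:05 05[IKE] no shared key found for 192.168.0.14 - 175.223.52.165
Jul 17 00:17:05 05[ENC] generating INFORMATIONAL_V1 request 3167107593 [ N(INVAL_KE) ]
Jul 17 08:49:40 16[NET] received packet: from 71.72.220.100[4500] to 192.168.0.14[4500] (876 bytes)
Jul 17 08:49:40 16[CFG] no XAuth method found
""".splitlines()
```

Running triage(SAMPLE_LOG) attributes the Jul 16 AUTH_FAILED and the Jul 17 "no XAuth method found" to 71.72.220.100, the PSK/INVAL_KE exchange to 175.223.52.165, and lists the caCert.pem load failure separately.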
