strongSwan Connection Status and Log Information

With ipsec start, the charon IKEv2 daemon is started, the win7 connection definition is loaded, and the win7 virtual IP address pool consisting of 255 addresses is created.

May 12 05:49:37 koala charon: 01[DMN] starting charon (strongSwan Version 4.3.1rc2) 
May 12 05:49:37 koala charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' 
May 12 05:49:37 koala charon: 01[LIB]   loaded certificate file '/etc/ipsec.d/cacerts/strongswan-2009Cert.pem' 
May 12 05:49:37 koala charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' 
May 12 05:49:37 koala charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' 
May 12 05:49:37 koala charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' 
May 12 05:49:37 koala charon: 01[CFG] loading crls from '/etc/ipsec.d/crls' 
May 12 05:49:37 koala charon: 01[CFG] loading secrets from '/etc/ipsec.secrets' 
May 12 05:49:37 koala charon: 01[CFG]   loaded private key file '/etc/ipsec.d/private/vpnKey.pem' 
May 12 05:49:37 koala charon: 01[CFG]   loaded EAP secret for carol 
May 12 05:49:37 koala charon: 01[CFG]   loaded EAP secret for dave  
May 12 05:49:37 koala charon: 01[DMN] loaded plugins: curl aes des sha1 sha2 md4 md5 random x509 pubkey xcbc hmac gmp kernel-netlink stroke eapidentity eapmschapv2   
May 12 05:49:37 koala charon: 01[KNL] listening on interfaces: 
May 12 05:49:37 koala charon: 01[KNL]   eth1 
May 12 05:49:37 koala charon: 01[KNL]     10.10.0.1 
May 12 05:49:37 koala charon: 01[KNL]     fe80::20d:88ff:fe3c:30fc 
May 12 05:49:37 koala charon: 01[KNL]   eth2 
May 12 05:49:37 koala charon: 01[KNL]     10.10.1.1 
May 12 05:49:37 koala charon: 01[KNL]     fe80::20d:88ff:fe3c:30f9 
May 12 05:49:37 koala charon: 01[KNL]   eth0 
May 12 05:49:37 koala charon: 01[KNL]     77.56.157.148 
May 12 05:49:37 koala charon: 01[KNL]     fe80::219:99ff:fe47:f06c 
May 12 05:49:37 koala charon: 01[JOB] spawning 16 worker threads 
May 12 05:49:37 koala charon: 03[CFG] received stroke: add connection 'win7' 
May 12 05:49:37 koala charon: 03[CFG] left nor right host is our side, assuming left=local 
May 12 05:49:37 koala charon: 03[LIB]   loaded certificate file '/etc/ipsec.d/certs/vpnCert.pem' 
May 12 05:49:37 koala charon: 03[CFG] added configuration 'win7' 
May 12 05:49:37 koala charon: 03[CFG] adding virtual IP address pool 'win7': 10.10.3.0/24 

On the Windows 7 client the VPN connection is started by pressing the Connect button, which causes a login window to appear prompting for User name, Password, and optional Domain. The strongSwan log shows the Windows 7 client announcing MOBIKE support and the rather lengthy ensuing EAP-MSCHAP v2 protocol.

May 12 05:49:55 koala charon: 12[NET] received packet: from 10.10.0.6[500] to 10.10.0.1[500] 
May 12 05:49:55 koala charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 
May 12 05:49:55 koala charon: 12[IKE] 10.10.0.6 is initiating an IKE_SA 
May 12 05:49:56 koala charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ] 
May 12 05:49:56 koala charon: 12[NET] sending packet: from 10.10.0.1[500] to 10.10.0.6[500] 
May 12 05:49:56 koala charon: 13[NET] received packet: from 10.10.0.6[4500] to 10.10.0.1[4500] 
May 12 05:49:56 koala charon: 13[ENC] unknown attribute type INTERNAL_IP4_SERVER 
May 12 05:49:56 koala charon: 13[ENC] unknown attribute type INTERNAL_IP6_SERVER 
May 12 05:49:56 koala charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ] 
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4 
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15 
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d 
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb 
May 12 05:49:56 koala charon: 13[IKE] received cert request for "C=CH, O=strongSwan Project, CN=strongSwan 2009 CA" 
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 34:4f:30:2d:25:69:31:91:ea:f7:73:5c:ab:f5:86:8d:37:82:40:ec 
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 3e:df:29:0c:c1:f5:cc:73:2c:eb:3d:24:e1:7e:52:da:bd:27:e2:f0 
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 59:79:12:de:61:75:d6:6f:c4:23:b7:77:13:74:c7:96:de:6f:88:72 
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 55:e4:81:d1:11:80:be:d8:89:b9:08:a3:31:f9:a1:24:09:16:b9:70 
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77 
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 5f:f3:24:6c:8f:91:24:af:9b:5f:3e:b0:34:6a:f4:2d:5c:a8:5d:cc 
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77 
May 12 05:49:56 koala charon: 13[CFG] looking for peer configs matching 10.10.0.1[%any]...10.10.0.6[10.10.0.6] 
May 12 05:49:56 koala charon: 13[CFG] selected peer config 'win7' 
May 12 05:49:56 koala charon: 13[IKE] initiating EAP-Identity request 
May 12 05:49:56 koala charon: 13[IKE] peer supports MOBIKE 
May 12 05:49:56 koala charon: 13[IKE] authentication of 'vpn.strongswan.org' (myself) with RSA signature successful 
May 12 05:49:56 koala charon: 13[IKE] sending end entity cert "C=CH, O=strongSwan Project, CN=vpn.strongswan.org" 
May 12 05:49:56 koala charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP ] 
May 12 05:49:56 koala charon: 13[NET] sending packet: from 10.10.0.1[4500] to 10.10.0.6[4500] 
May 12 05:49:56 koala charon: 14[NET] received packet: from 10.10.0.6[4500] to 10.10.0.1[4500] 
May 12 05:49:56 koala charon: 14[ENC] parsed IKE_AUTH request 2 [ EAP ] 
May 12 05:49:56 koala charon: 14[IKE] received EAP identity 'carol' 
May 12 05:49:56 koala charon: 14[IKE] initiating EAP_MSCHAPV2 
May 12 05:49:56 koala charon: 14[ENC] generating IKE_AUTH response 2 [ EAP ] 
May 12 05:49:56 koala charon: 14[NET] sending packet: from 10.10.0.1[4500] to 10.10.0.6[4500] 
May 12 05:49:56 koala charon: 15[NET] received packet: from 10.10.0.6[4500] to 10.10.0.1[4500] 
May 12 05:49:56 koala charon: 15[ENC] parsed IKE_AUTH request 3 [ EAP ] 
May 12 05:49:56 koala charon: 15[ENC] generating IKE_AUTH response 3 [ EAP ] 
May 12 05:49:56 koala charon: 15[NET] sending packet: from 10.10.0.1[4500] to 10.10.0.6[4500] 
May 12 05:49:56 koala charon: 16[NET] received packet: from 10.10.0.6[4500] to 10.10.0.1[4500] 
May 12 05:49:56 koala charon: 16[ENC] parsed IKE_AUTH request 4 [ EAP ] 
May 12 05:49:56 koala charon: 16[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established 
May 12 05:49:56 koala charon: 16[ENC] generating IKE_AUTH response 4 [ EAP ] 
May 12 05:49:56 koala charon: 16[NET] sending packet: from 10.10.0.1[4500] to 10.10.0.6[4500] 
May 12 05:49:56 koala charon: 09[NET] received packet: from 10.10.0.6[4500] to 10.10.0.1[4500] 
May 12 05:49:56 koala charon: 09[ENC] parsed IKE_AUTH request 5 [ AUTH ] 
May 12 05:49:56 koala charon: 09[IKE] authentication of '10.10.0.6' with EAP successful 
May 12 05:49:56 koala charon: 09[IKE] authentication of 'vpn.strongswan.org' (myself) with EAP 
May 12 05:49:56 koala charon: 09[IKE] IKE_SA win7[1] established between 10.10.0.1[vpn.strongswan.org]...10.10.0.6[10.10.0.6] 
May 12 05:49:56 koala charon: 09[IKE] peer requested virtual IP %any6 
May 12 05:49:56 koala charon: 09[CFG] assigning new lease to '10.10.0.6' 
May 12 05:49:56 koala charon: 09[IKE] assigning virtual IP 10.10.3.1 to peer 
May 12 05:49:56 koala charon: 09[IKE] CHILD_SA win7{1} established with SPIs cabf4a31_i 13cad44e_o and TS 0.0.0.0/0 === 10.10.3.1/32  
May 12 05:49:56 koala charon: 09[ENC] generating IKE_AUTH response 5 [ AUTH CP SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ] 
May 12 05:49:56 koala charon: 09[NET] sending packet: from 10.10.0.1[4500] to 10.10.0.6[4500] 

As seen above, the IKE_AUTH response contains two ADD_4_ADDR notifications which tell the Windows 7 client about the additional network interfaces 10.10.1.6 and 77.56.157.148. The output of ipsec statusall on the strongSwan VPN gateway looks as follows:

Performance:
  uptime: 29 seconds, since May 12 05:49:37 2009
  worker threads: 8 idle of 16, job queue load: 0, scheduled events: 2
  loaded plugins: curl aes des sha1 sha2 md4 md5 random x509 pubkey xcbc hmac gmp kernel-netlink stroke eapidentity eapmschapv2 
Virtual IP pools (size/online/offline):
  win7: 255/1/0
Listening IP addresses:
  10.10.0.1
  10.10.1.1
  77.56.157.148
Connections:
        win7:  %any...%any, dpddelay=300s
        win7:   local:  [vpn.strongswan.org] uses public key authentication
        win7:    cert:  "C=CH, O=strongSwan Project, CN=vpn.strongswan.org" 
        win7:   remote: [%any] uses EAP_MSCHAPV2 authentication with EAP identity '%any'
        win7:   child:  0.0.0.0/0 === dynamic , dpdaction=clear
Routed Connections:
Security Associations:
        win7[1]: ESTABLISHED 10 seconds ago, 10.10.0.1[vpn.strongswan.org]...10.10.0.6[10.10.0.6]
        win7[1]: IKE SPIs: 4716d086c000c223_i abff915f8916d257_r*, rekeying disabled
        win7[1]: IKE proposal: AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024_BIT
        win7{1}:  INSTALLED, TUNNEL, ESP SPIs: cabf4a31_i 13cad44e_o
        win7{1}:  AES_CBC-256/HMAC_SHA1_96, rekeying in 10 seconds, last use: 1s_i 1s_o 
        win7{1}:   0.0.0.0/0 === 10.10.3.1/32 

The command ip xfrm state shows the corresponding IPsec Security Associations installed in the kernel.

src 10.10.0.1 dst 10.10.0.6
    proto esp spi 0x13cad44e reqid 1 mode tunnel
    replay-window 32 flag 20
    auth hmac(sha1) 0x17fb0213ee9f79599a616e46f6856cc1a2369b1c
    enc cbc(aes) 0x60dc0af06fac32cc8538ed477e7800bae9fe31148277a3b3829520326cb78457

src 10.10.0.6 dst 10.10.0.1
    proto esp spi 0xcabf4a31 reqid 1 mode tunnel
    replay-window 32 flag 20
    auth hmac(sha1) 0x917e262c292ec77dccbfbcaea0efe9b91b7b14be
    enc cbc(aes) 0xf4f71dbccd2c1b07bce4e63b4c31be4c3038ff01f2cb9ed0a3250c728a2e5411

The Windows 7 client is currently connected with the IP address 10.10.0.6 to the WLAN 10.10.0.0/24. We now connect to the LAN 10.10.1.0/24 via the LAN interface 10.10.1.6 and disconnect from the WLAN. The IKEv2 MOBIKE protocol automatically reconnects with the VPN gateway by sending an UPDATE_SA_ADDR notification and the existing IPsec tunnel gets adapted to the new IP address.

May 12 06:06:31 koala charon: 03[NET] received packet: from 10.10.1.6[4500] to 10.10.0.1[4500] 
May 12 06:06:31 koala charon: 03[ENC] parsed INFORMATIONAL request 6 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) ] 
May 12 06:06:31 koala charon: 03[ENC] generating INFORMATIONAL response 6 [ ] 
May 12 06:06:31 koala charon: 03[NET] sending packet: from 10.10.0.1[4500] to 10.10.1.6[4500] 
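Added example, not part of the strongSwan page or project: a small Python tracker that walks charon log lines in the format shown above and records, per IKE_SA, the EAP identity, the assigned virtual IP and every MOBIKE address migration, which is what an operator auditing which client moved to which address would want to extract. The line formats come from the excerpts on this page; the rule that an UPD_SA_ADDR notification is attributed to the IKE_SA only while exactly one IKE_SA is established is an assumption of this example, since charon does not name the IKE_SA on INFORMATIONAL lines.

```python
import re

# Constructed sample: a handful of lines condensed from the charon log excerpts above.
SAMPLE_LOG = """\
May 12 05:49:56 koala charon: 14[NET] received packet: from 10.10.0.6[4500] to 10.10.0.1[4500]
May 12 05:49:56 koala charon: 14[IKE] received EAP identity 'carol'
May 12 05:49:56 koala charon: 09[IKE] IKE_SA win7[1] established between 10.10.0.1[vpn.strongswan.org]...10.10.0.6[10.10.0.6]
May 12 05:49:56 koala charon: 09[IKE] assigning virtual IP 10.10.3.1 to peer
May 12 06:06:31 koala charon: 03[NET] received packet: from 10.10.1.6[4500] to 10.10.0.1[4500]
May 12 06:06:31 koala charon: 03[ENC] parsed INFORMATIONAL request 6 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) ]
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: (?P<thr>\d+)\[\w+\] (?P<msg>.*)$")
RECV_RE = re.compile(r"^received packet: from (?P<src>[0-9a-f.:]+)\[\d+\] to ")
EST_RE = re.compile(r"^IKE_SA (?P<name>\S+)\[(?P<id>\d+)\] established between \S+\.\.\.(?P<peer>[0-9a-f.:]+)\[")
EAP_RE = re.compile(r"^received EAP identity '(?P<ident>[^']*)'")
VIP_RE = re.compile(r"^assigning virtual IP (?P<vip>\S+) to peer")

def track_ike_sas(log_text):
    """Reconstruct IKE_SA records from charon log lines: peer address, EAP identity,
    virtual IP and MOBIKE migrations (old_peer, new_peer, timestamp). Returns
    (sas, unattributed); unattributed holds address updates not tied to any SA."""
    sas, unattributed, last_src, pending_identity, current = [], [], {}, None, None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, thr, msg = m.group("ts"), m.group("thr"), m.group("msg")
        if r := RECV_RE.match(msg):
            last_src[thr] = r.group("src")  # where this worker's current request came from
        elif e := EAP_RE.match(msg):
            pending_identity = e.group("ident")
        elif e := EST_RE.match(msg):
            current = {"sa": f"{e.group('name')}[{e.group('id')}]", "peer": e.group("peer"),
                       "identity": pending_identity, "vip": None, "migrations": []}
            sas.append(current)
            pending_identity = None
        elif (v := VIP_RE.match(msg)) and current:
            current["vip"] = v.group("vip")
        elif msg.startswith("parsed INFORMATIONAL request") and "N(UPD_SA_ADDR)" in msg:
            # MOBIKE address update: the new peer address is the source of the packet this
            # thread just received. charon does not name the IKE_SA here, so the event is
            # attributed only while exactly one IKE_SA exists (assumption of this example).
            new_peer = last_src.get(thr)
            if len(sas) == 1 and new_peer:
                sas[0]["migrations"].append((sas[0]["peer"], new_peer, ts))
                sas[0]["peer"] = new_peer
            else:
                unattributed.append((new_peer, ts))
    return sas, unattributed
```

Run against the full log of a gateway, the migration list gives the audit trail of every address change a peer made during one IKE_SA's lifetime, alongside the identity that authenticated it.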

ipsec statusall shows that the IPsec SA was successfully migrated from 10.10.0.6 to 10.10.1.6.

Performance:
  uptime: 17 minutes, since May 12 05:49:37 2009
  worker threads: 8 idle of 16, job queue load: 0, scheduled events: 1
  loaded plugins: curl aes des sha1 sha2 md4 md5 random x509 pubkey xcbc hmac gmp kernel-netlink stroke eapidentity eapmschapv2
Virtual IP pools (size/online/offline):
  win7: 255/1/0
Listening IP addresses:
  10.10.0.1
  10.10.1.1
  77.56.157.148
Connections:
        win7:  %any...%any, dpddelay=300s
        win7:   local:  [vpn.strongswan.org] uses public key authentication
        win7:    cert:  "C=CH, O=strongSwan Project, CN=vpn.strongswan.org" 
        win7:   remote: [%any] uses EAP_MSCHAPV2 authentication with EAP identity '%any'
        win7:   child:  0.0.0.0/0 === dynamic , dpdaction=clear
Routed Connections:
Security Associations:
        win7[1]: ESTABLISHED 16 minutes ago, 10.10.1.1[vpn.strongswan.org]...10.10.1.6[10.10.0.6]
        win7[1]: IKE SPIs: 4716d086c000c223_i abff915f8916d257_r*, rekeying disabled
        win7[1]: IKE proposal: AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024_BIT
        win7{1}:  INSTALLED, TUNNEL, ESP SPIs: cabf4a31_i 13cad44e_o
        win7{1}:  AES_CBC-256/HMAC_SHA1_96, rekeying in 16 minutes, last use: 0s_i 0s_o 
        win7{1}:   0.0.0.0/0 === 10.10.3.1/32 

This is also mirrored in the kernel, as ip xfrm state shows:

src 10.10.1.1 dst 10.10.1.6
    proto esp spi 0x13cad44e reqid 1 mode tunnel
    replay-window 32 flag 20
    auth hmac(sha1) 0x17fb0213ee9f79599a616e46f6856cc1a2369b1c
    enc cbc(aes) 0x60dc0af06fac32cc8538ed477e7800bae9fe31148277a3b3829520326cb78457

src 10.10.1.6 dst 10.10.1.1
    proto esp spi 0xcabf4a31 reqid 1 mode tunnel
    replay-window 32 flag 20
    auth hmac(sha1) 0x917e262c292ec77dccbfbcaea0efe9b91b7b14be
    enc cbc(aes) 0xf4f71dbccd2c1b07bce4e63b4c31be4c3038ff01f2cb9ed0a3250c728a2e5411