Re: [strongSwan] VPN client (l2tp) is failed to reconnect

2015-10-28 Thread Jayapal Reddy
Hi,

Any help on this, please?

-Jayapal

On Tue, Oct 27, 2015 at 12:27 PM, Jayapal Reddy wrote:

> Hi,
>
> I am using the strongSwan ipsec. I have the remote access vpn setup and
> a windows7 client behind NAT got connected successfully.
> The problem comes on restart of the ipsec device or a configuration update of
> the ipsec. After restarting my ipsec device the vpn client fails to
> reconnect. If I restart ipsec or bring down the connection it is able to reconnect.
>
> On restart or config update I am using 'ipsec down L2TP-PSK' to take down
> the existing connections.
>
> I am giving the ipsec config and logs below.
> Is this a problem with the strongSwan ipsec or a configuration issue?
>
> ipsec version:
> # ipsec --version
> Linux strongSwan U4.5.2/K3.2.0-4-amd64
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil, Switzerland
> See 'ipsec --copyright' for copyright information.
>
>
> /var/log/auth.log:
>
> Oct 27 06:45:13 r-49-QA pluto[8032]: packet from 10.147.52.104:4500:
> ignoring Vendor ID payload [Vid-Initial-Contact]
> Oct 27 06:45:13 r-49-QA pluto[8032]: packet from 10.147.52.104:4500:
> ignoring Vendor ID payload [IKE CGA version 1]
> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[1] 10.147.52.104:4500 #3:
> responding to Main Mode from unknown peer 10.147.52.104:4500
> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[1] 10.147.52.104:4500 #3:
> NAT-Traversal: Result using RFC 3947: peer is NATed
> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[1] 10.147.52.104:4500 #3:
> Peer ID is ID_IPV4_ADDR: '10.1.1.237'
> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500 #3:
> deleting connection "L2TP-PSK" instance with peer 10.147.52.104
> {isakmp=#0/ipsec=#0}
> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500 #3:
> sent MR3, ISAKMP SA established
> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500 #4:
> NAT-Traversal: received 2 NAT-OA. using first, ignoring others
> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500 #4:
> responding to Quick Mode
> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500 #4:
> IPsec SA established {ESP=>0x9bf54461 <0xce23acb0 NATOA=10.1.1.237}
>
> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
> received Vendor ID payload [MS NT5 ISAKMPOAKLEY 0008]
> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
> received Vendor ID payload [RFC 3947]
> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
> ignoring Vendor ID payload [FRAGMENTATION]
> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
> ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
> ignoring Vendor ID payload [Vid-Initial-Contact]
> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
> ignoring Vendor ID payload [IKE CGA version 1]
> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[3] 10.147.52.104 #5:
> responding to Main Mode from unknown peer 10.147.52.104
> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[3] 10.147.52.104 #5:
> NAT-Traversal: Result using RFC 3947: peer is NATed
> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[3] 10.147.52.104 #5: Peer
> ID is ID_IPV4_ADDR: '10.1.1.237'
> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104 #5:
> deleting connection "L2TP-PSK" instance with peer 10.147.52.104
> {isakmp=#0/ipsec=#0}
> Oct 27 06:47:51 r-49-QA pluto[8032]: | NAT-T: new mapping
> 10.147.52.104:500/4500)
> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
> sent MR3, ISAKMP SA established
> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #6:
> NAT-Traversal: received 2 NAT-OA. using first, ignoring others
> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #6:
> responding to Quick Mode
> *Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>  #6: cannot install eroute -- it is in use for
> "L2TP-PSK"[2] 10.147.52.104:4500  *#4
> *Oct 27 06:47:52 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>  #5: Quick Mode I1 message is unacceptable
> because it uses a previously used Message ID 0x0100 (perhaps this is a
> duplicated packet)*
> Oct 27 06:47:52 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
> sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.104:4500
> Oct 27 06:47:52 r-49-QA sshd[8410]: Accepted publickey for root from
> 169.254.0.1 port 46419 ssh2
> Oct 27 06:47:52 r-49-QA sshd[8410]: pam_unix(sshd:session): session opened
> for user root by (uid=0)
> Oct 27 06:47:53 r-49-QA sshd[8410]: pam_unix(sshd:session): 
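
An added example, not part of the thread: a small scanner for pluto log lines like the ones quoted above. It ties a "cannot install eroute" failure to the IPsec SA that the same peer established under the earlier connection instance, and also reports the reused Message ID. The sample lines are constructed after the quoted log (joined onto single lines), and the field names in the findings are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the pluto lines quoted in the thread
# (joined onto single lines; not a copy of the full log).
SAMPLE_LOG = """\
Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500 #4: IPsec SA established {ESP=>0x9bf54461 <0xce23acb0 NATOA=10.1.1.237}
Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5: sent MR3, ISAKMP SA established
Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #6: cannot install eroute -- it is in use for "L2TP-PSK"[2] 10.147.52.104:4500 #4
Oct 27 06:47:52 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x0100 (perhaps this is a duplicated packet)
"""

# pluto state line: "<conn>"[<instance>] <peer>[:port] #<sa>: <message>
PLUTO_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)')
# the instance and SA named as the blocker in a "cannot install eroute" message
EROUTE_RE = re.compile(
    r'cannot install eroute -- it is in use for "[^"]+"\[(?P<inst>\d+)\] \S+ #(?P<sa>\d+)')


def analyze_pluto_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per stale-SA symptom. Remembers the (instance, SA)
    that last established an IPsec SA per peer, so an eroute conflict can be
    attributed to that leftover SA instead of to the fresh negotiation."""
    last_ipsec_sa: Dict[str, Tuple[str, str]] = {}
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue
        peer, inst, sa, msg = m["peer"], m["inst"], m["sa"], m["msg"]
        if msg.startswith("IPsec SA established"):
            last_ipsec_sa[peer] = (inst, sa)
        elif "cannot install eroute" in msg:
            e = EROUTE_RE.search(msg)
            blocker = (e["inst"], e["sa"]) if e else None
            findings.append({
                "symptom": "stale_eroute", "peer": peer, "new_instance": inst,
                "blocking_instance": blocker[0] if blocker else None,
                "blocking_sa": blocker[1] if blocker else None,
                # True when the blocker is exactly the SA seen established earlier
                "blocker_seen_established": blocker is not None
                and blocker == last_ipsec_sa.get(peer),
            })
        elif "previously used Message ID" in msg:
            findings.append({"symptom": "reused_message_id", "peer": peer,
                             "new_instance": inst, "isakmp_sa": sa})
    return findings
```

Run over the quoted log, the first finding names instance [2] SA #4, the SA established before the restart, as the holder of the eroute that instance [4] cannot install.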

Re: [strongSwan] charon says "DH group MODP_1024 inacceptable, requesting MODP_1536"

2015-10-28 Thread Roger Skjetlein
I found out that this combination works with of the devices out there:
ike = 3des-sha1-modp1024
esp = aes256-sha1,aes192-sha1,aes128-sha1

windows 7 to 10, os x 10.11, ios 8 and 9, android...

On Wed, Oct 28, 2015 at 2:50 AM, Rayson Zhu  wrote:

> I met this issue too. I have to change my cipher suite to
> aes128-sha-1-modp1024 to connect iOS devices.
>
>
> On Tuesday, October 27, 2015, Tobias Brunner 
> wrote:
>
>> Hi Harald,
>>
>> > If I got you correctly I would have to move back to DH2, just to make
>> > the iphone users happy.
>>
>> Correct, or you use a configuration profile with DiffieHellmanGroup set
>> to one of the other groups Apple claims to support (I don't know which
>> of them actually work, though): 2 (Default), 5, 14, 15, 16, 17, or 18.
>>
>> > Do you know of any commitments from Apple to fix this?
>>
>> No idea.  I wasn't the one adding that information to the wiki.  But you
>> could report the bug to Apple to get a rough idea when it is fixed.  In
>> this case they will close your bug report and mark it as duplicate and
>> you won't get any direct status updates etc. but you can see whether the
>> original ticket is still open or not.
>>
>> Regards,
>> Tobias
>>
>> ___
>> Users mailing list
>> Users@lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>



-- 
"Over the heights the reindeer flies;
after it, in wind and wet! -
Better that than breaking the stone
up out of the poor soil down there!"

Re: [strongSwan] charon says "DH group MODP_1024 inacceptable, requesting MODP_1536"

2015-10-28 Thread Dirk Hartmann

--On Wednesday, October 28, 2015 05:18:28 PM +0800 Rayson Zhu wrote:

> yes, but only if you don't use high encryption.
> so sad.
>
> On Wed, Oct 28, 2015 at 4:56 PM, Roger Skjetlein wrote:
>
>> I found out that this combination works with of the devices out there:
>> ike = 3des-sha1-modp1024
>> esp = aes256-sha1,aes192-sha1,aes128-sha1

ike=aes256-sha2_512-modp2048,aes256-sha1-modp1024
esp=aes256-sha2_512,aes256-sha1,aes128-sha1

should work too but you still would have the dangerous modp1024 for
Win7 etc.

>> windows 7 to 10, os x 10.11, ios 8 and 9, android...
>>
>> On Wed, Oct 28, 2015 at 2:50 AM, Rayson Zhu wrote:
>>
>>> I met this issue too. I have to change my cipher suite to
>>> aes128-sha-1-modp1024 to connect iOS devices.
>>>
>>> On Tuesday, October 27, 2015, Tobias Brunner wrote:
>>>
>>>> Hi Harald,
>>>>
>>>> > If I got you correctly I would have to move back to DH2, just to
>>>> > make the iphone users happy.
>>>>
>>>> Correct, or you use a configuration profile with
>>>> DiffieHellmanGroup set to one of the other groups Apple claims to
>>>> support (I don't know which of them actually work, though): 2
>>>> (Default), 5, 14, 15, 16, 17, or 18.
>>>>
>>>> > Do you know of any commitments from Apple to fix this?
>>>>
>>>> No idea.  I wasn't the one adding that information to the wiki.
>>>> But you could report the bug to Apple to get a rough idea when it
>>>> is fixed.  In this case they will close your bug report and mark
>>>> it as duplicate and you won't get any direct status updates etc.
>>>> but you can see whether the original ticket is still open or not.

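An added example, not from the thread, that parses ike=/esp= proposal lists in the strongSwan syntax used in the messages above and reports every proposal that still allows a weak component (the modp1024 the thread calls dangerous, and the 3des in the compatibility line). The weak-component list and its labels are this example's own choice, and the ipsec.conf fragment is constructed from the proposals quoted above.

```python
import re
from typing import Dict, List

# Components this example flags; the labels are its own, not strongSwan's.
WEAK_COMPONENTS = {
    "modp1024": "DH group 2 (1024-bit MODP)",
    "modp768": "DH group 1 (768-bit MODP)",
    "3des": "3DES (64-bit block cipher)",
    "md5": "MD5 integrity",
}

# Constructed ipsec.conf fragment using the proposals quoted in the thread.
SAMPLE_CONF = """\
conn l2tp-compat
    ike=aes256-sha2_512-modp2048,aes256-sha1-modp1024
    esp=aes256-sha2_512,aes256-sha1,aes128-sha1
"""


def parse_proposals(value: str) -> List[List[str]]:
    """Split a strongSwan proposal list into its components.

    Proposals are separated by ',' and components by '-'; a trailing '!'
    (strict mode) is a flag, not a component, and is dropped.
    """
    value = value.strip().rstrip("!")
    return [p.split("-") for p in value.split(",") if p]


def weak_components(proposal: List[str]) -> List[str]:
    """Return the flagged components of one proposal, in order."""
    return [c for c in proposal if c.lower() in WEAK_COMPONENTS]


def audit_conf(text: str) -> Dict[str, List[str]]:
    """Map 'ike'/'esp' to one line per proposal that still allows a weak
    component. A key is absent when every proposal for it is clean."""
    report: Dict[str, List[str]] = {}
    for m in re.finditer(r"^\s*(ike|esp)\s*=\s*(\S+)", text, re.MULTILINE):
        key, value = m.group(1), m.group(2)
        for prop in parse_proposals(value):
            weak = weak_components(prop)
            if weak:
                reasons = "; ".join(f"{c}: {WEAK_COMPONENTS[c.lower()]}" for c in weak)
                report.setdefault(key, []).append(f"{'-'.join(prop)} -> {reasons}")
    return report
```

As the message above notes, listing a strong proposal first does not remove the weaker one for clients that only offer it, which is why the audit reports any proposal that still permits modp1024 rather than only the first in the list.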

Re: [strongSwan] charon says "DH group MODP_1024 inacceptable, requesting MODP_1536"

2015-10-28 Thread Rayson Zhu
yes, but only if you don't use high encryption.
so sad.

On Wed, Oct 28, 2015 at 4:56 PM, Roger Skjetlein 
wrote:

> I found out that this combination works with of the devices out there:
> ike = 3des-sha1-modp1024
> esp = aes256-sha1,aes192-sha1,aes128-sha1
>
> windows 7 to 10, os x 10.11, ios 8 and 9, android...
>
> On Wed, Oct 28, 2015 at 2:50 AM, Rayson Zhu  wrote:
>
>> I met this issue too. I have to change my cipher suite to
>> aes128-sha-1-modp1024 to connect iOS devices.
>>
>>
>> On Tuesday, October 27, 2015, Tobias Brunner 
>> wrote:
>>
>>> Hi Harald,
>>>
>>> > If I got you correctly I would have to move back to DH2, just to make
>>> > the iphone users happy.
>>>
>>> Correct, or you use a configuration profile with DiffieHellmanGroup set
>>> to one of the other groups Apple claims to support (I don't know which
>>> of them actually work, though): 2 (Default), 5, 14, 15, 16, 17, or 18.
>>>
>>> > Do you know of any commitments from Apple to fix this?
>>>
>>> No idea.  I wasn't the one adding that information to the wiki.  But you
>>> could report the bug to Apple to get a rough idea when it is fixed.  In
>>> this case they will close your bug report and mark it as duplicate and
>>> you won't get any direct status updates etc. but you can see whether the
>>> original ticket is still open or not.
>>>
>>> Regards,
>>> Tobias
>>>
>

[strongSwan] show issuer for "no trusted RSA public key found for 'peer.example.com'" in the log file?

2015-10-28 Thread Harald Dunkel
Hi folks,

AFAIK a log file message like

no trusted RSA public key found for 'peer.example.com'

means that the issuer for peer's certificate is not trusted.
Wouldn't it be helpful if the issuer of the "bad" certificate
were shown in the log file as well?


Just a suggestion, of course. Regards
Harri