Re: [strongSwan] StrongSwan and EAP (FreeRadius)
I have changed both configs to 127.0.0.1 and restarted both StrongSwan and FreeRadius but I got the same error message. Then I changed them both to 0.0.0.0 and restarted both servers, and I still get the same error message.

Any idea what this could be?

On Wed, Nov 15, 2017 at 9:01 AM, Michael Schwartzkopff wrote:

> On 15.11.2017 at 09:58, Houman wrote:
> > Hello Michael,
> >
> > Thanks for your reply. Indeed I should have checked the radius log. It seems the shared secret is incorrect, but they do match in the configs as pasted below.
> > Where else could the secret have been used that I have missed? Thanks
> >
> > *vim /var/log/freeradius/radius.log*
> >
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Attempting to connect to database "radius"
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: Need 5 more connections to reach 10 spares
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server
> > Wed Nov 15 08:49:50 2017 : Warning: Ignoring "ldap" (see raddb/mods-available/README.rst)
> > Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server default
> > Wed Nov 15 08:49:50 2017 : Info: # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:331
> > Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server inner-tunnel
> > Wed Nov 15 08:49:50 2017 : Info: Ready to process requests
> > Wed Nov 15 08:49:57 2017 : Info: Dropping packet without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.)
> >
> > *vim /etc/strongswan.conf*
> >
> > charon {
> >     load_modular = yes
> >     compress = yes
> >     plugins {
> >         include strongswan.d/charon/*.conf
> >         eap-radius {
> >             servers {
> >                 server-a {
> >                     accounting = yes
> >                     secret = 123456
> >                     address = 127.0.0.1
> >                     auth_port = 1812
> >                     acct_port = 1813
> >                 }
> >             }
> >         }
> >     }
> >     include strongswan.d/*.conf
> > }
> >
> > *vim /etc/freeradius/clients.conf*
> >
> > client 0.0.0.0 {
> >     secret = 123456
> >     nas_type = other
> >     shortname = 0.0.0.0
> >     require_message_authenticator = no
> > }
> >
> > On Wed, Nov 15, 2017 at 7:55 AM, Michael Schwartzkopff wrote:
> >
> >> On 15.11.2017 at 08:24, Houman wrote:
> >>> Hi,
> >>>
> >>> I'm new to the concept of EAP and might be misunderstanding something. Apologies up front.
> >>>
> >>> I have finally been able to install FreeRadius and enable the SQL module. I have created a user in the database and was hoping to establish a VPN connection via that user.
> >>>
> >>> INSERT INTO radcheck (username,attribute,op,VALUE) VALUES ('houman','Cleartext-Password',':=','test123');
> >>>
> >>> When I try to connect from my MacBook into the StrongSwan server I get this log. It looks promising but eventually, it says initiating EAP_RADIUS method failed.
> >>>
> >>> I'm not quite sure if this has failed due to a bad configuration on my side or it is for other reasons that I don't quite understand how EAP should work.
> >>>
> >>> Please be so kind and advise,
> >>> Thanks,
> >>> Houman
> >>>
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is initiating an IKE_SA
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT, sending keep alives
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
> >>> Nov 15 07:13:21
Re: [strongSwan] StrongSwan and EAP (FreeRadius)
On 15.11.2017 at 09:58, Houman wrote:

> Hello Michael,
>
> Thanks for your reply. Indeed I should have checked the radius log. It seems the shared secret is incorrect, but they do match in the configs as pasted below.
> Where else could the secret have been used that I have missed? Thanks
>
> *vim /var/log/freeradius/radius.log*
>
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Attempting to connect to database "radius"
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: Need 5 more connections to reach 10 spares
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server
> Wed Nov 15 08:49:50 2017 : Warning: Ignoring "ldap" (see raddb/mods-available/README.rst)
> Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server default
> Wed Nov 15 08:49:50 2017 : Info: # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:331
> Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server inner-tunnel
> Wed Nov 15 08:49:50 2017 : Info: Ready to process requests
> Wed Nov 15 08:49:57 2017 : Info: Dropping packet without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.)
>
> *vim /etc/strongswan.conf*
>
> charon {
>     load_modular = yes
>     compress = yes
>     plugins {
>         include strongswan.d/charon/*.conf
>         eap-radius {
>             servers {
>                 server-a {
>                     accounting = yes
>                     secret = 123456
>                     address = 127.0.0.1
>                     auth_port = 1812
>                     acct_port = 1813
>                 }
>             }
>         }
>     }
>     include strongswan.d/*.conf
> }
>
> *vim /etc/freeradius/clients.conf*
>
> client 0.0.0.0 {
>     secret = 123456
>     nas_type = other
>     shortname = 0.0.0.0
>     require_message_authenticator = no
> }
>
> On Wed, Nov 15, 2017 at 7:55 AM, Michael Schwartzkopff wrote:
>
>> On 15.11.2017 at 08:24, Houman wrote:
>>> Hi,
>>>
>>> I'm new to the concept of EAP and might be misunderstanding something. Apologies up front.
>>>
>>> I have finally been able to install FreeRadius and enable the SQL module. I have created a user in the database and was hoping to establish a VPN connection via that user.
>>>
>>> INSERT INTO radcheck (username,attribute,op,VALUE) VALUES ('houman','Cleartext-Password',':=','test123');
>>>
>>> When I try to connect from my MacBook into the StrongSwan server I get this log. It looks promising but eventually, it says initiating EAP_RADIUS method failed.
>>>
>>> I'm not quite sure if this has failed due to a bad configuration on my side or it is for other reasons that I don't quite understand how EAP should work.
>>>
>>> Please be so kind and advise,
>>> Thanks,
>>> Houman
>>>
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is initiating an IKE_SA
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT, sending keep alives
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from 172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from 88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type (25)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>>> Nov 15 07:13:21 ip-172-31-9-51
Re: [strongSwan] StrongSwan and EAP (FreeRadius)
Hello Michael,

Thanks for your reply. Indeed I should have checked the radius log. It seems the shared secret is incorrect, but they do match in the configs as pasted below.
Where else could the secret have been used that I have missed? Thanks

*vim /var/log/freeradius/radius.log*

Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Attempting to connect to database "radius"
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
Wed Nov 15 08:49:50 2017 : Info: Need 5 more connections to reach 10 spares
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server
Wed Nov 15 08:49:50 2017 : Warning: Ignoring "ldap" (see raddb/mods-available/README.rst)
Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server default
Wed Nov 15 08:49:50 2017 : Info: # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:331
Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server inner-tunnel
Wed Nov 15 08:49:50 2017 : Info: Ready to process requests
Wed Nov 15 08:49:57 2017 : Info: Dropping packet without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.)

*vim /etc/strongswan.conf*

charon {
    load_modular = yes
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
        eap-radius {
            servers {
                server-a {
                    accounting = yes
                    secret = 123456
                    address = 127.0.0.1
                    auth_port = 1812
                    acct_port = 1813
                }
            }
        }
    }
    include strongswan.d/*.conf
}

*vim /etc/freeradius/clients.conf*

client 0.0.0.0 {
    secret = 123456
    nas_type = other
    shortname = 0.0.0.0
    require_message_authenticator = no
}

On Wed, Nov 15, 2017 at 7:55 AM, Michael Schwartzkopff wrote:

> On 15.11.2017 at 08:24, Houman wrote:
> > Hi,
> >
> > I'm new to the concept of EAP and might be misunderstanding something. Apologies up front.
> >
> > I have finally been able to install FreeRadius and enable the SQL module. I have created a user in the database and was hoping to establish a VPN connection via that user.
> >
> > INSERT INTO radcheck (username,attribute,op,VALUE) VALUES ('houman','Cleartext-Password',':=','test123');
> >
> > When I try to connect from my MacBook into the StrongSwan server I get this log. It looks promising but eventually, it says initiating EAP_RADIUS method failed.
> >
> > I'm not quite sure if this has failed due to a bad configuration on my side or it is for other reasons that I don't quite understand how EAP should work.
> >
> > Please be so kind and advise,
> > Thanks,
> > Houman
> >
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is initiating an IKE_SA
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT, sending keep alives
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from 172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from 88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type (25)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] looking for peer configs matching 172.31.9.51[vpn2.t.com]...88.98.201.107[vpn2.t.com]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] selected peer config
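The check behind the "invalid Message-Authenticator" line in the radius.log excerpt above, as an added example that is not part of the thread or of either project's code: per RFC 3579 the value is HMAC-MD5 over the whole Access-Request keyed with the shared secret, so a request signed with one secret is dropped by a server that verifies with another. Function names are hypothetical and the packet is constructed; the secret and identity are the ones posted in the thread.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def eap_identity_response(identity: bytes, eap_id: int = 0) -> bytes:
    """EAP-Response/Identity: Code=2, Identifier, Length, Type=1, identity."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity


def build_access_request(secret: bytes, username: bytes, eap: bytes,
                         request_authenticator: bytes, ident: int = 1) -> bytes:
    """Sender side (the NAS): sign the request with its configured secret."""
    attrs = (attribute(USER_NAME, username) + attribute(EAP_MESSAGE, eap)
             + attribute(MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet = bytearray(header + request_authenticator + attrs)
    # HMAC-MD5 over the whole packet with the placeholder still zeroed.
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def locate_message_authenticator(packet: bytes) -> int:
    """Return the offset of the 16-byte value, or -1 if the attribute is absent."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 18 octets")
            return pos + 2
        pos += attr_len
    return -1


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Receiver side: recompute with the secret held for the sending client."""
    offset = locate_message_authenticator(packet)
    if offset < 0:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    received = packet[offset:offset + 16]
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


# Constructed sample: identity and secret as posted in the thread, fixed nonce.
SAMPLE = build_access_request(b"123456", b"houman",
                              eap_identity_response(b"houman"),
                              request_authenticator=bytes(range(16)))

if __name__ == "__main__":
    print("same secret:     ", verify_message_authenticator(SAMPLE, b"123456"))
    print("different secret:", verify_message_authenticator(SAMPLE, b"not-the-secret"))
```

A mismatch here is indistinguishable from a tampered packet, which is why the server drops the request without a response and the sender only sees retransmit timeouts.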
Re: [strongSwan] StrongSwan and EAP (FreeRadius)
On 15.11.2017 at 08:24, Houman wrote:

> Hi,
>
> I'm new to the concept of EAP and might be misunderstanding something. Apologies up front.
>
> I have finally been able to install FreeRadius and enable the SQL module. I have created a user in the database and was hoping to establish a VPN connection via that user.
>
> INSERT INTO radcheck (username,attribute,op,VALUE) VALUES ('houman','Cleartext-Password',':=','test123');
>
> When I try to connect from my MacBook into the StrongSwan server I get this log. It looks promising but eventually, it says initiating EAP_RADIUS method failed.
>
> I'm not quite sure if this has failed due to a bad configuration on my side or it is for other reasons that I don't quite understand how EAP should work.
>
> Please be so kind and advise,
> Thanks,
> Houman
>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is initiating an IKE_SA
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT, sending keep alives
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from 172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from 88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type (25)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] looking for peer configs matching 172.31.9.51[vpn2.t.com]...88.98.201.107[vpn2.t.com]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] selected peer config 'roadwarrior'
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] peer supports MOBIKE
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] authentication of 'vpn2.t.com' (myself) with RSA signature successful
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending end entity cert "CN= vpn2.t.com"
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] splitting IKE message with length of 3334 bytes into 7 fragments
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(1/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(2/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(3/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(4/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(5/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(6/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(7/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: message repeated 5 times: [ 14[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (440 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[NET] received packet: from 88.98.201.107[51248] to 172.31.9.51[4500] (80 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[IKE] received EAP identity 'houman'
> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[CFG] sending RADIUS Access-Request to server 'server-a'
> Nov 15 07:13:23 ip-172-31-9-51 charon: 15[CFG] retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
> Nov 15 07:13:24 ip-172-31-9-51 charon: 06[MGR] ignoring request with ID 2, already processing
> Nov 15 07:13:26 ip-172-31-9-51 charon: 15[CFG] retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
> Nov 15 07:13:27 ip-172-31-9-51 charon: 05[MGR] ignoring request with ID 2, already processing
> Nov 15
[strongSwan] StrongSwan and EAP (FreeRadius)
Hi,

I'm new to the concept of EAP and might be misunderstanding something. Apologies up front.

I have finally been able to install FreeRadius and enable the SQL module. I have created a user in the database and was hoping to establish a VPN connection via that user.

INSERT INTO radcheck (username,attribute,op,VALUE) VALUES ('houman','Cleartext-Password',':=','test123');

When I try to connect from my MacBook into the StrongSwan server I get this log. It looks promising but eventually, it says initiating EAP_RADIUS method failed.

I'm not quite sure if this has failed due to a bad configuration on my side or it is for other reasons that I don't quite understand how EAP should work.

Please be so kind and advise,
Thanks,
Houman

Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is initiating an IKE_SA
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT, sending keep alives
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from 172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from 88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type (25)
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] looking for peer configs matching 172.31.9.51[vpn2.t.com]...88.98.201.107[vpn2.t.com]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] selected peer config 'roadwarrior'
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] peer supports MOBIKE
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] authentication of 'vpn2.t.com' (myself) with RSA signature successful
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending end entity cert "CN= vpn2.t.com"
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] splitting IKE message with length of 3334 bytes into 7 fragments
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(1/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(2/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(3/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(4/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(5/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(6/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(7/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: message repeated 5 times: [ 14[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (440 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[NET] received packet: from 88.98.201.107[51248] to 172.31.9.51[4500] (80 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[IKE] received EAP identity 'houman'
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[CFG] sending RADIUS Access-Request to server 'server-a'
Nov 15 07:13:23 ip-172-31-9-51 charon: 15[CFG] retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
Nov 15 07:13:24 ip-172-31-9-51 charon: 06[MGR] ignoring request with ID 2, already processing
Nov 15 07:13:26 ip-172-31-9-51 charon: 15[CFG] retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
Nov 15 07:13:27 ip-172-31-9-51 charon: 05[MGR] ignoring request with ID 2, already processing
Nov 15 07:13:30 ip-172-31-9-51 charon: 15[CFG] retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
Nov 15 07:13:30 ip-172-31-9-51 charon: 04[MGR] ignoring request with ID 2, already processing
Nov 15 07:13:35 ip-172-31-9-51 charon: