I collected more information using plutodebug=tmi
Jul 22 22:57:17.604354: | spent 0 (0.00387) milliseconds in udp_read_packet() calling check_incoming_msg_errqueue()
Jul 22 22:57:17.604463: | newref struct msg_digest@0xaaab12db4748(0->1) (udp_read_packet() +249 /programs/pluto/iface_udp.c)
Jul 22 22:57:17.604478: | addref struct iface_endpoint@0xaaab12db2218(1->2) (udp_read_packet() +249 /programs/pluto/iface_udp.c)
Jul 22 22:57:17.604484: | newref alloc logger@0xaaab12db1b08(0->1) (udp_read_packet() +249 /programs/pluto/iface_udp.c)
Jul 22 22:57:17.604493: | *received 604 bytes from 114.246.198.250:500 on eth1 172.31.2.1:500 using UDP
Jul 22 22:57:17.604674: | **parse ISAKMP Message:
Jul 22 22:57:17.604681: | initiator SPI: 8d 17 53 51 9c da 09 e3
Jul 22 22:57:17.604686: | responder SPI: 00 00 00 00 00 00 00 00
Jul 22 22:57:17.604691: | next payload type: ISAKMP_NEXT_v2SA (0x21)
Jul 22 22:57:17.604695: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
Jul 22 22:57:17.604699: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22)
Jul 22 22:57:17.604704: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
Jul 22 22:57:17.604709: | Message ID: 0 (00 00 00 00)
Jul 22 22:57:17.604714: | length: 604 (00 00 02 5c)
Jul 22 22:57:17.604719: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34)
Jul 22 22:57:17.604724: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request
Jul 22 22:57:17.604730: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi)
Jul 22 22:57:17.604735: | Now let's proceed with payload (ISAKMP_NEXT_v2SA)
Jul 22 22:57:17.604740: | ***parse IKEv2 Security Association Payload:
Jul 22 22:57:17.604744: | next payload type: ISAKMP_NEXT_v2KE (0x22)
Jul 22 22:57:17.604748: | flags: none (0x0)
Jul 22 22:57:17.604752: | length: 220 (00 dc)
Jul 22 22:57:17.604756: | processing payload: ISAKMP_NEXT_v2SA (len=216)
Jul 22 22:57:17.604760: | Now let's proceed with payload (ISAKMP_NEXT_v2KE)
Jul 22 22:57:17.604765: | ***parse IKEv2 Key Exchange Payload:
Jul 22 22:57:17.604769: | next payload type: ISAKMP_NEXT_v2Ni (0x28)
Jul 22 22:57:17.604773: | flags: none (0x0)
Jul 22 22:57:17.604777: | length: 264 (01 08)
Jul 22 22:57:17.604781: | DH group: OAKLEY_GROUP_MODP2048 (0xe)
Jul 22 22:57:17.604785: | processing payload: ISAKMP_NEXT_v2KE (len=256)
Jul 22 22:57:17.604789: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni)
Jul 22 22:57:17.604798: | ***parse IKEv2 Nonce Payload:
Jul 22 22:57:17.604803: | next payload type: ISAKMP_NEXT_v2N (0x29)
Jul 22 22:57:17.604807: | flags: none (0x0)
Jul 22 22:57:17.604812: | length: 20 (00 14)
Jul 22 22:57:17.604816: | processing payload: ISAKMP_NEXT_v2Ni (len=16)
Jul 22 22:57:17.604820: | Now let's proceed with payload (ISAKMP_NEXT_v2N)
Jul 22 22:57:17.604824: | ***parse IKEv2 Notify Payload:
Jul 22 22:57:17.604828: | next payload type: ISAKMP_NEXT_v2N (0x29)
Jul 22 22:57:17.604832: | flags: none (0x0)
Jul 22 22:57:17.604837: | length: 8 (00 08)
Jul 22 22:57:17.604841: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0)
Jul 22 22:57:17.604845: | SPI size: 0 (00)
Jul 22 22:57:17.604850: | Notify Message Type: v2N_REDIRECT_SUPPORTED (0x4016)
Jul 22 22:57:17.604854: | processing payload: ISAKMP_NEXT_v2N (len=0)
Jul 22 22:57:17.604859: | status notification v2N_REDIRECT_SUPPORTED saved
Jul 22 22:57:17.604863: | Now let's proceed with payload (ISAKMP_NEXT_v2N)
Jul 22 22:57:17.604867: | ***parse IKEv2 Notify Payload:
Jul 22 22:57:17.604871: | next payload type: ISAKMP_NEXT_v2N (0x29)
Jul 22 22:57:17.604875: | flags: none (0x0)
Jul 22 22:57:17.604879: | length: 28 (00 1c)
Jul 22 22:57:17.604883: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0)
Jul 22 22:57:17.604887: | SPI size: 0 (00)
Jul 22 22:57:17.604892: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004)
Jul 22 22:57:17.604896: | processing payload: ISAKMP_NEXT_v2N (len=20)
Jul 22 22:57:17.604900: | status notification v2N_NAT_DETECTION_SOURCE_IP saved
Jul 22 22:57:17.604904: | Now let's proceed with payload (ISAKMP_NEXT_v2N)
Jul 22 22:57:17.604908: | ***parse IKEv2 Notify Payload:
Jul 22 22:57:17.604912: | next payload type: ISAKMP_NEXT_v2N (0x29)
Jul 22 22:57:17.604916: | flags: none (0x0)
Jul 22 22:57:17.604920: | length: 28 (00 1c)
Jul 22 22:57:17.604924: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0)
Jul 22 22:57:17.604928: | SPI size: 0 (00)
Jul 22 22:57:17.604932: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
Jul 22 22:57:17.604937: | processing payload: ISAKMP_NEXT_v2N (len=20)
Jul 22 22:57:17.604940: | status notification v2N_NAT_DETECTION_DESTINATION_IP saved
Jul 22 22:57:17.604944: | Now let's proceed with payload (ISAKMP_NEXT_v2N)
Jul 22 22:57:17.604948: | ***parse IKEv2 Notify Payload:
Jul 22 22:57:17.604953: | next payload type: ISAKMP_NEXT_v2NONE (0x0)
Jul 22 22:57:17.604957: | flags: none (0x0)
Jul 22 22:57:17.604961: | length: 8 (00 08)
Jul 22 22:57:17.604965: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0)
Jul 22 22:57:17.604969: | SPI size: 0 (00)
Jul 22 22:57:17.604973: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e)
Jul 22 22:57:17.604977: | processing payload: ISAKMP_NEXT_v2N (len=0)
Jul 22 22:57:17.604981: | status notification v2N_IKEV2_FRAGMENTATION_SUPPORTED saved
Jul 22 22:57:17.604986: | DDOS disabled and no cookie sent, continuing
Jul 22 22:57:17.604993: | looking for transition from PARENT_R0 matching IKE_SA_INIT request: SA,KE,Ni,N(REDIRECT_SUPPORTED),N(NAT_DETECTION_SOURCE_IP),N(NAT_DETECTION_DESTINATION_IP),N(IKEV2_FRAGMENTATION_SUPPORTED)
Jul 22 22:57:17.604997: | trying: Respond to IKE_SA_INIT
Jul 22 22:57:17.605002: | unsecured message matched
Jul 22 22:57:17.605009: | ikev2_find_host_connection() 114.246.198.250->172.31.2.1 remote_authby=ECDSA
Jul 22 22:57:17.605015: | FOR_EACH_HOST_PAIR_CONNECTION(114.246.198.250->172.31.2.1) in (ikev2_find_host_connection() +126 /programs/pluto/ikev2_host_pair.c)
Jul 22 22:57:17.605021: | FOR_EACH_HOST_PAIR_CONNECTION(<unset-address>->172.31.2.1) in (ikev2_find_host_connection() +181 /programs/pluto/ikev2_host_pair.c)
Jul 22 22:57:17.605027: | ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no connection has been authorized with policy ECDSA
Jul 22 22:57:17.605032: | ikev2_find_host_connection() 114.246.198.250->172.31.2.1 remote_authby=RSASIG
Jul 22 22:57:17.605037: | FOR_EACH_HOST_PAIR_CONNECTION(114.246.198.250->172.31.2.1) in (ikev2_find_host_connection() +126 /programs/pluto/ikev2_host_pair.c)
Jul 22 22:57:17.605047: | FOR_EACH_HOST_PAIR_CONNECTION(<unset-address>->172.31.2.1) in (ikev2_find_host_connection() +181 /programs/pluto/ikev2_host_pair.c)
Jul 22 22:57:17.605052: | ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no connection has been authorized with policy RSASIG
Jul 22 22:57:17.605058: | ikev2_find_host_connection() 114.246.198.250->172.31.2.1 remote_authby=RSASIG_v1_5
Jul 22 22:57:17.605063: | FOR_EACH_HOST_PAIR_CONNECTION(114.246.198.250->172.31.2.1) in (ikev2_find_host_connection() +126 /programs/pluto/ikev2_host_pair.c)
Jul 22 22:57:17.605068: | FOR_EACH_HOST_PAIR_CONNECTION(<unset-address>->172.31.2.1) in (ikev2_find_host_connection() +181 /programs/pluto/ikev2_host_pair.c)
Jul 22 22:57:17.605073: | ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no connection has been authorized with policy RSASIG_v1_5
Jul 22 22:57:17.605079: | ikev2_find_host_connection() 114.246.198.250->172.31.2.1 remote_authby=PSK
Jul 22 22:57:17.605084: | FOR_EACH_HOST_PAIR_CONNECTION(114.246.198.250->172.31.2.1) in (ikev2_find_host_connection() +126 /programs/pluto/ikev2_host_pair.c)
Jul 22 22:57:17.605089: | FOR_EACH_HOST_PAIR_CONNECTION(<unset-address>->172.31.2.1) in (ikev2_find_host_connection() +181 /programs/pluto/ikev2_host_pair.c)
Jul 22 22:57:17.605094: | ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no connection has been authorized with policy PSK
Jul 22 22:57:17.605099: | ikev2_find_host_connection() 114.246.198.250->172.31.2.1 remote_authby=AUTH_NULL
Jul 22 22:57:17.605104: | FOR_EACH_HOST_PAIR_CONNECTION(114.246.198.250->172.31.2.1) in (ikev2_find_host_connection() +126 /programs/pluto/ikev2_host_pair.c)
Jul 22 22:57:17.605109: | FOR_EACH_HOST_PAIR_CONNECTION(<unset-address>->172.31.2.1) in (ikev2_find_host_connection() +181 /programs/pluto/ikev2_host_pair.c)
Jul 22 22:57:17.605114: | ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no connection has been authorized with policy AUTH_NULL
Jul 22 22:57:17.605121: packet from 114.246.198.250:500: ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy
Jul 22 22:57:17.605128: packet from 114.246.198.250:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 22 22:57:17.605132: | opening output PBS unencrypted notification response
Jul 22 22:57:17.605137: | **emit ISAKMP Message:
Jul 22 22:57:17.605142: | initiator SPI: 8d 17 53 51 9c da 09 e3
Jul 22 22:57:17.605147: | responder SPI: 00 00 00 00 00 00 00 00
Jul 22 22:57:17.605152: | next payload type: ISAKMP_NEXT_NONE (0x0)
Jul 22 22:57:17.605156: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
Jul 22 22:57:17.605160: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22)
Jul 22 22:57:17.605164: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
Jul 22 22:57:17.605169: | Message ID: 0 (00 00 00 00)
Jul 22 22:57:17.605173: | out_struct: 0 initiator SPI
Jul 22 22:57:17.605177: | out_struct: 8 responder SPI
Jul 22 22:57:17.605199: | out_struct: 16 next payload type
Jul 22 22:57:17.605203: | next payload chain: saving message location 'ISAKMP Message'.'next payload type'
Jul 22 22:57:17.605207: | out_struct: 17 ISAKMP version
Jul 22 22:57:17.605211: | out_struct: 18 exchange type
Jul 22 22:57:17.605215: | out_struct: 19 flags
Jul 22 22:57:17.605219: | out_struct: 20 Message ID
Jul 22 22:57:17.605223: | out_struct: 24 length
Jul 22 22:57:17.605228: | out_struct: 28 <end>
Jul 22 22:57:17.605232: | adding a v2N Payload
Jul 22 22:57:17.605236: | ***emit IKEv2 Notify Payload:
Jul 22 22:57:17.605240: | next payload type: ISAKMP_NEXT_v2NONE (0x0)
Jul 22 22:57:17.605244: | flags: none (0x0)
Jul 22 22:57:17.605248: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0)
Jul 22 22:57:17.605253: | SPI size: 0 (00)
Jul 22 22:57:17.605257: | Notify Message Type: v2N_NO_PROPOSAL_CHOSEN (0xe)
Jul 22 22:57:17.605261: | out_struct: 0 next payload type
Jul 22 22:57:17.605265: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
Jul 22 22:57:17.605275: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'unencrypted notification response'
Jul 22 22:57:17.605279: | out_struct: 1 flags
Jul 22 22:57:17.605283: | out_struct: 2 length
Jul 22 22:57:17.605287: | out_struct: 4 Protocol ID
Jul 22 22:57:17.605291: | out_struct: 5 SPI size
Jul 22 22:57:17.605295: | out_struct: 6 Notify Message Type
Jul 22 22:57:17.605299: | out_struct: 8 <end>
Jul 22 22:57:17.605304: | emitting 0 raw bytes of Notify data into IKEv2 Notify Payload
Jul 22 22:57:17.605308: | Notify data:
Jul 22 22:57:17.605312: | emitting length of IKEv2 Notify Payload: 8
Jul 22 22:57:17.605317: | emitting length of ISAKMP Message: 36
Jul 22 22:57:17.605324: | sending 36 bytes for v2 notify through eth1 from 172.31.2.1:500 to 114.246.198.250:500 using UDP (for #0)
Jul 22 22:57:17.605328: | 8d 17 53 51 9c da 09 e3 00 00 00 00 00 00 00 00  ..SQ............
Jul 22 22:57:17.605332: | 29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08  ) " .......$....
Jul 22 22:57:17.605336: | 00 00 00 0e  ....
Jul 22 22:57:17.605365: | delref struct msg_digest@0xaaab12db4748(1->0) (process_iface_packet() +295 /programs/pluto/demux.c)
Jul 22 22:57:17.605372: | releasing whack fd@(nil) for (process_iface_packet() +295 /programs/pluto/demux.c)
Jul 22 22:57:17.605377: | delref fd@NULL (process_iface_packet() +295 /programs/pluto/demux.c)
Jul 22 22:57:17.605385: | delref fd@NULL (process_iface_packet() +295 /programs/pluto/demux.c)
Jul 22 22:57:17.605390: | delref logger@0xaaab12db1b08(1->0) (process_iface_packet() +295 /programs/pluto/demux.c)
Jul 22 22:57:17.605395: | delref struct iface_endpoint@0xaaab12db2218(2->1) (process_iface_packet() +295 /programs/pluto/demux.c)
Jul 22 22:57:17.605403: | spent 1.01 (1.06) milliseconds in process_iface_packet() reading and processing packet

> On Jul 23, 2023, at 6:49 AM, Heting Wang <[email protected]> wrote:
>
> Hello,
>
> It’s listening, I tried "ipsec whack --listen" many times but it’s still the same:
>
> Jul 22 22:38:36.582586: "cert": added IKEv2 connection
> Jul 22 22:38:36.582671: listening for IKE messages
> Jul 22 22:38:36.582748: Kernel supports NIC esp-hw-offload
> Jul 22 22:38:36.582865: adding UDP interface docker0 172.17.0.1:500
> Jul 22 22:38:36.583132: adding UDP interface docker0 172.17.0.1:4500
> Jul 22 22:38:36.583173: adding UDP interface eth1 172.31.2.1:500
> Jul 22 22:38:36.583197: adding UDP interface eth1 172.31.2.1:4500
> Jul 22 22:38:36.583223: adding UDP interface eth0 172.31.1.1:500
> Jul 22 22:38:36.583247: adding UDP interface eth0 172.31.1.1:4500
> Jul 22 22:38:36.583270: adding UDP interface lo 127.0.0.1:500
> Jul 22 22:38:36.583295: adding UDP interface lo 127.0.0.1:4500
> Jul 22 22:38:36.583324: adding UDP interface lo [::1]:500
> Jul 22 22:38:36.583352: adding UDP interface lo [::1]:4500
> Jul 22 22:38:36.583378: adding UDP interface eth0 [2406:da14:5db:f400::e60]:500
> Jul 22 22:38:36.583401: adding UDP interface eth0 [2406:da14:5db:f400::e60]:4500
> Jul 22 22:38:36.583423: adding UDP interface eth0 [2406:da14:5db:f400:abcd::]:500
> Jul 22 22:38:36.583460: adding UDP interface eth0 [2406:da14:5db:f400:abcd::]:4500
> Jul 22 22:38:36.583484: adding UDP interface eth0 [2406:da14:5db:f400:e9d7:64ca:b008:4182]:500
> Jul 22 22:38:36.583508: adding UDP interface eth0 [2406:da14:5db:f400:e9d7:64ca:b008:4182]:4500
> Jul 22 22:38:36.583535: adding UDP interface eth1 [2406:da14:5db:f400:810a:b1ea:b7d5:47bd]:500
> Jul 22 22:38:36.583561: adding UDP interface eth1 [2406:da14:5db:f400:810a:b1ea:b7d5:47bd]:4500
> Jul 22 22:38:36.585769: loading secrets from "/etc/ipsec.secrets"
> Jul 22 22:38:36.585812: no secrets filename matched "/etc/ipsec.d/*.secrets"
> Jul 22 22:39:24.962183: listening for IKE messages
> Jul 22 22:39:24.962393: loading secrets from "/etc/ipsec.secrets"
> Jul 22 22:39:24.962423: no secrets filename matched "/etc/ipsec.d/*.secrets"
> Jul 22 22:40:14.605540: listening for IKE messages
> Jul 22 22:40:14.605798: loading secrets from "/etc/ipsec.secrets"
> Jul 22 22:40:14.605840: no secrets filename matched "/etc/ipsec.d/*.secrets"
> Jul 22 22:40:27.791023: listening for IKE messages
> Jul 22 22:40:27.791184: loading secrets from "/etc/ipsec.secrets"
> Jul 22 22:40:27.791215: no secrets filename matched "/etc/ipsec.d/*.secrets"
> Jul 22 22:42:11.073335: listening for IKE messages
> Jul 22 22:42:11.073494: loading secrets from "/etc/ipsec.secrets"
> Jul 22 22:42:11.073523: no secrets filename matched "/etc/ipsec.d/*.secrets"
> Jul 22 22:42:16.885759: packet from 114.246.198.250:500: ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy
> Jul 22 22:42:16.885784: packet from 114.246.198.250:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN
> Jul 22 22:42:17.855101: packet from 114.246.198.250:500: ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy
> Jul 22 22:42:17.855131: packet from 114.246.198.250:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN
>
>>> On Jul 23, 2023, at 5:01 AM, Paul Wouters <[email protected]> wrote:
>>> On Sat, 22 Jul 2023, Heting Wang wrote:
>>> I’m now migrating from StrongSwan to LibreSwan, it seems like it will never work with iOS
>> Your error is not related to iOS.
>>> conn cert
>>> ikev2=insist
>>> left=%defaultroute
>>> tail -f /var/log/pluto.log
>>> Jul 22 19:49:36.532020: adding UDP interface eth0 [2406:da14:5db:f400::e60]:500
>>> Jul 22 19:49:36.532049: adding UDP interface eth0 [2406:da14:5db:f400::e60]:4500
>>> Jul 22 19:49:36.532072: adding UDP interface eth0 [2406:da14:5db:f400:abcd::]:500
>>> Jul 22 19:49:36.532096: adding UDP interface eth0 [2406:da14:5db:f400:abcd::]:4500
>>> Jul 22 19:49:36.532119: adding UDP interface eth0 [2406:da14:5db:f400:e9d7:64ca:b008:4182]:500
>>> Jul 22 19:49:36.532142: adding UDP interface eth0 [2406:da14:5db:f400:e9d7:64ca:b008:4182]:4500
>>> Jul 22 19:49:36.532165: adding UDP interface eth1 [2406:da14:5db:f400:810a:b1ea:b7d5:47bd]:500
>>> Jul 22 19:49:36.532188: adding UDP interface eth1 [2406:da14:5db:f400:810a:b1ea:b7d5:47bd]:4500
>> It seems you are not listening on IPv4 IP addresses. Meaning libreswan got started before the IP 172.31.2.1 was configured on the system?
>>> Jul 22 19:50:03.652462: packet from 114.246.198.250:500: ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy
>>> Jul 22 19:50:03.652512: packet from 114.246.198.250:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN
>> As a workaround, you can try after the boot to issue "ipsec whack --listen" which should redo the IP binding and pick up the now added 172.31.2.1 IP.
>> Paul
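The two checks discussed in this thread (is the local endpoint bound, and which `remote_authby` lookups were tried before the rejection) can be pulled out of pluto.log mechanically. This is an added example, not part of the thread and not libreswan code: the sample lines are constructed from the excerpts above, the regular expressions assume the line shapes shown there with wrapped lines already rejoined, and the `triage` function and its diagnosis strings are hypothetical.

```python
import re

# Constructed sample, condensed from the pluto.log excerpts in this thread.
SAMPLE_LOG = """\
Jul 22 22:38:36.583173: adding UDP interface eth1 172.31.2.1:500
Jul 22 22:38:36.583197: adding UDP interface eth1 172.31.2.1:4500
Jul 22 22:38:36.583324: adding UDP interface lo [::1]:500
Jul 22 22:57:17.605009: | ikev2_find_host_connection() 114.246.198.250->172.31.2.1 remote_authby=ECDSA
Jul 22 22:57:17.605032: | ikev2_find_host_connection() 114.246.198.250->172.31.2.1 remote_authby=RSASIG
Jul 22 22:57:17.605079: | ikev2_find_host_connection() 114.246.198.250->172.31.2.1 remote_authby=PSK
Jul 22 22:57:17.605121: packet from 114.246.198.250:500: ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy
Jul 22 22:57:17.605128: packet from 114.246.198.250:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN
"""

TS = r"^(?P<ts>\w{3} +\d+ [\d:.]+): "
LISTEN_RE = re.compile(TS + r"adding UDP interface (?P<dev>\S+) (?P<ep>\S+)$")
AUTHBY_RE = re.compile(
    TS + r"\|\s+ikev2_find_host_connection\(\) (?P<src>\S+)->(?P<dst>\S+) "
    r"remote_authby=(?P<authby>\S+)$")
REJECT_RE = re.compile(
    TS + r"packet from (?P<peer>\S+): ISAKMP_v2_IKE_SA_INIT message received on "
    r"(?P<local>\S+) but no suitable connection found")


def triage(log_text):
    """Return one finding per rejected IKE_SA_INIT request in log_text."""
    listening = {}   # "ip:port" -> interface name, from "adding UDP interface"
    tried = []       # remote_authby values looked up since the last rejection
    findings = []
    for line in log_text.splitlines():
        if m := LISTEN_RE.match(line):
            listening[m["ep"]] = m["dev"]
        elif m := AUTHBY_RE.match(line):
            tried.append(m["authby"])
        elif m := REJECT_RE.match(line):
            local = m["local"]
            if local in listening:
                # Heuristic wording (assumption): binding is fine, so the
                # rejection comes from connection lookup, not from listening.
                diagnosis = "endpoint bound; no loaded connection matched this peer"
            else:
                diagnosis = "endpoint not in listen list; try 'ipsec whack --listen'"
            findings.append({
                "time": m["ts"], "peer": m["peer"], "local": local,
                "listening_on": listening.get(local),
                "authby_tried": tried, "diagnosis": diagnosis,
            })
            tried = []
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The `authby_tried` list is only populated when the log was captured with debugging enabled, as with the `plutodebug=tmi` output above.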
