Hello,
I am trying to establish an IKEv2/cert connection between a strongSwan
VPN client on Android (4.1) and a
strongSwan server (4.5.2). The IPsec SA appears to be in place, but traffic
does not flow through the tunnel. The VPN client log indicates "no matching
outbound IPsec policy" for any traffic sent when leftsubnet=0.0.0.0/0 in
the server's ipsec.conf. The client VPN status counts indicate packets
sent, but none received, and packets are not seen on the network. If
leftsubnet is narrowed, any packets with destinations outside of
leftsubnet are sent outside of the tunnel.

The server (192.168.50.101) is NATed behind the router 192.168.1.2. The
client is on the router's local network at 192.168.1.141 and gets a virtual
IP (192.168.47.1) from the server. The behavior is the same if both the
client and server are NATed. The intended behavior is for all traffic from
the client to pass through the tunnel.

I suspect the configuration is wrong on the server, but I have not found
what prevents the client from installing a policy for traffic through the
tunnel. The attached file includes configuration and logs. Any assistance
is greatly appreciated.

-gs
------------------------------------
Server ipsec.conf
config setup
        # plutodebug=control
        nat_traversal=yes
        charonstart=yes
        charondebug="default 1, ike 3, cfg 3"
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no

ca sample
   cacert=sampleCAcert.pem
   auto=add

conn %default
        type=tunnel
        keyexchange=ikev2
        reauth=no
        rekey=no
        authby=rsa
        pfs=no
        keyingtries=3

conn IPSEC-VPN-NAT
        left=192.168.50.101
        leftsubnet=0.0.0.0/0 
        leftprotoport=17/1701
        leftcert=serverdnsandipCert.pem
        leftid=serverdnsandipKey.der
        leftfirewall=yes
        right=%any
        rightprotoport=17/%any
        rightsourceip=192.168.47.0/24
        rightid=%any
        auto=add
---------------------------------               
server ipsec.secrets
#include /var/lib/strongswan/ipsec.secrets.inc

: RSA serverdnsandipKey.der "xxxx"
-----------------------------------

>> ipsec listcerts

List of X.509 End Entity Certificates:

  altNames:  vpn.sample.org, 192.168.1.2
  subject:  "C=US, O=Sample, CN=vpn.sample.org, [email protected]"
  issuer:   "C=US, O=Sample, OU=Sample CA, CN=ca.sample.org, 
[email protected]"
  serial:    20:24
  validity:  not before Feb 01 09:34:48 2013, ok
             not after  Feb 01 09:34:48 2015, ok
  pubkey:    RSA 2048 bits, has private key
  keyid:     75:75:4f:b2:02:28:16:80:a6:6c:fa:87:cd:10:5d:28:04:f1:77:4f
  subjkey:   8b:55:0c:eb:d7:60:97:02:ea:81:96:d0:bf:86:5f:34:d7:54:8c:3f
  authkey:   50:86:71:86:aa:c3:25:08:12:22:5a:12:c6:a7:90:9b:cf:0b:7b:71


>> ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.2):
  uptime: 5 minutes, since Feb 01 11:15:56 2013
  malloc: sbrk 282624, mmap 0, used 232168, free 50456
  worker threads: 6 idle of 16, job queue load: 0, scheduled events: 0
  loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 
revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 
xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown 
eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls 
eap-tnc nm dhcp led addrblock
Virtual IP pools (size/online/offline):
  IPSEC-VPN-NAT: 255/0/0
Listening IP addresses:
  192.168.50.101
  
Connections:
IPSEC-VPN-NAT:  192.168.50.101...%any
IPSEC-VPN-NAT:   local:  [C=US, O=Sample, CN=vpn.sample.org, 
[email protected]] uses public key authentication
IPSEC-VPN-NAT:    cert:  "C=US, O=Sample, CN=vpn.sample.org, 
[email protected]"
IPSEC-VPN-NAT:   remote: [%any] uses any authentication
IPSEC-VPN-NAT:   child:  0.0.0.0/0[udp/l2f] === dynamic[udp]
Security Associations:
  none

  
  
>> ipsec status
Security Associations:
IPSEC-VPN-NAT[1]: ESTABLISHED 7 seconds ago, 192.168.50.101[C=US, O=Sample, 
CN=vpn.sample.org, [email protected]]...192.168.1.141[C=US, O=Sample, 
CN=rw.sample.org, [email protected]]
IPSEC-VPN-NAT{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c7e346d6_i 5dd3d9e2_o
IPSEC-VPN-NAT{1}:   0.0.0.0/0[udp/l2f] === 192.168.47.1/32[udp]
---------------------------------------
server syslog
  Feb  1 11:15:55 VPN charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 
4.5.2)
Feb  1 11:15:55 VPN charon: 00[LIB] Padlock not found, CPU is GenuineIntel
Feb  1 11:15:55 VPN charon: 00[LIB] plugin 'padlock': failed to load - 
padlock_plugin_create returned NULL
Feb  1 11:15:55 VPN charon: 00[KNL] listening on interfaces:
Feb  1 11:15:55 VPN charon: 00[KNL]   eth2
Feb  1 11:15:55 VPN charon: 00[KNL]     192.168.50.101
Feb  1 11:15:55 VPN charon: 00[KNL]     fe80::20b:abff:fe4b:782
Feb  1 11:15:55 VPN charon: 00[CFG] loading ca certificates from 
'/etc/ipsec.d/cacerts'
Feb  1 11:15:55 VPN charon: 00[CFG]   loaded ca certificate "C=US, O=Sample, 
OU=Sample CA, CN=ca.sample.org, [email protected]" from 
'/etc/ipsec.d/cacerts/sampleCAcert.pem'
Feb  1 11:15:55 VPN charon: 00[CFG]   loaded ca certificate "C=US, O=Sample, 
OU=Sample CA, CN=ca.sample.org, [email protected]" from 
'/etc/ipsec.d/cacerts/sampleCAcert.der'
Feb  1 11:15:55 VPN charon: 00[CFG] loading aa certificates from 
'/etc/ipsec.d/aacerts'
Feb  1 11:15:55 VPN charon: 00[CFG] loading ocsp signer certificates from 
'/etc/ipsec.d/ocspcerts'
Feb  1 11:15:55 VPN charon: 00[CFG] loading attribute certificates from 
'/etc/ipsec.d/acerts'
Feb  1 11:15:55 VPN charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb  1 11:15:55 VPN charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb  1 11:15:55 VPN charon: 00[CFG]   loaded RSA private key from 
'/etc/ipsec.d/private/serverdnsandipKey.der'
Feb  1 11:15:55 VPN charon: 00[CFG] sql plugin: database URI not set
Feb  1 11:15:55 VPN charon: 00[LIB] plugin 'sql': failed to load - 
sql_plugin_create returned NULL
Feb  1 11:15:55 VPN charon: 00[CFG] loaded 0 RADIUS server configurations
Feb  1 11:15:55 VPN charon: 00[LIB] plugin 'medsrv' failed to load: 
/usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object file: 
No such file or directory
Feb  1 11:15:55 VPN charon: 00[CFG] mediation client database URI not defined, 
skipped
Feb  1 11:15:55 VPN charon: 00[LIB] plugin 'medcli': failed to load - 
medcli_plugin_create returned NULL
Feb  1 11:15:55 VPN charon: 00[CFG] HA config misses local/remote address
Feb  1 11:15:55 VPN charon: 00[LIB] plugin 'ha': failed to load - 
ha_plugin_create returned NULL
Feb  1 11:15:55 VPN charon: 00[DMN] loaded plugins: test-vectors curl ldap aes 
des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem 
openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink 
resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc 
eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc nm dhcp led addrblock 
Feb  1 11:15:55 VPN charon: 00[JOB] spawning 16 worker threads
Feb  1 11:15:55 VPN charon: 04[CFG] received stroke: add ca 'sample'
Feb  1 11:15:55 VPN charon: 04[CFG] added ca 'sample'
Feb  1 11:15:55 VPN charon: 10[CFG] received stroke: add connection 
'IPSEC-VPN-NAT'
Feb  1 11:15:55 VPN charon: 10[CFG]   loaded certificate "C=US, O=Sample, 
CN=vpn.sample.org, [email protected]" from 'serverdnsandipCert.pem'
Feb  1 11:15:55 VPN charon: 10[CFG]   id 'serverdnsandipKey.der' not confirmed 
by certificate, defaulting to 'C=US, O=Sample, CN=vpn.sample.org, 
[email protected]'
Feb  1 11:15:55 VPN charon: 10[CFG] added configuration 'IPSEC-VPN-NAT'
Feb  1 11:15:55 VPN charon: 10[CFG] adding virtual IP address pool 
'IPSEC-VPN-NAT': 192.168.47.0/24
Feb  1 11:16:53 VPN charon: 15[CFG] rereading secrets
Feb  1 11:16:53 VPN charon: 15[CFG] loading secrets from '/etc/ipsec.secrets'
Feb  1 11:16:53 VPN charon: 15[CFG]   loaded RSA private key from 
'/etc/ipsec.d/private/serverdnsandipKey.der'
Feb  1 11:17:01 VPN CRON[32219]: (root) CMD (   cd / && run-parts --report 
/etc/cron.hourly)
Feb  1 11:22:28 VPN charon: 11[NET] received packet: from 192.168.1.141[47081] 
to 192.168.50.101[500]
Feb  1 11:22:28 VPN charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No 
N(NATD_S_IP) N(NATD_D_IP) ]
Feb  1 11:22:28 VPN charon: 11[IKE] 192.168.1.141 is initiating an IKE_SA
Feb  1 11:22:28 VPN charon: 11[IKE] local host is behind NAT, sending keep 
alives
Feb  1 11:22:28 VPN charon: 11[IKE] remote host is behind NAT
Feb  1 11:22:28 VPN charon: 11[IKE] sending cert request for "C=US, O=Sample, 
OU=Sample CA, CN=ca.sample.org, [email protected]"
Feb  1 11:22:28 VPN charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE 
No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Feb  1 11:22:28 VPN charon: 11[NET] sending packet: from 192.168.50.101[500] to 
192.168.1.141[47081]
Feb  1 11:22:29 VPN charon: 13[NET] received packet: from 192.168.1.141[36761] 
to 192.168.50.101[4500]
Feb  1 11:22:29 VPN charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT 
N(INIT_CONTACT) CERTREQ AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) 
N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Feb  1 11:22:29 VPN charon: 13[IKE] received cert request for "C=US, O=Sample, 
OU=Sample CA, CN=ca.sample.org, [email protected]"
Feb  1 11:22:29 VPN charon: 13[IKE] received end entity cert "C=US, O=Sample, 
CN=rw.sample.org, [email protected]"
Feb  1 11:22:29 VPN charon: 13[CFG] looking for peer configs matching 
192.168.50.101[%any]...192.168.1.141[C=US, O=Sample, CN=rw.sample.org, 
[email protected]]
Feb  1 11:22:29 VPN charon: 13[CFG] selected peer config 'IPSEC-VPN-NAT'
Feb  1 11:22:29 VPN charon: 13[CFG]   using certificate "C=US, O=Sample, 
CN=rw.sample.org, [email protected]"
Feb  1 11:22:29 VPN charon: 13[CFG]   using trusted ca certificate "C=US, 
O=Sample, OU=Sample CA, CN=ca.sample.org, [email protected]"
Feb  1 11:22:29 VPN charon: 13[CFG] checking certificate status of "C=US, 
O=Sample, CN=rw.sample.org, [email protected]"
Feb  1 11:22:29 VPN charon: 13[CFG] certificate status is not available
Feb  1 11:22:29 VPN charon: 13[CFG]   reached self-signed root ca with a path 
length of 0
Feb  1 11:22:29 VPN charon: 13[IKE] authentication of 'C=US, O=Sample, 
CN=rw.sample.org, [email protected]' with RSA signature successful
Feb  1 11:22:29 VPN charon: 13[IKE] peer supports MOBIKE
Feb  1 11:22:29 VPN charon: 13[IKE] authentication of 'C=US, O=Sample, 
CN=vpn.sample.org, [email protected]' (myself) with RSA signature successful
Feb  1 11:22:29 VPN charon: 13[IKE] IKE_SA IPSEC-VPN-NAT[1] established between 
192.168.50.101[C=US, O=Sample, CN=vpn.sample.org, 
[email protected]]...192.168.1.141[C=US, O=Sample, CN=rw.sample.org, 
[email protected]]
Feb  1 11:22:29 VPN charon: 13[IKE] sending end entity cert "C=US, O=Sample, 
CN=vpn.sample.org, [email protected]"
Feb  1 11:22:29 VPN charon: 13[IKE] peer requested virtual IP %any
Feb  1 11:22:29 VPN charon: 13[CFG] assigning new lease to 'C=US, O=Sample, 
CN=rw.sample.org, [email protected]'
Feb  1 11:22:29 VPN charon: 13[IKE] assigning virtual IP 192.168.47.1 to peer 
'C=US, O=Sample, CN=rw.sample.org, [email protected]'
Feb  1 11:22:29 VPN charon: 13[IKE] CHILD_SA IPSEC-VPN-NAT{1} established with 
SPIs c7e346d6_i 5dd3d9e2_o and TS 0.0.0.0/0[udp/l2f] === 192.168.47.1/32[udp] 
Feb  1 11:22:29 VPN vpn: + C=US, O=Sample, CN=rw.sample.org, [email protected] 
192.168.47.1/32 == 192.168.1.141 -- 192.168.50.101 == 0.0.0.0/0
Feb  1 11:22:29 VPN charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT 
AUTH CP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(ADD_4_ADDR) ]
Feb  1 11:22:29 VPN charon: 13[NET] sending packet: from 192.168.50.101[4500] 
to 192.168.1.141[36761]
Feb  1 11:22:49 VPN charon: 10[IKE] sending keep alive
Feb  1 11:22:49 VPN charon: 10[NET] sending packet: from 192.168.50.101[4500] 
to 192.168.1.141[36761]
... Disconnected from client at this point
Feb  1 11:28:54 VPN charon: 04[NET] received packet: from 192.168.1.141[36761] 
to 192.168.50.101[4500]
Feb  1 11:28:54 VPN charon: 04[ENC] parsed INFORMATIONAL request 2 [ D ]
Feb  1 11:28:54 VPN charon: 04[IKE] received DELETE for IKE_SA IPSEC-VPN-NAT[1]
Feb  1 11:28:54 VPN charon: 04[IKE] deleting IKE_SA IPSEC-VPN-NAT[1] between 
192.168.50.101[C=US, O=Sample, CN=vpn.sample.org, 
[email protected]]...192.168.1.141[C=US, O=Sample, CN=rw.sample.org, 
[email protected]]
Feb  1 11:28:54 VPN charon: 04[IKE] IKE_SA deleted
Feb  1 11:28:54 VPN vpn: - C=US, O=Sample, CN=rw.sample.org, [email protected] 
192.168.47.1/32 == 192.168.1.141 -- 192.168.50.101 == 0.0.0.0/0
Feb  1 11:28:54 VPN charon: 04[ENC] generating INFORMATIONAL response 2 [ ]
Feb  1 11:28:54 VPN charon: 04[NET] sending packet: from 192.168.50.101[4500] 
to 192.168.1.141[36761]
Feb  1 11:28:54 VPN charon: 04[CFG] lease 192.168.47.1 by 'C=US, O=Sample, 
CN=rw.sample.org, [email protected]' went offline
--------------------------
server auth.log
Feb  1 11:15:55 VPN ipsec_starter[32161]: Starting strongSwan 4.5.2 IPsec 
[starter]...
Feb  1 11:22:28 VPN charon: 11[IKE] 192.168.1.141 is initiating an IKE_SA
Feb  1 11:22:29 VPN charon: 13[IKE] IKE_SA IPSEC-VPN-NAT[1] established between 
192.168.50.101
     [C=US, O=Sample, CN=vpn.sample.org, [email protected]]...
         192.168.1.141[C=US, O=Sample, CN=rw.sample.org, [email protected]]
Feb  1 11:22:29 VPN charon: 13[IKE] CHILD_SA IPSEC-VPN-NAT{1} established with 
     SPIs c7e346d6_i 5dd3d9e2_o and TS 0.0.0.0/0[udp/l2f] === 
192.168.47.1/32[udp] 
Feb  1 11:28:54 VPN charon: 04[IKE] deleting IKE_SA IPSEC-VPN-NAT[1] between 
192.168.50.101
     [C=US, O=Sample, CN=vpn.sample.org, [email protected]]...
         192.168.1.141[C=US, O=Sample, CN=rw.sample.org, [email protected]]
Feb  1 11:28:54 VPN charon: 04[IKE] IKE_SA deleted
------------------------------
client log
Feb  1 11:21:13 00[DMN] Starting IKE charon daemon (strongSwan 5.0.2dr4, Linux 
3.0.31-381038, armv7l)
Feb  1 11:21:13 00[DMN] loaded plugins: androidbridge charon android-log 
openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-default 
eap-identity eap-mschapv2 eap-md5 eap-gtc
Feb  1 11:21:13 00[JOB] spawning 16 worker threads
Feb  1 11:21:13 12[CFG] loaded user certificate 'C=US, O=Sample, 
CN=rw.sample.org, [email protected]' and private key
Feb  1 11:21:13 12[CFG] loaded CA certificate 'C=US, O=Sample, OU=Sample CA, 
CN=ca.sample.org, [email protected]'
Feb  1 11:21:13 12[IKE] initiating IKE_SA android[31] to 192.168.1.2
Feb  1 11:21:13 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No 
N(NATD_S_IP) N(NATD_D_IP) ]
Feb  1 11:21:13 12[NET] sending packet: from 192.168.1.141[47081] to 
192.168.1.2[500]
Feb  1 11:21:15 14[IKE] retransmit 1 of request with message ID 0
Feb  1 11:21:15 14[NET] sending packet: from 192.168.1.141[47081] to 
192.168.1.2[500]
Feb  1 11:21:16 15[NET] received packet: from 192.168.1.2[500] to 
192.168.1.141[47081]
Feb  1 11:21:16 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) 
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Feb  1 11:21:16 15[IKE] remote host is behind NAT
Feb  1 11:21:16 15[IKE] received cert request for "C=US, O=Sample, OU=Sample 
CA, CN=ca.sample.org, [email protected]"
Feb  1 11:21:16 15[IKE] sending cert request for "C=US, O=Sample, OU=Sample CA, 
CN=ca.sample.org, [email protected]"
Feb  1 11:21:16 15[IKE] authentication of 'C=US, O=Sample, CN=rw.sample.org, 
[email protected]' (myself) with RSA signature successful
Feb  1 11:21:16 15[IKE] sending end entity cert "C=US, O=Sample, 
CN=rw.sample.org, [email protected]"
Feb  1 11:21:16 15[IKE] establishing CHILD_SA android
Feb  1 11:21:16 15[ENC] generating IKE_AUTH request 1 [ IDi CERT 
N(INIT_CONTACT) CERTREQ AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) 
N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Feb  1 11:21:16 15[NET] sending packet: from 192.168.1.141[36761] to 
192.168.1.2[4500]
Feb  1 11:21:16 16[NET] received packet: from 192.168.1.2[4500] to 
192.168.1.141[36761]
Feb  1 11:21:16 16[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR) SA 
TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Feb  1 11:21:16 16[IKE] received end entity cert "C=US, O=Sample, 
CN=vpn.sample.org, [email protected]"
Feb  1 11:21:16 16[CFG]   using certificate "C=US, O=Sample, CN=vpn.sample.org, 
[email protected]"
Feb  1 11:21:16 16[CFG]   using trusted ca certificate "C=US, O=Sample, 
OU=Sample CA, CN=ca.sample.org, [email protected]"
Feb  1 11:21:16 16[CFG]   reached self-signed root ca with a path length of 0
Feb  1 11:21:16 16[IKE] authentication of 'C=US, O=Sample, CN=vpn.sample.org, 
[email protected]' with RSA signature successful
Feb  1 11:21:16 16[IKE] IKE_SA android[31] established between 
192.168.1.141[C=US, O=Sample, CN=rw.sample.org, 
[email protected]]...192.168.1.2[C=US, O=Sample, CN=vpn.sample.org, 
[email protected]]
Feb  1 11:21:16 16[IKE] scheduling rekeying in 35884s
Feb  1 11:21:16 16[IKE] maximum IKE_SA lifetime 36484s
Feb  1 11:21:16 16[IKE] installing new virtual IP 192.168.47.1
Feb  1 11:21:16 16[IKE] CHILD_SA android{26} established with SPIs 5dd3d9e2_i 
c7e346d6_o and TS 192.168.47.1/32[17] === 0.0.0.0/0[17/1701] 
Feb  1 11:21:16 16[DMN] setting up TUN device for CHILD_SA android{26}
Feb  1 11:21:16 16[DMN] successfully created TUN device
Feb  1 11:21:16 16[IKE] peer supports MOBIKE
Feb  1 11:23:13 11[ESP] no matching outbound IPsec policy for 192.168.47.1 == 
10.0.0.8
Feb  1 11:23:14 11[ESP] no matching outbound IPsec policy for 192.168.47.1 == 
10.0.0.8
Feb  1 11:23:15 11[ESP] no matching outbound IPsec policy for 192.168.47.1 == 
10.0.0.8
Feb  1 11:23:16 11[ESP] no matching outbound IPsec policy for 192.168.47.1 == 
10.0.0.8
Disconnect Requested from Client UI
Feb  1 11:27:42 00[IKE] deleting IKE_SA android[31] between 192.168.1.141[C=US, 
O=Sample, CN=rw.sample.org, [email protected]]...192.168.1.2[C=US, O=Sample, 
CN=vpn.sample.org, [email protected]]
Feb  1 11:27:42 00[IKE] sending DELETE for IKE_SA android[31]
Feb  1 11:27:42 00[ENC] generating INFORMATIONAL request 2 [ D ]
Feb  1 11:27:42 00[NET] sending packet: from 192.168.1.141[36761] to 
192.168.1.2[4500]
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
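Added example, not code from the post above or from strongSwan itself: a small IKEv2 traffic-selector matcher (the TS_IPV4_ADDR_RANGE model of RFC 7296 section 3.13, with an address range, an IP protocol and a port range that must all match) run against the CHILD_SA selectors both logs print. The client negotiated `192.168.47.1/32[17] === 0.0.0.0/0[17/1701]`, which the server renders as `0.0.0.0/0[udp/l2f] === 192.168.47.1/32[udp]` (protocol 17 is UDP, and l2f is the /etc/services name for port 1701). leftsubnet=0.0.0.0/0 covers every destination address, but leftprotoport=17/1701 narrows the selector to UDP with destination port 1701, so anything else sent from the virtual IP, such as traffic to 10.0.0.8, has no outbound policy and is exactly what the client log reports. The sample packets are constructed: only the two addresses come from the log; the ports and protocols attached to 10.0.0.8 are assumptions, and the "full tunnel" policy is what the same conn would negotiate with the protoport lines removed.

```python
"""Added example (not code from the post or from strongSwan): a minimal
IKEv2 traffic-selector matcher, used to check constructed sample packets
against the CHILD_SA selectors printed in the client and server logs."""
import ipaddress
from dataclasses import dataclass

# Names as strongSwan prints them; "l2f" is the /etc/services name for
# port 1701, which is why the server log shows "0.0.0.0/0[udp/l2f]".
PROTO_NAMES = {"udp": 17, "tcp": 6, "icmp": 1}
SERVICE_PORTS = {"l2f": 1701, "domain": 53, "https": 443}
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class TrafficSelector:
    network: ipaddress.IPv4Network
    protocol: int          # 0 = any protocol
    port_start: int        # (0, 65535) = any port
    port_end: int

    @classmethod
    def parse(cls, text):
        """Parse strongSwan's 'net/len[proto/port]' notation, e.g.
        '0.0.0.0/0[udp/l2f]', '192.168.47.1/32[17]', '0.0.0.0/0[17/1701]'
        or a bare '10.0.0.0/8' (any protocol, any port)."""
        proto, (lo, hi) = 0, ANY_PORTS
        net_part, _, spec = text.strip().partition("[")
        if spec:
            proto_s, _, port_s = spec.rstrip("]").partition("/")
            proto = PROTO_NAMES.get(proto_s) or int(proto_s)
            if port_s and port_s != "%any":
                if "-" in port_s:
                    lo, hi = (int(p) for p in port_s.split("-"))
                else:
                    lo = hi = SERVICE_PORTS.get(port_s) or int(port_s)
        net = ipaddress.ip_network(net_part.strip(), strict=False)
        return cls(net, proto, lo, hi)

    def covers(self, addr, protocol, port):
        """True if (addr, protocol, port) lies inside this selector."""
        if ipaddress.ip_address(addr) not in self.network:
            return False
        if self.protocol and self.protocol != protocol:
            return False
        if (self.port_start, self.port_end) == ANY_PORTS:
            return True
        # A port-restricted selector only ever covers TCP/UDP traffic.
        return protocol in (6, 17) and self.port_start <= port <= self.port_end


@dataclass(frozen=True)
class ChildPolicy:
    local: TrafficSelector    # our side: on the client, the virtual IP
    remote: TrafficSelector   # the peer's side: what is reachable via the gateway

    @classmethod
    def parse(cls, text):
        """Parse a 'LOCAL === REMOTE' line as printed by charon / ipsec status."""
        loc, rem = text.split("===")
        return cls(TrafficSelector.parse(loc), TrafficSelector.parse(rem))

    def matches_outbound(self, src, sport, dst, dport, protocol):
        """Outbound packets: source fits the local TS, destination the remote TS."""
        return (self.local.covers(src, protocol, sport)
                and self.remote.covers(dst, protocol, dport))


# Selector pair from the client log (leftsubnet=0.0.0.0/0 + leftprotoport=17/1701).
NEGOTIATED = ChildPolicy.parse("192.168.47.1/32[17] === 0.0.0.0/0[17/1701]")
# Assumed result of the same conn with the leftprotoport/rightprotoport lines removed.
FULL_TUNNEL = ChildPolicy.parse("192.168.47.1/32 === 0.0.0.0/0")

# Constructed sample packets: (name, src, sport, dst, dport, protocol). The
# addresses come from the log; the ports and protocols are assumptions.
SAMPLE_PACKETS = [
    ("dns query", "192.168.47.1", 40000, "10.0.0.8", 53,   17),
    ("icmp echo", "192.168.47.1", 0,     "10.0.0.8", 0,    1),
    ("https",     "192.168.47.1", 40001, "10.0.0.8", 443,  6),
    ("l2tp",      "192.168.47.1", 1701,  "10.0.0.8", 1701, 17),
]


def classify(policy, packets=SAMPLE_PACKETS):
    """Map packet name -> True if the outbound policy covers it."""
    return {name: policy.matches_outbound(src, sp, dst, dp, proto)
            for name, src, sp, dst, dp, proto in packets}


if __name__ == "__main__":
    for label, policy in (("negotiated (leftprotoport=17/1701)", NEGOTIATED),
                          ("full tunnel (no protoport)", FULL_TUNNEL)):
        print(f"== {label}")
        for (name, src, sp, dst, dp, proto), ok in zip(SAMPLE_PACKETS, classify(policy).values()):
            verdict = "tunnelled" if ok else f"no matching outbound IPsec policy for {src} == {dst}"
            print(f"  {name:10s} proto={proto:<2} {dst}:{dp:<5} {verdict}")
```

With the negotiated selectors only the UDP/1701 packet is covered; with the protoport restriction gone every sample packet is. The server log's separate line "id 'serverdnsandipKey.der' not confirmed by certificate, defaulting to ..." shows leftid pointing at the key file name rather than an identity in the certificate; charon falls back to the subject DN, so it does not cause the policy problem, but it is worth correcting alongside.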