> But it could also be the client trying to fetch the CA certificate's CRL. I now think you are right.
Client tries to fetch whole cert chain and fails to do so. It explains both: packet with DST=443 and client timeout. Whole chain must be installed on Win10 to sovle it <http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail> Без вирусов. www.avg.com <http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail> <#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2> On Tue, Feb 19, 2019 at 12:40 PM Kostya Vasilyev <[email protected]> wrote: > > On Tue, Feb 19, 2019, at 12:34 PM, IL Ka wrote: > > > > On Tue, Feb 19, 2019 at 8:48 AM Kostya Vasilyev <[email protected]> > wrote: > >> Looks like the connection is "almost there" but gets blocked by your > firewall (UFW) > >> > >> Very end of your log: > >> > >> Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from > 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes) > >> Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 > OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** > DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP > SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0 > >> Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with > 154.77.***.** after timeout > > > > > > DPT=443 looks like OpenVPN or HTTPS. > > IKE uses UDP/500 (or UDP/4500 in case of NAT). > > > > I am not sure this message is somehow connected to problem. > > > > Could be unrelated - good find on the EAP-Identity > > But it could also be the client trying to fetch the CA certificate's CRL. > > Moses can you check if your CA cert has a CRL? > > openssl -text -noout -in your_CA_cert > > Is there a CRL? Is it an https:// link? > > X509v3 CRL Distribution Points: > > Full Name: > URI:https://...... > > -- K >
