On Tue, Feb 19, 2019, at 12:50 PM, IL Ka wrote:
> > But it could also be the client trying to fetch the CA certificate's CRL.
> I now think you are right.
> 
> Client tries to fetch whole cert chain and fails to do so.
> It explains both: packet with DST=443 and client timeout.

The missing EAP-identity support could also be an issue - there can be two 
problems at once, not one.

But this sequence -

connection almost up, server sends packet to client, UFW blocks packet from 
client to server port 443

- has occurred twice, in *two* of Moses' logs.

Feb 19:

Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 
102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= 
MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** 
DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP 
SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with 
154.77.***.** after timeout

Feb 15:

Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[NET] sending 
packet: from  102.1*9.2*9.** [500] to  154.76.***.1*1 [500] (36 bytes)
Feb 15 20:13:12 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a kernel: [ 1898.916216] 
[UFW BLOCK] IN=ens3 OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 
SRC=154.76.122.161 DST=102.129.249.173 LEN=52 TOS=0x10 PREC=0x20 TTL=115 
ID=24830 DF PROTO=TCP SPT=57716 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0

Unfortunately this log is cut off short; there is no "deleting half open 
connection" here.

But the server sending a UDP packet followed immediately by UFW BLOCK is.

Moses - I would also consider getting things to work using the basic PSK auth 
method and only then switching to certs and EAP.

It just might be easier to solve problems one at a time.

-- K

> 
> Whole chain must be installed on Win10 to solve it
> 
> 
> On Tue, Feb 19, 2019 at 12:40 PM Kostya Vasilyev <[email protected]> wrote:
>> 
>> On Tue, Feb 19, 2019, at 12:34 PM, IL Ka wrote:
>>  > 
>>  > On Tue, Feb 19, 2019 at 8:48 AM Kostya Vasilyev <[email protected]> wrote:
>>  >> Looks like the connection is "almost there" but gets blocked by your 
>> firewall (UFW)
>>  >>  
>>  >>  Very end of your log:
>>  >>  
>>  >>  Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 
>> 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
>>  >>  Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= 
>> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.** 
>> DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP 
>> SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
>>  >>  Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with 
>> 154.77.***.** after timeout
>>  > 
>>  > 
>>  > DPT=443 looks like OpenVPN or HTTPS. 
>>  > IKE uses UDP/500 (or UDP/4500 in case of NAT).
>>  > 
>>  > I am not sure this message is somehow connected to problem.
>>  > 
>>  
>>  Could be unrelated - good find on the EAP-Identity
>>  
>>  But it could also be the client trying to fetch the CA certificate's CRL.
>>  
>>  Moses can you check if your CA cert has a CRL?
>>  
>>  openssl x509 -text -noout -in your_CA_cert
>>  
>>  Is there a CRL? Is it an https:// link?
>>  
>>      X509v3 CRL Distribution Points:
>>  
>>          Full Name:
>>            URI:https://......
>>  
>>  -- K
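
As an added illustration (not code from anyone in this thread), a small Python script that looks for the sequence described above: a charon "sending packet" line followed within a few seconds by a UFW BLOCK of TCP/443 from the same peer, and whether that IKE_SA then timed out. The log lines are constructed to mirror the format in this thread; the addresses are documentation ranges, not the poster's.

```python
import re
from datetime import datetime

# Constructed sample lines in the syslog format seen in this thread (not the
# poster's real log); addresses are documentation ranges.
SAMPLE_LOG = """\
Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from 198.51.100.10[4500] to 203.0.113.25[4500] (772 bytes)
Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT= MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=203.0.113.25 DST=198.51.100.10 LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with 203.0.113.25 after timeout
Feb 19 02:15:40 VM-e2b7 kernel: [ 2882.000001] [UFW BLOCK] IN=ens3 OUT= SRC=192.0.2.77 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=40000 DPT=22 SYN URGP=0
"""

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (charon|kernel): (.*)$")
SEND_RE = re.compile(r"sending packet: from \S+ to (\d+\.\d+\.\d+\.\d+)\[\d+\]")
UFW_RE = re.compile(r"\[UFW BLOCK\] .*SRC=(\d+\.\d+\.\d+\.\d+) .*PROTO=TCP .*DPT=(\d+)")
TIMEOUT_RE = re.compile(r"deleting half open IKE_SA with (\d+\.\d+\.\d+\.\d+)")


def parse_ts(stamp, year=2019):
    # syslog stamps carry no year; the year is assumed (2019 for this thread)
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_blocked_followups(log_text, window_s=5, port=443):
    """Return (stamp, peer, dpt, timed_out) for every charon 'sending packet'
    line that is followed within window_s seconds by a UFW BLOCK of TCP traffic
    from that same peer to `port`, plus whether the IKE_SA later timed out."""
    sends, blocks, timeouts = [], [], set()
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        stamp, source, rest = m.group(1), m.group(2), m.group(3)
        if source == "charon":
            s = SEND_RE.search(rest)
            t = TIMEOUT_RE.search(rest)
            if s:
                sends.append((stamp, parse_ts(stamp), s.group(1)))
            elif t:
                timeouts.add(t.group(1))
        else:
            b = UFW_RE.search(rest)
            if b:
                blocks.append((parse_ts(stamp), b.group(1), int(b.group(2))))
    hits = []
    for stamp, ts, peer in sends:
        for bts, src, dpt in blocks:
            if src == peer and dpt == port and 0 <= (bts - ts).total_seconds() <= window_s:
                hits.append((stamp, peer, dpt, peer in timeouts))
                break
    return hits


if __name__ == "__main__":
    for stamp, peer, dpt, timed_out in find_blocked_followups(SAMPLE_LOG):
        print(f"{stamp}: IKE packet to {peer}, then TCP/{dpt} from it blocked; timed out: {timed_out}")
```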
