> server-to-aws: 10.100.15.1...y.y.y.y IKEv1, dpddelay=15s
> I ended up adding an interface for 10.100.15.1 as that is what appears to be required.
The conn is configured for x.x.x.x, not 10.100.15.1. strongSwan doesn't need such an address. Set left=x.x.x.x.

On 25.03.20 at 15:47, Dafydd Tomos wrote:
> Status output and debug below (anonymised, but consistent)
>
> Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-11-amd64, x86_64):
>   uptime: 4 seconds, since Mar 25 14:45:06 2020
>   malloc: sbrk 1892352, mmap 0, used 417440, free 1474912
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
>   loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
> Listening IP addresses:
>   x.x.x.x
>   10.100.15.1
> Connections:
>   server-to-aws: 10.100.15.1...y.y.y.y IKEv1, dpddelay=15s
>   server-to-aws: local: [server] uses pre-shared key authentication
>   server-to-aws: remote: [aws] uses pre-shared key authentication
>   server-to-aws: child: 10.100.15.0/24 === 172.21.0.0/16 172.22.0.0/16 TUNNEL, dpdaction=restart
> Security Associations (0 up, 1 connecting):
>   server-to-aws[1]: CONNECTING, 10.100.15.1[%any]...y.y.y.y[%any]
>   server-to-aws[1]: IKEv1 SPIs: f8ad92b2d16ea9a4_i* 0000000000000000_r
>   server-to-aws[1]: Tasks queued: QUICK_MODE
>   server-to-aws[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
>
> Wed, 2020-03-25 14:41 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-11-amd64, x86_64)
> Wed, 2020-03-25 14:41 00[LIB] plugin 'aesni': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'aes': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'rc2': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'sha2': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'sha1': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'md5': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'random': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'nonce': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'x509': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'revocation': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'constraints': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'pubkey': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'pkcs1': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'pkcs7': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'pkcs8': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'pkcs12': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'pgp': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'dnskey': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'sshkey': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'pem': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'openssl': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'fips-prf': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'gmp': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'agent': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'xcbc': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'hmac': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'gcm': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'attr': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'kernel-netlink': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'resolve': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'socket-default': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'connmark': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'stroke': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'updown': loaded successfully
> Wed, 2020-03-25 14:41 00[KNL] known interfaces and IP addresses:
> Wed, 2020-03-25 14:41 00[KNL]   lo
> Wed, 2020-03-25 14:41 00[KNL]     127.0.0.1
> Wed, 2020-03-25 14:41 00[KNL]     ::1
> Wed, 2020-03-25 14:41 00[KNL]   eth0
> Wed, 2020-03-25 14:41 00[KNL]   eth1
> Wed, 2020-03-25 14:41 00[KNL]   bond0
> Wed, 2020-03-25 14:41 00[KNL]     x.x.x.x
> Wed, 2020-03-25 14:41 00[KNL]     10.100.15.1
> Wed, 2020-03-25 14:41 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
> Wed, 2020-03-25 14:41 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA
> Wed, 2020-03-25 14:41 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has unmet dependency: PRIVKEY:BLISS
> Wed, 2020-03-25 14:41 00[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST
> Wed, 2020-03-25 14:41 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_224 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224
> Wed, 2020-03-25 14:41 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_256 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256
> Wed, 2020-03-25 14:41 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_384 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384
> Wed, 2020-03-25 14:41 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_512 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_512
> Wed, 2020-03-25 14:41 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_224 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224
> Wed, 2020-03-25 14:41 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_256 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256
> Wed, 2020-03-25 14:41 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_384 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384
> Wed, 2020-03-25 14:41 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_512 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_512
> Wed, 2020-03-25 14:41 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Wed, 2020-03-25 14:41 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Wed, 2020-03-25 14:41 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Wed, 2020-03-25 14:41 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Wed, 2020-03-25 14:41 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Wed, 2020-03-25 14:41 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Wed, 2020-03-25 14:41 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
> Wed, 2020-03-25 14:41 00[CFG] loaded IKE secret for 10.100.15.1 y.y.y.y
> Wed, 2020-03-25 14:41 00[CFG] loaded IKE secret for x.x.x.x y.y.y.y
> Wed, 2020-03-25 14:41 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
> Wed, 2020-03-25 14:41 00[LIB] unable to load 12 plugin features (12 due to unmet dependencies)
> Wed, 2020-03-25 14:41 00[LIB] dropped capabilities, running as uid 0, gid 0
> Wed, 2020-03-25 14:41 00[JOB] spawning 16 worker threads
> Wed, 2020-03-25 14:41 01[LIB] created thread 01 [8989]
> Wed, 2020-03-25 14:41 02[LIB] created thread 02 [8990]
> Wed, 2020-03-25 14:41 03[LIB] created thread 03 [8991]
> Wed, 2020-03-25 14:41 04[LIB] created thread 04 [8992]
> Wed, 2020-03-25 14:41 05[LIB] created thread 05 [8993]
> Wed, 2020-03-25 14:41 06[LIB] created thread 06 [8994]
> Wed, 2020-03-25 14:41 07[LIB] created thread 07 [8995]
> Wed, 2020-03-25 14:41 08[LIB] created thread 08 [8996]
> Wed, 2020-03-25 14:41 09[LIB] created thread 09 [8997]
> Wed, 2020-03-25 14:41 10[LIB] created thread 10 [8998]
> Wed, 2020-03-25 14:41 11[LIB] created thread 11 [8999]
> Wed, 2020-03-25 14:41 12[LIB] created thread 12 [9000]
> Wed, 2020-03-25 14:41 13[LIB] created thread 13 [9001]
> Wed, 2020-03-25 14:41 14[LIB] created thread 14 [9003]
> Wed, 2020-03-25 14:41 15[LIB] created thread 15 [9002]
> Wed, 2020-03-25 14:41 16[LIB] created thread 16 [9004]
> Wed, 2020-03-25 14:41 04[CFG] received stroke: add connection 'server-to-aws'
> Wed, 2020-03-25 14:41 04[CFG] conn server-to-aws
> Wed, 2020-03-25 14:41 04[CFG]   left=10.100.15.1
> Wed, 2020-03-25 14:41 04[CFG]   leftsubnet=10.100.15.0/24
> Wed, 2020-03-25 14:41 04[CFG]   leftauth=psk
> Wed, 2020-03-25 14:41 04[CFG]   leftid=server
> Wed, 2020-03-25 14:41 04[CFG]   right=y.y.y.y
> Wed, 2020-03-25 14:41 04[CFG]   rightsubnet=172.21.0.0/16, 172.22.0.0/16
> Wed, 2020-03-25 14:41 04[CFG]   rightauth=psk
> Wed, 2020-03-25 14:41 04[CFG]   rightid=aws
> Wed, 2020-03-25 14:41 04[CFG]   ike=aes256-sha256-modp1536
> Wed, 2020-03-25 14:41 04[CFG]   esp=aes256-sha256-modp1536
> Wed, 2020-03-25 14:41 04[CFG]   dpddelay=15
> Wed, 2020-03-25 14:41 04[CFG]   dpdtimeout=30
> Wed, 2020-03-25 14:41 04[CFG]   dpdaction=3
> Wed, 2020-03-25 14:41 04[CFG]   mediation=no
> Wed, 2020-03-25 14:41 04[CFG]   keyexchange=ikev1
> Wed, 2020-03-25 14:41 04[KNL] y.y.y.y is not a local address or the interface is down
> Wed, 2020-03-25 14:41 04[CFG] added configuration 'server-to-aws'
> Wed, 2020-03-25 14:41 06[CFG] received stroke: initiate 'server-to-aws'
> Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> queueing ISAKMP_VENDOR task
> Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> queueing ISAKMP_CERT_PRE task
> Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> queueing MAIN_MODE task
> Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> queueing ISAKMP_CERT_POST task
> Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> queueing ISAKMP_NATD task
> Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> queueing QUICK_MODE task
> Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> activating new tasks
> Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> activating ISAKMP_VENDOR task
> Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> activating ISAKMP_CERT_PRE task
> Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> activating MAIN_MODE task
> Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> activating ISAKMP_CERT_POST task
> Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> activating ISAKMP_NATD task
> Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> sending XAuth vendor ID
> Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> sending DPD vendor ID
> Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> sending FRAGMENTATION vendor ID
> Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> sending NAT-T (RFC 3947) vendor ID
> Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> initiating Main Mode IKE_SA server-to-aws[1] to y.y.y.y
> Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> IKE_SA server-to-aws[1] state change: CREATED => CONNECTING
> Wed, 2020-03-25 14:41 06[CFG] <server-to-aws|1> configured proposals:
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_MD5_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024,
> IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
> Wed, 2020-03-25 14:41 06[ENC] <server-to-aws|1> generating ID_PROT request 0 [ SA V V V V V ]
> Wed, 2020-03-25 14:41 06[NET] <server-to-aws|1> sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
> Wed, 2020-03-25 14:41 08[CFG] proposing traffic selectors for us:
> Wed, 2020-03-25 14:41 08[CFG]   10.100.15.0/24
> Wed, 2020-03-25 14:41 08[CFG] proposing traffic selectors for other:
> Wed, 2020-03-25 14:41 08[CFG]   172.21.0.0/16
> Wed, 2020-03-25 14:41 08[CFG]   172.22.0.0/16
> Wed, 2020-03-25 14:41 10[CFG] proposing traffic selectors for us:
> Wed, 2020-03-25 14:41 10[CFG]   10.100.15.0/24
> Wed, 2020-03-25 14:41 10[CFG] proposing traffic selectors for other:
> Wed, 2020-03-25 14:41 10[CFG]   172.21.0.0/16
> Wed, 2020-03-25 14:41 10[CFG]   172.22.0.0/16
> Wed, 2020-03-25 14:41 11[NET] <2> received packet: from y.y.y.y[500] to x.x.x.x[500] (292 bytes)
> Wed, 2020-03-25 14:41 11[ENC] <2> parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
> Wed, 2020-03-25 14:41 11[CFG] <2> looking for an ike config for x.x.x.x...y.y.y.y
> Wed, 2020-03-25 14:41 11[IKE] <2> no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
> Wed, 2020-03-25 14:41 11[ENC] <2> generating INFORMATIONAL_V1 request 2361685619 [ N(NO_PROP) ]
> Wed, 2020-03-25 14:41 11[NET] <2> sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
> Wed, 2020-03-25 14:41 11[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => DESTROYING
> Wed, 2020-03-25 14:41 12[IKE] <server-to-aws|1> sending retransmit 1 of request message ID 0, seq 1
> Wed, 2020-03-25 14:41 12[NET] <server-to-aws|1> sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
> Wed, 2020-03-25 14:41 15[CFG] proposing traffic selectors for us:
> Wed, 2020-03-25 14:41 15[CFG]   10.100.15.0/24
> Wed, 2020-03-25 14:41 15[CFG] proposing traffic selectors for other:
> Wed, 2020-03-25 14:41 15[CFG]   172.21.0.0/16
> Wed, 2020-03-25 14:41 15[CFG]   172.22.0.0/16
> Wed, 2020-03-25 14:41 05[CFG] proposing traffic selectors for us:
> Wed, 2020-03-25 14:41 05[CFG]   10.100.15.0/24
> Wed, 2020-03-25 14:41 05[CFG] proposing traffic selectors for other:
> Wed, 2020-03-25 14:41 05[CFG]   172.21.0.0/16
> Wed, 2020-03-25 14:41 05[CFG]   172.22.0.0/16
> Wed, 2020-03-25 14:41 06[CFG] proposing traffic selectors for us:
> Wed, 2020-03-25 14:41 06[CFG]   10.100.15.0/24
> Wed, 2020-03-25 14:41 06[CFG] proposing traffic selectors for other:
> Wed, 2020-03-25 14:41 06[CFG]   172.21.0.0/16
> Wed, 2020-03-25 14:41 06[CFG]   172.22.0.0/16
> Wed, 2020-03-25 14:41 09[NET] <3> received packet: from y.y.y.y[500] to x.x.x.x[500] (292 bytes)
> Wed, 2020-03-25 14:41 09[ENC] <3> parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
> Wed, 2020-03-25 14:41 09[CFG] <3> looking for an ike config for x.x.x.x...y.y.y.y
> Wed, 2020-03-25 14:41 09[IKE] <3> no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
> Wed, 2020-03-25 14:41 09[ENC] <3> generating INFORMATIONAL_V1 request 3284802983 [ N(NO_PROP) ]
> Wed, 2020-03-25 14:41 09[NET] <3> sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
> Wed, 2020-03-25 14:41 09[IKE] <3> IKE_SA (unnamed)[3] state change: CREATED => DESTROYING
> Wed, 2020-03-25 14:41 08[CFG] proposing traffic selectors for us:
> Wed, 2020-03-25 14:41 08[CFG]   10.100.15.0/24
> Wed, 2020-03-25 14:41 08[CFG] proposing traffic selectors for other:
> Wed, 2020-03-25 14:41 08[CFG]   172.21.0.0/16
> Wed, 2020-03-25 14:41 08[CFG]   172.22.0.0/16
> Wed, 2020-03-25 14:41 10[IKE] <server-to-aws|1> sending retransmit 2 of request message ID 0, seq 1
> Wed, 2020-03-25 14:41 10[NET] <server-to-aws|1> sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
> Wed, 2020-03-25 14:41 11[CFG] proposing traffic selectors for us:
> Wed, 2020-03-25 14:41 11[CFG]   10.100.15.0/24
> Wed, 2020-03-25 14:41 11[CFG] proposing traffic selectors for other:
> Wed, 2020-03-25 14:41 11[CFG]   172.21.0.0/16
> Wed, 2020-03-25 14:41 11[CFG]   172.22.0.0/16
> Wed, 2020-03-25 14:41 16[CFG] proposing traffic selectors for us:
> Wed, 2020-03-25 14:41 16[CFG]   10.100.15.0/24
> Wed, 2020-03-25 14:41 16[CFG] proposing traffic selectors for other:
> Wed, 2020-03-25 14:41 16[CFG]   172.21.0.0/16
> Wed, 2020-03-25 14:41 16[CFG]   172.22.0.0/16
> Wed, 2020-03-25 14:41 00[DMN] signal of type SIGINT received. Shutting down
> Wed, 2020-03-25 14:41 00[IKE] <server-to-aws|1> destroying IKE_SA in state CONNECTING without notification
> Wed, 2020-03-25 14:41 00[IKE] <server-to-aws|1> IKE_SA server-to-aws[1] state change: CONNECTING => DESTROYING
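The diagnosis in the reply can be checked mechanically against a charon log: the conn initiates from 10.100.15.1, but the peer's answers arrive at x.x.x.x, which matches no IKE config, so left= points at the wrong local address. An added example (not code from this thread or from strongSwan) that scans charon log lines for that pattern; the sample lines are constructed in the format quoted above, with the thread's anonymised addresses:

```python
import re
from collections import defaultdict

# Constructed samples in the charon log format quoted above; addresses keep the thread's anonymised form.
SAMPLE_LOG = """\
Wed, 2020-03-25 14:41 06[NET] <server-to-aws|1> sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Wed, 2020-03-25 14:41 11[NET] <2> received packet: from y.y.y.y[500] to x.x.x.x[500] (292 bytes)
Wed, 2020-03-25 14:41 11[IKE] <2> no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
Wed, 2020-03-25 14:41 12[NET] <server-to-aws|1> sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
"""
# The same exchange after the fix from the reply (left=x.x.x.x); also constructed.
SAMPLE_LOG_FIXED = """\
Wed, 2020-03-25 14:41 06[NET] <server-to-aws|1> sending packet: from x.x.x.x[500] to y.y.y.y[500] (252 bytes)
Wed, 2020-03-25 14:41 11[NET] <server-to-aws|1> received packet: from y.y.y.y[500] to x.x.x.x[500] (292 bytes)
"""

SEND_RE = re.compile(r"sending packet: from (\S+)\[\d+\] to (\S+)\[\d+\]")
RECV_RE = re.compile(r"received packet: from (\S+)\[\d+\] to (\S+)\[\d+\]")
NOCFG_RE = re.compile(r"no IKE config found for (\S+)\.\.\.(\S+),")

def collect_evidence(log):
    """Per peer: local addresses we initiated from, local addresses the peer
    answered to, and the (local, peer) pairs charon found no config for."""
    sent_from, replied_to, unmatched = defaultdict(set), defaultdict(set), set()
    for line in log.splitlines():
        if m := SEND_RE.search(line):
            sent_from[m.group(2)].add(m.group(1))    # peer -> our source address
        elif m := RECV_RE.search(line):
            replied_to[m.group(1)].add(m.group(2))   # peer -> address it targeted
        elif m := NOCFG_RE.search(line):
            unmatched.add((m.group(1), m.group(2)))
    return sent_from, replied_to, unmatched

def find_address_mismatches(log):
    """One finding per peer that answers to a local address the conn never
    initiated from; that address is what left= should carry."""
    sent_from, replied_to, unmatched = collect_evidence(log)
    findings = []
    for peer, targets in replied_to.items():
        stray = sorted(targets - sent_from.get(peer, set()))
        if stray:
            findings.append({
                "peer": peer,
                "initiated_from": sorted(sent_from.get(peer, set())),
                "peer_replies_to": stray,
                "rejected_no_config": any((t, peer) in unmatched for t in stray),
                "suggested_left": stray[0],
            })
    return findings
```

Run against the real log, the finding names the address the peer actually reaches, which is what the conn's left= must be for the responder to match an IKE config.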