On 8/11/2020 1:16 AM, TomK wrote:
On 8/9/2020 8:10 PM, TomK wrote:
On 6/30/2020 4:41 AM, Tobias Brunner wrote:
Hi Tom,

What I meant to say, is that would confirm all proper kernel modules
were already in place to allow the communication would it not? Anything
else I could try to, in the least, confirm if the packet was
successfully forwarded to the Azure VPN Gateway end?

I know the packet arrives at the IPSec ipsec0 interface however,
checking just now, I don't see any traffic change on the WAN interface
of the on-prem StrongSwan VPN GW.

As explained in previous emails, with kernel-libipsec you are not using
any of the IPsec-related kernel modules.  IPsec processing happens in
userland via ipsec0 TUN device (see [1] for more on this plugin).
rp_filter could be an issue when using it.

To check traffic, use packet counters (strongSwan's status output,
firewall etc.) or traffic captures on the respective hosts to see if
e.g. ESP packets are exchanged.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec



Hey All,

So I've given up on DD-WRT for the time being and decided instead to use an old Raspberry PI 2 and OpenWRT.

The topology I'll reference is available on the below OpenWRT forum. For the sake of not replicating all the content (and partially due to a touch of laziness), here is the link:

Aug 9th post:

https://forum.openwrt.org/t/openwrt-support-for-quagga-ospf-strongswan-ipsecv2-1-openvpn-firewalld-ssh-ddns-dnsmasquerade/69528/18

I'm effectively running into this error:

Aug  9 17:04:06 OWRT01 : 14[IKE] initiating IKE_SA AZURE[1] to 123.123.123.123
Aug  9 17:04:06 OWRT01 : 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug  9 17:04:06 OWRT01 : 14[NET] sending packet: from 100.100.100.100[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 17:04:06 OWRT01 : 04[NET] error writing to socket: Network unreachable
Aug  9 17:04:10 OWRT01 : 14[IKE] retransmit 1 of request with message ID 0


This time, XFRM modules are loaded:


root@OWRT01:~# lsmod|grep xfrm
tunnel4                12288  2 sit,xfrm4_tunnel
tunnel6                12288  1 xfrm6_tunnel
xfrm_algo              12288  7 esp6,ah6,esp4,ah4,xfrm_user,xfrm_ipcomp,af_key
xfrm_ipcomp            12288  2 ipcomp6,ipcomp
xfrm_user              28672  0
xfrm4_mode_beet        12288  0
xfrm4_mode_transport   12288  0
xfrm4_mode_tunnel      12288  0
xfrm4_tunnel           12288  0
xfrm6_mode_beet        12288  0
xfrm6_mode_transport   12288  0
xfrm6_mode_tunnel      12288  0
xfrm6_tunnel           12288  1 ipcomp6
root@OWRT01:~#


However, from the OpenWRT post, you can see that packets aren't even making it out of the ipsec0 interface, nor from the br-lan interface.




Made it past the above issue.  Had to set:


left=192.168.0.12
type=passthrough


since this is a device behind the main router.  My bad!


Now I'm receiving a reply back:


root@DD-WRT-INTERNET-ASUS:~# tcpdump -n | grep -Ei "123.123.123.123"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:42:10.410556 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
21:42:10.414404 IP 123.123.123.123.500 > 192.168.0.12.500: isakmp: parent_sa ikev2_init[R]


However the result is this error:

received NO_PROPOSAL_CHOSEN notify error

I've gone and searched the above error but nothing worked so far.  Tried different settings for ike= and esp= but no luck either.


Perhaps I'm missing something here a trained eye won't?  Any help is appreciated.


---------------------------------------------------------
Full session:


Aug 11 00:41:57 OWRT01 : 00[DMN] signal of type SIGINT received. Shutting down
Aug 11 00:42:00 OWRT01 : 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 4.14.180, armv7l)
Aug 11 00:42:00 OWRT01 : 00[CFG] PKCS11 module '<name>' lacks library path
Aug 11 00:42:01 OWRT01 : 00[LIB] curl SSL backend 'mbedTLS/2.16.6' not supported, https:// disabled
Aug 11 00:42:01 OWRT01 : 00[CFG] disabling load-tester plugin, not configured
Aug 11 00:42:01 OWRT01 : 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Aug 11 00:42:01 OWRT01 : 00[LIB] created TUN device: ipsec0
Aug 11 00:42:01 OWRT01 : 00[LIB] plugin 'uci' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup: symbol not found
Aug 11 00:42:01 OWRT01 : 00[CFG] attr-sql plugin: database URI not set
Aug 11 00:42:01 OWRT01 : 00[NET] using forecast interface br-lan
Aug 11 00:42:01 OWRT01 : 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Aug 11 00:42:01 OWRT01 : 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug 11 00:42:01 OWRT01 : 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug 11 00:42:01 OWRT01 : 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug 11 00:42:01 OWRT01 : 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug 11 00:42:01 OWRT01 : 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug 11 00:42:01 OWRT01 : 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug 11 00:42:01 OWRT01 : 00[CFG]   loaded IKE secret for 192.168.0.12 123.123.123.123
Aug 11 00:42:01 OWRT01 : 00[CFG] sql plugin: database URI not set
Aug 11 00:42:01 OWRT01 : 00[CFG] loaded 0 RADIUS server configurations
Aug 11 00:42:01 OWRT01 : 00[CFG] HA config misses local/remote address
Aug 11 00:42:01 OWRT01 : 00[CFG] coupling file path unspecified
Aug 11 00:42:01 OWRT01 : 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp gmpdh curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink resolve socket-default socket-dynamic connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Aug 11 00:42:01 OWRT01 : 00[JOB] spawning 16 worker threads
Aug 11 00:42:01 OWRT01 : 13[CFG] received stroke: add connection 'AZURE'
Aug 11 00:42:01 OWRT01 : 13[CFG] added configuration 'AZURE'
Aug 11 00:42:01 OWRT01 : 15[CFG] received stroke: initiate 'AZURE'
Aug 11 00:42:01 OWRT01 : 15[IKE] initiating IKE_SA AZURE[1] to 123.123.123.123
Aug 11 00:42:01 OWRT01 : 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 11 00:42:01 OWRT01 : 15[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (336 bytes)
Aug 11 00:42:01 OWRT01 : 10[NET] received packet: from 192.168.0.6[500] to 192.168.0.12[500] (336 bytes)
Aug 11 00:42:01 OWRT01 : 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 11 00:42:01 OWRT01 : 10[IKE] no IKE config found for 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
Aug 11 00:42:01 OWRT01 : 10[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 11 00:42:01 OWRT01 : 10[NET] sending packet: from 192.168.0.12[500] to 192.168.0.6[500] (36 bytes)
Aug 11 00:42:01 OWRT01 : 11[NET] received packet: from 123.123.123.123[500] to 192.168.0.12[500] (36 bytes)
Aug 11 00:42:01 OWRT01 : 11[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 11 00:42:01 OWRT01 : 11[IKE] received NO_PROPOSAL_CHOSEN notify error


root@OWRT01:~# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.8.2 IPsec [starter]...
root@OWRT01:~# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
         # strictcrlpolicy=yes
         # uniqueids = no

conn AZURE
         authby=secret
         auto=start
         type=passthrough
         keyexchange=ikev2
         keylife=3600s
         ikelifetime=28800s

         left=192.168.0.12
         leftsubnet=0.0.0.0/0
         right=123.123.123.123
         rightsubnet=0.0.0.0/0

         ike=aes256-sha2_256-modp1024
         esp=aes256-sha2_256

root@OWRT01:~#


root@OWRT01:~# cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
# Verbosity levels
# -1: Absolutely silent
# 0: Very basic auditing logs, (e.g. SA up/SA down)
# 1: Generic control flow with errors, a good default to see whats going on
# 2: More detailed debugging control flow
# 3: Including RAW data dumps in Hex
# 4: Also include sensitive material in dumps, e.g. keys
charon {
         load_modular = yes
         plugins {
                 include strongswan.d/charon/*.conf
         }
         filelog {
                 charon {
                         path = /var/log/charon.log
                         time_format = %b %e %T
                         append = no
                        default = 0 # in case troubleshoot is required switch this to 2
                 }
                 stderr {
                        ike = 0 # in case troubleshoot is required switch this to 2
                        knl = 0 # in case troubleshoot is required switch this to 3
                         ike_name = yes
                 }
         }
         syslog {
                 # enable logging to LOG_DAEMON, use defaults
                 daemon {
                 }
                 # minimalistic IKE auditing logging to LOG_AUTHPRIV
                 auth {
                        default = 0 # in case troubleshoot is required switch this to 2
                        ike = 0 # in case troubleshoot is required switch this to 2
                 }
         }
}
include strongswan.d/*.conf
root@OWRT01:~#


Given the below:

Azure VPN Gateway (123.123.123.123) -> DD-WRT (On Site PUB IP 100.100.100.100, Local Router IP 192.168.0.6: Port Forwarding 500, 4500 to Raspberry Pi 2) -> Raspberry Pi 2 OpenWRT (OWRT01, 192.168.0.12)


Am I correct in thinking that due to this statement in the logs:

Aug 16 01:00:06 OWRT01 : 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 16 01:00:06 OWRT01 : 11[IKE] no IKE config found for 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN


I now also need an ipsec policy between the DD-WRT router and the OpenWRT Raspberry Pi 2? Thank you for taking a look.


My config and logs:

root@OWRT01:~# cat /etc/ipsec.conf
config setup

conn azure
        authby=secret
        auto=start
        type=passthrough

        left=192.168.0.12
        leftsubnet=0.0.0.0/0

        right=123.123.123.123
        rightsubnet=0.0.0.0/0

        ike=aes128gcm16-prfsha256-ecp256,aes256gcm16-prfsha384-ecp384
        esp=aes128gcm16-ecp256,aes256gcm16-ecp384
root@OWRT01:~#



Aug 16 01:00:00 OWRT01 : 00[DMN] signal of type SIGINT received. Shutting down
Aug 16 01:00:04 OWRT01 : 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 4.14.180, armv7l)
Aug 16 01:00:04 OWRT01 : 00[CFG] PKCS11 module '<name>' lacks library path
Aug 16 01:00:05 OWRT01 : 00[LIB] curl SSL backend 'mbedTLS/2.16.6' not supported, https:// disabled
Aug 16 01:00:05 OWRT01 : 00[CFG] disabling load-tester plugin, not configured
Aug 16 01:00:05 OWRT01 : 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Aug 16 01:00:05 OWRT01 : 00[LIB] created TUN device: ipsec0
Aug 16 01:00:05 OWRT01 : 00[LIB] plugin 'uci' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup: symbol not found
Aug 16 01:00:05 OWRT01 : 00[CFG] attr-sql plugin: database URI not set
Aug 16 01:00:05 OWRT01 : 00[NET] using forecast interface br-lan
Aug 16 01:00:05 OWRT01 : 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Aug 16 01:00:05 OWRT01 : 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug 16 01:00:05 OWRT01 : 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug 16 01:00:05 OWRT01 : 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug 16 01:00:05 OWRT01 : 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug 16 01:00:05 OWRT01 : 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug 16 01:00:05 OWRT01 : 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug 16 01:00:05 OWRT01 : 00[CFG] loaded IKE secret for 192.168.0.12 123.123.123.123
Aug 16 01:00:05 OWRT01 : 00[CFG] sql plugin: database URI not set
Aug 16 01:00:05 OWRT01 : 00[CFG] loaded 0 RADIUS server configurations
Aug 16 01:00:05 OWRT01 : 00[CFG] HA config misses local/remote address
Aug 16 01:00:05 OWRT01 : 00[CFG] coupling file path unspecified
Aug 16 01:00:05 OWRT01 : 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp gmpdh curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink resolve socket-default socket-dynamic connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Aug 16 01:00:05 OWRT01 : 00[JOB] spawning 16 worker threads
Aug 16 01:00:05 OWRT01 : 09[CFG] received stroke: add connection 'azure'
Aug 16 01:00:05 OWRT01 : 09[CFG] added configuration 'azure'
Aug 16 01:00:05 OWRT01 : 12[CFG] received stroke: initiate 'azure'
Aug 16 01:00:05 OWRT01 : 12[IKE] initiating IKE_SA azure[1] to 123.123.123.123
Aug 16 01:00:05 OWRT01 : 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 16 01:00:05 OWRT01 : 12[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (1152 bytes)
Aug 16 01:00:05 OWRT01 : 11[NET] received packet: from 192.168.0.6[26] to 192.168.0.12[500] (1152 bytes)
Aug 16 01:00:06 OWRT01 : 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 16 01:00:06 OWRT01 : 11[IKE] no IKE config found for 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
Aug 16 01:00:06 OWRT01 : 11[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 16 01:00:06 OWRT01 : 11[NET] sending packet: from 192.168.0.12[500] to 192.168.0.6[26] (36 bytes)
Aug 16 01:00:06 OWRT01 : 14[NET] received packet: from 123.123.123.123[500] to 192.168.0.12[500] (36 bytes)
Aug 16 01:00:06 OWRT01 : 14[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 16 01:00:06 OWRT01 : 14[IKE] received NO_PROPOSAL_CHOSEN notify error
Aug 16 01:00:06 OWRT01 : 03[NET] received packet: from 192.168.0.6[500] to 192.168.0.12[500] (620 bytes)
Aug 16 01:00:06 OWRT01 : 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Aug 16 01:00:06 OWRT01 : 03[IKE] no IKE config found for 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
Aug 16 01:00:06 OWRT01 : 03[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 16 01:00:06 OWRT01 : 03[NET] sending packet: from 192.168.0.12[500] to 192.168.0.6[500] (36 bytes)


Aug 16 01:00:05 11[ENC]   parsing rule 0 U_INT_8
Aug 16 01:00:05 11[ENC]   parsing rule 1 RESERVED_BYTE
Aug 16 01:00:05 11[ENC]   parsing rule 2 PAYLOAD_LENGTH
Aug 16 01:00:05 11[ENC]   parsing rule 3 U_INT_8
Aug 16 01:00:05 11[ENC]   parsing rule 4 RESERVED_BYTE
Aug 16 01:00:05 11[ENC]   parsing rule 5 U_INT_16
Aug 16 01:00:05 11[ENC]   parsing rule 6 (1262)
Aug 16 01:00:05 11[ENC] 4 bytes left, parsing recursively TRANSFORM_ATTRIBUTE
Aug 16 01:00:05 11[ENC] parsing TRANSFORM_ATTRIBUTE payload, 388 bytes left
Aug 16 01:00:05 11[ENC]   parsing rule 0 ATTRIBUTE_FORMAT
Aug 16 01:00:05 11[ENC]   parsing rule 1 ATTRIBUTE_TYPE
Aug 16 01:00:05 11[ENC]   parsing rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Aug 16 01:00:05 11[ENC]   parsing rule 3 ATTRIBUTE_VALUE
Aug 16 01:00:05 11[ENC] parsing TRANSFORM_ATTRIBUTE payload finished
Aug 16 01:00:05 11[ENC] parsing TRANSFORM_SUBSTRUCTURE payload finished
Aug 16 01:00:05 11[ENC] 152 bytes left, parsing recursively TRANSFORM_SUBSTRUCTURE
Aug 16 01:00:05 11[ENC] parsing TRANSFORM_SUBSTRUCTURE payload, 384 bytes left
Aug 16 01:00:05 11[ENC]   parsing rule 0 U_INT_8
Aug 16 01:00:05 11[ENC]   parsing rule 1 RESERVED_BYTE
Aug 16 01:00:05 11[ENC]   parsing rule 2 PAYLOAD_LENGTH
Aug 16 01:00:05 11[ENC]   parsing rule 3 U_INT_8
Aug 16 01:00:05 11[ENC]   parsing rule 4 RESERVED_BYTE
Aug 16 01:00:05 11[ENC]   parsing rule 5 U_INT_16
Aug 16 01:00:05 11[ENC]   parsing rule 6 (1262)
Aug 16 01:00:05 11[ENC] parsing TRANSFORM_SUBSTRUCTURE payload finished
Aug 16 01:00:05 11[ENC] 144 bytes left, parsing recursively TRANSFORM_SUBSTRUCTURE
...
Aug 16 01:00:06 11[ENC] parsing NOTIFY payload finished
Aug 16 01:00:06 11[ENC] verifying payload of type NOTIFY
Aug 16 01:00:06 11[ENC] NOTIFY payload verified, adding to payload list
Aug 16 01:00:06 11[ENC] starting parsing a NOTIFY payload
Aug 16 01:00:06 11[ENC] parsing NOTIFY payload, 8 bytes left
Aug 16 01:00:06 11[ENC]   parsing rule 0 U_INT_8
Aug 16 01:00:06 11[ENC]   parsing rule 1 FLAG
Aug 16 01:00:06 11[ENC]   parsing rule 2 RESERVED_BIT
Aug 16 01:00:06 11[ENC]   parsing rule 3 RESERVED_BIT
Aug 16 01:00:06 11[ENC]   parsing rule 4 RESERVED_BIT
Aug 16 01:00:06 11[ENC]   parsing rule 5 RESERVED_BIT
Aug 16 01:00:06 11[ENC]   parsing rule 6 RESERVED_BIT
Aug 16 01:00:06 11[ENC]   parsing rule 7 RESERVED_BIT
Aug 16 01:00:06 11[ENC]   parsing rule 8 RESERVED_BIT
Aug 16 01:00:06 11[ENC]   parsing rule 9 PAYLOAD_LENGTH
Aug 16 01:00:06 11[ENC]   parsing rule 10 U_INT_8
Aug 16 01:00:06 11[ENC]   parsing rule 11 SPI_SIZE
Aug 16 01:00:06 11[ENC]   parsing rule 12 U_INT_16
Aug 16 01:00:06 11[ENC]   parsing rule 13 SPI
Aug 16 01:00:06 11[ENC]   parsing rule 14 CHUNK_DATA
Aug 16 01:00:06 11[ENC] parsing NOTIFY payload finished
Aug 16 01:00:06 11[ENC] verifying payload of type NOTIFY
Aug 16 01:00:06 11[ENC] NOTIFY payload verified, adding to payload list
Aug 16 01:00:06 11[ENC] process payload of type SECURITY_ASSOCIATION
Aug 16 01:00:06 11[ENC] process payload of type KEY_EXCHANGE
Aug 16 01:00:06 11[ENC] process payload of type NONCE
Aug 16 01:00:06 11[ENC] process payload of type NOTIFY
Aug 16 01:00:06 11[ENC] process payload of type NOTIFY
Aug 16 01:00:06 11[ENC] process payload of type NOTIFY
Aug 16 01:00:06 11[ENC] process payload of type NOTIFY
Aug 16 01:00:06 11[ENC] process payload of type NOTIFY
Aug 16 01:00:06 11[ENC] verifying message structure
Aug 16 01:00:06 11[ENC] found payload of type NOTIFY
Aug 16 01:00:06 11[ENC] found payload of type NOTIFY
Aug 16 01:00:06 11[ENC] found payload of type NOTIFY
Aug 16 01:00:06 11[ENC] found payload of type NOTIFY
Aug 16 01:00:06 11[ENC] found payload of type NOTIFY
Aug 16 01:00:06 11[ENC] found payload of type SECURITY_ASSOCIATION
Aug 16 01:00:06 11[ENC] found payload of type KEY_EXCHANGE
Aug 16 01:00:06 11[ENC] found payload of type NONCE
Aug 16 01:00:06 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 16 01:00:06 11[CFG] looking for an IKEv2 config for 192.168.0.12...192.168.0.6
Aug 16 01:00:06 11[IKE] no IKE config found for 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
Aug 16 01:00:06 11[ENC] added payload of type NOTIFY to message
Aug 16 01:00:06 11[ENC] order payloads in message
Aug 16 01:00:06 11[ENC] added payload of type NOTIFY to message
Aug 16 01:00:06 11[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 16 01:00:06 11[ENC] not encrypting payloads
Aug 16 01:00:06 11[ENC] generating payload of type HEADER
Aug 16 01:00:06 11[ENC]   generating rule 0 IKE_SPI
Aug 16 01:00:06 11[ENC]   generating rule 1 IKE_SPI
Aug 16 01:00:06 11[ENC]   generating rule 2 U_INT_8
Aug 16 01:00:06 11[ENC]   generating rule 3 U_INT_4
Aug 16 01:00:06 11[ENC]   generating rule 4 U_INT_4
Aug 16 01:00:06 11[ENC]   generating rule 5 U_INT_8
Aug 16 01:00:06 11[ENC]   generating rule 6 RESERVED_BIT
Aug 16 01:00:06 11[ENC]   generating rule 7 RESERVED_BIT
Aug 16 01:00:06 11[ENC]   generating rule 8 FLAG
Aug 16 01:00:06 11[ENC]   generating rule 9 FLAG
Aug 16 01:00:06 11[ENC]   generating rule 10 FLAG
Aug 16 01:00:06 11[ENC]   generating rule 11 FLAG
Aug 16 01:00:06 11[ENC]   generating rule 12 FLAG
Aug 16 01:00:06 11[ENC]   generating rule 13 FLAG
Aug 16 01:00:06 11[ENC]   generating rule 14 U_INT_32
Aug 16 01:00:06 11[ENC]   generating rule 15 HEADER_LENGTH
Aug 16 01:00:06 11[ENC] generating HEADER payload finished
Aug 16 01:00:06 11[ENC] generating payload of type NOTIFY
Aug 16 01:00:06 11[ENC]   generating rule 0 U_INT_8
Aug 16 01:00:06 11[ENC]   generating rule 1 FLAG
Aug 16 01:00:06 11[ENC]   generating rule 2 RESERVED_BIT
Aug 16 01:00:06 11[ENC]   generating rule 3 RESERVED_BIT
Aug 16 01:00:06 11[ENC]   generating rule 4 RESERVED_BIT
Aug 16 01:00:06 11[ENC]   generating rule 5 RESERVED_BIT
Aug 16 01:00:06 11[ENC]   generating rule 6 RESERVED_BIT
Aug 16 01:00:06 11[ENC]   generating rule 7 RESERVED_BIT
Aug 16 01:00:06 11[ENC]   generating rule 8 RESERVED_BIT
Aug 16 01:00:06 11[ENC]   generating rule 9 PAYLOAD_LENGTH
Aug 16 01:00:06 11[ENC]   generating rule 10 U_INT_8
Aug 16 01:00:06 11[ENC]   generating rule 11 SPI_SIZE
Aug 16 01:00:06 11[ENC]   generating rule 12 U_INT_16
Aug 16 01:00:06 11[ENC]   generating rule 13 SPI
Aug 16 01:00:06 11[ENC]   generating rule 14 CHUNK_DATA
Aug 16 01:00:06 11[ENC] generating NOTIFY payload finished
Aug 16 01:00:06 11[NET] sending packet: from 192.168.0.12[500] to 192.168.0.6[26] (36 bytes)
Aug 16 01:00:06 11[MGR] checkin and destroy IKE_SA (unnamed)[2]
Aug 16 01:00:06 16[NET] sending packet: from 192.168.0.12[500] to 192.168.0.6[26]
Aug 16 01:00:06 11[IKE] IKE_SA (unnamed)[2] state change: CREATED => DESTROYING
Aug 16 01:00:06 11[MGR] checkin and destroy of IKE_SA successful
Aug 16 01:00:06 04[NET] received packet: from 123.123.123.123[500] to 192.168.0.12[500]
Aug 16 01:00:06 04[ENC] parsing header of message
Aug 16 01:00:06 04[ENC] parsing HEADER payload, 36 bytes left
Aug 16 01:00:06 04[ENC]   parsing rule 0 IKE_SPI
Aug 16 01:00:06 04[ENC]   parsing rule 1 IKE_SPI
Aug 16 01:00:06 04[ENC]   parsing rule 2 U_INT_8
Aug 16 01:00:06 04[ENC]   parsing rule 3 U_INT_4
Aug 16 01:00:06 04[ENC]   parsing rule 4 U_INT_4
Aug 16 01:00:06 04[ENC]   parsing rule 5 U_INT_8
Aug 16 01:00:06 04[ENC]   parsing rule 6 RESERVED_BIT
Aug 16 01:00:06 04[ENC]   parsing rule 7 RESERVED_BIT
Aug 16 01:00:06 04[ENC]   parsing rule 8 FLAG
Aug 16 01:00:06 04[ENC]   parsing rule 9 FLAG
Aug 16 01:00:06 04[ENC]   parsing rule 10 FLAG
Aug 16 01:00:06 04[ENC]   parsing rule 11 FLAG
Aug 16 01:00:06 04[ENC]   parsing rule 12 FLAG
Aug 16 01:00:06 04[ENC]   parsing rule 13 FLAG
Aug 16 01:00:06 04[ENC]   parsing rule 14 U_INT_32
Aug 16 01:00:06 04[ENC]   parsing rule 15 HEADER_LENGTH
Aug 16 01:00:06 04[ENC] parsing HEADER payload finished
Aug 16 01:00:06 04[ENC] parsed a IKE_SA_INIT response header
Aug 16 01:00:06 04[NET] waiting for data on sockets
Aug 16 01:00:06 14[MGR] checkout IKEv2 SA by message with SPIs 5d4dbd5514ee8ae1_i 7e6ea225251f2a77_r
Aug 16 01:00:06 14[MGR] IKE_SA azure[1] successfully checked out
Aug 16 01:00:06 14[NET] received packet: from 123.123.123.123[500] to 192.168.0.12[500] (36 bytes)
Aug 16 01:00:06 14[ENC] parsing body of message, first payload is NOTIFY
Aug 16 01:00:06 14[ENC] starting parsing a NOTIFY payload
Aug 16 01:00:06 14[ENC] parsing NOTIFY payload, 8 bytes left
Aug 16 01:00:06 14[ENC]   parsing rule 0 U_INT_8
Aug 16 01:00:06 14[ENC]   parsing rule 1 FLAG
Aug 16 01:00:06 14[ENC]   parsing rule 2 RESERVED_BIT
Aug 16 01:00:06 14[ENC]   parsing rule 3 RESERVED_BIT
Aug 16 01:00:06 14[ENC]   parsing rule 4 RESERVED_BIT
Aug 16 01:00:06 14[ENC]   parsing rule 5 RESERVED_BIT
Aug 16 01:00:06 14[ENC]   parsing rule 6 RESERVED_BIT
Aug 16 01:00:06 14[ENC]   parsing rule 7 RESERVED_BIT
Aug 16 01:00:06 14[ENC]   parsing rule 8 RESERVED_BIT
Aug 16 01:00:06 14[ENC]   parsing rule 9 PAYLOAD_LENGTH
Aug 16 01:00:06 14[ENC]   parsing rule 10 U_INT_8
Aug 16 01:00:06 14[ENC]   parsing rule 11 SPI_SIZE
Aug 16 01:00:06 14[ENC]   parsing rule 12 U_INT_16
Aug 16 01:00:06 14[ENC]   parsing rule 13 SPI
Aug 16 01:00:06 14[ENC]   parsing rule 14 CHUNK_DATA
Aug 16 01:00:06 14[ENC] parsing NOTIFY payload finished
Aug 16 01:00:06 14[ENC] verifying payload of type NOTIFY
Aug 16 01:00:06 14[ENC] NOTIFY payload verified, adding to payload list
Aug 16 01:00:06 14[ENC] process payload of type NOTIFY
Aug 16 01:00:06 14[ENC] verifying message structure
Aug 16 01:00:06 14[ENC] found payload of type NOTIFY
Aug 16 01:00:06 14[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 16 01:00:06 14[IKE] received NO_PROPOSAL_CHOSEN notify error
Aug 16 01:00:06 14[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Aug 16 01:00:06 14[MGR] checkin and destroy IKE_SA azure[1]
Aug 16 01:00:06 14[IKE] IKE_SA azure[1] state change: CONNECTING => DESTROYING
Aug 16 01:00:06 14[MGR] checkin and destroy of IKE_SA successful
Aug 16 01:00:06 08[ESP] no matching outbound IPsec policy for fe80::f44e:e17a:fbc2:3cc3 == ff02::16 [58]
Aug 16 01:00:06 04[NET] received packet: from 192.168.0.6[500] to 192.168.0.12[500]
Aug 16 01:00:06 04[ENC] parsing header of message
Aug 16 01:00:06 04[ENC] parsing HEADER payload, 620 bytes left
Aug 16 01:00:06 04[ENC]   parsing rule 0 IKE_SPI
Aug 16 01:00:06 04[ENC]   parsing rule 1 IKE_SPI
Aug 16 01:00:06 04[ENC]   parsing rule 2 U_INT_8
Aug 16 01:00:06 04[ENC]   parsing rule 3 U_INT_4
Aug 16 01:00:06 04[ENC]   parsing rule 4 U_INT_4
Aug 16 01:00:06 04[ENC]   parsing rule 5 U_INT_8
Aug 16 01:00:06 04[ENC]   parsing rule 6 RESERVED_BIT
Aug 16 01:00:06 04[ENC]   parsing rule 7 RESERVED_BIT
Aug 16 01:00:06 04[ENC]   parsing rule 8 FLAG
Aug 16 01:00:06 04[ENC]   parsing rule 9 FLAG
Aug 16 01:00:06 04[ENC]   parsing rule 10 FLAG
Aug 16 01:00:06 04[ENC]   parsing rule 11 FLAG
Aug 16 01:00:06 04[ENC]   parsing rule 12 FLAG
Aug 16 01:00:06 04[ENC]   parsing rule 13 FLAG
Aug 16 01:00:06 04[ENC]   parsing rule 14 U_INT_32
Aug 16 01:00:06 04[ENC]   parsing rule 15 HEADER_LENGTH
Aug 16 01:00:06 04[ENC] parsing HEADER payload finished
Aug 16 01:00:06 04[ENC] parsed a IKE_SA_INIT request header
Aug 16 01:00:06 03[MGR] checkout IKEv2 SA by message with SPIs 31219711e858bab2_i 0000000000000000_r
Aug 16 01:00:06 03[MGR] created IKE_SA (unnamed)[3]
Aug 16 01:00:06 03[NET] received packet: from 192.168.0.6[500] to 192.168.0.12[500] (620 bytes)
Aug 16 01:00:06 03[ENC] parsing body of message, first payload is SECURITY_ASSOCIATION
Aug 16 01:00:06 03[ENC] starting parsing a SECURITY_ASSOCIATION payload
Aug 16 01:00:06 03[ENC] parsing SECURITY_ASSOCIATION payload, 592 bytes left
...
Aug 16 01:02:06 06[ENC]   generating rule 12 U_INT_16
Aug 16 01:02:06 06[ENC]   generating rule 13 SPI
Aug 16 01:02:06 06[ENC]   generating rule 14 CHUNK_DATA
Aug 16 01:02:06 06[ENC] generating NOTIFY payload finished
Aug 16 01:02:06 06[NET] sending packet: from 192.168.0.12[500] to 192.168.0.6[500] (36 bytes)
Aug 16 01:02:06 16[NET] sending packet: from 192.168.0.12[500] to 192.168.0.6[500]
Aug 16 01:02:06 06[MGR] checkin and destroy IKE_SA (unnamed)[4]
Aug 16 01:02:06 06[IKE] IKE_SA (unnamed)[4] state change: CREATED => DESTROYING
Aug 16 01:02:06 06[MGR] checkin and destroy of IKE_SA successful


On the Azure side:

--
Thx,
TK.
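An added example, not code from this thread or from strongSwan: a small Python checker that walks charon log lines of the kind posted above and correlates, per worker thread and within the same log second, what the daemon sent with what it received. It flags an IKE_SA_INIT request that reappears as a request from a different source address, a NO_PROPOSAL_CHOSEN that this daemon generated itself because no conn matched that source, and that same-sized NO_PROP response coming back under the peer's address. The sample lines are copied from the Aug 11 session in the thread; the local and peer addresses are passed in as parameters, and the reading that the upstream router reflects the packet is an interpretation of the log, not something the thread confirms.

```python
import re
from dataclasses import dataclass, field

# charon log line: "<Mon dd HH:MM:SS> [host :] <thread>[<group>] <message>" (host part optional,
# since the debug excerpts in this thread omit it)
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?:\S+ : )?(?P<thr>\d+)\[(?P<grp>[A-Z]+)\] (?P<msg>.*)$')
PKT_RE = re.compile(r'(sending|received) packet: from (\S+)\[\d+\] to (\S+)\[\d+\] \((\d+) bytes\)')
NOCFG_RE = re.compile(r'no IKE config found for (\S+)\.\.\.(\S+), sending NO_PROPOSAL_CHOSEN')

# Sample input: the Aug 11 session from this thread, one log record per line.
SAMPLE_LOG = """\
Aug 11 00:42:01 OWRT01 : 15[IKE] initiating IKE_SA AZURE[1] to 123.123.123.123
Aug 11 00:42:01 OWRT01 : 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 11 00:42:01 OWRT01 : 15[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (336 bytes)
Aug 11 00:42:01 OWRT01 : 10[NET] received packet: from 192.168.0.6[500] to 192.168.0.12[500] (336 bytes)
Aug 11 00:42:01 OWRT01 : 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 11 00:42:01 OWRT01 : 10[IKE] no IKE config found for 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
Aug 11 00:42:01 OWRT01 : 10[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 11 00:42:01 OWRT01 : 10[NET] sending packet: from 192.168.0.12[500] to 192.168.0.6[500] (36 bytes)
Aug 11 00:42:01 OWRT01 : 11[NET] received packet: from 123.123.123.123[500] to 192.168.0.12[500] (36 bytes)
Aug 11 00:42:01 OWRT01 : 11[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 11 00:42:01 OWRT01 : 11[IKE] received NO_PROPOSAL_CHOSEN notify error
"""


@dataclass
class Findings:
    reflected_requests: list = field(default_factory=list)   # (source_ip, size) of our own requests seen again
    unexpected_responder: list = field(default_factory=list)  # addresses this daemon answered as responder
    own_no_prop_returned: bool = False   # our own NO_PROP came back under the peer's address


def analyze(log_text, local_ip, peer_ip):
    """Correlate sent and received packets per worker thread, matching on size and log second."""
    f = Findings()
    generated = {}       # thread -> last "generating ..." message (what that thread's next send carries)
    last_recv = {}       # thread -> (ts, src, size) of the last packet that thread received
    sent_requests = []   # (ts, size) of IKE_SA_INIT requests sent to peer_ip
    sent_no_prop = []    # (ts, size) of NO_PROP responses this daemon sent
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, thr, grp, msg = m['ts'], m['thr'], m['grp'], m['msg']
        if grp == 'ENC' and msg.startswith('generating '):
            generated[thr] = msg
            continue
        p = PKT_RE.search(msg)
        if p:
            direction, src, dst, size = p[1], p[2], p[3], int(p[4])
            if direction == 'sending' and src == local_ip:
                gen = generated.get(thr, '')
                if 'IKE_SA_INIT request' in gen and dst == peer_ip:
                    sent_requests.append((ts, size))
                elif 'N(NO_PROP)' in gen:
                    sent_no_prop.append((ts, size))
            elif direction == 'received' and dst == local_ip:
                last_recv[thr] = (ts, src, size)
            continue
        if grp == 'ENC' and msg.startswith('parsed IKE_SA_INIT request'):
            ts_r, src, size = last_recv.get(thr, (None, None, None))
            if src and src != peer_ip and (ts_r, size) in sent_requests:
                f.reflected_requests.append((src, size))   # our own request, back from elsewhere
            continue
        if grp == 'ENC' and msg.startswith('parsed IKE_SA_INIT response') and 'N(NO_PROP)' in msg:
            ts_r, src, size = last_recv.get(thr, (None, None, None))
            if src == peer_ip and (ts_r, size) in sent_no_prop:
                f.own_no_prop_returned = True   # the NO_PROP we just sent, now wearing the peer's address
            continue
        n = NOCFG_RE.search(msg)
        if n and n[1] == local_ip and n[2] != peer_ip:
            f.unexpected_responder.append(n[2])
    return f


def describe(f):
    """Turn findings into short diagnostic sentences (an empty list means nothing suspicious)."""
    out = []
    for src, size in f.reflected_requests:
        out.append(f'our IKE_SA_INIT request ({size} bytes) came back as a request from {src}')
    for addr in f.unexpected_responder:
        out.append(f'this daemon itself sent NO_PROPOSAL_CHOSEN to {addr}: no conn matches that address')
    if f.own_no_prop_returned:
        out.append("the NO_PROP we sent returned under the peer's address: the error is ours, not the peer's")
    return out
```

Run it with `describe(analyze(open('/var/log/charon.log').read(), '192.168.0.12', '123.123.123.123'))`; an empty result on a session that still ends in NO_PROPOSAL_CHOSEN points at a genuine ike=/esp= mismatch with the peer instead.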
