Having trouble trying to understand why the VPN would suddenly stop allowing traffic to the internet (despite no changes to the server; it was working fine for months). Devices can connect to the VPN and the logs show they connect. However, they no longer get traffic to the internet or to the server itself. Unfortunately I don’t understand the logs well enough to know the direct reason, but I’ve included some connection logs after the config. Any help that can lead to a fix would be appreciated.

Here’s the config:

config setup
        charondebug     ="dmn 1,mgr 1,ike 1,chd 1,job 1,cfg 1,knl 1,net 1,tls 1,lib 1,enc 1,tnc 1"
        uniqueids       =no

conn %default
#        ike             =aes256-sha1-modp1024,3des-sha1-modp1024!
#        esp             =aes256-sha1,3des-sha1!
        fragmentation   =yes
        auto            =add
        dpdaction       =clear
        dpddelay        =40
        dpdtimeout      =130
        ikelifetime     =1h
        lifetime        =1h
        margintime      =9m
        rekeyfuzz       =100%
#        rekey           =yes
        aggressive      =no
        forceencaps     =yes
        left            =%any
        leftid          =(serverIP)
        leftcert        =(link to cert)
        leftsendcert    =always
        leftsubnet      =0.0.0.0/0,::/0
        right           =%any
        rightid         =%any
#        rightauth       =eap-mschapv2
        rightdns        =45.76.254.23,172.98.193.62,2001:19f0:5401:2a4a:5400:03ff:fe2b:271f
        rightsourceip   =10.10.10.1/24
        rightsubnet     =%dynamic

#conn mac
#       keyexchange     =ikev1
#       authby          =xauthpsk
#       xauth           =server
#       reauth          =yes

conn ios
        ike             =aes256-sha1-modp1024,3des-sha1-modp1024!
        esp             =aes256-sha1,3des-sha1!
        keyexchange     =ikev1
        mobike          =yes
        reauth          =yes
        rekey           =yes
        leftallowany    =yes
        lefthostaccess  =yes
        leftfirewall    =yes
        leftauth        =pubkey
        rightallowany   =yes
        rightauth       =pubkey
        rightauth2      =xauth
        rightfirewall   =yes
        rightcert       =(link to cert)

conn ikev2-vpn
        ike             =chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes128-sha1-modp1024,aes256-sha1-modp1024,3d>
        esp             =chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
        keyexchange     =ikev2
        type            =tunnel
        compress        =no
        rekey           =no
        rightauth       =eap-mschapv2
        rightsendcert   =never
        eap_identity    =%identity

Here’s the Log:

Aug  2 12:13:34 jodywhitesides charon-custom: 06[NET] received packet: from [IP of Device][500] to [IP of Server][500] (848 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: 06[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received NAT-T (RFC 3947) vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received XAuth vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received Cisco Unity vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received FRAGMENTATION vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received DPD vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] [IP of Device] is initiating a Main Mode IKE_SA
Aug  2 12:13:34 jodywhitesides charon-custom: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug  2 12:13:34 jodywhitesides charon-custom: 06[ENC] generating ID_PROT response 0 [ SA V V V V ]
Aug  2 12:13:34 jodywhitesides charon-custom: 06[NET] sending packet: from [IP of Server][500] to [IP of Device][500] (160 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: 04[NET] received packet: from [IP of Device][500] to [IP of Server][500] (228 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: 04[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug  2 12:13:34 jodywhitesides charon-custom: 04[IKE] remote host is behind NAT
Aug  2 12:13:34 jodywhitesides charon-custom: 04[IKE] sending cert request for "C=US, O=JW Server VPN, CN=[IP of Server] Root CA"
Aug  2 12:13:34 jodywhitesides charon-custom: 04[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Aug  2 12:13:34 jodywhitesides charon-custom: 04[NET] sending packet: from [IP of Server][500] to [IP of Device][500] (321 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: 12[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (1280 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: 12[ENC] parsed ID_PROT request 0 [ FRAG(1) ]
Aug  2 12:13:34 jodywhitesides charon-custom: 12[ENC] received fragment #1, waiting for complete IKE message
Aug  2 12:13:34 jodywhitesides charon-custom: 11[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (804 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: 11[ENC] parsed ID_PROT request 0 [ FRAG(2/2) ]
Aug  2 12:13:34 jodywhitesides charon-custom: 11[ENC] received fragment #2, reassembled fragmented IKE message (2012 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: 11[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (2012 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: 11[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Aug  2 12:13:34 jodywhitesides charon-custom: 11[IKE] ignoring certificate request without data
Aug  2 12:13:34 jodywhitesides charon-custom: 11[IKE] received end entity cert "C=US, O=JW Server VPN, CN=[IP of Server]"
Aug  2 12:13:34 jodywhitesides charon-custom: 11[CFG] looking for XAuthInitRSA peer configs matching [IP of Server]...[IP of Device][C=US, O=JW Server VPN, CN=[IP of Server]]
Aug  2 12:13:34 jodywhitesides charon-custom: 11[CFG] selected peer config "ios"
Aug  2 12:13:34 jodywhitesides charon-custom: 11[CFG]   using trusted ca certificate "C=US, O=JW Server VPN, CN=[IP of Server] Root CA"
Aug  2 12:13:34 jodywhitesides charon-custom: 11[CFG] checking certificate status of "C=US, O=JW Server VPN, CN=[IP of Server]"
Aug  2 12:13:34 jodywhitesides charon-custom: 11[CFG] certificate status is not available
Aug  2 12:13:34 jodywhitesides charon-custom: 11[CFG]   reached self-signed root ca with a path length of 0
Aug  2 12:13:34 jodywhitesides charon-custom: 11[CFG]   using trusted certificate "C=US, O=JW Server VPN, CN=[IP of Server]"
Aug  2 12:13:34 jodywhitesides charon-custom: 11[IKE] authentication of 'C=US, O=JW Server VPN, CN=[IP of Server]' with RSA_EMSA_PKCS1_NULL successful
Aug  2 12:13:34 jodywhitesides charon-custom: 11[IKE] authentication of '[IP of Server]' (myself) successful
Aug  2 12:13:34 jodywhitesides charon-custom: 11[IKE] sending end entity cert "C=US, O=JW Server VPN, CN=[IP of Server]"
Aug  2 12:13:34 jodywhitesides charon-custom: 11[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Aug  2 12:13:34 jodywhitesides charon-custom: 11[ENC] splitting IKE message (1948 bytes) into 2 fragments
Aug  2 12:13:34 jodywhitesides charon-custom: 11[ENC] generating ID_PROT response 0 [ FRAG(1) ]
Aug  2 12:13:34 jodywhitesides charon-custom: 11[ENC] generating ID_PROT response 0 [ FRAG(2/2) ]
Aug  2 12:13:34 jodywhitesides charon-custom: 11[NET] sending packet: from [IP of Server][4500] to [IP of Device][38463] (1248 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: 11[NET] sending packet: from [IP of Server][4500] to [IP of Device][38463] (772 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: 11[ENC] generating TRANSACTION request 434236087 [ HASH CPRQ(X_USER X_PWD) ]
Aug  2 12:13:34 jodywhitesides charon-custom: 11[NET] sending packet: from [IP of Server][4500] to [IP of Device][38463] (76 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: 14[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (108 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: 14[ENC] parsed TRANSACTION response 434236087 [ HASH CPRP(X_USER X_PWD) ]
Aug  2 12:13:34 jodywhitesides charon-custom: 14[IKE] XAuth authentication of 'JodyiPhone' successful
Aug  2 12:13:34 jodywhitesides charon-custom: 14[ENC] generating TRANSACTION request 2649355397 [ HASH CPS(X_STATUS) ]
Aug  2 12:13:34 jodywhitesides charon-custom: 14[NET] sending packet: from [IP of Server][4500] to [IP of Device][38463] (76 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: 08[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (76 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: 08[ENC] parsed TRANSACTION response 2649355397 [ HASH CPA(X_STATUS) ]
Aug  2 12:13:34 jodywhitesides charon-custom: 08[IKE] IKE_SA ios[32] established between [IP of Server][[IP of Server]]...[IP of Device][C=US, O=JW Server VPN, CN=[IP of Server]]
Aug  2 12:13:34 jodywhitesides charon-custom: 08[IKE] scheduling reauthentication in 2712s
Aug  2 12:13:34 jodywhitesides charon-custom: 08[IKE] maximum IKE_SA lifetime 3252s
Aug  2 12:13:34 jodywhitesides charon-custom: 06[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (172 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: 06[ENC] unknown attribute type (28683)
Aug  2 12:13:34 jodywhitesides charon-custom: 06[ENC] parsed TRANSACTION request 1724246389 [ HASH CPRQ(ADDR MASK DNS NBNS EXP VER U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN U_PFS U_SAVEPWD U_FWTYPE U_BKPSRV (28683)) ]
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] peer requested virtual IP %any
Aug  2 12:13:34 jodywhitesides charon-custom: 06[CFG] reassigning offline lease to 'JodyiPhone'
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] assigning virtual IP 10.10.10.1 to peer 'JodyiPhone'
Aug  2 12:13:34 jodywhitesides charon-custom: 06[ENC] generating TRANSACTION response 1724246389 [ HASH CPRP(ADDR DNS DNS DNS6) ]
Aug  2 12:13:34 jodywhitesides charon-custom: 06[NET] sending packet: from [IP of Server][4500] to [IP of Device][38463] (108 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: 04[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (380 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: 04[ENC] parsed QUICK_MODE request 3533799051 [ HASH SA No ID ID ]
Aug  2 12:13:34 jodywhitesides charon-custom: 04[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug  2 12:13:34 jodywhitesides charon-custom: 04[ENC] generating QUICK_MODE response 3533799051 [ HASH SA No ID ID ]
Aug  2 12:13:34 jodywhitesides charon-custom: 04[NET] sending packet: from [IP of Server][4500] to [IP of Device][38463] (172 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: 12[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (60 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: 12[ENC] parsed QUICK_MODE request 3533799051 [ HASH ]
Aug  2 12:13:34 jodywhitesides charon-custom: 12[IKE] CHILD_SA ios{32} established with SPIs faff7197_i 04ef441d_o and TS 0.0.0.0/0 ::/0 === 10.10.10.1/32
Aug  2 12:13:56 jodywhitesides charon-custom: 06[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (92 bytes)
Aug  2 12:13:56 jodywhitesides charon-custom: 06[ENC] parsed INFORMATIONAL_V1 request 1330296429 [ HASH N(DPD) ]
Aug  2 12:13:56 jodywhitesides charon-custom: 06[ENC] generating INFORMATIONAL_V1 request 2584453767 [ HASH N(DPD_ACK) ]
Aug  2 12:13:56 jodywhitesides charon-custom: 06[NET] sending packet: from [IP of Server][4500] to [IP of Device][38463] (92 bytes)
Aug  2 12:14:11 jodywhitesides charon-custom: 12[NET] received packet: from [IP of Device][41517] to [IP of Server][4500] (92 bytes)
Aug  2 12:14:11 jodywhitesides charon-custom: 12[ENC] parsed INFORMATIONAL_V1 request 2338576608 [ HASH N(DPD) ]
Aug  2 12:14:11 jodywhitesides charon-custom: 12[ENC] generating INFORMATIONAL_V1 request 117146712 [ HASH N(DPD_ACK) ]
Aug  2 12:14:11 jodywhitesides charon-custom: 12[NET] sending packet: from [IP of Server][4500] to [IP of Device][41517] (92 bytes)
Aug  2 12:14:18 jodywhitesides charon-custom: 08[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (92 bytes)
Aug  2 12:14:18 jodywhitesides charon-custom: 08[ENC] parsed INFORMATIONAL_V1 request 96203116 [ HASH N(DPD) ]
Aug  2 12:14:18 jodywhitesides charon-custom: 08[ENC] generating INFORMATIONAL_V1 request 183741560 [ HASH N(DPD_ACK) ]
Aug  2 12:14:18 jodywhitesides charon-custom: 08[NET] sending packet: from [IP of Server][4500] to [IP of Device][38463] (92 bytes)
Aug  2 12:14:31 jodywhitesides charon-custom: 05[NET] received packet: from [IP of Device][41517] to [IP of Server][4500] (92 bytes)
Aug  2 12:14:31 jodywhitesides charon-custom: 05[ENC] parsed INFORMATIONAL_V1 request 1541247232 [ HASH N(DPD) ]
Aug  2 12:14:31 jodywhitesides charon-custom: 05[ENC] generating INFORMATIONAL_V1 request 1626504577 [ HASH N(DPD_ACK) ]
Aug  2 12:14:31 jodywhitesides charon-custom: 05[NET] sending packet: from [IP of Server][4500] to [IP of Device][41517] (92 bytes)
Aug  2 12:14:40 jodywhitesides charon-custom: 06[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (92 bytes)
Aug  2 12:14:40 jodywhitesides charon-custom: 06[ENC] parsed INFORMATIONAL_V1 request 2847095602 [ HASH N(DPD) ]
Aug  2 12:14:40 jodywhitesides charon-custom: 06[ENC] generating INFORMATIONAL_V1 request 2905827564 [ HASH N(DPD_ACK) ]
Aug  2 12:14:40 jodywhitesides charon-custom: 06[NET] sending packet: from [IP of Server][4500] to [IP of Device][38463] (92 bytes)
Aug  2 12:15:15 jodywhitesides charon-custom: 14[NET] received packet: from [IP of Device][41517] to [IP of Server][4500] (92 bytes)
Aug  2 12:15:15 jodywhitesides charon-custom: 14[ENC] parsed INFORMATIONAL_V1 request 401695110 [ HASH N(DPD) ]
Aug  2 12:15:15 jodywhitesides charon-custom: 14[ENC] generating INFORMATIONAL_V1 request 1418410180 [ HASH N(DPD_ACK) ]
Aug  2 12:15:15 jodywhitesides charon-custom: 14[NET] sending packet: from [IP of Server][4500] to [IP of Device][41517] (92 bytes)
Aug  2 12:15:36 jodywhitesides charon-custom: 05[IKE] sending DPD request
Aug  2 12:15:36 jodywhitesides charon-custom: 05[ENC] generating INFORMATIONAL_V1 request 1331469902 [ HASH N(DPD) ]
Aug  2 12:15:36 jodywhitesides charon-custom: 05[NET] sending packet: from [IP of Server][4500] to [IP of Device][38463] (92 bytes)
Aug  2 12:15:37 jodywhitesides charon-custom: 06[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (92 bytes)
Aug  2 12:15:37 jodywhitesides charon-custom: 06[ENC] parsed INFORMATIONAL_V1 request 3915774072 [ HASH N(DPD_ACK) ]
Aug  2 12:15:37 jodywhitesides charon-custom: 01[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (76 bytes)
Aug  2 12:15:37 jodywhitesides charon-custom: 01[ENC] parsed INFORMATIONAL_V1 request 2720218620 [ HASH D ]
Aug  2 12:15:37 jodywhitesides charon-custom: 01[IKE] received DELETE for ESP CHILD_SA with SPI 04ef441d
Aug  2 12:15:37 jodywhitesides charon-custom: 01[IKE] closing CHILD_SA ios{32} with SPIs faff7197_i (6281 bytes) 04ef441d_o (0 bytes) and TS 0.0.0.0/0 ::/0 === 10.10.10.1/32
Aug  2 12:15:37 jodywhitesides charon-custom: 04[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (92 bytes)
Aug  2 12:15:37 jodywhitesides charon-custom: 04[ENC] parsed INFORMATIONAL_V1 request 234101309 [ HASH D ]
Aug  2 12:15:37 jodywhitesides charon-custom: 04[IKE] received DELETE for IKE_SA ios[32]
Aug  2 12:15:37 jodywhitesides charon-custom: 04[IKE] deleting IKE_SA ios[32] between [IP of Server][[IP of Server]]...[IP of Device][C=US, O=JW Server VPN, CN=[IP of Server]]
Aug  2 12:15:37 jodywhitesides charon-custom: 04[CFG] lease 10.10.10.1 by 'JodyiPhone' went offline

Thank you,

Jody
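An added example, not part of Jody's post: a small Python parser for the "closing CHILD_SA" counters that charon logs when a tunnel is torn down. In that line the _i figure is what the server received on the inbound SA and the _o figure what it sent on the outbound SA, so a non-zero inbound count next to zero outbound means client packets were decrypted but no reply traffic ever entered the tunnel, which is the pattern to look for when clients connect fine yet get no traffic. The sample lines are constructed to match the log above; the host name, the second connection and its counters are made up.

```python
import re

# Constructed sample lines modeled on the charon log in the post (host name and
# the third line's SA are made up for illustration).
SAMPLE_LOG = """\
Aug  2 12:13:34 host charon-custom: 12[IKE] CHILD_SA ios{32} established with SPIs faff7197_i 04ef441d_o and TS 0.0.0.0/0 ::/0 === 10.10.10.1/32
Aug  2 12:15:37 host charon-custom: 01[IKE] closing CHILD_SA ios{32} with SPIs faff7197_i (6281 bytes) 04ef441d_o (0 bytes) and TS 0.0.0.0/0 ::/0 === 10.10.10.1/32
Aug  2 12:40:02 host charon-custom: 03[IKE] closing CHILD_SA ios{33} with SPIs 1a2b3c4d_i (5120 bytes) 5e6f7a8b_o (48210 bytes) and TS 0.0.0.0/0 ::/0 === 10.10.10.2/32
"""

# closing CHILD_SA <name>{id} with SPIs <spi>_i (<n> bytes) <spi>_o (<n> bytes) and TS <local> === <remote>
CLOSE_RE = re.compile(
    r"closing CHILD_SA (?P<conn>\S+) with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i \((?P<bytes_in>\d+) bytes\) "
    r"(?P<spi_out>[0-9a-f]+)_o \((?P<bytes_out>\d+) bytes\) "
    r"and TS (?P<local_ts>.+?) === (?P<remote_ts>\S+)"
)

# What each traffic pattern means for a road-warrior tunnel whose local TS is 0.0.0.0/0.
ADVICE = {
    "one-way": ("client packets were decrypted (inbound > 0) but nothing was sent back "
                "(outbound == 0): check ip_forward, the MASQUERADE/SNAT rule for the "
                "pool and the route back to it"),
    "idle": "no payload in either direction; the client never sent anything",
    "ok": "traffic flowed in both directions",
}

def parse_closed_child_sas(log_text):
    """Return one dict per 'closing CHILD_SA' line, with the byte counters as ints."""
    sas = []
    for line in log_text.splitlines():
        m = CLOSE_RE.search(line)
        if not m:
            continue  # established/DPD/delete lines carry no counters
        sa = m.groupdict()
        sa["bytes_in"] = int(sa["bytes_in"])
        sa["bytes_out"] = int(sa["bytes_out"])
        sas.append(sa)
    return sas

def classify(sa):
    """Label a closed CHILD_SA as 'one-way', 'idle' or 'ok' from its counters."""
    if sa["bytes_in"] > 0 and sa["bytes_out"] == 0:
        return "one-way"
    if sa["bytes_in"] == 0 and sa["bytes_out"] == 0:
        return "idle"
    return "ok"

def report(log_text):
    """(conn, remote_ts, label, advice) for every closed CHILD_SA in the log."""
    return [(s["conn"], s["remote_ts"], classify(s), ADVICE[classify(s)]) for s in parse_closed_child_sas(log_text)]
```

Run it over a real charon log (e.g. `report(open("/var/log/syslog").read())`) to see which leases showed the one-way pattern before they were deleted.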
