.....
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] received cert request for "C=US, ST=Florida, L=Niceville, O=Cuda Systems LLC, OU=Cuda Systems CA, CN=Cuda Systems LLC 2017 CA"
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] received cert request for "C=US, ST=Florida, O=Cuda Systems LLC, OU=Cuda Systems CA, CN=Cuda Systems LLC 2017 Int CA"
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] received 129 cert requests for an unknown ca
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] received end entity cert "C=US, ST=Tennessee, CN=Karl Denninger"
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] looking for peer configs matching 97.81.26.48[%any]...172.58.146.200[C=US, ST=Tennessee, CN=Karl Denninger]
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] selected peer config 'WinUserCert'
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] using certificate "C=US, ST=Tennessee, CN=Karl Denninger"
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] using trusted intermediate ca certificate "C=US, ST=Florida, O=Cuda Systems LLC, OU=Cuda Systems CA, CN=Cuda Systems LLC 2017 Int CA"
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] checking certificate status of "C=US, ST=Tennessee, CN=Karl Denninger"
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] ocsp response correctly signed by "C=US, ST=Florida, O=Cuda Systems LLC, CN=ocsp.cudasystems.net, E=info@cudasystems.net"
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] ocsp response is stale: since Oct 10 11:27:09 2022
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] requesting ocsp status from 'http://ocsp.cudasystems.net:8888' ...
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] ocsp response correctly signed by "C=US, ST=Florida, O=Cuda Systems LLC, CN=ocsp.cudasystems.net, E=info@cudasystems.net"
Oct 10 11:28:36 IpGw charon[1586]: 01[LIB] certificate from Oct 10 11:28:36 2022 is newer - existing certificate from Oct 10 11:26:39 2022 replaced
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] ocsp response is valid: until Oct 10 11:29:06 2022
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] certificate status is good
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] using trusted ca certificate "C=US, ST=Florida, L=Niceville, O=Cuda Systems LLC, OU=Cuda Systems CA, CN=Cuda Systems LLC 2017 CA"
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] checking certificate status of "C=US, ST=Florida, O=Cuda Systems LLC, OU=Cuda Systems CA, CN=Cuda Systems LLC 2017 Int CA"
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] ocsp response correctly signed by "C=US, ST=Florida, O=Cuda Systems LLC, CN=ocsp.cudasystems.net, E=info@cudasystems.net"
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] ocsp response contains no status on our certificate
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] ocsp response correctly signed by "C=US, ST=Florida, O=Cuda Systems LLC, CN=ocsp.cudasystems.net, E=info@cudasystems.net"
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] ocsp response contains no status on our certificate
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] certificate status is not available
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] reached self-signed root ca with a path length of 1
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] authentication of 'C=US, ST=Tennessee, CN=Karl Denninger' with RSA_EMSA_PKCS1_SHA2_384 successful
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] constraint check failed: EAP identity '%any' required
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] selected peer config 'WinUserCert' unacceptable: non-matching authentication done
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] switching to peer config 'StrongSwan'
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] peer supports MOBIKE
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] authentication of 'ipgw.denninger.net' (myself) with ECDSA_WITH_SHA384_DER successful
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] IKE_SA StrongSwan[4] established between 97.81.26.48[ipgw.denninger.net]...172.58.146.200[C=US, ST=Tennessee, CN=Karl Denninger]
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] scheduling reauthentication in 9977s
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] maximum IKE_SA lifetime 10517s
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] sending end entity cert "C=US, ST=Florida, O=Cuda Systems LLC, CN=ipgw.denninger.net"
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] peer requested virtual IP %any
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] reassigning offline lease to 'C=US, ST=Tennessee, CN=Karl Denninger'
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] assigning virtual IP 192.168.2.1 to peer 'C=US, ST=Tennessee, CN=Karl Denninger'
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] peer requested virtual IP %any6
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] no virtual IP found for %any6 requested by 'C=US, ST=Tennessee, CN=Karl Denninger'
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Oct 10 11:28:36 IpGw charon[1586]: 01[KNL] unable to add SAD entry with SPI c1be56e1: Invalid argument (22)
Oct 10 11:28:36 IpGw charon[1586]: 01[KNL] unable to add SAD entry with SPI 9526f1c1: Invalid argument (22)
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] failed to establish CHILD_SA, keeping IKE_SA
Oct 10 11:28:36 IpGw charon[1586]: 01[KNL] deleting policy 192.168.2.1/32 === 0.0.0.0/0 in failed, not found
Oct 10 11:28:36 IpGw charon[1586]: 01[KNL] unable to delete SAD entry with SPI c1be56e1: No such process (3)
Oct 10 11:28:36 IpGw charon[1586]: 01[KNL] unable to delete SAD entry with SPI 9526f1c1: No such process (3)
......

The client on the Android phone says it cannot validate the user, but the above looks like it DID validate it on the server side but did not add the encryption entries for the client into the kernel, and that's why it's failing. I am running GENERIC on the gateway as the docs say that's now ok; I used to run a custom kernel for other reasons (mostly PPS which I don't use anymore as I no longer have a local NTP clock) and the only material difference I can see is that the 12.2-STABLE custom kernel has the "enc" driver included in it ("device enc") while GENERIC does not.
-- Karl Denninger k...@denninger.net /The Market Ticker/ /[S/MIME encrypted email preferred]/
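The log above is the usual shape of a charon trace where the client reports an authentication problem while the gateway actually got past authentication and only failed later, in the kernel. The following is an added triage helper, my own example and not code from the poster or from strongSwan: it parses charon's syslog lines (`<thread>[<subsystem>] message`), records how far the negotiation got (peer authentication, IKE_SA, CHILD_SA, kernel SA install) and names the first stage that broke. The regular expressions are written against the message formats visible in the post and are assumptions about charon's wording; the sample input is an excerpt of the log above, trimmed to the lines the triage needs.

```python
"""Triage a strongSwan (charon) IKEv2 negotiation from its syslog lines.

Hypothetical helper (not part of strongSwan).  It answers the question the
post raises: did the peer fail authentication, or did the gateway accept the
peer and then fail to install the ESP SAs in the kernel?
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# syslog prefix followed by charon's "<thread>[<subsystem>] <message>" layout
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"charon\[(?P<pid>\d+)\]: (?P<thread>\d{2})\[(?P<subsys>[A-Z]{3})\] (?P<msg>.*)$"
)
# message formats as they appear in the post (assumed stable wording)
AUTH_OK_RE = re.compile(r"^authentication of '(?P<id>[^']+)' (?P<self>\(myself\) )?with (?P<alg>\S+) successful$")
IKE_SA_RE = re.compile(r"^IKE_SA (?P<name>[^\[\s]+)\[(?P<n>\d+)\] established between (?P<ends>.*)$")
SAD_ERR_RE = re.compile(r"^unable to add SAD entry with SPI (?P<spi>[0-9a-f]+): (?P<err>.+) \((?P<errno>\d+)\)$")
PROPOSAL_RE = re.compile(r"^selected proposal: (?P<prop>\S+)$")
CERT_STATUS_PREFIX = "certificate status is "


@dataclass
class Negotiation:
    peer_id: str | None = None          # identity the gateway authenticated
    peer_auth_alg: str | None = None    # signature scheme used by the peer
    ike_sa: str | None = None           # "<config>[<n>]" once IKE_SA is up
    proposal: str | None = None         # negotiated ESP proposal
    child_sa_failed: bool = False
    sad_errors: list[tuple[str, str, int]] = field(default_factory=list)  # (spi, text, errno)
    cert_status: list[str] = field(default_factory=list)  # OCSP/CRL outcomes in order


def parse_line(line: str) -> dict | None:
    """Split one syslog line into its fields; None for lines that are not charon's."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(lines) -> Negotiation:
    """Walk the lines in order and record each stage the negotiation reached."""
    neg = Negotiation()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if m := AUTH_OK_RE.match(msg):
            if not m.group("self"):            # "(myself)" lines are our own auth
                neg.peer_id, neg.peer_auth_alg = m.group("id"), m.group("alg")
        elif m := IKE_SA_RE.match(msg):
            neg.ike_sa = f"{m.group('name')}[{m.group('n')}]"
        elif m := PROPOSAL_RE.match(msg):
            neg.proposal = m.group("prop")
        elif m := SAD_ERR_RE.match(msg):
            neg.sad_errors.append((m.group("spi"), m.group("err"), int(m.group("errno"))))
        elif msg.startswith(CERT_STATUS_PREFIX):
            neg.cert_status.append(msg[len(CERT_STATUS_PREFIX):])
        elif msg.startswith("failed to establish CHILD_SA"):
            neg.child_sa_failed = True
    return neg


def verdict(neg: Negotiation) -> str:
    """First stage that did not complete, from the peer's side inward."""
    if neg.peer_id is None:
        return "peer-auth-failed"
    if neg.ike_sa is None:
        return "ike-sa-not-established"
    if neg.sad_errors:
        return "kernel-sa-install-failed"
    if neg.child_sa_failed:
        return "child-sa-failed"
    return "tunnel-up"


def explain(neg: Negotiation) -> str:
    v = verdict(neg)
    if v == "kernel-sa-install-failed":
        errs = ", ".join(f"SPI {spi}: {txt} ({no})" for spi, txt, no in neg.sad_errors)
        return (f"{v}: peer '{neg.peer_id}' authenticated ({neg.peer_auth_alg}) and "
                f"{neg.ike_sa} is up, but the kernel rejected the ESP SAs for "
                f"{neg.proposal} [{errs}]; the credentials are not the problem")
    return v


# Constructed sample: an excerpt of the charon log quoted in the post.
SAMPLE = """\
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] certificate status is good
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] certificate status is not available
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] authentication of 'C=US, ST=Tennessee, CN=Karl Denninger' with RSA_EMSA_PKCS1_SHA2_384 successful
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] authentication of 'ipgw.denninger.net' (myself) with ECDSA_WITH_SHA384_DER successful
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] IKE_SA StrongSwan[4] established between 97.81.26.48[ipgw.denninger.net]...172.58.146.200[C=US, ST=Tennessee, CN=Karl Denninger]
Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Oct 10 11:28:36 IpGw charon[1586]: 01[KNL] unable to add SAD entry with SPI c1be56e1: Invalid argument (22)
Oct 10 11:28:36 IpGw charon[1586]: 01[KNL] unable to add SAD entry with SPI 9526f1c1: Invalid argument (22)
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""

if __name__ == "__main__":
    print(explain(triage(SAMPLE.splitlines())))
```

Run stand-alone it reports `kernel-sa-install-failed` with the peer identity, the IKE_SA name, the ESP proposal and both EINVAL SPIs, which is the distinction the post draws: a "cannot validate user" message on the client does not mean the gateway rejected the certificate, so the OCSP and authentication lines should be read before the KNL errors are blamed on credentials. The verdict order is deliberate, outermost stage first, so a log that never reaches `authentication of ... successful` for the peer is reported as an authentication failure even if it also contains kernel noise.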