Comments (4)
Keep-alives are not DPDs. And according to the status output you don't actually have an SA established (it is getting established there). Without full logs we can't help you.
from strongswan.
What kind of extra logs do I need to give? The main issue is that in this config it really re-establishes the connection only after a full service restart.
The full log that shows the initial connection and what happens until there is no SA anymore. Also, there might be a problem with your network connectivity (or perhaps the peer on the other end if it does not accept the request for some reason), so logs from there might also help.
This is the initial connection. What I found strange is that at first "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536" was selected, and for ESP, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ was selected:
feb 22 08:11:42 SLOWPC charon-systemd[297897]: received packet: from 2.2.2.2[500] to 10.10.10.38[500] (373 bytes)
feb 22 08:11:42 SLOWPC charon-systemd[297897]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) CERTREQ ]
feb 22 08:11:42 SLOWPC charon-systemd[297897]: selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
feb 22 08:11:42 SLOWPC charon-systemd[297897]: local host is behind NAT, sending keep alives
feb 22 08:11:42 SLOWPC charon-systemd[297897]: sending cert request for "CN=myCA"
feb 22 08:11:42 SLOWPC charon-systemd[297897]: authentication of '[email protected]' (myself) with RSA signature successful
feb 22 08:11:42 SLOWPC charon-systemd[297897]: sending end entity cert "C=NL, [email protected]"
feb 22 08:11:42 SLOWPC charon-systemd[297897]: establishing CHILD_SA home{1}
feb 22 08:11:42 SLOWPC charon-systemd[297897]: generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
feb 22 08:11:42 SLOWPC charon-systemd[297897]: splitting IKE message (1516 bytes) into 2 fragments
feb 22 08:11:42 SLOWPC charon-systemd[297897]: generating IKE_AUTH request 1 [ EF(1/2) ]
feb 22 08:11:42 SLOWPC charon-systemd[297897]: generating IKE_AUTH request 1 [ EF(2/2) ]
feb 22 08:11:42 SLOWPC charon-systemd[297897]: sending packet: from 10.10.10.38[4500] to 2.2.2.2[4500] (1248 bytes)
feb 22 08:11:42 SLOWPC charon-systemd[297897]: sending packet: from 10.10.10.38[4500] to 2.2.2.2[4500] (336 bytes)
feb 22 08:11:42 SLOWPC charon-systemd[297897]: received packet: from 2.2.2.2[4500] to 10.10.10.38[4500] (1232 bytes)
feb 22 08:11:42 SLOWPC charon-systemd[297897]: parsed IKE_AUTH response 1 [ EF(1/2) ]
feb 22 08:11:42 SLOWPC charon-systemd[297897]: received fragment #1 of 2, waiting for complete IKE message
feb 22 08:11:42 SLOWPC charon-systemd[297897]: received packet: from 2.2.2.2[4500] to 10.10.10.38[4500] (528 bytes)
feb 22 08:11:42 SLOWPC charon-systemd[297897]: parsed IKE_AUTH response 1 [ EF(2/2) ]
feb 22 08:11:42 SLOWPC charon-systemd[297897]: received fragment #2 of 2, reassembled fragmented IKE message (1468 bytes)
feb 22 08:11:42 SLOWPC charon-systemd[297897]: unknown attribute type INTERNAL_DNS_DOMAIN
feb 22 08:11:42 SLOWPC charon-systemd[297897]: unknown attribute type INTERNAL_DNS_DOMAIN
feb 22 08:11:42 SLOWPC charon-systemd[297897]: parsed IKE_AUTH response 1 [ CERT IDr AUTH N(INIT_CONTACT) CPRP(ADDR MASK SUBNET SUBNET DNS DOMAIN DOMAIN) TSi TSr SA ]
feb 22 08:11:42 SLOWPC charon-systemd[297897]: received end entity cert "C=NL, [email protected]"
feb 22 08:11:42 SLOWPC charon-systemd[297897]: using trusted ca certificate "CN=myCA"
feb 22 08:11:42 SLOWPC charon-systemd[297897]: checking certificate status of "C=NL, [email protected]"
feb 22 08:11:42 SLOWPC charon-systemd[297897]: certificate status is not available
feb 22 08:11:42 SLOWPC charon-systemd[297897]: reached self-signed root ca with a path length of 0
feb 22 08:11:42 SLOWPC charon-systemd[297897]: using trusted certificate "C=NL, [email protected]"
feb 22 08:11:42 SLOWPC charon-systemd[297897]: authentication of '[email protected]' with RSA signature successful
feb 22 08:11:42 SLOWPC charon-systemd[297897]: IKE_SA home[1] established between 10.10.10.38[[email protected]]...2.2.2.2[[email protected]]
feb 22 08:11:42 SLOWPC charon-systemd[297897]: scheduling rekeying in 13362s
feb 22 08:11:42 SLOWPC charon-systemd[297897]: maximum IKE_SA lifetime 14802s
feb 22 08:11:42 SLOWPC charon-systemd[297897]: handling INTERNAL_IP4_NETMASK attribute failed
feb 22 08:11:42 SLOWPC charon-systemd[297897]: handling INTERNAL_IP4_SUBNET attribute failed
feb 22 08:11:42 SLOWPC charon-systemd[297897]: handling INTERNAL_IP4_SUBNET attribute failed
feb 22 08:11:42 SLOWPC charon-systemd[297897]: installing DNS server 10.111.111.1 to /etc/resolv.conf
feb 22 08:11:42 SLOWPC charon-systemd[297897]: handling INTERNAL_DNS_DOMAIN attribute failed
feb 22 08:11:42 SLOWPC charon-systemd[297897]: handling INTERNAL_DNS_DOMAIN attribute failed
feb 22 08:11:42 SLOWPC charon-systemd[297897]: installing new virtual IP 10.111.121.2
feb 22 08:11:42 SLOWPC charon-systemd[297897]: selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
feb 22 08:11:42 SLOWPC charon-systemd[297897]: CHILD_SA home{1} established with SPIs cdcc4485_i 00d4317d_o and TS 10.111.121.2/32 === 10.111.0.0/16
feb 22 08:12:25 SLOWPC charon-systemd[297897]: sending keep alive to 2.2.2.2[4500]
feb 22 08:12:35 SLOWPC charon-systemd[297897]: sending DPD request
feb 22 08:12:35 SLOWPC charon-systemd[297897]: generating INFORMATIONAL request 2 [ ]
feb 22 08:12:35 SLOWPC charon-systemd[297897]: sending packet: from 10.10.10.38[4500] to 2.2.2.2[4500] (76 bytes)
feb 22 08:12:35 SLOWPC charon-systemd[297897]: received packet: from 2.2.2.2[4500] to 10.10.10.38[4500] (108 bytes)
feb 22 08:12:35 SLOWPC charon-systemd[297897]: parsed INFORMATIONAL response 2 [ ]
feb 22 08:13:39 SLOWPC charon-systemd[297897]: sending keep alive to 2.2.2.2[4500]
feb 22 08:14:35 SLOWPC charon-systemd[297897]: received packet: from 2.2.2.2[4500] to 10.10.10.38[4500] (156 bytes)
feb 22 08:14:35 SLOWPC charon-systemd[297897]: parsed INFORMATIONAL request 0 [ ]
feb 22 08:14:35 SLOWPC charon-systemd[297897]: generating INFORMATIONAL response 0 [ ]
feb 22 08:14:35 SLOWPC charon-systemd[297897]: sending packet: from 10.10.10.38[4500] to 2.2.2.2[4500] (76 bytes)
feb 22 08:14:55 SLOWPC charon-systemd[297897]: sending keep alive to 2.2.2.2[4500]
feb 22 08:16:06 SLOWPC charon-systemd[297897]: sending keep alive to 2.2.2.2[4500]
feb 22 08:16:26 SLOWPC charon-systemd[297897]: sending keep alive to 2.2.2.2[4500]
feb 22 08:16:30 SLOWPC charon-systemd[297897]: sending DPD request
feb 22 08:16:30 SLOWPC charon-systemd[297897]: generating INFORMATIONAL request 3 [ ]
feb 22 08:16:30 SLOWPC charon-systemd[297897]: sending packet: from 10.10.10.38[4500] to 2.2.2.2[4500] (76 bytes)
feb 22 08:16:30 SLOWPC charon-systemd[297897]: received packet: from 2.2.2.2[4500] to 10.10.10.38[4500] (140 bytes)
feb 22 08:16:30 SLOWPC charon-systemd[297897]: parsed INFORMATIONAL response 3 [ ]
feb 22 08:16:54 SLOWPC charon-systemd[297897]: sending keep alive to 2.2.2.2[4500]
feb 22 08:17:00 SLOWPC charon-systemd[297897]: sending DPD request
feb 22 08:17:00 SLOWPC charon-systemd[297897]: generating INFORMATIONAL request 4 [ ]
feb 22 08:17:00 SLOWPC charon-systemd[297897]: sending packet: from 10.10.10.38[4500] to 2.2.2.2[4500] (76 bytes)
feb 22 08:17:00 SLOWPC charon-systemd[297897]: received packet: from 2.2.2.2[4500] to 10.10.10.38[4500] (92 bytes)
feb 22 08:17:00 SLOWPC charon-systemd[297897]: parsed INFORMATIONAL response 4 [ ]
feb 22 08:17:24 SLOWPC charon-systemd[297897]: sending keep alive to 2.2.2.2[4500]
feb 22 08:17:30 SLOWPC charon-systemd[297897]: sending DPD request
feb 22 08:17:30 SLOWPC charon-systemd[297897]: generating INFORMATIONAL request 5 [ ]
feb 22 08:17:30 SLOWPC charon-systemd[297897]: sending packet: from 10.10.10.38[4500] to 2.2.2.2[4500] (76 bytes)
feb 22 08:17:30 SLOWPC charon-systemd[297897]: received packet: from 2.2.2.2[4500] to 10.10.10.38[4500] (124 bytes)
feb 22 08:17:30 SLOWPC charon-systemd[297897]: parsed INFORMATIONAL response 5 [ ]
The first time it was accepted, but after a while I see this (i.e. the ESP proposal was accepted the first time and never accepted afterwards):
feb 22 08:24:25 SLOWPC charon-systemd[297897]: generating CREATE_CHILD_SA response 4 [ N(NO_PROP) ]
feb 22 08:24:25 SLOWPC charon-systemd[297897]: sending packet: from 10.10.10.38[4500] to 2.2.2.2[4500] (76 bytes)
feb 22 08:24:34 SLOWPC charon-systemd[297897]: received packet: from 2.2.2.2[4500] to 10.10.10.38[4500] (428 bytes)
feb 22 08:24:34 SLOWPC charon-systemd[297897]: parsed CREATE_CHILD_SA request 5 [ No N(REKEY_SA) SA TSi TSr ]
feb 22 08:24:34 SLOWPC charon-systemd[297897]: received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
feb 22 08:24:34 SLOWPC charon-systemd[297897]: configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
feb 22 08:24:34 SLOWPC charon-systemd[297897]: no acceptable proposal found
feb 22 08:24:34 SLOWPC charon-systemd[297897]: failed to establish CHILD_SA, keeping IKE_SA
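The log excerpt above shows the usual shape of this failure: the configured ESP proposal carries a DH group (MODP_1536) while the peer's CREATE_CHILD_SA rekey proposal carries none. The first CHILD_SA is negotiated inside IKE_AUTH, where no separate ESP key exchange takes place, so the missing group is not noticed; every later CREATE_CHILD_SA rekey does negotiate it, and a group that only one side configures ends in "no acceptable proposal found". The script below is an added example, not code from the thread or from the strongSwan project: it parses the `received proposals:` / `configured proposals:` pairs out of charon log lines (the sample is constructed from the lines quoted above) and reports which transform class the two sides disagree on, flagging the one-sided DH case explicitly.

```python
"""Diff strongSwan IKEv2 proposal strings from charon log lines to explain a
CREATE_CHILD_SA "no acceptable proposal found" failure."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: the charon lines quoted in the thread, trimmed to
# the ones that matter for proposal selection.
SAMPLE_LOG = """\
feb 22 08:11:42 SLOWPC charon-systemd[297897]: selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
feb 22 08:24:34 SLOWPC charon-systemd[297897]: parsed CREATE_CHILD_SA request 5 [ No N(REKEY_SA) SA TSi TSr ]
feb 22 08:24:34 SLOWPC charon-systemd[297897]: received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
feb 22 08:24:34 SLOWPC charon-systemd[297897]: configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
feb 22 08:24:34 SLOWPC charon-systemd[297897]: no acceptable proposal found
"""

PROPOSAL_LINE = re.compile(r"(received|configured) proposals: (.+)$")


def transform_class(name: str) -> str:
    """Map a transform name as charon prints it to its IKEv2 transform class.

    DH groups get their own class because they are the classic one-sided
    mismatch: the first CHILD_SA inside IKE_AUTH reuses the IKE_SA key
    exchange, so an ESP group missing on one side only bites at rekey time.
    """
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if name in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "esn"
    if name.startswith("PRF_"):
        return "prf"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    return "encr"  # AES_CBC_256, AES_GCM_16_256, CHACHA20_POLY1305, ...


def parse_proposals(text: str) -> List[Dict[str, Set[str]]]:
    """'ESP:A/B/C, ESP:D/E' -> one {class: {transforms}} dict per proposal."""
    result = []
    for prop in text.split(", "):
        proto, _, transforms = prop.partition(":")
        classes: Dict[str, Set[str]] = {"proto": {proto}}
        for t in transforms.split("/"):
            classes.setdefault(transform_class(t), set()).add(t)
        result.append(classes)
    return result


def disagreement(a: Dict[str, Set[str]], b: Dict[str, Set[str]]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Per-class disagreement between two proposals; empty dict means they match.

    A class present on one side and absent on the other counts as a mismatch,
    which is exactly how a lone DH group shows up.
    """
    diffs = {}
    for cls in sorted(set(a) | set(b)):
        left, right = a.get(cls, set()), b.get(cls, set())
        if not (left & right):
            diffs[cls] = (sorted(left), sorted(right))
    return diffs


def analyze(log_text: str) -> Dict[str, object]:
    """Compare every received proposal against every configured one."""
    received, configured = [], []
    for line in log_text.splitlines():
        m = PROPOSAL_LINE.search(line)
        if m:
            target = received if m.group(1) == "received" else configured
            target.extend(parse_proposals(m.group(2)))
    report: Dict[str, object] = {"match": False, "mismatches": []}
    for r in received:
        for c in configured:
            d = disagreement(r, c)
            if d:
                report["mismatches"].append(d)  # (received side, configured side)
            else:
                report["match"] = True
    # Only the DH class differs, and exactly one side has a group at all.
    report["one_sided_dh"] = any(
        set(d) == {"dh"} and bool(d["dh"][0]) != bool(d["dh"][1])
        for d in report["mismatches"]
    )
    return report


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    for d in rep["mismatches"]:
        for cls, (recv, conf) in d.items():
            print(f"{cls}: peer offered {recv or 'nothing'}, we require {conf or 'nothing'}")
    if rep["one_sided_dh"]:
        print("Rekey will keep failing until both ESP proposals agree on a DH group (or both omit one).")
```

Run against the thread's lines this prints `dh: peer offered nothing, we require ['MODP_1536']`. The fix follows from that: both peers have to agree on the ESP (PFS) group, either by removing `modp1536` from this side's ESP proposal or by adding it on the peer. Assuming the client is configured through swanctl.conf, that is the child's `esp_proposals` setting (the thread does not show the actual configuration); the DH group in the IKE proposal is negotiated separately and is not what fails here.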