RPIZW
Posts: 63
Joined: Sat Sep 28, 2019 5:54 pm

StrongSwan fail to establish IKEv2

Mon Mar 02, 2020 3:44 pm

Hi all,

I have a few RPis in a few locations and they have all worked well for quite a long time.

Recently I've realised that I cannot establish IKEv2 to one of them. The only thing I've done with this one is
apt update & upgrade

It just fails to connect with an "unexpected" message on the client side.

Thanks in advance for any offered help

A bit of information about the device:


uname -a
Linux srv1-rpi-rvt 4.19.106-v8+ #1297 SMP PREEMPT Tue Feb 25 13:31:10 GMT 2020 aarch64 GNU/Linux

ipsec version
Linux strongSwan U5.7.2/K4.19.106-v8+

sudo service strongswan status
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-03-02 17:24:28 IST; 11min ago
 Main PID: 4820 (starter)
    Tasks: 18 (limit: 1089)
   Memory: 3.5M
   CGroup: /system.slice/strongswan.service
           ├─4820 /usr/lib/ipsec/starter --daemon charon --nofork
           └─4837 /usr/lib/ipsec/charon

Mar 02 17:30:45 srv1-rpi-rvt ipsec[4820]: 16[IKE] destroying duplicate IKE_SA for peer 'londonclient', received INITIAL_CONTACT
Mar 02 17:30:45 srv1-rpi-rvt ipsec[4820]: 16[CFG] sending DHCP RELEASE for 192.168.1.72 to 192.168.1.1
Mar 02 17:30:45 srv1-rpi-rvt ipsec[4820]: 16[IKE] IKE_SA iOS-IKEV2[3] established between 192.168.1.100[prob1-rpi-rvt]...82.x.x.225[RVT-VPN]
Mar 02 17:30:45 srv1-rpi-rvt ipsec[4820]: 16[IKE] scheduling reauthentication in 9748s
Mar 02 17:30:45 srv1-rpi-rvt ipsec[4820]: 16[IKE] maximum IKE_SA lifetime 10288s
Mar 02 17:30:45 srv1-rpi-rvt ipsec[4820]: 16[IKE] peer requested virtual IP %any
Mar 02 17:30:45 srv1-rpi-rvt ipsec[4820]: 16[CFG] sending DHCP DISCOVER to 255.255.255.255
Mar 02 17:30:45 srv1-rpi-rvt ipsec[4820]: 06[CFG] received DHCP OFFER 192.168.1.73 from 192.168.1.1
Mar 02 17:30:45 srv1-rpi-rvt ipsec[4820]: 16[CFG] sending DHCP REQUEST for 192.168.1.73 to 192.168.1.1
Mar 02 17:30:45 srv1-rpi-rvt ipsec[4820]: 16[CFG] sending DHCP REQUEST for 192.168.1.73 to 192.168.1.1
Public IP has been hidden

So when I try to establish a connection, strongSwan is still active:
sudo service strongswan status
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-03-02 17:24:28 IST; 14min ago
 Main PID: 4820 (starter)
    Tasks: 18 (limit: 1089)
   Memory: 3.5M
   CGroup: /system.slice/strongswan.service
           ├─4820 /usr/lib/ipsec/starter --daemon charon --nofork
           └─4837 /usr/lib/ipsec/charon

Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 06[IKE] received retransmit of request with ID 0, retransmitting response
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 06[NET] sending packet: from 192.168.1.100[500] to 82.x.x.225[500] (448 bytes)
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 05[NET] received packet: from 82.x.x.225[4500] to 192.168.1.100[4500] (352 bytes)
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 05[ENC] unknown attribute type (25)
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 05[CFG] looking for peer configs matching 192.168.1.100[prob1-rpi-rvt]...82.x.x.225[RVT-VPN]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 05[CFG] selected peer config 'iOS-IKEV2'
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 05[IKE] initiating EAP_IDENTITY method (id 0x00)
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Some more logs:
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 09[MGR] ignoring request with ID 5, already processing
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 10[CFG] received DHCP ACK for 192.168.1.73
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 16[IKE] assigning virtual IP 192.168.1.73 to peer 'mnayman'
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 16[IKE] peer requested virtual IP %any6
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 16[IKE] no virtual IP found for %any6 requested by 'mnayman'
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 16[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 16[KNL] allocating SPI failed: Operation not supported (95)
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 16[KNL] unable to get SPI
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 16[IKE] allocating SPI failed
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 16[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS DNS DNS DNS DNS) N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(NO_PROP) ]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 16[NET] sending packet: from 192.168.1.100[4500] to 82.21.23.225[4500] (224 bytes)
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 06[IKE] sending keep alive to 82.21.23.225[4500]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 13[IKE] sending keep alive to 82.21.23.225[4500]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 08[IKE] sending keep alive to 82.21.23.225[4500]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 10[IKE] sending keep alive to 82.21.23.225[4500]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 07[IKE] sending keep alive to 82.21.23.225[4500]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 14[IKE] sending keep alive to 82.21.23.225[4500]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 06[IKE] sending keep alive to 82.21.23.225[4500]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 05[IKE] sending keep alive to 82.21.23.225[4500]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 13[IKE] sending keep alive to 82.21.23.225[4500]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 09[IKE] sending keep alive to 82.21.23.225[4500]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 07[IKE] sending keep alive to 82.21.23.225[4500]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 14[IKE] sending keep alive to 82.21.23.225[4500]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 06[IKE] sending keep alive to 82.21.23.225[4500]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 13[IKE] sending keep alive to 82.21.23.225[4500]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 09[IKE] sending DPD request
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 09[ENC] generating INFORMATIONAL request 0 [ ]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 09[NET] sending packet: from 192.168.1.100[4500] to 82.21.23.225[4500] (80 bytes)
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 16[IKE] retransmit 1 of request with message ID 0
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 16[NET] sending packet: from 192.168.1.100[4500] to 82.21.23.225[4500] (80 bytes)
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 12[IKE] retransmit 2 of request with message ID 0
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 12[NET] sending packet: from 192.168.1.100[4500] to 82.21.23.225[4500] (80 bytes)
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 06[IKE] retransmit 3 of request with message ID 0
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 06[NET] sending packet: from 192.168.1.100[4500] to 82.21.23.225[4500] (80 bytes)
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 08[IKE] sending keep alive to 82.21.23.225[4500]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 09[IKE] retransmit 4 of request with message ID 0
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 09[NET] sending packet: from 192.168.1.100[4500] to 82.21.23.225[4500] (80 bytes)
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 11[IKE] sending keep alive to 82.21.23.225[4500]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 12[IKE] sending keep alive to 82.21.23.225[4500]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 07[IKE] retransmit 5 of request with message ID 0
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 07[NET] sending packet: from 192.168.1.100[4500] to 82.21.23.225[4500] (80 bytes)
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 15[IKE] sending keep alive to 82.21.23.225[4500]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 08[IKE] sending keep alive to 82.21.23.225[4500]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 11[IKE] sending keep alive to 82.21.23.225[4500]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 12[IKE] giving up after 5 retransmits
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 12[CFG] sending DHCP RELEASE for 192.168.1.73 to 192.168.1.1
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 15[NET] received packet: from 82.21.23.225[500] to 192.168.1.100[500] (432 bytes)
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 15[IKE] 82.21.23.225 is initiating an IKE_SA
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 15[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 15[IKE] local host is behind NAT, sending keep alives
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 15[IKE] remote host is behind NAT
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 15[NET] sending packet: from 192.168.1.100[500] to 82.21.23.225[500] (448 bytes)
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 06[NET] received packet: from 82.21.23.225[500] to 192.168.1.100[500] (432 bytes)
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 06[IKE] received retransmit of request with ID 0, retransmitting response
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 06[NET] sending packet: from 192.168.1.100[500] to 82.21.23.225[500] (448 bytes)
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 05[NET] received packet: from 82.21.23.225[4500] to 192.168.1.100[4500] (352 bytes)
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 05[ENC] unknown attribute type (25)
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 05[CFG] looking for peer configs matching 192.168.1.100[prob1-rpi-rvt]...82.21.23.225[RVT-VPN]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 05[CFG] selected peer config 'iOS-IKEV2'
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 05[IKE] initiating EAP_IDENTITY method (id 0x00)
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
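The log above mixes three separate things: the `[ENC] unknown attribute type (25)` warning (an unrecognised Configuration Payload attribute from the client), the `[KNL] allocating SPI failed: Operation not supported (95)` lines (the kernel-netlink interface returning EOPNOTSUPP, after which charon cannot build the CHILD_SA), and the later `giving up after 5 retransmits`. The following helper is an added example, not code from the thread or from the strongSwan project: it classifies charon log lines into those failure classes so the kernel-side error is not lost among the keep-alive noise. The sample lines are copied from the post with the public IP replaced by a documentation address; the class names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): triage charon log lines by failure class.
# Feed it lines from `journalctl -u strongswan` or the status output above;
# it prints "<class>=<count>" per class found and exits 1 when any failure
# class (not just the harmless attribute warning) is present.

# Constructed sample input: lines copied from the post, with the public IP
# replaced by the documentation address 203.0.113.225.
SAMPLE_LOG='Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 05[ENC] unknown attribute type (25)
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 16[IKE] IKE_SA iOS-IKEV2[3] established between 192.168.1.100[prob1-rpi-rvt]...203.0.113.225[RVT-VPN]
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 16[KNL] allocating SPI failed: Operation not supported (95)
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 16[KNL] unable to get SPI
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Mar 02 17:39:17 srv1-rpi-rvt ipsec[4820]: 12[IKE] giving up after 5 retransmits'

# triage_charon_log: read charon log lines on stdin, print one "<class>=<count>"
# line per class seen, exit 1 if a real failure class was seen (0 otherwise).
triage_charon_log() {
  awk '
    # [KNL] is the kernel-netlink interface: errno 95 (EOPNOTSUPP) comes from
    # the kernel, so this is not a peer or credential problem.
    /\[KNL\] (allocating SPI failed|unable to get SPI)/ { kernel++ }
    # Unknown Configuration Payload attribute sent by the client; charon
    # logs it and continues, so it is reported but does not fail the run.
    /\[ENC\] unknown attribute type/                   { attr++ }
    # No CHILD_SA means no ESP traffic even though the IKE_SA is up.
    /failed to establish CHILD_SA/                     { child++ }
    # Five unanswered retransmits: the peer stopped responding.
    /giving up after [0-9]+ retransmits/               { retrans++ }
    END {
      status = 0
      if (kernel)  { print "kernel_spi_failure=" kernel; status = 1 }
      if (child)   { print "child_sa_failure=" child;    status = 1 }
      if (retrans) { print "peer_gave_up=" retrans;      status = 1 }
      if (attr)    { print "unknown_cp_attribute=" attr }
      exit status
    }'
}

# count_class: return the count for one class name read from stdin (0 when
# absent), e.g. `count_class kernel_spi_failure < charon.log`.
count_class() {
  triage_charon_log | awk -F= -v want="$1" '$1 == want { n = $2 } END { print n + 0 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | triage_charon_log || echo "triage: failure classes present"
```

On the affected host, `journalctl -u strongswan --no-pager | triage_charon_log` gives the same summary over the real log. A non-zero `kernel_spi_failure` count points at the kernel/IPsec side of the box rather than at peer configuration or credentials, which is worth knowing before reading through the `[CFG]` and `[IKE]` lines.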

bls
Posts: 640
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA
Contact: Twitter

Re: StrongSwan fail to establish IKEv2

Mon Mar 02, 2020 11:50 pm

I am one of what appears to be a small number of people in this forum that use strongSwan. Looks like you're using a) the strongSwan package that comes with Raspbian, which is old, and b) the "legacy" ipsec.conf connection definitions, rather than the new, and now default, swanctl.conf.

I moved to swanctl.conf quite a while ago, and have built a tool (plus installer) that makes strongSwan configuration and management MUCH easier. But, it requires a newer version of strongSwan (5.8 or later). The installer automatically downloads and installs the latest strongSwan for you. If you're interested, you can check it out at https://github.com/gitbls/pistrong

I suspect you might get better answers for your issue from the strongSwan mailing list https://lists.strongswan.org/pipermail/users/.
Pi tools:
RPi SD Card Image Manager: https://github.com/gitbls/sdm
Lightweight Virtual VNC Config: https://github.com/gitbls/RPiVNCHowTo
Easy VPN installer/manager: https://github.com/gitbls/pistrong
DNS/DHCP manager: https://github.com/gitbls/ndm

RPIZW
Posts: 63
Joined: Sat Sep 28, 2019 5:54 pm

Re: StrongSwan fail to establish IKEv2

Tue Mar 03, 2020 4:47 pm

Nice! I'll surely look at your tool, and I truly appreciate your help.

I'm a bit of a 'freak' maybe, but I try to avoid GitHub as much as possible, especially because I want to keep learning the hard way rather than using ready-made tools - sorry about that.

BTW I resolved the issue: strongswan.d was corrupted.

bls
Posts: 640
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA
Contact: Twitter

Re: StrongSwan fail to establish IKEv2

Tue Mar 03, 2020 5:52 pm

RPIZW wrote:
Tue Mar 03, 2020 4:47 pm
Nice! I'll surely look at your tool, and I truly appreciate your help.

I'm a bit of a 'freak' maybe, but I try to avoid GitHub as much as possible, especially because I want to keep learning the hard way rather than using ready-made tools - sorry about that.

BTW I resolved the issue: strongswan.d was corrupted.
Glad you resolved it. No worries if you opt to roll your own. Just know it's there if you ever want an easier mechanism. I rebuild my VPN server regularly and this has saved my mental health MANY times :lol:
Pi tools:
RPi SD Card Image Manager: https://github.com/gitbls/sdm
Lightweight Virtual VNC Config: https://github.com/gitbls/RPiVNCHowTo
Easy VPN installer/manager: https://github.com/gitbls/pistrong
DNS/DHCP manager: https://github.com/gitbls/ndm

Return to “Troubleshooting”