Post-quantum strongSwan # ---------------------------------------- # Installation # Doc of "strongX509" with "liboqs" -> https://github.com/strongX509/docker/blob/master/pq-strongswan/Dockerfile # My doc here : https://www.debian-fr.org/t/network-ipv6-ipsec-strongswan-modern-security-communication/89528/2#installation-1 # ---------------------------------------- # Configure cd /strongswan-build/strongswan-6.0.0beta6/ make clean ./configure --prefix=/usr --sysconfdir=/etc --with-systemdsystemunitdir=/lib/systemd/system --disable-ikev1 --enable-constraints --enable-openssl --enable-frodo --enable-oqs --enable-silent-rules --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-dhcp --enable-addrblock --enable-unity --enable-certexpire --enable-radattr # strongSwan will be built with the following plugins # ----------------------------------------------------- # libstrongswan: random nonce x509 revocation pubkey pkcs1 pkcs7 pgp dnskey sshkey pem openssl pkcs8 xcbc cmac kdf frodo oqs drbg # libcharon: attr kernel-libipsec kernel-netlink resolve socket-default vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-eap dhcp certexpire radattr addrblock unity # libtnccs: tnc-tnccs # libtpmtss: # ---------------------------------------- # Installation make all && make install # ---------------------------------------- --enable-aesni --enable-aes --enable-des --enable-rc2 --enable-sha2 --enable-sha3 --enable-sha1 --enable-md5 --enable-random --enable-nonce --enable-x509 --enable-revocation --enable-constraints --enable-pubkey --enable-pkcs1 --enable-pkcs7 --enable-pkcs12 --enable-pgp --enable-dnskey --enable-sshkey --enable-dnscert --enable-openssl --enable-pkcs8 --enable-fips-prf --enable-gmp --enable-curve25519 --enable-agent --enable-chapoly --enable-xcbc --enable-cmac --enable-hmac --enable-kdf --enable-gcm --enable-ntru --enable-drbg --enable-newhope --enable-bliss --enable-curl --enable-mysql --enable-openxpki --enable-sqlite --enable-attr --enable-attr-sql --enable-kernel-netlink --enable-resolve --enable-socket-default --enable-bypass-lan --enable-connmark --enable-forecast --enable-farp --enable-stroke --enable-vici --enable-sql --enable-updown --enable-eap-identity --enable-eap-sim --enable-eap-sim-file --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-md5 --enable-eap-gtc --enable-eap-mschapv2 --enable-eap-dynamic --enable-eap-radius --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-xauth-generic --enable-xauth-eap --enable-xauth-pam --enable-xauth-noauth --enable-dhcp --enable-ha --enable-ext-auth --enable-radattr --enable-unity --enable-counters // PKI OCSP Plugins OpenXKPI -> https://github.com/strongswan/strongswan/discussions/2513 // 5.9.14: test suite fails -> https://github.com/strongswan/strongswan/issues/2523 %configure \ CPPFLAGS="-DSTARTER_ALLOW_NON_ROOT" \ --bindir=%{_libexecdir}/strongswan \ --disable-static \ --enable-acert \ --enable-aikgen \ --enable-bypass-lan \ --enable-ccm \ --enable-chapoly \ --enable-cmd \ --enable-ctr \ --enable-curl \ --enable-dhcp \ --enable-duplicheck \ --enable-eap-aka \ --enable-eap-aka-3gpp \ --enable-eap-aka-3gpp2 \ --enable-eap-dynamic \ --enable-eap-gtc \ --enable-eap-identity \ --enable-eap-md5 \ --enable-eap-mschapv2 \ --enable-eap-peap \ --enable-eap-radius \ --enable-eap-sim \ --enable-eap-sim-file \ --enable-eap-tls \ --enable-eap-tnc \ --enable-eap-ttls \ --enable-ext-auth \ --enable-farp \ --enable-gcm \ --enable-gcrypt \ --enable-ha \ --enable-imc-attestation \ --enable-imc-hcd \ --enable-imc-os \ --enable-imc-scanner \ --enable-imc-swid \ --enable-imc-swima \ --enable-imc-test \ --enable-imv-attestation \ --enable-imv-hcd \ --enable-imv-os \ --enable-imv-scanner \ --enable-imv-swid \ --enable-imv-swima \ --enable-imv-test \ --enable-ipseckey \ --enable-led \ --enable-md4 \ --enable-newhope \ --enable-nm \ --enable-openssl \ --enable-pkcs11 \ --enable-sql \ --enable-sqlite \ --enable-swanctl \ --enable-systemd \ --enable-tnccs-11 \ --enable-tnccs-20 \ --enable-tnccs-dynamic \ --enable-tnc-ifmap \ --enable-tnc-imc \ --enable-tnc-imv \ --enable-tnc-pdp \ --enable-tpm \ --enable-tss-tss2 \ --enable-unity \ --enable-vici \ --enable-xauth-eap \ --enable-xauth-noauth \ --enable-xauth-pam \ --sysconfdir=%{_sysconfdir}/strongswan \ --with-capabilities=libcap \ --with-fips-mode=2 \ --with-ipsecdir=%{_libexecdir}/strongswan \ --with-ipseclibdir=%{_libdir}/strongswan \ --with-ipsec-script=strongswan \ --with-piddir=%{_rundir}/strongswan \ %ifarch x86_64 %{ix86} --enable-aesni \ %endif --enable-kernel-libipsec \ %{nil} # ---------------------------------------- # Start strongSwan /usr/libexec/ipsec/charon # tail -f /var/log/charon.log Nov 6 16:57:09 00[DMN] Starting IKE charon daemon (strongSwan 6.0.0beta6, Linux 5.4.203-1-pve, x86_64) Nov 6 16:57:09 00[CFG] install DNS servers in '/etc/resolv.conf' Nov 6 16:57:09 00[KNL] unable to create IPv4 routing table rule Nov 6 16:57:09 00[KNL] unable to create IPv6 routing table rule Nov 6 16:57:09 00[CFG] loaded 0 RADIUS server configurations 16:57:09 00[LIB] loaded plugins: charon random nonce x509 revocation pubkey pkcs1 pkcs7 pgp dnskey sshkey pem openssl pkcs8 xcbc cmac kdf frodo oqs drbg attr kernel-netlink resolve socket-default vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity 11:53:27 00[LIB] loaded plugins: charon-systemd ldap pkcs11 aesni aes des rc2 sha2 sha3 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf gcm ntru drbg newhope bliss curl sqlite attr kernel-netlink resolve socket-default bypass-lan connmark forecast farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp radattr unity counters charon random nonce x509 revocation pubkey pkcs1 pkcs7 pgp dnskey sshkey pem openssl pkcs8 xcbc cmac kdf frodo oqs drbg attr kernel-netlink resolve socket-default vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity Nov 6 16:57:09 00[DMN] removing pidfile '/var/run/charon.pid', process not running Nov 6 16:57:09 00[JOB] spawning 16 worker threads Nov 6 16:57:09 00[DMN] executing start script 'creds' (swanctl --load-creds) Nov 6 16:57:09 08[CFG] loaded certificate 'C=FR, O=LAB3W, CN=vps.de.ipv10.net' Nov 6 16:57:09 13[CFG] loaded certificate 'C=FR, O=LAB3W, CN=srv.ca.lab3w.com' Nov 6 16:57:09 05[CFG] loaded certificate 'C=FR, O=LAB3W, CN=orj@lab3w.fr' Nov 6 16:57:09 09[CFG] loaded certificate 'C=FR, O=LAB3W, CN=srv.ca.lab3w.com' Nov 6 16:57:09 13[CFG] loaded certificate 'C=FR, O=LAB3W, CN=vps.uk.ipv10.net' Nov 6 16:57:09 15[CFG] loaded certificate 'C=FR, O=LAB3W, CN=srv.fr.lab3w.com' Nov 6 16:57:09 08[CFG] loaded certificate 'C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072' Nov 6 16:57:09 11[CFG] loaded certificate 'C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072' Nov 6 16:57:09 05[CFG] loaded Falcon1024 private key Nov 6 16:57:09 09[CFG] loaded Falcon1024 private key Nov 6 16:57:09 12[CFG] loaded Falcon1024 private key Nov 6 16:57:09 05[CFG] loaded Falcon1024 private key Nov 6 16:57:09 07[CFG] loaded RSA private key Nov 6 16:57:09 11[CFG] loaded RSA private key Nov 6 16:57:09 15[CFG] loaded RSA private key Nov 6 16:57:09 09[CFG] loaded EAP shared key with id 'eap-1' for: 'orj@lab3w.fr' Nov 6 16:57:09 00[DMN] creds: loaded certificate from '/etc/swanctl/x509/vps.de.ipv10.net-Cert-falcon1024-sign_ca-rsa_3072.pem' Nov 6 16:57:09 00[DMN] creds: loaded certificate from '/etc/swanctl/x509/srv.ca.lab3w.com-Cert-rsa_3072-sign_ca-rsa_3072.pem' Nov 6 16:57:09 00[DMN] creds: loaded certificate from '/etc/swanctl/x509/orj-Cert-rsa_3072-sign_ca-rsa_3072.pem' Nov 6 16:57:09 00[DMN] creds: loaded certificate from '/etc/swanctl/x509/srv.ca.lab3w.com-Cert-falcon1024-sign_ca-rsa_3072.pem' Nov 6 16:57:09 00[DMN] creds: loaded certificate from '/etc/swanctl/x509/vps.uk.ipv10.net-Cert-falcon1024-sign_ca-rsa_3072.pem' Nov 6 16:57:09 00[DMN] creds: loaded certificate from '/etc/swanctl/x509/srv.fr.lab3w.com-Cert-falcon1024-sign_ca-rsa_3072.pem' Nov 6 16:57:09 00[DMN] creds: loaded certificate from '/etc/swanctl/x509ca/LAB3W_ZW3B-caCert-rsa_3072.der' Nov 6 16:57:09 00[DMN] creds: loaded certificate from '/etc/swanctl/x509ca/LAB3W_ZW3B-caCert-rsa_3072.pem' Nov 6 16:57:09 00[DMN] creds: loaded Falcon1024 key from '/etc/swanctl/private/vps.de.ipv10.net-Key-falcon1024.pem' Nov 6 16:57:09 00[DMN] creds: loaded Falcon1024 key from '/etc/swanctl/private/vps.uk.ipv10.net-Key-falcon1024.pem' Nov 6 16:57:09 00[DMN] creds: loaded Falcon1024 key from '/etc/swanctl/private/srv.ca.lab3w.com-Key-falcon1024.pem' Nov 6 16:57:09 00[DMN] creds: loaded Falcon1024 key from '/etc/swanctl/private/srv.fr.lab3w.com-Key-falcon1024.pem' Nov 6 16:57:09 00[DMN] creds: loaded RSA key from '/etc/swanctl/private/orj-Key-rsa_3072.pem' Nov 6 16:57:09 00[DMN] creds: loaded RSA key from '/etc/swanctl/private/LAB3W_ZW3B-caKey-rsa_3072.pem' Nov 6 16:57:09 00[DMN] creds: loaded RSA key from '/etc/swanctl/private/srv.ca.lab3w.com-Key-rsa_3072.pem' Nov 6 16:57:09 00[DMN] creds: loaded eap secret 'eap-1' # ---------------------------------------- # strongSwan Docs > Usable Examples configurations > Roadwarrior scenario # https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Roadwarrior-scenario # ----- # ---------------------------------------- # /etc/strongswan.conf # ----- charon { # two defined file loggers filelog { charon { # path to the log file, specify this as section name in versions prior to 5.7.0 path = /var/log/charon.log # add a timestamp prefix time_format = %b %e %T # prepend connection name, simplifies grepping ike_name = yes # overwrite existing files append = no # increase default loglevel for all daemon subsystems default = 1 #2 # flush each line to disk flush_line = yes } stderr { # more detailed loglevel for a specific subsystem, overriding the # default loglevel. ike = 2 #2 knl = -1 #3 } } # and two loggers using syslog syslog { # prefix for each log message identifier = charon-custom # use default settings to log to the LOG_DAEMON facility daemon { } # very minimalistic IKE auditing logs to LOG_AUTHPRIV auth { default = -1 ike = 0 } } load_modular = yes plugins { include strongswan.d/charon/*.conf eap-dynamic { prefer_user = yes preferred = eap-tls, eap-mschapv2, eap-md5 # preferred = tls, mschapv2, md5 } eap-tls { fragment_size = 512 } } start-scripts { creds = swanctl --load-creds conns = swanctl --load-conns pools = swanctl --load-pools } # send_vendor_id = yes # prefer_configured_proposals = no # fragment_size = 1480 # max_packet = 30000 } include strongswan.d/*.conf pki { } # for strongSwan 5.9 libtls { version_max = 1.3 suites = TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384 } # ---------------------------------------- # /etc/swanctl/swanctl.conf # ----- connections { include conf.d/ca-fr.conf # include conf.d/ca-uk.conf # include conf.d/ca-de.conf include conf.d/ikev2-pubkey.conf include conf.d/ikev2-eap.conf include conf.d/ikev2-eap-tls-asymmetric.conf include conf.d/ikev2-eap-tls-symmetric.conf include conf.d/ikev2-eap-mschapv2.conf } authorities { strongswan { cacert = LAB3W_ZW3B-caCert-rsa_3072.pem } } pools { # ROADWARRIORS rw_pool { addrs = 172.16.8.100-172.16.8.110 dns = 10.105.150.1, 8.8.8.8 # split_exclude = 172.16.0.0/12 } rw_pool-v6 { # addrs = fec0::/120 addrs = fec0::eeee:1ab3:00ca:d000-fec0::eeee:1ab3:00ca:d0ff dns = fc00::15:2:a:1000, 2001:4860:4860::8844 } # IP HOME v6-lab3w_home { addrs = fec1::1/16 } # IP VPS v6_vps-uk { addrs = fec2::1/128 } v6_vps-de { addrs = fec3::1/128 } } secrets { # Pre-Shared Key ike-1 { id = nomade secret = 1234 } # Extensible Authentication Protocol eap-1 { id = orj@lab3w.fr secret = 1234 } } # ---------------------------------------- # /etc/swanctl/conf.d/ikev2-pubkey.conf # ----- # ----- # OK -- # strongSwan VPN client for Android 12 # ----- # KO -- # Native VPN client for Android 7 # Native VPN client for Android 12 # ----- ikev2-pubkey { version = 2 proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521, aes192-sha256-modp3072, default rekey_time = 0s pools = rw_pool, rw_pool-v6 fragmentation = yes dpd_delay = 30s # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used. local-1 { certs = srv.ca.lab3w.com-Cert-rsa_3072-sign_ca-rsa_3072.pem id = srv.ca.lab3w.com } remote-1 { # defaults are fine. } children { ikev2-pubkey { local_ts = 0.0.0.0/0,::/0 rekey_time = 0s dpd_action = clear esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072, aes192-sha256-ecp256-modp3072, default } } } # ---------------------------------------- # /etc/swanctl/conf.d/ikev2-eap.conf # ----- ikev2-eap { version = 2 pools = rw_pool, rw_pool-v6 send_cert = always rekey_time = 0s fragmentation = yes dpd_delay = 30s # IKE ciphers proposals = default local { auth = pubkey # certs = srv.ca.lab3w.com-Cert-falcon1024-sign_ca-rsa_3072.pem certs = srv.ca.lab3w.com-Cert-rsa_3072-sign_ca-rsa_3072.pem id = srv.ca.lab3w.com } remote { # auth = eap-dynamic eap_id = %any } children { ikev2-eap { local_ts = 0.0.0.0/0,::/0 esp_proposals = default rekey_time = 0s dpd_action = clear start_action = none close_action = none } } } # ---------------------------------------- # /etc/swanctl/conf.d/ikev2-eap-tls-asymmetric.conf # ----- ikev2-eap-tls-asymmetric { version = 2 pools = rw_pool, rw_pool-v6 send_cert = always rekey_time = 0s fragmentation = yes dpd_delay = 30s # IKE ciphers proposals = default local { auth = pubkey # certs = srv.ca.lab3w.com-Cert-falcon1024-sign_ca-rsa_3072.pem certs = srv.ca.lab3w.com-Cert-rsa_3072-sign_ca-rsa_3072.pem id = srv.ca.lab3w.com } remote { auth = eap-tls # auth = pubkey # va demander au client son identité eap. eap_id = %any } children { ikev2-eap-tls-asymmetric { local_ts = 0.0.0.0/0,::/0 esp_proposals = default rekey_time = 0s dpd_action = clear start_action = none close_action = none } } } # ---------------------------------------- # /etc/swanctl/conf.d/ikev2-eap-tls-symmetric.conf # ----- ikev2-eap-tls-symmetric { version = 2 proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521, aes192-sha256-modp3072, chacha20poly1305-sha512-curve25519-prfsha512, aes256gcm16-sha384-prfsha384-ecp384, aes256-sha1-modp1024, default rekey_time = 0s pools = rw_pools, rw_pools-ipv6 fragmentation = yes dpd_delay = 30s # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used. local-1 { certs = srv.ca.lab3w.com-Cert-rsa_3072-sign_ca-rsa_3072.pem id = srv.ca.lab3w.com auth = eap-tls } remote-1 { auth = eap-tls # go ask the client for its eap identity. eap_id = %any } children { ikev2-eap-tls-symmetric { local_ts = 0.0.0.0/0,::/0 rekey_time = 0s dpd_action = clear esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072, aes192-sha256-ecp256-modp3072, chacha20poly1305-sha512-curve25519-prfsha512, aes256gcm16-sha384-prfsha384-ecp384, aes256-sha1-modp1024, default } } } # ---------------------------------------- # /etc/swanctl/conf.d/ikev2-eap-mschapv2.conf # ----- # ----- # OK -- # strongSwan VPN client for Android 12 # ----- # KO -- # Native VPN client for Android 7 # Native VPN client for Android 12 # ----- ikev2-eap-mschapv2__________________ { version = 2 pools = rw_pool, rw_pool-v6 send_cert = always rekey_time = 0s fragmentation = yes dpd_delay = 30s # IKE ciphers proposals = default local { auth = pubkey # certs = srv.ca.lab3w.com-Cert-falcon1024-sign_ca-rsa_3072.pem certs = srv.ca.lab3w.com-Cert-rsa_3072-sign_ca-rsa_3072.pem id = srv.ca.lab3w.com } remote { auth = eap-mschapv2 eap_id = %any } children { ikev2-eap-mschapv2 { local_ts = 0.0.0.0/0,::/0 esp_proposals = default rekey_time = 0s dpd_action = clear start_action = none close_action = none } } } ikev2-eap-mschapv2 { version = 2 pools = rw_pool, rw_pool-v6 send_cert = always rekey_time = 0s fragmentation = yes dpd_delay = 30s # ------------------------------------------------ # IKE ciphers algo (phase 1) # ---- # AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256 # proposals = default # proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072, aes192-sha256-ecp256-modp3072, chacha20poly1305-sha512-curve25519-prfsha512, aes256gcm16-sha384-prfsha384-ecp384, aes256-sha1-modp1024, default proposals = chacha20poly1305-sha512-curve25519-prfsha512, aes256gcm16-sha384-prfsha384-ecp384, aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072, aes192-sha256-ecp256-modp3072, aes256-sha1-modp1024, aes128-sha256-ecp256, default # AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256 # proposals = aes128-sha256-ecp256 # proposals = aes256gcm16-prfsha384-ecp384, aes128gcm16-prfsha256-ecp256 # proposals = aes256-sha384-ecp384, aes128-sha256-ecp256 # CLient Windows received proposals unacceptable # Client Windows authentication of 'srv.ca.lab3w.com' (myself) with RSA signature successful # proposals = aes256-sha384-prfsha384-modp1024 # Client Windows selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024 # proposals = aes256-sha384-x448-ke4_hqc5-ke4_none, aes256-sha384-x448-ke2_bike3-ke2_hqc3, aes256-sha256-x25519-ke1_kyber3-ke1_frodoa3, aes256gcm16-prfsha384-ecp384, aes128gcm16-prfsha256-ecp256, aes256-sha384-ecp384, aes128-sha256-ecp256, aes256-sha384-prfsha384-modp1024 # ko auth - strongSwan VPN Client 2.5.2 for Android 12 # proposals = aes256-sha384-ecp384 # ko auth - strongSwan VPN Client 2.5.2 for Android 12 # proposals = aes256-sha384-x448 # ko auth - strongSwan VPN Client 2.5.2 for Android 12 # proposals = aes256-sha384-ecp384-x448 # AES_CBC-256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_448/KE4_HQC_L5 # proposals = aes256-sha384-x448-ke4_hqc5-ke4_none # AES_CBC-256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_448/KE2_BIKE_L3 # proposals = aes256-sha384-x448-ke2_bike3-ke2_hqc3 # AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519/KE1_KYBER_L3 # proposals = aes256-sha256-x25519-ke1_kyber3-ke1_frodoa3 # AES_GCM_16-256/PRF_HMAC_SHA2_384/ECP_384 # proposals = aes256gcm16-prfsha384-ecp384 # ---- # integrity and confidentiality # proposals = aes256gcm16-prfsha384-ecp384, aes128gcm16-prfsha256-ecp256 # integrity # proposals = aes256-sha384-ecp384, aes128-sha256-ecp256 # ---- # ESP Integrity Protection and Confidentiality https://docs.strongswan.org/docs/5.9/config/IKEv2CipherSuites.html#_esp_integrity_protection_and_confidentiality # IKE proposals = aes128gcm16-prfsha256-ecp256 # IKE proposals = aes256gcm16-prfsha384-ecp384 # ESP Integrity Protection Only https://docs.strongswan.org/docs/5.9/config/IKEv2CipherSuites.html#_esp_integrity_protection_only # IKE proposals = aes128-sha256-ecp256 # IKE proposals = aes256-sha384-ecp384 # ---- # IKE ciphers algo (phase 1) # ------------------------------------------------ local { auth = pubkey # certs = srv.ca.lab3w.com-Cert-falcon1024-sign_ca-rsa_3072.pem certs = srv.ca.lab3w.com-Cert-rsa_3072-sign_ca-rsa_3072.pem id = srv.ca.lab3w.com } remote { auth = eap-mschapv2 eap_id = %any } children { ikev2-eap-mschapv2 { local_ts = 0.0.0.0/0,::/0 # ------------------------------------------------ # ESP ciphers algo (phase 2) # ---- # AES_GCM_16-256 # esp_proposals = default # AES_GCM_16-256 # esp_proposals = aes256gcm16 # CHACHA20_POLY1305 # esp_proposals = chacha20poly1305, default # selected proposal: ESP:CHACHA20_POLY1305/NO_EXT_SEQ # esp_proposals = chacha20poly1305, aes256gcm16-ecp384, aes128gcm16-ecp256, aes256gmac-ecp384, aes128gmac-ecp256, aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072, aes192-sha256-ecp256-modp3072, default # esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072, aes192-sha256-ecp256-modp3072, chacha20poly1305-sha512-curve25519-prfsha512, aes256gcm16-sha384-prfsha384-ecp384, aes256-sha1-modp1024, default esp_proposals = chacha20poly1305-sha512-curve25519-prfsha512, aes256gcm16-sha384-prfsha384-ecp384, aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072, aes192-sha256-ecp256-modp3072, aes256-sha1-modp1024, aes256gcm16, default # esp_proposals = aes256-sha256-x25519-ke1_kyber3-ke2_bike3-ke3_hqc3-ke3_none-ke4_hqc5-ke4_none # https://github.com/strongswan/strongswan/discussions/1224 # esp_proposals = aes256gcm16-aes192gcm16-aes128gcm16-chacha20poly1305-aes256ccm16-prfsha512-prfsha384-prfsha256-prfaesxcbc-ecp512bp-ecp521-ecp384bp # ---- # ESP Integrity Protection and Confidentiality https://docs.strongswan.org/docs/5.9/config/IKEv2CipherSuites.html#_esp_integrity_protection_and_confidentiality # esp_proposals = aes128gcm16-ecp256 # esp_proposals = aes256gcm16-ecp384 # ESP Integrity Protection Only https://docs.strongswan.org/docs/5.9/config/IKEv2CipherSuites.html#_esp_integrity_protection_only # esp_proposals = aes128gmac-ecp256 # esp_proposals = aes256gmac-ecp384 # ---- # ---- # ESP ciphers algo (phase 2) # ------------------------------------------------ rekey_time = 0s dpd_action = clear start_action = none close_action = none } } } # ---- ca-fr { remote_addrs = 109.210.56.240 # remote_addrs = 2a01:cb1d:12:1c00::1 pools = v6-lab3w_home #-------------------------------- # IKE #------- version = 2 dpd_delay = 30s # DEFAULT : no cipher config # selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256 # ok IKE_SA home[1] established # proposals = aes256-sha256-x25519-ke1_kyber3-ke1_frodoa3-ke2_bike3-ke2_hqc3-ke3_hqc3-ke3_none-ke4_hqc5-ke4_none # selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519/KE1_KYBER_L3/KE2_BIKE_L3/KE3_HQC_L3/KE4_HQC_L5 # AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256 # proposals = default proposals = aes256-sha384-x448-ke4_hqc5-ke4_none, aes256-sha384-x448-ke2_bike3-ke2_hqc3, aes256-sha256-x25519-ke1_kyber3-ke1_frodoa3, aes256gcm16-prfsha384-ecp384 # AES_CBC-256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_448/KE4_HQC_L5 # proposals = aes256-sha384-x448-ke4_hqc5-ke4_none # AES_CBC-256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_448/KE2_BIKE_L3 # proposals = aes256-sha384-x448-ke2_bike3-ke2_hqc3 # AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519/KE1_KYBER_L3 # proposals = aes256-sha256-x25519-ke1_kyber3-ke1_frodoa3 # AES_GCM_16-256/PRF_HMAC_SHA2_384/ECP_384 # proposals = aes256gcm16-prfsha384-ecp384 # test # proposals = aes256-sha256-x25519 # proposals = aes256-sha256-x25519-ke1_kyber3-ke2_bike3-ke3_hqc3 # proposals = aes256-sha256-x25519-modp3072-ke1_kyber3-ke1_frodoa3-ke2_bike3-ke2_hqc3-ke3_hqc3-ke3_none-ke4_hqc5-ke4_none #-------------------------------- local { auth = pubkey certs = srv.ca.lab3w.com-Cert-falcon1024-sign_ca-rsa_3072.pem id = srv.ca.lab3w.com } remote { auth = pubkey id = srv.fr.lab3w.com } children { ca-fr { # mode = transport # local_ts = fec0::0/16, fc00:5300:60:9389::/64, fc00:5300:60:9389:15:1:0:0/104, fc00:5300:60:9389:15:1:a:0/112, fc00:5300:60:9389:15:2:0:0/104, fc00:5300:60:9389:15:2:a:0/112 # CA-SWAN_HOST, CA-ULA_HOST, UK-SWAN_HOST, UK-ULA_HOST, DE-SWAN_HOST, DE-ULA_HOST local_ts = fec0::1/16, fc00:5300:60:9389::/64, fec2::1/128, fc00:41d0:801:2000::/64, fec3::1/128, fc00:41d0:701:1100::/64 # FR-SWAN_HOST, FR-ULA_HOST remote_ts = fec1::1/16, fc01::10:106:42:0/104, fc01::10:126:42:0/112, fc01::172:16:0:0/104, fc01::192:168:8:0/104 start_action = trap #-------------------------------- # ESP #------- # DEFAUT : no cipher # selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ # My Config ciphers list # ok CHILD_SA net{1} established # esp_proposals = aes256-sha256-x25519-ke1_kyber3-ke2_bike3-ke3_hqc3 # selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ # ok CHILD_SA net{1} established esp_proposals = aes256-sha256-x25519-ke1_kyber3-ke2_bike3-ke3_hqc3-ke3_none-ke4_hqc5-ke4_none # selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ #--------------------------------- rekey_time = 5400 # 90min # rekey_time = 180 # 3min rekey_bytes = 500000000 rekey_packets = 1000000 } } } # ---------------------------------------- # strongSwan VPN CLient for Android # ----- # tail -f /var/log/charon.log # strongSwan VPN CLient 2.5.2 for Android 12.1 - Connexion type : IKEv2 EAP-TLS (Certificate) -> KO Nov 6 15:09:16 15[NET] <1> received packet: from 37.174.197.79[29609] to 158.69.126.137[500] (948 bytes) Nov 6 15:09:16 15[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Nov 6 15:09:16 15[IKE] <1> 37.174.197.79 is initiating an IKE_SA Nov 6 15:09:16 15[CFG] <1> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256 Nov 6 15:09:16 15[IKE] <1> remote host is behind NAT Nov 6 15:09:16 15[IKE] <1> sending cert request for "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 6 15:09:16 15[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) V ] Nov 6 15:09:16 15[NET] <1> sending packet: from 158.69.126.137[500] to 37.174.197.79[29609] (325 bytes) Nov 6 15:09:16 13[NET] <1> received packet: from 37.174.197.79[29610] to 158.69.126.137[4500] (528 bytes) Nov 6 15:09:16 13[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] Nov 6 15:09:16 13[IKE] <1> received cert request for "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 6 15:09:16 13[CFG] <1> looking for peer configs matching 158.69.126.137[srv.ca.lab3w.com]...37.174.197.79[C=FR, O=LAB3W, CN=orj@lab3w.fr] Nov 6 15:09:16 13[CFG] selected peer config 'ikev2-eap' Nov 6 15:09:16 13[IKE] peer requested EAP, config unacceptable Nov 6 15:09:16 13[CFG] switching to peer config 'ikev2-eap-mschapv2' Nov 6 15:09:16 13[IKE] initiating EAP_IDENTITY method (id 0x00) Nov 6 15:09:16 13[IKE] peer supports MOBIKE Nov 6 15:09:16 13[IKE] authentication of 'srv.ca.lab3w.com' (myself) with RSA_EMSA_PSS_SHA2_256_SALT_32 successful Nov 6 15:09:16 13[IKE] sending end entity cert "C=FR, O=LAB3W, CN=srv.ca.lab3w.com" Nov 6 15:09:16 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ] Nov 6 15:09:16 13[ENC] splitting IKE message (1760 bytes) into 2 fragments Nov 6 15:09:16 13[ENC] generating IKE_AUTH response 1 [ EF(1/2) ] Nov 6 15:09:16 13[ENC] generating IKE_AUTH response 1 [ EF(2/2) ] Nov 6 15:09:16 13[NET] sending packet: from 158.69.126.137[4500] to 37.174.197.79[29610] (1444 bytes) Nov 6 15:09:16 13[NET] sending packet: from 158.69.126.137[4500] to 37.174.197.79[29610] (388 bytes) Nov 6 15:09:17 16[NET] received packet: from 37.174.197.79[29610] to 158.69.126.137[4500] (128 bytes) Nov 6 15:09:17 16[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ] Nov 6 15:09:17 16[IKE] received EAP identity 'C=FR, O=LAB3W, CN=orj@lab3w.fr' Nov 6 15:09:17 16[IKE] EAP_TLS method selected Nov 6 15:09:17 16[IKE] initiating EAP_TLS method (id 0xE8) Nov 6 15:09:17 16[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TLS ] Nov 6 15:09:17 16[NET] sending packet: from 158.69.126.137[4500] to 37.174.197.79[29610] (80 bytes) Nov 6 15:09:17 01[NET] received packet: from 37.174.197.79[29610] to 158.69.126.137[4500] (304 bytes) Nov 6 15:09:17 01[ENC] parsed IKE_AUTH request 3 [ EAP/RES/TLS ] Nov 6 15:09:17 01[TLS] proposed version TLS 1.2 not supported Nov 6 15:09:17 01[TLS] sending fatal TLS alert 'protocol version' Nov 6 15:09:17 01[ENC] generating IKE_AUTH response 3 [ EAP/REQ/TLS ] Nov 6 15:09:17 01[NET] sending packet: from 158.69.126.137[4500] to 37.174.197.79[29610] (96 bytes) Nov 6 15:09:17 09[NET] received packet: from 37.174.197.79[29610] to 158.69.126.137[4500] (80 bytes) Nov 6 15:09:17 09[ENC] parsed INFORMATIONAL request 4 [ N(AUTH_FAILED) ] Nov 6 15:09:17 09[ENC] generating INFORMATIONAL response 4 [ ] Nov 6 15:09:17 09[NET] sending packet: from 158.69.126.137[4500] to 37.174.197.79[29610] (80 bytes) # strongSwan VPN CLient 2.5.2 for Android 12.1 - Connexion type : IKEv2 EAP (Username/Password) -> OK Connected Nov 6 17:00:17 10[NET] <1> received packet: from 37.166.197.227[3740] to 158.69.126.137[500] (948 bytes) Nov 6 17:00:17 10[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Nov 6 17:00:17 10[IKE] <1> 37.166.197.227 is initiating an IKE_SA Nov 6 17:00:17 10[CFG] <1> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256 Nov 6 17:00:17 10[IKE] <1> remote host is behind NAT Nov 6 17:00:17 10[IKE] <1> sending cert request for "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 6 17:00:17 10[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) V ] Nov 6 17:00:17 10[NET] <1> sending packet: from 158.69.126.137[500] to 37.166.197.227[3740] (325 bytes) Nov 6 17:00:17 12[NET] <1> received packet: from 37.166.197.227[3741] to 158.69.126.137[4500] (480 bytes) Nov 6 17:00:17 12[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] Nov 6 17:00:17 12[IKE] <1> received cert request for "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 6 17:00:17 12[CFG] <1> looking for peer configs matching 158.69.126.137[srv.ca.lab3w.com]...37.166.197.227[orj@lab3w.fr] Nov 6 17:00:17 12[CFG] selected peer config 'ikev2-eap' Nov 6 17:00:17 12[IKE] peer requested EAP, config unacceptable Nov 6 17:00:17 12[CFG] switching to peer config 'ikev2-eap-mschapv2' Nov 6 17:00:17 12[IKE] initiating EAP_IDENTITY method (id 0x00) Nov 6 17:00:17 12[IKE] peer supports MOBIKE Nov 6 17:00:17 12[IKE] authentication of 'srv.ca.lab3w.com' (myself) with RSA_EMSA_PSS_SHA2_256_SALT_32 successful Nov 6 17:00:17 12[IKE] sending end entity cert "C=FR, O=LAB3W, CN=srv.ca.lab3w.com" Nov 6 17:00:17 12[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ] Nov 6 17:00:17 12[ENC] splitting IKE message (1760 bytes) into 2 fragments Nov 6 17:00:17 12[ENC] generating IKE_AUTH response 1 [ EF(1/2) ] Nov 6 17:00:17 12[ENC] generating IKE_AUTH response 1 [ EF(2/2) ] Nov 6 17:00:17 12[NET] sending packet: from 158.69.126.137[4500] to 37.166.197.227[3741] (1444 bytes) Nov 6 17:00:17 12[NET] sending packet: from 158.69.126.137[4500] to 37.166.197.227[3741] (388 bytes) Nov 6 17:00:17 11[NET] received packet: from 37.166.197.227[3741] to 158.69.126.137[4500] (96 bytes) Nov 6 17:00:17 11[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ] Nov 6 17:00:17 11[IKE] received EAP identity 'orj@lab3w.fr' Nov 6 17:00:17 11[IKE] initiating EAP_MSCHAPV2 method (id 0xBA) Nov 6 17:00:17 11[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ] Nov 6 17:00:17 11[NET] sending packet: from 158.69.126.137[4500] to 37.166.197.227[3741] (112 bytes) Nov 6 17:00:18 07[NET] received packet: from 37.166.197.227[3741] to 158.69.126.137[4500] (144 bytes) Nov 6 17:00:18 07[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ] Nov 6 17:00:18 07[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ] Nov 6 17:00:18 07[NET] sending packet: from 158.69.126.137[4500] to 37.166.197.227[3741] (144 bytes) Nov 6 17:00:18 13[NET] received packet: from 37.166.197.227[3741] to 158.69.126.137[4500] (80 bytes) Nov 6 17:00:18 13[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ] Nov 6 17:00:18 13[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established Nov 6 17:00:18 13[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ] Nov 6 17:00:18 13[NET] sending packet: from 158.69.126.137[4500] to 37.166.197.227[3741] (80 bytes) Nov 6 17:00:18 14[NET] received packet: from 37.166.197.227[3741] to 158.69.126.137[4500] (112 bytes) Nov 6 17:00:18 14[ENC] parsed IKE_AUTH request 5 [ AUTH ] Nov 6 17:00:18 14[IKE] authentication of 'orj@lab3w.fr' with EAP successful Nov 6 17:00:18 14[IKE] authentication of 'srv.ca.lab3w.com' (myself) with EAP Nov 6 17:00:18 14[IKE] peer requested virtual IP %any Nov 6 17:00:18 14[CFG] assigning new lease to 'orj@lab3w.fr' Nov 6 17:00:18 14[IKE] assigning virtual IP 172.16.1.100 to peer 'orj@lab3w.fr' Nov 6 17:00:18 14[IKE] peer requested virtual IP %any6 Nov 6 17:00:18 14[CFG] assigning new lease to 'orj@lab3w.fr' Nov 6 17:00:18 14[IKE] assigning virtual IP 2607:5300:60:938e::1 to peer 'orj@lab3w.fr' Nov 6 17:00:18 14[IKE] IKE_SA ikev2-eap-mschapv2[1] established between 158.69.126.137[srv.ca.lab3w.com]...37.166.197.227[orj@lab3w.fr] Nov 6 17:00:18 14[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ Nov 6 17:00:18 14[KNL] policy already exists, try to update it Nov 6 17:00:18 14[KNL] policy already exists, try to update it Nov 6 17:00:18 14[KNL] policy already exists, try to update it Nov 6 17:00:18 14[KNL] policy already exists, try to update it Nov 6 17:00:18 14[KNL] policy already exists, try to update it Nov 6 17:00:18 14[KNL] policy already exists, try to update it Nov 6 17:00:18 14[IKE] CHILD_SA ikev2-eap-mschapv2{4} established with SPIs c4087200_i ae73be92_o and TS 0.0.0.0/0 ::/0 === 172.16.1.100/32 2607:5300:60:938e::1/128 Nov 6 17:00:18 14[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR ADDR6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ] Nov 6 17:00:18 14[NET] sending packet: from 158.69.126.137[4500] to 37.166.197.227[3741] (496 bytes) # diconnect Nov 6 16:41:20 09[NET] received packet: from 37.166.197.227[4361] to 158.69.126.137[4500] (80 bytes) Nov 6 16:41:20 09[ENC] parsed INFORMATIONAL request 6 [ D ] Nov 6 16:41:20 09[IKE] received DELETE for IKE_SA ikev2-eap-mschapv2[2] Nov 6 16:41:20 09[IKE] deleting IKE_SA ikev2-eap-mschapv2[2] between 158.69.126.137[srv.ca.lab3w.com]...37.166.197.227[orj@lab3w.fr] Nov 6 16:41:20 09[IKE] IKE_SA deleted Nov 6 16:41:20 09[ENC] generating INFORMATIONAL response 6 [ ] Nov 6 16:41:20 09[NET] sending packet: from 158.69.126.137[4500] to 37.166.197.227[4361] (80 bytes) Nov 6 16:41:20 09[CFG] lease 2607:5300:60:938e::1 by 'orj@lab3w.fr' went offline Nov 6 16:41:20 09[CFG] lease 172.16.1.100 by 'orj@lab3w.fr' went offline # strongSwan VPN CLient 2.5.2 for Android 12.1 - Connexion type : IKEv2 Certificate + EAP (Username/Password) -> KO Nov 6 15:12:27 09[NET] <3> received packet: from 37.174.197.79[29687] to 158.69.126.137[500] (948 bytes) Nov 6 15:12:27 09[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Nov 6 15:12:27 09[IKE] <3> 37.174.197.79 is initiating an IKE_SA Nov 6 15:12:27 09[CFG] <3> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256 Nov 6 15:12:27 09[IKE] <3> remote host is behind NAT Nov 6 15:12:27 09[IKE] <3> sending cert request for "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 6 15:12:27 09[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) V ] Nov 6 15:12:27 09[NET] <3> sending packet: from 158.69.126.137[500] to 37.174.197.79[29687] (325 bytes) Nov 6 15:12:27 10[NET] <3> received packet: from 37.174.197.79[29694] to 158.69.126.137[4500] (1364 bytes) Nov 6 15:12:27 10[ENC] <3> parsed IKE_AUTH request 1 [ EF(1/2) ] Nov 6 15:12:27 10[ENC] <3> received fragment #1 of 2, waiting for complete IKE message Nov 6 15:12:27 11[NET] <3> received packet: from 37.174.197.79[29694] to 158.69.126.137[4500] (900 bytes) Nov 6 15:12:27 11[ENC] <3> parsed IKE_AUTH request 1 [ EF(2/2) ] Nov 6 15:12:27 11[ENC] <3> received fragment #2 of 2, reassembled fragmented IKE message (2192 bytes) Nov 6 15:12:27 11[ENC] <3> parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) N(AUTH_FOLLOWS) ] Nov 6 15:12:27 11[IKE] <3> received cert request for "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 6 15:12:27 11[IKE] <3> received end entity cert "C=FR, O=LAB3W, CN=orj@lab3w.fr" Nov 6 15:12:27 11[CFG] <3> looking for peer configs matching 158.69.126.137[srv.ca.lab3w.com]...37.174.197.79[C=FR, O=LAB3W, CN=orj@lab3w.fr] Nov 6 15:12:27 11[CFG] selected peer config 'ikev2-eap' Nov 6 15:12:27 11[CFG] using trusted certificate "C=FR, O=LAB3W, CN=orj@lab3w.fr" Nov 6 15:12:27 11[CFG] using trusted ca certificate "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 6 15:12:27 11[CFG] reached self-signed root ca with a path length of 0 Nov 6 15:12:27 11[CFG] checking certificate status of "C=FR, O=LAB3W, CN=orj@lab3w.fr" Nov 6 15:12:27 11[CFG] certificate status is not available Nov 6 15:12:27 11[IKE] authentication of 'C=FR, O=LAB3W, CN=orj@lab3w.fr' with RSA_EMSA_PSS_SHA2_256_SALT_32 successful Nov 6 15:12:27 11[CFG] constraint check failed: EAP identity '%any' (ID_ANY) required Nov 6 15:12:27 11[CFG] selected peer config 'ikev2-eap' unacceptable: non-matching authentication done Nov 6 15:12:27 11[CFG] switching to peer config 'ikev2-eap-mschapv2' Nov 6 15:12:27 11[CFG] constraint check failed: EAP identity '%any' (ID_ANY) required Nov 6 15:12:27 11[CFG] selected peer config 'ikev2-eap-mschapv2' unacceptable: non-matching authentication done Nov 6 15:12:27 11[CFG] switching to peer config 'ikev2-eap-tls-asymmetric' Nov 6 15:12:27 11[CFG] constraint check failed: EAP identity '%any' (ID_ANY) required Nov 6 15:12:27 11[CFG] selected peer config 'ikev2-eap-tls-asymmetric' unacceptable: non-matching authentication done Nov 6 15:12:27 11[CFG] no alternative config found Nov 6 15:12:27 11[IKE] peer supports MOBIKE Nov 6 15:12:27 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] Nov 6 15:12:27 11[NET] sending packet: from 158.69.126.137[4500] to 37.174.197.79[29694] (80 bytes) Nov 13 13:10:35 08[NET] <255> received packet: from 109.210.56.240[39279] to 158.69.126.137[500] (948 bytes) Nov 13 13:10:35 08[ENC] <255> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Nov 13 13:10:35 08[IKE] <255> 109.210.56.240 is initiating an IKE_SA Nov 13 13:10:35 08[CFG] <255> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_448 Nov 13 13:10:35 08[IKE] <255> key exchange method in received payload ECP_256 doesn't match negotiated CURVE_448 Nov 13 13:10:35 08[IKE] <255> remote host is behind NAT Nov 13 13:10:35 08[IKE] <255> DH group ECP_256 unacceptable, requesting CURVE_448 Nov 13 13:10:35 08[ENC] <255> generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ] Nov 13 13:10:35 08[NET] <255> sending packet: from 158.69.126.137[500] to 109.210.56.240[39279] (58 bytes) Nov 13 13:10:35 07[NET] <256> received packet: from 109.210.56.240[39279] to 158.69.126.137[500] (940 bytes) Nov 13 13:10:35 07[ENC] <256> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Nov 13 13:10:35 07[IKE] <256> 109.210.56.240 is initiating an IKE_SA Nov 13 13:10:35 07[CFG] <256> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_448 Nov 13 13:10:35 07[IKE] <256> remote host is behind NAT Nov 13 13:10:35 07[IKE] <256> sending cert request for "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 13 13:10:35 07[ENC] <256> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) V ] Nov 13 13:10:35 07[NET] <256> sending packet: from 158.69.126.137[500] to 109.210.56.240[39279] (317 bytes) Nov 13 13:10:35 16[NET] <256> received packet: from 109.210.56.240[42792] to 158.69.126.137[4500] (892 bytes) Nov 13 13:10:35 16[ENC] <256> parsed IKE_AUTH request 1 [ EF(2/2) ] Nov 13 13:10:35 16[ENC] <256> received fragment #2 of 2, waiting for complete IKE message Nov 13 13:10:35 14[NET] <256> received packet: from 109.210.56.240[42792] to 158.69.126.137[4500] (1356 bytes) Nov 13 13:10:35 14[ENC] <256> parsed IKE_AUTH request 1 [ EF(1/2) ] Nov 13 13:10:35 14[ENC] <256> received fragment #1 of 2, reassembled fragmented IKE message (2168 bytes) Nov 13 13:10:35 14[ENC] <256> parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) N(AUTH_FOLLOWS) ] Nov 13 13:10:35 14[IKE] <256> received cert request for "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 13 13:10:35 14[IKE] <256> received end entity cert "C=FR, O=LAB3W, CN=orj@lab3w.fr" Nov 13 13:10:35 14[CFG] <256> looking for peer configs matching 158.69.126.137[srv.ca.lab3w.com]...109.210.56.240[orj@lab3w.fr] Nov 13 13:10:35 14[CFG] selected peer config 'ikev2-eap' Nov 13 13:10:35 14[CFG] using trusted certificate "C=FR, O=LAB3W, CN=orj@lab3w.fr" Nov 13 13:10:35 14[CFG] using trusted ca certificate "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 13 13:10:35 14[CFG] reached self-signed root ca with a path length of 0 Nov 13 13:10:35 14[CFG] checking certificate status of "C=FR, O=LAB3W, CN=orj@lab3w.fr" Nov 13 13:10:35 14[CFG] certificate status is not available Nov 13 13:10:35 14[IKE] authentication of 'orj@lab3w.fr' with RSA_EMSA_PSS_SHA2_256_SALT_32 successful Nov 13 13:10:35 14[CFG] constraint check failed: EAP identity '%any' (ID_ANY) required Nov 13 13:10:35 14[CFG] selected peer config 'ikev2-eap' unacceptable: non-matching authentication done Nov 13 13:10:35 14[CFG] switching to peer config 'ikev2-eap-mschapv2' Nov 13 13:10:35 14[CFG] constraint check failed: EAP identity '%any' (ID_ANY) required Nov 13 13:10:35 14[CFG] selected peer config 'ikev2-eap-mschapv2' unacceptable: non-matching authentication done Nov 13 13:10:35 14[CFG] switching to peer config 'ikev2-eap-tls-asymmetric' Nov 13 13:10:35 14[CFG] constraint check failed: EAP identity '%any' (ID_ANY) required Nov 13 13:10:35 14[CFG] selected peer config 'ikev2-eap-tls-asymmetric' unacceptable: non-matching authentication done Nov 13 13:10:35 14[CFG] switching to peer config 'ikev2-pubkey' Nov 13 13:10:35 14[IKE] peer supports MOBIKE Nov 13 13:10:35 14[IKE] authentication of 'srv.ca.lab3w.com' (myself) with RSA_EMSA_PSS_SHA2_256_SALT_32 successful Nov 13 13:10:35 14[IKE] sending end entity cert "C=FR, O=LAB3W, CN=srv.ca.lab3w.com" Nov 13 13:10:35 14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH ] Nov 13 13:10:35 14[ENC] splitting IKE message (1752 bytes) into 2 fragments Nov 13 13:10:35 14[ENC] generating IKE_AUTH response 1 [ EF(1/2) ] Nov 13 13:10:35 14[ENC] generating IKE_AUTH response 1 [ EF(2/2) ] Nov 13 13:10:35 14[NET] sending packet: from 158.69.126.137[4500] to 109.210.56.240[42792] (1436 bytes) Nov 13 13:10:35 14[NET] sending packet: from 158.69.126.137[4500] to 109.210.56.240[42792] (396 bytes) Nov 13 13:10:35 11[NET] received packet: from 109.210.56.240[42792] to 158.69.126.137[4500] (104 bytes) Nov 13 13:10:35 11[ENC] parsed IKE_AUTH request 2 [ IDi ] Nov 13 13:10:35 11[IKE] peer requested EAP, config unacceptable Nov 13 13:10:35 11[CFG] switching to peer config 'ikev2-eap-tls-symmetric' Nov 13 13:10:35 11[CFG] constraint check failed: EAP identity '%any' (ID_ANY) required Nov 13 13:10:35 11[CFG] selected peer config 'ikev2-eap-tls-symmetric' unacceptable: non-matching authentication done Nov 13 13:10:35 11[CFG] no alternative config found Nov 13 13:10:35 11[ENC] generating IKE_AUTH response 2 [ N(AUTH_FAILED) ] Nov 13 13:10:35 11[NET] sending packet: from 158.69.126.137[4500] to 109.210.56.240[42792] (88 bytes) # strongSwan VPN CLient 2.5.2 for Android 12.1 - Connexion type : IKEv2 EAP-TNS (Username/Password) -> KO Nov 13 05:39:14 12[NET] <141> received packet: from 109.210.56.240[38942] to 158.69.126.137[500] (948 bytes) Nov 13 05:39:14 12[ENC] <141> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Nov 13 05:39:14 12[IKE] <141> 109.210.56.240 is initiating an IKE_SA Nov 13 05:39:14 12[CFG] <141> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_448 Nov 13 05:39:14 12[IKE] <141> key exchange method in received payload ECP_256 doesn't match negotiated CURVE_448 Nov 13 05:39:14 12[IKE] <141> remote host is behind NAT Nov 13 05:39:14 12[IKE] <141> DH group ECP_256 unacceptable, requesting CURVE_448 Nov 13 05:39:14 12[ENC] <141> generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ] Nov 13 05:39:14 12[NET] <141> sending packet: from 158.69.126.137[500] to 109.210.56.240[38942] (58 bytes) Nov 13 05:39:14 09[NET] <142> received packet: from 109.210.56.240[38942] to 158.69.126.137[500] (940 bytes) Nov 13 05:39:14 09[ENC] <142> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Nov 13 05:39:14 09[IKE] <142> 109.210.56.240 is initiating an IKE_SA Nov 13 05:39:14 09[CFG] <142> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_448 Nov 13 05:39:14 09[IKE] <142> remote host is behind NAT Nov 13 05:39:14 09[IKE] <142> sending cert request for "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 13 05:39:14 09[ENC] <142> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) V ] Nov 13 05:39:14 09[NET] <142> sending packet: from 158.69.126.137[500] to 109.210.56.240[38942] (317 bytes) Nov 13 05:39:15 06[NET] <142> received packet: from 109.210.56.240[39218] to 158.69.126.137[4500] (472 bytes) Nov 13 05:39:15 06[ENC] <142> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] Nov 13 05:39:15 06[CFG] <142> looking for peer configs matching 158.69.126.137[srv.ca.lab3w.com]...109.210.56.240[orj@lab3w.fr] Nov 13 05:39:15 06[CFG] selected peer config 'ikev2-eap' Nov 13 05:39:15 06[IKE] peer requested EAP, config unacceptable Nov 13 05:39:15 06[CFG] switching to peer config 'ikev2-eap-mschapv2' Nov 13 05:39:15 06[IKE] initiating EAP_IDENTITY method (id 0x00) Nov 13 05:39:15 06[IKE] peer supports MOBIKE Nov 13 05:39:15 06[IKE] authentication of 'srv.ca.lab3w.com' (myself) with RSA_EMSA_PSS_SHA2_256_SALT_32 successful Nov 13 05:39:15 06[IKE] sending end entity cert "C=FR, O=LAB3W, CN=srv.ca.lab3w.com" Nov 13 05:39:15 06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ] Nov 13 05:39:15 06[ENC] splitting IKE message (1768 bytes) into 2 fragments Nov 13 05:39:15 06[ENC] generating IKE_AUTH response 1 [ EF(1/2) ] Nov 13 05:39:15 06[ENC] generating IKE_AUTH response 1 [ EF(2/2) ] Nov 13 05:39:15 06[NET] sending packet: from 158.69.126.137[4500] to 109.210.56.240[39218] (1436 bytes) Nov 13 05:39:15 06[NET] sending packet: from 158.69.126.137[4500] to 109.210.56.240[39218] (412 bytes) Nov 13 05:39:15 08[NET] received packet: from 109.210.56.240[39218] to 158.69.126.137[4500] (104 bytes) Nov 13 05:39:15 08[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ] Nov 13 05:39:15 08[IKE] received EAP identity 'orj@lab3w.fr' Nov 13 05:39:15 08[IKE] initiating EAP_MSCHAPV2 method (id 0x03) Nov 13 05:39:15 08[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ] Nov 13 05:39:15 08[NET] sending packet: from 158.69.126.137[4500] to 109.210.56.240[39218] (120 bytes) Nov 13 05:39:15 10[NET] received packet: from 109.210.56.240[39218] to 158.69.126.137[4500] (88 bytes) Nov 13 05:39:15 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ] Nov 13 05:39:15 10[IKE] received EAP_NAK, sending EAP_FAILURE Nov 13 05:39:15 10[ENC] generating IKE_AUTH response 3 [ EAP/FAIL ] Nov 13 05:39:15 10[NET] sending packet: from 158.69.126.137[4500] to 109.210.56.240[39218] (88 bytes) # strongSwan VPN CLient 2.5.2 for Android 12.1 - Connexion type : IKEv2 Certificate -> OK Connected (Nov 13 13:09:01) Nov 13 12:17:12 09[NET] <197> received packet: from 109.210.56.240[37624] to 158.69.126.137[500] (948 bytes) Nov 13 12:17:12 09[ENC] <197> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Nov 13 12:17:12 09[IKE] <197> 109.210.56.240 is initiating an IKE_SA Nov 13 12:17:12 09[CFG] <197> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_448 Nov 13 12:17:12 09[IKE] <197> key exchange method in received payload ECP_256 doesn't match negotiated CURVE_448 Nov 13 12:17:12 09[IKE] <197> remote host is behind NAT Nov 13 12:17:12 09[IKE] <197> DH group ECP_256 unacceptable, requesting CURVE_448 Nov 13 12:17:12 09[ENC] <197> generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ] Nov 13 12:17:12 09[NET] <197> sending packet: from 158.69.126.137[500] to 109.210.56.240[37624] (58 bytes) Nov 13 12:17:12 10[NET] <198> received packet: from 109.210.56.240[37624] to 158.69.126.137[500] (940 bytes) Nov 13 12:17:12 10[ENC] <198> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Nov 13 12:17:12 10[IKE] <198> 109.210.56.240 is initiating an IKE_SA Nov 13 12:17:12 10[CFG] <198> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_448 Nov 13 12:17:12 10[IKE] <198> remote host is behind NAT Nov 13 12:17:12 10[IKE] <198> sending cert request for "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 13 12:17:12 10[ENC] <198> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) V ] Nov 13 12:17:12 10[NET] <198> sending packet: from 158.69.126.137[500] to 109.210.56.240[37624] (317 bytes) Nov 13 12:17:13 14[NET] <198> received packet: from 109.210.56.240[38411] to 158.69.126.137[4500] (1356 bytes) Nov 13 12:17:13 14[ENC] <198> parsed IKE_AUTH request 1 [ EF(1/2) ] Nov 13 12:17:13 14[ENC] <198> received fragment #1 of 2, waiting for complete IKE message Nov 13 12:17:13 05[NET] <198> received packet: from 109.210.56.240[38411] to 158.69.126.137[4500] (796 bytes) Nov 13 12:17:13 05[ENC] <198> parsed IKE_AUTH request 1 [ EF(2/2) ] Nov 13 12:17:13 05[ENC] <198> received fragment #2 of 2, reassembled fragmented IKE message (2072 bytes) Nov 13 12:17:13 05[ENC] <198> parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] Nov 13 12:17:13 05[IKE] <198> received end entity cert "C=FR, O=LAB3W, CN=orj@lab3w.fr" Nov 13 12:17:13 05[CFG] <198> looking for peer configs matching 158.69.126.137[srv.ca.lab3w.com]...109.210.56.240[orj@lab3w.com] Nov 13 12:17:13 05[CFG] selected peer config 'ikev2-eap' Nov 13 12:17:13 05[CFG] using trusted certificate "C=FR, O=LAB3W, CN=orj@lab3w.fr" Nov 13 12:17:13 05[CFG] using trusted ca certificate "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 13 12:17:13 05[CFG] reached self-signed root ca with a path length of 0 Nov 13 12:17:13 05[CFG] checking certificate status of "C=FR, O=LAB3W, CN=orj@lab3w.fr" Nov 13 12:17:13 05[CFG] certificate status is not available Nov 13 12:17:13 05[IKE] authentication of 'orj@lab3w.com' with RSA_EMSA_PKCS1_SHA2_256 successful Nov 13 12:17:13 05[CFG] constraint check failed: EAP identity '%any' (ID_ANY) required Nov 13 12:17:13 05[CFG] selected peer config 'ikev2-eap' unacceptable: non-matching authentication done Nov 13 12:17:13 05[CFG] switching to peer config 'ikev2-eap-mschapv2' Nov 13 12:17:13 05[CFG] constraint check failed: EAP identity '%any' (ID_ANY) required Nov 13 12:17:13 05[CFG] selected peer config 'ikev2-eap-mschapv2' unacceptable: non-matching authentication done Nov 13 12:17:13 05[CFG] switching to peer config 'ikev2-eap-tls-asymmetric' Nov 13 12:17:13 05[CFG] constraint check failed: EAP identity '%any' (ID_ANY) required Nov 13 12:17:13 05[CFG] selected peer config 'ikev2-eap-tls-asymmetric' unacceptable: non-matching authentication done Nov 13 12:17:13 05[CFG] switching to peer config 'ikev2-pubkey' Nov 13 12:17:13 05[IKE] peer supports MOBIKE Nov 13 12:17:13 05[IKE] authentication of 'srv.ca.lab3w.com' (myself) with RSA_EMSA_PSS_SHA2_256_SALT_32 successful Nov 13 12:17:13 05[IKE] peer requested virtual IP %any Nov 13 12:17:13 05[CFG] assigning new lease to 'orj@lab3w.com' Nov 13 12:17:13 05[IKE] assigning virtual IP 172.16.8.101 to peer 'orj@lab3w.com' Nov 13 12:17:13 05[IKE] peer requested virtual IP %any6 Nov 13 12:17:13 05[CFG] assigning new lease to 'orj@lab3w.com' Nov 13 12:17:13 05[IKE] assigning virtual IP fec0::eeee:1ab3:ca:d001 to peer 'orj@lab3w.com' Nov 13 12:17:13 05[IKE] IKE_SA ikev2-pubkey[198] established between 158.69.126.137[srv.ca.lab3w.com]...109.210.56.240[orj@lab3w.com] Nov 13 12:17:13 05[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ Nov 13 12:17:13 05[IKE] CHILD_SA ikev2-pubkey{511} established with SPIs ca4f0e6d_i 1736be90_o and TS 0.0.0.0/0 ::/0 === 172.16.8.101/32 fec0::eeee:1ab3:ca:d001/128 Nov 13 12:17:13 05[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR ADDR6 DNS DNS DNS6 DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ] Nov 13 12:17:13 05[NET] sending packet: from 158.69.126.137[4500] to 109.210.56.240[38411] (1016 bytes) Nov 13 12:17:13 08[NET] received packet: from 109.210.56.240[38411] to 158.69.126.137[4500] (88 bytes) Nov 13 12:17:13 08[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ] Nov 13 12:17:13 08[IKE] received DELETE for IKE_SA ikev2-pubkey[198] Nov 13 12:17:13 08[IKE] deleting IKE_SA ikev2-pubkey[198] between 158.69.126.137[srv.ca.lab3w.com]...109.210.56.240[orj@lab3w.com] Nov 13 12:17:13 08[IKE] IKE_SA deleted Nov 13 12:17:13 08[ENC] generating INFORMATIONAL response 2 [ ] Nov 13 12:17:13 08[NET] sending packet: from 158.69.126.137[4500] to 109.210.56.240[38411] (88 bytes) Nov 13 12:17:13 08[CFG] lease fec0::eeee:1ab3:ca:d001 by 'orj@lab3w.com' went offline Nov 13 12:17:13 08[CFG] lease 172.16.8.101 by 'orj@lab3w.com' went offline Nov 13 13:09:01 15[NET] received packet: from 109.210.56.240[4500] to 158.69.126.137[4500] (136 bytes) Nov 13 13:09:01 15[ENC] parsed INFORMATIONAL request 177 [ N(NATD_S_IP) N(NATD_D_IP) ] Nov 13 13:09:01 15[ENC] generating INFORMATIONAL response 177 [ N(NATD_S_IP) N(NATD_D_IP) ] Nov 13 13:09:01 15[NET] sending packet: from 158.69.126.137[4500] to 109.210.56.240[4500] (136 bytes) Nov 13 13:09:01 09[NET] <253> received packet: from 109.210.56.240[37216] to 158.69.126.137[500] (948 bytes) Nov 13 13:09:01 09[ENC] <253> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Nov 13 13:09:01 09[IKE] <253> 109.210.56.240 is initiating an IKE_SA Nov 13 13:09:01 09[CFG] <253> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_448 Nov 13 13:09:01 09[IKE] <253> key exchange method in received payload ECP_256 doesn't match negotiated CURVE_448 Nov 13 13:09:01 09[IKE] <253> remote host is behind NAT Nov 13 13:09:01 09[IKE] <253> DH group ECP_256 unacceptable, requesting CURVE_448 Nov 13 13:09:01 09[ENC] <253> generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ] Nov 13 13:09:01 09[NET] <253> sending packet: from 158.69.126.137[500] to 109.210.56.240[37216] (58 bytes) Nov 13 13:09:01 13[NET] <254> received packet: from 109.210.56.240[37216] to 158.69.126.137[500] (940 bytes) Nov 13 13:09:01 13[ENC] <254> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Nov 13 13:09:01 13[IKE] <254> 109.210.56.240 is initiating an IKE_SA Nov 13 13:09:01 13[CFG] <254> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_448 Nov 13 13:09:01 13[IKE] <254> remote host is behind NAT Nov 13 13:09:01 13[IKE] <254> sending cert request for "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 13 13:09:01 13[ENC] <254> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) V ] Nov 13 13:09:01 13[NET] <254> sending packet: from 158.69.126.137[500] to 109.210.56.240[37216] (317 bytes) Nov 13 13:09:01 05[NET] <254> received packet: from 109.210.56.240[43976] to 158.69.126.137[4500] (1356 bytes) Nov 13 13:09:01 05[ENC] <254> parsed IKE_AUTH request 1 [ EF(1/2) ] Nov 13 13:09:01 05[ENC] <254> received fragment #1 of 2, waiting for complete IKE message Nov 13 13:09:01 08[NET] <254> received packet: from 109.210.56.240[43976] to 158.69.126.137[4500] (828 bytes) Nov 13 13:09:01 08[ENC] <254> parsed IKE_AUTH request 1 [ EF(2/2) ] Nov 13 13:09:01 08[ENC] <254> received fragment #2 of 2, reassembled fragmented IKE message (2104 bytes) Nov 13 13:09:01 08[ENC] <254> parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] Nov 13 13:09:01 08[IKE] <254> received cert request for "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 13 13:09:01 08[IKE] <254> received end entity cert "C=FR, O=LAB3W, CN=orj@lab3w.fr" Nov 13 13:09:01 08[CFG] <254> looking for peer configs matching 158.69.126.137[srv.ca.lab3w.com]...109.210.56.240[orj@lab3w.com] Nov 13 13:09:01 08[CFG] selected peer config 'ikev2-eap' Nov 13 13:09:01 08[CFG] using trusted certificate "C=FR, O=LAB3W, CN=orj@lab3w.fr" Nov 13 13:09:01 08[CFG] using trusted ca certificate "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 13 13:09:01 08[CFG] reached self-signed root ca with a path length of 0 Nov 13 13:09:01 08[CFG] checking certificate status of "C=FR, O=LAB3W, CN=orj@lab3w.fr" Nov 13 13:09:01 08[CFG] certificate status is not available Nov 13 13:09:01 08[IKE] authentication of 'orj@lab3w.com' with RSA_EMSA_PKCS1_SHA2_256 successful Nov 13 13:09:01 08[CFG] constraint check failed: EAP identity '%any' (ID_ANY) required Nov 13 13:09:01 08[CFG] selected peer config 'ikev2-eap' unacceptable: non-matching authentication done Nov 13 13:09:01 08[CFG] switching to peer config 'ikev2-eap-mschapv2' Nov 13 13:09:01 08[CFG] constraint check failed: EAP identity '%any' (ID_ANY) required Nov 13 13:09:01 08[CFG] selected peer config 'ikev2-eap-mschapv2' unacceptable: non-matching authentication done Nov 13 13:09:01 08[CFG] switching to peer config 'ikev2-eap-tls-asymmetric' Nov 13 13:09:01 08[CFG] constraint check failed: EAP identity '%any' (ID_ANY) required Nov 13 13:09:01 08[CFG] selected peer config 'ikev2-eap-tls-asymmetric' unacceptable: non-matching authentication done Nov 13 13:09:01 08[CFG] switching to peer config 'ikev2-pubkey' Nov 13 13:09:01 08[IKE] peer supports MOBIKE Nov 13 13:09:01 08[IKE] authentication of 'srv.ca.lab3w.com' (myself) with RSA_EMSA_PSS_SHA2_256_SALT_32 successful Nov 13 13:09:01 08[IKE] sending end entity cert "C=FR, O=LAB3W, CN=srv.ca.lab3w.com" Nov 13 13:09:01 08[IKE] peer requested virtual IP %any Nov 13 13:09:01 08[CFG] reassigning offline lease to 'orj@lab3w.com' Nov 13 13:09:01 08[IKE] assigning virtual IP 172.16.8.101 to peer 'orj@lab3w.com' Nov 13 13:09:01 08[IKE] peer requested virtual IP %any6 Nov 13 13:09:01 08[CFG] reassigning offline lease to 'orj@lab3w.com' Nov 13 13:09:01 08[IKE] assigning virtual IP fec0::eeee:1ab3:ca:d001 to peer 'orj@lab3w.com' Nov 13 13:09:01 08[IKE] IKE_SA ikev2-pubkey[254] established between 158.69.126.137[srv.ca.lab3w.com]...109.210.56.240[orj@lab3w.com] Nov 13 13:09:01 08[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ Nov 13 13:09:01 08[IKE] CHILD_SA ikev2-pubkey{541} established with SPIs c25da7c9_i ecb83137_o and TS 0.0.0.0/0 ::/0 === 172.16.8.101/32 fec0::eeee:1ab3:ca:d001/128 Nov 13 13:09:01 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR ADDR6 DNS DNS DNS6 DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ] Nov 13 13:09:01 08[ENC] splitting IKE message (2200 bytes) into 2 fragments Nov 13 13:09:01 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ] Nov 13 13:09:01 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ] Nov 13 13:09:01 08[NET] sending packet: from 158.69.126.137[4500] to 109.210.56.240[43976] (1436 bytes) Nov 13 13:09:01 08[NET] sending packet: from 158.69.126.137[4500] to 109.210.56.240[43976] (844 bytes) # strongSwan VPN CLient 2.5.2 for Android 12.1 - Connexion type : IKEv2 Certificate + EAP (Username/Password) -> KO Nov 13 12:18:54 11[NET] <199> received packet: from 109.210.56.240[48428] to 158.69.126.137[500] (948 bytes) Nov 13 12:18:54 11[ENC] <199> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Nov 13 12:18:54 11[IKE] <199> 109.210.56.240 is initiating an IKE_SA Nov 13 12:18:54 11[CFG] <199> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_448 Nov 13 12:18:54 11[IKE] <199> key exchange method in received payload ECP_256 doesn't match negotiated CURVE_448 Nov 13 12:18:54 11[IKE] <199> remote host is behind NAT Nov 13 12:18:54 11[IKE] <199> DH group ECP_256 unacceptable, requesting CURVE_448 Nov 13 12:18:54 11[ENC] <199> generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ] Nov 13 12:18:54 11[NET] <199> sending packet: from 158.69.126.137[500] to 109.210.56.240[48428] (58 bytes) Nov 13 12:18:56 07[NET] <200> received packet: from 109.210.56.240[48428] to 158.69.126.137[500] (948 bytes) Nov 13 12:18:56 07[ENC] <200> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Nov 13 12:18:56 07[IKE] <200> 109.210.56.240 is initiating an IKE_SA Nov 13 12:18:56 07[CFG] <200> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_448 Nov 13 12:18:56 07[IKE] <200> key exchange method in received payload ECP_256 doesn't match negotiated CURVE_448 Nov 13 12:18:56 07[IKE] <200> remote host is behind NAT Nov 13 12:18:56 07[IKE] <200> DH group ECP_256 unacceptable, requesting CURVE_448 Nov 13 12:18:56 07[ENC] <200> generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ] Nov 13 12:18:56 07[NET] <200> sending packet: from 158.69.126.137[500] to 109.210.56.240[48428] (58 bytes) Nov 13 12:18:56 08[NET] <201> received packet: from 109.210.56.240[48428] to 158.69.126.137[500] (940 bytes) Nov 13 12:18:56 08[ENC] <201> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Nov 13 12:18:56 08[IKE] <201> 109.210.56.240 is initiating an IKE_SA Nov 13 12:18:56 08[CFG] <201> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_448 Nov 13 12:18:56 08[IKE] <201> remote host is behind NAT Nov 13 12:18:56 08[IKE] <201> sending cert request for "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 13 12:18:56 08[ENC] <201> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) V ] Nov 13 12:18:56 08[NET] <201> sending packet: from 158.69.126.137[500] to 109.210.56.240[48428] (317 bytes) Nov 13 12:18:57 10[NET] <201> received packet: from 109.210.56.240[44566] to 158.69.126.137[4500] (1356 bytes) Nov 13 12:18:57 10[ENC] <201> parsed IKE_AUTH request 1 [ EF(1/2) ] Nov 13 12:18:57 10[ENC] <201> received fragment #1 of 2, waiting for complete IKE message Nov 13 12:18:57 15[NET] <201> received packet: from 109.210.56.240[44566] to 158.69.126.137[4500] (892 bytes) Nov 13 12:18:57 15[ENC] <201> parsed IKE_AUTH request 1 [ EF(2/2) ] Nov 13 12:18:57 15[ENC] <201> received fragment #2 of 2, reassembled fragmented IKE message (2168 bytes) Nov 13 12:18:57 15[ENC] <201> parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) N(AUTH_FOLLOWS) ] Nov 13 12:18:57 15[IKE] <201> received cert request for "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 13 12:18:57 15[IKE] <201> received end entity cert "C=FR, O=LAB3W, CN=orj@lab3w.fr" Nov 13 12:18:57 15[CFG] <201> looking for peer configs matching 158.69.126.137[srv.ca.lab3w.com]...109.210.56.240[orj@lab3w.fr] Nov 13 12:18:57 15[CFG] selected peer config 'ikev2-eap' Nov 13 12:18:57 15[CFG] using trusted certificate "C=FR, O=LAB3W, CN=orj@lab3w.fr" Nov 13 12:18:57 15[CFG] using trusted ca certificate "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 13 12:18:57 15[CFG] reached self-signed root ca with a path length of 0 Nov 13 12:18:57 15[CFG] checking certificate status of "C=FR, O=LAB3W, CN=orj@lab3w.fr" Nov 13 12:18:57 15[CFG] certificate status is not available Nov 13 12:18:57 15[IKE] authentication of 'orj@lab3w.fr' with RSA_EMSA_PSS_SHA2_256_SALT_32 successful Nov 13 12:18:57 15[CFG] constraint check failed: EAP identity '%any' (ID_ANY) required Nov 13 12:18:57 15[CFG] selected peer config 'ikev2-eap' unacceptable: non-matching authentication done Nov 13 12:18:57 15[CFG] switching to peer config 'ikev2-eap-mschapv2' Nov 13 12:18:57 15[CFG] constraint check failed: EAP identity '%any' (ID_ANY) required Nov 13 12:18:57 15[CFG] selected peer config 'ikev2-eap-mschapv2' unacceptable: non-matching authentication done Nov 13 12:18:57 15[CFG] switching to peer config 'ikev2-eap-tls-asymmetric' Nov 13 12:18:57 15[CFG] constraint check failed: EAP identity '%any' (ID_ANY) required Nov 13 12:18:57 15[CFG] selected peer config 'ikev2-eap-tls-asymmetric' unacceptable: non-matching authentication done Nov 13 12:18:57 15[CFG] switching to peer config 'ikev2-pubkey' Nov 13 12:18:57 15[IKE] peer supports MOBIKE Nov 13 12:18:57 15[IKE] authentication of 'srv.ca.lab3w.com' (myself) with RSA_EMSA_PSS_SHA2_256_SALT_32 successful Nov 13 12:18:57 15[IKE] sending end entity cert "C=FR, O=LAB3W, CN=srv.ca.lab3w.com" Nov 13 12:18:57 15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH ] Nov 13 12:18:57 15[ENC] splitting IKE message (1752 bytes) into 2 fragments Nov 13 12:18:57 15[ENC] generating IKE_AUTH response 1 [ EF(1/2) ] Nov 13 12:18:57 15[ENC] generating IKE_AUTH response 1 [ EF(2/2) ] Nov 13 12:18:57 15[NET] sending packet: from 158.69.126.137[4500] to 109.210.56.240[44566] (1436 bytes) Nov 13 12:18:57 15[NET] sending packet: from 158.69.126.137[4500] to 109.210.56.240[44566] (396 bytes) Nov 13 12:18:57 09[NET] received packet: from 109.210.56.240[44566] to 158.69.126.137[4500] (104 bytes) Nov 13 12:18:57 09[ENC] parsed IKE_AUTH request 2 [ IDi ] Nov 13 12:18:57 09[IKE] peer requested EAP, config unacceptable Nov 13 12:18:57 09[CFG] no alternative config found Nov 13 12:18:57 09[ENC] generating IKE_AUTH response 2 [ N(AUTH_FAILED) ] Nov 13 12:18:57 09[NET] sending packet: from 158.69.126.137[4500] to 109.210.56.240[44566] (88 bytes) # ---------------------------------------- # Client Samsung 6 - Android 7 - Kernel 3.10.61-13830439 # Native VPN CLient for Android 7.0 - Connexion type : IKEv2 PSK (IPSec Pre-Shared Password + ID IPSec) -> KO Nov 13 11:48:20 07[NET] <168> received packet: from 109.210.56.240[46329] to 158.69.126.137[500] (652 bytes) Nov 13 11:48:20 07[ENC] <168> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ] Nov 13 11:48:20 07[IKE] <168> 109.210.56.240 is initiating an IKE_SA Nov 13 11:48:20 07[CFG] <168> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384 Nov 13 11:48:20 07[IKE] <168> key exchange method in received payload MODP_2048_256 doesn't match negotiated ECP_384 Nov 13 11:48:20 07[IKE] <168> remote host is behind NAT Nov 13 11:48:20 07[IKE] <168> DH group MODP_2048_256 unacceptable, requesting ECP_384 Nov 13 11:48:20 07[ENC] <168> generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ] Nov 13 11:48:20 07[NET] <168> sending packet: from 158.69.126.137[500] to 109.210.56.240[46329] (58 bytes) Nov 13 11:48:20 10[NET] <169> received packet: from 109.210.56.240[46329] to 158.69.126.137[500] (492 bytes) Nov 13 11:48:20 10[ENC] <169> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ] Nov 13 11:48:20 10[IKE] <169> 109.210.56.240 is initiating an IKE_SA Nov 13 11:48:20 10[CFG] <169> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384 Nov 13 11:48:20 10[IKE] <169> remote host is behind NAT Nov 13 11:48:20 10[IKE] <169> sending cert request for "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 13 11:48:20 10[ENC] <169> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) V ] Nov 13 11:48:20 10[NET] <169> sending packet: from 158.69.126.137[500] to 109.210.56.240[46329] (341 bytes) Nov 13 11:48:20 11[NET] <169> received packet: from 109.210.56.240[54548] to 158.69.126.137[4500] (395 bytes) Nov 13 11:48:20 11[ENC] <169> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ] Nov 13 11:48:20 11[CFG] <169> looking for peer configs matching 158.69.126.137[%any]...109.210.56.240[nomade] Nov 13 11:48:20 11[CFG] selected peer config 'ikev2-eap' Nov 13 11:48:20 11[IKE] no shared key found for '%any' - 'nomade' Nov 13 11:48:20 11[IKE] peer supports MOBIKE Nov 13 11:48:20 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] Nov 13 11:48:20 11[NET] sending packet: from 158.69.126.137[4500] to 109.210.56.240[54548] (65 bytes) # Native VPN CLient for Android 7.0 - Connexion type : IKEv2 RSA (Certificate) -> KO Nov 13 11:57:05 13[NET] <170> received packet: from 109.210.56.240[60175] to 158.69.126.137[500] (660 bytes) Nov 13 11:57:05 13[ENC] <170> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Nov 13 11:57:05 13[IKE] <170> 109.210.56.240 is initiating an IKE_SA Nov 13 11:57:05 13[CFG] <170> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384 Nov 13 11:57:05 13[IKE] <170> key exchange method in received payload MODP_2048_256 doesn't match negotiated ECP_384 Nov 13 11:57:05 13[IKE] <170> remote host is behind NAT Nov 13 11:57:05 13[IKE] <170> DH group MODP_2048_256 unacceptable, requesting ECP_384 Nov 13 11:57:05 13[ENC] <170> generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ] Nov 13 11:57:05 13[NET] <170> sending packet: from 158.69.126.137[500] to 109.210.56.240[60175] (58 bytes) Nov 13 11:57:05 08[NET] <171> received packet: from 109.210.56.240[60175] to 158.69.126.137[500] (500 bytes) Nov 13 11:57:05 08[ENC] <171> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Nov 13 11:57:05 08[IKE] <171> 109.210.56.240 is initiating an IKE_SA Nov 13 11:57:05 08[CFG] <171> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384 Nov 13 11:57:05 08[IKE] <171> remote host is behind NAT Nov 13 11:57:05 08[IKE] <171> sending cert request for "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 13 11:57:05 08[ENC] <171> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) V ] Nov 13 11:57:05 08[NET] <171> sending packet: from 158.69.126.137[500] to 109.210.56.240[60175] (349 bytes) Nov 13 11:57:06 16[NET] <171> received packet: from 109.210.56.240[54319] to 158.69.126.137[4500] (1248 bytes) Nov 13 11:57:06 16[ENC] <171> parsed IKE_AUTH request 1 [ EF(1/2) ] Nov 13 11:57:06 16[ENC] <171> received fragment #1 of 2, waiting for complete IKE message Nov 13 11:57:06 10[NET] <171> received packet: from 109.210.56.240[54319] to 158.69.126.137[4500] (837 bytes) Nov 13 11:57:06 10[ENC] <171> parsed IKE_AUTH request 1 [ EF(2/2) ] Nov 13 11:57:06 10[ENC] <171> received fragment #2 of 2, reassembled fragmented IKE message (2020 bytes) Nov 13 11:57:06 10[ENC] <171> parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ] Nov 13 11:57:06 10[IKE] <171> received cert request for "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 13 11:57:06 10[IKE] <171> received end entity cert "C=FR, O=LAB3W, CN=orj@lab3w.fr" Nov 13 11:57:06 10[CFG] <171> looking for peer configs matching 158.69.126.137[%any]...109.210.56.240[C=FR, O=LAB3W, CN=orj@lab3w.fr] Nov 13 11:57:06 10[CFG] selected peer config 'ikev2-eap' Nov 13 11:57:06 10[CFG] using trusted certificate "C=FR, O=LAB3W, CN=orj@lab3w.fr" Nov 13 11:57:06 10[CFG] using trusted ca certificate "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 13 11:57:06 10[CFG] reached self-signed root ca with a path length of 0 Nov 13 11:57:06 10[CFG] checking certificate status of "C=FR, O=LAB3W, CN=orj@lab3w.fr" Nov 13 11:57:06 10[CFG] certificate status is not available Nov 13 11:57:06 10[IKE] authentication of 'C=FR, O=LAB3W, CN=orj@lab3w.fr' with RSA_EMSA_PKCS1_SHA2_256 successful Nov 13 11:57:06 10[CFG] constraint check failed: EAP identity '%any' (ID_ANY) required Nov 13 11:57:06 10[CFG] selected peer config 'ikev2-eap' unacceptable: non-matching authentication done Nov 13 11:57:06 10[CFG] switching to peer config 'ikev2-eap-mschapv2' Nov 13 11:57:06 10[CFG] constraint check failed: EAP identity '%any' (ID_ANY) required Nov 13 11:57:06 10[CFG] selected peer config 'ikev2-eap-mschapv2' unacceptable: non-matching authentication done Nov 13 11:57:06 10[CFG] switching to peer config 'ikev2-eap-tls-asymmetric' Nov 13 11:57:06 10[CFG] constraint check failed: EAP identity '%any' (ID_ANY) required Nov 13 11:57:06 10[CFG] selected peer config 'ikev2-eap-tls-asymmetric' unacceptable: non-matching authentication done Nov 13 11:57:06 10[CFG] no alternative config found Nov 13 11:57:06 10[IKE] peer supports MOBIKE Nov 13 11:57:06 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] Nov 13 11:57:06 10[NET] sending packet: from 158.69.126.137[4500] to 109.210.56.240[54319] (65 bytes) Nov 13 13:04:27 15[NET] <251> received packet: from 109.210.56.240[57202] to 158.69.126.137[500] (660 bytes) Nov 13 13:04:27 15[ENC] <251> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Nov 13 13:04:27 15[IKE] <251> 109.210.56.240 is initiating an IKE_SA Nov 13 13:04:27 15[CFG] <251> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384 Nov 13 13:04:27 15[IKE] <251> key exchange method in received payload MODP_2048_256 doesn't match negotiated ECP_384 Nov 13 13:04:27 15[IKE] <251> remote host is behind NAT Nov 13 13:04:27 15[IKE] <251> DH group MODP_2048_256 unacceptable, requesting ECP_384 Nov 13 13:04:27 15[ENC] <251> generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ] Nov 13 13:04:27 15[NET] <251> sending packet: from 158.69.126.137[500] to 109.210.56.240[57202] (58 bytes) Nov 13 13:04:27 06[NET] <252> received packet: from 109.210.56.240[57202] to 158.69.126.137[500] (500 bytes) Nov 13 13:04:27 06[ENC] <252> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Nov 13 13:04:27 06[IKE] <252> 109.210.56.240 is initiating an IKE_SA Nov 13 13:04:27 06[CFG] <252> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384 Nov 13 13:04:27 06[IKE] <252> remote host is behind NAT Nov 13 13:04:27 06[IKE] <252> sending cert request for "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 13 13:04:27 06[ENC] <252> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) V ] Nov 13 13:04:27 06[NET] <252> sending packet: from 158.69.126.137[500] to 109.210.56.240[57202] (349 bytes) Nov 13 13:04:27 10[NET] <252> received packet: from 109.210.56.240[45795] to 158.69.126.137[4500] (1248 bytes) Nov 13 13:04:27 10[ENC] <252> parsed IKE_AUTH request 1 [ EF(1/2) ] Nov 13 13:04:27 10[ENC] <252> received fragment #1 of 2, waiting for complete IKE message Nov 13 13:04:27 13[NET] <252> received packet: from 109.210.56.240[45795] to 158.69.126.137[4500] (837 bytes) Nov 13 13:04:27 13[ENC] <252> parsed IKE_AUTH request 1 [ EF(2/2) ] Nov 13 13:04:27 13[ENC] <252> received fragment #2 of 2, reassembled fragmented IKE message (2020 bytes) Nov 13 13:04:27 13[ENC] <252> parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ] Nov 13 13:04:27 13[IKE] <252> received cert request for "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 13 13:04:27 13[IKE] <252> received end entity cert "C=FR, O=LAB3W, CN=orj@lab3w.fr" Nov 13 13:04:27 13[CFG] <252> looking for peer configs matching 158.69.126.137[%any]...109.210.56.240[C=FR, O=LAB3W, CN=orj@lab3w.fr] Nov 13 13:04:27 13[CFG] selected peer config 'ikev2-eap' Nov 13 13:04:27 13[CFG] using trusted certificate "C=FR, O=LAB3W, CN=orj@lab3w.fr" Nov 13 13:04:27 13[CFG] using trusted ca certificate "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" Nov 13 13:04:27 13[CFG] reached self-signed root ca with a path length of 0 Nov 13 13:04:27 13[CFG] checking certificate status of "C=FR, O=LAB3W, CN=orj@lab3w.fr" Nov 13 13:04:27 13[CFG] certificate status is not available Nov 13 13:04:27 13[IKE] authentication of 'C=FR, O=LAB3W, CN=orj@lab3w.fr' with RSA_EMSA_PKCS1_SHA2_256 successful Nov 13 13:04:27 13[CFG] constraint check failed: EAP identity '%any' (ID_ANY) required Nov 13 13:04:27 13[CFG] selected peer config 'ikev2-eap' unacceptable: non-matching authentication done Nov 13 13:04:27 13[CFG] switching to peer config 'ikev2-eap-mschapv2' Nov 13 13:04:27 13[CFG] constraint check failed: EAP identity '%any' (ID_ANY) required Nov 13 13:04:27 13[CFG] selected peer config 'ikev2-eap-mschapv2' unacceptable: non-matching authentication done Nov 13 13:04:27 13[CFG] switching to peer config 'ikev2-eap-tls-asymmetric' Nov 13 13:04:27 13[CFG] constraint check failed: EAP identity '%any' (ID_ANY) required Nov 13 13:04:27 13[CFG] selected peer config 'ikev2-eap-tls-asymmetric' unacceptable: non-matching authentication done Nov 13 13:04:27 13[CFG] switching to peer config 'ikev2-pubkey' Nov 13 13:04:27 13[IKE] peer supports MOBIKE Nov 13 13:04:27 13[IKE] authentication of 'srv.ca.lab3w.com' (myself) with RSA_EMSA_PSS_SHA2_256_SALT_32 successful Nov 13 13:04:27 13[IKE] sending end entity cert "C=FR, O=LAB3W, CN=srv.ca.lab3w.com" Nov 13 13:04:27 13[IKE] peer requested virtual IP %any Nov 13 13:04:27 13[CFG] reassigning offline lease to 'C=FR, O=LAB3W, CN=orj@lab3w.fr' Nov 13 13:04:27 13[IKE] assigning virtual IP 172.16.8.102 to peer 'C=FR, O=LAB3W, CN=orj@lab3w.fr' Nov 13 13:04:27 13[IKE] IKE_SA ikev2-pubkey[252] established between 158.69.126.137[srv.ca.lab3w.com]...109.210.56.240[C=FR, O=LAB3W, CN=orj@lab3w.fr] Nov 13 13:04:27 13[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ Nov 13 13:04:27 13[IKE] CHILD_SA ikev2-pubkey{538} established with SPIs c0f23ae1_i cf5155af_o and TS 0.0.0.0/0 === 172.16.8.102/32 Nov 13 13:04:27 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ] Nov 13 13:04:27 13[ENC] splitting IKE message (2038 bytes) into 2 fragments Nov 13 13:04:27 13[ENC] generating IKE_AUTH response 1 [ EF(1/2) ] Nov 13 13:04:27 13[ENC] generating IKE_AUTH response 1 [ EF(2/2) ] Nov 13 13:04:27 13[NET] sending packet: from 158.69.126.137[4500] to 109.210.56.240[45795] (1448 bytes) Nov 13 13:04:27 13[NET] sending packet: from 158.69.126.137[4500] to 109.210.56.240[45795] (655 bytes) Nov 13 13:04:28 05[NET] received packet: from 109.210.56.240[45795] to 158.69.126.137[4500] (65 bytes) Nov 13 13:04:28 05[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ] Nov 13 13:04:28 05[IKE] received DELETE for IKE_SA ikev2-pubkey[252] Nov 13 13:04:28 05[IKE] deleting IKE_SA ikev2-pubkey[252] between 158.69.126.137[srv.ca.lab3w.com]...109.210.56.240[C=FR, O=LAB3W, CN=orj@lab3w.fr] Nov 13 13:04:28 05[IKE] IKE_SA deleted Nov 13 13:04:28 05[ENC] generating INFORMATIONAL response 2 [ ] Nov 13 13:04:28 05[NET] sending packet: from 158.69.126.137[4500] to 109.210.56.240[45795] (57 bytes) Nov 13 13:04:28 05[CFG] lease 172.16.8.102 by 'C=FR, O=LAB3W, CN=orj@lab3w.fr' went offline # ----------------------------------------