cloudstack-dev mailing list archives

From swill <...@git.apache.org>
Subject [GitHub] cloudstack issue #872: Strongswan vpn feature
Date Thu, 06 Oct 2016 17:27:59 GMT
Github user swill commented on the issue:

    https://github.com/apache/cloudstack/pull/872
  
    I have not been able to make the `Remote Access VPN` work with Mac.  I have tried both `L2TP over IPSec` and `Cisco IPSec` (bare ipsec I believe); neither works.
    
    I am getting the same problems that Rohit had above.  I have tested in 3 different network environments: from the office, from home, and over 3G by creating a wireless hotspot, and I get the same results in all situations.
    
    I have run the following command on the VR to enable more detailed logging: `ipsec stroke loglevel cfg 2`.
    
    Here is a dump of the logs when attempting to connect.  It looks like the connection is established, but there seems to be an issue doing the final negotiation.  I have been trying different configurations to see if I can find one that works, but I have not been able to find a config that works yet.  I have also flushed my iptables to be sure it is not an issue with the firewall.
    
    Here are the logs:
    ```
    Oct  6 15:56:03 r-1968-VM charon: 02[NET] received packet: from 24.114.xx.yy[13429] to
74.121.ww.zz[500] (788 bytes)
    Oct  6 15:56:03 r-1968-VM charon: 02[ENC] parsed ID_PROT request 0 [ SA V V V V V V V
V V V V V ]
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] looking for an ike config for 74.121.ww.zz...24.114.xx.yy
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   candidate: 74.121.ww.zz...%any, prio 1052
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] found matching ike config: 74.121.ww.zz...%any
with prio 1052
    Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received NAT-T (RFC 3947) vendor ID
    Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
    Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor
ID
    Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor
ID
    Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor
ID
    Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor
ID
    Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor
ID
    Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor
ID
    Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor
ID
    Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor
ID
    Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received FRAGMENTATION vendor ID
    Oct  6 15:56:03 r-1968-VM charon: 02[IKE] received DPD vendor ID
    Oct  6 15:56:03 r-1968-VM charon: 02[IKE] 24.114.xx.yy is initiating a Main Mode IKE_SA
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable ENCRYPTION_ALGORITHM found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG]   proposal matches
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160,
IKE:AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
    Oct  6 15:56:03 r-1968-VM charon: 02[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Oct  6 15:56:03 r-1968-VM charon: 02[ENC] generating ID_PROT response 0 [ SA V V V ]
    Oct  6 15:56:03 r-1968-VM charon: 02[NET] sending packet: from 74.121.ww.zz[500] to 24.114.xx.yy[13429]
(136 bytes)
    Oct  6 15:56:03 r-1968-VM charon: 01[NET] received packet: from 24.114.xx.yy[13429] to
74.121.ww.zz[500] (380 bytes)
    Oct  6 15:56:03 r-1968-VM charon: 01[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D
]
    Oct  6 15:56:03 r-1968-VM charon: 01[IKE] remote host is behind NAT
    Oct  6 15:56:03 r-1968-VM charon: 01[ENC] generating ID_PROT response 0 [ KE No NAT-D
NAT-D ]
    Oct  6 15:56:03 r-1968-VM charon: 01[NET] sending packet: from 74.121.ww.zz[500] to 24.114.xx.yy[13429]
(396 bytes)
    Oct  6 15:56:03 r-1968-VM charon: 03[NET] received packet: from 24.114.xx.yy[13430] to
74.121.ww.zz[4500] (108 bytes)
    Oct  6 15:56:03 r-1968-VM charon: 03[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT)
]
    Oct  6 15:56:03 r-1968-VM charon: 03[CFG] looking for pre-shared key peer configs matching
74.121.ww.zz...24.114.xx.yy[192.168.43.66]
    Oct  6 15:56:03 r-1968-VM charon: 03[CFG]   candidate "L2TP-PSK", match: 1/1/1052 (me/other/ike)
    Oct  6 15:56:03 r-1968-VM charon: 03[CFG] selected peer config "L2TP-PSK"
    Oct  6 15:56:03 r-1968-VM charon: 03[IKE] IKE_SA L2TP-PSK[6] established between 74.121.ww.zz[74.121.ww.zz]...24.114.xx.yy[192.168.43.66]
    Oct  6 15:56:03 r-1968-VM charon: 03[ENC] generating ID_PROT response 0 [ ID HASH ]
    Oct  6 15:56:03 r-1968-VM charon: 03[NET] sending packet: from 74.121.ww.zz[4500] to 24.114.xx.yy[13430]
(92 bytes)
    Oct  6 15:56:04 r-1968-VM charon: 14[NET] received packet: from 24.114.xx.yy[13430] to
74.121.ww.zz[4500] (332 bytes)
    Oct  6 15:56:04 r-1968-VM charon: 14[ENC] parsed QUICK_MODE request 4086740468 [ HASH
SA No ID ID NAT-OA NAT-OA ]
    Oct  6 15:56:04 r-1968-VM charon: 14[CFG] looking for a child config for 74.121.ww.zz/32[udp/l2f]
=== 24.114.xx.yy/32[udp/53141] 
    Oct  6 15:56:04 r-1968-VM charon: 14[CFG] proposing traffic selectors for us:
    Oct  6 15:56:04 r-1968-VM charon: 14[CFG]  74.121.ww.zz/32[udp/l2f]
    Oct  6 15:56:04 r-1968-VM charon: 14[CFG] proposing traffic selectors for other:
    Oct  6 15:56:04 r-1968-VM charon: 14[CFG]  0.0.0.0/0[udp]
    Oct  6 15:56:04 r-1968-VM charon: 14[CFG]   candidate "L2TP-PSK" with prio 5+1
    Oct  6 15:56:04 r-1968-VM charon: 14[CFG] found matching child config "L2TP-PSK" with
prio 6
    Oct  6 15:56:04 r-1968-VM charon: 14[CFG] selecting traffic selectors for other:
    Oct  6 15:56:04 r-1968-VM charon: 14[CFG]  config: 0.0.0.0/0[udp], received: 24.114.xx.yy/32[udp/53141]
=> match: 24.114.xx.yy/32[udp/53141]
    Oct  6 15:56:04 r-1968-VM charon: 14[CFG] selecting traffic selectors for us:
    Oct  6 15:56:04 r-1968-VM charon: 14[CFG]  config: 74.121.ww.zz/32[udp/l2f], received:
74.121.ww.zz/32[udp/l2f] => match: 74.121.ww.zz/32[udp/l2f]
    Oct  6 15:56:04 r-1968-VM charon: 14[IKE] no matching CHILD_SA config found
    Oct  6 15:56:04 r-1968-VM charon: 14[ENC] generating INFORMATIONAL_V1 request 3901559225
[ HASH N(INVAL_ID) ]
    Oct  6 15:56:04 r-1968-VM charon: 14[NET] sending packet: from 74.121.ww.zz[4500] to 24.114.xx.yy[13430]
(92 bytes)
    Oct  6 15:56:07 r-1968-VM charon: 07[NET] received packet: from 24.114.xx.yy[13430] to
74.121.ww.zz[4500] (332 bytes)
    Oct  6 15:56:07 r-1968-VM charon: 07[IKE] received retransmit of request with ID 4086740468,
but no response to retransmit
    Oct  6 15:56:10 r-1968-VM charon: 08[NET] received packet: from 24.114.xx.yy[13430] to
74.121.ww.zz[4500] (332 bytes)
    Oct  6 15:56:10 r-1968-VM charon: 08[IKE] received retransmit of request with ID 4086740468,
but no response to retransmit
    Oct  6 15:56:14 r-1968-VM charon: 06[NET] received packet: from 24.114.xx.yy[13430] to
74.121.ww.zz[4500] (332 bytes)
    Oct  6 15:56:14 r-1968-VM charon: 06[IKE] received retransmit of request with ID 4086740468,
but no response to retransmit
    Oct  6 15:56:17 r-1968-VM charon: 01[NET] received packet: from 24.114.xx.yy[13430] to
74.121.ww.zz[4500] (332 bytes)
    Oct  6 15:56:17 r-1968-VM charon: 01[IKE] received retransmit of request with ID 4086740468,
but no response to retransmit
    Oct  6 15:56:20 r-1968-VM charon: 15[NET] received packet: from 24.114.xx.yy[13430] to
74.121.ww.zz[4500] (332 bytes)
    Oct  6 15:56:20 r-1968-VM charon: 15[IKE] received retransmit of request with ID 4086740468,
but no response to retransmit
    Oct  6 15:56:24 r-1968-VM charon: 08[NET] received packet: from 24.114.xx.yy[13430] to
74.121.ww.zz[4500] (332 bytes)
    Oct  6 15:56:24 r-1968-VM charon: 08[IKE] received retransmit of request with ID 4086740468,
but no response to retransmit
    Oct  6 15:56:27 r-1968-VM charon: 12[NET] received packet: from 24.114.xx.yy[13430] to
74.121.ww.zz[4500] (332 bytes)
    Oct  6 15:56:27 r-1968-VM charon: 12[IKE] received retransmit of request with ID 4086740468,
but no response to retransmit
    Oct  6 15:56:30 r-1968-VM charon: 06[NET] received packet: from 24.114.xx.yy[13430] to
74.121.ww.zz[4500] (332 bytes)
    Oct  6 15:56:30 r-1968-VM charon: 06[IKE] received retransmit of request with ID 4086740468,
but no response to retransmit
    Oct  6 15:56:34 r-1968-VM charon: 02[NET] received packet: from 24.114.xx.yy[13430] to
74.121.ww.zz[4500] (332 bytes)
    Oct  6 15:56:34 r-1968-VM charon: 02[IKE] received retransmit of request with ID 4086740468,
but no response to retransmit
    Oct  6 15:56:34 r-1968-VM charon: 01[NET] received packet: from 24.114.xx.yy[13430] to
74.121.ww.zz[4500] (108 bytes)
    Oct  6 15:56:34 r-1968-VM charon: 01[ENC] parsed INFORMATIONAL_V1 request 4023936214 [
HASH D ]
    Oct  6 15:56:34 r-1968-VM charon: 01[IKE] received DELETE for IKE_SA L2TP-PSK[6]
    Oct  6 15:56:34 r-1968-VM charon: 01[IKE] deleting IKE_SA L2TP-PSK[6] between 74.121.ww.zz[74.121.ww.zz]...24.114.xx.yy[192.168.43.66]
    ```
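
Added example, not part of the comment above or of the CloudStack or strongSwan code: a Python triage of charon log text in the format of that dump, which rejoins records the mail archive wrapped and reports whether an IKEv1 attempt failed in phase 1 or in Quick Mode. The sample log is constructed (documentation addresses, host name `vr`), and `unwrap` and `diagnose` are names chosen here.

```python
import re

# Constructed sample in the charon syslog format of the dump above; addresses are
# documentation ranges and two records are wrapped the way the mail archive wraps them.
SAMPLE_LOG = """\
Oct  6 15:56:03 vr charon: 03[IKE] IKE_SA L2TP-PSK[6] established between 198.51.100.10[198.51.100.10]...192.0.2.20[192.168.43.66]
Oct  6 15:56:04 vr charon: 14[ENC] parsed QUICK_MODE request 4086740468 [ HASH SA No ID ID NAT-OA NAT-OA ]
Oct  6 15:56:04 vr charon: 14[IKE] no matching CHILD_SA config found
Oct  6 15:56:04 vr charon: 14[ENC] generating INFORMATIONAL_V1 request 3901559225
[ HASH N(INVAL_ID) ]
Oct  6 15:56:07 vr charon: 07[IKE] received retransmit of request with ID 4086740468,
but no response to retransmit
Oct  6 15:56:10 vr charon: 08[IKE] received retransmit of request with ID 4086740468, but no response to retransmit
"""

TIMESTAMP = re.compile(r"^\s*[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\s")
PATTERNS = {
    "ike_sa": re.compile(r"IKE_SA (\S+?)\[\d+\] established"),
    "quick_mode": re.compile(r"parsed QUICK_MODE request (\d+)"),
    "phase2_error": re.compile(r"(no matching CHILD_SA config found)"),
    "notify": re.compile(r"generating INFORMATIONAL_V1 request \d+ \[.*?N\((\w+)\)"),
    "retransmit": re.compile(r"received retransmit of request with ID (\d+)"),
}

def unwrap(text):
    """Rejoin wrapped records: a line without a syslog timestamp continues the previous one."""
    records = []
    for raw in text.splitlines():
        if TIMESTAMP.match(raw) or not records:
            records.append(raw.strip())
        elif raw.strip():
            records[-1] += " " + raw.strip()
    return records

def diagnose(text):
    """Return the first value seen per event, the retransmit count, and a verdict."""
    seen = {name: [] for name in PATTERNS}
    for record in unwrap(text):
        for name, pattern in PATTERNS.items():
            match = pattern.search(record)
            if match:
                seen[name].append(match.group(1))
    result = {name: (hits[0] if hits else None) for name, hits in seen.items()}
    result["retransmit"] = len(seen["retransmit"])
    result["verdict"] = ("phase 1 (IKE_SA) not established" if result["ike_sa"] is None
                         else "phase 1 ok, phase 2 (Quick Mode) rejected by responder"
                         if result["phase2_error"] else "no phase 2 rejection logged")
    return result
```

The `no acceptable ... found` lines during proposal selection are deliberately not treated as errors, since charon logs them for every proposal it skips before one matches.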

