[Swan] Second OSX client troubleshooting

Mr. Jan Walter hopping_hol at yahoo.com
Thu Jan 31 15:53:10 UTC 2019


Okay, so I sent off a user certificate and the CA cert to a colleague on the other coast, and he's having issues connecting to the config that worked for me with my Macbook and my Win10 machine here.
Thoughts?
Cliff's notes: 
No IKE SA means?
On the client side, the complaint is "Failed to process IKE AUTH packet"
It looks to me like the client can't figure out what certificate to use, or there is something missing. The client has the CA cert only, and the client cert with a private key. That should be enough.
Log on the server:
Jan 31 03:26:05 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11: constructed local IKE proposals for ikev2-cp (IKE SA responder matching remote proposals): 1:IKE:ENCR=AE
Jan 31 03:26:05 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #370: proposal 10:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 chosen from remote pr
Jan 31 03:26:05 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #370: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMA
Jan 31 03:26:05 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #371: proposal 10:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 chosen from remote pr
Jan 31 03:26:05 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #371: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMA
Jan 31 03:26:05 ip-10-0-0-194 pluto[18497]: packet from 12.11.11.11:500: INFORMATIONAL message request has no corresponding IKE SA
Jan 31 03:29:25 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #370: deleting incomplete state after 200.000 seconds
Jan 31 03:29:25 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #370: deleting state (STATE_PARENT_R1) aged 200.016s and NOT sending notification
Jan 31 03:29:25 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #371: deleting incomplete state after 200.000 seconds
Jan 31 03:29:25 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #371: deleting state (STATE_PARENT_R1) aged 200.000s and NOT sending notification
Jan 31 03:29:25 ip-10-0-0-194 pluto[18497]: deleting connection "ikev2-cp"[28] 12.11.11.11 instance with peer 12.11.11.11 {isakmp=#0/ipsec=#0}
Jan 31 03:29:40 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[29] 12.11.11.11: constructed local IKE proposals for ikev2-cp (IKE SA responder matching remote proposals): 1:IKE:ENCR=AE
Jan 31 03:29:40 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[29] 12.11.11.11 #372: proposal 10:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 chosen from remote pr
Jan 31 03:29:40 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[29] 12.11.11.11 #372: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMA
Jan 31 03:29:40 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[29] 12.11.11.11 #373: proposal 10:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 chosen from remote pr
Jan 31 03:29:40 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[29] 12.11.11.11 #373: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMA
Jan 31 03:29:40 ip-10-0-0-194 pluto[18497]: packet from 12.11.11.11:500: INFORMATIONAL message request has no corresponding IKE SA
Jan 31 03:33:00 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[29] 12.11.11.11 #372: deleting incomplete state after 200.000 seconds
Jan 31 03:33:00 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[29] 12.11.11.11 #372: deleting state (STATE_PARENT_R1) aged 200.009s and NOT sending notification
Jan 31 03:33:00 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[29] 12.11.11.11 #373: deleting incomplete state after 200.000 seconds
Jan 31 03:33:00 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[29] 12.11.11.11 #373: deleting state (STATE_PARENT_R1) aged 200.002s and NOT sending notification
Jan 31 03:33:00 ip-10-0-0-194 pluto[18497]: deleting connection "ikev2-cp"[29] 12.11.11.11 instance with peer 12.11.11.11 {isakmp=#0/ipsec=#0}
Certificates made and exported with:
certutil -S -c "ca.zzz.net" -n "westcoastfriend.zzz.net" -s "O=westcoastfriend,CN=westcoastfriend.zzz.net" -k rsa -v 12 -d sql:${HOME}/ca -t ",," -1 -6 -8 "westcoastfriend.zzz.net"
pk12util -o westcoastfriend.osx.p12 -n westcoastfriend.zzz.net -d sql:${HOME}/ca
Client-side logs:
2019-01-30 16:00:11.135379-0800 0x2d08     Activity    0x5a34               731    0    neagent: (NetworkExtension) IKEv2 processing socket read event
2019-01-30 16:00:11.135470-0800 0x2d09     Error       0x0                  731    0    neagent: (NetworkExtension) [com.apple.networkextension:] Auth initiator received notify error: Error (Invalid Syntax)
2019-01-30 16:00:11.135471-0800 0x2d09     Error       0x0                  731    0    neagent: (NetworkExtension) [com.apple.networkextension:] Failed to process IKE Auth packet (connect)
2019-01-30 16:00:11.136192-0800 0x238d     Default     0x0                  611    0    nesessionmanager: [com.apple.networkextension:] NESMIKEv2VPNSession[VPN (IKEv2):D2185DAA-2D0D-4B56-BFD0-F673A0D8D1F2]: status changed to disconnecting
2019-01-30 16:00:11.136233-0800 0x238d     Default     0x0                  611    0    nesessionmanager: [com.apple.networkextension:] NESMIKEv2VPNSession[VPN (IKEv2):D2185DAA-2D0D-4B56-BFD0-F673A0D8D1F2]: Updated network agent (inactive)
2019-01-30 16:00:11.136245-0800 0x2cec     Activity    0x48c6               271    0    SystemUIServer: (libsystem_networkextension.dylib) SessionClient processing get connection request
2019-01-30 16:00:11.136251-0800 0x2d12     Activity    0x4df6               659    0    com.apple.preference.network.remoteservice: (libsystem_networkextension.dylib) SessionClient processing get connection request
2019-01-30 16:00:11.136276-0800 0x2d15     Activity    0x5a49               55     0    configd: processing network kernel events
2019-01-30 16:00:11.136339-0800 0x2cfa     Default     0x0                  42     0    UserEventAgent: (NetworkExtension) [com.apple.networkextension:] Current file handles for com.apple.networkextension.file-descriptor-maintainer: (    "Network Agent Registration socket (114) D2185DAA-2D0D-4B56-BFD0-F673A0D8D1F2 97B30DB5-276E-4B23-9E7C-67F527967CB0 1",    "Policy Session socket (115)")
2019-01-30 16:00:11.136352-0800 0x2cfa     Default     0x0                  42     0    UserEventAgent: (com.apple.networkextension) [com.apple.networkextension:] File Handle Maintainer listening for readable events on Network Agent Registration socket (114) D2185DAA-2D0D-4B56-BFD0-F673A0D8D1F2 97B30DB5-276E-4B23-9E7C-67F527967CB0 1
2019-01-30 16:00:11.136523-0800 0x2cfa     Default     0x0                  42     0    UserEventAgent: (NetworkExtension) [com.apple.networkextension:] Current file handles for com.apple.networkextension.file-descriptor-maintainer: (    "Network Agent Registration socket (115) D2185DAA-2D0D-4B56-BFD0-F673A0D8D1F2 97B30DB5-276E-4B23-9E7C-67F527967CB0 1",    "Policy Session socket (114)")
2019-01-30 16:00:11.136539-0800 0x2cfa     Default     0x0                  42     0    UserEventAgent: (com.apple.networkextension) [com.apple.networkextension:] File Handle Maintainer listening for readable events on Network Agent Registration socket (115) D2185DAA-2D0D-4B56-BFD0-F673A0D8D1F2 97B30DB5-276E-4B23-9E7C-67F527967CB0 1
2019-01-30 16:00:11.137294-0800 0x2d15     Activity    0x5a4a               55     0    configd: processing network kernel events
2019-01-30 16:00:11.137325-0800 0x2d15     Activity    0x5a4b               55     0    configd: processing network kernel events
2019-01-30 16:00:11.137536-0800 0x2cfa     Default     0x0                  42     0    UserEventAgent: (NetworkExtension) [com.apple.networkextension:] Current file handles for com.apple.networkextension.file-descriptor-maintainer: (    "Network Agent Registration socket (114) D2185DAA-2D0D-4B56-BFD0-F673A0D8D1F2 97B30DB5-276E-4B23-9E7C-67F527967CB0 1",    "Policy Session socket (115)")
2019-01-30 16:00:11.137552-0800 0x2cfa     Default     0x0                  42     0    UserEventAgent: (com.apple.networkextension) [com.apple.networkextension:] File Handle Maintainer listening for readable events on Network Agent Registration socket (114) D2185DAA-2D0D-4B56-BFD0-F673A0D8D1F2 97B30DB5-276E-4B23-9E7C-67F527967CB0 1
2019-01-30 16:00:11.138400-0800 0x2d0d     Default     0x0                  0      0    kernel: SIOCPROTODETACH_IN6: ipsec0 error=6
2019-01-30 16:00:11.138426-0800 0x2d15     Activity    0x5a4c               55     0    configd: processing network kernel events
2019-01-30 16:00:11.138582-0800 0x2cfe     Activity    0x4512               611    0    nesessionmanager: NESM processing NEAgent exit event
2019-01-30 16:00:11.138935-0800 0x2cfe     Default     0x4512               611    0    nesessionmanager: [com.apple.networkextension:] NESMIKEv2VPNSession[VPN (IKEv2):D2185DAA-2D0D-4B56-BFD0-F673A0D8D1F2]: status changed to disconnected, last stop reason Plugin failed
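An added example, not from the post or from Libreswan: a small Python summary over constructed pluto log lines in the same shape as the server log quoted above. Per peer it lists IKE SAs that answered IKE_SA_INIT (STATE_PARENT_R1) and were later reaped as incomplete, which is what "no corresponding IKE SA" followed by "deleting incomplete state" looks like when IKE_AUTH never succeeds, and counts the orphan INFORMATIONAL requests. The second peer and its STATE_PARENT_R2 line are assumed sample data added to show the contrast with a completed exchange.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the pluto lines quoted in the post (one entry per line).
SAMPLE_LOG = """\
Jan 31 03:26:05 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #370: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP1024}
Jan 31 03:26:05 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #371: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP1024}
Jan 31 03:26:05 ip-10-0-0-194 pluto[18497]: packet from 12.11.11.11:500: INFORMATIONAL message request has no corresponding IKE SA
Jan 31 03:29:25 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #370: deleting incomplete state after 200.000 seconds
Jan 31 03:29:25 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #371: deleting incomplete state after 200.000 seconds
Jan 31 03:30:00 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[30] 10.9.8.7 #380: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=MODP2048}
Jan 31 03:30:01 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[30] 10.9.8.7 #380: STATE_PARENT_R2: IKE SA established
"""

# Entries tied to a state: "conn"[instance] peer #sa: message
STATE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
# INFORMATIONAL from a peer that has no IKE SA on this responder (never finished IKE_AUTH)
ORPHAN_RE = re.compile(r'packet from (?P<peer>[\d.]+):\d+: INFORMATIONAL message request has no corresponding IKE SA')


def summarize_ike_init(lines):
    """Per peer: SAs that reached STATE_PARENT_R1 but were reaped as incomplete (half_open),
    SAs that reached STATE_PARENT_R2 (established), and orphan INFORMATIONAL requests."""
    sa_peer, reached_r1, reaped, established = {}, set(), set(), set()
    orphans = defaultdict(int)
    for line in lines:
        m = STATE_RE.search(line)
        if m:
            sa, msg = int(m.group("sa")), m.group("msg")
            sa_peer[sa] = m.group("peer")
            if msg.startswith("STATE_PARENT_R1:"):
                reached_r1.add(sa)
            elif msg.startswith("STATE_PARENT_R2:"):
                established.add(sa)
            elif msg.startswith("deleting incomplete state"):
                reaped.add(sa)
            continue
        m = ORPHAN_RE.search(line)
        if m:
            orphans[m.group("peer")] += 1
    report = defaultdict(lambda: {"half_open": [], "established": [], "orphan_informational": 0})
    for sa in sorted(sa_peer):
        bucket = report[sa_peer[sa]]
        if sa in established:
            bucket["established"].append(sa)
        elif sa in reached_r1 and sa in reaped:
            bucket["half_open"].append(sa)
    for peer, n in orphans.items():
        report[peer]["orphan_informational"] = n
    return dict(report)
```

A peer showing only half_open entries plus orphan INFORMATIONAL requests has completed IKE_SA_INIT and then failed or abandoned IKE_AUTH, so the responder never logged anything past STATE_PARENT_R1; the client-side "Failed to process IKE Auth packet" is the other half of that picture.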

