[Swan] Second OSX client troubleshooting
Mr. Jan Walter
hopping_hol at yahoo.com
Thu Jan 31 15:53:10 UTC 2019
Okay, so I sent off a user certificate and the CA cert to a colleague on the other coast, and he's having issues connecting to the config that worked for me with my Macbook and my Win10 machine here.
Thoughts?
Cliff's notes:
No IKE SA means?
On the client side, the complaint is "Failed to process IKE AUTH packet"
It looks to me like the client can't figure out what certificate to use, or there is something missing. The client has the CA cert only, and the client cert with a private key. That should be enough.
Log on the server:

Jan 31 03:26:05 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11: constructed local IKE proposals for ikev2-cp (IKE SA responder matching remote proposals): 1:IKE:ENCR=AE
Jan 31 03:26:05 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #370: proposal 10:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 chosen from remote pr
Jan 31 03:26:05 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #370: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMA
Jan 31 03:26:05 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #371: proposal 10:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 chosen from remote pr
Jan 31 03:26:05 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #371: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMA
Jan 31 03:26:05 ip-10-0-0-194 pluto[18497]: packet from 12.11.11.11:500: INFORMATIONAL message request has no corresponding IKE SA
Jan 31 03:29:25 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #370: deleting incomplete state after 200.000 seconds
Jan 31 03:29:25 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #370: deleting state (STATE_PARENT_R1) aged 200.016s and NOT sending notification
Jan 31 03:29:25 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #371: deleting incomplete state after 200.000 seconds
Jan 31 03:29:25 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #371: deleting state (STATE_PARENT_R1) aged 200.000s and NOT sending notification
Jan 31 03:29:25 ip-10-0-0-194 pluto[18497]: deleting connection "ikev2-cp"[28] 12.11.11.11 instance with peer 12.11.11.11 {isakmp=#0/ipsec=#0}
Jan 31 03:29:40 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[29] 12.11.11.11: constructed local IKE proposals for ikev2-cp (IKE SA responder matching remote proposals): 1:IKE:ENCR=AE
Jan 31 03:29:40 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[29] 12.11.11.11 #372: proposal 10:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 chosen from remote pr
Jan 31 03:29:40 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[29] 12.11.11.11 #372: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMA
Jan 31 03:29:40 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[29] 12.11.11.11 #373: proposal 10:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 chosen from remote pr
Jan 31 03:29:40 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[29] 12.11.11.11 #373: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMA
Jan 31 03:29:40 ip-10-0-0-194 pluto[18497]: packet from 12.11.11.11:500: INFORMATIONAL message request has no corresponding IKE SA
Jan 31 03:33:00 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[29] 12.11.11.11 #372: deleting incomplete state after 200.000 seconds
Jan 31 03:33:00 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[29] 12.11.11.11 #372: deleting state (STATE_PARENT_R1) aged 200.009s and NOT sending notification
Jan 31 03:33:00 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[29] 12.11.11.11 #373: deleting incomplete state after 200.000 seconds
Jan 31 03:33:00 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[29] 12.11.11.11 #373: deleting state (STATE_PARENT_R1) aged 200.002s and NOT sending notification
Jan 31 03:33:00 ip-10-0-0-194 pluto[18497]: deleting connection "ikev2-cp"[29] 12.11.11.11 instance with peer 12.11.11.11 {isakmp=#0/ipsec=#0}
Certificates made and exported with:
# Issue the client cert from the CA "ca.zzz.net" held in the NSS database under ~/ca;
# -1 and -6 prompt for keyUsage and extKeyUsage, -8 adds a DNS subjectAltName.
certutil -S -c "ca.zzz.net" -n "westcoastfriend.zzz.net" -s "O=westcoastfriend,CN=westcoastfriend.zzz.net" -k rsa -v 12 -d sql:${HOME}/ca -t ",," -1 -6 -8 "westcoastfriend.zzz.net"

# Export that cert plus its private key as a PKCS#12 bundle for the client.
pk12util -o westcoastfriend.osx.p12 -n westcoastfriend.zzz.net -d sql:${HOME}/ca
Client-side logs:
2019-01-30 16:00:11.135379-0800 0x2d08 Activity 0x5a34 731 0 neagent: (NetworkExtension) IKEv2 processing socket read event
2019-01-30 16:00:11.135470-0800 0x2d09 Error 0x0 731 0 neagent: (NetworkExtension) [com.apple.networkextension:] Auth initiator received notify error: Error (Invalid Syntax)
2019-01-30 16:00:11.135471-0800 0x2d09 Error 0x0 731 0 neagent: (NetworkExtension) [com.apple.networkextension:] Failed to process IKE Auth packet (connect)
2019-01-30 16:00:11.136192-0800 0x238d Default 0x0 611 0 nesessionmanager: [com.apple.networkextension:] NESMIKEv2VPNSession[VPN (IKEv2):D2185DAA-2D0D-4B56-BFD0-F673A0D8D1F2]: status changed to disconnecting
2019-01-30 16:00:11.136233-0800 0x238d Default 0x0 611 0 nesessionmanager: [com.apple.networkextension:] NESMIKEv2VPNSession[VPN (IKEv2):D2185DAA-2D0D-4B56-BFD0-F673A0D8D1F2]: Updated network agent (inactive)
2019-01-30 16:00:11.136245-0800 0x2cec Activity 0x48c6 271 0 SystemUIServer: (libsystem_networkextension.dylib) SessionClient processing get connection request
2019-01-30 16:00:11.136251-0800 0x2d12 Activity 0x4df6 659 0 com.apple.preference.network.remoteservice: (libsystem_networkextension.dylib) SessionClient processing get connection request
2019-01-30 16:00:11.136276-0800 0x2d15 Activity 0x5a49 55 0 configd: processing network kernel events
2019-01-30 16:00:11.136339-0800 0x2cfa Default 0x0 42 0 UserEventAgent: (NetworkExtension) [com.apple.networkextension:] Current file handles for com.apple.networkextension.file-descriptor-maintainer: ( "Network Agent Registration socket (114) D2185DAA-2D0D-4B56-BFD0-F673A0D8D1F2 97B30DB5-276E-4B23-9E7C-67F527967CB0 1", "Policy Session socket (115)")
2019-01-30 16:00:11.136352-0800 0x2cfa Default 0x0 42 0 UserEventAgent: (com.apple.networkextension) [com.apple.networkextension:] File Handle Maintainer listening for readable events on Network Agent Registration socket (114) D2185DAA-2D0D-4B56-BFD0-F673A0D8D1F2 97B30DB5-276E-4B23-9E7C-67F527967CB0 1
2019-01-30 16:00:11.136523-0800 0x2cfa Default 0x0 42 0 UserEventAgent: (NetworkExtension) [com.apple.networkextension:] Current file handles for com.apple.networkextension.file-descriptor-maintainer: ( "Network Agent Registration socket (115) D2185DAA-2D0D-4B56-BFD0-F673A0D8D1F2 97B30DB5-276E-4B23-9E7C-67F527967CB0 1", "Policy Session socket (114)")
2019-01-30 16:00:11.136539-0800 0x2cfa Default 0x0 42 0 UserEventAgent: (com.apple.networkextension) [com.apple.networkextension:] File Handle Maintainer listening for readable events on Network Agent Registration socket (115) D2185DAA-2D0D-4B56-BFD0-F673A0D8D1F2 97B30DB5-276E-4B23-9E7C-67F527967CB0 1
2019-01-30 16:00:11.137294-0800 0x2d15 Activity 0x5a4a 55 0 configd: processing network kernel events
2019-01-30 16:00:11.137325-0800 0x2d15 Activity 0x5a4b 55 0 configd: processing network kernel events
2019-01-30 16:00:11.137536-0800 0x2cfa Default 0x0 42 0 UserEventAgent: (NetworkExtension) [com.apple.networkextension:] Current file handles for com.apple.networkextension.file-descriptor-maintainer: ( "Network Agent Registration socket (114) D2185DAA-2D0D-4B56-BFD0-F673A0D8D1F2 97B30DB5-276E-4B23-9E7C-67F527967CB0 1", "Policy Session socket (115)")
2019-01-30 16:00:11.137552-0800 0x2cfa Default 0x0 42 0 UserEventAgent: (com.apple.networkextension) [com.apple.networkextension:] File Handle Maintainer listening for readable events on Network Agent Registration socket (114) D2185DAA-2D0D-4B56-BFD0-F673A0D8D1F2 97B30DB5-276E-4B23-9E7C-67F527967CB0 1
2019-01-30 16:00:11.138400-0800 0x2d0d Default 0x0 0 0 kernel: SIOCPROTODETACH_IN6: ipsec0 error=6
2019-01-30 16:00:11.138426-0800 0x2d15 Activity 0x5a4c 55 0 configd: processing network kernel events
2019-01-30 16:00:11.138582-0800 0x2cfe Activity 0x4512 611 0 nesessionmanager: NESM processing NEAgent exit event
2019-01-30 16:00:11.138935-0800 0x2cfe Default 0x4512 611 0 nesessionmanager: [com.apple.networkextension:] NESMIKEv2VPNSession[VPN (IKEv2):D2185DAA-2D0D-4B56-BFD0-F673A0D8D1F2]: status changed to disconnected, last stop reason Plugin failed
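A small triage script, added here as an example and not part of Jan's post or of Libreswan, that does on a file what the eye has to do on the responder log above: it groups pluto lines by IKE SA number (the "#370" tag), records every STATE_ each SA reached and whether it ended in "deleting incomplete state", and counts packets pluto could not tie to any live SA. An SA whose last logged state is STATE_PARENT_R1 (IKE_SA_INIT answered) before the incomplete-state timeout is one for which the responder never processed an IKE_AUTH. The sample log is constructed in the format of the lines in the post; the #380 lines are an assumed healthy exchange added for contrast and are not from the post. Standard library only.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the pluto lines in the post. The #380 lines
# are an assumed healthy exchange added for contrast; they are not from the post.
SAMPLE_LOG = """\
Jan 31 03:26:05 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #370: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP1024}
Jan 31 03:26:05 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #371: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP1024}
Jan 31 03:26:05 ip-10-0-0-194 pluto[18497]: packet from 12.11.11.11:500: INFORMATIONAL message request has no corresponding IKE SA
Jan 31 03:29:25 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #370: deleting incomplete state after 200.000 seconds
Jan 31 03:29:25 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #370: deleting state (STATE_PARENT_R1) aged 200.016s and NOT sending notification
Jan 31 03:29:25 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[28] 12.11.11.11 #371: deleting incomplete state after 200.000 seconds
Jan 31 03:29:25 ip-10-0-0-194 pluto[18497]: deleting connection "ikev2-cp"[28] 12.11.11.11 instance with peer 12.11.11.11 {isakmp=#0/ipsec=#0}
Jan 31 03:40:00 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[30] 12.11.11.12 #380: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP1024}
Jan 31 03:40:00 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[30] 12.11.11.12 #380: STATE_PARENT_R2: received v2I2, PARENT SA established {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP1024}
"""

# Lines that carry a connection instance and an IKE SA number:
#   "ikev2-cp"[28] 12.11.11.11 #370: STATE_PARENT_R1: received v2I1, sent v2R1 {...}
STATE_LINE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$'
)
# Packets pluto could not map to any IKE SA:
#   packet from 12.11.11.11:500: INFORMATIONAL message request has no corresponding IKE SA
ORPHAN_LINE = re.compile(
    r'pluto\[\d+\]: packet from (?P<peer>[^:]+):(?P<port>\d+): (?P<msg>.*no corresponding IKE SA.*)$'
)
STATE_NAME = re.compile(r'^(STATE_[A-Z0-9_]+):')


def triage(log_text):
    """Group pluto lines by IKE SA number and summarise how far each SA got.

    Returns (sas, orphans): sas maps an SA number such as '370' to a summary dict,
    orphans maps a peer address to the count of packets pluto could not tie to any SA.
    """
    sas = {}
    orphans = defaultdict(int)
    for line in log_text.splitlines():
        m = STATE_LINE.search(line)
        if m:
            sa = sas.setdefault(m['sa'], {
                'conn': m['conn'], 'peer': m['peer'], 'states': [],
                'established': False, 'deleted_incomplete': False,
            })
            msg = m['msg']
            s = STATE_NAME.match(msg)
            if s:
                sa['states'].append(s.group(1))
            if 'established' in msg:
                sa['established'] = True
            if msg.startswith('deleting incomplete state'):
                sa['deleted_incomplete'] = True
            continue
        o = ORPHAN_LINE.search(line)
        if o:
            orphans[o['peer']] += 1
    return sas, dict(orphans)


def stuck_after_init(log_text):
    """SA numbers where the responder answered IKE_SA_INIT but never logged a later state.

    STATE_PARENT_R1 is the responder having sent its IKE_SA_INIT reply. If that is
    still the last state when 'deleting incomplete state' fires, no IKE_AUTH was
    processed for that SA (it never arrived, or arrived in a form pluto did not tie to it).
    """
    sas, _ = triage(log_text)
    return sorted(
        (n for n, s in sas.items()
         if s['deleted_incomplete'] and not s['established']
         and s['states'] and s['states'][-1] == 'STATE_PARENT_R1'),
        key=int,
    )


def report(log_text):
    """Human-readable findings: stuck SAs first, then per-peer unmatched packets."""
    sas, orphans = triage(log_text)
    lines = []
    for n in stuck_after_init(log_text):
        s = sas[n]
        lines.append(f"#{n} {s['conn']} peer {s['peer']}: answered IKE_SA_INIT, "
                     f"no IKE_AUTH processed, state timed out")
    for peer, count in sorted(orphans.items()):
        lines.append(f"{peer}: {count} packet(s) whose SPIs matched no live IKE SA")
    return lines


if __name__ == '__main__':
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against a real log with `triage(open('/var/log/secure').read())`; an SA that goes STATE_PARENT_R1 then STATE_PARENT_R2 (as #380 does here) is the shape a working cert exchange leaves on the responder, and the stuck list tells you which peers to pull client-side logs for.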