[Swan] IKEv2 connection from Android drops after a few minutes

Beat Zahnd beat.zahnd at gmail.com
Wed Mar 11 19:39:26 UTC 2020


Only one step more

Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[13] 178.197.x.x #10: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[13] 178.197.x.x #10: processing decrypted IKE_AUTH request: SK{IDi,CERT,N,CERTREQ,AUTH,CP,N,SA,TSi,TSr,N,N,N,N}
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[13] 178.197.x.x #10: certificate verified OK: CN=bz
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[13] 178.197.x.x #10: certificate subjectAltName extension does not match ID_IPV4_ADDR '178.197.x.x'
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[13] 178.197.x.x #10: Peer CERT payload SubjectAltName does not match peer ID for this connection
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[13] 178.197.x.x #10: X509: connection allows unmatched IKE ID and certificate SAN
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[13] 178.197.x.x #10: switched from "ikev2-cp"[13] 178.197.x.x to "ikev2-cp"
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[14] 178.197.x.x #10: deleting connection "ikev2-cp"[13] 178.197.x.x instance with peer 178.197.x.x {isakmp=#0/ipsec=#0}
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[14] 178.197.x.x #10: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=bz'
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[14] 178.197.x.x #10: No acceptable ECDSA/RSA-PSS ASN.1 signature hash proposal included for rsasig in I2 Auth Payload
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[14] 178.197.x.x #10: responding to IKE_AUTH message (ID 1) from 178.197.x.x:41103 with encrypted notification AUTHENTICATION_FAILED
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[14] 178.197.x.x #10: encountered fatal error in state STATE_PARENT_R1
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[14] 178.197.x.x #10: deleting state (STATE_PARENT_R1) aged 0.494s and NOT sending notification
Mar 11 20:34:23 core pluto[29856]:  #10: deleting connection "ikev2-cp"[14] 178.197.x.x instance with peer 178.197.x.x {isakmp=#0/ipsec=#0}

> On 11 Mar 2020, at 20:29, Paul Wouters <paul at nohats.ca> wrote:
> 
> Your certificates are not properly generated, add require-id-on-certificate=no

What the hell is missing in the certs?
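Added example, not part of the original post or of Libreswan: a small Python triage helper that, for every AUTHENTICATION_FAILED notification in pluto syslog output, reports the message logged on the same state number (`#N`) immediately before it. The function name `auth_failures` and the regular expression are assumptions of this example, inferred only from the line format quoted in the post; the sample input is four lines copied from that log.

```python
import re

# Sample input: four lines taken from the log quoted in the post above.
SAMPLE = """\
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[13] 178.197.x.x #10: certificate verified OK: CN=bz
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[13] 178.197.x.x #10: X509: connection allows unmatched IKE ID and certificate SAN
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[14] 178.197.x.x #10: No acceptable ECDSA/RSA-PSS ASN.1 signature hash proposal included for rsasig in I2 Auth Payload
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[14] 178.197.x.x #10: responding to IKE_AUTH message (ID 1) from 178.197.x.x:41103 with encrypted notification AUTHENTICATION_FAILED
"""

# Assumed line shape: pluto[pid]: "conn"[instance] peer #state: message
# The connection/peer prefix is optional because some lines carry only "#state:".
LINE = re.compile(
    r'pluto\[\d+\]:\s+(?:"(?P<conn>[^"]+)"(?:\[\d+\])?\s+(?P<peer>\S+)\s+)?'
    r'#(?P<state>\d+):\s+(?P<msg>.*)$'
)


def auth_failures(log_text):
    """Return one record per AUTHENTICATION_FAILED notification, together with
    the message pluto logged on the same state just before sending it."""
    previous = {}   # state number -> last message seen on that state
    failures = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a per-state pluto line
        state, msg = m["state"], m["msg"]
        if "AUTHENTICATION_FAILED" in msg:
            failures.append({
                "state": state,
                "conn": m["conn"],
                "peer": m["peer"],
                "preceding": previous.get(state),
            })
        previous[state] = msg
    return failures


if __name__ == "__main__":
    for f in auth_failures(SAMPLE):
        print(f'#{f["state"]} {f["conn"]} {f["peer"]}: {f["preceding"]}')
```
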

