[Swan] iOS IKEv2 "ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy"
Heting Wang
meow at imlibra.me
Sun Jul 23 03:05:50 EEST 2023
I collected more information using plutodebug=tmi
Jul 22 22:57:17.604354: | spent 0 (0.00387) milliseconds in udp_read_packet() calling check_incoming_msg_errqueue()
Jul 22 22:57:17.604463: | newref struct msg_digest at 0xaaab12db4748(0->1) (udp_read_packet() +249 /programs/pluto/iface_udp.c)
Jul 22 22:57:17.604478: | addref struct iface_endpoint at 0xaaab12db2218(1->2) (udp_read_packet() +249 /programs/pluto/iface_udp.c)
Jul 22 22:57:17.604484: | newref alloc logger at 0xaaab12db1b08(0->1) (udp_read_packet() +249 /programs/pluto/iface_udp.c)
Jul 22 22:57:17.604493: | *received 604 bytes from 114.246.198.250:500 on eth1 172.31.2.1:500 using UDP
Jul 22 22:57:17.604674: | **parse ISAKMP Message:
Jul 22 22:57:17.604681: | initiator SPI: 8d 17 53 51 9c da 09 e3
Jul 22 22:57:17.604686: | responder SPI: 00 00 00 00 00 00 00 00
Jul 22 22:57:17.604691: | next payload type: ISAKMP_NEXT_v2SA (0x21)
Jul 22 22:57:17.604695: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
Jul 22 22:57:17.604699: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22)
Jul 22 22:57:17.604704: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
Jul 22 22:57:17.604709: | Message ID: 0 (00 00 00 00)
Jul 22 22:57:17.604714: | length: 604 (00 00 02 5c)
Jul 22 22:57:17.604719: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34)
Jul 22 22:57:17.604724: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request
Jul 22 22:57:17.604730: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi)
Jul 22 22:57:17.604735: | Now let's proceed with payload (ISAKMP_NEXT_v2SA)
Jul 22 22:57:17.604740: | ***parse IKEv2 Security Association Payload:
Jul 22 22:57:17.604744: | next payload type: ISAKMP_NEXT_v2KE (0x22)
Jul 22 22:57:17.604748: | flags: none (0x0)
Jul 22 22:57:17.604752: | length: 220 (00 dc)
Jul 22 22:57:17.604756: | processing payload: ISAKMP_NEXT_v2SA (len=216)
Jul 22 22:57:17.604760: | Now let's proceed with payload (ISAKMP_NEXT_v2KE)
Jul 22 22:57:17.604765: | ***parse IKEv2 Key Exchange Payload:
Jul 22 22:57:17.604769: | next payload type: ISAKMP_NEXT_v2Ni (0x28)
Jul 22 22:57:17.604773: | flags: none (0x0)
Jul 22 22:57:17.604777: | length: 264 (01 08)
Jul 22 22:57:17.604781: | DH group: OAKLEY_GROUP_MODP2048 (0xe)
Jul 22 22:57:17.604785: | processing payload: ISAKMP_NEXT_v2KE (len=256)
Jul 22 22:57:17.604789: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni)
Jul 22 22:57:17.604798: | ***parse IKEv2 Nonce Payload:
Jul 22 22:57:17.604803: | next payload type: ISAKMP_NEXT_v2N (0x29)
Jul 22 22:57:17.604807: | flags: none (0x0)
Jul 22 22:57:17.604812: | length: 20 (00 14)
Jul 22 22:57:17.604816: | processing payload: ISAKMP_NEXT_v2Ni (len=16)
Jul 22 22:57:17.604820: | Now let's proceed with payload (ISAKMP_NEXT_v2N)
Jul 22 22:57:17.604824: | ***parse IKEv2 Notify Payload:
Jul 22 22:57:17.604828: | next payload type: ISAKMP_NEXT_v2N (0x29)
Jul 22 22:57:17.604832: | flags: none (0x0)
Jul 22 22:57:17.604837: | length: 8 (00 08)
Jul 22 22:57:17.604841: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0)
Jul 22 22:57:17.604845: | SPI size: 0 (00)
Jul 22 22:57:17.604850: | Notify Message Type: v2N_REDIRECT_SUPPORTED (0x4016)
Jul 22 22:57:17.604854: | processing payload: ISAKMP_NEXT_v2N (len=0)
Jul 22 22:57:17.604859: | status notification v2N_REDIRECT_SUPPORTED saved
Jul 22 22:57:17.604863: | Now let's proceed with payload (ISAKMP_NEXT_v2N)
Jul 22 22:57:17.604867: | ***parse IKEv2 Notify Payload:
Jul 22 22:57:17.604871: | next payload type: ISAKMP_NEXT_v2N (0x29)
Jul 22 22:57:17.604875: | flags: none (0x0)
Jul 22 22:57:17.604879: | length: 28 (00 1c)
Jul 22 22:57:17.604883: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0)
Jul 22 22:57:17.604887: | SPI size: 0 (00)
Jul 22 22:57:17.604892: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004)
Jul 22 22:57:17.604896: | processing payload: ISAKMP_NEXT_v2N (len=20)
Jul 22 22:57:17.604900: | status notification v2N_NAT_DETECTION_SOURCE_IP saved
Jul 22 22:57:17.604904: | Now let's proceed with payload (ISAKMP_NEXT_v2N)
Jul 22 22:57:17.604908: | ***parse IKEv2 Notify Payload:
Jul 22 22:57:17.604912: | next payload type: ISAKMP_NEXT_v2N (0x29)
Jul 22 22:57:17.604916: | flags: none (0x0)
Jul 22 22:57:17.604920: | length: 28 (00 1c)
Jul 22 22:57:17.604924: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0)
Jul 22 22:57:17.604928: | SPI size: 0 (00)
Jul 22 22:57:17.604932: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
Jul 22 22:57:17.604937: | processing payload: ISAKMP_NEXT_v2N (len=20)
Jul 22 22:57:17.604940: | status notification v2N_NAT_DETECTION_DESTINATION_IP saved
Jul 22 22:57:17.604944: | Now let's proceed with payload (ISAKMP_NEXT_v2N)
Jul 22 22:57:17.604948: | ***parse IKEv2 Notify Payload:
Jul 22 22:57:17.604953: | next payload type: ISAKMP_NEXT_v2NONE (0x0)
Jul 22 22:57:17.604957: | flags: none (0x0)
Jul 22 22:57:17.604961: | length: 8 (00 08)
Jul 22 22:57:17.604965: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0)
Jul 22 22:57:17.604969: | SPI size: 0 (00)
Jul 22 22:57:17.604973: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e)
Jul 22 22:57:17.604977: | processing payload: ISAKMP_NEXT_v2N (len=0)
Jul 22 22:57:17.604981: | status notification v2N_IKEV2_FRAGMENTATION_SUPPORTED saved
Jul 22 22:57:17.604986: | DDOS disabled and no cookie sent, continuing
Jul 22 22:57:17.604993: | looking for transition from PARENT_R0 matching IKE_SA_INIT request: SA,KE,Ni,N(REDIRECT_SUPPORTED),N(NAT_DETECTION_SOURCE_IP),N(NAT_DETECTION_DESTINATION_IP),N(IKEV2_FRAGMENTATION_SUPPORTED)
Jul 22 22:57:17.604997: | trying: Respond to IKE_SA_INIT
Jul 22 22:57:17.605002: | unsecured message matched
Jul 22 22:57:17.605009: | ikev2_find_host_connection() 114.246.198.250->172.31.2.1 remote_authby=ECDSA
Jul 22 22:57:17.605015: | FOR_EACH_HOST_PAIR_CONNECTION(114.246.198.250->172.31.2.1) in (ikev2_find_host_connection() +126 /programs/pluto/ikev2_host_pair.c)
Jul 22 22:57:17.605021: | FOR_EACH_HOST_PAIR_CONNECTION(<unset-address>->172.31.2.1) in (ikev2_find_host_connection() +181 /programs/pluto/ikev2_host_pair.c)
Jul 22 22:57:17.605027: | ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no connection has been authorized with policy ECDSA
Jul 22 22:57:17.605032: | ikev2_find_host_connection() 114.246.198.250->172.31.2.1 remote_authby=RSASIG
Jul 22 22:57:17.605037: | FOR_EACH_HOST_PAIR_CONNECTION(114.246.198.250->172.31.2.1) in (ikev2_find_host_connection() +126 /programs/pluto/ikev2_host_pair.c)
Jul 22 22:57:17.605047: | FOR_EACH_HOST_PAIR_CONNECTION(<unset-address>->172.31.2.1) in (ikev2_find_host_connection() +181 /programs/pluto/ikev2_host_pair.c)
Jul 22 22:57:17.605052: | ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no connection has been authorized with policy RSASIG
Jul 22 22:57:17.605058: | ikev2_find_host_connection() 114.246.198.250->172.31.2.1 remote_authby=RSASIG_v1_5
Jul 22 22:57:17.605063: | FOR_EACH_HOST_PAIR_CONNECTION(114.246.198.250->172.31.2.1) in (ikev2_find_host_connection() +126 /programs/pluto/ikev2_host_pair.c)
Jul 22 22:57:17.605068: | FOR_EACH_HOST_PAIR_CONNECTION(<unset-address>->172.31.2.1) in (ikev2_find_host_connection() +181 /programs/pluto/ikev2_host_pair.c)
Jul 22 22:57:17.605073: | ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no connection has been authorized with policy RSASIG_v1_5
Jul 22 22:57:17.605079: | ikev2_find_host_connection() 114.246.198.250->172.31.2.1 remote_authby=PSK
Jul 22 22:57:17.605084: | FOR_EACH_HOST_PAIR_CONNECTION(114.246.198.250->172.31.2.1) in (ikev2_find_host_connection() +126 /programs/pluto/ikev2_host_pair.c)
Jul 22 22:57:17.605089: | FOR_EACH_HOST_PAIR_CONNECTION(<unset-address>->172.31.2.1) in (ikev2_find_host_connection() +181 /programs/pluto/ikev2_host_pair.c)
Jul 22 22:57:17.605094: | ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no connection has been authorized with policy PSK
Jul 22 22:57:17.605099: | ikev2_find_host_connection() 114.246.198.250->172.31.2.1 remote_authby=AUTH_NULL
Jul 22 22:57:17.605104: | FOR_EACH_HOST_PAIR_CONNECTION(114.246.198.250->172.31.2.1) in (ikev2_find_host_connection() +126 /programs/pluto/ikev2_host_pair.c)
Jul 22 22:57:17.605109: | FOR_EACH_HOST_PAIR_CONNECTION(<unset-address>->172.31.2.1) in (ikev2_find_host_connection() +181 /programs/pluto/ikev2_host_pair.c)
Jul 22 22:57:17.605114: | ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no connection has been authorized with policy AUTH_NULL
Jul 22 22:57:17.605121: packet from 114.246.198.250:500: ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy
Jul 22 22:57:17.605128: packet from 114.246.198.250:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 22 22:57:17.605132: | opening output PBS unencrypted notification response
Jul 22 22:57:17.605137: | **emit ISAKMP Message:
Jul 22 22:57:17.605142: | initiator SPI: 8d 17 53 51 9c da 09 e3
Jul 22 22:57:17.605147: | responder SPI: 00 00 00 00 00 00 00 00
Jul 22 22:57:17.605152: | next payload type: ISAKMP_NEXT_NONE (0x0)
Jul 22 22:57:17.605156: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
Jul 22 22:57:17.605160: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22)
Jul 22 22:57:17.605164: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
Jul 22 22:57:17.605169: | Message ID: 0 (00 00 00 00)
Jul 22 22:57:17.605173: | out_struct: 0 initiator SPI
Jul 22 22:57:17.605177: | out_struct: 8 responder SPI
Jul 22 22:57:17.605199: | out_struct: 16 next payload type
Jul 22 22:57:17.605203: | next payload chain: saving message location 'ISAKMP Message'.'next payload type'
Jul 22 22:57:17.605207: | out_struct: 17 ISAKMP version
Jul 22 22:57:17.605211: | out_struct: 18 exchange type
Jul 22 22:57:17.605215: | out_struct: 19 flags
Jul 22 22:57:17.605219: | out_struct: 20 Message ID
Jul 22 22:57:17.605223: | out_struct: 24 length
Jul 22 22:57:17.605228: | out_struct: 28 <end>
Jul 22 22:57:17.605232: | adding a v2N Payload
Jul 22 22:57:17.605236: | ***emit IKEv2 Notify Payload:
Jul 22 22:57:17.605240: | next payload type: ISAKMP_NEXT_v2NONE (0x0)
Jul 22 22:57:17.605244: | flags: none (0x0)
Jul 22 22:57:17.605248: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0)
Jul 22 22:57:17.605253: | SPI size: 0 (00)
Jul 22 22:57:17.605257: | Notify Message Type: v2N_NO_PROPOSAL_CHOSEN (0xe)
Jul 22 22:57:17.605261: | out_struct: 0 next payload type
Jul 22 22:57:17.605265: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
Jul 22 22:57:17.605275: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'unencrypted notification response'
Jul 22 22:57:17.605279: | out_struct: 1 flags
Jul 22 22:57:17.605283: | out_struct: 2 length
Jul 22 22:57:17.605287: | out_struct: 4 Protocol ID
Jul 22 22:57:17.605291: | out_struct: 5 SPI size
Jul 22 22:57:17.605295: | out_struct: 6 Notify Message Type
Jul 22 22:57:17.605299: | out_struct: 8 <end>
Jul 22 22:57:17.605304: | emitting 0 raw bytes of Notify data into IKEv2 Notify Payload
Jul 22 22:57:17.605308: | Notify data:
Jul 22 22:57:17.605312: | emitting length of IKEv2 Notify Payload: 8
Jul 22 22:57:17.605317: | emitting length of ISAKMP Message: 36
Jul 22 22:57:17.605324: | sending 36 bytes for v2 notify through eth1 from 172.31.2.1:500 to 114.246.198.250:500 using UDP (for #0)
Jul 22 22:57:17.605328: | 8d 17 53 51 9c da 09 e3 00 00 00 00 00 00 00 00 ..SQ............
Jul 22 22:57:17.605332: | 29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08 ) " .......$....
Jul 22 22:57:17.605336: | 00 00 00 0e ....
Jul 22 22:57:17.605365: | delref struct msg_digest at 0xaaab12db4748(1->0) (process_iface_packet() +295 /programs/pluto/demux.c)
Jul 22 22:57:17.605372: | releasing whack fd@(nil) for (process_iface_packet() +295 /programs/pluto/demux.c)
Jul 22 22:57:17.605377: | delref fd at NULL (process_iface_packet() +295 /programs/pluto/demux.c)
Jul 22 22:57:17.605385: | delref fd at NULL (process_iface_packet() +295 /programs/pluto/demux.c)
Jul 22 22:57:17.605390: | delref logger at 0xaaab12db1b08(1->0) (process_iface_packet() +295 /programs/pluto/demux.c)
Jul 22 22:57:17.605395: | delref struct iface_endpoint at 0xaaab12db2218(2->1) (process_iface_packet() +295 /programs/pluto/demux.c)
Jul 22 22:57:17.605403: | spent 1.01 (1.06) milliseconds in process_iface_packet() reading and processing packet
> On Jul 23, 2023, at 6:49 AM, Heting Wang <meow at imlibra.me> wrote:
>
> Hello,
>
> It’s listening, I tried "ipsec whack --listen" many times but it’s still the same:
>
>
> Jul 22 22:38:36.582586: "cert": added IKEv2 connection
> Jul 22 22:38:36.582671: listening for IKE messages
> Jul 22 22:38:36.582748: Kernel supports NIC esp-hw-offload
> Jul 22 22:38:36.582865: adding UDP interface docker0 172.17.0.1:500
> Jul 22 22:38:36.583132: adding UDP interface docker0 172.17.0.1:4500
> Jul 22 22:38:36.583173: adding UDP interface eth1 172.31.2.1:500
> Jul 22 22:38:36.583197: adding UDP interface eth1 172.31.2.1:4500
> Jul 22 22:38:36.583223: adding UDP interface eth0 172.31.1.1:500
> Jul 22 22:38:36.583247: adding UDP interface eth0 172.31.1.1:4500
> Jul 22 22:38:36.583270: adding UDP interface lo 127.0.0.1:500
> Jul 22 22:38:36.583295: adding UDP interface lo 127.0.0.1:4500
> Jul 22 22:38:36.583324: adding UDP interface lo [::1]:500
> Jul 22 22:38:36.583352: adding UDP interface lo [::1]:4500
> Jul 22 22:38:36.583378: adding UDP interface eth0 [2406:da14:5db:f400::e60]:500
> Jul 22 22:38:36.583401: adding UDP interface eth0 [2406:da14:5db:f400::e60]:4500
> Jul 22 22:38:36.583423: adding UDP interface eth0 [2406:da14:5db:f400:abcd::]:500
> Jul 22 22:38:36.583460: adding UDP interface eth0 [2406:da14:5db:f400:abcd::]:4500
> Jul 22 22:38:36.583484: adding UDP interface eth0 [2406:da14:5db:f400:e9d7:64ca:b008:4182]:500
> Jul 22 22:38:36.583508: adding UDP interface eth0 [2406:da14:5db:f400:e9d7:64ca:b008:4182]:4500
> Jul 22 22:38:36.583535: adding UDP interface eth1 [2406:da14:5db:f400:810a:b1ea:b7d5:47bd]:500
> Jul 22 22:38:36.583561: adding UDP interface eth1 [2406:da14:5db:f400:810a:b1ea:b7d5:47bd]:4500
> Jul 22 22:38:36.585769: loading secrets from "/etc/ipsec.secrets"
> Jul 22 22:38:36.585812: no secrets filename matched "/etc/ipsec.d/*.secrets"
> Jul 22 22:39:24.962183: listening for IKE messages
> Jul 22 22:39:24.962393: loading secrets from "/etc/ipsec.secrets"
> Jul 22 22:39:24.962423: no secrets filename matched "/etc/ipsec.d/*.secrets"
> Jul 22 22:40:14.605540: listening for IKE messages
> Jul 22 22:40:14.605798: loading secrets from "/etc/ipsec.secrets"
> Jul 22 22:40:14.605840: no secrets filename matched "/etc/ipsec.d/*.secrets"
> Jul 22 22:40:27.791023: listening for IKE messages
> Jul 22 22:40:27.791184: loading secrets from "/etc/ipsec.secrets"
> Jul 22 22:40:27.791215: no secrets filename matched "/etc/ipsec.d/*.secrets"
> Jul 22 22:42:11.073335: listening for IKE messages
> Jul 22 22:42:11.073494: loading secrets from "/etc/ipsec.secrets"
> Jul 22 22:42:11.073523: no secrets filename matched "/etc/ipsec.d/*.secrets"
> Jul 22 22:42:16.885759: packet from 114.246.198.250:500: ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy
> Jul 22 22:42:16.885784: packet from 114.246.198.250:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN
> Jul 22 22:42:17.855101: packet from 114.246.198.250:500: ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy
> Jul 22 22:42:17.855131: packet from 114.246.198.250:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN
>
>>> On Jul 23, 2023, at 5:01 AM, Paul Wouters <paul at nohats.ca> wrote:
>>> On Sat, 22 Jul 2023, Heting Wang wrote:
>>> I’m now migrating from StrongSwan to LibreSwan, it seems like it will never work with iOS
>> Your error is not related to iOS.
>>> conn cert
>>> ikev2=insist
>>> left=%defaultroute
>>> tail -f /var/log/pluto.log
>>> Jul 22 19:49:36.532020: adding UDP interface eth0 [2406:da14:5db:f400::e60]:500
>>> Jul 22 19:49:36.532049: adding UDP interface eth0 [2406:da14:5db:f400::e60]:4500
>>> Jul 22 19:49:36.532072: adding UDP interface eth0 [2406:da14:5db:f400:abcd::]:500
>>> Jul 22 19:49:36.532096: adding UDP interface eth0 [2406:da14:5db:f400:abcd::]:4500
>>> Jul 22 19:49:36.532119: adding UDP interface eth0 [2406:da14:5db:f400:e9d7:64ca:b008:4182]:500
>>> Jul 22 19:49:36.532142: adding UDP interface eth0 [2406:da14:5db:f400:e9d7:64ca:b008:4182]:4500
>>> Jul 22 19:49:36.532165: adding UDP interface eth1 [2406:da14:5db:f400:810a:b1ea:b7d5:47bd]:500
>>> Jul 22 19:49:36.532188: adding UDP interface eth1 [2406:da14:5db:f400:810a:b1ea:b7d5:47bd]:4500
>> It seems you are not listening on IPv4 IP addresses. Meaning libreswan
>> got started before the IP 172.31.2.1 was configured on the system?
>>> Jul 22 19:50:03.652462: packet from 114.246.198.250:500: ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with
>>> IKEv2 policy
>>> Jul 22 19:50:03.652512: packet from 114.246.198.250:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification
>>> NO_PROPOSAL_CHOSEN
>> As a workaround, you can try after the boot to issue "ipsec whack --listen" which should redo the IP
>> binding and pick up the now added 172.31.2.1 IP.
>> Paul
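A small pluto.log triage helper, added here as an example and not part of this thread or of libreswan itself. It matches the exact log wording quoted above ("adding UDP interface", the ikev2_find_host_connection() remote_authby lookups, and the "no suitable connection found with IKEv2 policy" verdict) and reports, for each rejected IKE_SA_INIT, whether pluto had bound the receiving address and which authby values the host-pair search tried, which separates the binding problem Paul described from a connection that simply does not cover the host pair. The sample log is constructed from lines in the thread (authby list trimmed), and the check-list hints in diagnose() are the editor's, not libreswan's.

```python
import re
from dataclasses import dataclass, field

# Patterns for the pluto.log lines this triage relies on (wording as libreswan logs
# it in the thread above); the timestamp and the "| " debug prefix are stripped first.
IFACE_RE = re.compile(r"adding UDP interface \S+ (?P<ip>\[[^\]]+\]|[0-9.]+):(?P<port>\d+)$")
LOOKUP_RE = re.compile(r"ikev2_find_host_connection\(\) (?P<remote>\S+)->(?P<local>\S+) "
                       r"remote_authby=(?P<authby>\S+)$")
NOMATCH_RE = re.compile(r"packet from (?P<remote>\S+):\d+: ISAKMP_v2_IKE_SA_INIT message received "
                        r"on (?P<local>\S+):(?P<port>\d+) but no suitable connection found with IKEv2 policy$")
NOTIFY_RE = re.compile(r"packet from (?P<remote>\S+):\d+: responding to IKE_SA_INIT .* "
                       r"with unencrypted notification (?P<notify>\S+)$")


@dataclass
class InitFailure:
    remote: str
    local: str
    port: str
    listening: bool                        # pluto had bound local:port earlier in the log
    authby_tried: list = field(default_factory=list)
    notify_sent: str = ""


def triage(log_text):
    # One InitFailure per rejected IKE_SA_INIT request found in log_text.
    bound, pending, failures = set(), [], []
    for line in log_text.splitlines():
        msg = line.split(": ", 1)[1] if ": " in line else line   # drop the timestamp
        msg = msg[2:] if msg.startswith("| ") else msg            # drop the debug marker
        if m := IFACE_RE.search(msg):
            bound.add((m["ip"], m["port"]))
        elif m := LOOKUP_RE.search(msg):
            pending.append((m["remote"], m["local"], m["authby"]))
        elif m := NOMATCH_RE.search(msg):
            tried = [a for r, l, a in pending if (r, l) == (m["remote"], m["local"])]
            pending.clear()
            failures.append(InitFailure(m["remote"], m["local"], m["port"],
                                        (m["local"], m["port"]) in bound, tried))
        elif (m := NOTIFY_RE.search(msg)) and failures and failures[-1].remote == m["remote"]:
            failures[-1].notify_sent = m["notify"]
    return failures


def diagnose(f):
    # Editor's check-list hints, keyed on what the log does and does not show.
    if not f.listening:
        return (f"{f.local}:{f.port} was never bound before the request from {f.remote}: "
                "pluto likely started before that address existed (ipsec whack --listen rebinds)")
    if f.authby_tried:
        return (f"{f.local}:{f.port} is bound, but no connection matches host pair "
                f"{f.remote}->{f.local} for any authby ({', '.join(f.authby_tried)}): "
                "check which local address the connection's left= resolved to")
    return "no host-pair lookup was logged for this request; rerun with plutodebug=tmi"


# Constructed sample, assembled from the lines quoted in the thread (authby list trimmed).
SAMPLE_LOG = """\
Jul 22 22:38:36.583173: adding UDP interface eth1 172.31.2.1:500
Jul 22 22:38:36.583223: adding UDP interface eth0 172.31.1.1:500
Jul 22 22:57:17.605009: | ikev2_find_host_connection() 114.246.198.250->172.31.2.1 remote_authby=ECDSA
Jul 22 22:57:17.605032: | ikev2_find_host_connection() 114.246.198.250->172.31.2.1 remote_authby=RSASIG
Jul 22 22:57:17.605079: | ikev2_find_host_connection() 114.246.198.250->172.31.2.1 remote_authby=PSK
Jul 22 22:57:17.605121: packet from 114.246.198.250:500: ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy
Jul 22 22:57:17.605128: packet from 114.246.198.250:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN
"""

if __name__ == "__main__":
    for failure in triage(SAMPLE_LOG):
        print(diagnose(failure))
```

Feed it the real file with `triage(open("/var/log/pluto.log").read())`; IPv6 interface lines are parsed as well, so the first log in the thread (only IPv6 addresses bound) is reported as the unbound case.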