GitHub user swill commented on the issue:
https://github.com/apache/cloudstack/pull/872
I have not been able to make the `Remote Access VPN` work with Mac. I have
tried both `L2TP over IPSec` and `Cisco IPSec` (bare ipsec, I believe); neither
works.
I am getting the same problems that Rohit had above. I have tested in 3
different network environments. From the office, from home and over 3G by
creating a wireless hotspot and I get the same results in all situations.
I have run the following command on the VR to enable more detailed logging:
`ipsec stroke loglevel cfg 2`.
Here is a dump of the logs when attempting to connect. It looks like the
connection is established, but there seems to be an issue doing the final
negotiation. I have been trying different configurations to see if I can find
one that works, but I have not been able to find a config that works yet. I
have also flushed my iptables to be sure it is not an issue with the firewall.
Here are the logs:
```
Oct 6 15:56:03 r-1968-VM charon: 02[NET] received packet: from
24.114.xx.yy[13429] to 74.121.ww.zz[500] (788 bytes)
Oct 6 15:56:03 r-1968-VM charon: 02[ENC] parsed ID_PROT request 0 [ SA V V
V V V V V V V V V V ]
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] looking for an ike config for
74.121.ww.zz...24.114.xx.yy
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] candidate: 74.121.ww.zz...%any,
prio 1052
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] found matching ike config:
74.121.ww.zz...%any with prio 1052
Oct 6 15:56:03 r-1968-VM charon: 02[IKE] received NAT-T (RFC 3947) vendor
ID
Oct 6 15:56:03 r-1968-VM charon: 02[IKE] received
draft-ietf-ipsec-nat-t-ike vendor ID
Oct 6 15:56:03 r-1968-VM charon: 02[IKE] received
draft-ietf-ipsec-nat-t-ike-08 vendor ID
Oct 6 15:56:03 r-1968-VM charon: 02[IKE] received
draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 6 15:56:03 r-1968-VM charon: 02[IKE] received
draft-ietf-ipsec-nat-t-ike-06 vendor ID
Oct 6 15:56:03 r-1968-VM charon: 02[IKE] received
draft-ietf-ipsec-nat-t-ike-05 vendor ID
Oct 6 15:56:03 r-1968-VM charon: 02[IKE] received
draft-ietf-ipsec-nat-t-ike-04 vendor ID
Oct 6 15:56:03 r-1968-VM charon: 02[IKE] received
draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 6 15:56:03 r-1968-VM charon: 02[IKE] received
draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 6 15:56:03 r-1968-VM charon: 02[IKE] received
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 6 15:56:03 r-1968-VM charon: 02[IKE] received FRAGMENTATION vendor ID
Oct 6 15:56:03 r-1968-VM charon: 02[IKE] received DPD vendor ID
Oct 6 15:56:03 r-1968-VM charon: 02[IKE] 24.114.xx.yy is initiating a Main
Mode IKE_SA
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
DIFFIE_HELLMAN_GROUP found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
PSEUDO_RANDOM_FUNCTION found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
DIFFIE_HELLMAN_GROUP found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] no acceptable
PSEUDO_RANDOM_FUNCTION found
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selecting proposal:
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] proposal matches
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160,
IKE:AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
Oct 6 15:56:03 r-1968-VM charon: 02[CFG] selected proposal:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 6 15:56:03 r-1968-VM charon: 02[ENC] generating ID_PROT response 0 [
SA V V V ]
Oct 6 15:56:03 r-1968-VM charon: 02[NET] sending packet: from
74.121.ww.zz[500] to 24.114.xx.yy[13429] (136 bytes)
Oct 6 15:56:03 r-1968-VM charon: 01[NET] received packet: from
24.114.xx.yy[13429] to 74.121.ww.zz[500] (380 bytes)
Oct 6 15:56:03 r-1968-VM charon: 01[ENC] parsed ID_PROT request 0 [ KE No
NAT-D NAT-D ]
Oct 6 15:56:03 r-1968-VM charon: 01[IKE] remote host is behind NAT
Oct 6 15:56:03 r-1968-VM charon: 01[ENC] generating ID_PROT response 0 [
KE No NAT-D NAT-D ]
Oct 6 15:56:03 r-1968-VM charon: 01[NET] sending packet: from
74.121.ww.zz[500] to 24.114.xx.yy[13429] (396 bytes)
Oct 6 15:56:03 r-1968-VM charon: 03[NET] received packet: from
24.114.xx.yy[13430] to 74.121.ww.zz[4500] (108 bytes)
Oct 6 15:56:03 r-1968-VM charon: 03[ENC] parsed ID_PROT request 0 [ ID
HASH N(INITIAL_CONTACT) ]
Oct 6 15:56:03 r-1968-VM charon: 03[CFG] looking for pre-shared key peer
configs matching 74.121.ww.zz...24.114.xx.yy[192.168.43.66]
Oct 6 15:56:03 r-1968-VM charon: 03[CFG] candidate "L2TP-PSK", match:
1/1/1052 (me/other/ike)
Oct 6 15:56:03 r-1968-VM charon: 03[CFG] selected peer config "L2TP-PSK"
Oct 6 15:56:03 r-1968-VM charon: 03[IKE] IKE_SA L2TP-PSK[6] established
between 74.121.ww.zz[74.121.ww.zz]...24.114.xx.yy[192.168.43.66]
Oct 6 15:56:03 r-1968-VM charon: 03[ENC] generating ID_PROT response 0 [
ID HASH ]
Oct 6 15:56:03 r-1968-VM charon: 03[NET] sending packet: from
74.121.ww.zz[4500] to 24.114.xx.yy[13430] (92 bytes)
Oct 6 15:56:04 r-1968-VM charon: 14[NET] received packet: from
24.114.xx.yy[13430] to 74.121.ww.zz[4500] (332 bytes)
Oct 6 15:56:04 r-1968-VM charon: 14[ENC] parsed QUICK_MODE request
4086740468 [ HASH SA No ID ID NAT-OA NAT-OA ]
Oct 6 15:56:04 r-1968-VM charon: 14[CFG] looking for a child config for
74.121.ww.zz/32[udp/l2f] === 24.114.xx.yy/32[udp/53141]
Oct 6 15:56:04 r-1968-VM charon: 14[CFG] proposing traffic selectors for
us:
Oct 6 15:56:04 r-1968-VM charon: 14[CFG] 74.121.ww.zz/32[udp/l2f]
Oct 6 15:56:04 r-1968-VM charon: 14[CFG] proposing traffic selectors for
other:
Oct 6 15:56:04 r-1968-VM charon: 14[CFG] 0.0.0.0/0[udp]
Oct 6 15:56:04 r-1968-VM charon: 14[CFG] candidate "L2TP-PSK" with prio
5+1
Oct 6 15:56:04 r-1968-VM charon: 14[CFG] found matching child config
"L2TP-PSK" with prio 6
Oct 6 15:56:04 r-1968-VM charon: 14[CFG] selecting traffic selectors for
other:
Oct 6 15:56:04 r-1968-VM charon: 14[CFG] config: 0.0.0.0/0[udp],
received: 24.114.xx.yy/32[udp/53141] => match: 24.114.xx.yy/32[udp/53141]
Oct 6 15:56:04 r-1968-VM charon: 14[CFG] selecting traffic selectors for
us:
Oct 6 15:56:04 r-1968-VM charon: 14[CFG] config:
74.121.ww.zz/32[udp/l2f], received: 74.121.ww.zz/32[udp/l2f] => match:
74.121.ww.zz/32[udp/l2f]
Oct 6 15:56:04 r-1968-VM charon: 14[IKE] no matching CHILD_SA config found
Oct 6 15:56:04 r-1968-VM charon: 14[ENC] generating INFORMATIONAL_V1
request 3901559225 [ HASH N(INVAL_ID) ]
Oct 6 15:56:04 r-1968-VM charon: 14[NET] sending packet: from
74.121.ww.zz[4500] to 24.114.xx.yy[13430] (92 bytes)
Oct 6 15:56:07 r-1968-VM charon: 07[NET] received packet: from
24.114.xx.yy[13430] to 74.121.ww.zz[4500] (332 bytes)
Oct 6 15:56:07 r-1968-VM charon: 07[IKE] received retransmit of request
with ID 4086740468, but no response to retransmit
Oct 6 15:56:10 r-1968-VM charon: 08[NET] received packet: from
24.114.xx.yy[13430] to 74.121.ww.zz[4500] (332 bytes)
Oct 6 15:56:10 r-1968-VM charon: 08[IKE] received retransmit of request
with ID 4086740468, but no response to retransmit
Oct 6 15:56:14 r-1968-VM charon: 06[NET] received packet: from
24.114.xx.yy[13430] to 74.121.ww.zz[4500] (332 bytes)
Oct 6 15:56:14 r-1968-VM charon: 06[IKE] received retransmit of request
with ID 4086740468, but no response to retransmit
Oct 6 15:56:17 r-1968-VM charon: 01[NET] received packet: from
24.114.xx.yy[13430] to 74.121.ww.zz[4500] (332 bytes)
Oct 6 15:56:17 r-1968-VM charon: 01[IKE] received retransmit of request
with ID 4086740468, but no response to retransmit
Oct 6 15:56:20 r-1968-VM charon: 15[NET] received packet: from
24.114.xx.yy[13430] to 74.121.ww.zz[4500] (332 bytes)
Oct 6 15:56:20 r-1968-VM charon: 15[IKE] received retransmit of request
with ID 4086740468, but no response to retransmit
Oct 6 15:56:24 r-1968-VM charon: 08[NET] received packet: from
24.114.xx.yy[13430] to 74.121.ww.zz[4500] (332 bytes)
Oct 6 15:56:24 r-1968-VM charon: 08[IKE] received retransmit of request
with ID 4086740468, but no response to retransmit
Oct 6 15:56:27 r-1968-VM charon: 12[NET] received packet: from
24.114.xx.yy[13430] to 74.121.ww.zz[4500] (332 bytes)
Oct 6 15:56:27 r-1968-VM charon: 12[IKE] received retransmit of request
with ID 4086740468, but no response to retransmit
Oct 6 15:56:30 r-1968-VM charon: 06[NET] received packet: from
24.114.xx.yy[13430] to 74.121.ww.zz[4500] (332 bytes)
Oct 6 15:56:30 r-1968-VM charon: 06[IKE] received retransmit of request
with ID 4086740468, but no response to retransmit
Oct 6 15:56:34 r-1968-VM charon: 02[NET] received packet: from
24.114.xx.yy[13430] to 74.121.ww.zz[4500] (332 bytes)
Oct 6 15:56:34 r-1968-VM charon: 02[IKE] received retransmit of request
with ID 4086740468, but no response to retransmit
Oct 6 15:56:34 r-1968-VM charon: 01[NET] received packet: from
24.114.xx.yy[13430] to 74.121.ww.zz[4500] (108 bytes)
Oct 6 15:56:34 r-1968-VM charon: 01[ENC] parsed INFORMATIONAL_V1 request
4023936214 [ HASH D ]
Oct 6 15:56:34 r-1968-VM charon: 01[IKE] received DELETE for IKE_SA
L2TP-PSK[6]
Oct 6 15:56:34 r-1968-VM charon: 01[IKE] deleting IKE_SA L2TP-PSK[6]
between 74.121.ww.zz[74.121.ww.zz]...24.114.xx.yy[192.168.43.66]
```
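A triage sketch for the charon log above, added here as an example and not part of swill's comment or of the CloudStack code: it rejoins the mail-wrapped log lines and reports whether the exchange stopped in phase 1 (IKE_SA, Main Mode here) or phase 2 (CHILD_SA, Quick Mode). The names `unwrap`, `summarize`, `failing_phase` and the rule keys are assumptions; the sample lines are taken from the log above in their wrapped form.

```python
import re
from collections import Counter

# Sample input: entries taken from the log above, still mail-wrapped.
SAMPLE = """\
Oct 6 15:56:03 r-1968-VM charon: 03[IKE] IKE_SA L2TP-PSK[6] established
between 74.121.ww.zz[74.121.ww.zz]...24.114.xx.yy[192.168.43.66]
Oct 6 15:56:04 r-1968-VM charon: 14[IKE] no matching CHILD_SA config found
Oct 6 15:56:04 r-1968-VM charon: 14[ENC] generating INFORMATIONAL_V1
request 3901559225 [ HASH N(INVAL_ID) ]
Oct 6 15:56:07 r-1968-VM charon: 07[IKE] received retransmit of request
with ID 4086740468, but no response to retransmit
Oct 6 15:56:10 r-1968-VM charon: 08[IKE] received retransmit of request
with ID 4086740468, but no response to retransmit
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")   # syslog timestamp
ENTRY = re.compile(r"charon: \d+\[[A-Z]+\] (.*)$")            # message after NN[GRP]
RULES = [  # (counter key, pattern matched at the start of the message)
    ("ike_sa_up", r"IKE_SA \S+ established"),
    ("child_sa_rejected", r"no matching CHILD_SA config found"),
    ("invalid_id_sent", r"generating INFORMATIONAL_V1 .*N\(INVAL_ID\)"),
    ("retransmits", r"received retransmit of request with ID \d+"),
]

def unwrap(text):
    """Rejoin continuation lines (no leading timestamp) onto their entry."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def summarize(text):
    counts = Counter()
    for entry in unwrap(text):
        m = ENTRY.search(entry)
        if m:
            counts.update(k for k, pat in RULES if re.match(pat, m.group(1)))
    return counts

def failing_phase(c):
    if not c["ike_sa_up"]:
        return "phase1"
    return "phase2" if c["child_sa_rejected"] or c["invalid_id_sent"] else None

if __name__ == "__main__":
    print(failing_phase(summarize(SAMPLE)), dict(summarize(SAMPLE)))
```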