Re: [strongSwan] NO_PROPOSAL_CHOSEN when using 5.6.2 on Ubuntu 18.04

2021-05-11 Thread Noel Kuntze

I'm sorry, I'm at my wit's end. Try restarting the daemon. Maybe that helps.

On 12.05.21 at 02:33, Karuna Sagar Krishna wrote:

Not sure if I fully understand. Did you mean to say - remove `auto=route` from 
default connection and add `auto=add` to each connection section? If yes, I 
made this change manually to ipsec.conf, ran `sudo ipsec update` but the status 
has not changed and I'm not able to ping the nodes.

--karuna


On Tue, May 11, 2021 at 5:13 PM Noel Kuntze wrote:

Oh. Right. You need to add auto=add to the configs. In your case, it's 
probably good if you'd change your script to add that to the conns inserted.

On 12.05.21 at 01:55, Karuna Sagar Krishna wrote:
> Shortened the connection names and changed the order (attached). Tried
> various orders and shorter names. Each time ran `sudo ipsec update` followed by
> `sudo ipsec statusall`. The status did not change each time; the status still
> shows the old name for established connection. And there is nothing specific to
> this experiment in the logs.
>
> --karuna
>








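A check for the symptom discussed in this thread (conn sections present in ipsec.conf that `sudo ipsec statusall` never lists, while the daemon still holds an old name), written as an added example that is not from the thread or from strongSwan: it parses both texts and diffs the file against what charon reports. The sample ipsec.conf and status text are constructed to mimic the 5.6.2 output quoted above, with shortened connection names; the `%default` merge and the `auto=ignore` default follow the ipsec.conf man page.

```python
import re

# Constructed ipsec.conf: two conns added by the scale-out script after the
# daemon started, one of them (hn3-kkafka) with no auto= line at all.
SAMPLE_CONF = """\
config setup

conn %default
    keyexchange=ikev2
    type=transport
    authby=pubkey
    left=10.0.0.14

conn hn0-kkafka
    right=10.0.0.15
    auto=add

conn hn2-kkafka
    right=10.0.0.18
    auto=add

conn hn3-kkafka
    right=10.0.0.19
"""

# Constructed `ipsec statusall` output in the 5.6.2 layout quoted in the thread
# (names shortened); hn1-kkafka is still loaded but no longer in the file.
SAMPLE_STATUS = """\
Status of IKE charon daemon (strongSwan 5.6.2, Linux 5.4.0-1046-azure, x86_64):
  uptime: 2 hours, since May 11 20:42:06 2021
Listening IP addresses:
  10.0.0.14
Connections:
hn0-kkafka:  10.0.0.14...10.0.0.15  IKEv2
hn0-kkafka:   local:  [CN=node-a] uses public key authentication
hn0-kkafka:   child:  dynamic === dynamic TRANSPORT
hn1-kkafka:  10.0.0.14...10.0.0.14  IKEv2
hn1-kkafka:   child:  dynamic === dynamic TRANSPORT
Routed Connections:
hn1-kkafka{2}:  ROUTED, TRANSPORT, reqid 2
Security Associations (1 up, 0 connecting):
hn0-kkafka[11]: ESTABLISHED 2 hours ago, 10.0.0.14[CN=node-a]...10.0.0.15[CN=node-b]
hn0-kkafka{3}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c73ba254_i c0ffd04a_o
"""

HEADINGS = ("Listening IP addresses:", "Connections:", "Routed Connections:",
            "Shunted Connections:", "Security Associations")
CONN_LINE = re.compile(r"^([^\s\[{:]+):")        # "name:   local: ..."
SA_LINE = re.compile(r"^([^\s\[{:]+)\[\d+\]:")   # "name[11]: ESTABLISHED ..."


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with the conn %default section merged in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                # section header: "conn foo", "config setup"
            parts = line.split()
            current = sections.setdefault(parts[1], {}) if parts[0] == "conn" and len(parts) == 2 else None
            continue
        if current is not None and "=" in line:  # indented "key=value" option line
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}


def parse_statusall(text):
    """Return (names listed under Connections:, names with an ESTABLISHED IKE_SA)."""
    loaded, established, section = set(), set(), None
    for line in text.splitlines():
        heading = next((h for h in HEADINGS if line.startswith(h)), None)
        if heading:
            section = heading
            continue
        if section == "Connections:":
            m = CONN_LINE.match(line)
            if m:
                loaded.add(m.group(1))
        elif section == "Security Associations":
            m = SA_LINE.match(line)             # "{n}:" CHILD_SA lines do not match
            if m:
                established.add(m.group(1))
    return loaded, established


def reload_report(conf_text, status_text):
    """Diff the file against the daemon: never loaded, stale, and unloadable conns."""
    conns = parse_ipsec_conf(conf_text)
    loaded, established = parse_statusall(status_text)
    return {
        "not_loaded": sorted(set(conns) - loaded),   # in ipsec.conf, unknown to charon
        "stale": sorted(loaded - set(conns)),        # charon still has it, file does not
        # auto defaults to ignore, so a reload never loads such a conn either
        "auto_ignore": sorted(n for n, o in conns.items() if o.get("auto", "ignore") == "ignore"),
        "established": sorted(established),
    }


if __name__ == "__main__":
    for key, names in reload_report(SAMPLE_CONF, SAMPLE_STATUS).items():
        print(f"{key:12s} {', '.join(names) or '-'}")
```

On a live node, feed it the real files instead: `reload_report(open('/etc/ipsec.conf').read(), subprocess.check_output(['ipsec', 'statusall'], text=True))`.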
Re: [strongSwan] NO_PROPOSAL_CHOSEN when using 5.6.2 on Ubuntu 18.04

2021-05-11 Thread Noel Kuntze

Okay, now we at least know the config line is actually read.

What happens when you change the order of the config lines or assign them 
shorter names?

On 12.05.21 at 01:41, Karuna Sagar Krishna wrote:

Yes, I tried that i.e. added some garbage line to ipsec.conf and issued `sudo 
ipsec update`. And I see the errors in the logs as expected. Later I reverted 
the garbage lines and issued `sudo ipsec update` but the issue remains i.e. no 
errors in the logs but the statusall hasn't changed.

May 11 23:20:03 hn1-kkafka ipsec[4941]: # unknown keyword 'something'
May 11 23:20:03 hn1-kkafka ipsec[4941]: ### 1 parsing error (0 fatal) ###
May 11 23:23:26 hn1-kkafka ipsec[4941]: # unknown keyword 'garbage'
May 11 23:23:26 hn1-kkafka ipsec[4941]: message repeated 8 times: [ # unknown 
keyword 'garbage']
May 11 23:23:26 hn1-kkafka ipsec[4941]: # unknown keyword 'garbage'

--karuna

On Tue, May 11, 2021 at 4:17 PM Noel Kuntze wrote:

Hi, please verify that the config file is actually used. For example add a 
deliberate syntax error. Like just garbage on a line. Check if the daemon 
and/or ipsec complains about that.

On 12.05.21 at 01:15, Karuna Sagar Krishna wrote:
> Thanks for the quick replies!
>
> Running `sudo ipsec update` or `sudo ipsec reload` is effectively a
> no-op. Captured the terminal output below:
>
>
>
> karkrish@hn1-kkafka:~$ sudo ipsec statusall


Re: [strongSwan] NO_PROPOSAL_CHOSEN when using 5.6.2 on Ubuntu 18.04

2021-05-11 Thread Noel Kuntze

Hi, please verify that the config file is actually used. For example add a 
deliberate syntax error. Like just garbage on a line. Check if the daemon 
and/or ipsec complains about that.

On 12.05.21 at 01:15, Karuna Sagar Krishna wrote:

Thanks for the quick replies!

Running `sudo ipsec update` or `sudo ipsec reload` is effectively a no-op. 
Captured the terminal output below:



karkrish@hn1-kkafka:~$ sudo ipsec statusall


Re: [strongSwan] NO_PROPOSAL_CHOSEN when using 5.6.2 on Ubuntu 18.04

2021-05-11 Thread Noel Kuntze

Alright, found it.

Please verify that it's the actual ipsec.conf that is loaded because there also 
aren't any errors regarding config files logged.
What happens when you run "ipsec update" or "ipsec reload" from the terminal?

Kind regards
Noel

On 12.05.21 at 01:09, Noel Kuntze wrote:

Okay, what's your complete ipsec.conf? Can you send it?

Kind regards
Noel

On 12.05.21 at 00:54, Karuna Sagar Krishna wrote:

Attaching full charon logs.

Can you help with the ipsec.conf interface? I'll plan to switch to swanctl 
going forward, but currently this is blocking our releases.

--karuna


On Tue, May 11, 2021 at 2:54 PM Noel Kuntze wrote:

    Hi,

    Full logs please, as shown on the HelpRequests[1] page on the wiki.
    Also, it's strongly recommended to use swanctl instead if possible. That's 
the better configuration backend.

    Kind regards
    Noel

    [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests 


    On 11.05.21 at 23:50, Karuna Sagar Krishna wrote:
    > Hi,
    >
    > I'm setting up an IPSec connection between a bunch of Ubuntu 18.04 LTS nodes. I'm using
    > Strongswan (Linux strongSwan U5.6.2/K5.4.0-1046-azure) on the Ubuntu nodes. The number of nodes
    > is dynamic i.e. there are frequent scale out/ins. So the ipsec.conf file (see attached) is
    > updated with additional conn sections and `sudo ipsec update` is used to reload the config
    > file. However, I've noticed intermittent network connectivity issues and the syslog shows ->
    > "no IKE config found for 10.0.0.14...10.0.0.18, sending NO_PROPOSAL_CHOSEN". Clearly,
    > the ipsec status shows that the daemon has not reloaded the config irrespective of issuing
    > `sudo ipsec update` multiple times.
    >
    > Can you help understand why the config is not updated and how to fix this
    > issue?
    >
    >
    >
    > IPSec status:
    > -
    >
    >  > sudo ipsec statusall
    >


Re: [strongSwan] NO_PROPOSAL_CHOSEN when using 5.6.2 on Ubuntu 18.04

2021-05-11 Thread Noel Kuntze

Okay, what's your complete ipsec.conf? Can you send it?

Kind regards
Noel

On 12.05.21 at 00:54, Karuna Sagar Krishna wrote:

Attaching full charon logs.

Can you help with the ipsec.conf interface? I'll plan to switch to swanctl 
going forward, but currently this is blocking our releases.

--karuna


On Tue, May 11, 2021 at 2:54 PM Noel Kuntze wrote:

Hi,

Full logs please, as shown on the HelpRequests[1] page on the wiki.
Also, it's strongly recommended to use swanctl instead if possible. That's 
the better configuration backend.

Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests 


On 11.05.21 at 23:50, Karuna Sagar Krishna wrote:
> Hi,
>
> I'm setting up an IPSec connection between a bunch of Ubuntu 18.04 LTS nodes. I'm using
> Strongswan (Linux strongSwan U5.6.2/K5.4.0-1046-azure) on the Ubuntu nodes. The number of nodes
> is dynamic i.e. there are frequent scale out/ins. So the ipsec.conf file (see attached) is
> updated with additional conn sections and `sudo ipsec update` is used to reload the config
> file. However, I've noticed intermittent network connectivity issues and the syslog shows ->
> "no IKE config found for 10.0.0.14...10.0.0.18, sending NO_PROPOSAL_CHOSEN". Clearly,
> the ipsec status shows that the daemon has not reloaded the config irrespective of issuing
> `sudo ipsec update` multiple times.
>
> Can you help understand why the config is not updated and how to fix this
> issue?
>
>
>
> IPSec status:
> -
>
>  > sudo ipsec statusall
>


Re: [strongSwan] NO_PROPOSAL_CHOSEN when using 5.6.2 on Ubuntu 18.04

2021-05-11 Thread Noel Kuntze

Hi,

Full logs please, as shown on the HelpRequests[1] page on the wiki.
Also, it's strongly recommended to use swanctl instead if possible. That's the 
better configuration backend.

Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 11.05.21 at 23:50, Karuna Sagar Krishna wrote:

Hi,

I'm setting up an IPSec connection between a bunch of Ubuntu 18.04 LTS nodes. I'm using 
Strongswan (Linux strongSwan U5.6.2/K5.4.0-1046-azure) on the Ubuntu nodes. The number of 
nodes is dynamic i.e. there are frequent scale out/ins. So the ipsec.conf file (see 
attached) is updated with additional conn sections and `sudo ipsec update` is used to reload 
the config file. However, I've noticed intermittent network connectivity issues and the 
syslog shows -> "no IKE config found for 10.0.0.14...10.0.0.18, sending 
NO_PROPOSAL_CHOSEN". Clearly, the ipsec status shows that the daemon has not reloaded 
the config irrespective of issuing `sudo ipsec update` multiple times.

Can you help understand why the config is not updated and how to fix this issue?



IPSec status:
-

 > sudo ipsec statusall

Status of IKE charon daemon (strongSwan 5.6.2, Linux 5.4.0-1046-azure, x86_64):
   uptime: 45 minutes, since May 11 20:42:07 2021
   malloc: sbrk 2703360, mmap 0, used 778800, free 1924560
   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
scheduled: 2
   loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce 
x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey 
pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve 
socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
   10.0.0.14
Connections:
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:  10.0.0.14...10.0.0.15  IKEv2
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   local:  [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   remote: [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   child:  dynamic === dynamic TRANSPORT
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:  10.0.0.14...10.0.0.14  IKEv2
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   local:  [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   remote: [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   child:  dynamic === dynamic TRANSPORT
Routed Connections:
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{2}:  ROUTED, TRANSPORT, reqid 2
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{2}: 10.0.0.14/32


Re: [strongSwan] NO_PROPOSAL_CHOSEN when using 5.6.2 on Ubuntu 18.04

2021-05-11 Thread Karuna Sagar Krishna
Ah of course `sudo ipsec restart` helps. But I'm hesitant to use it since it
breaks existing connections.

Would strace help, pasted it below:

sudo strace ipsec update

Re: [strongSwan] NO_PROPOSAL_CHOSEN when using 5.6.2 on Ubuntu 18.04

2021-05-11 Thread Karuna Sagar Krishna
Thanks for the quick replies!

Running `sudo ipsec update` or `sudo ipsec reload` is effectively a no-op.
Captured the terminal output below:



karkrish@hn1-kkafka:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 5.4.0-1046-azure,
x86_64):
  uptime: 2 hours, since May 11 20:42:06 2021
  malloc: sbrk 2703360, mmap 0, used 847536, free 1855824
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 2
  loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce
x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink
resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic
counters
Listening IP addresses:
  10.0.0.14
Connections:
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:
 10.0.0.14...10.0.0.15  IKEv2
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   local:
 [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key
authentication
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:cert:
 "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   remote:
[CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key
authentication
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:cert:
 "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   child:
 dynamic === dynamic TRANSPORT
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:
 10.0.0.14...10.0.0.14  IKEv2
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   local:
 [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key
authentication
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:cert:
 "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   remote:
[CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key
authentication
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:cert:
 "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   child:
 dynamic === dynamic TRANSPORT
Routed Connections:
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{5}:  ROUTED,
TRANSPORT, reqid 1
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{5}:
10.0.0.14/32 === 10.0.0.15/32
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{2}:  ROUTED,
TRANSPORT, reqid 2
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{2}:
10.0.0.14/32 === 10.0.0.14/32
Security Associations (1 up, 0 connecting):
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]:
ESTABLISHED 2 hours ago, 10.0.0.14[CN=
IP-37fa1445fc.hdinsight-stable.azure-test.net]...10.0.0.15[CN=
IP-37fa1445fc.hdinsight-stable.azure-test.net]
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: IKEv2
SPIs: 1536ce9853bef399_i c00b62dfefa5f4ce_r*, public key reauthentication
in 5 hours
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: IKE
proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:
 INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c73ba254_i c0ffd04a_o
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:
 AES_CBC_256/HMAC_SHA2_256_128, 220940 bytes_i (3942 pkts, 0s ago), 891540
bytes_o (2902 pkts, 1444s ago), rekeying in 5 hours
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:
10.0.0.14/32 === 10.0.0.15/32

karkrish@hn1-kkafka:~$ sudo ipsec update
Updating strongSwan IPsec configuration...

karkrish@hn1-kkafka:~$ echo $?
0

karkrish@hn1-kkafka:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 5.4.0-1046-azure,
x86_64):
  uptime: 2 hours, since May 11 20:42:06 2021
  malloc: sbrk 2703360, mmap 0, used 847984, free 1855376
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 2
  loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce
x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink
resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic
counters
Listening IP addresses:
  10.0.0.14
Connections:
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:
 10.0.0.14...10.0.0.15  IKEv2
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   local:
 [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key
authentication
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:cert:
 "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   remote:
[CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses pub

Re: [strongSwan] NO_PROPOSAL_CHOSEN when using 5.6.2 on Ubuntu 18.04

2021-05-11 Thread Karuna Sagar Krishna
Oh I thought I had attached it earlier. Sorry about that. Attached here.

--karuna

On Tue, May 11, 2021 at 4:09 PM Noel Kuntze wrote:

> Okay, what's your complete ipsec.conf? Can you send it?
>
> Kind regards
> Noel
>
> On 12.05.21 at 00:54, Karuna Sagar Krishna wrote:
> > Attaching full charon logs.
> >
> > Can you help with the ipsec.conf interface. I'll plan to switch to
> swanctl going forward, but currently this is blocking our releases.
> >
> > --karuna
> >
> >
> > On Tue, May 11, 2021 at 2:54 PM Noel Kuntze wrote:
> >
> > Hi,
> >
> > Full logs please, as shown on the HelpRequests[1] page on the wiki.
> > Also, it's strongly recommended to use swanctl instead if possible.
> That's the better configuration backend.
> >
> > Kind regards
> > Noel
> >
> > [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
> >
> > On 11.05.21 at 23:50, Karuna Sagar Krishna wrote:
> > > Hi,
> > >
> > > I'm setting up an IPSec connection between a bunch of Ubuntu 18.04
> LTS nodes. I'm using Strongswan (Linux strongSwan U5.6.2/K5.4.0-1046-azure)
> on the Ubuntu nodes. The number of nodes is dynamic i.e. there are frequent
> scale out/ins. So the ipsec.conf file (see attached) is updated with
> additional conn sections and `sudo ipsec update` is used to reload the
> config file. However, I've noticed intermittent network connectivity issues
> and the syslog shows -> "no IKE config found for 10.0.0.14...10.0.0.18,
> sending NO_PROPOSAL_CHOSEN". Clearly, the ipsec status shows that the
> daemon has not reloaded the config irrespective of issuing `sudo ipsec
> update` multiple times.
> > >
> > > Can you help understand why the config is not updated and how to
> fix this issue?
> > >
> > >
> > >
> > > IPSec status:
> > > -
> > >
> > >  > sudo ipsec statusall
> > >

[strongSwan] NO_PROPOSAL_CHOSEN when using 5.6.2 on Ubuntu 18.04

2021-05-11 Thread Karuna Sagar Krishna
Hi,

I'm setting up an IPsec connection between a bunch of Ubuntu 18.04 LTS
nodes. I'm using strongSwan (Linux strongSwan U5.6.2/K5.4.0-1046-azure) on
the Ubuntu nodes. The number of nodes is dynamic i.e. there are frequent
scale out/ins. So the ipsec.conf file (see attached) is updated with
additional conn sections and `sudo ipsec update` is used to reload the
config file. However, I've noticed intermittent network connectivity issues
and the syslog shows -> "no IKE config found for 10.0.0.14...10.0.0.18,
sending NO_PROPOSAL_CHOSEN". Clearly, the ipsec status shows that the
daemon has not reloaded the config irrespective of issuing `sudo ipsec
update` multiple times.

Can you help understand why the config is not updated and how to fix
this issue?



IPSec status:
-

> sudo ipsec statusall

Status of IKE charon daemon (strongSwan 5.6.2, Linux 5.4.0-1046-azure,
x86_64):
  uptime: 45 minutes, since May 11 20:42:07 2021
  malloc: sbrk 2703360, mmap 0, used 778800, free 1924560
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 2
  loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce
x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink
resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic
counters
Listening IP addresses:
  10.0.0.14
Connections:
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:  10.0.0.14...10.0.0.15  IKEv2
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   local:  [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   remote: [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   child:  dynamic === dynamic TRANSPORT
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:  10.0.0.14...10.0.0.14  IKEv2
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   local:  [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   remote: [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   child:  dynamic === dynamic TRANSPORT
Routed Connections:
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{2}:  ROUTED, TRANSPORT, reqid 2
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{2}:   10.0.0.14/32 === 10.0.0.14/32
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{1}:  ROUTED, TRANSPORT, reqid 1
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{1}:   10.0.0.14/32 === 10.0.0.15/32
Security Associations (1 up, 0 connecting):
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: ESTABLISHED 26 minutes ago, 10.0.0.14[CN=IP-37fa1445fc.hdinsight-stable.azure-test.net]...10.0.0.15[CN=IP-37fa1445fc.hdinsight-stable.azure-test.net]
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: IKEv2 SPIs: 1536ce9853bef399_i c00b62dfefa5f4ce_r*, public key reauthentication in 7 hours
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c73ba254_i c0ffd04a_o
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:  AES_CBC_256/HMAC_SHA2_256_128, 44961 bytes_i (822 pkts, 0s ago), 193357 bytes_o (570 pkts, 1557s ago), rekeying in 7 hours
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:   10.0.0.14/32 === 10.0.0.15/32


Charon logs:
-

May 11 21:23:20 hn1-kkafka charon: 09[NET] received packet: from 10.0.0.18[500] to 10.0.0.14[500] (536 bytes)
May 11 21:23:20 hn1-kkafka charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May 11 21:2
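The symptom in this post is a mismatch between what the daemon has loaded (`ipsec statusall`) and what peers are knocking (the `no IKE config found for A...B, sending NO_PROPOSAL_CHOSEN` lines). The following check, added here as an example and not part of the original post or of strongSwan, correlates the two: it parses the `Connections:` section of the stroke-style `ipsec statusall` output from 5.6.x, parses the charon rejection lines out of syslog, and reports every rejected peer for which no conn is currently loaded, plus any peer from an expected inventory (the list the scale-out script writes into ipsec.conf) that the daemon does not know about. The status and log samples embedded below are constructed for the example (conn names shortened, extra rejection lines made up in the same message format); in use, feed it the real `ipsec statusall` output and the charon lines from syslog. Endpoints are compared as strings with `%any` as a wildcard; a conn with `right=<hostname>` is not resolved, which is an assumption to keep in mind.

```python
import ipaddress
import re

# Constructed sample of `ipsec statusall` output (stroke-based charon, strongSwan 5.6.x),
# abridged to the shape shown in the post; conn names are shortened here.
SAMPLE_STATUS = """\
Status of IKE charon daemon (strongSwan 5.6.2, Linux 5.4.0-1046-azure, x86_64):
Listening IP addresses:
  10.0.0.14
Connections:
  hn0-kkafka:  10.0.0.14...10.0.0.15  IKEv2
  hn0-kkafka:   local:  [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
  hn0-kkafka:   child:  dynamic === dynamic TRANSPORT
  hn1-kkafka:  10.0.0.14...10.0.0.14  IKEv2
  hn1-kkafka:   child:  dynamic === dynamic TRANSPORT
Security Associations (1 up, 0 connecting):
  hn0-kkafka[11]: ESTABLISHED 26 minutes ago, 10.0.0.14[CN=IP-37fa1445fc.hdinsight-stable.azure-test.net]...10.0.0.15[CN=IP-37fa1445fc.hdinsight-stable.azure-test.net]
"""

# Constructed syslog sample in the charon message format quoted in the post.
# The first rejection predates the daemon's uptime in the status above, i.e. it was
# logged before the conn for 10.0.0.15 existed; the other two peers have no conn at all.
SAMPLE_LOG = """\
May 11 20:41:55 hn1-kkafka charon: 05[IKE] no IKE config found for 10.0.0.14...10.0.0.15, sending NO_PROPOSAL_CHOSEN
May 11 21:23:20 hn1-kkafka charon: 09[NET] received packet: from 10.0.0.18[500] to 10.0.0.14[500] (536 bytes)
May 11 21:23:20 hn1-kkafka charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May 11 21:23:20 hn1-kkafka charon: 09[IKE] no IKE config found for 10.0.0.14...10.0.0.18, sending NO_PROPOSAL_CHOSEN
May 11 21:24:02 hn1-kkafka charon: 12[IKE] no IKE config found for 10.0.0.14...10.0.0.16, sending NO_PROPOSAL_CHOSEN
"""

# "  name:  local...remote  IKEv2" lines of the Connections section.
CONN_RE = re.compile(r"^\s*(?P<name>[^\s:]+):\s+(?P<local>\S+)\.\.\.(?P<remote>\S+)\s+IKEv[12]\b")
# charon's rejection message; the endpoints are printed as local...remote.
NOCFG_RE = re.compile(r"no IKE config found for (?P<local>\S+)\.\.\.(?P<remote>\S+), sending NO_PROPOSAL_CHOSEN")


def _addr_key(s):
    """Sort IP addresses numerically; anything that is not an address sorts after them."""
    try:
        ip = ipaddress.ip_address(s)
        return (0, ip.version, int(ip))
    except ValueError:
        return (1, 0, s)


def loaded_conns(status_text):
    """Map conn name -> (local, remote) for every conn charon reports under "Connections:"."""
    conns = {}
    for line in status_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns[m.group("name")] = (m.group("local"), m.group("remote"))
    return conns


def rejected_peers(log_text):
    """(local, remote) pairs charon answered with NO_PROPOSAL_CHOSEN, in log order."""
    pairs = []
    for line in log_text.splitlines():
        m = NOCFG_RE.search(line)
        if m:
            pairs.append((m.group("local"), m.group("remote")))
    return pairs


def has_conn_for(conns, local, remote):
    """True if some loaded conn covers local...remote; %any on either side matches anything.
    Endpoints are compared as strings, so a conn using right=<hostname> is not resolved here."""
    return any(loc in ("%any", local) and rem in ("%any", remote) for loc, rem in conns.values())


def peers_without_conn(status_text, log_text):
    """Rejected peers for which no conn is loaded now: the ones `ipsec update` did not bring in."""
    conns = loaded_conns(status_text)
    missing = {rem for loc, rem in rejected_peers(log_text) if not has_conn_for(conns, loc, rem)}
    return sorted(missing, key=_addr_key)


def unloaded_expected(status_text, expected_peers):
    """Peers the inventory says should have a conn (the script that rewrites ipsec.conf
    knows them) but for which the running daemon has none loaded."""
    conns = loaded_conns(status_text)
    unloaded = [p for p in expected_peers if not any(rem in ("%any", p) for _, rem in conns.values())]
    return sorted(unloaded, key=_addr_key)


if __name__ == "__main__":
    # Against the constructed samples: 10.0.0.18 and 10.0.0.16 were rejected and have no conn;
    # 10.0.0.15 was rejected only before its conn was loaded, so it is not reported.
    print("rejected without conn:", peers_without_conn(SAMPLE_STATUS, SAMPLE_LOG))
    print("expected but unloaded:", unloaded_expected(SAMPLE_STATUS, ["10.0.0.15", "10.0.0.16", "10.0.0.18"]))
```

Run it after every `ipsec update` with the fresh `ipsec statusall` output: if a peer that the inventory expects shows up under "expected but unloaded", the daemon never took the new conn section, and restarting the reload loop will not help until the conn itself is loaded (the rest of this thread discusses `auto=` for exactly that). The swanctl/vici status output of newer releases has a different layout, so the `Connections:` parser here is specific to the stroke-based status shown in the post.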