I'm currently trying to get IKEv2 to auth properly and having... issues.

First, I need to find out if this sort of thing is possible. I have
attached the relevant (scrubbed/redacted) conn profiles, pools, etc. for
the responder (the requester, in my test cases, is the Android
Strongswan app) along with logs of the responder and requester.

If it IS possible, what am I doing incorrectly?

The responder and requester both have certificates signed by the same CA
(an intermediate, in this case, but the chain is configured correctly as
far as I can tell).

Upon receiving a request with a valid certificate for a requestor, the
requester would then face a second auth round of EAP-Radius for a
username/password... except I get these errors on the responder:

Jul 12 22:01:08 fqdn.domain.tld charon-systemd[18204]: constraint check failed: EAP identity '%any' required
Jul 12 22:01:08 fqdn.domain.tld charon-systemd[18204]: selected peer config 'ikev2_fb_responder' unacceptable: non-matching authentication done

I feel like this is definitely possible, and I seem to recall an example
config that even demonstrates it, but I'm not sure what's going on.

Note that the eap-radius phase doesn't seem to even initiate as there's
nothing in the RADIUS logs.


In the attached files:
  - the requester IP has been changed to 203.0.113.2
  -- the requester's LAN IP has been changed to 192.0.2.2
  - the responder IP has been changed to 198.51.100.2
  - the FQDN of the responder has been changed to fqdn.domain.tld (and
the relevant domain references have been changed to domain.tld as such)
  - the org name has been changed (certificates, etc.) to FooBar


########################################################################
#                                                                      #
#              THIS FILE IS MANAGED BY SALT - DO NOT EDIT              #
#                                                                      #
# The contents of this file are managed by Salt. Any changes to this   #
# file may be overwritten automatically and without warning.           #
########################################################################

ikev1_responder {
        version = 1
        local_addrs = 198.51.100.2/32,2001:DB8:000F:1/128
        #pull = no
        encap = yes
        dpd_delay = 35s
        dpd_timeout = 200s
        reauth_time = 0
        rekey_time = 0
        pools = responder_ipv4,responder_ipv6_ula
        proposals = aes256-sha512-sha2_384-prfsha384-modp1024, aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-aesxcbc-sha256-sha1-modp4096-modp2048-modp1024, aes256-aes128-sha256-sha1-modp4096-modp2048, default
        local {
                auth = psk
                id = %any
        }
        remote {
                auth = psk
                round = 0
        }
        remote {
                auth = xauth-radius
                round = 1
        }
        children {
                net {
                        esp_proposals = aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp4096-modp2048-modp1024, aes128-aes256-sha1-sha256-modp4096-modp2048-modp1024, default
                        local_ts = 0.0.0.0/0,::/0
                }
        }
}

ikev2_fb_responder {
        version = 2
        local_addrs = 198.51.100.2/32,2001:DB8:000F:1/128
        send_cert = always
        fragmentation = yes
        pools = responder_ipv4,responder_ipv6_ula
        proposals = aes256-sha2_384-sha512-prfsha384-modp1024, aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-aesxcbc-sha256-sha1-modp4096-modp2048-modp1024, aes256-aes128-sha256-sha1-modp4096-modp2048, default
        encap = yes
        dpd_delay = 35s
        dpd_timeout = 200s
        send_certreq = yes
        reauth_time = 0
        rekey_time = 0
        local {
                auth = pubkey
                certs = /etc/pki/tls/certs/fb_responder.pem
                #id = O=FooBar (https://foobar.tld/), OU=nodes, CN=fqdn.domain.tld
                id = @fqdn.domain.tld
        }
        remote {
                auth = pubkey
                id = O=FooBar (https://foobar.tld/), OU=nodes, CN=*
                cacerts = /etc/pki/ca-trust/source/anchors/FooBar_CA.pem,/etc/pki/ca-trust/source/anchors/FooBar_Intermediate.pem
                round = 0
        }
        remote {
                auth = eap-radius
                eap_id = %any
                round = 1
        }
        children {
                net {
                        esp_proposals = aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp4096-modp2048-modp1024, aes128-aes256-sha1-sha256-modp4096-modp2048-modp1024, default
                        local_ts  = 0.0.0.0/0,::/0
                        rekey_time = 0
                }
        }
}

ikev2_le_responder {
        version = 2
        local_addrs = 198.51.100.2/32,2001:DB8:000F:1/128
        send_cert = always
        pools = responder_ipv4,responder_ipv6_ula
        proposals = aes256-sha2_384-sha512-prfsha384-modp1024, aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-aesxcbc-sha256-sha1-modp4096-modp2048-modp1024, aes256-aes128-sha256-sha1-modp4096-modp2048, default
        encap = yes
        dpd_delay = 35s
        dpd_timeout = 200s
        send_certreq = no
        reauth_time = 0
        rekey_time = 0
        local {
                auth = pubkey
                certs = /etc/letsencrypt/live/fqdn.domain.tld/fullchain.pem
                #id = CN=fqdn.domain.tld
                id = @fqdn.domain.tld
        }
        remote {
                auth = eap-radius
                eap_id = %any
        }
        children {
                net {
                        esp_proposals = aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp4096-modp2048-modp1024, aes128-aes256-sha1-sha256-modp4096-modp2048-modp1024, default
                        local_ts  = 0.0.0.0/0,::/0
                        rekey_time = 0
                }
        }
}

        responder_ipv4 {
                addrs = 10.9.0.0/24
                dns = 9.9.9.10,149.112.112.10
        }
        responder_ipv6_ula {
                addrs = fc00:1:beef:cafe::/64
                dns = 9.9.9.10,149.112.112.10
        }
        # This is not used anywhere/anyhow, but can theoretically be used to directly assign addresses to clients in a
        # GRE-like fashion.
        #responder_ipv6_pub {
        #       addrs = 2001:DB8:000F:1/128
        #       dns = 2620:fe::10,2620:fe::fe:10
        #}
Jul 13 13:43:50 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Jul 13 13:43:50 00[DMN] Starting IKE service (strongSwan 5.9.1rc1, Android 8.1.0 - lineage_star2lte-userdebug 8.1.0 OPM7.181205.001 24c4061e41/2019-05-05, SM-G965F - samsung/lineage_star2lte/samsung, Linux 4.9.133+, aarch64)
Jul 13 13:43:50 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Jul 13 13:43:50 00[JOB] spawning 16 worker threads
Jul 13 13:43:50 00[LIB] all OCSP validation disabled
Jul 13 13:43:50 00[LIB] all CRL validation disabled
Jul 13 13:43:50 05[CFG] loaded user certificate 'O=FooBar (https://foobar.tld/), OU=nodes, CN=userName' and private key
Jul 13 13:43:50 05[CFG] loaded CA certificate 'O=FooBar (https://foobar.tld/), OU=nodes, CN=FooBar Intermediate Authority'
Jul 13 13:43:50 05[CFG] loaded CA certificate 'O=FooBar (https://foobar.tld/), OU=nodes, CN=FooBar Root CA'
Jul 13 13:43:50 05[IKE] initiating IKE_SA android[3] to 198.51.100.2
Jul 13 13:43:50 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 13 13:43:50 05[NET] sending packet: from 192.0.2.2[49681] to 198.51.100.2[500] (716 bytes)
Jul 13 13:43:50 07[NET] received packet: from 198.51.100.2[500] to 192.0.2.2[49681] (38 bytes)
Jul 13 13:43:50 07[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jul 13 13:43:50 07[IKE] peer didn't accept DH group ECP_256, it requested MODP_4096
Jul 13 13:43:50 07[IKE] initiating IKE_SA android[3] to 198.51.100.2
Jul 13 13:43:50 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 13 13:43:50 07[NET] sending packet: from 192.0.2.2[49681] to 198.51.100.2[500] (1164 bytes)
Jul 13 13:43:50 08[NET] received packet: from 198.51.100.2[500] to 192.0.2.2[49681] (745 bytes)
Jul 13 13:43:50 08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jul 13 13:43:50 08[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_AES128_XCBC/MODP_4096
Jul 13 13:43:50 08[IKE] local host is behind NAT, sending keep alives
Jul 13 13:43:50 08[IKE] remote host is behind NAT
Jul 13 13:43:50 08[IKE] received cert request for "O=FooBar (https://foobar.tld/), OU=nodes, CN=FooBar Root CA"
Jul 13 13:43:50 08[IKE] sending cert request for "C=HU, L=Budapest, O=Microsec Ltd., CN=Microsec e-Szigno Root CA 2009, E=i...@e-szigno.hu"
Jul 13 13:43:50 08[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2"
Jul 13 13:43:50 08[IKE] sending cert request for "C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA"
Jul 13 13:43:50 08[IKE] sending cert request for "C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1"
Jul 13 13:43:50 08[IKE] sending cert request for "C=TR, L=Gebze - Kocaeli, O=T??rkiye Bilimsel ve Teknolojik Ara??t??rma Kurumu - T??B??TAK, OU=Ulusal Elektronik ve Kriptoloji Ara??t??rma Enstit??s?? - UEKAE, OU=Kamu Sertifikasyon Merkezi, CN=T??B??TAK UEKAE K??k Sertifika Hizmet Sa??lay??c??s?? - S??r??m 3"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA"
Jul 13 13:43:50 08[IKE] sending cert request for "C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden EV Root CA"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=thawte, Inc., OU=(c) 2007 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G2"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority"
Jul 13 13:43:50 08[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3 G3"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G3"
Jul 13 13:43:50 08[IKE] sending cert request for "C=CH, O=SwissSign AG, CN=SwissSign Silver CA - G2"
Jul 13 13:43:50 08[IKE] sending cert request for "C=CN, O=China Financial Certification Authority, CN=CFCA EV ROOT"
Jul 13 13:43:50 08[IKE] sending cert request for "C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R1"
Jul 13 13:43:50 08[IKE] sending cert request for "C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication RootCA2"
Jul 13 13:43:50 08[IKE] sending cert request for "O=Cybertrust, Inc, CN=Cybertrust Global Root"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Premium ECC"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4"
Jul 13 13:43:50 08[IKE] sending cert request for "C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Chambers of Commerce Root"
Jul 13 13:43:50 08[IKE] sending cert request for "C=PL, O=Krajowa Izba Rozliczeniowa S.A., CN=SZAFIR ROOT CA2"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3"
Jul 13 13:43:50 08[IKE] sending cert request for "C=IT, L=Milan, O=Actalis S.p.A./03358520967, CN=Actalis Authentication Root CA"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=SecureTrust Corporation, CN=Secure Global CA"
Jul 13 13:43:50 08[IKE] sending cert request for "C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA 2"
Jul 13 13:43:50 08[IKE] sending cert request for "OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - EC1"
Jul 13 13:43:50 08[IKE] sending cert request for "C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G3"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Global CA"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Primary Certification Authority"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1"
Jul 13 13:43:50 08[IKE] sending cert request for "C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G2"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2008 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G3"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2"
Jul 13 13:43:50 08[IKE] sending cert request for "C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R2"
Jul 13 13:43:50 08[IKE] sending cert request for "C=TW, O=Government Root Certification Authority"
Jul 13 13:43:50 08[IKE] sending cert request for "C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2"
Jul 13 13:43:50 08[IKE] sending cert request for "C=TR, L=Ankara, O=E-Tu??ra EBG Bili??im Teknolojileri ve Hizmetleri A.??., OU=E-Tugra Sertifikasyon Merkezi, CN=E-Tugra Certification Authority"
Jul 13 13:43:50 08[IKE] sending cert request for "C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Global Chambersign Root"
Jul 13 13:43:50 08[IKE] sending cert request for "C=PL, O=Unizeto Sp. z o.o., CN=Certum CA"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Premium"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA"
Jul 13 13:43:50 08[IKE] sending cert request for "C=FR, O=OpenTrust, CN=OpenTrust Root CA G1"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 2"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=SecureTrust Corporation, CN=SecureTrust CA"
Jul 13 13:43:50 08[IKE] sending cert request for "OU=GlobalSign ECC Root CA - R4, O=GlobalSign, CN=GlobalSign"
Jul 13 13:43:50 08[IKE] sending cert request for "C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 Root CA"
Jul 13 13:43:50 08[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 1 G3"
Jul 13 13:43:50 08[IKE] sending cert request for "O=TeliaSonera, CN=TeliaSonera Root CA v1"
Jul 13 13:43:50 08[IKE] sending cert request for "C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA"
Jul 13 13:43:50 08[IKE] sending cert request for "C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2"
Jul 13 13:43:50 08[IKE] sending cert request for "C=EU, L=Madrid (see current address at www.camerfirma.com/address), SN=A82743287, O=AC Camerfirma S.A., CN=Chambers of Commerce Root - 2008"
Jul 13 13:43:50 08[IKE] sending cert request for "C=LU, O=LuxTrust S.A., CN=LuxTrust Global Root 2"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=VISA, OU=Visa International Service Association, CN=Visa eCommerce Root"
Jul 13 13:43:50 08[IKE] sending cert request for "C=FR, O=Certplus, CN=Class 2 Primary CA"
Jul 13 13:43:50 08[IKE] sending cert request for "CN=ACEDICOM Root, OU=PKI, O=EDICOM, C=ES"
Jul 13 13:43:50 08[IKE] sending cert request for "C=TW, O=Chunghwa Telecom Co., Ltd., OU=ePKI Root Certification Authority"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 1"
Jul 13 13:43:50 08[IKE] sending cert request for "OU=GlobalSign ECC Root CA - R5, O=GlobalSign, CN=GlobalSign"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Networking"
Jul 13 13:43:50 08[IKE] sending cert request for "C=HK, O=Hongkong Post, CN=Hongkong Post Root CA 1"
Jul 13 13:43:50 08[IKE] sending cert request for "O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)"
Jul 13 13:43:50 08[IKE] sending cert request for "C=FR, O=Dhimyotis, CN=Certigna"
Jul 13 13:43:50 08[IKE] sending cert request for "C=FR, O=Certplus, CN=Certplus Root CA G1"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 3"
Jul 13 13:43:50 08[IKE] sending cert request for "C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority"
Jul 13 13:43:50 08[IKE] sending cert request for "CN=Atos TrustedRoot 2011, O=Atos, C=DE"
Jul 13 13:43:50 08[IKE] sending cert request for "OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign"
Jul 13 13:43:50 08[IKE] sending cert request for "C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 2"
Jul 13 13:43:50 08[IKE] sending cert request for "C=TR, L=Gebze - Kocaeli, O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK, OU=Kamu Sertifikasyon Merkezi - Kamu SM, CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
Jul 13 13:43:50 08[IKE] sending cert request for "C=CH, O=WISeKey, OU=Copyright (c) 2005, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GA CA"
Jul 13 13:43:50 08[IKE] sending cert request for "C=GR, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2011"
Jul 13 13:43:50 08[IKE] sending cert request for "C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root"
Jul 13 13:43:50 08[IKE] sending cert request for "C=FI, O=Sonera, CN=Sonera Class2 CA"
Jul 13 13:43:50 08[IKE] sending cert request for "C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068"
Jul 13 13:43:50 08[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority"
Jul 13 13:43:50 08[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=GeoTrust Inc., OU=(c) 2007 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G2"
Jul 13 13:43:50 08[IKE] sending cert request for "C=CH, O=WISeKey, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GB CA"
Jul 13 13:43:50 08[IKE] sending cert request for "C=FR, O=OpenTrust, CN=OpenTrust Root CA G2"
Jul 13 13:43:50 08[IKE] sending cert request for "CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA 2"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2007 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G4"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
Jul 13 13:43:50 08[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Certification Authority"
Jul 13 13:43:50 08[IKE] sending cert request for "C=BM, O=QuoVadis Limited, OU=Root Certification Authority, CN=QuoVadis Root Certification Authority"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 4"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=IdenTrust, CN=IdenTrust Public Sector Root CA 1"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA"
Jul 13 13:43:50 08[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2008 VeriSign, Inc. - For authorized use only, CN=VeriSign Universal Root Certification Authority"
Jul 13 13:43:50 08[IKE] sending cert request for "C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 3"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
Jul 13 13:43:50 08[IKE] sending cert request for "C=FR, O=Certplus, CN=Certplus Root CA G2"
Jul 13 13:43:50 08[IKE] sending cert request for "CN=T??RKTRUST Elektronik Sertifika Hizmet Sa??lay??c??s??, C=TR, L=Ankara, O=T??RKTRUST Bilgi ??leti??im ve Bili??im G??venli??i Hizmetleri A.??. (c) Aral??k 2007"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2"
Jul 13 13:43:50 08[IKE] sending cert request for "C=FR, O=OpenTrust, CN=OpenTrust Root CA G3"
Jul 13 13:43:50 08[IKE] sending cert request for "C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 EV 2009"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority"
Jul 13 13:43:50 08[IKE] sending cert request for "C=EU, L=Madrid (see current address at www.camerfirma.com/address), SN=A82743287, O=AC Camerfirma S.A., CN=Global Chambersign Root - 2008"
Jul 13 13:43:50 08[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority"
Jul 13 13:43:50 08[IKE] sending cert request for "C=ES, O=IZENPE S.A., CN=Izenpe.com"
Jul 13 13:43:50 08[IKE] sending cert request for "C=EE, O=AS Sertifitseerimiskeskus, CN=EE Certification Centre Root CA, E=p...@sk.ee"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=R3"
Jul 13 13:43:50 08[IKE] sending cert request for "C=HU, L=Budapest, O=NetLock Kft., OU=Tan??s??tv??nykiad??k (Certification Services), CN=NetLock Arany (Class Gold) F??tan??s??tv??ny"
Jul 13 13:43:50 08[IKE] sending cert request for "O=Digital Signature Trust Co., CN=DST Root CA X3"
Jul 13 13:43:50 08[IKE] sending cert request for "C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC"
Jul 13 13:43:50 08[IKE] sending cert request for "C=GB, O=Trustis Limited, OU=Trustis FPS Root CA"
Jul 13 13:43:50 08[IKE] sending cert request for "C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 Root CA"
Jul 13 13:43:50 08[IKE] sending cert request for "C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication EV RootCA1"
Jul 13 13:43:50 08[IKE] sending cert request for "C=ES, O=FNMT-RCM, OU=AC RAIZ FNMT-RCM"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G2"
Jul 13 13:43:50 08[IKE] sending cert request for "C=TR, L=Ankara, O=T??RKTRUST Bilgi ??leti??im ve Bili??im G??venli??i Hizmetleri A.??., CN=T??RKTRUST Elektronik Sertifika Hizmet Sa??lay??c??s?? H5"
Jul 13 13:43:50 08[IKE] sending cert request for "C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions ECC RootCA 2015"
Jul 13 13:43:50 08[IKE] sending cert request for "C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - Root CA"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=GeoTrust Inc., OU=(c) 2008 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G3"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2"
Jul 13 13:43:50 08[IKE] sending cert request for "C=RO, O=certSIGN, OU=certSIGN ROOT CA"
Jul 13 13:43:50 08[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=Digital Signature Trust, OU=DST ACES, CN=DST ACES CA X6"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Root Certificate Authority - G2"
Jul 13 13:43:50 08[IKE] sending cert request for "C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Global Root CA"
Jul 13 13:43:50 08[IKE] sending cert request for "C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 2009"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Commercial"
Jul 13 13:43:50 08[IKE] sending cert request for "C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - Autorit?? Racine"
Jul 13 13:43:50 08[IKE] sending cert request for "C=JP, O=Japan Certification Services, Inc., CN=SecureSign RootCA11"
Jul 13 13:43:50 08[IKE] sending cert request for "C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2015"
Jul 13 13:43:50 08[IKE] sending cert request for "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root"
Jul 13 13:43:50 08[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2"
Jul 13 13:43:50 08[IKE] sending cert request for "O=FooBar (https://foobar.tld/), OU=nodes, CN=FooBar Root CA"
Jul 13 13:43:50 08[IKE] sending cert request for "O=FooBar (https://foobar.tld/), OU=nodes, CN=FooBar Intermediate Authority"
Jul 13 13:43:50 08[IKE] authentication of 'O=FooBar (https://foobar.tld/), OU=nodes, CN=userName' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Jul 13 13:43:50 08[IKE] sending end entity cert "O=FooBar (https://foobar.tld/), OU=nodes, CN=userName"
Jul 13 13:43:50 08[IKE] sending issuer cert "O=FooBar (https://foobar.tld/), OU=nodes, CN=FooBar Intermediate Authority"
Jul 13 13:43:50 08[IKE] establishing CHILD_SA android{3}
Jul 13 13:43:50 08[ENC] generating IKE_AUTH request 1 [ IDi CERT CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) N(AUTH_FOLLOWS) ]
Jul 13 13:43:50 08[ENC] splitting IKE message (6945 bytes) into 6 fragments
Jul 13 13:43:50 08[ENC] generating IKE_AUTH request 1 [ EF(1/6) ]
Jul 13 13:43:50 08[ENC] generating IKE_AUTH request 1 [ EF(2/6) ]
Jul 13 13:43:50 08[ENC] generating IKE_AUTH request 1 [ EF(3/6) ]
Jul 13 13:43:50 08[ENC] generating IKE_AUTH request 1 [ EF(4/6) ]
Jul 13 13:43:50 08[ENC] generating IKE_AUTH request 1 [ EF(5/6) ]
Jul 13 13:43:50 08[ENC] generating IKE_AUTH request 1 [ EF(6/6) ]
Jul 13 13:43:50 08[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (1368 bytes)
Jul 13 13:43:50 08[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (1368 bytes)
Jul 13 13:43:50 08[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (1368 bytes)
Jul 13 13:43:50 08[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (1368 bytes)
Jul 13 13:43:50 08[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (1368 bytes)
Jul 13 13:43:50 08[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (414 bytes)
Jul 13 13:43:52 13[IKE] retransmit 1 of request with message ID 1
Jul 13 13:43:52 13[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (1368 bytes)
Jul 13 13:43:52 13[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (1368 bytes)
Jul 13 13:43:52 13[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (1368 bytes)
Jul 13 13:43:52 13[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (1368 bytes)
Jul 13 13:43:52 13[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (1368 bytes)
Jul 13 13:43:52 13[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (414 bytes)
Jul 13 13:43:55 14[IKE] retransmit 2 of request with message ID 1
Jul 13 13:43:55 14[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (1368 bytes)
Jul 13 13:43:55 14[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (1368 bytes)
Jul 13 13:43:55 14[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (1368 bytes)
Jul 13 13:43:55 14[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (1368 bytes)
Jul 13 13:43:55 14[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (1368 bytes)
Jul 13 13:43:55 14[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (414 bytes)
Jul 13 13:43:59 15[IKE] retransmit 3 of request with message ID 1
Jul 13 13:43:59 15[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (1368 bytes)
Jul 13 13:43:59 15[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (1368 bytes)
Jul 13 13:43:59 15[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (1368 bytes)
Jul 13 13:43:59 15[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (1368 bytes)
Jul 13 13:43:59 15[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (1368 bytes)
Jul 13 13:43:59 15[NET] sending packet: from 192.0.2.2[53801] to 198.51.100.2[4500] (414 bytes)
Jul 13 13:44:01 05[NET] received packet: from 198.51.100.2[4500] to 192.0.2.2[53801] (65 bytes)
Jul 13 13:44:01 05[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 13 13:44:01 05[IKE] received AUTHENTICATION_FAILED notify error


Jul 13 17:33:57 fqdn.domain.tld charon-systemd[18204]: received packet: from 203.0.113.2[60614] to 198.51.100.2[500] (716 bytes)
Jul 13 17:33:57 fqdn.domain.tld charon-systemd[18204]: parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 13 17:33:57 fqdn.domain.tld charon-systemd[18204]: 203.0.113.2 is initiating an IKE_SA
Jul 13 17:33:57 fqdn.domain.tld charon-systemd[18204]: selected proposal: IKE:AES_GCM_16_256/PRF_AES128_XCBC/MODP_4096
Jul 13 17:33:57 fqdn.domain.tld charon-systemd[18204]: remote host is behind NAT
Jul 13 17:33:57 fqdn.domain.tld charon-systemd[18204]: DH group ECP_256 unacceptable, requesting MODP_4096
Jul 13 17:33:57 fqdn.domain.tld charon-systemd[18204]: generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jul 13 17:33:57 fqdn.domain.tld charon-systemd[18204]: sending packet: from 198.51.100.2[500] to 203.0.113.2[60614] (38 bytes)
Jul 13 17:33:57 fqdn.domain.tld charon-systemd[18204]: received packet: from 203.0.113.2[60614] to 198.51.100.2[500] (1164 bytes)
Jul 13 17:33:57 fqdn.domain.tld charon-systemd[18204]: parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 13 17:33:57 fqdn.domain.tld charon-systemd[18204]: 203.0.113.2 is initiating an IKE_SA
Jul 13 17:33:57 fqdn.domain.tld charon-systemd[18204]: selected proposal: IKE:AES_GCM_16_256/PRF_AES128_XCBC/MODP_4096
Jul 13 17:33:57 fqdn.domain.tld charon-systemd[18204]: remote host is behind NAT
Jul 13 17:33:57 fqdn.domain.tld charon-systemd[18204]: sending cert request for "O=FooBar (https://foobar.tld/), OU=nodes, CN=FooBar Root CA"
Jul 13 17:33:57 fqdn.domain.tld charon-systemd[18204]: generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jul 13 17:33:57 fqdn.domain.tld charon-systemd[18204]: sending packet: from 198.51.100.2[500] to 203.0.113.2[60614] (745 bytes)
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: received packet: from 203.0.113.2[35812] to 198.51.100.2[4500] (1368 bytes)
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: parsed IKE_AUTH request 1 [ EF(1/6) ]
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: received fragment #1 of 6, waiting for complete IKE message
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: received packet: from 203.0.113.2[35812] to 198.51.100.2[4500] (1368 bytes)
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: parsed IKE_AUTH request 1 [ EF(2/6) ]
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: received fragment #2 of 6, waiting for complete IKE message
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: received packet: from 203.0.113.2[35812] to 198.51.100.2[4500] (1368 bytes)
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: parsed IKE_AUTH request 1 [ EF(3/6) ]
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: received fragment #3 of 6, waiting for complete IKE message
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: received packet: from 203.0.113.2[35812] to 198.51.100.2[4500] (1368 bytes)
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: parsed IKE_AUTH request 1 [ EF(4/6) ]
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: received fragment #4 of 6, waiting for complete IKE message
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: received packet: from 203.0.113.2[35812] to 198.51.100.2[4500] (1368 bytes)
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: parsed IKE_AUTH request 1 [ EF(5/6) ]
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: received fragment #5 of 6, waiting for complete IKE message
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: received packet: from 203.0.113.2[35812] to 198.51.100.2[4500] (414 bytes)
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: parsed IKE_AUTH request 1 [ EF(6/6) ]
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: received fragment #6 of 6, reassembled fragmented IKE message (6945 bytes)
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: parsed IKE_AUTH request 1 [ IDi CERT CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) N(AUTH_FOLLOWS) ]
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: received cert request for "O=FooBar (https://foobar.tld/), OU=nodes, CN=FooBar Root CA"
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: received 137 cert requests for an unknown ca
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: received end entity cert "O=FooBar (https://foobar.tld/), OU=nodes, CN=userName"
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: received issuer cert "O=FooBar (https://foobar.tld/), OU=nodes, CN=FooBar Intermediate Authority"
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: looking for peer configs matching 198.51.100.2[%any]...203.0.113.2[O=FooBar (https://foobar.tld/), OU=nodes, CN=userName]
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: selected peer config 'ikev2_fb_responder'
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]:   using certificate "O=FooBar (https://foobar.tld/), OU=nodes, CN=userName"
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]:   using untrusted intermediate certificate "O=FooBar (https://foobar.tld/), OU=nodes, CN=FooBar Intermediate Authority"
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]: checking certificate status of "O=FooBar (https://foobar.tld/), OU=nodes, CN=userName"
Jul 13 17:33:58 fqdn.domain.tld charon-systemd[18204]:   fetching crl from 'https://ca.foobar.tld/crl/node' ...
Jul 13 17:34:03 fqdn.domain.tld charon-systemd[18204]: libcurl request failed [7]: Failed to connect to ca.foobar.tld port 443: Connection timed out
Jul 13 17:34:03 fqdn.domain.tld charon-systemd[18204]: crl fetching failed
Jul 13 17:34:03 fqdn.domain.tld charon-systemd[18204]: certificate status is not available
Jul 13 17:34:03 fqdn.domain.tld charon-systemd[18204]:   using trusted ca certificate "O=FooBar (https://foobar.tld/), OU=nodes, CN=FooBar Root CA"
Jul 13 17:34:03 fqdn.domain.tld charon-systemd[18204]: checking certificate status of "O=FooBar (https://foobar.tld/), OU=nodes, CN=FooBar Intermediate Authority"
Jul 13 17:34:03 fqdn.domain.tld charon-systemd[18204]:   fetching crl from 'https://ca.foobar.tld/crl/node_ca' ...
Jul 13 17:34:08 fqdn.domain.tld charon-systemd[18204]: libcurl request failed [7]: Failed to connect to ca.foobar.tld port 443: Connection timed out
Jul 13 17:34:08 fqdn.domain.tld charon-systemd[18204]: crl fetching failed
Jul 13 17:34:08 fqdn.domain.tld charon-systemd[18204]: certificate status is not available
Jul 13 17:34:08 fqdn.domain.tld charon-systemd[18204]:   reached self-signed root ca with a path length of 1
Jul 13 17:34:08 fqdn.domain.tld charon-systemd[18204]: authentication of 'O=FooBar (https://foobar.tld/), OU=nodes, CN=userName' with RSA_EMSA_PKCS1_SHA2_384 successful
Jul 13 17:34:08 fqdn.domain.tld charon-systemd[18204]: constraint check failed: EAP identity '%any' required
Jul 13 17:34:08 fqdn.domain.tld charon-systemd[18204]: selected peer config 'ikev2_fb_responder' unacceptable: non-matching authentication done
Jul 13 17:34:08 fqdn.domain.tld charon-systemd[18204]: switching to peer config 'ikev2_le_responder'
Jul 13 17:34:08 fqdn.domain.tld charon-systemd[18204]: constraint check failed: EAP identity '%any' required
Jul 13 17:34:08 fqdn.domain.tld charon-systemd[18204]: selected peer config 'ikev2_le_responder' unacceptable: non-matching authentication done
Jul 13 17:34:08 fqdn.domain.tld charon-systemd[18204]: no alternative config found
Jul 13 17:34:08 fqdn.domain.tld charon-systemd[18204]: received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 13 17:34:08 fqdn.domain.tld charon-systemd[18204]: peer supports MOBIKE
Jul 13 17:34:08 fqdn.domain.tld charon-systemd[18204]: generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 13 17:34:08 fqdn.domain.tld charon-systemd[18204]: sending packet: from 198.51.100.2[4500] to 203.0.113.2[35812] (65 bytes)


        ike_responder {
                secret = foobar
                # id = %any
                id = responder_ikev1
        }
        private_le_responder {
                file = /etc/strongswan/swanctl/private/le_responder.pem
        }
        private_pki_responder {
                file = /etc/strongswan/swanctl/private/fb_responder.pem
        }
