Last active August 29, 2015 14:06
Gist shlevy/2e6a9496c0cf7d5d8619
Accepting connections from anyone with a cert

conn inbound
  left=%any
  right=%any
  rightid=%any
  auto=add
  type=transport
  leftcert=/etc/x509/strongswan.crt

conn outbound
  left=%any
  right=192.168.56.102
  auto=route
  type=transport
  leftcert=/etc/x509/strongswan.crt

ca all
  cacert=/nix/store/lnyyzrbnk8gf2kdalny59vvg1iq76ska-zalora-ca.crt

%any : RSA /etc/x509/strongswan.pem

Sep 19 19:13:46 machine1 systemd[1]: Starting Strongswan ipsec keying daemon...
Sep 19 19:13:46 machine1 systemd[1]: Started Strongswan ipsec keying daemon.
Sep 19 19:13:46 machine1 starter[1221]: Starting strongSwan 5.2.0 IPsec [starter]...
Sep 19 19:13:46 machine1 ipsec_starter[1221]: Starting strongSwan 5.2.0 IPsec [starter]...
Sep 19 19:13:46 machine1 ipsec_starter[1221]: no netkey IPsec stack detected
Sep 19 19:13:46 machine1 starter[1221]: no netkey IPsec stack detected
Sep 19 19:13:46 machine1 ipsec_starter[1221]: no KLIPS IPsec stack detected
Sep 19 19:13:46 machine1 ipsec_starter[1221]: no known IPsec stack detected, ignoring!
Sep 19 19:13:46 machine1 starter[1221]: no KLIPS IPsec stack detected
Sep 19 19:13:46 machine1 starter[1221]: no known IPsec stack detected, ignoring!
Sep 19 19:13:46 machine1 charon[1224]: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 3.12.28, x86_64)
Sep 19 19:13:46 machine1 charon[1224]: 00[KNL] received netlink error: Address family not supported by protocol (97)
Sep 19 19:13:46 machine1 charon[1224]: 00[KNL] unable to create IPv6 routing table rule
Sep 19 19:13:46 machine1 charon[1224]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep 19 19:13:46 machine1 charon[1224]: 00[LIB] opening directory '/etc/ipsec.d/cacerts' failed: No such file or directory
Sep 19 19:13:46 machine1 charon[1224]: 00[CFG] reading directory failed
Sep 19 19:13:46 machine1 charon[1224]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep 19 19:13:46 machine1 charon[1224]: 00[LIB] opening directory '/etc/ipsec.d/aacerts' failed: No such file or directory
Sep 19 19:13:46 machine1 charon[1224]: 00[CFG] reading directory failed
Sep 19 19:13:46 machine1 charon[1224]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep 19 19:13:46 machine1 charon[1224]: 00[LIB] opening directory '/etc/ipsec.d/ocspcerts' failed: No such file or directory
Sep 19 19:13:46 machine1 charon[1224]: 00[CFG] reading directory failed
Sep 19 19:13:46 machine1 charon[1224]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sep 19 19:13:46 machine1 charon[1224]: 00[LIB] opening directory '/etc/ipsec.d/acerts' failed: No such file or directory
Sep 19 19:13:46 machine1 charon[1224]: 00[CFG] reading directory failed
Sep 19 19:13:46 machine1 charon[1224]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep 19 19:13:46 machine1 charon[1224]: 00[LIB] opening directory '/etc/ipsec.d/crls' failed: No such file or directory
Sep 19 19:13:46 machine1 charon[1224]: 00[CFG] reading directory failed
Sep 19 19:13:46 machine1 charon[1224]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep 19 19:13:46 machine1 charon[1224]: 00[CFG] loaded RSA private key from '/etc/x509/strongswan.pem'
Sep 19 19:13:46 machine1 charon[1224]: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Sep 19 19:13:46 machine1 charon[1224]: 00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)
Sep 19 19:13:46 machine1 charon[1224]: 00[JOB] spawning 16 worker threads
Sep 19 19:13:46 machine1 ipsec_starter[1221]: charon (1224) started after 40 ms
Sep 19 19:13:46 machine1 starter[1221]: charon (1224) started after 40 ms
Sep 19 19:13:46 machine1 charon[1224]: 09[CFG] received stroke: add connection 'inbound'
Sep 19 19:13:46 machine1 charon[1224]: 09[CFG] left nor right host is our side, assuming left=local
Sep 19 19:13:46 machine1 charon[1224]: 09[CFG] loaded certificate "C=SG, ST=Singapore, O=Zalora, OU=DevOps, CN=strongswan-06d36f30e8d64567875c4c411ddbd8c2, E=it-services@zalora.com" from '/etc/x509/strongswan.crt'
Sep 19 19:13:46 machine1 charon[1224]: 09[CFG] id '%any' not confirmed by certificate, defaulting to 'C=SG, ST=Singapore, O=Zalora, OU=DevOps, CN=strongswan-06d36f30e8d64567875c4c411ddbd8c2, E=it-services@zalora.com'
Sep 19 19:13:46 machine1 charon[1224]: 09[CFG] added configuration 'inbound'
Sep 19 19:13:46 machine1 charon[1224]: 10[CFG] received stroke: add connection 'outbound'
Sep 19 19:13:46 machine1 charon[1224]: 10[CFG] left nor right host is our side, assuming left=local
Sep 19 19:13:46 machine1 charon[1224]: 10[CFG] loaded certificate "C=SG, ST=Singapore, O=Zalora, OU=DevOps, CN=strongswan-06d36f30e8d64567875c4c411ddbd8c2, E=it-services@zalora.com" from '/etc/x509/strongswan.crt'
Sep 19 19:13:46 machine1 charon[1224]: 10[CFG] id '%any' not confirmed by certificate, defaulting to 'C=SG, ST=Singapore, O=Zalora, OU=DevOps, CN=strongswan-06d36f30e8d64567875c4c411ddbd8c2, E=it-services@zalora.com'
Sep 19 19:13:46 machine1 charon[1224]: 10[CFG] added configuration 'outbound'
Sep 19 19:13:46 machine1 charon[1224]: 03[CFG] received stroke: route 'outbound'
Sep 19 19:13:46 machine1 ipsec_starter[1221]: 'outbound' routed
Sep 19 19:13:46 machine1 ipsec_starter[1221]:
Sep 19 19:13:46 machine1 starter[1221]: 'outbound' routed
Sep 19 19:13:48 machine1 charon[1224]: 13[KNL] creating acquire job for policy 192.168.56.101/32[tcp] === 192.168.56.102/32[tcp/http] with reqid {1}
Sep 19 19:13:48 machine1 charon[1224]: 13[IKE] initiating IKE_SA outbound[1] to 192.168.56.102
Sep 19 19:13:48 machine1 charon[1224]: 13[IKE] initiating IKE_SA outbound[1] to 192.168.56.102
Sep 19 19:13:48 machine1 charon[1224]: 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 19 19:13:48 machine1 charon[1224]: 13[NET] sending packet: from 192.168.56.101[500] to 192.168.56.102[500] (708 bytes)
Sep 19 19:13:48 machine1 charon[1224]: 16[NET] received packet: from 192.168.56.102[500] to 192.168.56.101[500] (440 bytes)
Sep 19 19:13:48 machine1 charon[1224]: 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Sep 19 19:13:48 machine1 charon[1224]: 16[IKE] authentication of 'C=SG, ST=Singapore, O=Zalora, OU=DevOps, CN=strongswan-06d36f30e8d64567875c4c411ddbd8c2, E=it-services@zalora.com' (myself) with RSA signature successful
Sep 19 19:13:48 machine1 charon[1224]: 16[IKE] establishing CHILD_SA outbound{1}
Sep 19 19:13:48 machine1 charon[1224]: 16[IKE] establishing CHILD_SA outbound{1}
Sep 19 19:13:48 machine1 charon[1224]: 16[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Sep 19 19:13:48 machine1 charon[1224]: 16[NET] sending packet: from 192.168.56.101[4500] to 192.168.56.102[4500] (828 bytes)
Sep 19 19:13:48 machine1 charon[1224]: 15[NET] received packet: from 192.168.56.102[4500] to 192.168.56.101[4500] (76 bytes)
Sep 19 19:13:48 machine1 charon[1224]: 15[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 19 19:13:48 machine1 charon[1224]: 15[IKE] received AUTHENTICATION_FAILED notify error

charon {
  user = strongswan
}

conn inbound
  left=%any
  right=%any
  rightid=%any
  auto=add
  type=transport
  leftcert=/etc/x509/strongswan.crt

ca all
  cacert=/nix/store/lnyyzrbnk8gf2kdalny59vvg1iq76ska-zalora-ca.crt

%any : RSA /etc/x509/strongswan.pem

Sep 19 19:13:27 machine2 systemd[1]: Starting Strongswan ipsec keying daemon...
Sep 19 19:13:27 machine2 systemd[1]: Started Strongswan ipsec keying daemon.
Sep 19 19:13:28 machine2 starter[1032]: 10[CFG] id '%any' not confirmed by certificate, defaulting to 'C=SG, ST=Singapore, O=Zalora, OU=DevOps, CN=strongswan-d7ff7b25fe2b43a3be8a8fa19f2ed2a6, E=it-services@zalora.com" from '/etc/x509/strongswan.crt'
Sep 19 19:13:28 machine2 starter[1032]: 10[CFG] added configuration 'inbound'
Sep 19 19:13:28 machine2 starter[1032]: 14[KNL] 192.168.56.102 appeared on enp0s8v1
Sep 19 19:13:28 machine2 starter[1032]: 02[KNL] 10.0.2.15 appeared on enp0s3
Sep 19 19:13:28 machine2 starter[1032]: 00[DMN] signal of type SIGINT received. Shutting down
Sep 19 19:13:28 machine2 starter[1032]: charon stopped after 200 ms
Sep 19 19:13:28 machine2 starter[1032]: received netlink error: Address family not supported by protocol (97)
Sep 19 19:13:28 machine2 starter[1032]: unable to create IPv6 routing table rule
Sep 19 19:13:28 machine2 starter[1032]: received netlink error: Address family not supported by protocol (97)
Sep 19 19:13:28 machine2 starter[1032]: ipsec starter stopped
Sep 19 19:13:28 machine2 starter[1212]: Starting strongSwan 5.2.0 IPsec [starter]...
Sep 19 19:13:28 machine2 ipsec_starter[1212]: Starting strongSwan 5.2.0 IPsec [starter]...
Sep 19 19:13:28 machine2 ipsec_starter[1212]: no netkey IPsec stack detected
Sep 19 19:13:28 machine2 starter[1212]: no netkey IPsec stack detected
Sep 19 19:13:28 machine2 ipsec_starter[1212]: no KLIPS IPsec stack detected
Sep 19 19:13:28 machine2 ipsec_starter[1212]: no known IPsec stack detected, ignoring!
Sep 19 19:13:28 machine2 starter[1212]: no KLIPS IPsec stack detected
Sep 19 19:13:28 machine2 starter[1212]: no known IPsec stack detected, ignoring!
Sep 19 19:13:28 machine2 charon[1215]: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 3.12.28, x86_64)
Sep 19 19:13:28 machine2 charon[1215]: 00[KNL] received netlink error: Address family not supported by protocol (97)
Sep 19 19:13:28 machine2 charon[1215]: 00[KNL] unable to create IPv6 routing table rule
Sep 19 19:13:28 machine2 charon[1215]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep 19 19:13:28 machine2 charon[1215]: 00[LIB] opening directory '/etc/ipsec.d/cacerts' failed: No such file or directory
Sep 19 19:13:28 machine2 charon[1215]: 00[CFG] reading directory failed
Sep 19 19:13:28 machine2 charon[1215]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep 19 19:13:28 machine2 charon[1215]: 00[LIB] opening directory '/etc/ipsec.d/aacerts' failed: No such file or directory
Sep 19 19:13:28 machine2 charon[1215]: 00[CFG] reading directory failed
Sep 19 19:13:28 machine2 charon[1215]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep 19 19:13:28 machine2 charon[1215]: 00[LIB] opening directory '/etc/ipsec.d/ocspcerts' failed: No such file or directory
Sep 19 19:13:28 machine2 charon[1215]: 00[CFG] reading directory failed
Sep 19 19:13:28 machine2 charon[1215]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sep 19 19:13:28 machine2 charon[1215]: 00[LIB] opening directory '/etc/ipsec.d/acerts' failed: No such file or directory
Sep 19 19:13:28 machine2 charon[1215]: 00[CFG] reading directory failed
Sep 19 19:13:28 machine2 charon[1215]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep 19 19:13:28 machine2 charon[1215]: 00[LIB] opening directory '/etc/ipsec.d/crls' failed: No such file or directory
Sep 19 19:13:28 machine2 charon[1215]: 00[CFG] reading directory failed
Sep 19 19:13:28 machine2 charon[1215]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep 19 19:13:28 machine2 charon[1215]: 00[CFG] loaded RSA private key from '/etc/x509/strongswan.pem'
Sep 19 19:13:28 machine2 charon[1215]: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Sep 19 19:13:28 machine2 charon[1215]: 00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)
Sep 19 19:13:28 machine2 charon[1215]: 00[JOB] spawning 16 worker threads
Sep 19 19:13:28 machine2 ipsec_starter[1212]: charon (1215) started after 20 ms
Sep 19 19:13:28 machine2 starter[1212]: charon (1215) started after 20 ms
Sep 19 19:13:28 machine2 charon[1215]: 05[CFG] received stroke: add connection 'inbound'
Sep 19 19:13:28 machine2 charon[1215]: 05[CFG] left nor right host is our side, assuming left=local
Sep 19 19:13:28 machine2 charon[1215]: 05[CFG] loaded certificate "C=SG, ST=Singapore, O=Zalora, OU=DevOps, CN=strongswan-d7ff7b25fe2b43a3be8a8fa19f2ed2a6, E=it-services@zalora.com" from '/etc/x509/strongswan.crt'
Sep 19 19:13:28 machine2 charon[1215]: 05[CFG] id '%any' not confirmed by certificate, defaulting to 'C=SG, ST=Singapore, O=Zalora, OU=DevOps, CN=strongswan-d7ff7b25fe2b43a3be8a8fa19f2ed2a6, E=it-services@zalora.com'
Sep 19 19:13:28 machine2 charon[1215]: 05[CFG] added configuration 'inbound'
Sep 19 19:13:48 machine2 charon[1215]: 05[NET] received packet: from 192.168.56.101[500] to 192.168.56.102[500] (708 bytes)
Sep 19 19:13:48 machine2 charon[1215]: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 19 19:13:48 machine2 charon[1215]: 05[IKE] 192.168.56.101 is initiating an IKE_SA
Sep 19 19:13:48 machine2 charon[1215]: 05[IKE] 192.168.56.101 is initiating an IKE_SA
Sep 19 19:13:48 machine2 charon[1215]: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Sep 19 19:13:48 machine2 charon[1215]: 05[NET] sending packet: from 192.168.56.102[500] to 192.168.56.101[500] (440 bytes)
Sep 19 19:13:48 machine2 charon[1215]: 10[NET] received packet: from 192.168.56.101[4500] to 192.168.56.102[4500] (828 bytes)
Sep 19 19:13:48 machine2 charon[1215]: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Sep 19 19:13:48 machine2 charon[1215]: 10[CFG] looking for peer configs matching 192.168.56.102[192.168.56.102]...192.168.56.101[C=SG, ST=Singapore, O=Zalora, OU=DevOps, CN=strongswan-06d36f30e8d64567875c4c411ddbd8c2, E=it-services@zalora.com]
Sep 19 19:13:48 machine2 charon[1215]: 10[CFG] no matching peer config found
Sep 19 19:13:48 machine2 charon[1215]: 10[IKE] peer supports MOBIKE
Sep 19 19:13:48 machine2 charon[1215]: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 19 19:13:48 machine2 charon[1215]: 10[NET] sending packet: from 192.168.56.102[4500] to 192.168.56.101[4500] (76 bytes)

charon {
  user = strongswan
}

16[NET] received packet: from 192.168.56.101[500] to 192.168.56.102[500] (708 bytes)
watcher got notification, rebuilding
watching 7 for reading
watcher going to select()
watched FD 7 ready to read
watcher going to select()
16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
watcher got notification, rebuilding
watching 7 for reading
watcher going to select()
watched FD 7 ready to read
watcher going to select()
16[IKE] 192.168.56.101 is initiating an IKE_SA
watcher got notification, rebuilding
watching 7 for reading
watcher going to select()
watched FD 7 ready to read
watcher going to select()
16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
watcher got notification, rebuilding
watching 7 for reading
watcher going to select()
watched FD 7 ready to read
watcher going to select()
16[NET] sending packet: from 192.168.56.102[500] to 192.168.56.101[500] (440 bytes)
watcher got notification, rebuilding
watching 7 for reading
watcher going to select()
watched FD 7 ready to read
watcher going to select()
13[NET] received packet: from 192.168.56.101[4500] to 192.168.56.102[4500] (828 bytes)
watcher got notification, rebuilding
watching 7 for reading
watcher going to select()
watched FD 7 ready to read
watcher going to select()
13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
watcher got notification, rebuilding
watching 7 for reading
watcher going to select()
watched FD 7 ready to read
watcher going to select()
13[CFG] looking for peer configs matching 192.168.56.102[192.168.56.102]...192.168.56.101[C=SG, ST=Singapore, O=Zalora, OU=DevOps, CN=strongswan-06d36f30e8d64567875c4c411ddbd8c2, E=it-services@zalora.com]
watcher got notification, rebuilding
watching 7 for reading
watcher going to select()
watched FD 7 ready to read
watcher going to select()
13[CFG] no matching peer config found
watcher got notification, rebuilding
watching 7 for reading
watcher going to select()
watched FD 7 ready to read
watcher going to select()
13[IKE] peer supports MOBIKE
watcher got notification, rebuilding
watching 7 for reading
watcher going to select()
watched FD 7 ready to read
watcher going to select()
13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
watcher got notification, rebuilding
watching 7 for reading
watcher going to select()
watched FD 7 ready to read
watcher going to select()
13[NET] sending packet: from 192.168.56.102[4500] to 192.168.56.101[4500] (76 bytes)
watcher got notification, rebuilding
watching 7 for reading
watcher going to select()