trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0
28.98k stars 2.32k forks

Failed to establish VPN: Verifying server authentication failed #845

Closed bassel999 closed 6 years ago

bassel999 commented 6 years ago

OS / Environment

Ubuntu 16.04.4 x64

Cloud Provider (where do you deploy Algo to)

digitalocean

Summary of the problem

I created the first server without any problem using DigitalOcean. When I installed the same Algo to a new server on DigitalOcean, I started to get this error on strongSwan:
 "Failed to establish VPN: Verifying server authentication failed"

Full log


  What provider would you like to use?
    1. DigitalOcean
    2. Amazon Lightsail
    3. Amazon EC2
    4. Microsoft Azure
    5. Google Compute Engine
    6. Scaleway
    7. OpenStack (DreamCompute optimised)
    8. Install to existing Ubuntu 16.04 server

Enter the number of your desired provider
: 1

Enter your API token. The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens):
[pasted values will not be displayed]
:

Name the vpn server:
[algo.local]: vpn1

  What region should the server be located in?
    1.  Amsterdam        (Datacenter 2)
    2.  Amsterdam        (Datacenter 3)
    3.  Frankfurt
    4.  London
    5.  New York         (Datacenter 1)
    6.  New York         (Datacenter 2)
    7.  New York         (Datacenter 3)
    8.  San Francisco    (Datacenter 1)
    9.  San Francisco    (Datacenter 2)
    10. Singapore
    11. Toronto
    12. Bangalore
Enter the number of your desired region:
[7]: 7

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?
[y/N]: y

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?
[y/N]: y

List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
:

Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
[y/N]: y

Do you want each user to have their own account for SSH tunneling?
[y/N]: y

Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]: y

Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]: c

PLAY [Configure the server] ********************************************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [localhost]

TASK [Local pre-tasks] *************************************************************************************************
included: /home/Bassel/algo/playbooks/local.yml for localhost

TASK [Generate the SSH private key] ************************************************************************************
ok: [localhost]

TASK [Generate the SSH public key] *************************************************************************************
ok: [localhost]

TASK [Change mode for the SSH private key] *****************************************************************************
ok: [localhost]

TASK [Ensure the dynamic inventory exists] *****************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set the DigitalOcean Access Token fact] *****************************************************
ok: [localhost]

TASK [cloud-digitalocean : Delete the existing Algo SSH keys] **********************************************************
FAILED - RETRYING: Delete the existing Algo SSH keys (10 retries left).
ok: [localhost]

TASK [cloud-digitalocean : Upload the SSH key] *************************************************************************
changed: [localhost]

TASK [cloud-digitalocean : Creating a droplet...] **********************************************************************
changed: [localhost]

TASK [cloud-digitalocean : Add the droplet to an inventory group] ******************************************************
changed: [localhost]

TASK [cloud-digitalocean : set_fact] ***********************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Tag the droplet] ****************************************************************************
changed: [localhost]

TASK [cloud-digitalocean : Get droplets] *******************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Ensure the group digitalocean exists in the dynamic inventory file] *************************
ok: [localhost]

TASK [cloud-digitalocean : Populate the dynamic inventory] *************************************************************
ok: [localhost] => (item={u'status': u'active', u'kernel': None, u'volume_ids': [], u'locked': False, u'name': u'vpn2', u'backup_ids': [], u'created_at': u'2018-03-23T21:24:08Z', u'snapshot_ids': [], u'size_slug': u's-1vcpu-1gb', u'id': 86933944, u'next_backup_window': None, u'vcpus': 1, u'features': [u'ipv6'], u'image': {u'min_disk_size': 20, u'name': u'16.04.4 x64', u'created_at': u'2018-03-11T00:41:44Z', u'slug': u'ubuntu-16-04-x64', u'regions': [u'nyc1', u'sfo1', u'nyc2', u'ams2', u'sgp1', u'lon1', u'nyc3', u'ams3', u'fra1', u'tor1', u'sfo2', u'blr1'], u'public': True, u'distribution': u'Ubuntu', u'type': u'snapshot', u'id': 32481995, u'size_gigabytes': 0.3}, u'memory': 1024, u'region': {u'available': True, u'features': [u'private_networking', u'backups', u'ipv6', u'metadata', u'install_agent', u'storage'], u'slug': u'nyc1', u'name': u'New York 1', u'sizes': [u'32gb', u'16gb', u'2gb', u'1gb', u'4gb', u'8gb', u'512mb', u'64gb', u'48gb', u'c-16', u's-1vcpu-3gb', u'c-32', u'c-2', u'c-4', u'c-8', u'm-1vcpu-8gb', u'm-16gb', u'm-32gb', u'm-64gb', u'm-128gb', u'm-224gb', u's-1vcpu-1gb', u's-1vcpu-2gb', u's-2vcpu-2gb', u's-3vcpu-1gb', u's-2vcpu-4gb', u's-4vcpu-8gb', u's-6vcpu-16gb', u's-8vcpu-32gb', u's-12vcpu-48gb', u's-16vcpu-64gb', u's-20vcpu-96gb']}, u'disk': 25, u'networks': {u'v4': [{u'ip_address': u'67.207.93.208', u'netmask': u'255.255.240.0', u'type': u'public', u'gateway': u'67.207.80.1'}], u'v6': [{u'ip_address': u'2604:A880:0400:00D0:0000:0000:15F8:0001', u'netmask': 64, u'type': u'public', u'gateway': u'2604:A880:0400:00D0:0000:0000:0000:0001'}]}, u'tags': [u'Environment:Algo'], u'size': {u'price_monthly': 5.0, u'available': True, u'transfer': 1.0, u'price_hourly': 0.00744, u'regions': [u'ams2', u'ams3', u'blr1', u'fra1', u'lon1', u'nyc1', u'nyc2', u'nyc3', u'sfo1', u'sfo2', u'sgp1', u'tor1'], u'vcpus': 1, u'memory': 1024, u'disk': 25, u'slug': u's-1vcpu-1gb'}})
changed: [localhost] => (item={u'status': u'active', u'kernel': None, u'volume_ids': [], u'locked': False, u'name': u'vpn1', u'backup_ids': [], u'created_at': u'2018-03-24T00:13:48Z', u'snapshot_ids': [], u'size_slug': u's-1vcpu-1gb', u'id': 86947418, u'next_backup_window': None, u'vcpus': 1, u'features': [u'ipv6'], u'image': {u'min_disk_size': 20, u'name': u'16.04.4 x64', u'created_at': u'2018-03-11T00:41:44Z', u'slug': u'ubuntu-16-04-x64', u'regions': [u'nyc1', u'sfo1', u'nyc2', u'ams2', u'sgp1', u'lon1', u'nyc3', u'ams3', u'fra1', u'tor1', u'sfo2', u'blr1'], u'public': True, u'distribution': u'Ubuntu', u'type': u'snapshot', u'id': 32481995, u'size_gigabytes': 0.3}, u'memory': 1024, u'region': {u'available': True, u'features': [u'private_networking', u'backups', u'ipv6', u'metadata', u'install_agent', u'storage'], u'slug': u'nyc3', u'name': u'New York 3', u'sizes': [u'32gb', u'16gb', u'2gb', u'1gb', u'4gb', u'8gb', u'512mb', u'64gb', u'48gb', u'c-16', u's-1vcpu-3gb', u'c-32', u'c-2', u'c-4', u'c-8', u'm-1vcpu-8gb', u'm-16gb', u'm-32gb', u'm-64gb', u'm-128gb', u'm-224gb', u's-1vcpu-1gb', u's-1vcpu-2gb', u's-2vcpu-2gb', u's-3vcpu-1gb', u's-2vcpu-4gb', u's-4vcpu-8gb', u's-6vcpu-16gb', u's-8vcpu-32gb', u's-12vcpu-48gb', u's-16vcpu-64gb', u's-20vcpu-96gb']}, u'disk': 25, u'networks': {u'v4': [{u'ip_address': u'167.99.59.205', u'netmask': u'255.255.240.0', u'type': u'public', u'gateway': u'167.99.48.1'}], u'v6': [{u'ip_address': u'2604:A880:0800:00A1:0000:0000:1577:5001', u'netmask': 64, u'type': u'public', u'gateway': u'2604:A880:0800:00A1:0000:0000:0000:0001'}]}, u'tags': [u'Environment:Algo'], u'size': {u'price_monthly': 5.0, u'available': True, u'transfer': 1.0, u'price_hourly': 0.00744, u'regions': [u'ams2', u'ams3', u'blr1', u'fra1', u'lon1', u'nyc1', u'nyc2', u'nyc3', u'sfo1', u'sfo2', u'sgp1', u'tor1'], u'vcpus': 1, u'memory': 1024, u'disk': 25, u'slug': u's-1vcpu-1gb'}})

TASK [cloud-digitalocean : Delete the new Algo SSH key] ****************************************************************
FAILED - RETRYING: Delete the new Algo SSH key (10 retries left).
ok: [localhost]

TASK [Local post-tasks] ************************************************************************************************
included: /home/Bassel/algo/playbooks/post.yml for localhost

TASK [Wait until SSH becomes ready...] *********************************************************************************
ok: [localhost]

TASK [A short pause, in order to be sure the instance is ready] ********************************************************
Pausing for 20 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)
ok: [localhost]

TASK [include_tasks] ***************************************************************************************************
included: /home/Bassel/algo/playbooks/local_ssh.yml for localhost

TASK [Ensure the local ssh directory is exist] *************************************************************************
ok: [localhost]

TASK [Copy the algo ssh key to the local ssh directory] ****************************************************************
ok: [localhost]

PLAY [Configure the server and install required software] **************************************************************

TASK [Common pre-tasks] ************************************************************************************************
included: /home/Bassel/algo/playbooks/common.yml for 167.99.59.205

TASK [Check the system] ************************************************************************************************
changed: [167.99.59.205]

TASK [Ubuntu pre-tasks] ************************************************************************************************
included: /home/Bassel/algo/playbooks/ubuntu.yml for 167.99.59.205

TASK [Ubuntu | Install prerequisites] **********************************************************************************
changed: [167.99.59.205]

TASK [Ubuntu | Configure defaults] *************************************************************************************
changed: [167.99.59.205]

TASK [FreeBSD pre-tasks] ***********************************************************************************************
skipping: [167.99.59.205]

TASK [include_tasks] ***************************************************************************************************
included: /home/Bassel/algo/playbooks/facts/main.yml for 167.99.59.205

TASK [Gather Facts] ****************************************************************************************************
ok: [167.99.59.205]

TASK [Ensure the algo ssh key exist on the server] *********************************************************************
ok: [167.99.59.205]

TASK [Enable IPv6] *****************************************************************************************************
ok: [167.99.59.205]

TASK [Set facts if the deployment in a cloud] **************************************************************************
ok: [167.99.59.205]

TASK [Generate password for the CA key] ********************************************************************************
changed: [167.99.59.205 -> localhost]

TASK [Generate p12 export password] ************************************************************************************
changed: [167.99.59.205 -> localhost]

TASK [Define password facts] *******************************************************************************************
ok: [167.99.59.205]

TASK [Define the commonName] *******************************************************************************************
ok: [167.99.59.205]

TASK [common : include_tasks] ******************************************************************************************
included: /home/Bassel/algo/roles/common/tasks/ubuntu.yml for 167.99.59.205

TASK [common : Install software updates] *******************************************************************************
changed: [167.99.59.205]

TASK [common : Check if reboot is required] ****************************************************************************
changed: [167.99.59.205]

TASK [common : Reboot] *************************************************************************************************
skipping: [167.99.59.205]

TASK [common : Wait until SSH becomes ready...] ************************************************************************
skipping: [167.99.59.205]

TASK [common : Include unatteded upgrades configuration] ***************************************************************
included: /home/Bassel/algo/roles/common/tasks/unattended-upgrades.yml for 167.99.59.205

TASK [common : Install unattended-upgrades] ****************************************************************************
ok: [167.99.59.205]

TASK [common : Configure unattended-upgrades] **************************************************************************
changed: [167.99.59.205]

TASK [common : Periodic upgrades configured] ***************************************************************************
changed: [167.99.59.205]

TASK [common : Disable MOTD on login and SSHD] *************************************************************************
changed: [167.99.59.205] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/login'})
changed: [167.99.59.205] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/sshd'})

TASK [common : Install system specific tools] **************************************************************************
ok: [167.99.59.205] => (item=ifupdown)

TASK [common : Ensure the interfaces directory exists] *****************************************************************
ok: [167.99.59.205]

TASK [common : Loopback for services configured] ***********************************************************************
changed: [167.99.59.205]

TASK [common : Loopback included into the network config] **************************************************************
changed: [167.99.59.205]

RUNNING HANDLER [common : restart loopback] ****************************************************************************
changed: [167.99.59.205]

TASK [common : Check apparmor support] *********************************************************************************
changed: [167.99.59.205]

TASK [common : set_fact] ***********************************************************************************************
ok: [167.99.59.205]

TASK [common : set_fact] ***********************************************************************************************
ok: [167.99.59.205]

TASK [common : include_tasks] ******************************************************************************************
skipping: [167.99.59.205]

TASK [common : Install tools] ******************************************************************************************
ok: [167.99.59.205] => (item=git)
ok: [167.99.59.205] => (item=screen)
changed: [167.99.59.205] => (item=apparmor-utils)
ok: [167.99.59.205] => (item=uuid-runtime)
ok: [167.99.59.205] => (item=coreutils)
changed: [167.99.59.205] => (item=iptables-persistent)
changed: [167.99.59.205] => (item=cgroup-tools)
ok: [167.99.59.205] => (item=openssl)

TASK [common : Sysctl tuning] ******************************************************************************************
changed: [167.99.59.205] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1})
changed: [167.99.59.205] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1})
changed: [167.99.59.205] => (item={u'item': u'net.ipv6.conf.all.forwarding', u'value': 1})

TASK [dns_adblocking : The DNS tag is defined] *************************************************************************
ok: [167.99.59.205]

TASK [dns_adblocking : Dnsmasq installed] ******************************************************************************
changed: [167.99.59.205]

TASK [dns_adblocking : Ensure that the dnsmasq user exist] *************************************************************
changed: [167.99.59.205]

TASK [dns_adblocking : The dnsmasq directory created] ******************************************************************
changed: [167.99.59.205]

TASK [dns_adblocking : include_tasks] **********************************************************************************
included: /home/Bassel/algo/roles/dns_adblocking/tasks/ubuntu.yml for 167.99.59.205

TASK [dns_adblocking : Ubuntu | Dnsmasq profile for apparmor configured] ***********************************************
changed: [167.99.59.205]

TASK [dns_adblocking : Ubuntu | Enforce the dnsmasq AppArmor policy] ***************************************************
changed: [167.99.59.205]

TASK [dns_adblocking : Ubuntu | Ensure that the dnsmasq service directory exist] ***************************************
changed: [167.99.59.205]

TASK [dns_adblocking : Ubuntu | Setup the cgroup limitations for the ipsec daemon] *************************************
changed: [167.99.59.205]

TASK [dns_adblocking : include_tasks] **********************************************************************************
skipping: [167.99.59.205]

TASK [dns_adblocking : Dnsmasq configured] *****************************************************************************
changed: [167.99.59.205]

TASK [dns_adblocking : Adblock script created] *************************************************************************
changed: [167.99.59.205]

TASK [dns_adblocking : Adblock script added to cron] *******************************************************************
changed: [167.99.59.205]

TASK [dns_adblocking : Update adblock hosts] ***************************************************************************
changed: [167.99.59.205]

RUNNING HANDLER [dns_adblocking : restart dnsmasq] *********************************************************************
changed: [167.99.59.205]

RUNNING HANDLER [vpn : daemon-reload] **********************************************************************************
changed: [167.99.59.205]

TASK [dns_adblocking : Dnsmasq enabled and started] ********************************************************************
ok: [167.99.59.205]

TASK [ssh_tunneling : Ensure that the sshd_config file has desired options] ********************************************
changed: [167.99.59.205]

TASK [ssh_tunneling : Ensure that the algo group exist] ****************************************************************
changed: [167.99.59.205]

TASK [ssh_tunneling : Ensure that the jail directory exist] ************************************************************
changed: [167.99.59.205]

TASK [ssh_tunneling : Ensure that the SSH users exist] *****************************************************************
changed: [167.99.59.205] => (item=dan)
changed: [167.99.59.205] => (item=jack)
changed: [167.99.59.205] => (item=user1)
changed: [167.99.59.205] => (item=khair)

TASK [ssh_tunneling : The authorized keys file created] ****************************************************************
changed: [167.99.59.205] => (item=dan)
changed: [167.99.59.205] => (item=jack)
changed: [167.99.59.205] => (item=user1)
changed: [167.99.59.205] => (item=khair)

TASK [ssh_tunneling : Generate SSH fingerprints] ***********************************************************************
changed: [167.99.59.205]

TASK [ssh_tunneling : Fetch users SSH private keys] ********************************************************************
changed: [167.99.59.205] => (item=dan)
changed: [167.99.59.205] => (item=jack)
changed: [167.99.59.205] => (item=user1)
changed: [167.99.59.205] => (item=khair)

TASK [ssh_tunneling : Change mode for SSH private keys] ****************************************************************
changed: [167.99.59.205 -> localhost] => (item=dan)
changed: [167.99.59.205 -> localhost] => (item=jack)
changed: [167.99.59.205 -> localhost] => (item=user1)
changed: [167.99.59.205 -> localhost] => (item=khair)

TASK [ssh_tunneling : Fetch the known_hosts file] **********************************************************************
changed: [167.99.59.205 -> localhost]

TASK [ssh_tunneling : Build the client ssh config] *********************************************************************
changed: [167.99.59.205 -> localhost] => (item=dan)
changed: [167.99.59.205 -> localhost] => (item=jack)
changed: [167.99.59.205 -> localhost] => (item=user1)
changed: [167.99.59.205 -> localhost] => (item=khair)

TASK [ssh_tunneling : SSH | Get active system users] *******************************************************************
skipping: [167.99.59.205]

TASK [ssh_tunneling : SSH | Delete non-existing users] *****************************************************************
skipping: [167.99.59.205] => (item=null)

TASK [vpn : Ensure that the strongswan group exist] ********************************************************************
changed: [167.99.59.205]

TASK [vpn : Ensure that the strongswan user exist] *********************************************************************
changed: [167.99.59.205]

TASK [vpn : include_tasks] *********************************************************************************************
included: /home/Bassel/algo/roles/vpn/tasks/ubuntu.yml for 167.99.59.205

TASK [vpn : set_fact] **************************************************************************************************
ok: [167.99.59.205]

TASK [vpn : Ubuntu | Install strongSwan] *******************************************************************************
changed: [167.99.59.205]

TASK [vpn : Ubuntu | Enforcing ipsec with apparmor] ********************************************************************
changed: [167.99.59.205] => (item=/usr/lib/ipsec/charon)
changed: [167.99.59.205] => (item=/usr/lib/ipsec/lookip)
changed: [167.99.59.205] => (item=/usr/lib/ipsec/stroke)

TASK [vpn : Ubuntu | Enable services] **********************************************************************************
ok: [167.99.59.205] => (item=apparmor)
ok: [167.99.59.205] => (item=strongswan)
ok: [167.99.59.205] => (item=netfilter-persistent)

TASK [vpn : Ubuntu | Ensure that the strongswan service directory exist] ***********************************************
changed: [167.99.59.205]

TASK [vpn : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ************************************************
changed: [167.99.59.205]

TASK [vpn : include_tasks] *********************************************************************************************
included: /home/Bassel/algo/roles/vpn/tasks/iptables.yml for 167.99.59.205

TASK [vpn : Iptables configured] ***************************************************************************************
changed: [167.99.59.205] => (item={u'dest': u'/etc/iptables/rules.v4', u'src': u'rules.v4.j2'})

TASK [vpn : Iptables configured] ***************************************************************************************
changed: [167.99.59.205] => (item={u'dest': u'/etc/iptables/rules.v6', u'src': u'rules.v6.j2'})

TASK [vpn : include_tasks] *********************************************************************************************
skipping: [167.99.59.205]

TASK [vpn : Install strongSwan] ****************************************************************************************
ok: [167.99.59.205]

TASK [vpn : include_tasks] *********************************************************************************************
included: /home/Bassel/algo/roles/vpn/tasks/ipec_configuration.yml for 167.99.59.205

TASK [vpn : Setup the config files from our templates] *****************************************************************
changed: [167.99.59.205] => (item={u'dest': u'/etc/strongswan.conf', u'src': u'strongswan.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [167.99.59.205] => (item={u'dest': u'/etc/ipsec.conf', u'src': u'ipsec.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [167.99.59.205] => (item={u'dest': u'/etc/ipsec.secrets', u'src': u'ipsec.secrets.j2', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Get loaded plugins] ****************************************************************************************
changed: [167.99.59.205]

TASK [vpn : Disable unneeded plugins] **********************************************************************************
skipping: [167.99.59.205] => (item=socket-default)
changed: [167.99.59.205] => (item=gmp)
skipping: [167.99.59.205] => (item=nonce)
changed: [167.99.59.205] => (item=xcbc)
skipping: [167.99.59.205] => (item=pem)
changed: [167.99.59.205] => (item=md5)
changed: [167.99.59.205] => (item=sha1)
changed: [167.99.59.205] => (item=agent)
skipping: [167.99.59.205] => (item=sha2)
changed: [167.99.59.205] => (item=rc2)
skipping: [167.99.59.205] => (item=kernel-netlink)
skipping: [167.99.59.205] => (item=pkcs7)
changed: [167.99.59.205] => (item=test-vectors)
changed: [167.99.59.205] => (item=dnskey)
changed: [167.99.59.205] => (item=md4)
changed: [167.99.59.205] => (item=pkcs1)
skipping: [167.99.59.205] => (item=x509)
changed: [167.99.59.205] => (item=constraints)
changed: [167.99.59.205] => (item=connmark)
skipping: [167.99.59.205] => (item=pubkey)
skipping: [167.99.59.205] => (item=aes)
skipping: [167.99.59.205] => (item=stroke)
changed: [167.99.59.205] => (item=sshkey)
skipping: [167.99.59.205] => (item=pgp)
changed: [167.99.59.205] => (item=attr)
skipping: [167.99.59.205] => (item=random)
changed: [167.99.59.205] => (item=resolve)
skipping: [167.99.59.205] => (item=revocation)
changed: [167.99.59.205] => (item=fips-prf)
skipping: [167.99.59.205] => (item=pkcs8)
changed: [167.99.59.205] => (item=updown)
skipping: [167.99.59.205] => (item=hmac)
skipping: [167.99.59.205] => (item=openssl)
skipping: [167.99.59.205] => (item=pkcs12)
skipping: [167.99.59.205] => (item=gcm)

TASK [vpn : Ensure that required plugins are enabled] ******************************************************************
changed: [167.99.59.205] => (item=socket-default)
skipping: [167.99.59.205] => (item=gmp)
changed: [167.99.59.205] => (item=nonce)
skipping: [167.99.59.205] => (item=xcbc)
changed: [167.99.59.205] => (item=pem)
skipping: [167.99.59.205] => (item=md5)
skipping: [167.99.59.205] => (item=sha1)
skipping: [167.99.59.205] => (item=agent)
changed: [167.99.59.205] => (item=sha2)
skipping: [167.99.59.205] => (item=rc2)
changed: [167.99.59.205] => (item=kernel-netlink)
changed: [167.99.59.205] => (item=pkcs7)
skipping: [167.99.59.205] => (item=test-vectors)
skipping: [167.99.59.205] => (item=dnskey)
skipping: [167.99.59.205] => (item=md4)
skipping: [167.99.59.205] => (item=pkcs1)
changed: [167.99.59.205] => (item=x509)
skipping: [167.99.59.205] => (item=constraints)
skipping: [167.99.59.205] => (item=connmark)
changed: [167.99.59.205] => (item=pubkey)
changed: [167.99.59.205] => (item=aes)
changed: [167.99.59.205] => (item=stroke)
skipping: [167.99.59.205] => (item=sshkey)
changed: [167.99.59.205] => (item=pgp)
skipping: [167.99.59.205] => (item=attr)
changed: [167.99.59.205] => (item=random)
skipping: [167.99.59.205] => (item=resolve)
changed: [167.99.59.205] => (item=revocation)
skipping: [167.99.59.205] => (item=fips-prf)
changed: [167.99.59.205] => (item=pkcs8)
skipping: [167.99.59.205] => (item=updown)
changed: [167.99.59.205] => (item=hmac)
changed: [167.99.59.205] => (item=openssl)
changed: [167.99.59.205] => (item=pkcs12)
changed: [167.99.59.205] => (item=gcm)

TASK [vpn : include_tasks] *********************************************************************************************
included: /home/Bassel/algo/roles/vpn/tasks/openssl.yml for 167.99.59.205

TASK [vpn : Ensure the pki directory does not exist] *******************************************************************
skipping: [167.99.59.205]

TASK [vpn : Ensure the pki directories exist] **************************************************************************
changed: [167.99.59.205 -> localhost] => (item=ecparams)
changed: [167.99.59.205 -> localhost] => (item=certs)
changed: [167.99.59.205 -> localhost] => (item=crl)
changed: [167.99.59.205 -> localhost] => (item=newcerts)
changed: [167.99.59.205 -> localhost] => (item=private)
changed: [167.99.59.205 -> localhost] => (item=reqs)

TASK [vpn : Ensure the files exist] ************************************************************************************
changed: [167.99.59.205 -> localhost] => (item=.rnd)
changed: [167.99.59.205 -> localhost] => (item=private/.rnd)
changed: [167.99.59.205 -> localhost] => (item=index.txt)
changed: [167.99.59.205 -> localhost] => (item=index.txt.attr)
changed: [167.99.59.205 -> localhost] => (item=serial)

TASK [vpn : Generate the openssl server configs] ***********************************************************************
changed: [167.99.59.205 -> localhost]

TASK [vpn : Build the CA pair] *****************************************************************************************
changed: [167.99.59.205 -> localhost]

TASK [vpn : Copy the CA certificate] ***********************************************************************************
changed: [167.99.59.205 -> localhost]

TASK [vpn : Generate the serial number] ********************************************************************************
changed: [167.99.59.205 -> localhost]

TASK [vpn : Build the server pair] *************************************************************************************
changed: [167.99.59.205 -> localhost]

TASK [vpn : Build the client's pair] ***********************************************************************************
changed: [167.99.59.205 -> localhost] => (item=dan)
changed: [167.99.59.205 -> localhost] => (item=jack)
changed: [167.99.59.205 -> localhost] => (item=user1)
changed: [167.99.59.205 -> localhost] => (item=khair)

TASK [vpn : Build the client's p12] ************************************************************************************
changed: [167.99.59.205 -> localhost] => (item=dan)
changed: [167.99.59.205 -> localhost] => (item=jack)
changed: [167.99.59.205 -> localhost] => (item=user1)
changed: [167.99.59.205 -> localhost] => (item=khair)

TASK [vpn : Copy the p12 certificates] *********************************************************************************
changed: [167.99.59.205 -> localhost] => (item=dan)
changed: [167.99.59.205 -> localhost] => (item=jack)
changed: [167.99.59.205 -> localhost] => (item=user1)
changed: [167.99.59.205 -> localhost] => (item=khair)

TASK [vpn : Get active users] ******************************************************************************************
changed: [167.99.59.205 -> localhost]

TASK [vpn : Revoke non-existing users] *********************************************************************************
skipping: [167.99.59.205] => (item=dan)
skipping: [167.99.59.205] => (item=jack)
skipping: [167.99.59.205] => (item=user1)
skipping: [167.99.59.205] => (item=khair)

TASK [vpn : Genereate new CRL file] ************************************************************************************
skipping: [167.99.59.205]

TASK [vpn : Copy the CRL to the vpn server] ****************************************************************************
skipping: [167.99.59.205]

TASK [vpn : include_tasks] *********************************************************************************************
included: /home/Bassel/algo/roles/vpn/tasks/distribute_keys.yml for 167.99.59.205

TASK [vpn : Copy the keys to the strongswan directory] *****************************************************************
changed: [167.99.59.205] => (item={u'dest': u'/etc/ipsec.d/cacerts/ca.crt', u'src': u'configs/167.99.59.205/pki/cacert.pem', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [167.99.59.205] => (item={u'dest': u'/etc/ipsec.d/certs/167.99.59.205.crt', u'src': u'configs/167.99.59.205/pki/certs/167.99.59.205.crt', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [167.99.59.205] => (item={u'dest': u'/etc/ipsec.d/private/167.99.59.205.key', u'src': u'configs/167.99.59.205/pki/private/167.99.59.205.key', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : include_tasks] *********************************************************************************************
included: /home/Bassel/algo/roles/vpn/tasks/client_configs.yml for 167.99.59.205

TASK [vpn : Register p12 PayloadContent] *******************************************************************************
changed: [167.99.59.205 -> localhost] => (item=dan)
changed: [167.99.59.205 -> localhost] => (item=jack)
changed: [167.99.59.205 -> localhost] => (item=user1)
changed: [167.99.59.205 -> localhost] => (item=khair)

TASK [vpn : Set facts for mobileconfigs] *******************************************************************************
ok: [167.99.59.205 -> localhost]

TASK [vpn : Build the mobileconfigs] ***********************************************************************************
changed: [167.99.59.205] => (item=None)
changed: [167.99.59.205] => (item=None)
changed: [167.99.59.205] => (item=None)
changed: [167.99.59.205] => (item=None)

TASK [vpn : Build the strongswan app android config] *******************************************************************
changed: [167.99.59.205] => (item=None)
changed: [167.99.59.205] => (item=None)
changed: [167.99.59.205] => (item=None)
changed: [167.99.59.205] => (item=None)

TASK [vpn : Build the android helper html] *****************************************************************************
changed: [167.99.59.205] => (item=None)
changed: [167.99.59.205] => (item=None)
changed: [167.99.59.205] => (item=None)
changed: [167.99.59.205] => (item=None)

TASK [vpn : Build the client ipsec config file] ************************************************************************
changed: [167.99.59.205 -> localhost] => (item=dan)
changed: [167.99.59.205 -> localhost] => (item=jack)
changed: [167.99.59.205 -> localhost] => (item=user1)
changed: [167.99.59.205 -> localhost] => (item=khair)

TASK [vpn : Build the client ipsec secret file] ************************************************************************
changed: [167.99.59.205 -> localhost] => (item=dan)
changed: [167.99.59.205 -> localhost] => (item=jack)
changed: [167.99.59.205 -> localhost] => (item=user1)
changed: [167.99.59.205 -> localhost] => (item=khair)

TASK [vpn : Create the windows check file] *****************************************************************************
changed: [167.99.59.205 -> localhost]

TASK [vpn : Check if the windows check file exists] ********************************************************************
ok: [167.99.59.205 -> localhost]

TASK [vpn : Build the windows client powershell script] ****************************************************************
changed: [167.99.59.205 -> localhost] => (item=dan)
changed: [167.99.59.205 -> localhost] => (item=jack)
changed: [167.99.59.205 -> localhost] => (item=user1)
changed: [167.99.59.205 -> localhost] => (item=khair)

TASK [vpn : Restrict permissions for the local private directories] ****************************************************
changed: [167.99.59.205 -> localhost] => (item=configs/167.99.59.205)

RUNNING HANDLER [dns_adblocking : restart apparmor] ********************************************************************
changed: [167.99.59.205]

RUNNING HANDLER [ssh_tunneling : restart ssh] **************************************************************************
changed: [167.99.59.205]

RUNNING HANDLER [vpn : restart strongswan] *****************************************************************************
changed: [167.99.59.205]

RUNNING HANDLER [vpn : daemon-reload] **********************************************************************************
changed: [167.99.59.205]

RUNNING HANDLER [vpn : restart iptables] *******************************************************************************
changed: [167.99.59.205]

TASK [vpn : strongSwan started] ****************************************************************************************
ok: [167.99.59.205]

TASK [debug] ***********************************************************************************************************
ok: [167.99.59.205] => {
    "msg": [
        [
            "\"#                          Congratulations!                            #\"",
            "\"#                     Your Algo server is running.                     #\"",
            "\"#    Config files and certificates are in the ./configs/ directory.    #\"",
            "\"#              Go to https://whoer.net/ after connecting               #\"",
            "\"#        and ensure that all your traffic passes through the VPN.      #\"",
            "\"#               Local DNS resolver 172.16.0.1              #\"",
            ""
        ],
        "    \"#                The p12 and SSH keys password for new users is ozS8hyIe             #\"\n",
        "    \"#                  The CA key password is fd1cf2cf2cae41fcd6131ad5c33f6bfa                 #\"\n",
        "    \"#      Shell access: ssh -i configs/algo.pem root@167.99.59.205        #\"\n"
    ]
}

TASK [Delete the CA key] ***********************************************************************************************
skipping: [167.99.59.205]

PLAY RECAP *************************************************************************************************************
167.99.59.205              : ok=109  changed=77   unreachable=0    failed=0
localhost                  : ok=23   changed=5    unreachable=0    failed=0

The error log from the strongSwan app on Android:

Mar 23 21:22:57 00[DMN] Starting IKE charon daemon (strongSwan 5.6.1dr3, Android 7.0 - NRD90M.G955USQS1AQF7/2017-06-01, SM-G955U - samsung/dream2qltesq/samsung, Linux 4.4.16-11449429, aarch64)
Mar 23 21:22:57 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Mar 23 21:22:57 00[JOB] spawning 16 worker threads
Mar 23 21:22:57 07[CFG] loaded user certificate 'CN=user1' and private key
Mar 23 21:22:57 07[IKE] initiating IKE_SA android[3] to 167.99.59.205
Mar 23 21:22:57 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 23 21:22:57 07[NET] sending packet: from 192.168.1.23[46142] to 167.99.59.205[500] (704 bytes)
Mar 23 21:22:57 10[NET] received packet: from 167.99.59.205[500] to 192.168.1.23[46142] (289 bytes)
Mar 23 21:22:57 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Mar 23 21:22:57 10[IKE] local host is behind NAT, sending keep alives
Mar 23 21:22:57 10[IKE] received 1 cert requests for an unknown ca
Mar 23 21:22:57 10[IKE] sending cert request for "C=CN, O=WoSign CA Limited, CN=CA WoSign ECC Root"
Mar 23 21:22:57 10[IKE] sending cert request for "C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - Autorité Racine"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=IdenTrust, CN=IdenTrust Public Sector Root CA 1"
Mar 23 21:22:57 10[IKE] sending cert request for "C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden EV Root CA"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA"
Mar 23 21:22:57 10[IKE] sending cert request for "OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign"
Mar 23 21:22:57 10[IKE] sending cert request for "C=IT, L=Milan, O=Actalis S.p.A./03358520967, CN=Actalis Authentication Root CA"
Mar 23 21:22:57 10[IKE] sending cert request for "C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1"
Mar 23 21:22:57 10[IKE] sending cert request for "C=JP, O=Japanese Government, OU=ApplicationCA"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority"
Mar 23 21:22:57 10[IKE] sending cert request for "C=TW, O=Chunghwa Telecom Co., Ltd., OU=ePKI Root Certification Authority"
Mar 23 21:22:57 10[IKE] sending cert request for "C=RO, O=certSIGN, OU=certSIGN ROOT CA"
Mar 23 21:22:57 10[IKE] sending cert request for "C=FR, O=Dhimyotis, CN=Certigna"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA 2"
Mar 23 21:22:57 10[IKE] sending cert request for "C=CN, O=WoSign CA Limited, CN=Certification Authority of WoSign G2"
Mar 23 21:22:57 10[IKE] sending cert request for "O=RSA Security Inc, OU=RSA Security 2048 V3"
Mar 23 21:22:57 10[IKE] sending cert request for "C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 Root CA"
Mar 23 21:22:57 10[IKE] sending cert request for "C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R2"
Mar 23 21:22:57 10[IKE] sending cert request for "C=TR, L=Ankara, O=E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş., OU=E-Tugra Sertifikasyon Merkezi, CN=E-Tugra Certification Authority"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4"
Mar 23 21:22:57 10[IKE] sending cert request for "C=TR, L=Gebze - Kocaeli, O=Türkiye Bilimsel ve Teknolojik Araştırma Kurumu - TÜBİTAK, OU=Ulusal Elektronik ve Kriptoloji Araştırma Enstitüsü - UEKAE, OU=Kamu Sertifikasyon Merkezi, CN=TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Primary Certification Authority"
Mar 23 21:22:57 10[IKE] sending cert request for "C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R1"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2"
Mar 23 21:22:57 10[IKE] sending cert request for "C=FR, ST=France, L=Paris, O=PM/SGDN, OU=DCSSI, CN=IGC/A, E=igca@sgdn.pm.gouv.fr"
Mar 23 21:22:57 10[IKE] sending cert request for "C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=SecureTrust Corporation, CN=SecureTrust CA"
Mar 23 21:22:57 10[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=Trusted Certificate Services"
Mar 23 21:22:57 10[IKE] sending cert request for "C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Qualified CA Root"
Mar 23 21:22:57 10[IKE] sending cert request for "C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA"
Mar 23 21:22:57 10[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3"
Mar 23 21:22:57 10[IKE] sending cert request for "C=GR, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2011"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
Mar 23 21:22:57 10[IKE] sending cert request for "CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES"
Mar 23 21:22:57 10[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
Mar 23 21:22:57 10[IKE] sending cert request for "O=Cybertrust, Inc, CN=Cybertrust Global Root"
Mar 23 21:22:57 10[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2"
Mar 23 21:22:57 10[IKE] sending cert request for "C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Global Root CA"
Mar 23 21:22:57 10[IKE] sending cert request for "C=ch, O=Swisscom, OU=Digital Certificate Services, CN=Swisscom Root CA 2"
Mar 23 21:22:57 10[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Certification Authority"
Mar 23 21:22:57 10[IKE] sending cert request for "C=ch, O=Swisscom, OU=Digital Certificate Services, CN=Swisscom Root CA 1"
Mar 23 21:22:57 10[IKE] sending cert request for "C=HK, O=Hongkong Post, CN=Hongkong Post Root CA 1"
Mar 23 21:22:57 10[IKE] sending cert request for "C=IL, O=StartCom Ltd., CN=StartCom Certification Authority G2"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Global CA 2"
Mar 23 21:22:57 10[IKE] sending cert request for "C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G3"
Mar 23 21:22:57 10[IKE] sending cert request for "C=HU, L=Budapest, O=Microsec Ltd., CN=Microsec e-Szigno Root CA 2009, E=info@e-szigno.hu"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Commercial"
Mar 23 21:22:57 10[IKE] sending cert request for "C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC"
Mar 23 21:22:57 10[IKE] sending cert request for "C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - Root CA"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2"
Mar 23 21:22:57 10[IKE] sending cert request for "C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 EV 2009"
Mar 23 21:22:57 10[IKE] sending cert request for "C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068"
Mar 23 21:22:57 10[IKE] sending cert request for "E=pki@sk.ee, C=EE, O=AS Sertifitseerimiskeskus, CN=Juur-SK"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA"
Mar 23 21:22:57 10[IKE] sending cert request for "C=ch, O=Swisscom, OU=Digital Certificate Services, CN=Swisscom Root EV CA 2"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware"
Mar 23 21:22:57 10[IKE] sending cert request for "C=ES, O=Generalitat Valenciana, OU=PKIGVA, CN=Root CA Generalitat Valenciana"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=thawte, Inc., OU=(c) 2007 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G2"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=Digital Signature Trust, OU=DST ACES, CN=DST ACES CA X6"
Mar 23 21:22:57 10[IKE] sending cert request for "C=CH, O=WISeKey, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GB CA"
Mar 23 21:22:57 10[IKE] sending cert request for "C=ES, O=IZENPE S.A., CN=Izenpe.com"
Mar 23 21:22:57 10[IKE] sending cert request for "CN=Atos TrustedRoot 2011, O=Atos, C=DE"
Mar 23 21:22:57 10[IKE] sending cert request for "C=EU, L=Madrid (see current address at www.camerfirma.com/address), SN=A82743287, O=AC Camerfirma S.A., CN=Chambers of Commerce Root - 2008"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority"
Mar 23 21:22:57 10[IKE] sending cert request for "C=TR, L=Ankara, O=TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş., CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
Mar 23 21:22:57 10[IKE] sending cert request for "C=FR, O=Certplus, CN=Class 2 Primary CA"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=GeoTrust Inc., OU=(c) 2008 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G3"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=GeoTrust Inc., OU=(c) 2007 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G2"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2008 VeriSign, Inc. - For authorized use only, CN=VeriSign Universal Root Certification Authority"
Mar 23 21:22:57 10[IKE] sending cert request for "C=BM, O=QuoVadis Limited, OU=Root Certification Authority, CN=QuoVadis Root Certification Authority"
Mar 23 21:22:57 10[IKE] sending cert request for "C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 2"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G3"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G2"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Root Certificate Authority - G2"
Mar 23 21:22:57 10[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services"
Mar 23 21:22:57 10[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=Secure Certificate Services"
Mar 23 21:22:57 10[IKE] sending cert request for "C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority"
Mar 23 21:22:57 10[IKE] sending cert request for "C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication EV RootCA1"
Mar 23 21:22:57 10[IKE] sending cert request for "C=TR, L=Ankara, O=TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş., CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
Mar 23 21:22:57 10[IKE] sending cert request for "C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 CA 1"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=VISA, OU=Visa International Service Association, CN=Visa eCommerce Root"
Mar 23 21:22:57 10[IKE] sending cert request for "C=HU, L=Budapest, O=NetLock Kft., OU=Tanúsítványkiadók (Certification Services), CN=NetLock Arany (Class Gold) Főtanúsítvány"
Mar 23 21:22:57 10[IKE] sending cert request for "C=FI, O=Sonera, CN=Sonera Class2 CA"
Mar 23 21:22:57 10[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 1 G3"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2007 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G4"
Mar 23 21:22:57 10[IKE] sending cert request for "OU=GlobalSign ECC Root CA - R4, O=GlobalSign, CN=GlobalSign"
Mar 23 21:22:57 10[IKE] sending cert request for "C=GB, O=Trustis Limited, OU=Trustis FPS Root CA"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3"
Mar 23 21:22:57 10[IKE] sending cert request for "CN=ACEDICOM Root, OU=PKI, O=EDICOM, C=ES"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority"
Mar 23 21:22:57 10[IKE] sending cert request for "C=CN, O=WoSign CA Limited, CN=Certification Authority of WoSign"
Mar 23 21:22:57 10[IKE] sending cert request for "C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA 2"
Mar 23 21:22:57 10[IKE] sending cert request for "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
Mar 23 21:22:57 10[IKE] sending cert request for "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
Mar 23 21:22:57 10[IKE] sending cert request for "O=Digital Signature Trust Co., CN=DST Root CA X3"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2008 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G3"
Mar 23 21:22:57 10[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3 G3"
Mar 23 21:22:57 10[IKE] sending cert request for "C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Public CA Root"
Mar 23 21:22:57 10[IKE] sending cert request for "C=JP, O=Japan Certification Services, Inc., CN=SecureSign RootCA11"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=SecureTrust Corporation, CN=Secure Global CA"
Mar 23 21:22:57 10[IKE] sending cert request for "CN=EBG Elektronik Sertifika Hizmet Sağlayıcısı, O=EBG Bilişim Teknolojileri ve Hizmetleri A.Ş., C=TR"
Mar 23 21:22:57 10[IKE] sending cert request for "O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Global CA"
Mar 23 21:22:57 10[IKE] sending cert request for "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root"
Mar 23 21:22:57 10[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5"
Mar 23 21:22:57 10[IKE] sending cert request for "C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 3"
Mar 23 21:22:57 10[IKE] sending cert request for "C=CH, O=WISeKey, OU=Copyright (c) 2005, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GA CA"
Mar 23 21:22:57 10[IKE] sending cert request for "C=EE, O=AS Sertifitseerimiskeskus, CN=EE Certification Centre Root CA, E=pki@sk.ee"
Mar 23 21:22:57 10[IKE] sending cert request for "C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication RootCA2"
Mar 23 21:22:57 10[IKE] sending cert request for "OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign"
Mar 23 21:22:57 10[IKE] sending cert request for "C=PL, O=Krajowa Izba Rozliczeniowa S.A., CN=SZAFIR ROOT CA2"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Premium ECC"
Mar 23 21:22:57 10[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority"
Mar 23 21:22:57 10[IKE] sending cert request for "C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Class 1 CA Root"
Mar 23 21:22:57 10[IKE] sending cert request for "C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 Root CA"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Premium"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority"
Mar 23 21:22:57 10[IKE] sending cert request for "C=CN, O=China Internet Network Information Center, CN=China Internet Network Information Center EV Certificates Root"
Mar 23 21:22:57 10[IKE] sending cert request for "O=TeliaSonera, CN=TeliaSonera Root CA v1"
Mar 23 21:22:57 10[IKE] sending cert request for "C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=Wells Fargo WellsSecure, OU=Wells Fargo Bank NA, CN=WellsSecure Public Root Certificate Authority"
Mar 23 21:22:57 10[IKE] sending cert request for "C=HU, L=Budapest, O=Microsec Ltd., OU=e-Szigno CA, CN=Microsec e-Szigno Root CA"
Mar 23 21:22:57 10[IKE] sending cert request for "OU=GlobalSign ECC Root CA - R5, O=GlobalSign, CN=GlobalSign"
Mar 23 21:22:57 10[IKE] sending cert request for "C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2"
Mar 23 21:22:57 10[IKE] sending cert request for "C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Global Chambersign Root"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - EC1"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority"
Mar 23 21:22:57 10[IKE] sending cert request for "C=CH, O=SwissSign AG, CN=SwissSign Silver CA - G2"
Mar 23 21:22:57 10[IKE] sending cert request for "C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 2009"
Mar 23 21:22:57 10[IKE] sending cert request for "C=PL, O=Unizeto Sp. z o.o., CN=Certum CA"
Mar 23 21:22:57 10[IKE] sending cert request for "C=TW, O=Government Root Certification Authority"
Mar 23 21:22:57 10[IKE] sending cert request for "C=EU, L=Madrid (see current address at www.camerfirma.com/address), SN=A82743287, O=AC Camerfirma S.A., CN=Global Chambersign Root - 2008"
Mar 23 21:22:57 10[IKE] sending cert request for "C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G2"
Mar 23 21:22:57 10[IKE] sending cert request for "C=CN, O=China Financial Certification Authority, CN=CFCA EV ROOT"
Mar 23 21:22:57 10[IKE] sending cert request for "C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA"
Mar 23 21:22:57 10[IKE] sending cert request for "CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı, C=TR, L=Ankara, O=TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık 2007"
Mar 23 21:22:57 10[IKE] sending cert request for "C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Chambers of Commerce Root"
Mar 23 21:22:57 10[IKE] sending cert request for "C=CN, O=WoSign CA Limited, CN=CA 沃通根证书"
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Networking"
Mar 23 21:22:57 10[IKE] authentication of 'CN=user1' (myself) with ECDSA_WITH_SHA256_DER successful
Mar 23 21:22:57 10[IKE] sending end entity cert "CN=user1"
Mar 23 21:22:57 10[IKE] establishing CHILD_SA android{3}
Mar 23 21:22:57 10[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar 23 21:22:57 10[ENC] splitting IKE message with length of 4037 bytes into 4 fragments
Mar 23 21:22:57 10[ENC] generating IKE_AUTH request 1 [ EF(1/4) ]
Mar 23 21:22:57 10[ENC] generating IKE_AUTH request 1 [ EF(2/4) ]
Mar 23 21:22:57 10[ENC] generating IKE_AUTH request 1 [ EF(3/4) ]
Mar 23 21:22:57 10[ENC] generating IKE_AUTH request 1 [ EF(4/4) ]
Mar 23 21:22:57 10[NET] sending packet: from 192.168.1.23[33212] to 167.99.59.205[4500] (1368 bytes)
Mar 23 21:22:57 10[NET] sending packet: from 192.168.1.23[33212] to 167.99.59.205[4500] (1368 bytes)
Mar 23 21:22:57 10[NET] sending packet: from 192.168.1.23[33212] to 167.99.59.205[4500] (1368 bytes)
Mar 23 21:22:57 10[NET] sending packet: from 192.168.1.23[33212] to 167.99.59.205[4500] (120 bytes)
Mar 23 21:22:58 11[NET] received packet: from 167.99.59.205[4500] to 192.168.1.23[33212] (544 bytes)
Mar 23 21:22:58 11[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Mar 23 21:22:58 11[ENC] received fragment #1 of 2, waiting for complete IKE message
Mar 23 21:22:58 11[NET] received packet: from 167.99.59.205[4500] to 192.168.1.23[33212] (436 bytes)
Mar 23 21:22:58 11[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Mar 23 21:22:58 11[ENC] received fragment #2 of 2, reassembling fragmented IKE message
Mar 23 21:22:58 11[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR ADDR6 DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Mar 23 21:22:58 11[IKE] received end entity cert "CN=167.99.59.205"
Mar 23 21:22:58 11[CFG]   using certificate "CN=167.99.59.205"
Mar 23 21:22:58 11[CFG] no issuer certificate found for "CN=167.99.59.205"
Mar 23 21:22:58 11[CFG]   issuer is "CN=167.99.59.205"
Mar 23 21:22:58 11[IKE] no trusted ECDSA public key found for '167.99.59.205'
Mar 23 21:22:58 11[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Mar 23 21:22:58 11[NET] sending packet: from 192.168.1.23[33212] to 167.99.59.205[4500] (65 bytes)
dguido commented 6 years ago

What client are you connecting from and how is it configured?

bassel999 commented 6 years ago

I'm using strongSwan on Android with IKEv2 Certificate.

jackivanov commented 6 years ago

It seems the CA certificate hasn't been installed. Try to import the profile once again and select the proper CA certificate there.
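A small parser for the charon log format pasted above, added here as an example (not Algo project or strongSwan app code), that turns the `no issuer certificate found` / `AUTH_FAILED` lines into the missing-CA verdict given in this comment. Its sample logs are constructed from the issue's log, and the working case is an assumption about what the same exchange looks like once the server's CA is installed on the client.

```python
"""Parse a strongSwan (charon) client log and explain an IKE_AUTH failure.
Added example, not Algo project or strongSwan app code; it relies only on
message formats visible in the issue's log. Both sample logs are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed from the issue's log; the CERTREQ list is cut down to two public roots.
FAILING_LOG = """\
Mar 23 21:22:57 07[IKE] initiating IKE_SA android[3] to 167.99.59.205
Mar 23 21:22:57 10[IKE] received 1 cert requests for an unknown ca
Mar 23 21:22:57 10[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
Mar 23 21:22:57 10[IKE] sending cert request for "OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign"
Mar 23 21:22:57 10[IKE] authentication of 'CN=user1' (myself) with ECDSA_WITH_SHA256_DER successful
Mar 23 21:22:58 11[IKE] received end entity cert "CN=167.99.59.205"
Mar 23 21:22:58 11[CFG] no issuer certificate found for "CN=167.99.59.205"
Mar 23 21:22:58 11[CFG]   issuer is "CN=167.99.59.205"
Mar 23 21:22:58 11[IKE] no trusted ECDSA public key found for '167.99.59.205'
Mar 23 21:22:58 11[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""

# Constructed (assumed) success case: with the CA installed the client's own
# CERTREQ names it, the server cert's issuer is found and the peer authenticates.
WORKING_LOG = """\
Mar 23 21:30:01 07[IKE] initiating IKE_SA android[4] to 167.99.59.205
Mar 23 21:30:01 10[IKE] sending cert request for "CN=167.99.59.205"
Mar 23 21:30:02 11[IKE] received end entity cert "CN=167.99.59.205"
Mar 23 21:30:02 11[IKE] authentication of '167.99.59.205' with ECDSA_WITH_SHA256_DER successful
"""

# Every charon line starts "<Mon dd HH:MM:SS> <thread>[<GROUP>] "; keep the message.
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \d+\[[A-Z]{3}\] (?P<msg>.*)$")

@dataclass
class AuthReport:
    peer: Optional[str] = None
    certreqs_sent: List[str] = field(default_factory=list)  # CAs the client trusts
    unknown_ca_requests: int = 0      # server CERTREQs the client could not match
    server_cert: Optional[str] = None
    issuer: Optional[str] = None
    issuer_found: bool = True
    peer_auth_ok: bool = False
    auth_failed: bool = False

    def diagnosis(self) -> str:
        """One-line verdict in the vocabulary of the log itself."""
        if self.peer_auth_ok and not self.auth_failed:
            return "ok: server %s authenticated against an installed CA" % self.peer
        if self.server_cert and not self.issuer_found:
            clue = "none of the %d CERTREQs the client sent names that issuer" % len(self.certreqs_sent)
            if self.unknown_ca_requests:
                clue += "; the server's CERTREQ named a CA unknown to the client"
            return ("missing CA: no certificate for issuer %s on the client (%s); "
                    "re-import the profile and select this server's CA certificate"
                    % (self.issuer, clue))
        if self.auth_failed:
            return "auth failed: server %s rejected for another reason" % self.peer
        return "incomplete: no IKE_AUTH outcome in this log"

# (message regex, action) pairs; the first pattern matching a line wins.
RULES = [
    (re.compile(r"initiating IKE_SA \S+ to (\S+)"),
     lambda r, m: setattr(r, "peer", m.group(1))),
    (re.compile(r"received (\d+) cert requests for an unknown ca"),
     lambda r, m: setattr(r, "unknown_ca_requests", r.unknown_ca_requests + int(m.group(1)))),
    (re.compile(r'sending cert request for "([^"]+)"'),
     lambda r, m: r.certreqs_sent.append(m.group(1))),
    (re.compile(r'received end entity cert "([^"]+)"'),
     lambda r, m: setattr(r, "server_cert", m.group(1))),
    (re.compile(r'no issuer certificate found for "'),
     lambda r, m: setattr(r, "issuer_found", False)),
    (re.compile(r'issuer is "([^"]+)"'),
     lambda r, m: setattr(r, "issuer", m.group(1))),
    # the "(myself)" variant is the client's own auth, so it is excluded here
    (re.compile(r"authentication of '([^']+)'(?! \(myself\)) with \S+ successful"),
     lambda r, m: setattr(r, "peer_auth_ok", True)),
    (re.compile(r".*N\(AUTH_FAILED\)"),
     lambda r, m: setattr(r, "auth_failed", True)),
]

def parse_charon_log(text: str) -> AuthReport:
    """Apply the first matching rule to each charon line; other lines are ignored."""
    report = AuthReport()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg").strip()
        for pattern, apply in RULES:
            hit = pattern.match(msg)
            if hit:
                apply(report, hit)
                break
    return report
```

Run it over the full log pasted in the issue and the same verdict comes out: the 150-odd CERTREQs are all public roots, none is the Algo CA named as the issuer.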

bassel999 commented 6 years ago

Thank you so much.