Strongswan Check: Difference between revisions
Thomas (talk | contributions)
Revision as of 17 November 2017, 09:44
VPN Check
- CONN=s2s
- CHECK="(CHILD_SA|failed|error|could not|proposal)"
- PATTERN=${CONN}.*$CHECK
Query
- tail -f /var/log/strongswan/charon.log | egrep "$PATTERN"
Connection successful
Nov 17 10:29:36 01[IKE] <s2s|1> sending DELETE for ESP CHILD_SA with SPI c484ade1
Nov 17 10:29:38 04[CFG] <s2s|2> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:29:38 16[CFG] <s2s|2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:29:38 16[CFG] <s2s|2> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:29:38 03[CFG] <s2s|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Nov 17 10:29:38 03[CFG] <s2s|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Nov 17 10:29:38 06[CFG] <s2s|2> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Nov 17 10:29:38 06[CFG] <s2s|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Nov 17 10:29:38 06[IKE] <s2s|2> CHILD_SA s2s{2} established with SPIs c3dde116_i ced89952_o and TS 10.83.33.0/24 === 10.83.32.0/24
Wrong PSK
- tail -f /var/log/strongswan/charon.log | egrep "$PATTERN"
Nov 17 10:32:47 16[CFG] <s2s|2> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:32:47 15[CFG] <s2s|2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:32:47 15[CFG] <s2s|2> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:32:47 04[ENC] <s2s|2> invalid HASH_V1 payload length, decryption failed?
Nov 17 10:32:47 04[ENC] <s2s|2> could not decrypt payloads
Nov 17 10:32:47 04[IKE] <s2s|2> message parsing failed
Nov 17 10:32:47 04[IKE] <s2s|2> INFORMATIONAL_V1 request with message ID 2548885084 processing failed
PHASE1 or PHASE2 proposals
PHASE1 and PHASE2 OK
- tail -f /var/log/strongswan/charon.log | egrep "$CONN.*proposal"
Nov 17 10:12:35 05[CFG] <s2s|2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:12:35 05[CFG] <s2s|2> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:12:35 05[CFG] <s2s|2> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
...
Nov 17 10:12:35 01[CFG] <s2s|2> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Nov 17 10:12:35 01[CFG] <s2s|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Nov 17 10:12:35 01[CFG] <s2s|2> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Misconfigured proposals
- tail -f /var/log/strongswan/charon.log | egrep "$PATTERN"
Nov 17 10:38:28 06[CFG] <s2s|1> configured proposals:
PHASE1 or PHASE2 error
- tail -f /var/log/strongswan/charon.log | egrep "$PATTERN"
Nov 16 12:24:57 05[IKE] <s2s|10> received NO_PROPOSAL_CHOSEN error notify
PHASE1 proposals are not answered
The "selected proposal" line for IKE is missing
Nov 17 10:42:24 01[CFG] <s2s|3> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Nov 17 10:42:24 12[IKE] <s2s|3> received NO_PROPOSAL_CHOSEN error notify
Differing Phase 2 proposals
The "selected proposal" line for ESP is missing
- tail -f /var/log/strongswan/charon.log | egrep "$CONN.*proposal.*ESP"
Nov 16 20:29:38 15[CFG] <s2s|4> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ
Nov 16 20:29:38 15[CFG] <s2s|4> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Wrong network
- tail -f /var/log/strongswan/charon.log | egrep "$PATTERN"
Nov 16 20:00:41 01[IKE] <s2s|6> received INVALID_ID_INFORMATION error notify
Wrong ID
- tail -f /var/log/strongswan/charon.log | egrep "$PATTERN"
Nov 16 20:12:55 12[IKE] <s2s|2> received AUTHENTICATION_FAILED error notify
Offered IKE lifetime
- tail -f /var/log/strongswan/charon.log | egrep "$CONN.*time"
Nov 16 22:19:51 12[IKE] <s2s|5> maximum IKE_SA lifetime 3375s
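
The cases above can be checked in one pass instead of reading the grep output by eye. The following is an added example, not part of the original wiki page: the function name diagnose_conn and its OK/FAIL/WARN labels are assumptions of this example, and it expects the log excerpt of a single connection attempt on stdin.

```sh
# Added example, not from the original page. diagnose_conn and its output
# labels are names chosen for this example, not strongSwan output.
# Usage: diagnose_conn CONN < log excerpt of one connection attempt
diagnose_conn() {
  awk -v conn="$1" '
    index($0, "<" conn "|") == 0 { next }           # line of another connection
    { msg = substr($0, index($0, "> ") + 2) }        # text after the <conn|n> tag
    msg ~ /^(received|configured|selected) proposals?:/ {
      kind = msg; sub(/ .*/, "", kind)               # received|configured|selected
      prop = msg; sub(/^[^:]*: */, "", prop)         # IKE:... or ESP:...
      if (prop == "") { print "FAIL empty_" kind "_proposals" }
      else { seen[kind ":" substr(prop, 1, 3)] = prop }
      next
    }
    msg ~ /CHILD_SA .* established/ { ok = 1; print "OK child_sa_established" }
    msg ~ /could not decrypt/       { print "FAIL psk_mismatch" }
    msg ~ /INVALID_ID_INFORMATION/  { print "FAIL wrong_network" }
    msg ~ /AUTHENTICATION_FAILED/   { print "FAIL wrong_id" }
    msg ~ /NO_PROPOSAL_CHOSEN/ {
      # Heuristic from this page: no selected IKE proposal means phase 1 failed.
      print "FAIL no_proposal_chosen " (("selected:IKE" in seen) ? "phase2" : "phase1")
    }
    END {
      if (ok) exit
      n = split("IKE ESP", protos, " ")
      for (i = 1; i <= n; i++) {
        r = "received:" protos[i]; c = "configured:" protos[i]
        s = "selected:" protos[i]
        # Both sides logged a proposal, they differ, and none was selected.
        if ((r in seen) && (c in seen) && !(s in seen) && seen[r] != seen[c])
          print "WARN proposal_mismatch_" protos[i] " peer=" seen[r] " local=" seen[c]
      }
    }
  '
}

# Two lines copied from the log excerpts on this page, plus one constructed
# line for a second connection (other) to show the connection filter.
SAMPLE='Nov 16 20:29:38 15[CFG] <s2s|4> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ
Nov 16 20:29:38 15[CFG] <s2s|4> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Nov 16 20:29:39 02[IKE] <other|7> received AUTHENTICATION_FAILED error notify'

printf '%s\n' "$SAMPLE" | diagnose_conn s2s
```

For a saved excerpt, run it as diagnose_conn "$CONN" < excerpt.log with CONN set as at the top of this page.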