Here's some output from the debug log:
Nov 15 15:33:37 cli[5123]: [primary tunnel] ipsec_tunnel_connect(1764): primary tunnel, cli_local_ip 10.40.168.206 netmask 255.0.0.0
Nov 15 15:33:37 cli[5123]: [primary tunnel] addroute(602):Dst 81856705 mask 0 gw 100000a
Nov 15 15:33:37 cli[5123]: [primary tunnel] set_route_af: ioctl (SIOCADDRT) failed error no(17)
Nov 15 15:33:37 cli[5123]: [primary tunnel] ipsec_tunnel_connect(1785): add route table destination X.XXX.XXX.XXX, gw 10.0.0.1, interface ppp0.
Nov 15 15:33:37 cli[5123]: [primary tunnel] Starting rapper with lifetime p1 = 28000 p2 = 7200
Nov 15 15:33:37 cli[5123]: [primary tunnel] Starting IAP rapper 0 to X.XXX.XXX.XXX:8423 attmpt 0 for profile tunnel
Nov 15 15:33:37 cli[5123]: [primary tunnel] lauch rapper command: rapper -c X.XXX.XXX.XXX -d 1 -C -b 1 -i ppp0 -x -G 0 -r 8423 -l 28000 -L 7200 -w 1 -o /tmp/rapper-X.XXX.XXX.XXX.txt
Nov 15 15:33:37 cli[5123]: [primary tunnel] Populate the PID 8336 in file /tmp/rapper_ppp_pid_dc_1
Nov 15 15:33:37 cli[5123]: [primary tunnel] tunnel_stop_up_timer(731): stop up timer.
Nov 15 15:33:37 cli[5123]: [primary tunnel] tunnel_start_up_timer(930): tunnel primary tunnel start up timer (30 secs)
Nov 15 15:33:37 cli[5123]: [primary tunnel] tunnel_stop_up_timer(731): stop up timer.
Nov 15 15:33:38 cli[5123]: send_register_local,member send defaultcert checksum at heartbeat,cs_defaultcert_csum= 770462176
Nov 15 15:33:38 cli[5123]: recv_heartbeat_local,compare defaultcert checksum,cs_defaultcert_csum= 770462176 ,received defaultcert_csum =770462176
Nov 15 15:33:38 cli[5123]: recv_heartbeat_local, AP(127.0.0.1) config has taken effect
Nov 15 15:33:38 cli[5123]: receive ap 127.0.0.1 with drt status 0
Nov 15 15:33:42 cli[5123]: ipsec_tunnel_monitor_action(2961): process rapper died, pid 8336.
Nov 15 15:33:48 sapd[5142]: sapd_papi_rcv_cb: Received AMAPI Packet from 127.0.0.1:24891 to 127.0.0.1:7968
Nov 15 15:33:48 sapd[5142]: executeCommandObject: Executing AMAPI Command Type: 100
Nov 15 15:33:48 sapd[5142]: sapd_papi_rcv_cb: Received AMAPI Packet from 127.0.0.1:24891 to 127.0.0.1:7968
Nov 15 15:33:48 sapd[5142]: executeCommandObject: Executing AMAPI Command Type: 100
Nov 15 15:33:49 cli[5123]: send_register_local,member send defaultcert checksum at heartbeat,cs_defaultcert_csum= 770462176
Nov 15 15:33:49 cli[5123]: recv_heartbeat_local,compare defaultcert checksum,cs_defaultcert_csum= 770462176 ,received defaultcert_csum =770462176
Nov 15 15:33:49 cli[5123]: recv_heartbeat_local, AP(127.0.0.1) config has taken effect
Nov 15 15:33:49 cli[5123]: receive ap 127.0.0.1 with drt status 0
Nov 15 15:33:53 cli[5123]: ipsec_tunnel_monitor_action(2961): process rapper died, pid 8336.
Nov 15 15:33:56 sapd[5142]: sapd_papi_rcv_cb: Received AMAPI Packet from 127.0.0.1:24891 to 127.0.0.1:7968
Nov 15 15:33:56 sapd[5142]: executeCommandObject: Executing AMAPI Command Type: 100
It makes little sense to me, but my hunch is it's happening because it cannot pick/find the certificate file to use when attempting the connection.
In the vpn-brief log files I just have a million lines of
2021-11-15 15:51:46 [primary tunnel] name.mydomain.dk resolved peer ip address X.XXX.XXX.XXX.
and in the vpn-tunnel log files a million lines of:
2021-11-15 15:56:50 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24067.
2021-11-15 15:56:59 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24067.
2021-11-15 15:57:04 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24067.
2021-11-15 15:57:10 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24467.
2021-11-15 15:57:15 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24467.
2021-11-15 15:57:20 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24467.
2021-11-15 15:57:25 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24467.
2021-11-15 15:57:34 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24467.
2021-11-15 15:57:39 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24467.
2021-11-15 15:57:45 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24856.
2021-11-15 15:57:50 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24856.
2021-11-15 15:57:55 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24856.
2021-11-15 15:58:00 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24856.
2021-11-15 15:58:10 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24856.
2021-11-15 15:58:15 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24856.
2021-11-15 15:58:20 ipsec_tunnel_monitor_action(2961): process rapper died, pid 25247.
2021-11-15 15:58:25 ipsec_tunnel_monitor_action(2961): process rapper died, pid 25247.
2021-11-15 15:58:30 ipsec_tunnel_monitor_action(2961): process rapper died, pid 25247.
2021-11-15 15:58:35 ipsec_tunnel_monitor_action(2961): process rapper died, pid 25247.
2021-11-15 15:58:45 ipsec_tunnel_monitor_action(2961): process rapper died, pid 25247.
I have substituted my domain name and resolved IP address in these logs, but they are both correctly mentioned in the logs.
------------------------------
Tue Madsen
------------------------------
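The debug log above shows two things a triage script can pull out mechanically: the SIOCADDRT ioctl failing with errno 17, and rapper being respawned under a new PID every few seconds while the monitor keeps reporting the old one dead. The following is an added example, not code from the post or from Aruba: it parses the two line shapes seen in the post (the syslog-style debug log and the dated vpn-tunnel log), pairs each "Populate the PID N" launch with the "process rapper died, pid N" reports that follow, decodes the errno with Python's errno module (17 is EEXIST, "route already exists"), and flags a crash loop when several distinct rapper PIDs die inside a short window. The sample log is constructed in the format of the original, using the documentation address 192.0.2.10 and made-up PIDs; the 60 s / 3 PID thresholds are my choice, not anything Aruba documents. It also surfaces the rapper command line as logged, on the assumption that the file passed after -o holds rapper's own output and is the next place to look for which certificate it presented.

```python
"""Triage an Aruba Instant (IAP) VPN debug log for a rapper crash loop.

Added example, not code from the post or from Aruba. SAMPLE_LOG is constructed
in the format of the original log: documentation address 192.0.2.10, made-up
PIDs. Syslog-style lines carry no year, so the caller supplies one.
"""
import errno
import re
from datetime import datetime

SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
ISO_RE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$')
LAUNCH_RE = re.compile(r'Populate the PID (?P<pid>\d+) in file')
DIED_RE = re.compile(r'process rapper died, pid (?P<pid>\d+)')
IOCTL_RE = re.compile(r'ioctl \((?P<call>\w+)\) failed error no\((?P<code>\d+)\)')
# The firmware string is spelled "lauch rapper command"; accept either spelling.
CMD_RE = re.compile(r'lau?n?ch rapper command: (?P<cmd>rapper .*)$')

SAMPLE_LOG = """\
Nov 15 15:33:37 cli[5123]: [primary tunnel] set_route_af: ioctl (SIOCADDRT) failed error no(17)
Nov 15 15:33:37 cli[5123]: [primary tunnel] lauch rapper command: rapper -c 192.0.2.10 -i ppp0 -r 8423 -o /tmp/rapper-192.0.2.10.txt
Nov 15 15:33:37 cli[5123]: [primary tunnel] Populate the PID 8336 in file /tmp/rapper_ppp_pid_dc_1
Nov 15 15:33:42 cli[5123]: [primary tunnel] ipsec_tunnel_monitor_action(2961): process rapper died, pid 8336.
Nov 15 15:33:53 cli[5123]: [primary tunnel] ipsec_tunnel_monitor_action(2961): process rapper died, pid 8336.
Nov 15 15:33:58 cli[5123]: [primary tunnel] Populate the PID 8412 in file /tmp/rapper_ppp_pid_dc_1
Nov 15 15:34:03 cli[5123]: [primary tunnel] ipsec_tunnel_monitor_action(2961): process rapper died, pid 8412.
Nov 15 15:34:20 cli[5123]: [primary tunnel] Populate the PID 8497 in file /tmp/rapper_ppp_pid_dc_1
Nov 15 15:34:25 cli[5123]: [primary tunnel] ipsec_tunnel_monitor_action(2961): process rapper died, pid 8497.
Nov 15 15:34:48 sapd[5142]: executeCommandObject: Executing AMAPI Command Type: 100
"""


def parse_line(line, year=2021):
    """Return (timestamp, message) for a syslog-style or ISO-dated line, else None."""
    line = line.rstrip('\n')
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S').replace(year=year)
        return ts, m.group('msg')
    m = ISO_RE.match(line)
    if m:
        return datetime.strptime(m.group('ts'), '%Y-%m-%d %H:%M:%S'), m.group('msg')
    return None


def triage(lines, year=2021, window_s=60, threshold=3):
    """Summarise rapper lifecycle events. crash_loop is True when at least
    `threshold` distinct rapper PIDs are first reported dead within `window_s`."""
    launched = {}        # pid -> timestamp of its 'Populate the PID' line
    first_death = {}     # pid -> first 'process rapper died' timestamp
    death_reports = 0    # the monitor repeats the report for the same pid
    ioctl_errors = []    # (ts, ioctl name, errno, symbolic errno)
    commands = []        # rapper command lines as logged
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, msg = parsed
        if (m := LAUNCH_RE.search(msg)):
            launched.setdefault(int(m.group('pid')), ts)
        elif (m := DIED_RE.search(msg)):
            death_reports += 1
            first_death.setdefault(int(m.group('pid')), ts)
        elif (m := IOCTL_RE.search(msg)):
            code = int(m.group('code'))
            ioctl_errors.append((ts, m.group('call'), code, errno.errorcode.get(code, '?')))
        elif (m := CMD_RE.search(msg)):
            commands.append(m.group('cmd'))

    # Seconds each rapper instance survived between launch and first death report.
    lifetimes = {pid: (first_death[pid] - launched[pid]).total_seconds()
                 for pid in first_death if pid in launched}

    # Sliding window over the first-death times of distinct PIDs.
    times = sorted(first_death.values())
    crash_loop = False
    for i, start in enumerate(times):
        inside = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_s)
        if inside >= threshold:
            crash_loop = True
            break

    return {
        'dead_pids': sorted(first_death),
        'death_reports': death_reports,
        'lifetimes_s': lifetimes,
        'ioctl_errors': ioctl_errors,
        'commands': commands,
        'crash_loop': crash_loop,
    }


if __name__ == '__main__':
    report = triage(SAMPLE_LOG.splitlines())
    for pid, secs in report['lifetimes_s'].items():
        print(f'rapper pid {pid} lived {secs:.0f}s before the monitor reported it dead')
    for ts, call, code, name in report['ioctl_errors']:
        print(f'{ts:%H:%M:%S} {call} failed: errno {code} ({name})')
    print('rapper command:', report['commands'])
    print('crash loop:', report['crash_loop'])
```

Run against a real debug log with `triage(open('debug.log').readlines(), year=2021)`; the vpn-tunnel log's dated lines are accepted by the same parser, and lines that match neither shape are skipped. A short, constant lifetime per PID (5 s in the sample) points at rapper exiting on its own before any IKE exchange completes, which is consistent with nothing ever appearing on the strongSwan side.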
Original Message:
Sent: Nov 15, 2021 09:45 AM
From: Tue Madsen
Subject: IAP VPN and custom certs
I'm trying to get my standalone IAP to VPN home to my strongSwan implementation on pfSense, but I cannot get it to use the proper certificates.
I have uploaded the proper CA authority that does my cert signing, and I have uploaded a client cert that I use for tunnel data, but no matter what I do, it still attempts to connect using the built-in TPM device certificate, which is not trusted by my strongSwan IPsec server.
I have then tried creating a custom VPN profile using "vpn tunnel-profile <profilename>", where you can issue a "use-custom-cert" command...
But this seems like rather unfinished work in the OS. I cannot specify which cert to use, and even though I have set up the profile correctly, the rapper process dies several times a minute trying to establish the VPN connection. It never gets far enough that I actually see any connects on the other end.
Any ideas? Running Instant OS 8.9.0.0 on an Aruba IAP-203R.
------------------------------
Tue Madsen
------------------------------