cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Remote Access Solutions

The place to discuss all of Check Point's Remote Access VPN solutions, including Mobile Access Software Blade, Endpoint Remote Access VPN, SNX, Capsule Connect, and more!

Soeren_Rothe
Soeren_Rothe inside Remote Access Solutions 17 hours ago
views 710 2 9

C2S - strongSwan (Roadwarrior) and R80.30 - working

******************************WORKING RELEASES:ReleasestrongSwan VersionFedora 315.7.2/K5.3.11-300.fc31      Mint 18.35.3.5/K4.10.0-38openSUSE 15.15.6.0/K4.12.14-lp151.28.32openSUSE Tumbleweed5.6.4******************************Before you begin, please make sure you have a working Remote Access environment using one of the Check Point Endpoint Clients (Windows / MacOS). This is a guide to connect a Linux VPN Client based on strongSwan to your Check Point environment, using certificates from the InternalCA.----------------------Attention:- You might adjust the MTU settings manually because this is not done by strongSwan- right=%defaultroute does not work for me, I need to enter my Client IP Address- if possible use Libreswan, it works better and easier to configure----------------------Gateway / SmartCenter The first step is to export the Check Point VPN Gateway Certificate from the SmartCenter. Also create a local User in SmartDashboard and export the User p12 Certificate.R80.30 Jumbo Take 76 - Standalone Firewall VPN Object: home-fwVPN Certificate: defaultCertEncryption Domain: 192.168.0.0/24 1)Export the Firewall p12 VPN Certificate (home-fw) from the SmartCenter. To check the Certificate name, open the FW object in SmartDashboard - IPSec VPN - Certificate Nickname  (usually defaultCert) Usage: export_p12 -obj <network object> -cert <certobj> -file <filename> -passwd <password> Mgmt# export_p12 -obj home-fw -cert defaultCert -f home-fw.p12 -passwd 123456 A file named "home-fw.p12" will be generated. Copy this over to the Linux VM.2)In the User object create a p12 certificate and copy the file over to the Linux VM. For example: soeren.p12Make sure that this user is part of the Remote Access community, you can check if the connections works with a Check Point VPN Client using Username / PW for example. openSUSE1) Install and configure strongSwan using yast  # sudo yast 2) Now it is time to convert the P12 to PEM files and place them in the correct folder 1) Convert User Certificate # openssl pkcs12 -in soeren.p12 -out soeren.pem -clcerts -nokeys 2) Extract private Key from User Certificate # openssl pkcs12 -in soeren.p12 -out soeren.key.pem -nocerts -nodes 3) Convert Firewall Certificate # openssl pkcs12 -in home-fw.p12 -out home-fw.pem -clcerts -nokeys 4) copy PEM files to /etc/ipsec.d # sudo cp soeren.pem /etc/ipsec.d/certs # sudo cp home-fw.pem /etc/ipsec.d/certs # sudo cp soeren.key.pem /etc/ipsec.d/private 3) enable and start strongSwan.  # systemctl enable strongswan # systemctl start strongswan # systemctl status strongswan # only status information 4) Edit the main configuration file /etc/ipsec.conf # sudo vi /etc/ipsec.conf  # ipsec.conf - strongSwan IPsec configuration file # basic configuration config setup # strictcrlpolicy=yes # uniqueids = no # charondebug=1 # Add connections here. conn home # Right side is stronSwan - RoadWarrior right=172.20.10.13 # Client IP Address or try %defaultroute rightcert=soeren.pem # Certificate filename of the user - from /etc/ipsec.d/certs # Left side is Check Point left=46.89.4.xxx # put here your Gateway IP Address leftsubnet=192.168.0.0/24 # put here your company's network range or 0.0.0.0/0 for any leftcert=home-fw.pem # Certificate filename of the FW - from /etc/ipsec.d/certs leftid=192.168.0.1 # Check Point responds with the Main IP Address from the FW Object # config type=tunnel keyingtries=3 authby=rsasig ike=aes256-sha1-modp1024 # check if IKE P1 parameters are allowed under Global Prop. - RA esp=aes128-sha1 # check if IKE P2 parameters are allowed ikelifetime=8h # IKE Lifetime 8h for IKE Phase P1 IMPORTANT lifetime=1h # SA Lifetime 1h for IKE Phase P2 IMPORTANT keyexchange=ikev1 # use IKEv1 auto=add ******************************Attention:You need to change "leftid=xxx.xxx.xxx.xxx" to the IP Address which is configured as the Main IP Address of the Firewall Object in SmartDashboard. If the IP Address is not correct, the Logfile will show an error like this:received end entity cert "O=home-fw..22erwk, CN=home-fw VPN Certificate"IDir '192.168.0.1' does not match to 'O=home-fw..22erwk, CN=home-fw VPN Certificate'deleting IKE_SA home[1] between 172.20.10.13[O=home-fw..22erwk, OU=users, CN=soeren]...46.89.4.xxx[%any]sending DELETE for IKE_SA home[1]generating INFORMATIONAL_V1 request 2100344439 [ HASH D ]sending packet: from 172.20.10.13[4500] to 46.89.4.xxx[4500] (92 bytes)establishing connection 'home' failedThe meaning of the error: leftid must be "192.168.0.1" in this example******************************5) Edit /etc/ipsec.secrets and add the private Key from your User # sudo vi /etc/ipsec.secrets  # # ipsec.secrets # # This file holds the RSA private keys or the PSK preshared secrets for # the IKE/IPsec authentication. See the ipsec.secrets(5) manual page. # : RSA /etc/ipsec.d/private/soeren.key.pem 6) restart strongSwan # sudo ipsec restart 7) Initiate the connection # sudo ipsec up home 8 ) For troubleshooting, always run this after modifying /etc/ipsec.conf # sudo ipsec restart # sudo ipsec up home 9) Troubleshooting command # sudo ipsec statusall 10) Logfile from working setup soeren@linux-4suj:~> sudo ipsec up home initiating Main Mode IKE_SA home[2] to 46.89.4.xxx generating ID_PROT request 0 [ SA V V V V V ] sending packet: from 172.20.10.13[500] to 46.89.4.xxx[500] (240 bytes) received packet: from 46.89.4.xxx[500] to 172.20.10.13[500] (124 bytes) parsed ID_PROT response 0 [ SA V V ] received FRAGMENTATION vendor ID received NAT-T (RFC 3947) vendor ID generating ID_PROT request 0 [ KE No NAT-D NAT-D ] sending packet: from 172.20.10.13[500] to 46.89.4.xxx[500] (244 bytes) received packet: from 46.89.4.xxx[500] to 172.20.10.13[500] (432 bytes) parsed ID_PROT response 0 [ KE No CERTREQ CERTREQ CERTREQ NAT-D NAT-D NAT-D ] received cert request for unknown ca 'O=home-fw..22erwk' ignoring certificate request without data local host is behind NAT, sending keep alives remote host is behind NAT authentication of 'O=home-fw..22erwk, OU=users, CN=soeren' (myself) successful sending end entity cert "O=home-fw..22erwk, OU=users, CN=soeren" generating ID_PROT request 0 [ ID CERT SIG N(INITIAL_CONTACT) ] sending packet: from 172.20.10.13[4500] to 46.89.4.xxx[4500] (988 bytes) received packet: from 46.89.4.xxx[4500] to 172.20.10.13[4500] (940 bytes) parsed ID_PROT response 0 [ ID CERT SIG V ] received DPD vendor ID received end entity cert "O=home-fw..22erwk, CN=home-fw VPN Certificate" no issuer certificate found for "O=home-fw..22erwk, CN=home-fw VPN Certificate" issuer is "O=home-fw..22erwk" using trusted certificate "O=home-fw..22erwk, CN=home-fw VPN Certificate" authentication of '192.168.0.1' with RSA_EMSA_PKCS1_NULL successful IKE_SA home[2] established between 172.20.10.13[O=home-fw..22erwk, OU=users, CN=soeren]...46.89.4.xxx[192.168.0.1] scheduling reauthentication in 28150s maximum IKE_SA lifetime 28690s generating QUICK_MODE request 2852597160 [ HASH SA No ID ID ] sending packet: from 172.20.10.13[4500] to 46.89.4.xxx[4500] (204 bytes) received packet: from 46.89.4.xxx[4500] to 172.20.10.13[4500] (172 bytes) parsed QUICK_MODE response 2852597160 [ HASH SA No ID ID ] CHILD_SA home{2} established with SPIs c9f7a279_i dc7aff75_o and TS 172.20.10.13/32 === 192.168.0.0/24 generating QUICK_MODE request 2852597160 [ HASH ] sending packet: from 172.20.10.13[4500] to 46.89.4.xxx[4500] (60 bytes) connection 'home' established successfully *Note openSUSE*- perform a reboot if there is no output by running the "ipsec" commands.- after a reboot run "# sudo ipsec restart", otherwise an error show up like described belowFor example: soeren@linux-guki:~> sudo ipsec up home initiating Main Mode IKE_SA home[1] to 172.20.10.11 no private key found for '192.168.0.1' configuration uses unsupported authentication tried to checkin and delete nonexisting IKE_SA establishing connection 'home' failed soeren@linux-guki:~> sudo ipsec restart Stopping strongSwan IPsec... Starting strongSwan 5.6.0 IPsec [starter]... soeren@linux-guki:~> sudo ipsec up home initiating Main Mode IKE_SA home[1] to 46.89.4.xxx generating ID_PROT request 0 [ SA V V V V V ] sending packet: from 172.20.10.11[500] to 46.89.4.xxx[500] (240 bytes) received packet: from 46.89.4.xxx[500] to 172.20.10.11[500] (124 bytes) then it works...    MTU SIZEFind out the Interface Name and actual MTU size soeren@linux-4suj:/etc> ip link show | grep mtu 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 Establish the VPN connection and find out the max MTU size soeren@linux-4suj:/etc> ping -c 3 -M do -s 1500 192.168.0.20 PING 192.168.0.20 (192.168.0.20) 1500(1528) bytes of data. ping: local error: message too long, mtu=1422 ping: local error: message too long, mtu=1422 ping: local error: message too long, mtu=1422 In this example the max MTU size is: 1394 (+28 = 1422) soeren@linux-4suj:/etc> sudo ip link set ens33 mtu 1394 Re-establish the VPN connection. # sudo ipsec restart # sudo ipesc up home 
Soeren_Rothe
Soeren_Rothe inside Remote Access Solutions yesterday
views 631 4 12

C2S - Libreswan 3.23 (Roadwarrior) and R80.30 - working

******************************WORKING RELEASES:CentOS 8.0Fedora 31Mint 19.2Ubuntu 18.04.03 LTSUbuntu 19.10******************************Before you begin, please make sure you have a working Remote Access environment using one of the Check Point Endpoint Clients (Windows / MacOS). This is a guide to connect a Linux VPN Client based on Libreswan to your Check Point environment, using certificates from the InternalCA.Beginning with libreswan all certificates are stored in the NSS database, therefore we need all certificates (User and CP GW) in P12. Linux Mint 19.21) Download the ISO Image linuxmint-19.2-cinnamon-64bit.iso which uses libreswan: 3.23 (netkey)2) After Mint 19.2 Linux was installed, install the latest libreswan binary using # sudo apt-get install libreswan 3) Initialize the NSS Database  # sudo ipsec initnss 4) check Database by running # sudo certutil -L -d sql:/var/lib/ipsec/nss Gateway / SmartCenter The first step is to export the Check Point VPN Gateway Certificate from the SmartCenter. Also create a local User in SmartDashboard and export the User p12 Certificate.R80.30 Jumbo Take 76 - Standalone Firewall VPN Object: home-fwVPN Certificate: defaultCertEncryption Domain: 192.168.0.0/24  1) Export the Firewall p12 VPN Certificate (home-fw) from the SmartCenter. To check the Certificate name, open the FW object in SmartDashboard - IPSec VPN - Certificate Nickname  (usually defaultCert).Run in CLI (bash) on the SmartCenter: Usage: export_p12 -obj <network object> -cert <certobj> -file <filename> -passwd <password> Mgmt# export_p12 -obj home-fw -cert defaultCert -f home-fw.p12 -passwd 123456 A file named "home-fw.p12" will be generated. Copy this over to the Linux VM.2) In the User object create a p12 certificate and copy the file over to the Linux VM. For example: soeren.p12Make sure that this user is part of the Remote Access community, you can check if the connections works with a Check Point VPN Client using Username / PW for example. Linux Mint 19.2Now it is time to import the certificates and to do the libreswan config1)Both p12 certificates home-fw.p12 and soeren.p12 are imported using the command "ipsec import"  # sudo ipsec import home-fw.p12 # sudo ipsec import soeren.p12 The following command should display all certificates, also the Certificate Nicknames. The Nickname is important for the libreswan configuration later on. # sudo certutil -L -d sql:/var/lib/ipsec/nss # sudo certutil -L -d sql:/etc/ipsec.d # Fedora # CentOS  soeren.p12 uses the Certificate Nickname "soeren" and home-fw.p12 uses the Certificate Nickname "defaultCert".2)In /etc/ipsec.conf only enable the logging.  # sudo vi /etc/ipsec.conf # /etc/ipsec.conf - Libreswan IPsec configuration file # # Manual: ipsec.conf.5 config setup # Normally, pluto logs via syslog. If you want to log to a file, # specify below or to disable logging, eg for embedded systems, use # the file name /dev/null # Note: SElinux policies might prevent pluto writing to a log file at # an unusual location. logfile=/var/log/pluto.log # # Do not enable debug options to debug configuration issues! # # plutodebug "all", "none" or a combation from below: # "raw crypt parsing emitting control controlmore kernel pfkey # natt x509 dpd dns oppo oppoinfo private". # Note: "private" is not included with "all", as it can show confidential # information. It must be specifically specified # examples: # plutodebug="control parsing" # plutodebug="all crypt" # Again: only enable plutodebug when asked by a developer # plutodebug=none # # NAT-TRAVERSAL support # exclude networks used on server side by adding %v4:!a.b.c.0/24 # It seems that T-Mobile in the US and Rogers/Fido in Canada are # using 25/8 as "private" address space on their wireless networks. # This range has never been announced via BGP (at least up to 2015) virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 # There is also a lot of information in the manual page, "man ipsec.conf" # # It is best to add your IPsec connections as separate files in /etc/ipsec.d/ include /etc/ipsec.d/*.conf 3) Create a new file called "ra.conf" and "ra.secrets" in /etc/ipsec.d/ #sudo touch /etc/ipsec.d/ra.conf #sudo touch /etc/ipsec.d/ra.secrets 4) edit the /etc/ipsec.d/ra.conf file  #sudo vi /etc/ipsec.d/ra.confconn home # Right side is libreswan - RoadWarrior right=%defaultroute # or IP address of the Client rightcert=soeren # Certificate Nickname of the users rightid=%fromcert # Certificate ID # Left side is Check Point left=xxx.xxx.xxx.xxx # put here your Gateway IP Address leftsubnet=192.168.0.0/24 # put here your company's network range or 0.0.0.0/0 for any leftcert=defaultCert # Certificate Nickname of the CP GW leftid=%fromcert # Certificate ID # config type=tunnel keyingtries=3 disablearrivalcheck=no authby=rsasig #ike=aes256-sha1;modp1536 # force AES256, SHA1; DH5 in IKE Phase 1 #phase2alg=aes128-sha1 # force AES128, SHA1 in IKE Phase 2 ikelifetime=8h # IKE Lifetime 8h for IKE Phase P1 salifetime=1h # SA Lifetime 1h for IKE Phase P2 pfs=no # No PFS in IKE Phase 2 mtu=1400 # lower MTU size, if not, several Web Sites won't be accessible ikev2=no # IKEv2 is not supported by Check Point in RemoteAccess keyexchange=ike auto=route 5) Start ipsec with systemctl # systemctl enable ipsec # systemctl start ipsec # systemctl status ipsec (to check if ipsec was started successfully) 6) Initiate VPN connection to Check Point Gateway # sudo ipsec auto --add home # systemctl restart ipsec # sudo ipsec auto --up home Connection from Client was successfully initialized. 7 ) Logs from Check Point GUII still need to test DPD (Dead Peer Detection). If the VPN is removed from the CP side, the connection won't be re-established from libreswan.

Client Capsule VPN on IOS or ANDROID -- Routing all traffics in VPN Tunnel

Is there a way to active the all routing traffics in the VPN Tunnel for a IOS Client Capsule like the Endpoint VPN client ?Thanks/nj  
Help_Desk_Help_
Help_Desk_Help_ inside Remote Access Solutions yesterday
views 4754 14 1

SSL SNX macos catalina support

hello all ,some users upgraded their macbook to the latest macos catalina , and since then they can no longer connect to ssl using their installed network extender.We have gaia r77.30 take 317 and the mabda sk113410.Any suggestion will be welcome. I assume Checkpoint will offer a new mabda version in the near future,thank you 
abihsot__
abihsot__ inside Remote Access Solutions Saturday
views 104 3

MAB - disable web credentials popup

Hello,is there a way to disable "web credentials" popup for particular web application in Mobile Access (R80.20)?  
Gaurav_Pandya
Gaurav_Pandya inside Remote Access Solutions Friday
views 1279 5

File Share Application in Mobile Access SSL VPN

Hi All,Below are the steps to implement File share application with Mobile Access SSL VPN.Create File share Application.Configure Target IP in which Sharing file/ application located.Give proper pathAllow this application in Mobile access rule & you will find this application after connecting to SSL VPN.

R80.30 - Viewing SmartView as a web application via SSL VPN portal (non-native)

Hi,I can view SmartView via full VPN, and also via Capsule VPN.But on a host where that is not an option, I have tried to enable access as a web application.It almost works(!) , but when I click on the link via the SSL VPN, the page attempts to load, I see a spinner in the middle of the screen and the tab at the top of the Chrome browser shows the SmartView text and colour scheme but the login screen never actually appears.When I had a look in the logs I can see that when I access via full VPN, my office mode address is the source.  Over SSL VPN, it shows the IP of either of the two firewalls as part of the cluster, which makes sense, but these are allowed. I see no blocks.Has anyone had any luck getting this to work?Howard
abihsot__
abihsot__ inside Remote Access Solutions Thursday
views 568 7

CVPND process consumes 100% CPU

Hi There, I have a problem - during policy push cvpnd process is going 100% for 30 seconds during which existing or new connections are not served and users get page not displayed error. I checked debug of cvpnd process and my findings are that 98% of the lines (out of 2 millions) are:[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: no intersection[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: intersecting: [x.x.x.x.,x.x.x.x] and [x.x..x.x,x.x..x.x.x.][12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: no intersection What is this ROLE_MATCHER_API doing? It seems it is flooding the process hence it is busy with 100% load. R80.20 latest JHF 
abihsot__
abihsot__ inside Remote Access Solutions Thursday
views 152 3

Cannot open "link translation" in SmartDashboard

Hello,I am using R80.30 jhf50 for management server and when I go to mobile access > additional settings > link translation I get following error. I click ok and get another message saying encountered an improper argument and it is in the endless loop showing the same message... I have to kill smartdashboard process from task manager.I found this domain object in mobile access > additional settings > DNS names, removed it, but that didn't helped... Any ideas?  
Garrett_Anderso
Garrett_Anderso inside Remote Access Solutions Thursday
views 156 3 1

why does MABDA still require Java? SNX replacement

Hello -- I was under impression that R&D actively working on replacement of the legacy JAVA-based SNX.The expectation was was new HTML5-based architecture with JAVA not part of equation.     Example:   customer who would like to completely remove JAVA from any endpoint device. The following SK has been referenced multiple times on checkmates.    Why is JAVA still an installation requirement on Windows (example:  it's needed for endpoint compliance check)?apologies for the potentially dense question.   thx sk113410 - Mobile Access Portal and Java Compatibility - New Mobile Access Portal Agent technology 
Gabriel_Rosas
Gabriel_Rosas inside Remote Access Solutions Wednesday
views 147 2

SSL Network Extender Issue

Hi team,I am having a random issue with remote users connected to the RemoteAccess vpn.Remote users can login to the portal and the office mode IP assigns correctly. We do not know why some times users cannot access the resource. When connections are being dropped logs show: "Drecipted and user method are not identical (vpn error code 1). It seems like that the gateway is identifying the users connections as a Site-to-Site communication from one of our peer gateways even when the encryption domains are not the same. This issue is presenting since we upgraded to R80.20.So, we have some questions...Do we need to configure static routes in the customer switch core?We have a clusterXL HA deployment and different office mode segments are configured in the cluster members. We have detected that only with one member the issue is presenting. Do we need to use the same office mode pool in both cluster members? Regards.     
rkucera
rkucera inside Remote Access Solutions a week ago
views 2107 6

L2TP over IPSec Linux VPN

Hi,we are trying to establish a L2TP over IPSec connection with Linux clients. I've already read a few entries about Linux client vpn in the forum, but they didn't really help me.We tested it with an IOS and Android device where it worked without any problems. On the IOS device you only have to enter the Gateway IP address, the shared key and the username /password (see screen). We get an Office Mode IP address at the connection.Unfortunately the connection with Linux does not work although we use the same settings (see screen).We always get the following entries/errors in the connection log. We have tried it with Strongswan as well as with Libreswan:Strongswan:Mar 26 21:46:30 I-00000342U NetworkManager[996]: <info> [1553633190.0399] audit: op="connection-activate" uuid="60aa7e6b-c31f-4ce1-abe5-5b7695c44209" name="VPN_GW" pid=2365 uid=591804607 result="success" Mar 26 21:46:30 I-00000342U NetworkManager[996]: <info> [1553633190.0436] vpn-connection[0x556d610801e0,60aa7e6b-c31f-4ce1-abe5-5b7695c44209,"VPN_GW",0]: Started the VPN service, PID 8568 Mar 26 21:46:30 I-00000342U NetworkManager[996]: <info> [1553633190.0502] vpn-connection[0x556d610801e0,60aa7e6b-c31f-4ce1-abe5-5b7695c44209,"VPN_GW",0]: Saw the service appear; activating connection Mar 26 21:46:30 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: gdk_pixbuf_from_pixdata() called on: at /usr/bin/shutter line 2891. Mar 26 21:46:30 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Encoding raw at /usr/bin/shutter line 2891. Mar 26 21:46:30 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Dimensions: 16 x 16 at /usr/bin/shutter line 2891. Mar 26 21:46:30 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Rowstride: 64, Length: 1048 at /usr/bin/shutter line 2891. Mar 26 21:46:30 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Copy pixels == false at /usr/bin/shutter line 2891. Mar 26 21:46:30 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: gdk_pixbuf_from_pixdata() called on: at /usr/bin/shutter line 2891. Mar 26 21:46:30 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Encoding raw at /usr/bin/shutter line 2891. Mar 26 21:46:30 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Dimensions: 16 x 16 at /usr/bin/shutter line 2891. Mar 26 21:46:30 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Rowstride: 64, Length: 1048 at /usr/bin/shutter line 2891. Mar 26 21:46:30 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Copy pixels == false at /usr/bin/shutter line 2891. Mar 26 21:46:35 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: gdk_pixbuf_from_pixdata() called on: at /usr/bin/shutter line 2891. Mar 26 21:46:35 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Encoding raw at /usr/bin/shutter line 2891. Mar 26 21:46:35 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Dimensions: 16 x 16 at /usr/bin/shutter line 2891. Mar 26 21:46:35 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Rowstride: 64, Length: 1048 at /usr/bin/shutter line 2891. Mar 26 21:46:35 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Copy pixels == false at /usr/bin/shutter line 2891. Mar 26 21:46:35 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: gdk_pixbuf_from_pixdata() called on: at /usr/bin/shutter line 2891. Mar 26 21:46:35 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Encoding raw at /usr/bin/shutter line 2891. Mar 26 21:46:35 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Dimensions: 16 x 16 at /usr/bin/shutter line 2891. Mar 26 21:46:35 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Rowstride: 64, Length: 1048 at /usr/bin/shutter line 2891. Mar 26 21:46:35 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Copy pixels == false at /usr/bin/shutter line 2891. Mar 26 21:46:35 I-00000342U NetworkManager[996]: <info> [1553633195.1799] settings-connection[0x556d60ecf440,60aa7e6b-c31f-4ce1-abe5-5b7695c44209]: write: successfully updated (keyfile: update /etc/NetworkManager/system-connections/VPN_GW (60aa7e6b-c31f-4ce1-abe5-5b7695c44209,"VPN_GW")), connection was modified in the process Mar 26 21:46:35 I-00000342U NetworkManager[996]: <info> [1553633195.1878] vpn-connection[0x556d610801e0,60aa7e6b-c31f-4ce1-abe5-5b7695c44209,"VPN_GW",0]: VPN connection: (ConnectInteractive) reply received Mar 26 21:46:35 I-00000342U nm-l2tp-service[8568]: Check port 1701 Mar 26 21:46:35 I-00000342U NetworkManager[996]: Stopping strongSwan IPsec failed: starter is not running Mar 26 21:46:37 I-00000342U NetworkManager[996]: Starting strongSwan 5.6.2 IPsec [starter]... Mar 26 21:46:37 I-00000342U NetworkManager[996]: Loading config setup Mar 26 21:46:37 I-00000342U NetworkManager[996]: Loading conn '60aa7e6b-c31f-4ce1-abe5-5b7695c44209' Mar 26 21:46:37 I-00000342U NetworkManager[996]: found netkey IPsec stack Mar 26 21:46:37 I-00000342U charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic, x86_64) Mar 26 21:46:37 I-00000342U charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' Mar 26 21:46:37 I-00000342U charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' Mar 26 21:46:37 I-00000342U charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' Mar 26 21:46:37 I-00000342U charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' Mar 26 21:46:37 I-00000342U charon: 00[CFG] loading crls from '/etc/ipsec.d/crls' Mar 26 21:46:37 I-00000342U charon: 00[CFG] loading secrets from '/etc/ipsec.secrets' Mar 26 21:46:37 I-00000342U charon: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-60aa7e6b-c31f-4ce1-abe5-5b7695c44209.secrets' Mar 26 21:46:37 I-00000342U charon: 00[CFG] loaded IKE secret for 1.2.3.4 Mar 26 21:46:37 I-00000342U charon: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-68fc3d21-166a-4f56-a302-edd559574ff3.secrets' Mar 26 21:46:37 I-00000342U charon: 00[CFG] loaded IKE secret for %any Mar 26 21:46:37 I-00000342U charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters Mar 26 21:46:37 I-00000342U charon: 00[LIB] dropped capabilities, running as uid 0, gid 0 Mar 26 21:46:37 I-00000342U charon: 00[JOB] spawning 16 worker threads Mar 26 21:46:37 I-00000342U charon: 05[CFG] received stroke: add connection '60aa7e6b-c31f-4ce1-abe5-5b7695c44209' Mar 26 21:46:37 I-00000342U charon: 05[CFG] added configuration '60aa7e6b-c31f-4ce1-abe5-5b7695c44209' Mar 26 21:46:38 I-00000342U charon: 07[CFG] rereading secrets Mar 26 21:46:38 I-00000342U charon: 07[CFG] loading secrets from '/etc/ipsec.secrets' Mar 26 21:46:38 I-00000342U charon: 07[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-60aa7e6b-c31f-4ce1-abe5-5b7695c44209.secrets' Mar 26 21:46:38 I-00000342U charon: 07[CFG] loaded IKE secret for 1.2.3.4 Mar 26 21:46:38 I-00000342U charon: 07[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-68fc3d21-166a-4f56-a302-edd559574ff3.secrets' Mar 26 21:46:38 I-00000342U charon: 07[CFG] loaded IKE secret for %any Mar 26 21:46:38 I-00000342U charon: 08[CFG] received stroke: initiate '60aa7e6b-c31f-4ce1-abe5-5b7695c44209' Mar 26 21:46:38 I-00000342U charon: 10[IKE] initiating Main Mode IKE_SA 60aa7e6b-c31f-4ce1-abe5-5b7695c44209[1] to 1.2.3.4 Mar 26 21:46:38 I-00000342U charon: 10[ENC] generating ID_PROT request 0 [ SA V V V V V ] Mar 26 21:46:38 I-00000342U charon: 10[NET] sending packet: from 192.168.133.24[500] to 1.2.3.4[500] (204 bytes) Mar 26 21:46:38 I-00000342U charon: 12[NET] received packet: from 1.2.3.4[500] to 192.168.133.24[500] (40 bytes) Mar 26 21:46:38 I-00000342U charon: 12[ENC] parsed INFORMATIONAL_V1 request 604563902 [ N(NO_PROP) ] Mar 26 21:46:38 I-00000342U charon: 12[IKE] received NO_PROPOSAL_CHOSEN error notify Mar 26 21:46:38 I-00000342U NetworkManager[996]: initiating Main Mode IKE_SA 60aa7e6b-c31f-4ce1-abe5-5b7695c44209[1] to 1.2.3.4 Mar 26 21:46:38 I-00000342U NetworkManager[996]: generating ID_PROT request 0 [ SA V V V V V ] Mar 26 21:46:38 I-00000342U NetworkManager[996]: sending packet: from 192.168.133.24[500] to 1.2.3.4[500] (204 bytes) Mar 26 21:46:38 I-00000342U NetworkManager[996]: received packet: from 1.2.3.4[500] to 192.168.133.24[500] (40 bytes) Mar 26 21:46:38 I-00000342U NetworkManager[996]: parsed INFORMATIONAL_V1 request 604563902 [ N(NO_PROP) ] Mar 26 21:46:38 I-00000342U NetworkManager[996]: received NO_PROPOSAL_CHOSEN error notify Mar 26 21:46:38 I-00000342U NetworkManager[996]: establishing connection '60aa7e6b-c31f-4ce1-abe5-5b7695c44209' failed Mar 26 21:46:38 I-00000342U NetworkManager[996]: Stopping strongSwan IPsec... Mar 26 21:46:38 I-00000342U charon: 00[DMN] signal of type SIGINT received. Shutting down Mar 26 21:46:38 I-00000342U nm-l2tp-service[8568]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed Mar 26 21:46:38 I-00000342U NetworkManager[996]: <info> [1553633198.6915] vpn-connection[0x556d610801e0,60aa7e6b-c31f-4ce1-abe5-5b7695c44209,"VPN_GW",0]: VPN plugin: state changed: stopped (6) Mar 26 21:46:38 I-00000342U dbus-daemon[2028]: [session uid=591804607 pid=2028] Activating service name='org.freedesktop.Notifications' requested by ':1.33' (uid=591804607 pid=2365 comm="nm-applet " label="unconfined") Mar 26 21:46:38 I-00000342U NetworkManager[996]: <info> [1553633198.7007] vpn-connection[0x556d610801e0,60aa7e6b-c31f-4ce1-abe5-5b7695c44209,"VPN_GW",0]: VPN service disappeared Mar 26 21:46:38 I-00000342U NetworkManager[996]: <warn> [1553633198.7050] vpn-connection[0x556d610801e0,60aa7e6b-c31f-4ce1-abe5-5b7695c44209,"VPN_GW",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying' Mar 26 21:46:38 I-00000342U dbus-daemon[2028]: [session uid=591804607 pid=2028] Successfully activated service 'org.freedesktop.Notifications' Mar 26 21:46:40 I-00000342U ntpd[1131]: error resolving pool windows.ad.loc: No address associated with hostname (-5)Libreswan:Mar 26 21:48:06 I-00000342U systemd[1]: message repeated 4 times: [ Reloading.] Mar 26 21:48:25 I-00000342U NetworkManager[996]: <info> [1553633305.9419] audit: op="connection-activate" uuid="60aa7e6b-c31f-4ce1-abe5-5b7695c44209" name="VPN_GW" pid=2365 uid=591804607 result="success" Mar 26 21:48:25 I-00000342U NetworkManager[996]: <info> [1553633305.9480] vpn-connection[0x556d610801e0,60aa7e6b-c31f-4ce1-abe5-5b7695c44209,"VPN_GW",0]: Started the VPN service, PID 9153 Mar 26 21:48:25 I-00000342U NetworkManager[996]: <info> [1553633305.9572] vpn-connection[0x556d610801e0,60aa7e6b-c31f-4ce1-abe5-5b7695c44209,"VPN_GW",0]: Saw the service appear; activating connection Mar 26 21:48:26 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: gdk_pixbuf_from_pixdata() called on: at /usr/bin/shutter line 2891. Mar 26 21:48:26 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Encoding raw at /usr/bin/shutter line 2891. Mar 26 21:48:26 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Dimensions: 16 x 16 at /usr/bin/shutter line 2891. Mar 26 21:48:26 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Rowstride: 64, Length: 1048 at /usr/bin/shutter line 2891. Mar 26 21:48:26 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Copy pixels == false at /usr/bin/shutter line 2891. Mar 26 21:48:26 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: gdk_pixbuf_from_pixdata() called on: at /usr/bin/shutter line 2891. Mar 26 21:48:26 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Encoding raw at /usr/bin/shutter line 2891. Mar 26 21:48:26 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Dimensions: 16 x 16 at /usr/bin/shutter line 2891. Mar 26 21:48:26 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Rowstride: 64, Length: 1048 at /usr/bin/shutter line 2891. Mar 26 21:48:26 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Copy pixels == false at /usr/bin/shutter line 2891. Mar 26 21:48:30 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: gdk_pixbuf_from_pixdata() called on: at /usr/bin/shutter line 2891. Mar 26 21:48:30 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Encoding raw at /usr/bin/shutter line 2891. Mar 26 21:48:30 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Dimensions: 16 x 16 at /usr/bin/shutter line 2891. Mar 26 21:48:30 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Rowstride: 64, Length: 1048 at /usr/bin/shutter line 2891. Mar 26 21:48:30 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Copy pixels == false at /usr/bin/shutter line 2891. Mar 26 21:48:30 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: gdk_pixbuf_from_pixdata() called on: at /usr/bin/shutter line 2891. Mar 26 21:48:30 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Encoding raw at /usr/bin/shutter line 2891. Mar 26 21:48:30 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Dimensions: 16 x 16 at /usr/bin/shutter line 2891. Mar 26 21:48:30 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Rowstride: 64, Length: 1048 at /usr/bin/shutter line 2891. Mar 26 21:48:30 I-00000342U org.mate.panel.applet.BriskMenuFactory[2028]: GdkPixbuf-LOG **: #011Copy pixels == false at /usr/bin/shutter line 2891. Mar 26 21:48:30 I-00000342U NetworkManager[996]: <info> [1553633310.2738] settings-connection[0x556d60ecf440,60aa7e6b-c31f-4ce1-abe5-5b7695c44209]: write: successfully updated (keyfile: update /etc/NetworkManager/system-connections/VPN_GW (60aa7e6b-c31f-4ce1-abe5-5b7695c44209,"VPN_GW")), connection was modified in the process Mar 26 21:48:30 I-00000342U NetworkManager[996]: <info> [1553633310.2794] vpn-connection[0x556d610801e0,60aa7e6b-c31f-4ce1-abe5-5b7695c44209,"VPN_GW",0]: VPN connection: (ConnectInteractive) reply received Mar 26 21:48:30 I-00000342U nm-l2tp-service[9153]: Check port 1701 Mar 26 21:48:30 I-00000342U NetworkManager[996]: whack: Pluto is not running (no "/run/pluto/pluto.ctl") Mar 26 21:48:30 I-00000342U NetworkManager[996]: Redirecting to: systemctl stop ipsec.service Mar 26 21:48:30 I-00000342U NetworkManager[996]: warning: could not open include filename: '/etc/ipsec.d/*.conf' Mar 26 21:48:30 I-00000342U libipsecconf[9185]: warning: could not open include filename: '/etc/ipsec.d/*.conf' Mar 26 21:48:30 I-00000342U NetworkManager[996]: warning: could not open include filename: '/etc/ipsec.d/*.conf' Mar 26 21:48:30 I-00000342U libipsecconf[9190]: warning: could not open include filename: '/etc/ipsec.d/*.conf' Mar 26 21:48:30 I-00000342U NetworkManager[996]: warning: could not open include filename: '/etc/ipsec.d/*.conf' Mar 26 21:48:30 I-00000342U libipsecconf[9203]: warning: could not open include filename: '/etc/ipsec.d/*.conf' Mar 26 21:48:30 I-00000342U NetworkManager[996]: warning: could not open include filename: '/etc/ipsec.d/*.conf' Mar 26 21:48:30 I-00000342U libipsecconf[9208]: warning: could not open include filename: '/etc/ipsec.d/*.conf' Mar 26 21:48:30 I-00000342U NetworkManager[996]: Redirecting to: systemctl start ipsec.service Mar 26 21:48:30 I-00000342U systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec... Mar 26 21:48:30 I-00000342U addconn[9477]: warning: could not open include filename: '/etc/ipsec.d/*.conf' Mar 26 21:48:30 I-00000342U libipsecconf[9477]: warning: could not open include filename: '/etc/ipsec.d/*.conf' Mar 26 21:48:30 I-00000342U _stackmanager[9478]: warning: could not open include filename: '/etc/ipsec.d/*.conf' Mar 26 21:48:30 I-00000342U libipsecconf[9480]: warning: could not open include filename: '/etc/ipsec.d/*.conf' Mar 26 21:48:30 I-00000342U _stackmanager[9478]: warning: could not open include filename: '/etc/ipsec.d/*.conf' Mar 26 21:48:30 I-00000342U libipsecconf[9485]: warning: could not open include filename: '/etc/ipsec.d/*.conf' Mar 26 21:48:31 I-00000342U ipsec[9753]: Initializing NSS database Mar 26 21:48:31 I-00000342U ipsec[9756]: warning: could not open include filename: '/etc/ipsec.d/*.conf' Mar 26 21:48:31 I-00000342U libipsecconf[9758]: warning: could not open include filename: '/etc/ipsec.d/*.conf' Mar 26 21:48:31 I-00000342U ipsec[9756]: nflog ipsec capture disabled Mar 26 21:48:31 I-00000342U systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec. Mar 26 21:48:31 I-00000342U NetworkManager[996]: 002 listening for IKE messages Mar 26 21:48:31 I-00000342U NetworkManager[996]: 002 adding interface vmnet8/vmnet8 172.16.7.1:500 Mar 26 21:48:31 I-00000342U NetworkManager[996]: 002 adding interface vmnet8/vmnet8 172.16.7.1:4500 Mar 26 21:48:31 I-00000342U NetworkManager[996]: 002 adding interface vmnet1/vmnet1 172.16.98.1:500 Mar 26 21:48:31 I-00000342U NetworkManager[996]: 002 adding interface vmnet1/vmnet1 172.16.98.1:4500 Mar 26 21:48:31 I-00000342U NetworkManager[996]: 002 adding interface wlp4s0/wlp4s0 192.168.133.24:500 Mar 26 21:48:31 I-00000342U NetworkManager[996]: 002 adding interface wlp4s0/wlp4s0 192.168.133.24:4500 Mar 26 21:48:31 I-00000342U NetworkManager[996]: 002 adding interface lo/lo 127.0.0.1:500 Mar 26 21:48:31 I-00000342U NetworkManager[996]: 002 adding interface lo/lo 127.0.0.1:4500 Mar 26 21:48:31 I-00000342U NetworkManager[996]: 002 adding interface lo/lo ::1:500 Mar 26 21:48:31 I-00000342U NetworkManager[996]: 002 loading secrets from "/etc/ipsec.secrets" Mar 26 21:48:31 I-00000342U NetworkManager[996]: 002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-60aa7e6b-c31f-4ce1-abe5-5b7695c44209.secrets" Mar 26 21:48:31 I-00000342U NetworkManager[996]: 002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-68fc3d21-166a-4f56-a302-edd559574ff3.secrets" Mar 26 21:48:31 I-00000342U NetworkManager[996]: debugging mode enabled Mar 26 21:48:31 I-00000342U NetworkManager[996]: end of file /var/run/nm-l2tp-ipsec-60aa7e6b-c31f-4ce1-abe5-5b7695c44209.conf Mar 26 21:48:31 I-00000342U NetworkManager[996]: Loading conn 60aa7e6b-c31f-4ce1-abe5-5b7695c44209 Mar 26 21:48:31 I-00000342U NetworkManager[996]: starter: left is KH_DEFAULTROUTE Mar 26 21:48:31 I-00000342U NetworkManager[996]: conn: "60aa7e6b-c31f-4ce1-abe5-5b7695c44209" labeled_ipsec=0 Mar 26 21:48:31 I-00000342U NetworkManager[996]: conn: "60aa7e6b-c31f-4ce1-abe5-5b7695c44209" modecfgdns=(null) Mar 26 21:48:31 I-00000342U NetworkManager[996]: conn: "60aa7e6b-c31f-4ce1-abe5-5b7695c44209" modecfgdomains=(null) Mar 26 21:48:31 I-00000342U NetworkManager[996]: conn: "60aa7e6b-c31f-4ce1-abe5-5b7695c44209" modecfgbanner=(null) Mar 26 21:48:31 I-00000342U NetworkManager[996]: conn: "60aa7e6b-c31f-4ce1-abe5-5b7695c44209" mark=(null) Mar 26 21:48:31 I-00000342U NetworkManager[996]: conn: "60aa7e6b-c31f-4ce1-abe5-5b7695c44209" mark-in=(null) Mar 26 21:48:31 I-00000342U NetworkManager[996]: conn: "60aa7e6b-c31f-4ce1-abe5-5b7695c44209" mark-out=(null) Mar 26 21:48:31 I-00000342U NetworkManager[996]: conn: "60aa7e6b-c31f-4ce1-abe5-5b7695c44209" vti_iface=(null) Mar 26 21:48:31 I-00000342U NetworkManager[996]: opening file: /var/run/nm-l2tp-ipsec-60aa7e6b-c31f-4ce1-abe5-5b7695c44209.conf Mar 26 21:48:31 I-00000342U NetworkManager[996]: loading named conns: 60aa7e6b-c31f-4ce1-abe5-5b7695c44209 Mar 26 21:48:31 I-00000342U NetworkManager[996]: seeking_src=1, seeking_gateway = 1, has_peer = 1 Mar 26 21:48:31 I-00000342U NetworkManager[996]: seeking_src=0, seeking_gateway = 1, has_dst = 1 Mar 26 21:48:31 I-00000342U NetworkManager[996]: dst via 192.168.133.1 dev wlp4s0 src table 254 Mar 26 21:48:31 I-00000342U NetworkManager[996]: set nexthop: 192.168.133.1 Mar 26 21:48:31 I-00000342U NetworkManager[996]: dst 169.254.0.0 via dev wlp4s0 src table 254 Mar 26 21:48:31 I-00000342U NetworkManager[996]: dst 172.16.7.0 via dev vmnet8 src 172.16.7.1 table 254 Mar 26 21:48:31 I-00000342U NetworkManager[996]: dst 172.16.98.0 via dev vmnet1 src 172.16.98.1 table 254 Mar 26 21:48:31 I-00000342U NetworkManager[996]: dst 192.168.133.0 via dev wlp4s0 src 192.168.133.24 table 254 Mar 26 21:48:31 I-00000342U NetworkManager[996]: dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored) Mar 26 21:48:31 I-00000342U NetworkManager[996]: dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored) Mar 26 21:48:31 I-00000342U NetworkManager[996]: dst 127.0.0.1 via dev lo src 127.0.0.1 table 255 (ignored) Mar 26 21:48:31 I-00000342U NetworkManager[996]: dst 127.255.255.255 via dev lo src 127.0.0.1 table 255 (ignored) Mar 26 21:48:31 I-00000342U NetworkManager[996]: dst 172.16.7.0 via dev vmnet8 src 172.16.7.1 table 255 (ignored) Mar 26 21:48:31 I-00000342U NetworkManager[996]: dst 172.16.7.1 via dev vmnet8 src 172.16.7.1 table 255 (ignored) Mar 26 21:48:31 I-00000342U NetworkManager[996]: dst 172.16.7.255 via dev vmnet8 src 172.16.7.1 table 255 (ignored) Mar 26 21:48:31 I-00000342U NetworkManager[996]: dst 172.16.98.0 via dev vmnet1 src 172.16.98.1 table 255 (ignored) Mar 26 21:48:31 I-00000342U NetworkManager[996]: dst 172.16.98.1 via dev vmnet1 src 172.16.98.1 table 255 (ignored) Mar 26 21:48:31 I-00000342U NetworkManager[996]: dst 172.16.98.255 via dev vmnet1 src 172.16.98.1 table 255 (ignored) Mar 26 21:48:31 I-00000342U NetworkManager[996]: dst 192.168.133.0 via dev wlp4s0 src 192.168.133.24 table 255 (ignored) Mar 26 21:48:31 I-00000342U NetworkManager[996]: dst 192.168.133.24 via dev wlp4s0 src 192.168.133.24 table 255 (ignored) Mar 26 21:48:31 I-00000342U NetworkManager[996]: dst 192.168.133.255 via dev wlp4s0 src 192.168.133.24 table 255 (ignored) Mar 26 21:48:31 I-00000342U NetworkManager[996]: seeking_src=1, seeking_gateway = 0, has_peer = 1 Mar 26 21:48:31 I-00000342U NetworkManager[996]: seeking_src=1, seeking_gateway = 0, has_dst = 1 Mar 26 21:48:31 I-00000342U NetworkManager[996]: dst 192.168.133.1 via dev wlp4s0 src 192.168.133.24 table 254 Mar 26 21:48:31 I-00000342U NetworkManager[996]: set addr: 192.168.133.24 Mar 26 21:48:31 I-00000342U NetworkManager[996]: seeking_src=0, seeking_gateway = 0, has_peer = 1 Mar 26 21:48:31 I-00000342U NetworkManager[996]: 002 "60aa7e6b-c31f-4ce1-abe5-5b7695c44209" #1: initiating Main Mode Mar 26 21:48:31 I-00000342U NetworkManager[996]: 104 "60aa7e6b-c31f-4ce1-abe5-5b7695c44209" #1: STATE_MAIN_I1: initiate Mar 26 21:48:31 I-00000342U NetworkManager[996]: 106 "60aa7e6b-c31f-4ce1-abe5-5b7695c44209" #1: STATE_MAIN_I2: sent MI2, expecting MR2 Mar 26 21:48:31 I-00000342U NetworkManager[996]: 108 "60aa7e6b-c31f-4ce1-abe5-5b7695c44209" #1: STATE_MAIN_I3: sent MI3, expecting MR3 Mar 26 21:48:31 I-00000342U NetworkManager[996]: 002 "60aa7e6b-c31f-4ce1-abe5-5b7695c44209" #1: Peer ID is ID_IPV4_ADDR: '1.2.3.4' Mar 26 21:48:31 I-00000342U NetworkManager[996]: 004 "60aa7e6b-c31f-4ce1-abe5-5b7695c44209" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_128 integ=sha group=MODP1536} Mar 26 21:48:31 I-00000342U NetworkManager[996]: 002 "60aa7e6b-c31f-4ce1-abe5-5b7695c44209" #2: initiating Quick Mode PSK+ENCRYPT+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:fa1d1722 proposal=defaults pfsgroup=no-pfs} Mar 26 21:48:31 I-00000342U NetworkManager[996]: 117 "60aa7e6b-c31f-4ce1-abe5-5b7695c44209" #2: STATE_QUICK_I1: initiate Mar 26 21:48:31 I-00000342U NetworkManager[996]: 010 "60aa7e6b-c31f-4ce1-abe5-5b7695c44209" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response Mar 26 21:48:32 I-00000342U libipsecconf[9785]: warning: could not open include filename: '/etc/ipsec.d/*.conf' Mar 26 21:48:32 I-00000342U NetworkManager[996]: 010 "60aa7e6b-c31f-4ce1-abe5-5b7695c44209" #2: STATE_QUICK_I1: retransmission; will wait 1 seconds for response Mar 26 21:48:33 I-00000342U NetworkManager[996]: 010 "60aa7e6b-c31f-4ce1-abe5-5b7695c44209" #2: STATE_QUICK_I1: retransmission; will wait 2 seconds for response Mar 26 21:48:35 I-00000342U NetworkManager[996]: 010 "60aa7e6b-c31f-4ce1-abe5-5b7695c44209" #2: STATE_QUICK_I1: retransmission; will wait 4 seconds for response Mar 26 21:48:39 I-00000342U NetworkManager[996]: 010 "60aa7e6b-c31f-4ce1-abe5-5b7695c44209" #2: STATE_QUICK_I1: retransmission; will wait 8 seconds for response Mar 26 21:48:41 I-00000342U nm-l2tp-service[9153]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed Mar 26 21:48:41 I-00000342U NetworkManager[996]: <info> [1553633321.2615] vpn-connection[0x556d610801e0,60aa7e6b-c31f-4ce1-abe5-5b7695c44209,"VPN_GW",0]: VPN plugin: state changed: stopped (6) Mar 26 21:48:41 I-00000342U NetworkManager[996]: <info> [1553633321.2717] vpn-connection[0x556d610801e0,60aa7e6b-c31f-4ce1-abe5-5b7695c44209,"VPN_GW",0]: VPN service disappeared Mar 26 21:48:41 I-00000342U dbus-daemon[2028]: [session uid=591804607 pid=2028] Activating service name='org.freedesktop.Notifications' requested by ':1.33' (uid=591804607 pid=2365 comm="nm-applet " label="unconfined") Mar 26 21:48:41 I-00000342U NetworkManager[996]: <warn> [1553633321.2774] vpn-connection[0x556d610801e0,60aa7e6b-c31f-4ce1-abe5-5b7695c44209,"VPN_GW",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying' Mar 26 21:48:41 I-00000342U dbus-daemon[2028]: [session uid=591804607 pid=2028] Successfully activated service 'org.freedesktop.Notifications'Has anyone any idea why L2TP over IPSec works so easy with IOS and Adroid devices and not with a Linux client?Hopefully someone of you has a solution for this. BRRené
D_W
D_W inside Remote Access Solutions a week ago
views 184

iOS 13.x Capsule Connect Certificate

Hi all,we use Intune Azure to Roll Out Capsule Connect on iOS Devices. The App is configured as Per-App VPN and authentication via user certificate. Certificate rolled out by SCEP. This works so far!Now we want to change the Roll Out of the Capsule Connect App via the Apple Volume Purchase Program but when we do this the Capsule App cannot see the certificate.Tested on iOS 13.2 and 13.1.2. Checkpoint Capsule Connect Version: 1.600.48Is someone having the same issue or any idea to solve it?Cheers,David 
Ricardo_Gros
Ricardo_Gros inside Remote Access Solutions a week ago
views 280 2

Endpoint Vpn Location awareness

Hi, We have stumbled upon a small issue and we would like your opinion on a possible solution So we have a client behind a site 2 site tunnel. The client has Location awareness active and is always building the VPN directly to its VPN gateway, as the connection goes over the external link it is always detected as Outside.How do we make the Client understand that he is actually internal and should use the Site 2 site tunnel and does not need to build up the client VPN? The option Domain controller and Network Group is not acceptable, the first does not work as intended and the 2 could lead to other issues, are there any quick solutions for this? 
Ted_Serreyn
Ted_Serreyn inside Remote Access Solutions 2 weeks ago
views 438 12

Mobile access portal with Office 365

Does anyone have r80.20 or later working with office 365? In particular I am interested in the following: Capsule Mobile access to office365 on IOS.Mobile access link to OWA in SSL portal.native mail access in SSL portal. Currently I have apps configured, but they are not working and no error logs are currently being generated.