Hi Team,

I was trying to establish IPsec functionality between WRLinux (strongswan 4.1.4) and Fedora (strongswan 4.6.2) but was unsuccessful.

Initially I had a problem with SPI allocation from the kernel, and then I loaded netlink-socket in the charon section of the strongswan.conf file.

Please find the console logs and configuration listings below, and let me know if I am missing something.

Console log in Fedora:

[root@localhost ~]# ipsec up host-host
initiating IKE_SA host-host[1] to 10.10.10.61
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.10.10.200[500] to 10.10.10.61[500]
retransmit 1 of request with message ID 0
sending packet: from 10.10.10.200[500] to 10.10.10.61[500]
retransmit 2 of request with message ID 0
sending packet: from 10.10.10.200[500] to 10.10.10.61[500]
retransmit 3 of request with message ID 0
sending packet: from 10.10.10.200[500] to 10.10.10.61[500]
retransmit 4 of request with message ID 0
sending packet: from 10.10.10.200[500] to 10.10.10.61[500]
retransmit 5 of request with message ID 0
sending packet: from 10.10.10.200[500] to 10.10.10.61[500]
giving up after 5 retransmits
establishing IKE_SA failed, peer not responding
[root@localhost ~]# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.6.3):
 uptime: 56 minutes, since Jul 12 19:15:08 2012
 malloc: sbrk 233472, mmap 0, used 122656, free 110816
 worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
 loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-raw stroke updown
Listening IP addresses:
 192.168.100.4
 10.10.10.200
Connections:
 host-host: 10.10.10.200...10.10.10.61
 host-host: local: [10.10.10.200] uses pre-shared key authentication
 host-host: remote: [10.10.10.61] uses pre-shared key authentication
 host-host: child: dynamic === dynamic TRANSPORT
 net-net: child: dynamic === dynamic TUNNEL
 benu: child: dynamic === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
 none

ipsec.conf file:

config setup
    plutostart=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2
    mobike=no

conn host-host
    left=10.10.10.200
    leftauth=psk
    leftfirewall=yes
    right=10.10.10.61
    rightauth=psk
    type=transport
    auto=add

conn net-net
    left=10.10.10.200
    leftauth=psk
    leftfirewall=yes
    right=10.10.10.61
    rightauth=psk
    type=tunnel
    auto=add

conn benu
    left=10.10.10.200
    leftauth=psk
    leftfirewall=yes
    right=10.10.10.61
    rightauth=psk
    type=tunnel
    auto=add

ipsec.secrets:

# /etc/ipsec.secrets - strongSwan IPsec secrets file

#@moon.strongswan.org @sun.strongswan.org : PSK "hanjuruddevkdonr"
#: RSA moonKey.pem
: PSK "strongSwan"

strongswan.conf:

# strongswan.conf - strongSwan configuration file

charon {

    # number of worker threads in charon
    #threads = 16

    # send strongswan vendor ID?
    # send_vendor_id = yes
    #hash_and_url = yes
    #load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
    #multiple_authentication = no
    #load = curl aes des sha1 sha2 md5 pem pkcs1

    # plugins {

    #   sql {
    #       # loglevel to log into sql database
    #       loglevel = -1
    #
    #       # URI to the database
    #       # database = sqlite:///path/to/file.db
    #       database = mysql://user:password@localhost/database
    #   }
    # }

    # ...
}

Console log on Wind River Linux:

root@benu_msm-wrlinux:/root> ipsec start
Starting strongSwan 4.4.0 IPsec [starter]...
insmod /lib/modules/2.6.34.12-grsec-WR4.3.0.0_cgl/kernel/net/key/af_key.ko
root@benu_msm-wrlinux:/root> ipsec up host-host
initiating IKE_SA host-host[1] to 10.10.10.200
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.10.10.61[500] to 10.10.10.200[500]
retransmit 1 of request with message ID 0
sending packet: from 10.10.10.61[500] to 10.10.10.200[500]
retransmit 2 of request with message ID 0
sending packet: from 10.10.10.61[500] to 10.10.10.200[500]
retransmit 3 of request with message ID 0
sending packet: from 10.10.10.61[500] to 10.10.10.200[500]
retransmit 4 of request with message ID 0
sending packet: from 10.10.10.61[500] to 10.10.10.200[500]
retransmit 5 of request with message ID 0
sending packet: from 10.10.10.61[500] to 10.10.10.200[500]
giving up after 5 retransmits
establishing IKE_SA failed, peer not responding
root@benu_msm-wrlinux:/root> ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.4.0):
 uptime: 58 minutes, since Jul 12 23:58:24 2012
 worker threads: 10 idle of 16, job queue load: 0, scheduled events: 0
 loaded plugins: aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink updown
Listening IP addresses:
 10.10.10.61
Connections:
 host-host: 10.10.10.61...10.10.10.200
 host-host: local: [10.10.10.61] uses pre-shared key authentication
 host-host: remote: [10.10.10.200] uses pre-shared key authentication
 host-host: child: dynamic === dynamic
 net-net: child: dynamic === dynamic
 benu: child: dynamic === dynamic
Security Associations:
 none

ipsec.conf file:

config setup
    plutostart=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2
    mobike=no

conn host-host
    left=10.10.10.61
    leftauth=psk
    leftfirewall=yes
    right=10.10.10.200
    rightauth=psk
    type=transport
    auto=add

conn net-net
    left=10.10.10.61
    leftauth=psk
    leftfirewall=yes
    right=10.10.10.200
    rightauth=psk
    type=tunnel
    auto=add

conn benu
    left=10.10.10.61
    leftauth=psk
    leftfirewall=yes
    right=10.10.10.200
    rightauth=psk
    type=tunnel
    auto=add

ipsec.secrets:

# /etc/ipsec.secrets - strongSwan IPsec secrets file

#@moon.strongswan.org @sun.strongswan.org : PSK "hanjuruddevkdonr"
#: RSA moonKey.pem
: PSK "strongSwan"

strongswan.conf:

# strongswan.conf - strongSwan configuration file

charon {

    # number of worker threads in charon
    #threads = 16

    # plugins to load in charon
    load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown

    #plugins {

    #   sql {
    #       # loglevel to log into sql database
    #       loglevel = -1
    #
    #       # URI to the database
    #       # database = sqlite:///path/to/file.db
    #       database = mysql://user:password@localhost/database
    #   }
    #}

    # ...
}

pluto {

    # plugins to load in pluto
    # load = aes des sha1 md5 sha2 hmac gmp random pubkey

}

libstrongswan {

    # set to no, the DH exponent size is optimized
    # dh_exponent_ansi_x9_42 = no

}


Thanks,
KC
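When both peers give up on IKE_SA_INIT with "peer not responding", one routine check is that each peer's conn is the mirror image of the other's (left on one host is right on the other) and that the settings both sides must share agree. The Python below is an added example, not part of KC's post or of strongSwan itself: it parses the minimal ipsec.conf syntax (unindented section headers, indented key=value parameters, as starter expects) and runs that mirror check over the two host-host conns as posted.

```python
# Added example (not from the post): check that a conn in two strongSwan
# ipsec.conf files is the mirror image of itself on the other peer.
def parse_ipsec_conf(text: str) -> dict:
    """Parse ipsec.conf into {"conn NAME": {key: value}}, folding in conn %default."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # '#' starts a comment
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented: section header
            current = " ".join(line.split())      # e.g. "conn host-host"
            sections.setdefault(current, {})
        elif current is not None:                 # indented: key=value parameter
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    defaults = sections.get("conn %default", {})
    return {name: ({**defaults, **params} if name.startswith("conn ") else params)
            for name, params in sections.items()}

def mirror_mismatches(conf_a: str, conf_b: str, conn: str) -> list:
    """Return mismatches between peer A's and peer B's view of `conn`; empty means OK."""
    a = parse_ipsec_conf(conf_a)[f"conn {conn}"]
    b = parse_ipsec_conf(conf_b)[f"conn {conn}"]
    problems = []
    # left on one peer must equal right on the other (and the same for *auth)
    for mine, theirs in (("left", "right"), ("right", "left"),
                         ("leftauth", "rightauth"), ("rightauth", "leftauth")):
        if a.get(mine) != b.get(theirs):
            problems.append(f"A {mine}={a.get(mine)!r} vs B {theirs}={b.get(theirs)!r}")
    for key in ("type", "keyexchange", "authby"):  # must agree outright
        if a.get(key) != b.get(key):
            problems.append(f"A {key}={a.get(key)!r} vs B {key}={b.get(key)!r}")
    return problems

# Constructed sample input: the host-host conn as posted on each peer, plus inherited %default.
CONF_TEMPLATE = """\
conn %default
    authby=secret
    keyexchange=ikev2
conn host-host
    left={left}
    leftauth=psk
    right={right}
    rightauth=psk
    type=transport
"""
FEDORA_CONF = CONF_TEMPLATE.format(left="10.10.10.200", right="10.10.10.61")
WRL_CONF = CONF_TEMPLATE.format(left="10.10.10.61", right="10.10.10.200")
```

For the two configurations as posted the check returns an empty list, so a mis-mirrored conn is not what this pair of files shows; the same function reports the offending keys if one side is later edited to a different type or address.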