[strongSwan] interop between FREES/WAN and racoon2;

Andreas Steffen andreas.steffen at strongswan.org
Fri Oct 22 13:51:17 CEST 2010


Hello,

please post your problem on the Openswan mailing list.

Kind regards

Andreas

On 22.10.2010 13:13, Yatong Cui wrote:
> Dear,
> 
> Currently my racoon2 can already interop with strongSwan, and
> later when I tried the Openswan interop, it seems there are still some
> wrong configurations. I hope you could guide me to solve this problem.
> 
> Here is the info.
> 
> Topology:
> =========
> I've replaced the strongswan with the openswan.
> 
> CONFIG:
> =========
> Racoon2:
> --------
> Essentially the same configuration (change the address accordingly)
> 
> Openswan:
> ----------
> [root@TAR-EN1 ~]# cat /etc/ipsec.conf
> config setup
>         crlcheckinterval="180"
>         strictcrlpolicy=no
>         protostack=netkey
>         plutodebug=all
> 
> conn %default
>         keyingtries=1
>         ike=3des-sha1;modp1024
>         phase2alg=3des-sha1
>         authby=secret
>         ikev2=yes
>         rekey=yes
> 
> conn TAHI
>         connaddrfamily=ipv6
>         type=transport
>         left=2001:db8:1:2:20c:29ff:fe0c:3ed1
>         right=2001:db8:1:1:20c:29ff:fe4d:489
>         leftid=2001:db8:1:2:20c:29ff:fe0c:3ed1
>         rightid=2001:db8:1:1:20c:29ff:fe4d:489
>         compress=no
>         auto=add
> [root@TAR-EN1 ~]# cat /etc/ipsec.secrets
> include /etc/ipsec.d/*.secrets
> [root@TAR-EN1 ~]# cat /etc/ipsec.d/tahi.secrets
> : PSK "IKETEST123!"
> 
> Logging Messages
> ====================
> 1 OPENSWAN as the initiator
> 
> Log On Openswan:
> [root@TAR-EN1 ~]# ipsec auto --up TAHI
> no default routes detected
> 133 "TAHI" #1: STATE_PARENT_I1: initiate
> 133 "TAHI" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
> 134 "TAHI" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=oakley_sha group=modp1024}
> 004 "TAHI" #2: STATE_PARENT_I3: PARENT SA established transport mode {ESP=>0x00e9b46a <0xd25e4b1e xfrm=3DES_192-HMAC_SHA1 NATOA=none NATD=none DPD=none}
> 
> Log on Racoon2:
> 2010-10-22 19:08:06 [DEBUG]: script.c:317:ikev2_script_hook(): no hook script defined
> ----------------------------------------------------------------------
> 
> The log seems to show no problem, yet the ping isn't successful.
> 
> 
> 
> 2 Racoon2 as the initiator
> ----------------------------------------------------------------------
> 
> Log on Racoon2:
> 2010-10-22 19:10:12 [PROTO_ERR]: ikev2_child.c:1441:ikev2_update_child(): 1:2001:db8:1:1:20c:29ff:fe4d:489[500] - 2001:db8:1:2:20c:29ff:fe0c:3ed1[500]:0x0:mode mismatch: peer tunnel mine transport
> 2010-10-22 19:10:12 [DEBUG]: ike_pfkey.c:392:sadb_responder_error(): sadb_responder_error: seq=1, satype=96, spi=0x00000000, errno=61
> 2010-10-22 19:10:12 [DEBUG]: ikev2_child.c:139:ikev2_child_state_set(): child_sa 0x28451500 state WAIT_RESPONSE -> EXPIRED
> 2010-10-22 19:10:12 [DEBUG]: ike_sa.c:552:ikev2_sa_start_lifetime_timer(): lifetime: 86400
> 2010-10-22 19:10:12 [DEBUG]: ike_sa.c:562:ikev2_sa_start_lifetime_timer(): lifetime_soft: 74726
> 2010-10-22 19:10:12 [DEBUG]: ike_sa.c:817:ikev2_sa_start_polling_timer(): dpd polling interval 3600
> 2010-10-22 19:10:12 [DEBUG]: script.c:317:ikev2_script_hook(): no hook script defined
> 2010-10-22 19:10:15 [DEBUG]: ike_sa.c:225:ikev2_sa_periodic_task(): ike_sa: 0x28458180 state 6
> 2010-10-22 19:10:15 [DEBUG]: ike_sa.c:230:ikev2_sa_periodic_task(): child_sa: 0x28451500 state 5
> 2010-10-22 19:10:15 [DEBUG]: ike_sa.c:234:ikev2_sa_periodic_task(): deallocating child_sa 0x28451500
> 2010-10-22 19:10:15 [DEBUG]: ike_pfkey.c:255:sadb_request_finish(): 0x28451518
> 2010-10-22 19:10:15 [DEBUG]: ike_sa.c:248:ikev2_sa_periodic_task(): launching grace period 0x28458180
> ----------------------------------------------------------------------
> 
> The log says I've chosen the wrong mode on Openswan, yet I've set the
> mode to be transport.
> 
> Thanks
> Frank

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
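
A small triage helper for racoon2 logs in the form quoted above, as an added example that is not part of the original thread or of racoon2 itself: it re-splits entries that mail wrapping has run together and reports each `mode mismatch` with the child SA state changes logged after it. The function names and the sample are constructed for this example, and the entry layout is assumed from the quoted log lines.

```python
import re

# Header of one racoon2 entry: "DATE TIME [LEVEL]: file.c:LINE:function():"
HEADER = re.compile(
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\]: (\S+\.c):(\d+):(\w+)\(\):")
MISMATCH = re.compile(r"mode mismatch: peer (\w+) mine (\w+)")
TRANSITION = re.compile(r"child_sa (0x[0-9a-f]+) state (\w+) -> (\w+)")

# Constructed sample: three entries in the quoted, re-wrapped form of the log.
SAMPLE = """\
> 2010-10-22 19:10:12 [PROTO_ERR]:
> ikev2_child.c:1441:ikev2_update_child():
> 1:2001:db8:1:1:20c:29ff:fe4d:489[500] -
> 2001:db8:1:2:20c:29ff:fe0c:3ed1[500]:0x0:mode mismatch: peer tunnel
> mine transport 2010-10-22 19:10:12 [DEBUG]:
> ikev2_child.c:139:ikev2_child_state_set(): child_sa 0x28451500 state
> WAIT_RESPONSE -> EXPIRED 2010-10-22 19:10:12 [DEBUG]:
> ike_sa.c:552:ikev2_sa_start_lifetime_timer(): lifetime: 86400
"""


def split_entries(text):
    """Split racoon2 output into entries even when wrapping joined them."""
    # Drop "> " quote markers, then collapse whitespace so wrapped entries rejoin.
    flat = " ".join(re.sub(r"^>+ ?", "", ln) for ln in text.splitlines())
    flat = re.sub(r"\s+", " ", flat)
    heads = list(HEADER.finditer(flat))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(flat)
        ts, level, src, line, func = m.groups()
        entries.append({"time": ts, "level": level, "where": f"{src}:{line}",
                        "func": func, "msg": flat[m.end():end].strip()})
    return entries


def triage(text):
    """Return each mode mismatch with the child SA transitions logged after it."""
    findings = []
    for e in split_entries(text):
        mm, tr = MISMATCH.search(e["msg"]), TRANSITION.search(e["msg"])
        if mm:
            findings.append({"time": e["time"], "peer": mm.group(1),
                             "mine": mm.group(2), "child_sa": []})
        elif tr and findings:
            findings[-1]["child_sa"].append(tr.groups())
    return findings
```

Calling `triage(SAMPLE)` yields one finding: peer `tunnel`, mine `transport`, followed by the child SA moving from `WAIT_RESPONSE` to `EXPIRED`.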



