[strongSwan] Fwd: no ike packets being generated
neil payne
payne.neil at gmail.com
Tue Apr 26 18:23:10 CEST 2011
Begin forwarded message:
> From: neil payne <payne.neil at gmail.com>
> Date: 26 April 2011 15:40:03 GMT+01:00
> To: Andreas Steffen <andreas.steffen at strongswan.org>
> Cc: Alan Parkinson <alan.parkinson at arcticlake.com>
> Subject: Re: no ike packets being generated
>
>
> Hi Andreas,
> We reverted to v4.3.2 but the 'up' command still doesn't recognize the net-net connection:
>
> ubuntu at ip-10-5-51-61:~$ sudo ipsec --version
> sudo: unable to resolve host ip-10-5-51-61
> Linux strongSwan U4.3.2/K2.6.32-312-ec2
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil, Switzerland
> See 'ipsec --copyright' for copyright information.
> ubuntu at ip-10-5-51-61:~$
> ubuntu at ip-10-5-51-61:~$
> ubuntu at ip-10-5-51-61:~$
> ubuntu at ip-10-5-51-61:~$ sudo ipsec up net-net
> sudo: unable to resolve host ip-10-5-51-61
> 021 no connection named "net-net"
> ubuntu at ip-10-5-51-61:~$
> ubuntu at ip-10-5-51-61:~$
> ubuntu at ip-10-5-51-61:~$
> ubuntu at ip-10-5-51-61:~$ sudo ipsec statusall !!!!!!!!! this has the appearance of the later version's statusall output rather than v4.3.2 !!!!!!!!
> sudo: unable to resolve host ip-10-5-51-61
> 000 Status of IKEv1 pluto daemon (strongSwan 4.3.2):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth0/eth0 10.5.51.61:500
> 000 interface dummy0/dummy0 46.51.193.145:500
> 000 %myid = (none)
> 000 loaded plugins: aes des sha1 sha2 md5 random pubkey hmac gmp
> 000 debug options: none
> 000
> Status of IKEv2 charon daemon (strongSwan 4.3.2):
> uptime: 4 minutes, since Apr 26 14:28:12 2011
> worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
> loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink stroke updown attr resolv-conf
> Listening IP addresses:
> 10.5.51.61
> 46.51.193.145
> Connections:
> Security Associations:
> none
>
> On 21 Apr 2011, at 13:25, neil payne wrote:
>
>>
>> Hi Andreas,
>> We're now running version 4.5.1 on the leftfirewall (downgraded from the one below). We are using the same config files as the ones I sent last night but on the left firewall it doesn't recognize the net-net connection:
>>
>> ubuntu at ip-10-5-51-61:/etc$ sudo ipsec --version
>> sudo: unable to resolve host ip-10-5-51-61
>> Linux strongSwan U4.5.1/K2.6.32-312-ec2
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil, Switzerland
>> See 'ipsec --copyright' for copyright information.
>> ubuntu at ip-10-5-51-61:/etc$
>> ubuntu at ip-10-5-51-61:/etc$
>> ubuntu at ip-10-5-51-61:/etc$
>> ubuntu at ip-10-5-51-61:/etc$
>> ubuntu at ip-10-5-51-61:/etc$ sudo ipsec up net-net
>> sudo: unable to resolve host ip-10-5-51-61
>> 021 no connection named "net-net"
>> ubuntu at ip-10-5-51-61:/etc$
>>
>>
>> If I use ipsec up net-net on the rightfirewall running 4.3.2 it does generate IKE packets which reach the leftfirewall but the left firewall doesn't recognize it and logs:
>>
>> Apr 21 12:10:15 ip-10-5-51-61 pluto[16057]: packet from 50.56.121.20:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>> Apr 21 12:10:15 ip-10-5-51-61 pluto[16057]: packet from 50.56.121.20:500: initial Main Mode message received on 10.5.51.61:500 but no connection has been authorized with policy=PSK
>>
>> Regards,
>> Neil.
>>
>> On 20 Apr 2011, at 22:43, neil payne wrote:
>>
>>> Hi Andreas,
>>> No!
>>> In fact I didn't know this was the ignition key.
>>> Unfortunately my colleague upgraded to strongSwan 4.5.2dr5 on my prompting on one of the firewalls and now ipsec won't start; I get the following messages in auth.log:
>>>
>>> Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec)
>>> Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started
>>> Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: charon has died -- restart scheduled (5sec)
>>> Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: charon refused to be started
>>> Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec)
>>> Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started
>>> Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: charon has died -- restart scheduled (5sec)
>>> Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: charon refused to be started
>>> Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec)
>>> Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started
>>> Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: charon has died -- restart scheduled (5sec)
>>> Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: charon refused to be started
>>> Apr 20 21:32:21 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec)
>>> Apr 20 21:32:21 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started
>>>
>>> I fear that we didn't need this upgrade and my configs may have worked with the standard release if I'd known about this start command.
>>> Would you recommend uninstalling this release or are the errors recoverable?
>>> Thank you very much for your time and attention.
>>> Regards,
>>> Neil.
>>>
>>>
>>> On 20 Apr 2011, at 20:43, Andreas Steffen wrote:
>>>
>>>> Hi Neil,
>>>>
>>>> are you starting the connection explicitly with
>>>>
>>>> ipsec up net-net
>>>>
>>>> on one of the two peers?
>>>>
>>>> Regards
>>>>
>>>> Andreas
>>>>
>>>> On 20.04.2011 19:56, neil payne wrote:
>>>>> Hi Andreas, I amended my syntax on ipsec.secrets as you suggested
>>>>> (may be change crypto algos later) but I still see no IKE packets
>>>>> generated by the firewall on either side when I try and ping the
>>>>> remote encryption domain. Is my config missing something? I don't
>>>>> know how I'm going wrong here, but surely something fundamental is
>>>>> missing; I cannot tell, as I've followed the available documentation
>>>>> as best as I can. I'm getting desperate for a solution now.
>>>>>
>>>>> Thanks, Neil
>>>>
>>>> ======================================================================
>>>> Andreas Steffen andreas.steffen at strongswan.org
>>>> strongSwan - the Linux VPN Solution! www.strongswan.org
>>>> Institute for Internet Technologies and Applications
>>>> University of Applied Sciences Rapperswil
>>>> CH-8640 Rapperswil (Switzerland)
>>>> ===========================================================[ITA-HSR]==
>>>
>>
>
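The thread's symptom is `021 no connection named "net-net"` together with an empty `Connections:` list in `ipsec statusall`, which means the starter never loaded the conn from ipsec.conf. The checker below is an added example, not code from the thread or from strongSwan: it parses an ipsec.conf the way the starter expects it (section headers such as `conn net-net` in column 0, parameters indented beneath them) and reports the two layout causes that produce this message, a conn section that is missing or broken by an unindented line, and a conn left at the default `auto=ignore`. The sample configs and addresses are constructed.

```python
import re
# Section headers ("conn net-net") start in column 0; parameters must be indented.
SECTION_RE = re.compile(r'^(config|conn|ca)\s+(\S+)\s*$')

def parse_ipsec_conf(text):
    """Return ({"conn name": {param: value}}, [layout problems])."""
    sections, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        header = SECTION_RE.match(line)
        if header:
            current = f'{header.group(1)} {header.group(2)}'
            sections[current] = {}
        elif not line[0].isspace():                   # key=value in column 0
            problems.append(f'line {lineno}: parameter not indented: {line!r}')
            current = None                            # the section ended here
        elif current is None:
            problems.append(f'line {lineno}: parameter outside any section: {line.strip()!r}')
        elif '=' not in line:
            problems.append(f'line {lineno}: not key=value: {line.strip()!r}')
        else:
            key, value = (part.strip() for part in line.split('=', 1))
            sections[current][key] = value
    return sections, problems

def explain_missing_conn(text, name):
    """Reasons why `ipsec up <name>` would answer 'no connection named';
    an empty list means the conn exists and the starter would load it."""
    sections, reasons = parse_ipsec_conf(text)
    conn = sections.get(f'conn {name}')
    if conn is None:
        defined = [s[5:] for s in sections if s.startswith('conn ') and s != 'conn %default']
        reasons.append(f'no "conn {name}" section; conns defined: {defined or "none"}')
        return reasons
    auto = conn.get('auto', sections.get('conn %default', {}).get('auto', 'ignore'))
    if auto == 'ignore':
        reasons.append(f'conn {name} has auto=ignore (the default) and is never loaded; use auto=add or auto=start')
    return reasons

# Constructed sample (documentation addresses): "left=" is not indented, so the net-net
# section ends right after its header and the remaining parameters are orphaned.
SAMPLE_BROKEN = """\
conn net-net
left=192.0.2.1
        leftsubnet=10.1.0.0/16
        right=198.51.100.1
        auto=start
"""
SAMPLE_OK = SAMPLE_BROKEN.replace('\nleft=', '\n        left=')   # every parameter indented
```

Run `explain_missing_conn(open('/etc/ipsec.conf').read(), 'net-net')` on the real file; an empty result means the remaining suspects are outside the file (wrong path, permissions, or the daemon not rereading it).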
-------------- next part --------------
A non-text attachment was scrubbed...
Name: leftfirewall2-ipsec.conf.rtf
Type: text/rtf
Size: 1022 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110426/1531bc7b/attachment.bin>