[strongSwan] Fwd: Questions for getting Strongswan up and running

Brian Watson bwats9999 at gmail.com
Wed May 7 17:42:21 CEST 2014


Does anyone know why, when I try to log to a log file either in /var/log or
my home folder, I get permission denied? This is what I'm seeing in
syslog. I'm running "sudo ipsec start" so I thought that it would have the
correct permissions to write the log file.

Thanks,
   Brian

---------- Forwarded message ----------
From: Brian Watson <bwats9999 at gmail.com>
Date: Wed, May 7, 2014 at 8:20 AM
Subject: Re: [strongSwan] Questions for getting Strongswan up and running
To: Noel Kuntze <noel at familie-kuntze.de>


I had been using openssl, but I'll install libgmp also.


On Tue, May 6, 2014 at 5:41 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Did you install libgmp already? You need that for the DH exchange. As a
> replacement, you could also use openssl, but you need to replace gmp with
> openssl in the load statement.
>
> On 07.05.2014 00:26, Brian Watson wrote:
> > If I do "sudo ipsec start" again it says that it's already running. I then do "sudo ipsec up home" and that's when I get the NO_PROPOSAL_CHOSEN error that I'm trying to debug. I'll be leaving soon, but will check for syntax errors. Thanks for all your help! This is interesting.
> >
> >
> > On Tue, May 6, 2014 at 5:13 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> > Okay, that should be fairly recent. Check your strongswan.conf for syntax errors. Does strongswan run after you started it or does it stop itself?
> >
> > On 07.05.2014 00:06, Brian Watson wrote:
> > > I do the following:
> >
> > > 1. sudo ipsec start (so yes it's running as root)
> > > 2. It says the following:
> > > !! Your strongswan.conf contains manual plugin load options for charon.
> > > !! This is recommended for experts only, see
> > > !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> > > 3. The log file doesn't get created.
> > > 4. Version - U5.1.2/K3.13.0-24-generic
> >
> >
> > > On Tue, May 6, 2014 at 4:50 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> > > Okay, as what user is strongSwan running? Is it as root?
> > > Does the file get created?
> > > What does ipsec say when you start strongSwan?
> > > What version of strongSwan are you using?
> >
> >
> > > On 06.05.2014 23:49, Brian Watson wrote:
> > > > Yes, I just checked and the extra curly brace is there even though I didn't include it in the email. I also changed append=no to yes to see if that would have an effect, but it didn't.
> >
> >
> > > > On Tue, May 6, 2014 at 4:32 PM, Brian Watson <bwats9999 at gmail.com> wrote:
> >
> > > >     I've been trying to get the log file to work, but something isn't quite right. I have the following info in my strongswan.conf file:
> >
> > > >     charon {
> > > >         load = aes des sha1 sha2 md5 openssl random nonce hmac stroke kernel-netlink socket-default updown
> > > >         send_vendor_id=yes
> > > >         # two defined file loggers
> > > >         filelog {
> > > >             /var/log/charon.log {
> > > >                 # add a timestamp prefix
> > > >                 time_format = %b %e %T
> > > >                 # prepend connection name, simplifies grepping
> > > >                 ike_name = yes
> > > >                 # overwrite existing files
> > > >                 append = no
> > > >                 # increase default loglevel for all daemon subsystems
> > > >                 default = 2
> > > >                 # flush each line to disk
> > > >                 flush_line = yes
> > > >             }
> > > >             stderr {
> > > >                 # more detailed loglevel for a specific subsystem,
> > > >                 # overriding the default loglevel.
> > > >                 ike = 2
> > > >                 knl = 3
> > > >             }
> > > >         }
> >
> > > >     I'm also trying different variations like changing the name and location of the log file and I also tried to use stdout, but nothing happening. Any ideas?
> >
> > > >     Thanks,
> > > >        Brian
> >
> >
> > > >     On Tue, May 6, 2014 at 10:59 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> > > > Hello Brian,
> >
> > > > The two peers couldn't negotiate a shared cipher-hmac-modp 3-tuple in phase one.
> > > > I advise setting up logging to a file [1] and looking for the cipher proposal the two peers send each other and adjusting them with the "ike=" parameter in the connection section.
> > > > Be advised that you cannot simply copy and paste the proposal into ipsec.conf. Look for the fitting description of the tuple in the example configurations [2].
> > > > Also, read the manpage about the "ike" parameter.
> >
> > > > [1] http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
> > > > [2] http://www.strongswan.org/uml/testresults/all.html
> >
> > > > Regards,
> > > > Noel Kuntze
> >
> > > > On 06.05.2014 17:47, Brian Watson wrote:
> > > > > Hi Noel,
> > > > >  Thanks for the tip! I'm making progress and updated both strongswan.conf files, but now I get the following error, which I'm investigating:
> >
> > > > > initiating IKE_SA home[3] to 127.0.0.2
> > > > > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > > > > sending packet: from 127.0.0.3[500] to 127.0.0.2[500] (892 bytes)
> > > > > received packet: from 127.0.0.2[500] to 127.0.0.3[500] (36 bytes)
> > > > > parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
> > > > > received NO_PROPOSAL_CHOSEN notify error
> > > > > establishing connection 'home' failed
> >
> > > > > Any ideas?
> >
> > > > > Thanks,
> > > > >   Brian
> >
> >
> >
> > > > > On Tue, May 6, 2014 at 10:11 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> > > > > Hello Brian,
> >
> > > > > Plugins in StrongSwan provide support for cryptographic operations, like Diffie-Hellman key exchanges and ciphers.
> > > > > StrongSwan itself only comes with a small number of plugins for ciphers like aes or des, but not DH, which is used to negotiate the key in phase one.
> > > > > Plugins provide access to 3rd party APIs, like the ones of openssl and libgmp.
> > > > > The default proposal StrongSwan sends includes a DH exchange over a modulus of 2048 bit, which is provided by either libgmp or openssl.
> > > > > It seems you do not have libgmp installed on your box. Please install it, then try again. As an alternative, you could also use openssl.
> > > > > To use openssl instead of libgmp for cryptography, just replace gmp with openssl in the load argument in strongswan.conf.
> >
> > > > > Regards,
> > > > > Noel Kuntze
> >
> > > > > On 06.05.2014 16:54, Brian Watson wrote:
> > > > > > I also have done the following:
> >
> > > > > > 1. ipsec up home
> >
> > > > > > 2. I get the following in response
> > > > > > initiating IKE_SA home[1] to 127.0.0.2
> > > > > > configured DH group MODP_2048 not supported
> > > > > > tried to check-in and delete nonexisting IKE_SA
> > > > > > establishing connection 'home' failed
> >
> > > > > > Thanks!
> > > > > >    Brian
> >
> >
> > > > > > On Tue, May 6, 2014 at 9:06 AM, Brian Watson <bwats9999 at gmail.com> wrote:
> >
> > > > > >     I have set up strongswan with the config files on 2 virtual boxes running Ubuntu 14.04. I have the following with the 2nd virtual machine basically mirroring the first with the exception of the ip address being swapped around:
> >
> > > > > >     1. I set up the config files on 2 Ubuntu virtualbox machines
> > > > > >       ipsec.conf
> > > > > >       -------------------------
> > > > > >       config setup
> >
> > > > > >       conn %default
> > > > > >               ikelifetime=60m
> > > > > >               keylife=20m
> > > > > >               rekeymargin=3m
> > > > > >               keyingtries=1
> > > > > >               keyexchange=ikev2
> > > > > >               authby=secret
> >
> > > > > >       conn home
> > > > > >               left=127.0.0.2
> > > > > >               leftfirewall=no
> > > > > >               right=127.0.0.3
> > > > > >               auto=add
> >
> > > > > >       ipsec.secrets
> > > > > >       ------------------------------
> > > > > >       127.0.0.2 : PSK <shared secret>
> >
> > > > > >       strongswan.conf
> > > > > >       -------------------------------
> > > > > >       charon {
> > > > > >           load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
> > > > > >       }
> >
> > > > > >     2. I issue "sudo ipsec start" and status commands and get the following:
> >
> > > > > >     Starting strongSwan 5.1.2 IPsec [starter]...
> > > > > >     !! Your strongswan.conf contains manual plugin load options for charon.
> > > > > >     !! This is recommended for experts only, see
> > > > > >     !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> > > > > >     brianswan3 at brianswan3-VirtualBox:/etc$ sudo ipsec status
> > > > > >     Security Associations (0 up, 0 connecting):
> > > > > >       none
> >
> > > > > >     3. The fact that it shows no security associations implies to me that it didn't work. Is this true and is there something obvious that I'm doing wrong?
> >
> > > > > >     Thanks,
> > > > > >        Brian
> >
> >
> >
> >
> > > > > > _______________________________________________
> > > > > > Users mailing list
> > > > > > Users at lists.strongswan.org
> > > > > > https://lists.strongswan.org/mailman/listinfo/users
> >
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJTaWUYAAoJEDg5KY9j7GZYFB0P/2DX+EXkCKbnQKNLiqQn9pL7
> rWHTeIrqskl4GDo1OlJWz+Zlsk/rSC7eyOVdT8APQppf2XFgprRaTORku1CNE/tn
> b6skkfhv7HuXbsUN8kFKEaldzt6LtEOSSw6a+OqTXVDlhTLCcT7ypvitdrwvp/x6
> OcFWwakFWz1id7cLaJ2BV3W+3wa1KhtSMZevnpiAEVF/k1Ln7sxiBEPqegYN7vfZ
> /NSX0zIoPjVClOLL3SM17hvd8Ino04EqnbY4h0gf3de7LnN0jgyZcOv/oXNWvvKk
> 4T5Ccsbh23DRwrKqR7+JHzqZjUH8oj3iPcglVcFfbYtm5pPIi5HoX7DPi/RrdU5e
> TIJEtA4nyNkLw3yoV3E0l40oiT+pwdMLqaiI2ymtIlkBGKSu5FhG8bqlB/9AJFq5
> BC0nRabUrqMZgpe8q2NOV4Xr+/r0x1ao7UKYozxESgiYMjn0a7cTImVf4z7RFZsB
> pq3RgNN9cwrJIXH6LNbYpByp4DjNKaR+qogfcqzllsw63mMRoVfmCErxa0yKzI9q
> fLT4Sdc6hOHWr0X3Q4kb4ZBvtPz4P8dHQjFCd7mhXHJJWZfcgi1X3gEUKy/TPVHm
> p+/0RCfaxZWm9bDHV8XGL4aBINxLDBGIeMGyAzItb73CE+PdeGPFo6zZG7BV5ucT
> wXneE117DU71KQVSjQWk
> =q7K3
> -----END PGP SIGNATURE-----
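The thread turns on two configuration problems (a stray curly brace in strongswan.conf, and a manual charon "load" list whose DH provider plugin could not be used) and on reading charon's log lines to tell them apart. The following is an added example, not strongSwan project code and not something either poster wrote: a small checker that parses the subset of strongswan.conf syntax used in the thread (key = value lines, # comments, nested name { ... } sections), reports unbalanced braces and a load list with neither gmp nor openssl, and maps the charon log lines quoted above to a likely cause. The DH_PLUGINS set follows Noel's statement that gmp or openssl supplies the MODP_2048 group; the diagnosis texts and the sample input are constructed for this example.

```python
"""Static checks for the strongswan.conf problems in this thread plus a triage
of the charon log lines quoted above.  Added example, not strongSwan code."""
import re

# Plugins that can supply the DH groups charon needs (per the thread: gmp or openssl).
DH_PLUGINS = {"gmp", "openssl"}


def parse_conf(text):
    """Parse strongswan.conf-style text into nested dicts.
    Raises ValueError on unbalanced braces (the thread's stray curly brace)."""
    stack = [{}]  # stack[-1] is the section currently being filled
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unmatched '}' at line %d" % lineno)
            stack.pop()
        else:
            m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
            if not m:
                raise ValueError("cannot parse line %d: %r" % (lineno, raw))
            stack[-1][m.group(1)] = m.group(2).strip()
    if len(stack) != 1:
        raise ValueError("%d section(s) not closed with '}'" % (len(stack) - 1))
    return stack[0]


def check_charon(conf):
    """Return findings about an explicit charon.load list (empty list = clean)."""
    findings = []
    load = conf.get("charon", {}).get("load")
    if load is not None and not set(load.split()) & DH_PLUGINS:
        # A listed plugin still needs its library (e.g. libgmp) installed, as
        # the thread shows; this static check only catches the plugin being absent.
        findings.append("load list has no DH provider (need one of: %s)"
                        % ", ".join(sorted(DH_PLUGINS)))
    return findings


def audit(text):
    """Parse and check a strongswan.conf; syntax errors become findings too."""
    try:
        conf = parse_conf(text)
    except ValueError as e:
        return ["syntax: %s" % e]
    return check_charon(conf)


# Log-line patterns taken from the thread, mapped to a likely cause.
LOG_RULES = [
    (re.compile(r"configured DH group (\S+) not supported"),
     "no loaded plugin provides {0}: load gmp or openssl and make sure its library is installed"),
    (re.compile(r"N\(NO_PROP\)|NO_PROPOSAL_CHOSEN"),
     "peer accepted none of our IKE proposals: compare both sides' proposals and align 'ike='"),
]


def triage_log(lines):
    """Return (line, diagnosis) pairs for log lines that match a known rule."""
    hits = []
    for line in lines:
        for rx, msg in LOG_RULES:
            m = rx.search(line)
            if m:
                hits.append((line.strip(), msg.format(*m.groups())))
                break
    return hits


# Constructed sample input: the thread's second strongswan.conf with braces closed.
SAMPLE_CONF = """\
charon {
    load = aes des sha1 sha2 md5 openssl random nonce hmac stroke kernel-netlink socket-default updown
    send_vendor_id=yes
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            append = no
            default = 2
        }
    }
}
"""

# Constructed sample log: the charon lines pasted in the thread, in order.
SAMPLE_LOG = [
    "initiating IKE_SA home[1] to 127.0.0.2",
    "configured DH group MODP_2048 not supported",
    "establishing connection 'home' failed",
    "parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]",
    "received NO_PROPOSAL_CHOSEN notify error",
]

if __name__ == "__main__":
    print("conf:", audit(SAMPLE_CONF) or "no findings")
    print("conf without openssl:", audit(SAMPLE_CONF.replace("openssl", "")))
    for line, why in triage_log(SAMPLE_LOG):
        print("%s -> %s" % (line, why))
```

Run as a script it audits the constructed config twice (once as posted, once with openssl stripped from the load list) and prints a diagnosis for each recognised log line. The parser is deliberately strict: any line that is neither a section opener, a closing brace nor key = value is an error, which is the behaviour you want when the question is "is my strongswan.conf well-formed".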