[strongSwan] no IKE config found error with VICI interface (strongswan-5.2.2)
Chinmaya Dwibedy
ckdwibedy at yahoo.com
Mon Apr 13 14:51:57 CEST 2015
Hi Noel,
Thanks for your email and sorry for not sending the sourcecode and configuration earlier.
I noticed that, after loading the connection definition intoCharon daemon (using the test program stated below), if I trigger list-conncommand (#swanctl –L), it does not print anything in console. Here goes the sample program, which I am using.
int get_version(vici_conn_t *conn)
{
vici_req_t *req;
vici_res_t *res;
int ret = 0;
req =vici_begin("version");
res =vici_submit(req, conn);
if (res)
{
printf("%s %s (%s, %s, %s)\n",
vici_find_str(res, "", "daemon"),
vici_find_str(res, "", "version"),
vici_find_str(res, "", "sysname"),
vici_find_str(res, "", "release"),
vici_find_str(res, "", "machine"));
vici_free_res(res);
}
else
{
ret = errno;
fprintf(stderr, "version request failed: %s\n",strerror(errno));
}
return ret;
}
int add_list_key_values(vici_req_t *req, char* str)
{
const chars[2] = "=";
char*token,*key,*value;
token =strtok(str, s);
key=token;
while( token!= NULL )
{
printf( " %s\n", token );
token= strtok(NULL, s);
value=token;
vici_add_key_value(req, "key", "value",strlen("value"));
}
return 0;
}
int add_key_values(vici_req_t *req, char* str)
{
const chars[2] = "=";
char*token,*key,*value;
token =strtok(str, s);
key=token;
while( token!= NULL )
{
printf( " %s\n", token );
token= strtok(NULL, s);
value=token;
vici_add_key_valuef(req, key, "%s", value);
}
return 0;
}
int load_conn(vici_conn_t *conn)
{
int ret = 0;
vici_req_t*req;
vici_res_t*res;
char buf[128];
char*section="GW-GW";
snprintf(buf,sizeof(buf), "%s.%s", "connections", section);
req =vici_begin("load-conn");
char s1[] ="local_addrs = 10.20.20.1";
char s2[] ="remote_addrs = 10.20.20.4";
char s3[] ="remote_ts = 172.16.220.4/32";
char s4[] ="local_ts = 0.0.0.0/0";
char s5[] ="esp_proposals = aes128-sha1";
char s6[] ="version=2 ";
char s7[] ="mobike=no";
char s8[] ="reauth_time=60m";
char s9[] ="rekey_time =20m";
char s10[] ="auth =psk";
char s11[] ="auth =psk";
char s12[] ="start_action=start";
char s13[] ="rekey_time=1000m";
char s14[] ="proposals=aes128-sha1-modp2048";
add_list_key_values(req,s1);
add_list_key_values(req,s2);
add_list_key_values(req,s3);
add_list_key_values(req,s4);
add_list_key_values(req,s5);
add_key_values(req,s6);
add_key_values(req,s7);
add_key_values(req,s8);
add_key_values(req,s9);
add_key_values(req,s10);
add_key_values(req,s11);
add_key_values(req,s12);
add_key_values(req,s13);
add_key_values(req,s14);
res =vici_submit(req, conn);
if (!res)
{
fprintf(stderr, "load-conn request failed: %s\n",strerror(errno));
returnFALSE;
}
if(!streq(vici_find_str(res, "no", "success"),"yes"))
{
fprintf(stderr, "loading connection '%s' failed: %s\n",
section,vici_find_str(res, "", "errmsg"));
ret =FALSE;
}
else
{
printf("loaded connection '%s'\n", section);
}
vici_free_res(res);
return ret;
}
int main(int argc, char **argv)
{
vici_conn_t *conn;
vici_init();
conn =vici_connect(NULL);
if (conn)
{
get_version(conn);
load_conn(conn);
vici_disconnect(conn);
printf("Connected to VICI Socket\n");
}
else
{
ret = errno;
fprintf(stderr, "connecting failed: %s\n", strerror(errno));
}
vici_deinit();
return 0;
}
Here goes the configuration.
Swanctl.conf at IKE Initiator end
connections {
gw-gw {
local_addrs = 10.20.20.4
remote_addrs =10.20.20.1
local {
auth = psk
}
remote {
auth = psk
}
vips=172.16.220.4
pull=yes
children {
net-net {
local_ts = 172.16.220.4/32
remote_ts = 0.0.0.0/0
start_action = start
updown = /usr/local/libexec/ipsec/_updown iptables
rekey_time = 1000m
esp_proposals = aes128-sha1
}
}
version = 2
mobike = no
reauth_time =60m
rekey_time= 20m
proposals =aes128-sha1-modp2048
}
}
secrets {
# IKE presharedsecret section for a specific secret.
ike-WG {
# Value of the IKE preshared secret.
secret =: PSK"strongSwan"
}
}
Swanctl.conf at IKE Responder end (when sample program isnot used)
connections {
gw-gw {
local_addrs = 10.20.20.1
remote_addrs =10.20.20.4
local {
auth = psk
}
remote {
auth = psk
}
children {
net-net {
remote_ts = 172.16.220.4/32
local_ts = 0.0.0.0/0
start_action = start
updown= /usr/local/libexec/ipsec/_updown iptables
rekey_time = 1000m
esp_proposals = aes128-sha1
}
version = 2
mobike = no
reauth_time =60m
rekey_time= 20m
proposals =aes128-sha1-modp2048
}
secrets {
# IKE presharedsecret section for a specific secret.
ike-WG {
# Value of theIKE preshared secret.
secret =: PSK "strongSwan"
}
}But If I use #swanctl –c (to load the connection without using the sample program) and then #swanctl –L, it prints the following connection info in console. It implies that, there is something wrong in my encoding the request message. Additionally can you please let me know, the secrets section of swanctl.conf file is being parsed in which function?
gw-gw: IKEv2
local: 10.20.20.1
remote: 10.20.20.4
local pre-shared key authentication:
remote pre-shared key authentication:
net-net: TUNNEL
local: 0.0.0.0/0
remote: 172.16.220.4/32
Regards,
Chinmaya
On Monday, April 13, 2015 5:38 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello Chinmaya,
Well, if you expect us to help, you should at least give us your source
code and the configuration you're loading.
Mit freundlichen Grüßen/Regards,
Noel Kuntze
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 13.04.2015 um 14:02 schrieb Chinmaya Dwibedy:
>
>
>
>
>
>
> Hi,
> I have written a C program which uses the VICI to configure and control the IKE daemon Charon (at IKE Responder end). I have updated the request (of type vici_req_t) using the vici_add_key_value() and vici_add_key_valuef(),and send the same via vici_submit (load-conn command). It says that, the connection has been loaded to Charon daemon successfully. But when I run the Charon daemon (at IKE initiator end), I get the following error in Charon log file.
>
> Jan 1 04:34:10 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(N
> ATD_D_IP) ]
> Jan 1 04:34:10 07[CFG] looking for an ike config for 10.20.20.1...10.20.20.4
> Jan 1 04:34:10 07[IKE] no IKE config found for 10.20.20.1...10.20.20.4, sending
> NO_PROPOSAL_CHOSEN
> Jan 1 04:34:10 07[ENC] added payload of type NOTIFY to message
> Jan 1 04:34:10 07[ENC] order payloads in message
> Jan 1 04:34:10 07[ENC] added payload of type NOTIFY to message
> Jan 1 04:34:10 07[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
>
> Note that, I have configured matching proposal for IKE and Child SA at both ends and using strongswan-5.2.2. Can anyone please suggest what I am doing wrong? Thanks in advance for your support.
>
> Regards,
> Chinmaya
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJVK7G3AAoJEDg5KY9j7GZYfJoP/jvzC/DsaoAHIX/JKKEc91NX
n+cBViJECpIRL5L4NNBjtJ4lIOr0jZ/tgrt5EQAXagaK+KhstHemsjmVjK/SV87H
sB3CEDaR6Ht5JmrpEiT76+qGOF1ibT3qlUvPoKE+z6xMpryjfXHFGDjs18Fkz8Y7
VeJcrZ7e8JO+CNKBbE8wsi9k/iQSsPquXO68xRhbpRgMIIzZ3lWND/YKXnQiq5FG
Owc7U12IDwo5pDHdDwnNQYwYG+fbGuuEnY0inEFwXybyyhEDEVlmpzFekE+BSgTy
cxHtt+7m0sJLcnogzCxJdZx1deQAk3bZsIGSvGE/ho+VrNhjEdlkqCkLwk7Uw12u
apzE34TWYpL5GL5ffMQQ3qeocQHLf/5txm/T4bKkb/4GOi8xknUvFPyIA1XmKDpU
4uYbCKYHsWXFMSj+zDVFWheQ8LltEeApuLLSmKECWl6Ok3ucIerSm9Yag4f82wjJ
fECXLwfaV4xAtyVLvrHO+MDGdXZ30VUcjqCnfcwJDlMdWL1v2xXAIN3Z0ue2uCl1
qP34ZhiFqfecX1J662mllTutf+SM5etKw5NYRBwMCNm/VE7Ma2P1ODRB4GYGFOrO
X1Ik2JeCAr0+4vy8W3Xyr0ho3XJ9LBH9Za3/yy7GHGYkORP5ycGcCX7uechGQj4d
bpOgew4i5EgNKGBXJ8YA
=01GK
-----END PGP SIGNATURE-----
_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150413/a460e1ed/attachment-0001.html>
More information about the Users
mailing list