[strongSwan] IKE_SA_INIT request and response in a loop (strongswan 4.5.3)
Nanda Gopal
nandanator at gmail.com
Fri Aug 28 14:50:15 CEST 2015
Hi,
In my IPsec setup, DUT -> SecGW, I have the same set of certificates and privkey.
(Everything is kept in the following locations: /etc/ipsec.d/cacerts, /etc/ipsec.d/certs and /etc/ipsec.d/private.)
Following is the ipsec.conf content from the SecGW:
config setup
nat_traversal=no
charonstart=yes
#plutostart=yes
uniqueids=no
charondebug="dmn 1, mgr 1, ike 0, chd 1, job 0, cfg 0, knl 0, net 0"
dumpdir=/root
conn %default
auto=add
mobike=no
conn conn1
type=passthrough
rightsubnet=14.14.14.156/32
leftsubnet=10.62.65.164/32
leftprotoport=6
rightprotoport=6
conn conn2
type=passthrough
rightsubnet=14.14.14.156/32
leftsubnet=0.0.0.0/0
leftprotoport=17/68
rightprotoport=17/67
conn conn3
type=tunnel
rightsubnet=14.14.14.156/24
leftsubnet=0.0.0.0/0
right=14.14.14.156
left=14.14.14.158
keyexchange=ikev2
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
ikelifetime=83622s
esp=aes128-sha1,3des-sha1!
authby=pubkey
rightid=%any
keylife=86400s
dpdaction=clear
dpddelay=10
dpdtimeout=120
leftcert=cert.pem
rekeyfuzz=25%
rekeymargin=120s
Following is the ipsec.conf from the DUT:
config setup
uniqueids=no
charondebug="dmn 1, mgr 1, ike 0, chd 1, job 0, cfg 0, knl 0, net 0, enc -1, lib -1"
conn %default
auto=start
mobike=no
conn conn1_9
type=passthrough
leftsubnet=14.14.14.156/32
rightsubnet=10.62.65.164/32
leftprotoport=6
rightprotoport=6
conn conn2_10
type=passthrough
leftsubnet=14.14.14.156/32
rightsubnet=0.0.0.0/0
leftprotoport=17/68
rightprotoport=17/67
conn conn3_11
type=tunnel
leftsubnet=14.14.14.156/24
rightsubnet=0.0.0.0/0
left=14.14.14.156
right=14.14.14.158
replay_window=256
keyexchange=ikev2
reauth=no
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
ikelifetime=83197s
esp=aes128-sha1,3des-sha1!
authby=pubkey
rightid=%any
keylife=86400s
dpdaction=clear
dpddelay=10
dpdtimeout=120
leftcert=/etc/ipsec.d/certs/btsCert.pem
rekeyfuzz=25%
rekeymargin=120s
14.14.14.156 is the VLAN in DUT and .158 the VLAN in SecGW (VLAN ID 20)
I keep getting this message on the SecGW:
Starting strongSwan 4.5.3 IPsec [starter]...
| Default route found: iface=eth0, addr=10.58.167.238, nexthop=10.58.167.1
| Loading config setup
| nat_traversal=no
| charonstart=yes
| uniqueids=no
| charondebug=dmn 1, mgr 1, ike 0, chd 1, job 0, cfg 0, knl 0, net 0
| dumpdir=/root
| Loading conn %default
| auto=add
| mobike=no
| Loading conn 'conn1'
| type=passthrough
| rightsubnet=14.14.14.156/32
| leftsubnet=10.62.65.164/32
| leftprotoport=6
| rightprotoport=6
| Loading conn 'conn2'
| type=passthrough
| rightsubnet=14.14.14.156/32
| leftsubnet=0.0.0.0/0
| leftprotoport=17/68
| rightprotoport=17/67
| Loading conn 'conn3'
| type=tunnel
| rightsubnet=14.14.14.156/24
| leftsubnet=0.0.0.0/0
| right=14.14.14.156
| left=14.14.14.158
| keyexchange=ikev2
| ike=aes128-sha1-modp1024,3des-sha1-modp1024!
| ikelifetime=83622s
| esp=aes128-sha1,3des-sha1!
| authby=pubkey
| rightid=%any
| keylife=86400s
| dpdaction=clear
| dpddelay=10
| dpdtimeout=120
| leftcert=cert.pem
| rekeyfuzz=25%
| rekeymargin=120s
| Found netkey IPsec stack
| Attempting to start pluto...
starter_start_pluto entered
Pluto initialized
Starting IKEv1 pluto daemon (strongSwan 4.5.3) THREADS VENDORID
listening on interfaces:
eth0
10.58.167.238
fe80::9e8e:99ff:fe63:d9e
eth1
fe80::9e8e:99ff:fe63:d9f
eth3
6.6.6.6
fe80::9e8e:99ff:fe63:da0
eth3.20
14.14.14.158
fe80::9e8e:99ff:fe63:da0
loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp
hmac xauth attr kernel-netlink resolve
including NAT-Traversal patch (Version 0.6c) [disabled]
pluto (14886) started after 20 ms
| Attempting to start charon...
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation
constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink
resolve socket-raw stroke updown
charon (14911) started after 20 ms
loading ca certificates from '/etc/ipsec.d/cacerts'
loaded ca certificate from '/etc/ipsec.d/cacerts/CACert.pem'
loading aa certificates from '/etc/ipsec.d/aacerts'
loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
loading attribute certificates from '/etc/ipsec.d/acerts'
spawning 4 worker threads
listening for IKE messages
adding interface eth3.20/eth3.20 14.14.14.158:500
adding interface eth3/eth3 6.6.6.6:500
adding interface eth0/eth0 10.58.167.238:500
adding interface lo/lo 127.0.0.2:500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo ::1:500
loading secrets from "/etc/ipsec.secrets"
loaded private key from 'privkey.pem'
connection must specify host IP address for our side
connection must specify host IP address for our side
loaded host certificate from '/etc/ipsec.d/certs/cert.pem'
id '%any' not confirmed by certificate, defaulting to 'CN=Juniper_EE_Cert'
added connection description "conn3"
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
12[IKE] 14.14.14.156 is initiating an IKE_SA
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
13[IKE] 14.14.14.156 is initiating an IKE_SA
13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
14[IKE] 14.14.14.156 is initiating an IKE_SA
14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
15[IKE] 14.14.14.156 is initiating an IKE_SA
15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
09[IKE] 14.14.14.156 is initiating an IKE_SA
09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
02[IKE] 14.14.14.156 is initiating an IKE_SA
02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
11[IKE] 14.14.14.156 is initiating an IKE_SA
11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
13[IKE] 14.14.14.156 is initiating an IKE_SA
13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
15[IKE] 14.14.14.156 is initiating an IKE_SA
15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
09[IKE] 14.14.14.156 is initiating an IKE_SA
09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
02[IKE] 14.14.14.156 is initiating an IKE_SA
02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
11[IKE] 14.14.14.156 is initiating an IKE_SA
11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
13[IKE] 14.14.14.156 is initiating an IKE_SA
13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
15[IKE] 14.14.14.156 is initiating an IKE_SA
15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
09[IKE] 14.14.14.156 is initiating an IKE_SA
09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
02[IKE] 14.14.14.156 is initiating an IKE_SA
02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
ipsec statusall from SecGW
++++++++++++++++++++++
linux-89yz:/etc/ipsec.d/certs # ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.3):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface lo/lo 127.0.0.2:500
000 interface eth0/eth0 10.58.167.238:500
000 interface eth3/eth3 6.6.6.6:500
000 interface eth3.20/eth3.20 14.14.14.158:500
000 %myid = '%any'
000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem
gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
Status of IKEv2 charon daemon (strongSwan 4.5.3):
uptime: 4 minutes, since Aug 28 18:14:33 2015
malloc: sbrk 266240, mmap 0, used 125080, free 141160
worker threads: 9 of 16 idle, 6/1/0/0 working, job queue: 0/0/0/0,
scheduled: 5
loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints
pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve
socket-raw stroke updown
Listening IP addresses:
10.58.167.238
6.6.6.6
14.14.14.158
Connections:
conn1: %any...%any
conn1: local: [%any] uses public key authentication
conn1: remote: [%any] uses any authentication
conn1: child: 10.62.65.164/32[tcp] === 14.14.14.156/32[tcp] PASS
conn2: child: 0.0.0.0/0[udp/bootpc] ===
14.14.14.156/32[udp/bootps] PASS
conn3: 14.14.14.158...14.14.14.156, dpddelay=10s
conn3: local: [CN=Juniper_EE_Cert] uses public key authentication
conn3: cert: "CN=Juniper_EE_Cert"
conn3: remote: [%any] uses any authentication
conn3: child: 0.0.0.0/0 === 14.14.14.0/24 TUNNEL, dpdaction=clear
Security Associations (0 up, 5 connecting):
(unnamed)[31]: CONNECTING, 14.14.14.158[%any]...14.14.14.156[%any]
(unnamed)[31]: IKE SPIs: dc6f3d67687dbbbe_i b8ddb4aa904d6cc7_r*
(unnamed)[31]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
(unnamed)[31]: Tasks passive: IKE_CERT_PRE IKE_AUTHENTICATE
IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
(unnamed)[32]: CONNECTING, 14.14.14.158[%any]...14.14.14.156[%any]
(unnamed)[32]: IKE SPIs: 00cff6e01c90dada_i 6627d305c452bf84_r*
(unnamed)[32]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
(unnamed)[32]: Tasks passive: IKE_CERT_PRE IKE_AUTHENTICATE
IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
(unnamed)[33]: CONNECTING, 14.14.14.158[%any]...14.14.14.156[%any]
(unnamed)[33]: IKE SPIs: 09311004bb4ef92c_i 9a637a4c1707c811_r*
(unnamed)[33]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
(unnamed)[33]: Tasks passive: IKE_CERT_PRE IKE_AUTHENTICATE
IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
(unnamed)[34]: CONNECTING, 14.14.14.158[%any]...14.14.14.156[%any]
(unnamed)[34]: IKE SPIs: 9fd12f3cb133a80e_i 5ad350b36985bac0_r*
(unnamed)[34]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
(unnamed)[34]: Tasks passive: IKE_CERT_PRE IKE_AUTHENTICATE
IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
(unnamed)[35]: CONNECTING, 14.14.14.158[%any]...14.14.14.156[%any]
(unnamed)[35]: IKE SPIs: 6dd742a9b6a58fe0_i 4bf7a361c5485a2e_r*
(unnamed)[35]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
(unnamed)[35]: Tasks passive: IKE_CERT_PRE IKE_AUTHENTICATE
IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
ipsec statusall from DUT
++++++++++++++++++
root at transport:/opt/trs/bin >ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux
3.14.36-g50313b4-fsm4_axm, armv7l):
uptime: 10 seconds, since Aug 28 18:18:44 2015
malloc: sbrk 1961984, mmap 0, used 279296, free 1682688
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 1
loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
pem openssl fips-prf gmp xcbc cmac hmac cra curl attr kernel-netlink
resolve socket-default stroke updown xauth-generic
Listening IP addresses:
192.168.253.177
192.168.253.16
10.43.39.88
192.168.255.129
192.168.255.1
14.14.14.156
Connections:
conn1_9: %any...%any IKEv1/2
conn1_9: local: uses public key authentication
conn1_9: remote: uses public key authentication
conn1_9: child: 14.14.14.156/32[tcp] === 10.62.65.164/32[tcp] PASS
conn2_10: child: 14.14.14.156/32[udp/bootpc] ===
0.0.0.0/0[udp/bootps] PASS
conn3_11: 14.14.14.156...14.14.14.158 IKEv2, dpddelay=10s
conn3_11: local: [CN=Juniper_EE_Cert] uses public key authentication
conn3_11: cert: "CN=Juniper_EE_Cert"
conn3_11: remote: uses public key authentication
conn3_11: child: 14.14.14.0/24 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
conn3_11[3]: CONNECTING, 14.14.14.156[%any]...14.14.14.158[%any]
conn3_11[3]: IKEv2 SPIs: 804a1c0728dc7beb_i* 0000000000000000_r
conn3_11[3]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE
IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME
Any help in debugging / fixing this issue is much appreciated :)
Many thanks in advance.
Regards
Nanda
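As an added illustration (not part of the post above), the following script reproduces the diagnosis a responder-side operator would make from charon's log: it correlates "is initiating an IKE_SA" with the IKE_SA_INIT response generated on the same worker thread and with any later "established between" line, and flags peers that keep retransmitting IKE_SA_INIT without ever completing IKE_AUTH. The sample log is constructed in the shape of the SecGW output above; the peer 10.62.65.9 and the "established between" line are assumptions for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the SecGW charon log in this post (not the
# original log): 14.14.14.156 retransmits IKE_SA_INIT, a second (assumed) peer
# 10.62.65.9 gets through IKE_AUTH and establishes its IKE_SA.
SAMPLE_LOG = """\
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
12[IKE] 14.14.14.156 is initiating an IKE_SA
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
13[IKE] 14.14.14.156 is initiating an IKE_SA
13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
05[IKE] 10.62.65.9 is initiating an IKE_SA
05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
05[IKE] IKE_SA conn3[36] established between 14.14.14.158[CN=Juniper_EE_Cert]...10.62.65.9[CN=Juniper_EE_Cert]
"""

INITIATING = re.compile(r"^(\d+)\[IKE\] (\S+) is initiating an IKE_SA$")
RESPONSE = re.compile(r"^(\d+)\[ENC\] generating IKE_SA_INIT response")
ESTABLISHED = re.compile(r"established between \S+\.\.\.(\S+?)\[")


def ike_init_stats(log):
    """Per peer: IKE_SA_INIT requests seen, responses generated, IKE_SAs established."""
    stats = defaultdict(lambda: {"requests": 0, "responses": 0, "established": 0})
    # charon names the peer only on the [IKE] line; the response it generates is
    # logged by the same worker thread, so the thread id links the two lines.
    peer_by_thread = {}
    for line in log.splitlines():
        if m := INITIATING.match(line):
            thread, peer = m.groups()
            stats[peer]["requests"] += 1
            peer_by_thread[thread] = peer
        elif m := RESPONSE.match(line):
            peer = peer_by_thread.pop(m.group(1), None)
            if peer:
                stats[peer]["responses"] += 1
        elif m := ESTABLISHED.search(line):
            stats[m.group(1)]["established"] += 1
    return dict(stats)


def half_open_peers(log, min_requests=2):
    """Peers that keep sending IKE_SA_INIT, are answered, but never establish an IKE_SA.
    Responses leave this side but are not accepted (or not delivered) at the initiator,
    which matches the DUT still showing responder SPI 0000000000000000_r in IKE_INIT."""
    return sorted(peer for peer, s in ike_init_stats(log).items()
                  if s["requests"] >= min_requests and s["established"] == 0)
```

Run it against a real charon log with `ike 1` debugging; a peer listed by `half_open_peers` with responses equal to requests points at the return path (UDP 500 back to the initiator) rather than at the responder's configuration.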