[strongSwan] OSX weakswan pfkey_open no such file

Alejandro Valcarcel - ODEC avalcarcel at odec.es
Tue Feb 24 03:18:15 CET 2015


Hello,

this is my first message to the list ;-)

My setup:
VPN Server: Sonicwall NSA E5500 "WAN Group VPN"
Previously I made it work with CentOS 6 and yum install strongswan, all fine
with a weakswan conn.

Now I am trying the same conn with OSX 10.10 Yosemite, just to act as a roadwarrior
against the same VPN server:

brew install strongswan --with-curl --with-suite-b


In charon.conf:

i_dont_care_about_security_and_use_aggressive_mode_psk = yes

I'll obfuscate some info...

$ cat ipsec.conf
config setup
conn gandia12
    auto=add
    type=tunnel
    aggressive=yes
    keyexchange=ikev1
    left=%defaultroute
    leftauth=psk
    leftid=GroupVPN
    leftauth2=xauth
    xauth=client
    xauth_identity=user
    right=host.domain.com
    rightid=SNW UNIQ ID
    rightsubnet="192.168.12.0/24"
    rightauth=psk
    keyingtries=1
    ike=3des-sha1-modp1024
    ikelifetime=28800s
    esp=3des-sha1
    lifetime=28800s

$ cat ipsec.secrets

"GroupVPN" "SNW UNIQ ID" : PSK "Secret;-)"
user : XAUTH "p at w0rd;-)"


$ sudo ipsec start
Starting weakSwan 5.2.2 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!

$ sudo ipsec up gandia12
ULISESXXI:etc alexval$ sudo ipsec up gandia12
initiating Aggressive Mode IKE_SA gandia12[1] to 94.127.192.243
generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
sending packet: from 192.168.2.15[500] to destip[500] (396 bytes)
received packet: from destip[500] to 192.168.2.15[500] (405 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID V V V NAT-D NAT-D V V HASH ]
received unknown vendor ID: 40:4b:f4:39:52:2c:a3:f6
received unknown vendor ID: 5b:36:2b:c8:20:f6:00:08
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
sending packet: from 192.168.2.15[4500] to destip[4500] (108 bytes)
received packet: from destip[4500] to 192.168.2.15[4500] (76 bytes)
parsed TRANSACTION request 4014275289 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 4014275289 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 192.168.2.15[4500] to destip[4500] (92 bytes)
received packet: from destip[4500] to 192.168.2.15[4500] (84 bytes)
parsed INFORMATIONAL_V1 request 2418823313 [ HASH N(INITIAL_CONTACT) ]
configuration payload missing in XAuth request
establishing connection 'gandia12' failed

ULISESXXI:etc alexval$ sudo ipsec up gandia12
initiating Aggressive Mode IKE_SA gandia12[2] to destip
generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
sending packet: from 192.168.2.15[500] to destip[500] (396 bytes)
received packet: from destip[500] to 192.168.2.15[500] (405 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID V V V NAT-D NAT-D V V HASH ]
received unknown vendor ID: 40:4b:f4:39:52:2c:a3:f6
received unknown vendor ID: 5b:36:2b:c8:20:f6:00:08
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
sending packet: from 192.168.2.15[4500] to destip[4500] (108 bytes)
received packet: from destip[4500] to 192.168.2.15[4500] (76 bytes)
parsed TRANSACTION request 1102551187 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 1102551187 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 192.168.2.15[4500] to destip[4500] (92 bytes)
received packet: from destip[4500] to 192.168.2.15[4500] (68 bytes)
parsed TRANSACTION request 3574825738 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'user' (myself) successful
IKE_SA gandia12[2] established between 192.168.2.15[GroupVPN]...destip[SNW
UNIQ ID]
scheduling reauthentication in 28124s
maximum IKE_SA lifetime 28664s
generating TRANSACTION response 3574825738 [ HASH CPA(X_STATUS) ]
sending packet: from 192.168.2.15[4500] to destip[4500] (68 bytes)
generating QUICK_MODE request 1778390774 [ HASH SA No ID ID ]
sending packet: from 192.168.2.15[4500] to destip[4500] (196 bytes)
received packet: from destip[4500] to 192.168.2.15[4500] (156 bytes)
parsed QUICK_MODE response 1778390774 [ HASH SA No ID ID ]
CHILD_SA gandia12{1} established with SPIs 75525fbd_i 42f23025_o and TS
192.168.2.15/32 === 192.168.12.0/24
connection 'gandia12' established successfully

The tunnel is always established OK on the second try; the SonicWall asks twice
for the username and password.

The tunnel interface utun0 gets created:

Feb 24 02:55:57 ULISESXXI kernel[0]: utun_ctl_connect: creating interface
utun0
Feb 24 02:55:57 ULISESXXI.local charon[22124]: 00[LIB] created TUN device:
utun0


$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
nd6 options=1<PERFORMNUD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=4<VLAN_MTU>
ether b8:8d:12:55:d6:ba
inet6 fe80::ba8d:12ff:fe55:d6ba%en1 prefixlen 64 scopeid 0x4
inet 192.168.2.15 netmask 0xffffff00 broadcast 192.168.2.255
nd6 options=1<PERFORMNUD>
media: autoselect (100baseTX <full-duplex,flow-control>)
status: active
en0: flags=8823<UP,BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
ether 44:2a:60:f5:bf:44
nd6 options=1<PERFORMNUD>
media: autoselect (<unknown type>)
status: inactive
p2p0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 2304
ether 06:2a:60:f5:bf:44
media: autoselect
status: inactive
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400


But once established, no packets are arriving at the VPN server.

$ setkey -D
pfkey_open: No such file or directory


The only error found in the log is on $ ipsec stop:

Feb 24 03:02:33 ULISESXXI.local charon[22168]: 00[DMN] signal of type
SIGINT received. Shutting down
Feb 24 03:02:33 ULISESXXI kernel[0]: SIOCPROTODETACH_IN6: utun0 error=6
Feb 24 03:02:33 ULISESXXI.local charon[22168]: 00[ESP] flushing policies
Feb 24 03:02:33 ULISESXXI.local charon[22168]: 00[ESP] flushing SAD
Feb 24 03:02:33 ULISESXXI.local charon[22168]: 00[ESP] flushing allocated
SPIs



I ask for your valuable help, please. What can I double check?

Thanks.


--
Alejandro Valcarcel Garcia
Head of Systems and Communications
ODEC - Construimos Soluciones

avalcarcel at odec.es - http://www.odec.es - Calle Vicent Macip, 1 (46701)
Gandia SPAIN - T: +34 962 860 466 ext 1292 - M: +34 699 679 435
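The posted conn combines aggressive-mode PSK (the setting charon.conf has to be told you "don't care about security" to enable) with 3des-sha1-modp1024 proposals. The following lint script is an added example, not code from the poster or from the strongSwan project: it parses ipsec.conf text in the format shown above and lists those findings per conn. SAMPLE_CONF is a constructed copy of the gandia12 block, and the LEGACY table reflects this reviewer's assumptions about what to flag, not strongSwan's own validation.

```python
"""Lint a strongSwan ipsec.conf for the weak IKEv1 choices in the posted conn.
Added example, not strongSwan's own code or the poster's; the checks are this
reviewer's assumptions, and SAMPLE_CONF is a constructed copy of 'gandia12'."""
import re

LEGACY = {"3des": "64-bit block cipher; prefer aes256",
          "sha1": "legacy hash; prefer sha256",
          "modp1024": "1024-bit DH group; prefer modp2048 or stronger"}

SAMPLE_CONF = """\
config setup
conn gandia12
    aggressive=yes
    keyexchange=ikev1
    leftauth=psk
    leftauth2=xauth
    rightauth=psk
    ike=3des-sha1-modp1024
    esp=3des-sha1
"""

def parse_conf(text):
    """Return {'conn gandia12': {key: value, ...}, ...} from ipsec.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        header = re.match(r"^(config|conn|ca)\s+(\S+)$", line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value.strip('"')  # rightsubnet="..." style
    return sections

def weak_settings(conn):
    """Findings for one conn dict: aggressive-mode PSK plus legacy algorithms."""
    findings = []
    if conn.get("aggressive") == "yes" and "psk" in (conn.get("leftauth"), conn.get("rightauth")):
        findings.append("aggressive mode with PSK: the PSK-derived hash crosses the wire "
                        "unencrypted and can be attacked offline")
    for prop_key in ("ike", "esp"):                    # proposals are comma-separated
        for proposal in filter(None, conn.get(prop_key, "").split(",")):
            for alg in proposal.lower().split("-"):    # cipher-integrity[-dhgroup]
                if alg in LEGACY:
                    findings.append(f"{prop_key}: {alg} is a {LEGACY[alg]}")
    return findings
```

Run it against the real file with `weak_settings(parse_conf(open("/usr/local/etc/ipsec.conf").read())["conn gandia12"])`, adjusting the path to where Homebrew installed strongSwan.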