<div>Hi,</div>
<div> </div>
<div>I have a very peculiar problem. My endpoints can ping each other, but for some reason, the tunnel is not getting established. There are no error messages in the log file. Please find the relevant details below. Can someone please help me solve this problem? My strongswan version is 4.4.0. </div>
<div> </div>
<div>PS: this used to work fine until someone played around with my config files, trying to understand how to use strongSwan.</div>
<div> </div>
<div>Thanks,</div>
<div>Meera </div>
<div> </div>
<div><strong><u>Peer 1 can ping peer 2:</u></strong></div>
<div>root@vc1:~# ping 10.58.113.118<br>PING 10.58.113.118 (10.58.113.118) 56(84) bytes of data.<br>64 bytes from 10.58.113.118: icmp_req=1 ttl=63 time=10.6 ms<br>
64 bytes from 10.58.113.118: icmp_req=2 ttl=63 time=0.297 ms<br>^C<br>--- 10.58.113.118 ping statistics ---<br>2 packets transmitted, 2 received, 0% packet loss, time 1002ms<br>rtt min/avg/max/mdev = 0.297/5.492/10.688/5.196 ms<br>
</div>
<div><strong><u>Peer 2 can ping peer 1:</u></strong></div>
<div>root@vc2:~# ping 10.58.113.37<br>PING 10.58.113.37 (10.58.113.37) 56(84) bytes of data.<br>64 bytes from 10.58.113.37: icmp_req=1 ttl=63 time=0.356 ms<br>
64 bytes from 10.58.113.37: icmp_req=2 ttl=63 time=0.283 ms<br>^C<br>--- 10.58.113.37 ping statistics ---<br>2 packets transmitted, 2 received, 0% packet loss, time 999ms<br>rtt min/avg/max/mdev = 0.283/0.319/0.356/0.040 ms<br>
</div>
<div><strong><u>ipsec.conf on peer 1:</u></strong></div>
<div>root@vc1:~# cat /etc/ipsec.conf<br># ipsec.conf - strongSwan IPsec configuration file</div>
<div># basic configuration</div>
<div>config setup<br> # plutodebug=all<br> # crlcheckinterval=600<br> strictcrlpolicy=no<br> # cachecrls=yes<br> # nat_traversal=yes<br> charonstart=yes<br> charondebug=all<br>
plutostart=no</div>
<div># Add connections here.</div>
<div># Sample VPN connections</div>
<div>#conn sample-self-signed<br># left=%defaultroute<br># leftsubnet=10.1.0.0/16<br># leftcert=selfCert.der<br># leftsendcert=never<br># right=192.168.0.2<br># rightsubnet=10.2.0.0/16<br>
# rightcert=peerCert.der<br># auto=start</div>
<div>ca strongswan<br> cacert=caCert.der<br> auto=add</div>
<div>conn sample-with-ca-cert<br> left=10.58.113.37<br> leftsubnet=10.58.113.0/24<br> leftcert=VC1Cert.der<br> right=10.58.113.118<br> rightsubnet=10.58.113.0/24<br>
rightid="C=CH, O=strongSwan, CN=10.58.113.118"<br> keyexchange=ikev2<br> auto=add<br></div>
<div><strong><u>ipsec.conf on peer 2:</u></strong></div>
<div>root@vc2:~# cat /etc/ipsec.conf<br># ipsec.conf - strongSwan IPsec configuration file</div>
<div># basic configuration</div>
<div>config setup<br> # plutodebug=all<br> # crlcheckinterval=600<br> strictcrlpolicy=no<br> # cachecrls=yes<br> # nat_traversal=yes<br> charonstart=yes<br> plutostart=no<br>
charondebug=all</div>
<div># Add connections here.</div>
<div># Sample VPN connections</div>
<div>#conn sample-self-signed<br># left=%defaultroute<br># leftsubnet=10.1.0.0/16<br># leftcert=selfCert.der<br># leftsendcert=never<br># right=192.168.0.2<br># rightsubnet=10.2.0.0/16<br>
# rightcert=peerCert.der<br># auto=start</div>
<div>ca strongswan<br> cacert=caCert.der<br> auto=add</div>
<div>conn sample-with-ca-cert<br> left=10.58.113.118<br> leftsubnet=10.58.113.0/24<br> leftcert=VC2Cert.der<br> right=10.58.113.37<br> rightsubnet=10.58.113.0/24<br>
rightid="C=CH, O=strongSwan, CN=10.58.113.37"<br> keyexchange=ikev2<br> auto=start<br></div>
<div> </div>
<div><strong><u>Log file on peer 1:</u></strong></div>
<div>May 9 23:11:23 vc1 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.4.0)<br>May 9 23:11:23 vc1 charon: 00[KNL] listening on interfaces:<br>May 9 23:11:23 vc1 charon: 00[KNL] eth2<br>May 9 23:11:23 vc1 charon: 00[KNL] 10.58.113.37<br>
May 9 23:11:23 vc1 charon: 00[KNL] fe80::21f:29ff:fe69:70ae<br>May 9 23:11:23 vc1 charon: 00[KNL] ethvc1<br>May 9 23:11:23 vc1 charon: 00[KNL] 10.58.113.60<br>May 9 23:11:23 vc1 charon: 00[KNL] fe80::4824:96ff:fe30:e7ba<br>
May 9 23:11:23 vc1 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'<br>May 9 23:11:23 vc1 charon: 00[CFG] loaded ca certificate "C=CH, O=strongSwan, CN=strongSwan CA" from '/etc/ipsec.d/cacerts/caCert.der'<br>
May 9 23:11:23 vc1 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'<br>May 9 23:11:23 vc1 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'<br>May 9 23:11:23 vc1 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'<br>
May 9 23:11:23 vc1 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'<br>May 9 23:11:23 vc1 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'<br>May 9 23:11:23 vc1 charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/VC1Key.der'<br>
May 9 23:11:23 vc1 charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed<br>May 9 23:11:23 vc1 charon: 00[DMN] loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr kernel-netlink socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp resolve<br>
May 9 23:11:23 vc1 charon: 00[JOB] spawning 16 worker threads<br>May 9 23:11:23 vc1 charon: 09[CFG] received stroke: add ca 'strongswan'<br>May 9 23:11:23 vc1 charon: 09[CFG] added ca 'strongswan'<br>May 9 23:11:23 vc1 charon: 10[CFG] received stroke: add connection 'sample-with-ca-cert'<br>
May 9 23:11:23 vc1 charon: 10[CFG] loaded certificate "C=CH, O=strongSwan, CN=10.58.113.37" from 'VC1Cert.der'<br>May 9 23:11:23 vc1 charon: 10[CFG] id '10.58.113.37' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=10.58.113.37'<br>
May 9 23:11:23 vc1 charon: 10[CFG] added configuration 'sample-with-ca-cert'<br>May 9 23:11:25 vc1 charon: 12[NET] received packet: from 10.58.113.118[500] to 10.58.113.37[500]<br>May 9 23:11:25 vc1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
May 9 23:11:25 vc1 charon: 12[IKE] 10.58.113.118 is initiating an IKE_SA<br>May 9 23:11:26 vc1 charon: 12[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"<br>May 9 23:11:26 vc1 charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]<br>
May 9 23:11:26 vc1 charon: 12[NET] sending packet: from 10.58.113.37[500] to 10.58.113.118[500]<br>May 9 23:11:55 vc1 charon: 13[JOB] deleting half open IKE_SA after timeout<br></div>
<div> </div>
<div><strong><u>Log file on peer 2:</u></strong></div>
<div>May 9 23:11:25 vc2 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.4.0)<br>May 9 23:11:25 vc2 charon: 00[KNL] listening on interfaces:<br>May 9 23:11:25 vc2 charon: 00[KNL] eth3<br>May 9 23:11:25 vc2 charon: 00[KNL] 10.58.113.118<br>
May 9 23:11:25 vc2 charon: 00[KNL] fe80::21f:29ff:fe69:28<br>May 9 23:11:25 vc2 charon: 00[KNL] ethvc2<br>May 9 23:11:25 vc2 charon: 00[KNL] 10.58.113.101<br>May 9 23:11:25 vc2 charon: 00[KNL] fe80::fcd1:15ff:feba:76c8<br>
May 9 23:11:25 vc2 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'<br>May 9 23:11:25 vc2 charon: 00[CFG] loaded ca certificate "C=CH, O=strongSwan, CN=strongSwan CA" from '/etc/ipsec.d/cacerts/caCert.der'<br>
May 9 23:11:25 vc2 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'<br>May 9 23:11:25 vc2 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'<br>May 9 23:11:25 vc2 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'<br>
May 9 23:11:25 vc2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'<br>May 9 23:11:25 vc2 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'<br>May 9 23:11:25 vc2 charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/VC2Key.der'<br>
May 9 23:11:25 vc2 charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed<br>May 9 23:11:25 vc2 charon: 00[DMN] loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr kernel-netlink socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp resolve<br>
May 9 23:11:25 vc2 charon: 00[JOB] spawning 16 worker threads<br>May 9 23:11:25 vc2 charon: 05[CFG] received stroke: add ca 'strongswan'<br>May 9 23:11:25 vc2 charon: 05[CFG] added ca 'strongswan'<br>May 9 23:11:25 vc2 charon: 11[CFG] received stroke: add connection 'sample-with-ca-cert'<br>
May 9 23:11:25 vc2 charon: 11[CFG] loaded certificate "C=CH, O=strongSwan, CN=10.58.113.118" from 'VC2Cert.der'<br>May 9 23:11:25 vc2 charon: 11[CFG] id '10.58.113.118' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=10.58.113.118'<br>
May 9 23:11:25 vc2 charon: 11[CFG] added configuration 'sample-with-ca-cert'<br>May 9 23:11:25 vc2 charon: 14[CFG] received stroke: initiate 'sample-with-ca-cert'<br>May 9 23:11:25 vc2 charon: 14[IKE] initiating IKE_SA sample-with-ca-cert[1] to 10.58.113.37<br>
May 9 23:11:25 vc2 charon: 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>May 9 23:11:25 vc2 charon: 14[NET] sending packet: from 10.58.113.118[500] to 10.58.113.37[500]<br>May 9 23:11:26 vc2 charon: 15[NET] received packet: from 10.58.113.37[500] to 10.58.113.118[500]<br>
May 9 23:11:26 vc2 charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]<br>May 9 23:11:26 vc2 charon: 15[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA"<br>
May 9 23:11:26 vc2 charon: 15[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"<br>May 9 23:11:26 vc2 charon: 15[IKE] authentication of 'C=CH, O=strongSwan, CN=10.58.113.118' (myself) with RSA signature successful<br>
May 9 23:11:26 vc2 charon: 15[IKE] sending end entity cert "C=CH, O=strongSwan, CN=10.58.113.118"<br>May 9 23:11:26 vc2 charon: 15[IKE] establishing CHILD_SA sample-with-ca-cert<br>May 9 23:11:26 vc2 charon: 15[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]<br>
May 9 23:11:26 vc2 charon: 15[NET] sending packet: from 10.58.113.118[4500] to 10.58.113.37[4500]<br>May 9 23:11:30 vc2 charon: 09[IKE] retransmit 1 of request with message ID 1<br>May 9 23:11:30 vc2 charon: 09[NET] sending packet: from 10.58.113.118[4500] to 10.58.113.37[4500]<br>
May 9 23:11:37 vc2 charon: 05[IKE] retransmit 2 of request with message ID 1<br>May 9 23:11:37 vc2 charon: 05[NET] sending packet: from 10.58.113.118[4500] to 10.58.113.37[4500]<br>May 9 23:11:50 vc2 charon: 12[IKE] retransmit 3 of request with message ID 1<br>
May 9 23:11:50 vc2 charon: 12[NET] sending packet: from 10.58.113.118[4500] to 10.58.113.37[4500]<br>May 9 23:12:13 vc2 charon: 11[IKE] retransmit 4 of request with message ID 1<br>May 9 23:12:13 vc2 charon: 11[NET] sending packet: from 10.58.113.118[4500] to 10.58.113.37[4500]<br>
May 9 23:12:55 vc2 charon: 13[IKE] retransmit 5 of request with message ID 1<br>May 9 23:12:55 vc2 charon: 13[NET] sending packet: from 10.58.113.118[4500] to 10.58.113.37[4500]<br>May 9 23:14:11 vc2 charon: 16[KNL] creating delete job for ESP CHILD_SA with SPI c5a05f90 and reqid {1}<br>
</div>
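<div>Reading the two logs side by side: vc2's IKE_SA_INIT request on UDP/500 reaches vc1 and is answered, but the IKE_AUTH request that vc2 then sends from UDP/4500 to UDP/4500 never appears in vc1's log at all; vc2 retransmits it five times and vc1 drops the half-open IKE_SA after its timeout. The script below is an example added by the editor, not code from the post or from strongSwan: it correlates the charon logs of both peers to find the first message the initiator sent that the responder never parsed, and reports the ports in use when the handshake stalled. Its sample input is a trimmed copy of the log lines posted above; the regular expressions assume the strongSwan 4.x charon syslog format shown on this page, and the port-change heuristic in explain() is the editor's reading of these logs, not a strongSwan diagnostic.</div>

```python
import re

# Patterns for the strongSwan 4.x charon syslog lines shown in the post.
ENC_RE = re.compile(r"\[ENC\] (generating|parsed) (\w+) (request|response) (\d+)")
SENT_RE = re.compile(r"\[NET\] sending packet: from \S+\[(\d+)\] to \S+\[(\d+)\]")
RECV_RE = re.compile(r"\[NET\] received packet: from \S+\[(\d+)\] to \S+\[(\d+)\]")
RETRANS_RE = re.compile(r"\[IKE\] retransmit (\d+) of request with message ID (\d+)")
HALF_OPEN_RE = re.compile(r"deleting half open IKE_SA after timeout")


def parse_events(log):
    """List each IKE message one peer sent or received, in log order.
    charon names the exchange on an [ENC] line and the ports on the adjacent [NET]
    line ('generating' then 'sending', 'received' then 'parsed'), so the two are
    paired by adjacency. Retransmits carry no [ENC] line and are skipped here."""
    events, generating, received = [], None, None
    for line in log.splitlines():
        m = ENC_RE.search(line)
        if m:
            verb, exchange, kind, msg_id = m.groups()
            if verb == "generating":
                generating = (f"{exchange} {kind}", int(msg_id))
            elif received is not None:
                events.append({"direction": "received", "message": f"{exchange} {kind}",
                               "msg_id": int(msg_id), "ports": received})
                received = None
            continue
        m = SENT_RE.search(line)
        if m and generating is not None:
            events.append({"direction": "sent", "message": generating[0],
                           "msg_id": generating[1],
                           "ports": (int(m.group(1)), int(m.group(2)))})
            generating = None
            continue
        m = RECV_RE.search(line)
        if m:
            received = (int(m.group(1)), int(m.group(2)))
    return events


def count_retransmits(log):
    """Map IKE message ID -> highest retransmit number charon logged for it."""
    counts = {}
    for m in RETRANS_RE.finditer(log):
        counts[int(m.group(2))] = max(counts.get(int(m.group(2)), 0), int(m.group(1)))
    return counts


def find_stall(initiator_log, responder_log):
    """First message the initiator sent that the responder never parsed, with its
    ports, retransmit count and the last exchange that did get through; None if
    every sent message was received."""
    sent = [e for e in parse_events(initiator_log) if e["direction"] == "sent"]
    parsed = {(e["message"], e["msg_id"])
              for e in parse_events(responder_log) if e["direction"] == "received"}
    retransmits = count_retransmits(initiator_log)
    previous = None
    for event in sent:
        if (event["message"], event["msg_id"]) in parsed:
            previous = event
            continue
        return {"message": event["message"], "msg_id": event["msg_id"],
                "ports": event["ports"],
                "previous_ok": None if previous is None
                               else (previous["message"], previous["ports"]),
                "retransmits": retransmits.get(event["msg_id"], 0),
                "responder_timed_out": bool(HALF_OPEN_RE.search(responder_log))}
    return None


def explain(stall):
    """One-line reading of find_stall()'s result, with the check to run next."""
    if stall is None:
        return "every message the initiator sent was parsed by the responder"
    src, dst = stall["ports"]
    text = (f"{stall['message']} (message ID {stall['msg_id']}) sent from UDP {src} to "
            f"UDP {dst} was retransmitted {stall['retransmits']} times and never parsed "
            f"by the responder")
    if stall["responder_timed_out"]:
        text += ", which then deleted the half-open IKE_SA"
    # Editor's heuristic: same peers, only the port changed, so suspect the path.
    if stall["previous_ok"] and stall["previous_ok"][1] != stall["ports"]:
        text += (f"; the preceding {stall['previous_ok'][0]} on UDP "
                 f"{stall['previous_ok'][1][0]} did arrive, so check that UDP {dst} is "
                 f"passed in both directions by iptables on both hosts and by every "
                 f"device between them")
    return text


# Trimmed copies of the charon lines posted above (retransmits 2-4 left out;
# only the highest retransmit number is used).
VC2_LOG = """\
May 9 23:11:25 vc2 charon: 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 9 23:11:25 vc2 charon: 14[NET] sending packet: from 10.58.113.118[500] to 10.58.113.37[500]
May 9 23:11:26 vc2 charon: 15[NET] received packet: from 10.58.113.37[500] to 10.58.113.118[500]
May 9 23:11:26 vc2 charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May 9 23:11:26 vc2 charon: 15[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
May 9 23:11:26 vc2 charon: 15[NET] sending packet: from 10.58.113.118[4500] to 10.58.113.37[4500]
May 9 23:11:30 vc2 charon: 09[IKE] retransmit 1 of request with message ID 1
May 9 23:11:30 vc2 charon: 09[NET] sending packet: from 10.58.113.118[4500] to 10.58.113.37[4500]
May 9 23:12:55 vc2 charon: 13[IKE] retransmit 5 of request with message ID 1
May 9 23:12:55 vc2 charon: 13[NET] sending packet: from 10.58.113.118[4500] to 10.58.113.37[4500]
"""
VC1_LOG = """\
May 9 23:11:25 vc1 charon: 12[NET] received packet: from 10.58.113.118[500] to 10.58.113.37[500]
May 9 23:11:25 vc1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 9 23:11:26 vc1 charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May 9 23:11:26 vc1 charon: 12[NET] sending packet: from 10.58.113.37[500] to 10.58.113.118[500]
May 9 23:11:55 vc1 charon: 13[JOB] deleting half open IKE_SA after timeout
"""

if __name__ == "__main__":
    print(explain(find_stall(VC2_LOG, VC1_LOG)))
```

<div>Run it as is and it names the IKE_AUTH request (message ID 1) on UDP 4500 as the message that vc1 never parsed, after vc2 had already completed IKE_SA_INIT with it on UDP 500. Pointed at the two full logs (the initiator's log first, the responder's second), it works the same way for any exchange that stalls; when the stalled message uses the same ports as the one before it, the port hint is left out and the remaining causes (a responder that parsed the packet but did not log it at this debug level, or a drop on the return path) have to be checked by hand.</div>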