<div>Hi Andreas,</div>
<div> </div>
<div>Thank you so much for your quick response. You were so right. The default MTU size on the interfaces of my peers was changed from 1500 to some jumbo size (3000). This was causing the failure. It started to work again once I changed it back to 1500 :). I guess this is one of the problems of using hardware in shared mode....</div>
<div> </div>
<div>Thanks and regards,</div>
<div>Meera <br><br></div>
<div class="gmail_quote">On Mon, May 9, 2011 at 7:09 PM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Hello Meera,<br><br>Peer 2 initiates with an IKE_SA_INIT request on UDP port 500 and<br>gets back an IKE_SA_INIT reply from peer 1. Peer 2 then sends an<br>
IKE_AUTH request on UDP port 4500 (floating due to MOBIKE) but this<br>message never arrives at peer 1. There are two probable reasons:<br><br>* UDP port 4500 is not open on peer 1<br><br> Workaround:<br> - Set mobike=no in ipsec.conf to prevent floating to port 4500.<br>
<br>* Peer 2 sends its large certificate in the CERT payload of the<br> IKE_AUTH request which will cause the IKE packet to be segmented.<br> The IP segments are then discarded either by the firewall of<br> peer 1 or a router in between.<br>
<br> Workaround:<br> - Prevent the IP segments from being discarded<br> or<br> - set leftsendcert=no and use the IKEv2 Hash-and-URL mechanism<br> <a href="http://wiki.strongswan.org/projects/strongswan/wiki/HashAndUrl" target="_blank">http://wiki.strongswan.org/projects/strongswan/wiki/HashAndUrl</a><br>
to fetch the certificates from an HTTP server<br> or<br> - set leftsendcert=no and load the peer certificate locally<br> with rightcert=peerCert.pem<br><br>Best regards<br><br>Andreas
<div class="im"><br><br><br>On 05/09/2011 12:45 PM, Meera Sudhakar wrote:<br></div>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div class="im">Hi,<br>I have a very peculiar problem. My endpoints can ping each other, but<br>for some reason, the tunnel is not getting established. There are no<br>error messages in the log file. Please find the relevant details below.<br>
Can someone please help me solve this problem? My strongSwan version is<br>4.4.0.<br>PS: this used to work fine till someone played around with my config<br>files, trying to understand how to use strongSwan.<br>Thanks,<br>
Meera<br>*_Peer 1 can ping peer 2:_*<br></div>root@vc1:~# ping 10.58.113.118
<div class="im"><br>PING 10.58.113.118 (10.58.113.118) 56(84) bytes of data.<br></div>64 bytes from 10.58.113.118: icmp_req=1 ttl=63 time=10.6 ms<br>
64 bytes from 10.58.113.118: icmp_req=2 ttl=63 time=0.297 ms
<div class="im"><br>^C<br>--- 10.58.113.118 ping statistics ---<br>2 packets transmitted, 2 received, 0% packet loss, time 1002ms<br>rtt min/avg/max/mdev = 0.297/5.492/10.688/5.196 ms<br>*_Peer 2 can ping peer 1:_*<br>
</div>root@vc2:~# ping 10.58.113.37
<div class="im"><br>PING 10.58.113.37 (10.58.113.37) 56(84) bytes of data.<br></div>64 bytes from 10.58.113.37: icmp_req=1 ttl=63 time=0.356 ms<br>
64 bytes from 10.58.113.37: icmp_req=2 ttl=63 time=0.283 ms
<div class="im"><br>^C<br>--- 10.58.113.37 ping statistics ---<br>2 packets transmitted, 2 received, 0% packet loss, time 999ms<br>rtt min/avg/max/mdev = 0.283/0.319/0.356/0.040 ms<br>*_ipsec.conf on peer 1:_*<br>
</div>root@vc1:~# cat /etc/ipsec.conf
<div class="im"><br># ipsec.conf - strongSwan IPsec configuration file<br># basic configuration<br>config setup<br> # plutodebug=all<br> # crlcheckinterval=600<br> strictcrlpolicy=no<br> # cachecrls=yes<br>
# nat_traversal=yes<br> charonstart=yes<br> charondebug=all<br> plutostart=no<br># Add connections here.<br># Sample VPN connections<br>#conn sample-self-signed<br># left=%defaultroute<br>
</div># leftsubnet=10.1.0.0/16
<div class="im"><br># leftcert=selfCert.der<br># leftsendcert=never<br># right=192.168.0.2<br></div># rightsubnet=10.2.0.0/16
<div class="im"><br># rightcert=peerCert.der<br># auto=start<br>ca strongswan<br> cacert=caCert.der<br> auto=add<br>conn sample-with-ca-cert<br> left=10.58.113.37<br></div> leftsubnet=10.58.113.0/24
<div class="im"><br> leftcert=VC1Cert.der<br> right=10.58.113.118<br></div> rightsubnet=10.58.113.0/24
<div class="im"><br> rightid="C=CH, O=strongSwan, CN=10.58.113.118"<br> keyexchange=ikev2<br> auto=add<br>*_ipsec.conf on peer 2:_*<br></div>root@vc2:~# cat /etc/ipsec.conf
<div class="im"><br># ipsec.conf - strongSwan IPsec configuration file<br># basic configuration<br>config setup<br> # plutodebug=all<br> # crlcheckinterval=600<br> strictcrlpolicy=no<br> # cachecrls=yes<br>
# nat_traversal=yes<br> charonstart=yes<br> plutostart=no<br> charondebug=all<br># Add connections here.<br># Sample VPN connections<br>#conn sample-self-signed<br># left=%defaultroute<br>
</div># leftsubnet=10.1.0.0/16
<div class="im"><br># leftcert=selfCert.der<br># leftsendcert=never<br># right=192.168.0.2<br></div># rightsubnet=10.2.0.0/16
<div class="im"><br># rightcert=peerCert.der<br># auto=start<br>ca strongswan<br> cacert=caCert.der<br> auto=add<br>conn sample-with-ca-cert<br> left=10.58.113.118<br></div> leftsubnet=10.58.113.0/24
<div class="im"><br> leftcert=VC2Cert.der<br> right=10.58.113.37<br></div> rightsubnet=10.58.113.0/24
<div>
<div></div>
<div class="h5"><br> rightid="C=CH, O=strongSwan, CN=10.58.113.37"<br> keyexchange=ikev2<br> auto=start<br>*_Log file on peer 1:_*<br>May 9 23:11:23 vc1 charon: 00[DMN] Starting IKEv2 charon daemon<br>
(strongSwan 4.4.0)<br>May 9 23:11:23 vc1 charon: 00[KNL] listening on interfaces:<br>May 9 23:11:23 vc1 charon: 00[KNL] eth2<br>May 9 23:11:23 vc1 charon: 00[KNL] 10.58.113.37<br>May 9 23:11:23 vc1 charon: 00[KNL] fe80::21f:29ff:fe69:70ae<br>
May 9 23:11:23 vc1 charon: 00[KNL] ethvc1<br>May 9 23:11:23 vc1 charon: 00[KNL] 10.58.113.60<br>May 9 23:11:23 vc1 charon: 00[KNL] fe80::4824:96ff:fe30:e7ba<br>May 9 23:11:23 vc1 charon: 00[CFG] loading ca certificates from<br>
'/etc/ipsec.d/cacerts'<br>May 9 23:11:23 vc1 charon: 00[CFG] loaded ca certificate "C=CH,<br>O=strongSwan, CN=strongSwan CA" from '/etc/ipsec.d/cacerts/caCert.der'<br>May 9 23:11:23 vc1 charon: 00[CFG] loading aa certificates from<br>
'/etc/ipsec.d/aacerts'<br>May 9 23:11:23 vc1 charon: 00[CFG] loading ocsp signer certificates<br>from '/etc/ipsec.d/ocspcerts'<br>May 9 23:11:23 vc1 charon: 00[CFG] loading attribute certificates from<br>
'/etc/ipsec.d/acerts'<br>May 9 23:11:23 vc1 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'<br>May 9 23:11:23 vc1 charon: 00[CFG] loading secrets from<br>'/etc/ipsec.secrets'<br>May 9 23:11:23 vc1 charon: 00[CFG] loaded RSA private key from<br>
'/etc/ipsec.d/private/VC1Key.der'<br>May 9 23:11:23 vc1 charon: 00[CFG] expanding file expression<br>'/var/lib/strongswan/ipsec.secrets.inc' failed<br>May 9 23:11:23 vc1 charon: 00[DMN] loaded plugins: curl ldap aes des<br>
sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl fips-prf<br>xcbc hmac agent gmp attr kernel-netlink socket-default farp stroke<br>updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp resolve<br>May 9 23:11:23 vc1 charon: 00[JOB] spawning 16 worker threads<br>
May 9 23:11:23 vc1 charon: 09[CFG] received stroke: add ca 'strongswan'<br>May 9 23:11:23 vc1 charon: 09[CFG] added ca 'strongswan'<br>May 9 23:11:23 vc1 charon: 10[CFG] received stroke: add connection<br>
'sample-with-ca-cert'<br>May 9 23:11:23 vc1 charon: 10[CFG] loaded certificate "C=CH,<br>O=strongSwan, CN=10.58.113.37" from 'VC1Cert.der'<br>May 9 23:11:23 vc1 charon: 10[CFG] id '10.58.113.37' not confirmed by<br>
certificate, defaulting to 'C=CH, O=strongSwan, CN=10.58.113.37'<br>May 9 23:11:23 vc1 charon: 10[CFG] added configuration<br>'sample-with-ca-cert'<br>May 9 23:11:25 vc1 charon: 12[NET] received packet: from<br>
10.58.113.118[500] to 10.58.113.37[500]<br>May 9 23:11:25 vc1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE<br>No N(NATD_S_IP) N(NATD_D_IP) ]<br>May 9 23:11:25 vc1 charon: 12[IKE] 10.58.113.118 is initiating an IKE_SA<br>
May 9 23:11:26 vc1 charon: 12[IKE] sending cert request for "C=CH,<br>O=strongSwan, CN=strongSwan CA"<br>May 9 23:11:26 vc1 charon: 12[ENC] generating IKE_SA_INIT response 0 [<br>SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]<br>
May 9 23:11:26 vc1 charon: 12[NET] sending packet: from<br>10.58.113.37[500] to 10.58.113.118[500]<br>May 9 23:11:55 vc1 charon: 13[JOB] deleting half open IKE_SA after timeout<br>*_Log file on peer 2:_*<br>May 9 23:11:25 vc2 charon: 00[DMN] Starting IKEv2 charon daemon<br>
(strongSwan 4.4.0)<br>May 9 23:11:25 vc2 charon: 00[KNL] listening on interfaces:<br>May 9 23:11:25 vc2 charon: 00[KNL] eth3<br>May 9 23:11:25 vc2 charon: 00[KNL] 10.58.113.118<br>May 9 23:11:25 vc2 charon: 00[KNL] fe80::21f:29ff:fe69:28<br>
May 9 23:11:25 vc2 charon: 00[KNL] ethvc2<br>May 9 23:11:25 vc2 charon: 00[KNL] 10.58.113.101<br>May 9 23:11:25 vc2 charon: 00[KNL] fe80::fcd1:15ff:feba:76c8<br>May 9 23:11:25 vc2 charon: 00[CFG] loading ca certificates from<br>
'/etc/ipsec.d/cacerts'<br>May 9 23:11:25 vc2 charon: 00[CFG] loaded ca certificate "C=CH,<br>O=strongSwan, CN=strongSwan CA" from '/etc/ipsec.d/cacerts/caCert.der'<br>May 9 23:11:25 vc2 charon: 00[CFG] loading aa certificates from<br>
'/etc/ipsec.d/aacerts'<br>May 9 23:11:25 vc2 charon: 00[CFG] loading ocsp signer certificates<br>from '/etc/ipsec.d/ocspcerts'<br>May 9 23:11:25 vc2 charon: 00[CFG] loading attribute certificates from<br>
'/etc/ipsec.d/acerts'<br>May 9 23:11:25 vc2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'<br>May 9 23:11:25 vc2 charon: 00[CFG] loading secrets from<br>'/etc/ipsec.secrets'<br>May 9 23:11:25 vc2 charon: 00[CFG] loaded RSA private key from<br>
'/etc/ipsec.d/private/VC2Key.der'<br>May 9 23:11:25 vc2 charon: 00[CFG] expanding file expression<br>'/var/lib/strongswan/ipsec.secrets.inc' failed<br>May 9 23:11:25 vc2 charon: 00[DMN] loaded plugins: curl ldap aes des<br>
sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl fips-prf<br>xcbc hmac agent gmp attr kernel-netlink socket-default farp stroke<br>updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp resolve<br>May 9 23:11:25 vc2 charon: 00[JOB] spawning 16 worker threads<br>
May 9 23:11:25 vc2 charon: 05[CFG] received stroke: add ca 'strongswan'<br>May 9 23:11:25 vc2 charon: 05[CFG] added ca 'strongswan'<br>May 9 23:11:25 vc2 charon: 11[CFG] received stroke: add connection<br>
'sample-with-ca-cert'<br>May 9 23:11:25 vc2 charon: 11[CFG] loaded certificate "C=CH,<br>O=strongSwan, CN=10.58.113.118" from 'VC2Cert.der'<br>May 9 23:11:25 vc2 charon: 11[CFG] id '10.58.113.118' not confirmed<br>
by certificate, defaulting to 'C=CH, O=strongSwan, CN=10.58.113.118'<br>May 9 23:11:25 vc2 charon: 11[CFG] added configuration<br>'sample-with-ca-cert'<br>May 9 23:11:25 vc2 charon: 14[CFG] received stroke: initiate<br>
'sample-with-ca-cert'<br>May 9 23:11:25 vc2 charon: 14[IKE] initiating IKE_SA<br>sample-with-ca-cert[1] to 10.58.113.37<br>May 9 23:11:25 vc2 charon: 14[ENC] generating IKE_SA_INIT request 0 [<br>SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
May 9 23:11:25 vc2 charon: 14[NET] sending packet: from<br>10.58.113.118[500] to 10.58.113.37[500]<br>May 9 23:11:26 vc2 charon: 15[NET] received packet: from<br>10.58.113.37[500] to 10.58.113.118[500]<br>May 9 23:11:26 vc2 charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA<br>
KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]<br>May 9 23:11:26 vc2 charon: 15[IKE] received cert request for "C=CH,<br>O=strongSwan, CN=strongSwan CA"<br>May 9 23:11:26 vc2 charon: 15[IKE] sending cert request for "C=CH,<br>
O=strongSwan, CN=strongSwan CA"<br>May 9 23:11:26 vc2 charon: 15[IKE] authentication of 'C=CH,<br>O=strongSwan, CN=10.58.113.118' (myself) with RSA signature successful<br>May 9 23:11:26 vc2 charon: 15[IKE] sending end entity cert "C=CH,<br>
O=strongSwan, CN=10.58.113.118"<br>May 9 23:11:26 vc2 charon: 15[IKE] establishing CHILD_SA<br>sample-with-ca-cert<br>May 9 23:11:26 vc2 charon: 15[ENC] generating IKE_AUTH request 1 [ IDi<br>CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR)<br>
N(MULT_AUTH) N(EAP_ONLY) ]<br>May 9 23:11:26 vc2 charon: 15[NET] sending packet: from<br>10.58.113.118[4500] to 10.58.113.37[4500]<br>May 9 23:11:30 vc2 charon: 09[IKE] retransmit 1 of request with message<br>ID 1<br>May 9 23:11:30 vc2 charon: 09[NET] sending packet: from<br>
10.58.113.118[4500] to 10.58.113.37[4500]<br>May 9 23:11:37 vc2 charon: 05[IKE] retransmit 2 of request with message<br>ID 1<br>May 9 23:11:37 vc2 charon: 05[NET] sending packet: from<br>10.58.113.118[4500] to 10.58.113.37[4500]<br>
May 9 23:11:50 vc2 charon: 12[IKE] retransmit 3 of request with message<br>ID 1<br>May 9 23:11:50 vc2 charon: 12[NET] sending packet: from<br>10.58.113.118[4500] to 10.58.113.37[4500]<br>May 9 23:12:13 vc2 charon: 11[IKE] retransmit 4 of request with message<br>
ID 1<br>May 9 23:12:13 vc2 charon: 11[NET] sending packet: from<br>10.58.113.118[4500] to 10.58.113.37[4500]<br>May 9 23:12:55 vc2 charon: 13[IKE] retransmit 5 of request with message<br>ID 1<br>May 9 23:12:55 vc2 charon: 13[NET] sending packet: from<br>
10.58.113.118[4500] to 10.58.113.37[4500]<br>May 9 23:14:11 vc2 charon: 16[KNL] creating delete job for ESP CHILD_SA<br>with SPI c5a05f90 and reqid {1}<br></div></div></blockquote><br>======================================================================<br>
<font color="#888888">Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a><br>strongSwan - the Linux VPN Solution! <a href="http://www.strongswan.org/" target="_blank">www.strongswan.org</a><br>
Institute for Internet Technologies and Applications<br>University of Applied Sciences Rapperswil<br>CH-8640 Rapperswil (Switzerland)<br>===========================================================[ITA-HSR]==<br></font></blockquote>
</div><br>
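<div>The diagnosis worked out in the thread above can be automated. The Python script below is an added example; it is not part of the original mailing-list thread and not strongSwan code. It scans two constructed charon log excerpts (abridged from the pattern Meera posted) for the sequence Andreas describes: IKE_SA_INIT completes on UDP 500, the initiator floats to UDP 4500 for IKE_AUTH, the IKE_AUTH carries a CERT payload and is retransmitted, and the responder only ever logs a half-open IKE_SA timing out. It also computes how many IPv4 fragments an IKE datagram of a given size produces at a given MTU, which is the arithmetic behind the 1500-versus-3000 mismatch; the 1900-byte IKE_AUTH size is a hypothetical value, since the 4.4.0 logs shown carry no packet sizes, and the header sizes (20-byte IPv4, 8-byte UDP, 4-byte non-ESP marker on port 4500) are stated as assumptions in the code.</div>

```python
"""Detect the "IKE_AUTH never reaches the responder" pattern in charon logs.

Added example, not code from the thread or from strongSwan. Both log
excerpts are constructed, abridged from the pattern posted in the thread.
"""
import math
import re
from dataclasses import dataclass, field

# Constructed sample: responder (peer 1) side.
RESPONDER_LOG = """\
May 9 23:11:25 vc1 charon: 12[NET] received packet: from 10.58.113.118[500] to 10.58.113.37[500]
May 9 23:11:25 vc1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 9 23:11:26 vc1 charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May 9 23:11:26 vc1 charon: 12[NET] sending packet: from 10.58.113.37[500] to 10.58.113.118[500]
May 9 23:11:55 vc1 charon: 13[JOB] deleting half open IKE_SA after timeout
"""

# Constructed sample: initiator (peer 2) side.
INITIATOR_LOG = """\
May 9 23:11:25 vc2 charon: 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 9 23:11:25 vc2 charon: 14[NET] sending packet: from 10.58.113.118[500] to 10.58.113.37[500]
May 9 23:11:26 vc2 charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May 9 23:11:26 vc2 charon: 15[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
May 9 23:11:26 vc2 charon: 15[NET] sending packet: from 10.58.113.118[4500] to 10.58.113.37[4500]
May 9 23:11:30 vc2 charon: 09[IKE] retransmit 1 of request with message ID 1
May 9 23:11:37 vc2 charon: 05[IKE] retransmit 2 of request with message ID 1
"""

SEND_RE = re.compile(r"\[NET\] sending packet: from \S+\[(\d+)\] to \S+\[(\d+)\]")
GEN_RE = re.compile(r"\[ENC\] generating (\w+) request (\d+) \[ (.*?) \]")
RETRANS_RE = re.compile(r"\[IKE\] retransmit (\d+) of request with message ID (\d+)")


@dataclass
class Diagnosis:
    ike_sa_init_completed: bool = False   # initiator parsed an IKE_SA_INIT response
    floated_to_4500: bool = False         # initiator sent from both UDP 500 and UDP 4500
    ike_auth_has_cert: bool = False       # IKE_AUTH request listed a CERT payload
    ike_auth_retransmits: int = 0         # highest retransmit count seen for message ID 1
    responder_saw_ike_auth: bool = False  # responder parsed an IKE_AUTH request
    responder_timed_out: bool = False     # responder deleted a half-open IKE_SA
    findings: list = field(default_factory=list)


def diagnose(initiator_log: str, responder_log: str) -> Diagnosis:
    d = Diagnosis()
    source_ports = set()
    for line in initiator_log.splitlines():
        if "parsed IKE_SA_INIT response" in line:
            d.ike_sa_init_completed = True
        if m := GEN_RE.search(line):
            exchange, _msg_id, payloads = m.groups()
            if exchange == "IKE_AUTH":
                # split() so that CERTREQ is not mistaken for CERT
                d.ike_auth_has_cert = "CERT" in payloads.split()
        if m := SEND_RE.search(line):
            source_ports.add(int(m.group(1)))
        if m := RETRANS_RE.search(line):
            count, msg_id = int(m.group(1)), int(m.group(2))
            if msg_id == 1:  # message ID 1 is the IKE_AUTH request
                d.ike_auth_retransmits = max(d.ike_auth_retransmits, count)
    d.floated_to_4500 = {500, 4500} <= source_ports

    for line in responder_log.splitlines():
        if "parsed IKE_AUTH request" in line:
            d.responder_saw_ike_auth = True
        if "deleting half open IKE_SA after timeout" in line:
            d.responder_timed_out = True

    # IKE_AUTH leaves the initiator repeatedly but the responder never parses it:
    # the loss is between the peers, and only after the exchange moved to 4500.
    if d.ike_sa_init_completed and d.ike_auth_retransmits and not d.responder_saw_ike_auth:
        d.findings.append("IKE_AUTH request is retransmitted but never parsed by the responder")
        if d.floated_to_4500:
            d.findings.append("exchange floated from UDP 500 to UDP 4500 (MOBIKE): "
                              "confirm UDP 4500 is reachable, or set mobike=no")
        if d.ike_auth_has_cert:
            d.findings.append("IKE_AUTH carries a CERT payload: a large certificate exceeds "
                              "the path MTU and the IP fragments may be dropped; check the MTU "
                              "on both peers and the path, or avoid sending the certificate "
                              "(leftsendcert=no with Hash-and-URL or a locally loaded rightcert)")
    return d


def ipv4_fragments(ike_len: int, mtu: int, nat_t: bool = True) -> int:
    """Number of IPv4 fragments for one IKE datagram of ike_len bytes at the given MTU.

    Assumptions: 20-byte IPv4 header, 8-byte UDP header, and the 4-byte non-ESP
    marker that precedes IKE on UDP 4500 (RFC 3948). Every non-final fragment
    carries a multiple of 8 payload bytes.
    """
    ip_payload = ike_len + 8 + (4 if nat_t else 0)
    per_fragment = (mtu - 20) // 8 * 8
    return math.ceil(ip_payload / per_fragment)


if __name__ == "__main__":
    for finding in diagnose(INITIATOR_LOG, RESPONDER_LOG).findings:
        print("-", finding)
    # Hypothetical 1900-byte IKE_AUTH: a single datagram at MTU 3000, two fragments at MTU 1500.
    print("fragments @3000:", ipv4_fragments(1900, 3000), "@1500:", ipv4_fragments(1900, 1500))
```

<div>Run against the constructed logs it reports all three findings; feed it a responder log that contains a "parsed IKE_AUTH request" line and it reports none, which is the check to rerun after changing the MTU, opening UDP 4500 or switching to Hash-and-URL. The fragment count shows why a sender MTU of 3000 hurts: the initiator emits the 1900-byte IKE_AUTH as one datagram, and the first 1500-MTU hop has to fragment or drop it.</div>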