Hi,

I'm new to strongSwan, using ipsec-tools previously.
ipsec-tools works basically fine, but now I need IKE+AES-GCM.

As a start, I use exactly the same topology and configurations as in the following link:
http://www.strongswan.org/uml/testresults/ikev1/net2net-psk/index.html
But the ping from "sun" with "ping -I 10.2.0.1 10.1.0.1" is not encrypted.

From the result of "ip xfrm policy", it seems that somehow the policy is not written to the kernel.

Please let me know if I have missed anything.

Best Regards,
Mac Lin
---
linux-2.6.31.1, strongswan-4.6.1 (I've tried back to 4.2...)
no firewall used.
---
Using default config (./config)...
GWA setting
LANIP=10.1.0.1, WANIP=192.168.0.1
default gateway=192.168.0.2
# sh 3-ipsec-psk.sh a
Using default config (./config)...
GWA setting
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 4.6.1 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for
!! pluto and/or charon. This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
[ 18.600000] NET: Registered protocol family 15
| Default route found: iface=eth1, addr=192.168.0.1, nexthop=192.168.0.2
| Loading config setup
| plutodebug=control
| charonstart=no
| Loading conn %default
| ikelifetime=60m
| keylife=20m
| rekeymargin=3m
| keyingtries=1
| keyexchange=ikev1
| authby=secret
| Loading conn 'net-net'
| left=192.168.0.1
| leftsubnet=10.1.0.0/16
| leftfirewall=yes
| right=192.168.0.2
| rightsubnet=10.2.0.0/16
| auto=add
[ 18.740000] Initializing XFRM netlink socket
| Found netkey IPsec stack
[ 18.810000] alg: No test for cipher_null (cipher_null-generic)
[ 18.820000] alg: No test for ecb(cipher_null) (ecb-cipher_null)
[ 18.830000] alg: No test for digest_null (digest_null-generic)
[ 18.840000] alg: No test for compress_null (compress_null-generic)

# tcpdump -i eth1 -s0 -n -t
[ 59.340000] device eth1 entered promiscuous mode
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes

IP 10.2.0.1 > 10.1.0.1: ICMP echo request, id 29443, seq 0, length 64
IP 10.1.0.1 > 10.2.0.1: ICMP echo reply, id 29443, seq 0, length 64

[ 140.240000] device eth1 left promiscuous mode
12 packets captured
12 packets received by filter
0 packets dropped by kernel

# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.6.1):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.1.0.1:500
000 interface eth1/eth1 192.168.0.1:500
000 %myid = '%any'
000 loaded plugins: sha1 sha2 md5 aes des hmac gmp random kernel-netlink
000 debug options: control
000
000 "net-net": 10.1.0.0/16===192.168.0.1[192.168.0.1]...192.168.0.2[192.168.0.2]===10.2.0.0/16; unrouted; eroute owner: #0
000 "net-net": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
000 "net-net": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 16,16; interface: eth1;
000 "net-net": newest ISAKMP SA: #0; newest IPsec SA: #0;
000

# ip xfrm policy
src ::/0 dst ::/0
	dir 4 priority 0
src ::/0 dst ::/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir 3 priority 0
# ip xfrm state
# iptables -nvL
Chain INPUT (policy ACCEPT 4 packets, 336 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 336 bytes)
 pkts bytes target     prot opt in     out     source               destination
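The two kernel dumps in the message are the useful evidence here: `ip xfrm policy` lists only `dir 3`/`dir 4` entries, which are per-socket bypass policies (such as those the IKE daemon sets on its own UDP/500 sockets) rather than tunnel policies, and `ip xfrm state` is empty, which matches the `unrouted` / `newest IPsec SA: #0` lines of `ipsec statusall`. The POSIX shell script below is an added example, not part of the original post or of strongSwan: it reads saved `ip xfrm policy` and `ip xfrm state` output and classifies a net-to-net tunnel as not negotiated, policy-without-SA, SA-without-policy, or installed. The subnet and gateway addresses are taken from the post's topology; the "tunnel up" dump, its SPIs and its AES-GCM key are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: classify the state of a
# net-to-net tunnel from `ip xfrm policy` and `ip xfrm state` output.
# The functions take text so the script runs offline on saved dumps;
# on a gateway, pass "$(ip xfrm policy)" and "$(ip xfrm state)" instead.

# Number of tunnel policies (dir in/out/fwd) whose selector is the given
# pair of subnets, in either direction. Numeric dirs (3, 4) are per-socket
# policies and are deliberately not counted.
xfrm_tunnel_policies() {
    # $1 = `ip xfrm policy` text, $2 = local subnet, $3 = remote subnet
    printf '%s\n' "$1" | awk -v l="$2" -v r="$3" '
        $1 == "src" { src = $2; dst = $4; next }
        $1 == "dir" && ($2 == "in" || $2 == "out" || $2 == "fwd") {
            if ((src == l && dst == r) || (src == r && dst == l)) n++
        }
        END { print n + 0 }'
}

# Number of SAs between the two gateway addresses, in either direction.
xfrm_tunnel_states() {
    # $1 = `ip xfrm state` text, $2 = local gateway, $3 = remote gateway
    printf '%s\n' "$1" | awk -v l="$2" -v r="$3" '
        $1 == "src" && (($2 == l && $4 == r) || ($2 == r && $4 == l)) { n++ }
        END { print n + 0 }'
}

# One-word verdict combining both counts.
tunnel_verdict() {
    # $1 policy text, $2 state text, $3 local subnet, $4 remote subnet,
    # $5 local gateway, $6 remote gateway
    p=$(xfrm_tunnel_policies "$1" "$3" "$4")
    s=$(xfrm_tunnel_states "$2" "$5" "$6")
    if [ "$p" -eq 0 ] && [ "$s" -eq 0 ]; then
        echo "not-negotiated"      # empty SPD and SAD: no IKE exchange completed
    elif [ "$s" -eq 0 ]; then
        echo "policy-without-sa"   # selectors installed but no SA to carry traffic
    elif [ "$p" -eq 0 ]; then
        echo "sa-without-policy"   # SAs exist but nothing steers traffic into them
    else
        echo "installed"
    fi
}

# Constructed sample 1: the shape of the dump in the post (socket policies
# only, SAD empty).
POLICY_EMPTY='src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0'
STATE_EMPTY=''

# Constructed sample 2: what the same gateway would show once the tunnel is
# up (SPIs and key are placeholders, not real values).
POLICY_UP='src 10.1.0.0/16 dst 10.2.0.0/16
    dir out priority 2883
    tmpl src 192.168.0.1 dst 192.168.0.2
        proto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
    dir fwd priority 2883
    tmpl src 192.168.0.2 dst 192.168.0.1
        proto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
    dir in priority 2883
    tmpl src 192.168.0.2 dst 192.168.0.1
        proto esp reqid 1 mode tunnel'
STATE_UP='src 192.168.0.1 dst 192.168.0.2
    proto esp spi 0x00000001 reqid 1 mode tunnel
    replay-window 32
    aead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000 128
src 192.168.0.2 dst 192.168.0.1
    proto esp spi 0x00000002 reqid 1 mode tunnel
    replay-window 32
    aead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000 128'

echo "posted dump: $(tunnel_verdict "$POLICY_EMPTY" "$STATE_EMPTY" 10.1.0.0/16 10.2.0.0/16 192.168.0.1 192.168.0.2)"
echo "tunnel up:   $(tunnel_verdict "$POLICY_UP" "$STATE_UP" 10.1.0.0/16 10.2.0.0/16 192.168.0.1 192.168.0.2)"
```

Run against the posted dump the verdict is `not-negotiated`, which is the case where a cleartext ping is expected: with no selector in the SPD there is nothing for the kernel to match the ICMP packets against, so they leave eth1 as plain IP, exactly as the tcpdump shows. The other two verdicts are the ones worth distinguishing on a live gateway, because a policy without an SA and an SA without a policy are both silent failures that look identical from the ping alone.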