<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Actually i sent this email too soon I
changed "auto=start" and it starts, but i've got to double check
the keys.<br>
<br>
06[CFG] received stroke: initiate 'home'<br>
06[IKE] initiating IKE_SA home[1] to 192.168.255.2<br>
06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]<br>
06[NET] sending packet: from 192.168.255.1[500] to
192.168.255.2[500] (692 bytes)<br>
08[NET] received packet: from 192.168.255.2[500] to
192.168.255.1[500] (465 bytes)<br>
08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]<br>
08[IKE] received 1 cert requests for an unknown ca<br>
08[IKE] authentication of '<a class="moz-txt-link-abbreviated" href="mailto:ek1@vpex.org">ek1@vpex.org</a>' (myself) with RSA
signature successful<br>
08[IKE] sending end entity cert "C=CH, O=strongSwan,
<a class="moz-txt-link-abbreviated" href="mailto:CN=ek1@vpex.org">CN=ek1@vpex.org</a>"<br>
08[IKE] establishing CHILD_SA home<br>
08[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT)
IDr AUTH CPRQ(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR)
N(MULT_AUTH) N(EAP_ONLY) ]<br>
08[NET] sending packet: from 192.168.255.1[4500] to
192.168.255.2[4500] (1484 bytes)<br>
09[NET] received packet: from 192.168.255.2[4500] to
192.168.255.1[4500] (76 bytes)<br>
09[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br>
09[IKE] received AUTHENTICATION_FAILED notify error<br>
<br>
<br>
<br>
On 12/07/2013 12:21 AM, Karl Hiramoto wrote:<br>
</div>
<blockquote cite="mid:52A25BEE.3040303@hiramoto.org" type="cite">
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
Hi,<br>
<br>
I'm trying to setup something like:<a moz-do-not-send="true"
href="http://www.strongswan.org/uml/testresults/ikev2/ip-pool/">
http://www.strongswan.org/uml/testresults/ikev2/ip-pool/</a><br>
<br>
I'm not sure why it's not starting up. I see some IPv6 errors
which i assume are safe to ignore as i'm not using ipv6 and don't
have it compiled into the kernel. <br>
<br>
Any ideas what's wrong? With a tcpdump there is no traffic when
i try to startup. <br>
<br>
On the roadwarrior "carol"<br>
<br>
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
# ipsec start --nofork --debug-all<br>
<br>
Starting strongSwan 5.1.1 IPsec [starter]...<br>
!! Your strongswan.conf contains manual plugin load options for
charon.<br>
!! This is recommended for experts only, see<br>
!! <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad">http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad</a><br>
Loading config setup<br>
Loading conn %default<br>
ikelifetime=60m<br>
keylife=20m<br>
rekeymargin=3m<br>
keyingtries=1<br>
keyexchange=ikev2<br>
Loading conn 'home'<br>
left=192.168.255.1<br>
leftsourceip=%config<br>
leftcert=EK1Cert.der<br>
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:leftid=ek1@vpex.org">leftid=ek1@vpex.org</a><br>
leftfirewall=yes<br>
right=192.168.255.2<br>
rightsubnet=192.168.12.0/24<br>
rightid=192.168.255.1<br>
auto=add<br>
found netkey IPsec stack<br>
Attempting to start charon...<br>
00[DMN] Starting IKE charon daemon (strongSwan 5.1.1, Linux 3.6.9,
armv7l)<br>
00[NET] could not open socket: Address family not supported by
protocol<br>
00[NET] could not open IPv6 socket, IPv6 disabled<br>
00[KNL] received netlink error: Address family not supported by
protocol (97)<br>
00[KNL] unable to create IPv6 routing table rule<br>
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'<br>
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'<br>
00[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'<br>
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'<br>
00[CFG] loading crls from '/etc/ipsec.d/crls'<br>
00[CFG] loading secrets from '/etc/ipsec.secrets'<br>
00[CFG] loaded RSA private key from
'/etc/ipsec.d/private/EK1Key.der'<br>
00[LIB] loaded plugins: charon curl aes des sha1 sha2 md5 pem
pkcs1 gmp random nonce x509 revocation hmac xcbc stroke
kernel-netlink socket-default updown<br>
00[LIB] unable to load 11 plugin features (11 due to unmet
dependencies)<br>
00[JOB] spawning 16 worker threads<br>
charon (1092) started after 120 ms<br>
11[CFG] received stroke: add connection 'home'<br>
11[CFG] loaded certificate "C=CH, O=strongSwan, <a
moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:CN=ek1@vpex.org">CN=ek1@vpex.org</a>" from
'EK1Cert.der'<br>
11[CFG] added configuration 'home'<br>
<br>
<br>
<br>
<br>
# ipsec statusall<br>
Status of IKE charon daemon (strongSwan 5.1.1, Linux 3.6.9,
armv7l):<br>
uptime: 90 seconds, since Jan 01 04:31:08 2007<br>
malloc: sbrk 532480, mmap 0, used 166552, free 365928<br>
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue:
0/0/0/0, scheduled: 0<br>
loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12
pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac
attr kernel-netlink resolve socket-default stroke updown
xauth-generic<br>
Listening IP addresses:<br>
10.64.1.8<br>
192.168.255.1<br>
Connections:<br>
home: 192.168.255.1...192.168.255.2 IKEv2<br>
home: local: [<a moz-do-not-send="true"
class="moz-txt-link-abbreviated" href="mailto:ek1@vpex.org">ek1@vpex.org</a>]
uses public key authentication<br>
home: cert: "C=CH, O=strongSwan, <a
moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:CN=ek1@vpex.org">CN=ek1@vpex.org</a>"<br>
home: remote: [192.168.255.1] uses public key
authentication<br>
home: child: dynamic === 192.168.12.0/24 TUNNEL<br>
Security Associations (0 up, 0 connecting):<br>
<br>
<br>
<br>
ip -s xfrm policy<br>
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0<br>
socket in action allow index 283 priority 0 ptype main
share any flag (0x00000000)<br>
lifetime config:<br>
limit: soft 0(bytes), hard 0(bytes)<br>
limit: soft 0(packets), hard 0(packets)<br>
expire add: soft 0(sec), hard 0(sec)<br>
expire use: soft 0(sec), hard 0(sec)<br>
lifetime current:<br>
0(bytes), 0(packets)<br>
add 2007-01-01 04:31:07 use -<br>
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0<br>
socket out action allow index 276 priority 0 ptype main
share any flag (0x00000000)<br>
lifetime config:<br>
limit: soft 0(bytes), hard 0(bytes)<br>
limit: soft 0(packets), hard 0(packets)<br>
expire add: soft 0(sec), hard 0(sec)<br>
expire use: soft 0(sec), hard 0(sec)<br>
lifetime current:<br>
0(bytes), 0(packets)<br>
add 2007-01-01 04:31:07 use -<br>
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0<br>
socket in action allow index 267 priority 0 ptype main
share any flag (0x00000000)<br>
lifetime config:<br>
limit: soft 0(bytes), hard 0(bytes)<br>
limit: soft 0(packets), hard 0(packets)<br>
expire add: soft 0(sec), hard 0(sec)<br>
expire use: soft 0(sec), hard 0(sec)<br>
lifetime current:<br>
0(bytes), 0(packets)<br>
add 2007-01-01 04:31:07 use -<br>
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0<br>
socket out action allow index 260 priority 0 ptype main
share any flag (0x00000000)<br>
lifetime config:<br>
limit: soft 0(bytes), hard 0(bytes)<br>
limit: soft 0(packets), hard 0(packets)<br>
expire add: soft 0(sec), hard 0(sec)<br>
expire use: soft 0(sec), hard 0(sec)<br>
lifetime current:<br>
0(bytes), 0(packets)<br>
add 2007-01-01 04:31:07 use -<br>
<br>
<br>
<br>
<br>
#cat /etc/strongswan.conf <br>
<br>
charon {<br>
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce
x509 revocation hmac xcbc stroke kernel-netlink socket-default
updown<br>
}<br>
<br>
When compiling the configure opts are:<br>
<br>
./configure --build=x86_64-linux --host=arm-poky-linux-gnueabi
--target=arm-poky-linux-gnueabi --prefix=/usr --exec_prefix=/usr
--bindir=/usr/bin --sbindir=/usr/sbin
--libexecdir=/usr/lib/strongswan --datadir=/usr/share
--sysconfdir=/etc --sharedstatedir=/com --localstatedir=/var
--libdir=/usr/lib --includedir=/usr/include
--oldincludedir=/usr/include --infodir=/usr/share/info
--mandir=/usr/share/man --disable-silent-rules
--disable-dependency-tracking
--with-libtool-sysroot=/home/karl/Work/yocto/poky-dylan-9.0.2/build/tmp/sysroots/exokey
--enable-curl --disable-soup --disable-ldap --enable-gmp
--disable-mysql --disable-sqlite --enable-openssl --enable-gcrypt
--enable-nonce<br>
<br>
<br>
<br>
Thanks,<br>
<br>
Karl<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a></pre>
</blockquote>
<br>
</body>
</html>