<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Hello!<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I am trying to use Strongswan to connect an embedded system board to a Cisco CGR 1000 router.<o:p></o:p></p>
<p class="MsoNormal">The connection partially succeeds, but when strongswan tries to establish a CHILD_SA strongswan hangs.<o:p></o:p></p>
<p class="MsoNormal">If I use the same configuration and addressing scheme with strongSwan 5.3.5 on an Ubuntu 16.04 LTS x64 system,<o:p></o:p></p>
<p class="MsoNormal">the connection is successful.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I am using Strongswan 5.5.0 compiled for a Timesys embedded system running an ARM CPU.<o:p></o:p></p>
<p class="MsoNormal">The linux kernel version is 3.14.26-ts-armv7l. I suspect that there is some resource that is missing or not set up<o:p></o:p></p>
<p class="MsoNormal">properly on the embedded system and would appreciate some pointers on where to look.
<o:p></o:p></p>
<p class="MsoNormal">The logs are not being particularly helpful in this regard.<o:p></o:p></p>
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal">The configuration looks like this. I am using unique-local IPv6 addresses as the basis for the VPN.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">conn rivaios6<o:p></o:p></p>
<p class="MsoNormal"> left=FDFF:444:11:1:ff:1:1:10<o:p></o:p></p>
<p class="MsoNormal"> leftsubnet=2620:444:11:100::/64<o:p></o:p></p>
<p class="MsoNormal"> leftid=FDFF:444:11:1:ff:1:1:10<o:p></o:p></p>
<p class="MsoNormal"> leftfirewall=yes<o:p></o:p></p>
<p class="MsoNormal"> right=FDFF:444:11:1:ff:1:1:f<o:p></o:p></p>
<p class="MsoNormal"> rightsubnet=2620:222:10:100::/64<o:p></o:p></p>
<p class="MsoNormal"> rightid=FDFF:444:11:1:ff:1:1:f<o:p></o:p></p>
<p class="MsoNormal"> auto=add<o:p></o:p></p>
<p class="MsoNormal"> ike=aes128-sha1-modp1536<o:p></o:p></p>
<p class="MsoNormal"> esp=aes128-sha1<o:p></o:p></p>
<p class="MsoNormal"> keyexchange=ikev2<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I am using PSKs for now.<o:p></o:p></p>
<p class="MsoNormal">FDFF:444:11:1:ff:1:1:10 : PSK "cisco"<o:p></o:p></p>
<p class="MsoNormal">FDFF:444:11:1:ff:1:1:f : PSK "cisco"<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">With this configuration and addressing scheme strongswan works fine on the Ubuntu system and I get this:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">$ sudo ipsec up rivaios6<o:p></o:p></p>
<p class="MsoNormal">initiating IKE_SA rivaios6[1] to fdff:444:11:1:ff:1:1:f<o:p></o:p></p>
<p class="MsoNormal">generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]<o:p></o:p></p>
<p class="MsoNormal">sending packet: from fdff:444:11:1:ff:1:1:10[500] to fdff:444:11:1:ff:1:1:f[500] (1020 bytes)<o:p></o:p></p>
<p class="MsoNormal">received packet: from fdff:444:11:1:ff:1:1:f[500] to fdff:444:11:1:ff:1:1:10[500] (412 bytes)<o:p></o:p></p>
<p class="MsoNormal">parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) ]<o:p></o:p></p>
<p class="MsoNormal">received Cisco Delete Reason vendor ID<o:p></o:p></p>
<p class="MsoNormal">received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44<o:p></o:p></p>
<p class="MsoNormal">authentication of 'fdff:444:11:1:ff:1:1:10' (myself) with pre-shared key<o:p></o:p></p>
<p class="MsoNormal">establishing CHILD_SA rivaios6<o:p></o:p></p>
<p class="MsoNormal">generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) ]<o:p></o:p></p>
<p class="MsoNormal">sending packet: from fdff:444:11:1:ff:1:1:10[4500] to fdff:444:11:1:ff:1:1:f[4500] (460 bytes)<o:p></o:p></p>
<p class="MsoNormal">received packet: from fdff:444:11:1:ff:1:1:f[4500] to fdff:444:11:1:ff:1:1:10[4500] (316 bytes)<o:p></o:p></p>
<p class="MsoNormal">parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]<o:p></o:p></p>
<p class="MsoNormal">authentication of 'fdff:444:11:1:ff:1:1:f' with pre-shared key successful<o:p></o:p></p>
<p class="MsoNormal">IKE_SA rivaios6[1] established between fdff:444:11:1:ff:1:1:10[fdff:444:11:1:ff:1:1:10]...fdff:444:11:1:ff:1:1:f[fdff:444:11:1:ff:1:1:f]<o:p></o:p></p>
<p class="MsoNormal">scheduling reauthentication in 86125s<o:p></o:p></p>
<p class="MsoNormal">maximum IKE_SA lifetime 86305s<o:p></o:p></p>
<p class="MsoNormal">received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding<o:p></o:p></p>
<p class="MsoNormal">CHILD_SA rivaios6{1} established with SPIs c1339792_i 9265ffde_o and TS 2620:444:11:100::/64 === 2620:222:10:100::/64<o:p></o:p></p>
<p class="MsoNormal">connection 'rivaios6' established successfully<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If I try this on the embedded system, strongswan hangs when trying to establish the CHILD_SA:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># ./ipsec up rivaios6<o:p></o:p></p>
<p class="MsoNormal">Riva1# ./ipsec up rivaios6<o:p></o:p></p>
<p class="MsoNormal">initiating IKE_SA rivaios6[1] to fdff:444:11:1:ff:1:1:f<o:p></o:p></p>
<p class="MsoNormal">generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]<o:p></o:p></p>
<p class="MsoNormal">sending packet: from fdff:444:11:1:ff:1:1:10[500] to fdff:444:11:1:ff:1:1:f[500] (604 bytes)<o:p></o:p></p>
<p class="MsoNormal">received packet: from fdff:444:11:1:ff:1:1:f[500] to fdff:444:11:1:ff:1:1:10[500] (412 bytes)<o:p></o:p></p>
<p class="MsoNormal">parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) ]<o:p></o:p></p>
<p class="MsoNormal">received Cisco Delete Reason vendor ID<o:p></o:p></p>
<p class="MsoNormal">received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44<o:p></o:p></p>
<p class="MsoNormal">authentication of 'fdff:444:11:1:ff:1:1:10' (myself) with pre-shared key<o:p></o:p></p>
<p class="MsoNormal">establishing CHILD_SA rivaios6<b> <o:p></o:p></b></p>
<p class="MsoNormal"><b>(hangs)<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The end of the strongswan log file looks like this:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">…<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:03.505 08[ENC] <rivaios6|1> received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:5<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:03.615 08[CFG] <rivaios6|1> selecting proposal: <o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:03.729 08[CFG] <rivaios6|1> proposal matches
<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:03.825 08[CFG] <rivaios6|1> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:03.932 08[CFG] <rivaios6|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SH<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:04.035 08[CFG] <rivaios6|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:04.271 08[IKE] <rivaios6|1> reinitiating already active tasks
<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:04.361 08[IKE] <rivaios6|1> IKE_CERT_PRE task
<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:04.503 08[IKE] <rivaios6|1> IKE_AUTH task
<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:04.591 08[ENC] <rivaios6|1> added payload of type NOTIFY to message
<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:04.692 08[ENC] <rivaios6|1> added payload of type ID_RESPONDER to message
<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:04.799 08[ENC] <rivaios6|1> added payload of type ID_INITIATOR to message
<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:04.889 08[ENC] <rivaios6|1> added payload of type NOTIFY to message
<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:04.987 08[IKE] <rivaios6|1> authentication of 'fdff:444:11:1:ff:1:1:10' (myself) with pre-<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:05.105 08[IKE] <rivaios6|1> successfully created shared key MAC
<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:05.195 08[ENC] <rivaios6|1> added payload of type AUTH to message
<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:05.284 08[IKE] <rivaios6|1> establishing CHILD_SA rivaios6
<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:05.414 08[CFG] <rivaios6|1> proposing traffic selectors for us:
<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:05.521 08[CFG] <rivaios6|1> 2620:444:11:100::/64
<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:05.621 08[CFG] <rivaios6|1> proposing traffic selectors for other:
<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:05.730 08[CFG] <rivaios6|1> 2620:222:10:100::/64 <o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:05.825 08[CFG] <rivaios6|1> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:16.752 01[JOB] watched FD 15 ready to read
<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:16.836 01[JOB] watcher going to poll() 5 fds
<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:16.928 01[JOB] watcher got notification, rebuilding
<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:17.021 01[JOB] watcher going to poll() 5 fds <o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:17.140 01[JOB] watched FD 15 ready to read
<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:17.221 01[JOB] watcher going to poll() 5 fds
<o:p></o:p></p>
<p class="MsoNormal">2016-09-08T21:56:17.303 01[JOB] watcher got notification, rebuilding<o:p></o:p></p>
<p class="MsoNormal"><b>(repeats until you stop it)<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Do you have any idea what is causing the problem? We probably don’t have something set up right but if you could point us<o:p></o:p></p>
<p class="MsoNormal">In the right direction that would be helpful. Looking at the code it seems like we are trying to send the next message to the router<o:p></o:p></p>
<p class="MsoNormal">and something is going wrong with that.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I tried doing a level 3 log but for some reason the ipsec up command quits very early in the process when logging at that level.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>