<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Hi Tobias,</div><div><br></div><div>Thanks for the reply.</div><div>But what could be the reasons that the configuration is not loaded? In my case, "ipsec statusall" could dump the configuration, but you mean it is not loaded by charon?</div><div>How should I debug this further?</div><div>One thing I should mention is that I am running strongswan in a container (actually K8s Pod). I enabled privileged mode and also disabled AppArmor (before that I saw some AppArmor errors). Anything else I should pay attention to?</div><div><br></div><div>Jianjun</div><div dir="ltr"><br></div><div dir="ltr"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Hi Jianjun,<br>
According to the log, the configuration is not loaded when the peer is<br>trying to connect:<br>
><i> 00[JOB] spawning 16 worker threads<br>
</i>><i> 05[NET] received packet: from 10.162.19.54[500] to 10.162.19.55[500]<br>
</i>><i> (660 bytes)<br>
</i>><i> 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)<br>
</i>><i> N(NATD_D_IP) N(HASH_ALG) ]<br>
</i>><i> 05[CFG] looking for an ike config for 10.162.19.55...10.162.19.54<br>
</i>><i> 05[IKE] no IKE config found for 10.162.19.55...10.162.19.54, sending<br>
</i>><i> NO_PROPOSAL_CHOSEN<br>
</i>
There should be something like:<br>
><i> 05[CFG] received stroke: add connection 'host54'<br>
</i>><i> 05[CFG] added configuration 'host54'<br>
</i>><i> 07[CFG] received stroke: route 'host54'<br>
</i>
Until that happens the peer won't be able to connect.  Also, your host<br>should initiate the connection afterwards if GRE traffic with matching<br>IPs hits the installed trap policy.  Note that `left=0.0.0.0` is<br>replaced in the trap policy with the local IP address:<br>
><i> Routed Connections:<br>
</i>><i>     host54 {1}:  ROUTED, TRANSPORT, reqid 1<br>
</i>><i>     host54 {1}:   <a href="http://10.162.19.55/32[gre]">10.162.19.55/32[gre]</a> === <a href="http://10.162.19.54/32[gre]">10.162.19.54/32[gre]</a><br>
</i>
Regards,<br>Tobias</blockquote><div> </div></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">On 9/2/19 5:03 PM, Jianjun Shen Shen
      wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF">
    <blockquote type="cite">
      
      <div dir="ltr">
        <div dir="ltr">
          <div dir="ltr">
            <div dir="ltr">
              <div dir="ltr">
                <div dir="ltr">
                  <div dir="ltr">
                    <div dir="ltr">
                      <div dir="ltr">
                        <div dir="ltr">
                          <div dir="ltr">
                            <div dir="ltr">
                              <div dir="ltr">Hello,
                                <div><br>
                                </div>
                                <div>I am using strongswan
                                  (U5.3.5/K4.4.0-87-generic) on Ubuntu
                                  (16.04.3 LTS).</div>
                                <div><br>
                                </div>
                                <div>Running "/usr/lib/ipsec/charon
                                  --debug-cfg 4 --debug-ike 4" got the
                                  following log messages:</div>
                                <div>
                                  <div>00[DMN] Starting IKE charon
                                    daemon (strongSwan 5.3.5, Linux
                                    4.4.0-87-generic, x86_64)</div>
                                  <div>00[CFG] loading ca certificates
                                    from '/etc/ipsec.d/cacerts'</div>
                                  <div>00[CFG] loading aa certificates
                                    from '/etc/ipsec.d/aacerts'</div>
                                  <div>00[CFG] loading ocsp signer
                                    certificates from
                                    '/etc/ipsec.d/ocspcerts'</div>
                                  <div>00[CFG] loading attribute
                                    certificates from
                                    '/etc/ipsec.d/acerts'</div>
                                  <div>00[CFG] loading crls from
                                    '/etc/ipsec.d/crls'</div>
                                  <div>00[CFG] loading secrets from
                                    '/etc/ipsec.secrets'</div>
                                  <div>00[CFG]   loaded IKE secret for
                                    0.0.0.0 10.162.19.54</div>
                                  <div>00[CFG]   secret:
                                    73:77:6f:72:64:66:69:73:68</div>
                                  <div>00[LIB] loaded plugins: charon
                                    test-vectors aes rc2 sha1 sha2 md4
                                    md5 random nonce x509 revocation
                                    constraints pubkey pkcs1 pkcs7 pkcs8
                                    pkcs12 pgp dnskey sshkey pem
                                    fips-prf gmp xcbc hmac attr
                                    kernel-netlink resolve
                                    socket-default stroke updown</div>
                                  <div>00[LIB] dropped capabilities,
                                    running as uid 0, gid 0</div>
                                  <div>00[JOB] spawning 16 worker
                                    threads</div>
                                  <div>05[NET] received packet: from
                                    10.162.19.54[500] to
                                    10.162.19.55[500] (660 bytes)</div>
                                  <div>05[ENC] parsed IKE_SA_INIT
                                    request 0 [ SA KE No N(NATD_S_IP)
                                    N(NATD_D_IP) N(HASH_ALG) ]</div>
                                  <div>05[CFG] looking for an ike config
                                    for 10.162.19.55...10.162.19.54</div>
                                  <div>05[IKE] no IKE config found for
                                    10.162.19.55...10.162.19.54, sending
                                    NO_PROPOSAL_CHOSEN</div>
                                  <div>05[ENC] generating IKE_SA_INIT
                                    response 0 [ N(NO_PROP) ]</div>
                                  <div>05[NET] sending packet: from
                                    10.162.19.55[500] to
                                    10.162.19.54[500] (36 bytes)</div>
                                  <div>05[IKE] IKE_SA (unnamed)[1] state
                                    change: CREATED => DESTROYING</div>
                                </div>
                                <div><br>
                                </div>
                                <div>And my ipsec.conf is quite simple:</div>
                                <div>
                                  <div>config setup</div>
                                  <div>    uniqueids=yes</div>
                                  <div><br>
                                  </div>
                                  <div>conn %default</div>
                                  <div>    keyingtries=%forever</div>
                                  <div>    type=transport</div>
                                  <div>    keyexchange=ikev2</div>
                                  <div>    auto=route</div>
                                  <div>    ike=aes256gcm16-sha256-modp2048</div>
                                  <div>    esp=aes256gcm16-modp2048</div>
                                  <div><br>
                                  </div>
                                  <div>conn host54</div>
                                  <div>    left=0.0.0.0</div>
                                  <div>    right=10.162.19.54</div>
                                  <div>    authby=psk</div>
                                  <div>    leftprotoport=gre</div>
                                  <div>    rightprotoport=gre</div>
                                </div>
                                <div><br>
                                </div>
                                <div>"ipsec statusall" shows the
                                  following:</div>
                                <div>
                                  <div>Status of IKE charon daemon
                                    (strongSwan 5.3.5, Linux
                                    4.4.0-87-generic, x86_64):<br>
                                  </div>
                                  <div>  uptime: 3 seconds, since Sep 02
                                    22:00:24 2019</div>
                                  <div>  malloc: sbrk 1216512, mmap 0,
                                    used 251808, free 964704</div>
                                  <div>  worker threads: 11 of 16 idle,
                                    5/0/0/0 working, job queue: 0/0/0/0,
                                    scheduled: 0</div>
                                  <div>  loaded plugins: charon
                                    test-vectors aes rc2 sha1 sha2 md4
                                    md5 random nonce x509 revocation
                                    constraints pubkey pkcs1 pkcs7 pkcs8
                                    pkcs12 pgp dnskey sshkey pem
                                    fips-prf gmp xcbc hmac attr
                                    kernel-netlink resolve
                                    socket-default stroke updown</div>
                                  <div>Listening IP addresses:</div>
                                  <div>  10.162.19.55</div>
                                  <div>  fd01:0:101:2616:20c:29ff:fe2f:26c4</div>
                                  <div>  172.17.0.1</div>
                                  <div>  192.168.0.55</div>
                                  <div>Connections:</div>
                                  <div>    host54:
                                     0.0.0.0...10.162.19.54  IKEv2</div>
                                  <div>    host54:   local:  uses
                                    pre-shared key authentication</div>
                                  <div>    host54:   remote:
                                    [10.162.19.54] uses pre-shared key
                                    authentication</div>
                                  <div>    host54:   child:
                                     dynamic[gre] === dynamic[gre]
                                    TRANSPORT</div>
                                  <div>Routed Connections:</div>
                                  <div>    host54 {1}:  ROUTED,
                                    TRANSPORT, reqid 1</div>
                                  <div>    host54 {1}:   <a href="http://10.162.19.55/32%5Bgre%5D" target="_blank">10.162.19.55/32[gre]</a>
                                    === <a href="http://10.162.19.54/32%5Bgre%5D" target="_blank">10.162.19.54/32[gre]</a></div>
                                  <div>Security Associations (0 up, 0
                                    connecting):</div>
                                  <div>  none</div>
                                </div>
                                <div><br>
                                </div>
                                <div>So, I could not see anything wrong.
                                  Could you please help?</div>
                                <div><br>
                                </div>
                                <div>Regards,</div>
                                <div>Jianjun</div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
  </div>

</blockquote></div>
</blockquote></div></div></div></div></div></div>
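Added example (not from the thread or from strongSwan itself): a small Python checker for the pattern Tobias describes, run over the charon log lines quoted above. It records every "added configuration" entry stroke delivered and every failed IKE config lookup, and reports whether a lookup failed before any connection had been loaded at all, which is the situation in Jianjun's log. The second sample log and the 192.0.2.9 peer address in it are constructed for illustration.

```python
import re

# Constructed sample: the charon log lines quoted in the thread, re-joined onto one line each.
LOG_CONFIG_NOT_LOADED = """\
00[JOB] spawning 16 worker threads
05[NET] received packet: from 10.162.19.54[500] to 10.162.19.55[500] (660 bytes)
05[CFG] looking for an ike config for 10.162.19.55...10.162.19.54
05[IKE] no IKE config found for 10.162.19.55...10.162.19.54, sending NO_PROPOSAL_CHOSEN
"""

# Constructed sample: the stroke lines Tobias says should appear, then a hypothetical failed lookup.
LOG_CONFIG_LOADED = """\
05[CFG] received stroke: add connection 'host54'
05[CFG] added configuration 'host54'
07[CFG] received stroke: route 'host54'
09[CFG] looking for an ike config for 10.162.19.55...192.0.2.9
09[IKE] no IKE config found for 10.162.19.55...192.0.2.9, sending NO_PROPOSAL_CHOSEN
"""

LINE_RE = re.compile(r"^(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
ADDED_RE = re.compile(r"added configuration '(?P<name>[^']+)'")
NOCFG_RE = re.compile(r"no IKE config found for (?P<local>\S+?)\.\.\.(?P<peer>\S+),")

def analyse(log):
    """Collect loaded connection names and every failed IKE config lookup, in log order."""
    loaded, failures = [], []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip wrapped continuation lines or non-charon text
        msg = m.group("msg")
        added = ADDED_RE.search(msg)
        nocfg = NOCFG_RE.search(msg)
        if added:
            loaded.append(added.group("name"))
        elif nocfg:
            failures.append({"local": nocfg.group("local"), "peer": nocfg.group("peer"),
                             "loaded_before": list(loaded)})
    return {"loaded": loaded, "failures": failures}

def diagnose(log):
    """Classify a failed lookup: nothing was ever loaded via stroke, or nothing matched the peer."""
    result = analyse(log)
    if not result["failures"]:
        return "no-failed-lookup"
    if any(not f["loaded_before"] for f in result["failures"]):
        return "config-not-loaded"
    return "lookup-failed-despite-loaded-config"
```

A "config-not-loaded" verdict means the daemon never received the connection definitions before the peer's IKE_SA_INIT arrived, so the next thing to check is how (and whether) the configuration is being pushed to charon.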