<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Hi Tobias,</div><div><br></div><div>Thanks for the reply.</div><div>But what could be the reasons that the configuration is not loaded? In my case, "ipsec statusall" could dump the configuration, but you mean it is not loaded by charon?</div><div>How should I debug this further?</div><div>One thing I should mention is that I am running strongswan in a container (actually K8s Pod). I enabled privileged mode and also disabled AppArmor (before that I saw some AppArmor errors). Anything else I should pay attention to?</div><div><br></div><div>Jianjun</div><div dir="ltr"><br></div><div dir="ltr"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Hi Jianjun,<br>
According to the log, the configuration is not loaded when the peer is<br>trying to connect:<br>
><i> 00[JOB] spawning 16 worker threads<br>
</i>><i> 05[NET] received packet: from 10.162.19.54[500] to 10.162.19.55[500] (660 bytes)<br>
</i>><i> 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]<br>
</i>><i> 05[CFG] looking for an ike config for 10.162.19.55...10.162.19.54<br>
</i>><i> 05[IKE] no IKE config found for 10.162.19.55...10.162.19.54, sending NO_PROPOSAL_CHOSEN<br>
</i>
There should be something like:<br>
><i> 05[CFG] received stroke: add connection 'host54'<br>
</i>><i> 05[CFG] added configuration 'host54'<br>
</i>><i> 07[CFG] received stroke: route 'host54'<br>
</i>
Until that happens the peer won't be able to connect. Also, your host<br>should initiate the connection afterwards if GRE traffic with matching<br>IPs hits the installed trap policy. Note that `left=0.0.0.0` is<br>replaced in the trap policy with the local IP address:<br>
><i> Routed Connections:<br>
</i>><i> host54 {1}: ROUTED, TRANSPORT, reqid 1<br>
</i>><i> host54 {1}: 10.162.19.55/32[gre] === 10.162.19.54/32[gre]<br>
</i>
Regards,<br>Tobias</blockquote><div> </div></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">On 9/2/19 5:03 PM, Jianjun Shen Shen
wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF">
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Hello,
<div><br>
</div>
<div>I am using strongswan
(U5.3.5/K4.4.0-87-generic) on Ubuntu
(16.04.3 LTS).</div>
<div><br>
</div>
<div>Running "/usr/lib/ipsec/charon
--debug-cfg 4 --debug-ike 4" got the
following log messages:</div>
<pre>00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-87-generic, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded IKE secret for 0.0.0.0 10.162.19.54
00[CFG] secret: 73:77:6f:72:64:66:69:73:68
00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
05[NET] received packet: from 10.162.19.54[500] to 10.162.19.55[500] (660 bytes)
05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
05[CFG] looking for an ike config for 10.162.19.55...10.162.19.54
05[IKE] no IKE config found for 10.162.19.55...10.162.19.54, sending NO_PROPOSAL_CHOSEN
05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
05[NET] sending packet: from 10.162.19.55[500] to 10.162.19.54[500] (36 bytes)
05[IKE] IKE_SA (unnamed)[1] state change: CREATED => DESTROYING
</pre>
<div><br>
</div>
<div>And my ipsec.conf is quite simple:</div>
<pre>config setup
 uniqueids=yes

conn %default
 keyingtries=%forever
 type=transport
 keyexchange=ikev2
 auto=route
 ike=aes256gcm16-sha256-modp2048
 esp=aes256gcm16-modp2048

conn host54
 left=0.0.0.0
 right=10.162.19.54
 authby=psk
 leftprotoport=gre
 rightprotoport=gre
</pre>
<div><br>
</div>
<div>"ipsec statusall" shows the
following:</div>
<pre>Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-87-generic, x86_64):
 uptime: 3 seconds, since Sep 02 22:00:24 2019
 malloc: sbrk 1216512, mmap 0, used 251808, free 964704
 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
 loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown
Listening IP addresses:
 10.162.19.55
 fd01:0:101:2616:20c:29ff:fe2f:26c4
 172.17.0.1
 192.168.0.55
Connections:
 host54: 0.0.0.0...10.162.19.54 IKEv2
 host54: local: uses pre-shared key authentication
 host54: remote: [10.162.19.54] uses pre-shared key authentication
 host54: child: dynamic[gre] === dynamic[gre] TRANSPORT
Routed Connections:
 host54 {1}: ROUTED, TRANSPORT, reqid 1
 host54 {1}: 10.162.19.55/32[gre] === 10.162.19.54/32[gre]
Security Associations (0 up, 0 connecting):
 none
</pre>
<div><br>
</div>
<div>So, I could not see anything wrong.
Could you please help?</div>
<div><br>
</div>
<div>Regards,</div>
<div>Jianjun</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote></div>
</blockquote></div></div></div></div></div></div>
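The check Tobias describes (is there a "received stroke: add connection" / "added configuration" line before the peer's IKE_SA_INIT lookup fails?) can be automated over a saved charon log. The following is an added example written for this thread; it is not strongSwan code and not part of the original messages. It assumes charon's "NN[GROUP] message" log format and the exact message texts quoted above; the two sample logs are constructed, the first copied from Jianjun's log, the second built from the stroke lines Tobias says should appear.

```python
"""Tell "config never loaded" apart from "config loaded but did not match"
by scanning charon log lines. Added example for this thread, not strongSwan code."""
import re
from dataclasses import dataclass, field

# charon log lines look like "05[CFG] message"; capture the group and message.
LINE_RE = re.compile(r"^\s*\d+\[(?P<group>[A-Z]+)\]\s+(?P<msg>.*)$")
# Events quoted in the thread (stroke plugin loading ipsec.conf, trap install, failed lookup).
ADDED_RE = re.compile(r"added configuration '(?P<name>[^']+)'")
ROUTE_RE = re.compile(r"received stroke: route '(?P<name>[^']+)'")
NOCFG_RE = re.compile(r"no IKE config found for (?P<local>\S+?)\.\.\.(?P<remote>[^\s,]+)")


@dataclass
class Report:
    added: list = field(default_factory=list)      # connection names charon added
    routed: list = field(default_factory=list)     # names with a trap policy (auto=route)
    # (local, remote, configs_known_at_that_time) for every lookup that found nothing
    unmatched: list = field(default_factory=list)


def analyse(lines):
    """Walk the log in order so we know how many configs existed at each failed lookup."""
    rep = Report()
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a charon line (prompt, blank, wrapped continuation)
        msg = m.group("msg")
        a = ADDED_RE.search(msg)
        if a:
            rep.added.append(a.group("name"))
            continue
        r = ROUTE_RE.search(msg)
        if r:
            rep.routed.append(r.group("name"))
            continue
        n = NOCFG_RE.search(msg)
        if n:
            rep.unmatched.append((n.group("local"), n.group("remote"), len(rep.added)))
    return rep


def diagnose(rep):
    """Map the report onto the situations discussed in the thread."""
    if any(known == 0 for _, _, known in rep.unmatched):
        # The peer connected before any 'added configuration' line: ipsec.conf
        # was never pushed to charon over stroke, which is Tobias's reading.
        return "config-not-loaded"
    if rep.unmatched:
        # Configs exist but none matched the local...remote pair of the lookup.
        return "config-mismatch"
    if rep.added:
        return "config-loaded"
    return "no-activity"


# Constructed sample 1: the lines from Jianjun's log (no stroke messages at all).
BAD_RUN = [
    "00[JOB] spawning 16 worker threads",
    "05[NET] received packet: from 10.162.19.54[500] to 10.162.19.55[500] (660 bytes)",
    "05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]",
    "05[CFG] looking for an ike config for 10.162.19.55...10.162.19.54",
    "05[IKE] no IKE config found for 10.162.19.55...10.162.19.54, sending NO_PROPOSAL_CHOSEN",
]

# Constructed sample 2: the stroke lines Tobias expects, arriving before the peer.
GOOD_RUN = [
    "00[JOB] spawning 16 worker threads",
    "05[CFG] received stroke: add connection 'host54'",
    "05[CFG] added configuration 'host54'",
    "07[CFG] received stroke: route 'host54'",
    "05[NET] received packet: from 10.162.19.54[500] to 10.162.19.55[500] (660 bytes)",
    "05[CFG] looking for an ike config for 10.162.19.55...10.162.19.54",
]

if __name__ == "__main__":
    for label, run in (("jianjun", BAD_RUN), ("expected", GOOD_RUN)):
        print(label, diagnose(analyse(run)))
```

Run it against `charon --debug-cfg 4` output saved to a file (one log line per list entry); a "config-not-loaded" verdict means the next thing to look at is whether `ipsec start`/`ipsec reload` actually reached the daemon over the stroke socket, which is a different problem from a `conn` that simply does not match the peer's addresses.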