[strongSwan-dev] Unable to establish tunnel between wrlinux and fedora

krishna chaitanya krishnachaitanya.sanapala at gmail.com
Thu Jul 12 17:16:43 CEST 2012


Hi Team,

I was trying to establish IPsec functionality between WRLinux (strongSwan
4.1.4) and Fedora (strongSwan 4.6.2), but was unsuccessful.

Initially I had an error in SPI allocation from the kernel, and then I
loaded netlink-socket in the charon section of the strongswan.conf file.

Please find the console logs and configuration files below, and let me know
if I am missing something.

*Console log on Fedora:*
[root at localhost ~]# ipsec up host-host
initiating IKE_SA host-host[1] to 10.10.10.61
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.10.10.200[500] to 10.10.10.61[500]
retransmit 1 of request with message ID 0
sending packet: from 10.10.10.200[500] to 10.10.10.61[500]
retransmit 2 of request with message ID 0
sending packet: from 10.10.10.200[500] to 10.10.10.61[500]
retransmit 3 of request with message ID 0
sending packet: from 10.10.10.200[500] to 10.10.10.61[500]
retransmit 4 of request with message ID 0
sending packet: from 10.10.10.200[500] to 10.10.10.61[500]
retransmit 5 of request with message ID 0
sending packet: from 10.10.10.200[500] to 10.10.10.61[500]
giving up after 5 retransmits
establishing IKE_SA failed, peer not responding
[root at localhost ~]# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.6.3):
  uptime: 56 minutes, since Jul 12 19:15:08 2012
  malloc: sbrk 233472, mmap 0, used 122656, free 110816
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-raw stroke updown
Listening IP addresses:
  192.168.100.4
  10.10.10.200
Connections:
   host-host:  10.10.10.200...10.10.10.61
   host-host:   local:  [10.10.10.200] uses pre-shared key authentication
   host-host:   remote: [10.10.10.61] uses pre-shared key authentication
   host-host:   child:  dynamic === dynamic TRANSPORT
     net-net:   child:  dynamic === dynamic TUNNEL
        benu:   child:  dynamic === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
  none

*ipsec.conf file:*
config setup
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2
        mobike=no

conn host-host
       left=10.10.10.200
       leftauth=psk
       leftfirewall=yes
       right=10.10.10.61
       rightauth=psk
       type=transport
       auto=add

conn net-net
         left=10.10.10.200
         leftauth=psk
         leftfirewall=yes
         right=10.10.10.61
         rightauth=psk
         type=tunnel
         auto=add
conn benu
        left=10.10.10.200
        leftauth=psk
        leftfirewall=yes
        right=10.10.10.61
        rightauth=psk
        type=tunnel
        auto=add

*ipsec.secrets:*
# /etc/ipsec.secrets - strongSwan IPsec secrets file

#@moon.strongswan.org @sun.strongswan.org : PSK "hanjuruddevkdonr"
#: RSA moonKey.pem
: PSK "strongSwan"

*strongswan.conf:*
# strongswan.conf - strongSwan configuration file

charon {

        # number of worker threads in charon
        #threads = 16

        # send strongswan vendor ID?
        # send_vendor_id = yes
        #hash_and_url = yes
        #load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
        #multiple_authentication = no
        #load = curl aes des sha1 sha2 md5 pem pkcs1

#       plugins {

#               sql {
                        # loglevel to log into sql database
#                       loglevel = -1
#
#                       # URI to the database
#                       # database = sqlite:///path/to/file.db
                        # database = mysql://user:password@localhost/database
#               }
#       }

        # ...
}

*Console log on Wind River Linux:*

root at benu_msm-wrlinux:/root> ipsec start
Starting strongSwan 4.4.0 IPsec [starter]...
insmod /lib/modules/2.6.34.12-grsec-WR4.3.0.0_cgl/kernel/net/key/af_key.ko
root at benu_msm-wrlinux:/root> ipsec up host-host
initiating IKE_SA host-host[1] to 10.10.10.200
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.10.10.61[500] to 10.10.10.200[500]
retransmit 1 of request with message ID 0
sending packet: from 10.10.10.61[500] to 10.10.10.200[500]
retransmit 2 of request with message ID 0
sending packet: from 10.10.10.61[500] to 10.10.10.200[500]
retransmit 3 of request with message ID 0
sending packet: from 10.10.10.61[500] to 10.10.10.200[500]
retransmit 4 of request with message ID 0
sending packet: from 10.10.10.61[500] to 10.10.10.200[500]
retransmit 5 of request with message ID 0
sending packet: from 10.10.10.61[500] to 10.10.10.200[500]
giving up after 5 retransmits
establishing IKE_SA failed, peer not responding
root at benu_msm-wrlinux:/root> ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.4.0):
  uptime: 58 minutes, since Jul 12 23:58:24 2012
  worker threads: 10 idle of 16, job queue load: 0, scheduled events: 0
  loaded plugins: aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink updown
Listening IP addresses:
  10.10.10.61
Connections:
   host-host:  10.10.10.61...10.10.10.200
   host-host:   local:  [10.10.10.61] uses pre-shared key authentication
   host-host:   remote: [10.10.10.200] uses pre-shared key authentication
   host-host:   child:  dynamic === dynamic
     net-net:   child:  dynamic === dynamic
        benu:   child:  dynamic === dynamic
Security Associations:
  none

*ipsec.conf file:*
config setup
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2
        mobike=no

conn host-host
       left=10.10.10.61
       leftauth=psk
       leftfirewall=yes
       right=10.10.10.200
       rightauth=psk
       type=transport
       auto=add

conn net-net
         left=10.10.10.61
         leftauth=psk
         leftfirewall=yes
         right=10.10.10.200
         rightauth=psk
         type=tunnel
         auto=add
conn benu
        left=10.10.10.61
        leftauth=psk
        leftfirewall=yes
        right=10.10.10.200
        rightauth=psk
        type=tunnel
        auto=add

*ipsec.secrets:*
# /etc/ipsec.secrets - strongSwan IPsec secrets file

#@moon.strongswan.org @sun.strongswan.org : PSK "hanjuruddevkdonr"
#: RSA moonKey.pem
: PSK "strongSwan"

*strongswan.conf:*
# strongswan.conf - strongSwan configuration file

charon {

        # number of worker threads in charon
        #threads = 16

        # plugins to load in charon
        load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown

        #plugins {

        #       sql {
                        # loglevel to log into sql database
        #               loglevel = -1

                        # URI to the database
                        # database = sqlite:///path/to/file.db
                        # database = mysql://user:password@localhost/database
        #       }
        #}

        # ...
}

pluto {

        # plugins to load in pluto
        # load = aes des sha1 md5 sha2 hmac gmp random pubkey

}

libstrongswan {

        #  set to no, the DH exponent size is optimized
        #  dh_exponent_ansi_x9_42 = no

}

Thanks,
KC
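Both ends above time out on IKE_SA_INIT with no reply, which means the UDP/500 packets are not reaching a listening charon on the other side. Before touching the IKE settings, a practitioner would compare the `loaded plugins` line of each `ipsec statusall` with the `load =` line in that host's strongswan.conf: the Fedora dump lists `socket-raw`, while the Wind River dump lists no socket plugin at all even though its strongswan.conf asks for `socket-default`. charon receives and sends IKE through a socket plugin, so without one nothing is bound to UDP/500. The script below is an editor's example added here, not code from the original post or from strongSwan: it parses the two status dumps and the two `load =` lines quoted in the post (abbreviated and embedded inline) and flags exactly that mismatch. Function names and the wording of the findings are the example's own. Separately, note that both ipsec.secrets files use a wildcard entry with the short word "strongSwan" as the PSK; that is fine for a lab but should be a long random secret before the link carries real traffic.

```python
"""Added diagnostic for 'giving up after 5 retransmits / peer not responding':
check `ipsec statusall` output against the charon `load =` line and flag a
missing socket plugin (no UDP/500 listener) or plugins that did not load.
Function names are this example's own, not strongSwan API.
"""
import re

# Sample inputs: abbreviated from the `ipsec statusall` dumps and
# strongswan.conf files quoted in the post, line wrapping kept as pasted.
FEDORA_STATUSALL = """\
Status of IKEv2 charon daemon (strongSwan 4.6.3):
  loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints
pubkey pkcs1 pkcs8 pgp pem fips-prf gmp xcbc cmac hmac attr kernel-netlink
resolve socket-raw stroke updown
Listening IP addresses:
  192.168.100.4
  10.10.10.200
Connections:
"""
WRLINUX_STATUSALL = """\
Status of IKEv2 charon daemon (strongSwan 4.4.0):
  loaded plugins: aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke
kernel-netlink updown
Listening IP addresses:
  10.10.10.61
Connections:
"""
FEDORA_CONF = """\
charon {
        #load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509
revocation hmac xcbc stroke kernel-netlink socket-default updown
}
"""
WRLINUX_CONF = """\
charon {
        load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke
kernel-netlink socket-default updown

}
"""


def _continues(lines, i):
    """True if lines[i+1] is an unindented wrap of the list started on lines[i]."""
    nxt = lines[i + 1] if i + 1 < len(lines) else ""
    return bool(nxt.strip()) and not nxt.startswith(" ") and not nxt.endswith(":")


def parse_statusall(text):
    """Return the daemon version, the set of loaded plugins and the listen addresses."""
    info = {"version": None, "plugins": set(), "listen": []}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = re.search(r"strongSwan ([\d.]+)", line)
        if m and info["version"] is None:
            info["version"] = m.group(1)
        if line.strip().startswith("loaded plugins:"):
            buf = line.split(":", 1)[1]
            while _continues(lines, i):  # plugin list wraps onto unindented lines
                i += 1
                buf += " " + lines[i]
            info["plugins"] = set(buf.split())
        elif line.startswith("Listening IP addresses:"):
            while i + 1 < len(lines) and lines[i + 1].startswith("  "):
                i += 1
                info["listen"].append(lines[i].strip())
        i += 1
    return info


def requested_plugins(conf_text):
    """Plugins named on an uncommented `load =` line; commented lines are ignored."""
    names = set()
    lines = conf_text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^\s*load\s*=\s*(.*)$", lines[i])
        if m:
            names.update(m.group(1).split())
            # a wrapped value continues until a blank line, comment, brace or new key
            while i + 1 < len(lines) and lines[i + 1].strip() \
                    and not re.match(r"^\s*(#|\}|[\w.-]+\s*[={])", lines[i + 1]):
                i += 1
                names.update(lines[i].split())
        i += 1
    return names


def diagnose(statusall_text, conf_text):
    """Findings as strings; an empty list means neither known cause is present."""
    st = parse_statusall(statusall_text)
    findings = []
    if not any(p.startswith("socket") for p in st["plugins"]):
        findings.append("no socket plugin loaded: charon has no UDP/500 listener, "
                        "so the peer's IKE_SA_INIT is never received")
    missing = requested_plugins(conf_text) - st["plugins"]
    if missing:
        findings.append("named in strongswan.conf load= but not loaded: "
                        + " ".join(sorted(missing)))
    if not st["listen"]:
        findings.append("charon reports no listening IP addresses")
    return findings


if __name__ == "__main__":
    print("fedora :", diagnose(FEDORA_STATUSALL, FEDORA_CONF) or ["no finding"])
    print("wrlinux:", diagnose(WRLINUX_STATUSALL, WRLINUX_CONF) or ["no finding"])
```

Run against the post's dumps, the Fedora side produces no finding and the Wind River side produces two: no socket plugin loaded, and `socket-default` requested but absent. Whatever the reason the plugin did not load on that build (the post does not show a charon startup log), the absent listener alone explains why the Fedora initiator never gets an answer, and the same check on the other direction would have to pass before the PSK or proposal settings are worth examining.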