[strongSwan-dev] Able to establish tunnel via modified stroke code but unable to pass data through the tunnel

krishna chaitanya krishnachaitanya.sanapala at gmail.com
Thu Oct 4 18:00:11 CEST 2012


Hi Team,

I have tried building up the stroke_msg structure and was able to establish
a tunnel, but I was unable to send traffic via the established tunnel.

I am sending you the attached logs.

I need your help in fixing this issue. Thanks.


Regards,
KC
ipsec.conf files for both the PCs are attached in the mail.

PC-1 configuration:
===================

[root at localhost strongswan-5.0.0]# ipsec start
Starting strongSwan 5.0.0 IPsec [starter]...
[root at localhost strongswan-5.0.0]# ipsec stroke add host-host fedora_1 fedora_2 10.10.10.200 10.10.10.231 10.10.10.0 10.10.10.0 24 24

!!!!!!!!!! In 151 in add_connection from stroke.c !!!!!!!!!!!!

[root at localhost strongswan-5.0.0]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.0, Linux 2.6.33.3-85.fc13.x86_64, x86_64):
  uptime: 45 seconds, since Oct 04 20:03:13 2012
  malloc: sbrk 270336, mmap 0, used 174608, free 95728
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  10.10.10.200
Connections:
   host-host:  10.10.10.200...10.10.10.231  IKEv2
   host-host:   local:  [fedora_1] uses pre-shared key authentication
   host-host:   remote: [fedora_2] uses pre-shared key authentication
   host-host:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL
Security Associations (1 up, 0 connecting):
   host-host[1]: ESTABLISHED 10 seconds ago, 10.10.10.200[fedora_1]...10.10.10.231[fedora_2]
   host-host[1]: IKEv2 SPIs: b09b4dac68f84ed0_i 86e91076692bcf17_r*, rekeying in 2 hours
   host-host[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048
   host-host{1}:  INSTALLED, TUNNEL, ESP SPIs: cdc94c48_i ca25b92e_o
   host-host{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 43 minutes
   host-host{1}:   0.0.0.0/0 === 0.0.0.0/0
[root at localhost strongswan-5.0.0]#
[root at localhost strongswan-5.0.0]#
[root at localhost strongswan-5.0.0]# ip xfrm policy
src ::/0 dst ::/0
        dir 3 priority 0 ptype main
src ::/0 dst ::/0
        dir 4 priority 0 ptype main
src ::/0 dst ::/0
        dir 3 priority 0 ptype main
src ::/0 dst ::/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
[root at localhost strongswan-5.0.0]# ip xfrm state
src 10.10.10.200 dst 10.10.10.231
        proto esp spi 0xca25b92e reqid 1 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0x49ad2c02f6894bc1c1de448b8ff9bcb88f83e855
        enc cbc(aes) 0xa534913e385d3bbaf067cac56d47ffff
src 10.10.10.231 dst 10.10.10.200
        proto esp spi 0xcdc94c48 reqid 1 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0xb262c405e375b1bcb784c4ec0af1acd74c503c51
        enc cbc(aes) 0x46cfb52a92d3013bb6b11f9546b969de
[root at localhost strongswan-5.0.0]#



PC-2 configuration:
===================

[root at localhost strongswan-5.0.0]# vim /etc/ipsec.conf
[root at localhost strongswan-5.0.0]# ipsec start
Starting strongSwan 5.0.0 IPsec [starter]...
[root at localhost strongswan-5.0.0]# ipsec stroke add host-host fedora_2 fedora_1 10.10.10.231 10.10.10.200 10.10.10.0 10.10.10.0 24 24

!!!!!!!!!! In 151 in add_connection from stroke.c !!!!!!!!!!!!

[root at localhost strongswan-5.0.0]# ipsec up host-host
initiating IKE_SA host-host[1] to 10.10.10.200
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.10.10.231[500] to 10.10.10.200[500]
received packet: from 10.10.10.200[500] to 10.10.10.231[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
authentication of 'fedora_2' (myself) with pre-shared key
establishing CHILD_SA host-host
generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 10.10.10.231[500] to 10.10.10.200[500]
received packet: from 10.10.10.200[500] to 10.10.10.231[500]
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
authentication of 'fedora_1' with pre-shared key successful
IKE_SA host-host[1] established between 10.10.10.231[fedora_2]...10.10.10.200[fedora_1]
scheduling rekeying in 10197s
maximum IKE_SA lifetime 10737s
CHILD_SA host-host{1} established with SPIs ca25b92e_i cdc94c48_o and TS 0.0.0.0/0 === 0.0.0.0/0
[root at localhost strongswan-5.0.0]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.0, Linux 2.6.33.3-85.fc13.x86_64, x86_64):
  uptime: 35 seconds, since Oct 04 19:34:53 2012
  malloc: sbrk 270336, mmap 0, used 175856, free 94480
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  10.10.10.231
  192.168.11.155
Connections:
   host-host:  10.10.10.231...10.10.10.200  IKEv2
   host-host:   local:  [fedora_2] uses pre-shared key authentication
   host-host:   remote: [fedora_1] uses pre-shared key authentication
   host-host:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL
Security Associations (1 up, 0 connecting):
   host-host[1]: ESTABLISHED 4 seconds ago, 10.10.10.231[fedora_2]...10.10.10.200[fedora_1]
   host-host[1]: IKEv2 SPIs: b09b4dac68f84ed0_i* 86e91076692bcf17_r, rekeying in 2 hours
   host-host[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048
   host-host{1}:  INSTALLED, TUNNEL, ESP SPIs: ca25b92e_i cdc94c48_o
   host-host{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 47 minutes
   host-host{1}:   0.0.0.0/0 === 0.0.0.0/0
[root at localhost strongswan-5.0.0]#
[root at localhost strongswan-5.0.0]#
[root at localhost strongswan-5.0.0]# ip xfrm policy
src ::/0 dst ::/0
        dir 3 priority 0 ptype main
src ::/0 dst ::/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
[root at localhost strongswan-5.0.0]#
[root at localhost strongswan-5.0.0]#
[root at localhost strongswan-5.0.0]#
[root at localhost strongswan-5.0.0]# ip xfrm state
src 10.10.10.231 dst 10.10.10.200
        proto esp spi 0xcdc94c48 reqid 1 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0xb262c405e375b1bcb784c4ec0af1acd74c503c51
        enc cbc(aes) 0x46cfb52a92d3013bb6b11f9546b969de
src 10.10.10.200 dst 10.10.10.231
        proto esp spi 0xca25b92e reqid 1 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0x49ad2c02f6894bc1c1de448b8ff9bcb88f83e855
        enc cbc(aes) 0xa534913e385d3bbaf067cac56d47ffff
[root at localhost strongswan-5.0.0]#
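The `ip xfrm policy` listings on both PCs contain only `dir 3` and `dir 4` entries, which are the kernel's per-socket bypass policies (numbered XFRM_POLICY_MAX + in/out) for charon's IKE socket, and no `dir in`, `dir out` or `dir fwd` policy for the CHILD_SA, even though `ip xfrm state` shows both ESP SAs installed; that is exactly the shape of a tunnel that is up but carries nothing. The following check is an added example, not part of the original mail or of strongSwan: it parses such a listing and reports which policy directions are missing for the intended traffic selectors, with the sample listings and the priority values constructed here.

```python
"""Added diagnostic (not from the mail): parse `ip xfrm policy` output and
report which out/in/fwd policies are absent for a CHILD_SA's traffic
selectors.  Entries printed as `dir 3`/`dir 4` are per-socket bypass
policies (XFRM_POLICY_MAX + in/out) for charon's IKE socket; they never
carry tunnel traffic, so a listing with only those means no ESP policy."""
import ipaddress
import re

SOCKET_DIRS = {"3", "4", "5"}  # iproute2 prints socket-policy dirs as bare numbers

def parse_policies(text):
    """Return [(src_net, dst_net, dir), ...]; 'tmpl src ...' lines are skipped."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"^src (\S+) dst (\S+)", line)
        if m:
            entries.append([ipaddress.ip_network(m[1]), ipaddress.ip_network(m[2]), None])
        elif (d := re.match(r"^dir (\S+)", line)) and entries and entries[-1][2] is None:
            entries[-1][2] = d[1]
    return [tuple(e) for e in entries]

def missing_policies(text, local_ts, remote_ts):
    """Return the subset of {'out','in','fwd'} not covering local_ts <-> remote_ts."""
    local, remote = ipaddress.ip_network(local_ts), ipaddress.ip_network(remote_ts)
    found = set()
    for src, dst, d in parse_policies(text):
        if d in SOCKET_DIRS or src.version != local.version:
            continue  # socket policies and other address families are irrelevant
        if d == "out" and local.subnet_of(src) and remote.subnet_of(dst):
            found.add("out")
        elif d in ("in", "fwd") and remote.subnet_of(src) and local.subnet_of(dst):
            found.add(d)
    return {"out", "in", "fwd"} - found

# Constructed sample: the IPv4 part of PC-1's listing above (socket policies only).
PC1_OUTPUT = """\
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
"""
# Constructed sample of the entries a working CHILD_SA adds (priority values hypothetical).
WORKING_OUTPUT = PC1_OUTPUT + """\
src 10.10.10.0/24 dst 10.10.10.0/24
        dir out priority 1859 ptype main
        tmpl src 10.10.10.200 dst 10.10.10.231
                proto esp reqid 1 mode tunnel
src 10.10.10.0/24 dst 10.10.10.0/24
        dir fwd priority 1859 ptype main
src 10.10.10.0/24 dst 10.10.10.0/24
        dir in priority 1859 ptype main
"""
```

Running `missing_policies` over the real listing from a host, with the subnets given on the `ipsec stroke add` line, tells you immediately whether the CHILD_SA's policies ever reached the kernel, independent of what `ipsec statusall` reports.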



Attachments (scrubbed by the list archive; available at the URLs below):

  ipsec.conf_PC1       (application/octet-stream, 1463 bytes): <http://lists.strongswan.org/pipermail/dev/attachments/20121004/919bd372/attachment.obj>
  strongswan.conf_PC1  (application/octet-stream, 638 bytes):  <http://lists.strongswan.org/pipermail/dev/attachments/20121004/919bd372/attachment-0001.obj>
  ipsec.conf_PC2       (application/octet-stream, 1408 bytes): <http://lists.strongswan.org/pipermail/dev/attachments/20121004/919bd372/attachment-0002.obj>
  strongswan.conf_PC2  (application/octet-stream, 500 bytes):  <http://lists.strongswan.org/pipermail/dev/attachments/20121004/919bd372/attachment-0003.obj>
  stroke.c             (text/x-csrc, 16762 bytes):             <http://lists.strongswan.org/pipermail/dev/attachments/20121004/919bd372/attachment.c>