[strongSwan] SA failed while configuring through stroke message
Andreas Steffen
andreas.steffen at strongswan.org
Fri Apr 9 10:34:11 CEST 2010
How do you know that the packets are not being encapsulated?
Does ipsec statusall show 0 transmitted inbound and outbound bytes?
Regards
Andreas
MANORANJAN S wrote:
> Hi all,
>
> I was able to establish a connection.
>
> I have configured the connection using a stroke message:
>
> ./stroke add suhas 10.0.0.2 10.0.0.1 10.0.0.2 10.0.0.1 2.2.2.0/24 1.1.1.0/24 24 24
> where 10.0.0.1 and 10.0.0.2 are the two Linux machine IPs and 2.2.2.0/24
> and 1.1.1.0/24 are the subnets
>
> This is the message I got after establishment:
>
> [root@manoranjan stroke]# ./stroke up suhas
>
> initiating IKE_SA suhas[1] to 10.0.0.1
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 10.0.0.2[500] to 10.0.0.1[500]
> received packet: from 10.0.0.1[500] to 10.0.0.2[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(MULT_AUTH) ]
> authentication of '10.0.0.2' (myself) with pre-shared key
> establishing CHILD_SA suhas
> generating IKE_AUTH request 1 [ IDi IDr AUTH N(USE_TRANSP) SA TSi TSr
> N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> sending packet: from 10.0.0.2[4500] to 10.0.0.1[4500]
> received packet: from 10.0.0.1[4500] to 10.0.0.2[4500]
> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
> authentication of '10.0.0.1' with pre-shared key successful
> IKE_SA suhas[1] established between 10.0.0.2[10.0.0.2]...10.0.0.1[10.0.0.1]
>
> [root@manoranjan stroke]# ./stroke status
> Security Associations:
> suhas[1]: ESTABLISHED 6 seconds ago,
> 10.0.0.2[10.0.0.2]...10.0.0.1[10.0.0.1]
> suhas{1}: INSTALLED, TUNNEL, ESP SPIs: cdef8e21_i c9c84ba0_o
> suhas{1}: 2.2.2.0/24 === 1.1.1.0/24
>
> But when I ping from 2.2.2.2 to 1.1.1.1, packets won't get encapsulated.
> Please help me. Thanks in advance.
>
> With Regards
> Manoranjan S
>
> On Thu, Apr 8, 2010 at 1:39 PM, MANORANJAN S <manoranjan.s123 at gmail.com> wrote:
>
> Hi All,
>
> I am trying to set up an SA (IKEv2) by installing strongSwan 4.3.5 on
> two Linux boxes.
> I have configured the connection using a stroke message:
>
> ./stroke add mano 10.0.0.1 10.0.0.2 10.0.0.2 10.0.0.1 2.2.2.0/24 1.1.1.0/24 1 2
>
> where 10.0.0.1 and 10.0.0.2 are the two Linux machine IPs and 2.2.2.0 and
> 1.1.1.0 are the subnets.
>
> I am getting the following error during SA establishment.
>
> Please let me know if there are any more stroke commands to be run for
> a successful SA.
>
>
> [root@manoranjan stroke]# ./stroke up mano
> initiating IKE_SA mano[1] to 10.0.0.1
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 10.0.0.2[500] to 10.0.0.1[500]
> received packet: from 10.0.0.1[500] to 10.0.0.2[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(MULT_AUTH) ]
> authentication of '10.0.0.1' (myself) with pre-shared key
> establishing CHILD_SA mano
> generating IKE_AUTH request 1 [ IDi IDr AUTH N(USE_TRANSP) SA TSi
> TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> sending packet: from 10.0.0.2[4500] to 10.0.0.1[4500]
> received packet: from 10.0.0.1[4500] to 10.0.0.2[4500]
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error
> [root@manoranjan stroke]# ls
>
>
> regards
> Manoranjan S
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==