[strongSwan] Problem configuring strongSwan

Andreas Steffen andreas.steffen at strongswan.org
Thu Apr 15 16:31:56 CEST 2010


Hi Pankaj,

could you start the pluto daemon without forking with the command

   ipsec start --nofork

and see what happens?

Regards

Andreas

On 15.04.2010 15:51, pankaj gupta wrote:
> Hi community,
>
> I have been pretty desperate to make strongSwan work for the last week, but
> didn't succeed.
>
> I configured using README of strongswan 4.3.6 but connection is not working.
>
> I configured /etc/ipsec.conf for roadwarrior case with:
>
> 10.1.0.0/16 -- | 192.168.1.24 | === | 192.168.1.21 |
> karmic-net          karmic           pankaj-desktop
>
> contents of /etc/ipsec.conf:
>
>     config setup
>              plutodebug=control
>              crlcheckinterval=180
>              strictcrlpolicy=no
>              charonstart=no
>
>     # Add connections here.
>
>     conn %default
>              ikelifetime=60m
>              keylife=20m
>              rekeymargin=3m
>              keyingtries=1
>              left=192.168.1.24
>              leftcert=karmicCert.pem
>              leftid=@karmic
>              leftfirewall=yes
>
>     conn net-net
>              leftsubnet=10.1.0.0/16
>              right=192.168.1.21
>              rightsubnet=10.2.0.0/16
>              rightid=@pankaj-desktop
>              auto=add
>
>     conn host-host
>              right=192.168.1.21
>              rightid=@pankaj-desktop
>              auto=add
>
>     conn rw
>              left=192.168.1.21
>              leftsubnet=10.1.0.0/16
>              leftcert=karmicCert.pem
>              right=%any
>              auto=add
>
>
>
> I have configured certificates and the roadwarrior machine (pankaj-desktop)
> as well.
>
> Now, I cannot ping 10.1.0.1 from pankaj-desktop (roadwarrior).
> Also, commands like 'ipsec status' and 'ipsec listcerts' are not
> showing any result.
>
> Do you see any problem in this configuration?
>
> Please help me configure this. Let me know any other diagnostic results
> you need in this regard.
>
> This is part of the log from /usr/log/auth.log:
>
>     Apr 15 18:35:01 karmic CRON[24082]: pam_unix(cron:session): session
>     closed for user root
>     Apr 15 18:38:32 karmic ipsec_starter[24120]: Starting strongSwan
>     4.3.6 IPsec [starter]...
>     Apr 15 18:38:43 karmic ipsec_starter[24133]: pluto too long to
>     start... - kill kill
>     Apr 15 18:38:45 karmic ipsec_starter[24135]: Starting strongSwan
>     4.3.6 IPsec [starter]...
>     Apr 15 18:38:55 karmic ipsec_starter[24160]: pluto too long to
>     start... - kill kill
>     Apr 15 18:38:56 karmic ipsec_starter[24160]: connect(pluto_ctl)
>     failed: No such file or directory
>     Apr 15 18:39:01 karmic last message repeated 3 times
>     Apr 15 18:39:02 karmic ipsec_starter[24160]: starter_stop_pluto():
>     pluto does not respond, sending KILL
>     Apr 15 18:39:03 karmic ipsec_starter[24160]: starter_stop_pluto():
>     can't stop pluto !!!
>     Apr 15 18:39:03 karmic starter[24160]: ipsec starter stopped
>     Apr 15 18:40:01 karmic CRON[24190]: pam_unix(cron:session): session
>     opened for user root by (uid=0)
>
>
> When I run starter with debugging:
>
>     root@karmic:~# /usr/libexec/ipsec/starter --debug-all
>     Starting strongSwan 4.3.6 IPsec [starter]...
>     | Default route found: iface=eth0, addr=192.168.1.24,
>     nexthop=192.168.1.1
>     | Loading config setup
>     |   plutodebug=all
>     |   crlcheckinterval=180
>     |   strictcrlpolicy=no
>     |   charonstart=no
>     | Loading conn %default
>     |   ikelifetime=60m
>     |   keylife=20m
>     |   rekeymargin=3m
>     |   keyingtries=1
>     |   left=192.168.1.24
>     |   leftcert=karmicCert.pem
>     |   leftid=@karmic
>     |   leftfirewall=yes
>     | Loading conn 'net-net'
>     |   leftsubnet=10.1.0.0/16
>     |   right=192.168.1.21
>     |   rightsubnet=10.2.0.0/16
>     |   rightid=@pankaj-desktop
>     |   auto=add
>     | Loading conn 'host-host'
>     |   right=192.168.1.21
>     |   rightid=@pankaj-desktop
>     |   auto=add
>     | Loading conn 'rw'
>     |   left=192.168.1.21
>     |   leftsubnet=10.1.0.0/16
>     |   leftcert=karmicCert.pem
>     |   right=%any
>     |   auto=add
>     | Found netkey IPsec stack
>
>
> That means starter is working fine, right?
>
> Regards
> Pankaj Gupta

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
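
An added example (not part of the original thread and not strongSwan code): a small Python resolver that merges `conn %default` into each connection of the quoted ipsec.conf, as the starter debug output lists them, and reports connections in which neither `left` nor `right` is one of the host's own addresses. The function names, the abbreviated sample and the treatment of `%any` as a non-local wildcard are assumptions of this example; the local address 192.168.1.24 is taken from the starter output above.

```python
# Constructed sample: abbreviated copy of the ipsec.conf quoted in the message.
SAMPLE_CONF = """\
config setup
    charonstart=no

conn %default
    left=192.168.1.24
    leftcert=karmicCert.pem
    leftid=@karmic

conn net-net
    leftsubnet=10.1.0.0/16
    right=192.168.1.21
    rightid=@pankaj-desktop

conn host-host
    right=192.168.1.21
    rightid=@pankaj-desktop

conn rw
    left=192.168.1.21
    leftsubnet=10.1.0.0/16
    right=%any
"""

def effective_conns(text):
    """Return {conn name: settings} with conn %default merged under each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                   # section header at column 0
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:  # indented key=value in a conn
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **own} for name, own in sections.items()}

def unoriented(conns, local_addrs):
    """Conns where neither end is a local address (%any counted as non-local: assumption)."""
    local = set(local_addrs) | {"%defaultroute"}
    return [name for name, c in conns.items()
            if c.get("left") not in local and c.get("right") not in local]

if __name__ == "__main__":
    print(unoriented(effective_conns(SAMPLE_CONF), ["192.168.1.24"]))
```

On the sample, `conn rw` is the only connection reported: its own `left=192.168.1.21` replaces the default `left=192.168.1.24`, while `leftid=@karmic` and `leftcert=karmicCert.pem` are still inherited from `conn %default`.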



