[strongSwan] interop between FREES/WAN and racoon2;

Yatong Cui yacui at redhat.com
Fri Oct 22 13:13:20 CEST 2010


Dear,

Currently my racoon2 can already interoperate with strongSwan, and later when I tried the Openswan interop, it seems there are still some wrong configurations. I hope you could guide me to solve this problem.

Here is the info.

Topology:
=========
I've replaced the strongswan with the openswan.

CONFIG:
=========
Racoon2:
--------
Essentially the same configuration (change the address accordingly)

Openswan:
----------
[root@TAR-EN1 ~]# cat /etc/ipsec.conf
config setup
        crlcheckinterval="180"
        strictcrlpolicy=no
        protostack=netkey
        plutodebug=all

conn %default
        keyingtries=1
        ike=3des-sha1;modp1024
        phase2alg=3des-sha1
        authby=secret
        ikev2=yes
        rekey=yes

conn TAHI
        connaddrfamily=ipv6
        type=transport
        left=2001:db8:1:2:20c:29ff:fe0c:3ed1
        right=2001:db8:1:1:20c:29ff:fe4d:489
        leftid=2001:db8:1:2:20c:29ff:fe0c:3ed1
        rightid=2001:db8:1:1:20c:29ff:fe4d:489
        compress=no
        auto=add
[root@TAR-EN1 ~]# cat /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
[root@TAR-EN1 ~]# cat /etc/ipsec.d/tahi.secrets
: PSK "IKETEST123!"

Logging Messages
====================
1 OPENSWAN as the initiator

Log on Openswan:
[root@TAR-EN1 ~]# ipsec auto --up TAHI
no default routes detected
133 "TAHI" #1: STATE_PARENT_I1: initiate
133 "TAHI" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
134 "TAHI" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=oakley_sha group=modp1024}
004 "TAHI" #2: STATE_PARENT_I3: PARENT SA established transport mode {ESP=>0x00e9b46a <0xd25e4b1e xfrm=3DES_192-HMAC_SHA1 NATOA=none NATD=none DPD=none}

Log on Racoon2:
2010-10-22 19:08:06 [DEBUG]: script.c:317:ikev2_script_hook(): no hook script defined
-----------------------------------------------------------------------------------------------------------------------------------
The log seems to show no problem, yet the ping isn't successful.



2 Racoon2 as the initiator
-------------------------------------------------------------------------------------------------------------------------------------
Log on Racoon2
2010-10-22 19:10:12 [PROTO_ERR]: ikev2_child.c:1441:ikev2_update_child(): 1:2001:db8:1:1:20c:29ff:fe4d:489[500] - 2001:db8:1:2:20c:29ff:fe0c:3ed1[500]:0x0:mode mismatch: peer tunnel mine transport
2010-10-22 19:10:12 [DEBUG]: ike_pfkey.c:392:sadb_responder_error(): sadb_responder_error: seq=1, satype=96, spi=0x00000000, errno=61
2010-10-22 19:10:12 [DEBUG]: ikev2_child.c:139:ikev2_child_state_set(): child_sa 0x28451500 state WAIT_RESPONSE -> EXPIRED
2010-10-22 19:10:12 [DEBUG]: ike_sa.c:552:ikev2_sa_start_lifetime_timer(): lifetime: 86400
2010-10-22 19:10:12 [DEBUG]: ike_sa.c:562:ikev2_sa_start_lifetime_timer(): lifetime_soft: 74726
2010-10-22 19:10:12 [DEBUG]: ike_sa.c:817:ikev2_sa_start_polling_timer(): dpd polling interval 3600
2010-10-22 19:10:12 [DEBUG]: script.c:317:ikev2_script_hook(): no hook script defined
2010-10-22 19:10:15 [DEBUG]: ike_sa.c:225:ikev2_sa_periodic_task(): ike_sa: 0x28458180 state 6
2010-10-22 19:10:15 [DEBUG]: ike_sa.c:230:ikev2_sa_periodic_task(): child_sa: 0x28451500 state 5
2010-10-22 19:10:15 [DEBUG]: ike_sa.c:234:ikev2_sa_periodic_task(): deallocating child_sa 0x28451500
2010-10-22 19:10:15 [DEBUG]: ike_pfkey.c:255:sadb_request_finish(): 0x28451518
2010-10-22 19:10:15 [DEBUG]: ike_sa.c:248:ikev2_sa_periodic_task(): launching grace period 0x28458180
-----------------------------------------------------------------------------------------------------------------------------------
The log says I've chosen the wrong mode on Openswan, yet I've set the mode to transport.

Thanks
Frank 
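The post above compares an Openswan ipsec.conf against a racoon2 log by eye. The following script is an added example, not code from the post, from Openswan or from racoon2: it parses an ipsec.conf of the shape shown above (resolving `conn %default` inheritance and the Openswan default of `type=tunnel` when neither section sets it), extracts the `mode mismatch: peer ... mine ...` field from a racoon2 `PROTO_ERR` line, and reports whether the mode the local config asks for agrees with the mode racoon2 says the peer proposed. The sample config and log line embedded in it are constructed to mirror the post; the function names and the result keys are this example's own. A disagreement between the two, as in the post, tells you the discrepancy is in what was negotiated on the wire rather than in the file you edited, which is where to look next (packet capture of the IKE_AUTH exchange, or the other peer's debug output).

```python
"""Cross-check an Openswan ipsec.conf against a racoon2 mode-mismatch error.

Added example: parses ipsec.conf sections, resolves %default inheritance,
and compares the effective 'type' of a conn with what racoon2 reports the
peer proposed. Not part of Openswan or racoon2.
"""
import re

# Constructed sample ipsec.conf, same shape as the one quoted in the post.
SAMPLE_IPSEC_CONF = """\
config setup
        protostack=netkey   # comments and blank lines are skipped

conn %default
        keyingtries=1
        ike=3des-sha1;modp1024
        phase2alg=3des-sha1
        authby=secret
        ikev2=yes

conn TAHI
        connaddrfamily=ipv6
        type=transport
        left=2001:db8:1:2:20c:29ff:fe0c:3ed1
        right=2001:db8:1:1:20c:29ff:fe4d:489
        auto=add
"""

# Constructed racoon2 log lines, same format as the PROTO_ERR line in the post.
SAMPLE_RACOON2_LOG = [
    "2010-10-22 19:10:12 [DEBUG]: script.c:317:ikev2_script_hook(): no hook script defined",
    "2010-10-22 19:10:12 [PROTO_ERR]: ikev2_child.c:1441:ikev2_update_child(): "
    "1:2001:db8:1:1:20c:29ff:fe4d:489[500] - 2001:db8:1:2:20c:29ff:fe0c:3ed1[500]:0x0:"
    "mode mismatch: peer tunnel mine transport",
]


def parse_ipsec_conf(text):
    """Return {'setup': {...}, 'conns': {name: {...}}}.

    Unindented lines are section headers ('config setup' or 'conn NAME');
    indented key=value lines belong to the most recent header. Quotes around
    values are stripped. 'include' directives are not followed here.
    """
    sections = {"setup": {}, "conns": {}}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():               # section header
            head = line.split()
            if head[:2] == ["config", "setup"]:
                current = sections["setup"]
            elif head[0] == "conn" and len(head) == 2:
                current = sections["conns"].setdefault(head[1], {})
            else:
                raise ValueError("unrecognised section header: %r" % line)
            continue
        if current is None or "=" not in line:
            raise ValueError("key=value line outside a section: %r" % line)
        key, value = (part.strip() for part in line.strip().split("=", 1))
        current[key] = value.strip('"')
    return sections


def effective_conn(sections, name):
    """Merge 'conn %default' under the named conn, the way Openswan applies it.
    'type' falls back to tunnel, the ipsec.conf default, when nothing sets it."""
    if name not in sections["conns"]:
        raise KeyError("no such conn: %s" % name)
    eff = {"type": "tunnel"}
    eff.update(sections["conns"].get("%default", {}))
    eff.update(sections["conns"][name])
    return eff


# Matches the racoon2 ikev2_update_child() error quoted in the post.
MODE_MISMATCH_RE = re.compile(r"\[PROTO_ERR\].*mode mismatch: peer (\w+) mine (\w+)")


def parse_mode_mismatch(log_lines):
    """Return (peer_mode, my_mode) from the first mode-mismatch line, else None."""
    for line in log_lines:
        m = MODE_MISMATCH_RE.search(line)
        if m:
            return m.group(1), m.group(2)
    return None


def check_interop(conf_text, racoon2_log_lines, conn_name):
    """Compare the conn's configured mode with the peer mode racoon2 reports."""
    eff = effective_conn(parse_ipsec_conf(conf_text), conn_name)
    mismatch = parse_mode_mismatch(racoon2_log_lines)
    peer_mode = None if mismatch is None else mismatch[0]
    return {
        "conn": conn_name,
        "configured_mode": eff["type"],
        "ikev2": eff.get("ikev2"),
        "peer_mode_seen_by_racoon2": peer_mode,
        # True when racoon2 raised no mismatch or its view of the peer agrees with the file.
        "consistent": peer_mode is None or peer_mode == eff["type"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(check_interop(SAMPLE_IPSEC_CONF, SAMPLE_RACOON2_LOG, "TAHI"), indent=2))
```

Run it against the real `/etc/ipsec.conf` and a saved racoon2 log by replacing the two constructed samples; a result with `configured_mode` of `transport` and `peer_mode_seen_by_racoon2` of `tunnel` is exactly the situation in the post, and `consistent: false` means the file and the negotiated mode disagree.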