[strongSwan] Can SAs be setup between linux virtual containers?

Meera Sudhakar mira.sudhakar at gmail.com
Mon Apr 25 13:18:00 CEST 2011 

Hi Andreas and Team,

You had previously helped me out with setting up of SAs between two physical
nodes. I am now trying to send IPsec traffic from a linux virtual container
to another virtual container, through a physical device that acts as a
router. I installed strongswan on the two virtual containers (both are on
the same host). The machine acting as router does not have strongswan
installed on it. Now, the two virtual containers can ping each other
(traffic goes via the router...this can be seen using the command ping -R),
but for some reason, when I start strongswan, the two virtual containers
cannot exchange messages.

I believe they should have been able to exchange messages, since they can
ping each other. I see no other error in the log files. Could you please let
me know if I am using strongswan correctly here? Is it enough if strongswan
is installed and configured on the two virtual containers only?

Please find the setup, logs and configuration below:

*Setup:*
 Attached to this mail.


* ipsec.conf on VC1:*
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        # plutodebug=all
        # crlcheckinterval=600
        strictcrlpolicy=no
        # cachecrls=yes
        # nat_traversal=yes
        charonstart=yes
        charondebug=all
        plutostart=no
# Add connections here.
# Sample VPN connections
#conn sample-self-signed
#      left=%defaultroute
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start
ca strongswan
        cacert=caCert.der
        auto=add
conn sample-with-ca-cert
      left=10.58.113.37
      leftsubnet=10.58.113.0/24
      leftcert=VC1Cert.der
      right=10.58.113.118
      rightsubnet=10.58.113.0/24
      rightid="C=CH, O=Linux strongSwan CN=10.58.113.118"
      keyexchange=ikev2
      auto=add

*ipsec.conf on VC2:*
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        # plutodebug=all
        # crlcheckinterval=600
         strictcrlpolicy=no
        # cachecrls=yes
        # nat_traversal=yes
        charonstart=yes
        plutostart=no
        charondebug=all
# Add connections here.
# Sample VPN connections
#conn sample-self-signed
#      left=%defaultroute
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start
ca strongswan
        cacert=caCert.der
        auto=add
conn sample-with-ca-cert
      left=10.58.113.118
      leftsubnet=10.58.113.0/24
      leftcert=VC2Cert.der
      right=10.58.113.37
      rightsubnet=10.58.113.0/24
      rightid="C=CH, O=Linux strongSwan CN=10.58.113.37"
      keyexchange=ikev2
      auto=start

*log file on VC1:*
Apr 25 23:17:16 vc1 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan
4.4.0)
Apr 25 23:17:16 vc1 charon: 00[LIB] Padlock not found, CPU is GenuineIntel
Apr 25 23:17:16 vc1 charon: 00[LIB] plugin 'padlock': failed to load -
padlock_plugin_create returned NULL
Apr 25 23:17:16 vc1 charon: 00[CFG] attr-sql plugin: database URI not set
Apr 25 23:17:16 vc1 charon: 00[LIB] plugin 'attr-sql': failed to load -
attr_sql_plugin_create returned NULL
Apr 25 23:17:16 vc1 charon: 00[KNL] listening on interfaces:
Apr 25 23:17:16 vc1 charon: 00[KNL]   eth2
Apr 25 23:17:16 vc1 charon: 00[KNL]     10.58.113.37
Apr 25 23:17:16 vc1 charon: 00[KNL]     fe80::21f:29ff:fe69:70ae
Apr 25 23:17:16 vc1 charon: 00[KNL]   ethvc1
Apr 25 23:17:16 vc1 charon: 00[KNL]     10.58.113.60
Apr 25 23:17:16 vc1 charon: 00[KNL]     fe80::4caa:9cff:fe10:c28
Apr 25 23:17:16 vc1 charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Apr 25 23:17:16 vc1 charon: 00[CFG]   loaded ca certificate "C=CH,
O=strongSwan, CN=strongSwan CA" from '/etc/ipsec.d/cacerts/caCert.der'
Apr 25 23:17:16 vc1 charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Apr 25 23:17:16 vc1 charon: 00[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'
Apr 25 23:17:16 vc1 charon: 00[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
Apr 25 23:17:16 vc1 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr 25 23:17:16 vc1 charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Apr 25 23:17:16 vc1 charon: 00[CFG]   loaded RSA private key from
'/etc/ipsec.d/private/VC1Key.der'
Apr 25 23:17:16 vc1 charon: 00[CFG] expanding file expression
'/var/lib/strongswan/ipsec.secrets.inc' failed
Apr 25 23:17:16 vc1 charon: 00[CFG] sql plugin: database URI not set
Apr 25 23:17:16 vc1 charon: 00[LIB] plugin 'sql': failed to load -
sql_plugin_create returned NULL
Apr 25 23:17:16 vc1 charon: 00[CFG] no RADUIS secret defined
Apr 25 23:17:16 vc1 charon: 00[CFG] RADIUS plugin initialization failed
Apr 25 23:17:16 vc1 charon: 00[LIB] plugin 'eap-radius': failed to load -
eap_radius_plugin_create returned NULL
Apr 25 23:17:16 vc1 charon: 00[CFG] mediation database URI not defined,
skipped
Apr 25 23:17:16 vc1 charon: 00[LIB] plugin 'medsrv': failed to load -
medsrv_plugin_create returned NULL
Apr 25 23:17:16 vc1 charon: 00[CFG] mediation client database URI not
defined, skipped
Apr 25 23:17:16 vc1 charon: 00[LIB] plugin 'medcli': failed to load -
medcli_plugin_create returned NULL
Apr 25 23:17:16 vc1 charon: 00[LIB] plugin 'nm': failed to load
'/usr/lib/ipsec/plugins/libstrongswan-nm.so' -
/usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object file:
No such file or directory
Apr 25 23:17:16 vc1 charon: 00[CFG] HA config misses local/remote address
Apr 25 23:17:16 vc1 charon: 00[LIB] plugin 'ha': failed to load -
ha_plugin_create returned NULL
Apr 25 23:17:16 vc1 charon: 00[DMN] loaded plugins: curl ldap aes des sha1
sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl fips-prf xcbc hmac
agent gmp attr kernel-netlink socket-default socket-raw socket-dynamic farp
stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp resolve
Apr 25 23:17:16 vc1 charon: 00[JOB] spawning 16 worker threads
Apr 25 23:17:16 vc1 charon: 06[CFG] received stroke: add ca 'strongswan'
Apr 25 23:17:16 vc1 charon: 06[CFG] added ca 'strongswan'
Apr 25 23:17:16 vc1 charon: 06[CFG] received stroke: add connection
'sample-with-ca-cert'
Apr 25 23:17:16 vc1 charon: 06[CFG]   loaded certificate "C=CH,
O=strongSwan, CN=10.58.113.37" from 'VC1Cert.der'
Apr 25 23:17:16 vc1 charon: 06[CFG]   id '10.58.113.37' not confirmed by
certificate, defaulting to 'C=CH, O=strongSwan, CN=10.58.113.37'
Apr 25 23:17:16 vc1 charon: 06[CFG] added configuration
'sample-with-ca-cert'
Apr 25 23:20:01 vc1 CRON[9313]: (smmsp) CMD (test -x /etc/init.d/sendmail &&
/usr/share/sendmail/sendmail cron-msp)

*log file on VC2:*
Apr 25 23:17:20 vc2 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan
4.4.0)
Apr 25 23:17:20 vc2 charon: 00[LIB] Padlock not found, CPU is GenuineIntel
Apr 25 23:17:20 vc2 charon: 00[LIB] plugin 'padlock': failed to load -
padlock_plugin_create returned NULL
Apr 25 23:17:20 vc2 charon: 00[CFG] attr-sql plugin: database URI not set
Apr 25 23:17:20 vc2 charon: 00[LIB] plugin 'attr-sql': failed to load -
attr_sql_plugin_create returned NULL
Apr 25 23:17:20 vc2 charon: 00[KNL] listening on interfaces:
Apr 25 23:17:20 vc2 charon: 00[KNL]   eth3
Apr 25 23:17:20 vc2 charon: 00[KNL]     10.58.113.118
Apr 25 23:17:20 vc2 charon: 00[KNL]     fe80::21f:29ff:fe69:28
Apr 25 23:17:20 vc2 charon: 00[KNL]   ethvc2
Apr 25 23:17:20 vc2 charon: 00[KNL]     10.58.113.101
Apr 25 23:17:20 vc2 charon: 00[KNL]     fe80::384d:1aff:fe17:36e2
Apr 25 23:17:20 vc2 charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Apr 25 23:17:20 vc2 charon: 00[CFG]   loaded ca certificate "C=CH,
O=strongSwan, CN=strongSwan CA" from '/etc/ipsec.d/cacerts/caCert.der'
Apr 25 23:17:20 vc2 charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Apr 25 23:17:20 vc2 charon: 00[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'
Apr 25 23:17:20 vc2 charon: 00[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
Apr 25 23:17:20 vc2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr 25 23:17:20 vc2 charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Apr 25 23:17:21 vc2 charon: 00[CFG]   loaded RSA private key from
'/etc/ipsec.d/private/VC2Key.der'
Apr 25 23:17:21 vc2 charon: 00[CFG] expanding file expression
'/var/lib/strongswan/ipsec.secrets.inc' failed
Apr 25 23:17:21 vc2 charon: 00[CFG] sql plugin: database URI not set
Apr 25 23:17:21 vc2 charon: 00[LIB] plugin 'sql': failed to load -
sql_plugin_create returned NULL
Apr 25 23:17:21 vc2 charon: 00[CFG] no RADUIS secret defined
Apr 25 23:17:21 vc2 charon: 00[CFG] RADIUS plugin initialization failed
Apr 25 23:17:21 vc2 charon: 00[LIB] plugin 'eap-radius': failed to load -
eap_radius_plugin_create returned NULL
Apr 25 23:17:21 vc2 charon: 00[CFG] mediation database URI not defined,
skipped
Apr 25 23:17:21 vc2 charon: 00[LIB] plugin 'medsrv': failed to load -
medsrv_plugin_create returned NULL
Apr 25 23:17:21 vc2 charon: 00[CFG] mediation client database URI not
defined, skipped
Apr 25 23:17:21 vc2 charon: 00[LIB] plugin 'medcli': failed to load -
medcli_plugin_create returned NULL
Apr 25 23:17:21 vc2 charon: 00[LIB] plugin 'nm': failed to load
'/usr/lib/ipsec/plugins/libstrongswan-nm.so' -
/usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object file:
No such file or directory
Apr 25 23:17:21 vc2 charon: 00[CFG] HA config misses local/remote address
Apr 25 23:17:21 vc2 charon: 00[LIB] plugin 'ha': failed to load -
ha_plugin_create returned NULL
Apr 25 23:17:21 vc2 charon: 00[DMN] loaded plugins: curl ldap aes des sha1
sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl fips-prf xcbc hmac
agent gmp attr kernel-netlink socket-default socket-raw socket-dynamic farp
stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp resolve
Apr 25 23:17:21 vc2 charon: 00[JOB] spawning 16 worker threads
Apr 25 23:17:21 vc2 charon: 06[CFG] received stroke: add ca 'strongswan'
Apr 25 23:17:21 vc2 charon: 06[CFG] added ca 'strongswan'
Apr 25 23:17:21 vc2 charon: 06[CFG] received stroke: add connection
'sample-with-ca-cert'
Apr 25 23:17:21 vc2 charon: 06[CFG]   loaded certificate "C=CH,
O=strongSwan, CN=10.58.113.118" from 'VC2Cert.der'
Apr 25 23:17:21 vc2 charon: 06[CFG]   id '10.58.113.118' not confirmed by
certificate, defaulting to 'C=CH, O=strongSwan, CN=10.58.113.118'
Apr 25 23:17:21 vc2 charon: 06[CFG] added configuration
'sample-with-ca-cert'
*Apr 25 23:17:21 vc2 charon: 06[CFG] received stroke: initiate
'sample-with-ca-cert'
Apr 25 23:17:21 vc2 charon: 06[IKE] initiating IKE_SA sample-with-ca-cert[1]
to 10.58.113.37
Apr 25 23:17:21 vc2 charon: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 25 23:17:21 vc2 charon: 06[NET] sending packet: from 10.58.113.118[500]
to 10.58.113.37[500]
Apr 25 23:17:25 vc2 charon: 16[IKE] retransmit 1 of request with message ID
0
Apr 25 23:17:25 vc2 charon: 16[NET] sending packet: from 10.58.113.118[500]
to 10.58.113.37[500]
*Apr 25 23:17:32 vc2 charon: 01[IKE] retransmit 2 of request with message ID
0
Apr 25 23:17:32 vc2 charon: 01[NET] sending packet: from 10.58.113.118[500]
to 10.58.113.37[500]
Apr 25 23:17:45 vc2 charon: 11[IKE] retransmit 3 of request with message ID
0
Apr 25 23:17:45 vc2 charon: 11[NET] sending packet: from 10.58.113.118[500]
to 10.58.113.37[500]
Apr 25 23:18:08 vc2 charon: 13[IKE] retransmit 4 of request with message ID
0
Apr 25 23:18:08 vc2 charon: 13[NET] sending packet: from 10.58.113.118[500]
to 10.58.113.37[500]
Apr 25 23:18:50 vc2 charon: 10[IKE] retransmit 5 of request with message ID
0
Apr 25 23:18:50 vc2 charon: 10[NET] sending packet: from 10.58.113.118[500]
to 10.58.113.37[500]
Apr 25 23:20:01 vc2 CRON[10869]: (smmsp) CMD (test -x /etc/init.d/sendmail
&& /usr/share/sendmail/sendmail cron-msp)
Apr 25 23:20:06 vc2 charon: 15[IKE] giving up after 5 retransmits
Apr 25 23:20:06 vc2 charon: 15[IKE] peer not responding, trying again (2/3)
Apr 25 23:20:06 vc2 charon: 15[IKE] initiating IKE_SA sample-with-ca-cert[1]
to 10.58.113.37
Apr 25 23:20:06 vc2 charon: 15[ENC] generating IKE_SA_INIT request 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 25 23:20:06 vc2 charon: 15[NET] sending packet: from 10.58.113.118[500]
to 10.58.113.37[500]
Apr 25 23:20:10 vc2 charon: 12[IKE] retransmit 1 of request with message ID
0
Apr 25 23:20:10 vc2 charon: 12[NET] sending packet: from 10.58.113.118[500]
to 10.58.113.37[500]


*Ping happening between VC1 and VC2(through the router):*
root at vc2:~# *ping -R 10.58.113.37
*PING 10.58.113.37 (10.58.113.37) 56(124) bytes of data.
64 bytes from 10.58.113.37: icmp_req=1 ttl=63 time=0.464 ms
RR:     10.58.113.118
        10.58.113.89
        10.58.113.37
        10.58.113.37
        10.58.113.254
        10.58.113.118
64 bytes from 10.58.113.37: icmp_req=2 ttl=63 time=0.431 ms     (same route)
64 bytes from 10.58.113.37: icmp_req=3 ttl=63 time=0.438 ms     (same route)
64 bytes from 10.58.113.37: icmp_req=4 ttl=63 time=0.427 ms     (same route)
^C
--- 10.58.113.37 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2998ms
rtt min/avg/max/mdev = 0.427/0.440/0.464/0.014 ms


Thanks and regards,
Meera
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110425/be1fc18d/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: setup.doc
Type: application/msword
Size: 30720 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110425/be1fc18d/attachment.doc>

More information about the Users mailing list