[strongSwan] IKEv1 not working

Andreas Steffen andreas.steffen at strongswan.org
Fri Aug 19 12:52:47 CEST 2011


Hello Kavitha,

the IKEv1 pluto daemon is logging to the authpriv syslog facility
and not to the daemon facility. Just grep for pluto in /var/log/
in order to find the correct log file.

The status information shows that the first IKEv1 Main Mode
exchange has been successful but that the other endpoint
does not send an answer. In order to generate a helpful log
please increase the loglevel in ipsec.conf to

  plutodebug="control"

and post the generated log output.

Best regards

Andreas

On 19.08.2011 09:22, Lm, Kavitha (NSN - IN/Bangalore) wrote:
> Hi,
> 
> This is regarding an issue that we are facing with IKEv1.
> 
> We are able to setup an IPSEC tunnel with IKEv2 but the same is failing
> with IKEv1.
> 
> *Ipsec.conf file for IKEv2:*
> 
> config setup
> 
>         # plutodebug=all
> 
>          strictcrlpolicy=no
> 
>         charonstart=yes
> 
>         plutostart=no
> 
>         charondebug=all
> 
> 
> ca strongswan
> 
>         cacert=caCert.der
> 
>         auto=add
> 
> conn sample-with-ca-cert
> 
>       left=169.254.1.70
> 
>       leftsubnet=169.254.1.0/24
> 
>       leftcert=VC2Cert.der
> 
>       right=169.254.0.70
> 
>       rightsubnet=169.254.0.0/24
> 
>       rightid="C=CH, O=strongSwan, CN=169.254.0.70"
> 
>       keyexchange=ikev2
> 
>       auto=start
> 
> This configuration works fine for IKEv2 tunnels:
> 
> *# ipsec status*
> 
> Security Associations:
> 
> sample-with-ca-cert[1]: ESTABLISHED 18 seconds ago, 169.254.0.70[C=CH,
> O=strongSwan, CN=169.254.0.70]...169.254.1.70[C=CH, O=strongSwan,
> CN=169.254.1.70]
> 
> sample-with-ca-cert{1}:  INSTALLED, TUNNEL, ESP SPIs: cb854b6d_i cd9ac880_o
> 
> sample-with-ca-cert{1}:   169.254.0.0/24 === 169.254.1.0/24
> 
> The instant we try this for IKEv1 (keyexchange=ikev1, charonstart=no,
> plutostart=yes), it fails and the tunnel is not getting established.
> 
> *# ipsec status*
> 
> 000 "sample-with-ca-cert": 169.254.1.0/24===169.254.1.70[C=CH,
> O=strongSwan, CN=169.254.1.70]...169.254.0.70[C=CH, O=strongSwan,
> CN=169.254.0.70]===169.254.0.0/24; unrouted; eroute owner: #0
> 
> 000 "sample-with-ca-cert":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 
> 000
> 
> 000 #1: "sample-with-ca-cert" STATE_MAIN_I2 (sent MI2, expecting MR2);
> EVENT_RETRANSMIT in 8s
> 
> 000 #1: pending Phase 2 for "sample-with-ca-cert" replacing #0
> 
> 000
> 
> No logging was observed at all for IKEv1. Could you please let us know how
> to solve this issue??
> 
> Please find some of the details of our environment below:
> 
> *Server:* Ubuntu–linux-2.6.35
> 
> *Strongswan IKEv1 version:*
> 
> # apt-cache policy strongswan-ikev1
> 
> strongswan-ikev1:
> 
>   Installed: 4.5.2-1.1
> 
>   Candidate: 4.5.2-1.1
> 
>   Version table:
> 
>  *** 4.5.2-1.1 0
> 
>         100 /var/lib/dpkg/status
> 
> We assume that IKEv1 is already installed from the above status.
> 
> Can you let us know of any other way to check if IKEv1 is supported?
> 
> /Thanks & Regards,/
> /Kavitha/


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
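
Added example, not part of the original message or of strongSwan: the two checks from this thread as shell functions, one locating the file that receives pluto's authpriv messages and one listing IKEv1 SAs in pluto `ipsec status` output that are still waiting on a retransmit. The function names, the `pluto[<pid>]` syslog tag pattern and the second SA in the sample are assumptions; the first SA is the status output quoted above.

```shell
#!/bin/sh
# List files under a log directory (default /var/log) that contain pluto
# syslog lines. The "pluto[<pid>]" tag format is an assumption.
find_pluto_logs() {
    grep -rlE 'pluto\[[0-9]+\]' "${1:-/var/log}" 2>/dev/null |
        grep -v '\.gz$' | sort
}

# Read pluto `ipsec status` output on stdin and print
# "<sa> <connection> <state>" for every SA with a pending EVENT_RETRANSMIT,
# i.e. an exchange whose last message is still unanswered.
stuck_states() {
    awk '
        # SA line: 000 #1: "name" STATE_MAIN_I2 (sent MI2, expecting MR2);
        /^000 #[0-9]+: "[^"]*"[^ ]* STATE_/ {
            sa = $2; sub(/:$/, "", sa)
            conn = $3; gsub(/"/, "", conn)
            state = $4; pend = 1
        }
        # The timer is on the SA line or, in wrapped mail text, the next one.
        pend && /EVENT_RETRANSMIT/ { print sa, conn, state; pend = 0 }
        # A bare "000" separator closes the current SA entry.
        /^000[ \t]*$/ { pend = 0 }
    '
}

# Sample input: SA #1 is the status quoted in this thread; SA #2 is a
# constructed established SA added to show that it is not reported.
sample_status() {
    cat <<'EOF'
000 #1: "sample-with-ca-cert" STATE_MAIN_I2 (sent MI2, expecting MR2);
EVENT_RETRANSMIT in 8s
000 #1: pending Phase 2 for "sample-with-ca-cert" replacing #0
000 #2: "other-conn" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 3200s
000
EOF
}

sample_status | stuck_states
```

On a live system the same filter would be fed with `ipsec status | stuck_states`, and `find_pluto_logs` with no argument searches /var/log.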