[strongSwan] IKEv1 not working

Lm, Kavitha (NSN - IN/Bangalore) kavitha.lm at nsn.com
Wed Aug 24 12:19:43 CEST 2011


Hi Andreas,

Thanks a lot for the logging info.
I have increased the log level as mentioned to 'control' and have been
observing the auth.log.
It seems like there is some authentication problem. 
Could you please let us know if there is any particular way in which the
certificates have to be handled for IKEv1?


The certificates seem to work fine with IKEv2.
Please find below the certificate listing for IKEv2:

# ipsec listcerts

List of X.509 End Entity Certificates:

  subject:  "C=CH, O=strongSwan, CN=169.254.1.70"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan CA"
  serial:    00:ed:ae:f9:52:c4:3b:a8:70
  validity:  not before Aug 24 11:52:27 2011, ok
             not after  Aug 23 11:52:27 2014, ok 
  pubkey:    RSA 2048 bits
  keyid:     cc:42:17:bb:4d:ce:86:1d:6c:62:5c:03:65:aa:e8:5a:97:df:41:44
  subjkey:   9a:f9:a4:1e:0f:71:54:78:8a:af:c6:2f:ae:24:20:71:c0:71:8d:43
  authkey:   1e:fc:6e:71:5e:90:8f:7a:7d:3e:44:6b:32:10:03:a6:13:8d:9f:fa

  subject:  "C=CH, O=strongSwan, CN=169.254.0.70"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan CA"
  serial:    00:9f:bd:99:62:c2:a9:4e:b7
  validity:  not before Aug 24 11:51:14 2011, ok
             not after  Aug 23 11:51:14 2014, ok 
  pubkey:    RSA 2048 bits, has private key
  keyid:     3b:2a:c5:a1:c5:67:a9:39:5e:5b:2a:18:d4:05:73:b9:83:43:7d:ee
  subjkey:   26:9d:23:b0:57:d7:47:31:91:5f:aa:e6:cc:89:20:65:e4:c4:8a:0f
  authkey:   1e:fc:6e:71:5e:90:8f:7a:7d:3e:44:6b:32:10:03:a6:13:8d:9f:fa


When the ipsec.conf file is changed to the IKEv1 configuration (with the same
setup for certs), they are somehow not getting exchanged.
Please find below the certificate listing for IKEv1:

#  ipsec listcerts
000  
000 List of X.509 End Entity Certificates:
000  
000   subject:  "C=CH, O=strongSwan, CN=169.254.0.70"
000   issuer:   "C=CH, O=strongSwan, CN=strongSwan CA"
000   serial:    00:9f:bd:99:62:c2:a9:4e:b7
000   validity:  not before Aug 24 11:51:14 2011 ok
000              not after  Aug 23 11:51:14 2014 ok
000   pubkey:    RSA 2048 bits
000   keyid:     3b:2a:c5:a1:c5:67:a9:39:5e:5b:2a:18:d4:05:73:b9:83:43:7d:ee
000   subjkey:   26:9d:23:b0:57:d7:47:31:91:5f:aa:e6:cc:89:20:65:e4:c4:8a:0f
000   authkey:   1e:fc:6e:71:5e:90:8f:7a:7d:3e:44:6b:32:10:03:a6:13:8d:9f:fa


The following lines were also seen in the auth.log:


Aug 24 15:03:40 vc2_TPC1 pluto[8747]: "kay2" #1: we have a cert and are sending it upon request
Aug 24 15:03:40 vc2_TPC1 pluto[8747]: "kay2" #1: unable to locate my private key for signature
Aug 24 15:03:40 vc2_TPC1 pluto[8747]: "kay2" #1: sending encrypted notification AUTHENTICATION_FAILED to 169.254.0.70:500
Aug 24 15:03:40 vc2_TPC1 pluto[8747]: | state transition function for STATE_MAIN_I2 failed: AUTHENTICATION_FAILED

Can you please let us know where we are going wrong?
Also please find the attached logs, which might help in better
understanding:

 <<authlog_src.txt>>  <<ipsec_dst.conf>>  <<ipsec_src.conf>>  
<<tcpdump_dst.txt>>  <<tcpdump_src.txt>>  <<authlog_dst.txt>> 


Thanks & Regards, 
Kavitha 

-----Original Message-----
From: ext Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Friday, August 19, 2011 4:23 PM
To: Lm, Kavitha (NSN - IN/Bangalore)
Cc: Users at lists.strongswan.org; Sudhakar, Meera (NSN - IN/Bangalore)
Subject: Re: [strongSwan] IKEv1 not working

Hello Kavitha,

the IKEv1 pluto daemon is logging to the authpriv syslog facility
and not to the daemon facility. Just grep for pluto in /var/log/
in order to find the correct log file.

The status information shows that the first IKEv1 Main Mode
exchange has been successful but that the other endpoint
does not send an answer. In order to generate a helpful log
please increase the loglevel in ipsec.conf to

  plutodebug="control"

and post the generated log output.

Best regards

Andreas

On 19.08.2011 09:22, Lm, Kavitha (NSN - IN/Bangalore) wrote:
> Hi,
> 
> This is regarding an issue that we are facing with IKEv1.
> 
> We are able to set up an IPSEC tunnel with IKEv2 but the same is failing
> with IKEv1.
> 
> Ipsec.conf file for IKEv2:
> 
> config setup
>         # plutodebug=all
>         strictcrlpolicy=no
>         charonstart=yes
>         plutostart=no
>         charondebug=all
> 
> ca strongswan
>         cacert=caCert.der
>         auto=add
> 
> conn sample-with-ca-cert
>       left=169.254.1.70
>       leftsubnet=169.254.1.0/24
>       leftcert=VC2Cert.der
>       right=169.254.0.70
>       rightsubnet=169.254.0.0/24
>       rightid="C=CH, O=strongSwan, CN=169.254.0.70"
>       keyexchange=ikev2
>       auto=start
> 
> This configuration works fine for IKEv2 tunnels:
> 
> # ipsec status
> 
> Security Associations:
> sample-with-ca-cert[1]: ESTABLISHED 18 seconds ago, 169.254.0.70[C=CH, O=strongSwan, CN=169.254.0.70]...169.254.1.70[C=CH, O=strongSwan, CN=169.254.1.70]
> sample-with-ca-cert{1}:  INSTALLED, TUNNEL, ESP SPIs: cb854b6d_i cd9ac880_o
> sample-with-ca-cert{1}:   169.254.0.0/24 === 169.254.1.0/24
> 
> The instant we try this for IKEv1 (keyexchange=ikev1, charonstart=no,
> plutostart=yes), it fails and the tunnel is not getting established.
> 
> # ipsec status
> 
> 000 "sample-with-ca-cert": 169.254.1.0/24===169.254.1.70[C=CH, O=strongSwan, CN=169.254.1.70]...169.254.0.70[C=CH, O=strongSwan, CN=169.254.0.70]===169.254.0.0/24; unrouted; eroute owner: #0
> 000 "sample-with-ca-cert":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 
> 000 #1: "sample-with-ca-cert" STATE_MAIN_I2 (sent MI2, expecting MR2); EVENT_RETRANSMIT in 8s
> 000 #1: pending Phase 2 for "sample-with-ca-cert" replacing #0
> 000 
> 
> No logging was observed at all for IKEv1. Could you please let us know how
> to solve this issue?
> 
> Please find some of the details of our environment below:
> 
> Server: Ubuntu-linux-2.6.35
> 
> Strongswan IKEv1 version:
> 
> # apt-cache policy strongswan-ikev1
> strongswan-ikev1:
>   Installed: 4.5.2-1.1
>   Candidate: 4.5.2-1.1
>   Version table:
>  *** 4.5.2-1.1 0
>         100 /var/lib/dpkg/status
> 
> We assume that IKEv1 is already installed from the above status.
> 
> Can you let us know of any other way to check if IKEv1 is supported?
> 
> Thanks & Regards,
> Kavitha
> 
> 
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
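A small diagnostic for the symptom shown in this thread, added here as an example; it is not part of the mailing-list exchange and not strongSwan's own tooling. The IKEv1 `ipsec listcerts` output above prints the local end-entity certificate as `RSA 2048 bits` without the `has private key` marker that the same certificate carries in the IKEv2 listing, and pluto then logs `unable to locate my private key for signature` before sending AUTHENTICATION_FAILED. The script parses both listing formats (charon's plain indentation, and pluto/whack output where every status line carries the three-digit `000` return-code prefix and long values are wrapped onto the next line), extracts that auth.log message, and reports the combination for a given local identity. The sample inputs are constructed from the listings and log lines quoted above; the `local_cn` parameter and the function names are assumptions of this example.

```python
"""Detect a certificate loaded without its private key from strongSwan status output.

Added example for this thread, not strongSwan's own code: it parses the two
`ipsec listcerts` formats seen above (charon and pluto/whack) together with
pluto's auth.log and reports when the local end-entity certificate has no
"has private key" marker and pluto complains about a missing signing key.
"""
import re

# Constructed sample: trimmed copy of the IKEv2 (charon) listing quoted above.
LISTCERTS_IKEV2 = """\
List of X.509 End Entity Certificates:

  subject:  "C=CH, O=strongSwan, CN=169.254.1.70"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan CA"
  pubkey:    RSA 2048 bits
  keyid:     cc:42:17:bb:4d:ce:86:1d:6c:62:5c:03:65:aa:e8:5a:97:df:41:44

  subject:  "C=CH, O=strongSwan, CN=169.254.0.70"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan CA"
  pubkey:    RSA 2048 bits, has private key
  keyid:     3b:2a:c5:a1:c5:67:a9:39:5e:5b:2a:18:d4:05:73:b9:83:43:7d:ee
"""

# Constructed sample: the IKEv1 (pluto) listing. whack prefixes every status
# line with a three-digit return code ("000") and long values wrap.
LISTCERTS_IKEV1 = """\
000  
000 List of X.509 End Entity Certificates:
000  
000   subject:  "C=CH, O=strongSwan, CN=169.254.0.70"
000   issuer:   "C=CH, O=strongSwan, CN=strongSwan CA"
000   pubkey:    RSA 2048 bits
000   keyid:
3b:2a:c5:a1:c5:67:a9:39:5e:5b:2a:18:d4:05:73:b9:83:43:7d:ee
"""

# Constructed sample: the auth.log lines quoted above, rejoined to one line each.
AUTHLOG = """\
Aug 24 15:03:40 vc2_TPC1 pluto[8747]: "kay2" #1: we have a cert and are sending it upon request
Aug 24 15:03:40 vc2_TPC1 pluto[8747]: "kay2" #1: unable to locate my private key for signature
Aug 24 15:03:40 vc2_TPC1 pluto[8747]: "kay2" #1: sending encrypted notification AUTHENTICATION_FAILED to 169.254.0.70:500
"""

FIELDS = {'subject', 'issuer', 'serial', 'validity', 'pubkey', 'keyid', 'subjkey', 'authkey'}
FIELD_RE = re.compile(r'^(\w+):\s*(.*)$')
KEY_ERROR_RE = re.compile(
    r'pluto\[\d+\]: "([^"]+)" #(\d+): unable to locate my private key for signature')


def parse_listcerts(text):
    """Return one dict per end-entity certificate with its listed fields.

    Accepts charon output (plain indentation) and pluto/whack output ("000 "
    prefix, a value possibly wrapped onto the line after its field name).
    """
    certs, current, pending = [], None, None
    for raw in text.splitlines():
        line = (raw[3:] if raw.startswith('000') else raw).strip()
        if not line or line.startswith('List of'):
            continue
        m = FIELD_RE.match(line)
        if m and m.group(1) in FIELDS:
            name, value = m.group(1), m.group(2).strip().strip('"')
            if name == 'subject':          # every certificate block starts with subject
                current = {}
                certs.append(current)
            if current is not None:
                current[name] = value
                pending = name if value == '' else None
        elif current is not None and pending:
            current[pending] = line        # wrapped continuation of the previous field
            pending = None
    for cert in certs:
        cert['has_private_key'] = 'has private key' in cert.get('pubkey', '')
    return certs


def find_key_errors(authlog):
    """Return (connection name, state number) for each missing-private-key message."""
    return [(m.group(1), int(m.group(2))) for m in KEY_ERROR_RE.finditer(authlog)]


def diagnose(listcerts_text, authlog_text, local_cn):
    """List findings for the local identity; an empty list means nothing suspicious."""
    findings = []
    mine = [c for c in parse_listcerts(listcerts_text)
            if 'CN=' + local_cn in [p.strip() for p in c.get('subject', '').split(',')]]
    if not mine:
        findings.append('no end-entity certificate with CN=%s is loaded' % local_cn)
    elif not any(c['has_private_key'] for c in mine):
        findings.append('certificate for CN=%s is loaded without a private key' % local_cn)
    for conn, state in find_key_errors(authlog_text):
        findings.append('conn "%s" #%d: pluto could not find the private key to sign with'
                        % (conn, state))
    return findings


if __name__ == '__main__':
    print('IKEv2 listing:', diagnose(LISTCERTS_IKEV2, '', '169.254.0.70') or ['ok'])
    print('IKEv1 listing:', diagnose(LISTCERTS_IKEV1, AUTHLOG, '169.254.0.70'))
```

To check a live host, feed it saved copies of `ipsec listcerts` and the pluto auth.log instead of the embedded samples. A certificate listed without `has private key` means the daemon has loaded the certificate but not a matching key; for pluto the key is declared in ipsec.secrets with a `: RSA <keyfile>` entry (general strongSwan behaviour, not something this thread confirms as the cause of the poster's problem).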
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: authlog_src.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110824/845580aa/attachment.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec_dst.conf
Type: application/octet-stream
Size: 580 bytes
Desc: ipsec_dst.conf
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110824/845580aa/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec_src.conf
Type: application/octet-stream
Size: 562 bytes
Desc: ipsec_src.conf
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110824/845580aa/attachment-0001.obj>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: tcpdump_dst.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110824/845580aa/attachment-0001.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: tcpdump_src.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110824/845580aa/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: authlog_dst.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110824/845580aa/attachment-0003.txt>

