[strongSwan] HELP: packet not encrypted in net2net-psk setting
Mac Lin
mkl0301 at gmail.com
Wed Dec 28 10:37:50 CET 2011
Hi,
I'm new to strongSwan, using ipsec-tools previously.
ipsec-tools works basically fine, but now I need ike+AES-GCM.
As a start, I use exactly the same topology and configurations in the
following link:
http://www.strongswan.org/uml/testresults/ikev1/net2net-psk/index.html
But the ping from "sun" with "ping -I 10.2.0.1 10.1.0.1" is not encrypted.
From the result of "ip xfrm policy", it seems somehow, the policy is not
written to kernel.
Please let me know if I have missed anything.
Best Regards,
Mac Lin
---
linux-2.6.31.1, strongswan-4.6.1 (I've tried back to 4.2...)
no firewall used.
---
Using default config (./config)...
GWA setting
LANIP=10.1.0.1, WANIP=192.168.0.1
default gateway=192.168.0.2
# sh 3-ipsec-psk.sh a
Using default config (./config)...
GWA setting
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 4.6.1 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for
!! pluto and/or charon. This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
[ 18.600000] NET: Registered protocol family 15
| Default route found: iface=eth1, addr=192.168.0.1, nexthop=192.168.0.2
| Loading config setup
| plutodebug=control
| charonstart=no
| Loading conn %default
| ikelifetime=60m
| keylife=20m
| rekeymargin=3m
| keyingtries=1
| keyexchange=ikev1
| authby=secret
| Loading conn 'net-net'
| left=192.168.0.1
| leftsubnet=10.1.0.0/16
| leftfirewall=yes
| right=192.168.0.2
| rightsubnet=10.2.0.0/16
| auto=add
[ 18.740000] Initializing XFRM netlink socket
| Found netkey IPsec stack
# [ 18.810000] alg: No test for cipher_null (cipher_null-generic)
[ 18.820000] alg: No test for ecb(cipher_null) (ecb-cipher_null)
[ 18.830000] alg: No test for digest_null (digest_null-generic)
[ 18.840000] alg: No test for compress_null (compress_null-generic)
#
#
# tcpdump -i eth1 -s0 -n -t
[ 59.340000] device eth1 entered promiscuous mode
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 10.2.0.1 > 10.1.0.1: ICMP echo request, id 29443, seq 0, length 64
IP 10.1.0.1 > 10.2.0.1: ICMP echo reply, id 29443, seq 0, length 64
[ 140.240000] device eth1 left promiscuous mode
12 packets captured
12 packets received by filter
0 packets dropped by kernel
# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.6.1):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.1.0.1:500
000 interface eth1/eth1 192.168.0.1:500
000 %myid = '%any'
000 loaded plugins: sha1 sha2 md5 aes des hmac gmp random kernel-netlink
000 debug options: control
000
000 "net-net": 10.1.0.0/16===192.168.0.1[192.168.0.1]...192.168.0.2[192.168.0.2]===10.2.0.0/16; unrouted; eroute owner: #0
000 "net-net": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
000 "net-net": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 16,16; interface: eth1;
000 "net-net": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
#
#
# ip xfrm policy
src ::/0 dst ::/0
dir 4 priority 0
src ::/0 dst ::/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
# ip xfrm state
#
# iptables -nvL
Chain INPUT (policy ACCEPT 4 packets, 336 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 4 packets, 336 bytes)
 pkts bytes target     prot opt in     out     source               destination
#
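Editorial note on the output above, with an added diagnostic that is not part of the original post and not strongSwan's own code. The "ip xfrm policy" listing shows only entries with "dir 3" and "dir 4": those are socket policies, the IKE daemon's bypass entries on its own port-500 sockets (older iproute2 prints them numerically; 3 is socket-in, 4 is socket-out). Four listening sockets in "ipsec statusall" (one IPv6, three IPv4) give exactly the eight entries shown. No policy with selector 10.1.0.0/16 <-> 10.2.0.0/16 exists, "ip xfrm state" is empty, and statusall reports the conn as "unrouted" with no IPsec SA, which is consistent with a conn that has only been loaded (auto=add) and not brought up, so the forwarded ping leaves eth1 in the clear, as the tcpdump shows. The script below makes that check mechanical: it parses "ip xfrm policy" text and reports whether the tunnel policies for a subnet pair are installed. The function names, the sample texts, and the priority/reqid values in the second sample are this example's own assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the original post or from strongSwan): decide from
# `ip xfrm policy` output whether the kernel holds the policies a net2net tunnel
# between two subnets needs. Entries printed as "dir 3"/"dir 4" are socket
# policies (the IKE daemon's port-500 bypass entries); they protect nothing that
# is forwarded between the LANs.

# xfrm_policy_dirs <src/len> <dst/len>
# Reads `ip xfrm policy` text on stdin and prints the direction (in/out/fwd, or
# the numeric socket-policy value) of every entry whose selector is exactly
# <src/len> -> <dst/len>, one per line.
xfrm_policy_dirs() {
    awk -v want_src="$1" -v want_dst="$2" '
        /^src /       { sel = ($2 == want_src && $4 == want_dst) }
        /^[ \t]*dir / { if (sel) print $2 }
    '
}

# tunnel_policy_ok <left/len> <right/len>
# Exit 0 only when both an "out" policy left->right and an "in" policy
# right->left are present (strongSwan installs these, plus "fwd", when the conn
# is up). Exit 1 when either is missing: traffic for that pair is then sent in
# the clear, which is what the tcpdump in the post shows.
tunnel_policy_ok() {
    awk -v left="$1" -v right="$2" '
        /^src / {
            sel_out = ($2 == left  && $4 == right)
            sel_in  = ($2 == right && $4 == left)
        }
        /^[ \t]*dir / {
            if (sel_out && $2 == "out") have_out = 1
            if (sel_in  && $2 == "in")  have_in  = 1
        }
        END { exit !(have_out && have_in) }
    '
}

# Constructed sample 1: the listing quoted in the post. Only socket policies,
# no entry for 10.1.0.0/16 <-> 10.2.0.0/16.
SAMPLE_BROKEN='src ::/0 dst ::/0
dir 4 priority 0
src ::/0 dst ::/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0'

# Constructed sample 2: what `ip xfrm policy` prints on the 192.168.0.1 gateway
# once the net-net conn is up (iproute2 layout; priority and reqid are
# placeholders chosen for this example).
SAMPLE_UP='src 10.1.0.0/16 dst 10.2.0.0/16
	dir out priority 1000 ptype main
	tmpl src 192.168.0.1 dst 192.168.0.2
		proto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
	dir fwd priority 1000 ptype main
	tmpl src 192.168.0.2 dst 192.168.0.1
		proto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
	dir in priority 1000 ptype main
	tmpl src 192.168.0.2 dst 192.168.0.1
		proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0'

# report <label> <policy text>: human-readable verdict for one listing.
report() {
    if printf '%s\n' "$2" | tunnel_policy_ok 10.1.0.0/16 10.2.0.0/16; then
        echo "$1: tunnel policies present"
    else
        echo "$1: NO tunnel policy for 10.1.0.0/16 <-> 10.2.0.0/16, traffic would leave in the clear"
    fi
}

# Stand-alone run over both samples. On a real gateway pipe the live output
# instead:  ip xfrm policy | tunnel_policy_ok 10.1.0.0/16 10.2.0.0/16
report "post output" "$SAMPLE_BROKEN"
report "conn up"     "$SAMPLE_UP"
```

The selector comparison is exact on purpose: a policy for 10.1.0.0/16 does not prove that a narrower or wider pair is covered, and a socket policy for 0.0.0.0/0 covers nothing that is forwarded. Run it on both gateways, since a policy installed on one side only still leaves the reverse direction unprotected.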