[strongSwan] HELP: packet not encrypted in net2net-psk setting

Andreas Steffen andreas.steffen at strongswan.org
Wed Dec 28 18:39:09 CET 2011


Hello Mac Lin,

you must first set up the IPsec connection via IKE.
Either define

  auto=start

in ipsec.conf which automatically starts the negotiation
or with the current

  auto=add

you must start the negotiation manually with

  ipsec up net-net

Further, if you use strongSwan on both sides, I recommend the
much more robust and stable IKEv2 protocol with

  keyexchange=ikev2

Best regards

Andreas

On 12/28/2011 10:37 AM, Mac Lin wrote:
> Hi,
> 
> I'm new to strongSwan, using ipsec-tools previously.
> ipsec-tools works basically fine, but now I need ike+AES-GCM.
> 
> As a start, I use exactly the same topology and configurations in the
> following link:
> http://www.strongswan.org/uml/testresults/ikev1/net2net-psk/index.html
> But the ping from "sun" with "ping -I 10.2.0.1 10.1.0.1" is not encrypted.
> 
> From the result of "ip xfrm policy", it seems somehow, the policy is not
> written to kernel.
> 
> Please let me know if I have missed anything.
> 
> Best Regards,
> Mac Lin
> ---
> linux-2.6.31.1, strongswan-4.6.1 (I've tried back to 4.2...)
> no firewall used.
> ---
> Using default config (./config)...
> GWA setting
> LANIP=10.1.0.1, WANIP=192.168.0.1
> default gateway=192.168.0.2
> # sh 3-ipsec-psk.sh a
> Using default config (./config)...
> GWA setting
> Stopping strongSwan IPsec failed: starter is not running
> Starting strongSwan 4.6.1 IPsec [starter]...
> !! Your strongswan.conf contains manual plugin load options for
> !! pluto and/or charon. This is recommended for experts only, see
> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> [   18.600000] NET: Registered protocol family 15
> | Default route found: iface=eth1, addr=192.168.0.1, nexthop=192.168.0.2
> | Loading config setup
> |   plutodebug=control
> |   charonstart=no
> | Loading conn %default
> |   ikelifetime=60m
> |   keylife=20m
> |   rekeymargin=3m
> |   keyingtries=1
> |   keyexchange=ikev1
> |   authby=secret
> | Loading conn 'net-net'
> |   left=192.168.0.1
> |   leftsubnet=10.1.0.0/16
> |   leftfirewall=yes
> |   right=192.168.0.2
> |   rightsubnet=10.2.0.0/16
> |   auto=add
> [   18.740000] Initializing XFRM netlink socket
> | Found netkey IPsec stack
> # [   18.810000] alg: No test for cipher_null (cipher_null-generic)
> [   18.820000] alg: No test for ecb(cipher_null) (ecb-cipher_null)
> [   18.830000] alg: No test for digest_null (digest_null-generic)
> [   18.840000] alg: No test for compress_null (compress_null-generic)
> 
> #
> #
> # tcpdump -i eth1 -s0 -n -t
> [   59.340000] device eth1 entered promiscuous mode
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
> 
> IP 10.2.0.1 > 10.1.0.1: ICMP echo request, id 29443, seq 0, length 64
> IP 10.1.0.1 > 10.2.0.1: ICMP echo reply, id 29443, seq 0, length 64
> 
> [  140.240000] device eth1 left promiscuous mode
> 12 packets captured
> 12 packets received by filter
> 0 packets dropped by kernel
> # ipsec statusall
> 000 Status of IKEv1 pluto daemon (strongSwan 4.6.1):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth0/eth0 10.1.0.1:500
> 000 interface eth1/eth1 192.168.0.1:500
> 000 %myid = '%any'
> 000 loaded plugins: sha1 sha2 md5 aes des hmac gmp random kernel-netlink
> 000 debug options: control
> 000
> 000 "net-net":
> 10.1.0.0/16===192.168.0.1[192.168.0.1]...192.168.0.2[192.168.0.2]===10.2.0.0/16
> <http://10.1.0.0/16===192.168.0.1%5B192.168.0.1%5D...192.168.0.2%5B192.168.0.2%5D===10.2.0.0/16>;
> unrouted; eroute owner: #0
> 000 "net-net":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s;
> rekey_fuzz: 100%; keyingtries: 1
> 000 "net-net":   policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 16,16; interface:
> eth1;
> 000 "net-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
> #
> #
> # ip xfrm policy
> src ::/0 dst ::/0
>         dir 4 priority 0
> src ::/0 dst ::/0
>         dir 3 priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0
> # ip xfrm state
> #
> # iptables -nvL
> Chain INPUT (policy ACCEPT 4 packets, 336 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain OUTPUT (policy ACCEPT 4 packets, 336 bytes)
>  pkts bytes target     prot opt in     out     source               destination

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
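The symptom in the quoted report is that `ip xfrm policy` shows only pluto's catch-all socket policies, so nothing in the kernel SPD matches 10.1.0.0/16 <-> 10.2.0.0/16 and the ping leaves in the clear. The following is an added example, not code from this thread or from the strongSwan project: it parses `ip xfrm policy` output (iproute2 layout as in the report) and reports which directions of the net-net tunnel actually have a tunnel-mode policy installed. The first sample is the catch-all-only output from the report; the second is a constructed approximation of the SPD after `ipsec up net-net` succeeds. It also accepts subnets narrower than the configured selectors.

```python
import ipaddress
import re
HEADER = re.compile(r"^src (\S+) dst (\S+)")
DIR = re.compile(r"^\s+dir (?P<dir>\S+)")
MODE = re.compile(r"^\s+proto \S+ reqid \d+ mode (?P<mode>\S+)")

# Constructed samples: catch-all socket policy only (as in the report), then the SPD after "ipsec up net-net".
POLICY_BEFORE = """\
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0
"""
POLICY_AFTER = POLICY_BEFORE + """\
src 10.1.0.0/16 dst 10.2.0.0/16
        dir out priority 1859
        tmpl src 192.168.0.1 dst 192.168.0.2
                proto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
        dir fwd priority 1859
        tmpl src 192.168.0.2 dst 192.168.0.1
                proto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
        dir in priority 1859
        tmpl src 192.168.0.2 dst 192.168.0.1
                proto esp reqid 1 mode tunnel
"""

def parse_xfrm_policy(output):
    """Turn `ip xfrm policy` text into dicts with src, dst, dir and template mode."""
    policies = []
    for line in output.splitlines():
        if m := HEADER.match(line):
            policies.append({"src": m[1], "dst": m[2], "dir": None, "mode": None})
        elif policies and (m := DIR.match(line) or MODE.match(line)):
            policies[-1][m.lastgroup] = m[1]
    return policies

def tunnel_coverage(output, left_subnet, right_subnet):
    """Directions (out/fwd/in) with a tunnel-mode policy covering left<->right;
    catch-all socket policies (dir 3/4, no template) never count."""
    left, right = ipaddress.ip_network(left_subnet), ipaddress.ip_network(right_subnet)
    covered = set()
    for p in parse_xfrm_policy(output):
        src, dst = ipaddress.ip_network(p["src"]), ipaddress.ip_network(p["dst"])
        if p["mode"] != "tunnel" or src.version != left.version:
            continue
        if p["dir"] == "out" and left.subnet_of(src) and right.subnet_of(dst):
            covered.add("out")
        elif p["dir"] in ("in", "fwd") and right.subnet_of(src) and left.subnet_of(dst):
            covered.add(p["dir"])
    return covered
```

Anything short of all three directions means traffic between the subnets is not protected, so run this against the real `ip xfrm policy` output before trusting a tcpdump that shows ESP.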