[strongSwan] Strongswan on OpenWRT road warrior issues
Robert Wicks
robwicks at gmail.com
Wed Jan 26 23:38:41 CET 2011
I have Strongswan installed on my router, and I cannot seem to establish a
tunnel using the roadwarrior directions. I was trying to do RSA
authentication, but I am using PSK for testing until I am able to
successfully connect. My ipsec.conf file on the router:
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
plutostart=no
charondebug=all
conn %default
keyexchange=ikev2
left=%defaultroute
leftcert=server.crt
leftfirewall=yes
authby=secret
auto=add
conn nat-t
left=<Public IP>
leftsubnet=192.168.2.0/24
ike=aes128-sha1-modp2048!
esp=aes128-sha1-modp2048!
right=%any
auto=add
On the client side, Ubuntu 10.10:
# ipsec.conf - strongSwan IPsec configuration file
config setup
charonstart=yes
plutostart=no
conn roadwarrior
left=%defaultroute
leftcert=toshiba.crt
leftsourceip=%config
authby=secret
leftfirewall=yes
right=<Router's Public IP>
rightsubnet=192.168.2.0/24
rightcert=server.crt
keyexchange=ikev2
ike=aes128-sha1-modp2048!
esp=aes128-sha1-modp2048!
auto=start
include /var/lib/strongswan/ipsec.conf.inc
I put the same passcode in both ipsec.secrets files:
: PSK "mysecret"
My logs on the router side shows:
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] parsing body of message,
first payload is SECURITY_ASSOCIATION
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] starting parsing a
SECURITY_ASSOCIATION payload
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] parsing
SECURITY_ASSOCIATION payload, 404 bytes left
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] parsing payload from =>
404 bytes @ 0x46bc1c
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] 0: 22 00 00 30 00 00
00 2C 01 01 00 04 03 00 00 0C "..0...,........
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] 16: 01 00 00 0C 80 0E
00 80 03 00 00 08 03 00 00 02 ................
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] 32: 03 00 00 08 02 00
00 02 00 00 00 08 04 00 00 0E ................
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] 48: 28 00 01 08 00 0E
00 00 6C B6 38 79 AC 94 F0 1D (.......l.8y....
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] 64: 56 FD 5A 46 D9 75
BA 9F E3 23 A2 8E 8C 6C 36 A0 V.ZF.u...#...l6.
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] 80: EB DF 22 06 3D A5
DC BF EB 21 60 7D 97 4A 12 03 ..".=....!`}.J..
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] 96: 22 AB C1 28 36 9C
58 ED E6 BD 6C D8 C0 D6 48 7B "..(6.X...l...H{
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] 112: E2 72 D0 E8 26 C8
A5 C6 24 B5 A3 7B E0 81 9C 81 .r..&...$..{....
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] 128: DC F1 57 A3 09 5D
74 3D 23 84 60 16 CB B1 FA 5C ..W..]t=#.`....\
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] 144: 98 7A 81 6C 32 0E
68 D1 B3 AA 78 1A C9 56 45 B6 .z.l2.h...x..VE.
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] 160: 56 D3 80 C0 23 CA
F1 24 12 61 E0 6B 38 42 71 FC V...#..$.a.k8Bq.
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] 176: B1 21 A4 61 45 06
50 A5 05 E4 6C 56 1D 60 3F D7 .!.aE.P...lV.`?.
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] 192: 80 E2 DF 8A FB 27
E5 C0 3E 95 36 3F EC 63 8D E9 .....'..>.6?.c..
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] 208: F9 4B 52 85 3A EB
03 97 83 B4 6B 71 27 E8 94 DD .KR.:.....kq'...
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] 224: A5 87 6B 7F 70 57
25 76 2A 21 F2 6B E6 D8 82 E8 ..k.pW%v*!.k....
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] 240: DA A3 2A B8 E3 F5
9E D1 5B 40 1A 30 2C CD 56 85 ..*.....[@.0,.V.
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] => 0
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] => 44
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[ENC] parsing rule 6
U_INT_8
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[ENC] 80: E2 72 D0 E8 26 C8
A5 C6 24 B5 A3 7B E0 81 9C 81 .r..&...$..{....
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[ENC] parsing rule 3
RESERVED_BIT
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] natd_chunk => 22 bytes @
0x46af08
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] 0: 75 2C 8D 71 87 CD
7E F7 00 00 00 00 00 00 00 00 u,.q..~.........
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] 16: 4C 61 92 C9 01 F4
La....
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] natd_hash => 20 bytes @
0x469170
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] 0: 0C 05 7F B2 E8 A0
C0 62 5E 97 67 CF 1E A9 2E 47 .......b^.g....G
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] 16: 57 E8 06 30
W..0
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] natd_chunk => 22 bytes @
0x46af08
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] 0: 75 2C 8D 71 87 CD
7E F7 00 00 00 00 00 00 00 00 u,.q..~.........
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] 16: 40 86 BE 2B 01 F4
@..+..
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] natd_hash => 20 bytes @
0x46af28
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] 0: 20 B4 16 C4 5E C6
42 A2 CA 6D 5B 2D 3C 51 C9 F1 ...^.B..m[-<Q..
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] 16: D9 80 C3 A7
....
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] precalculated src_hash
=> 20 bytes @ 0x46af28
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] 0: 20 B4 16 C4 5E C6
42 A2 CA 6D 5B 2D 3C 51 C9 F1 ...^.B..m[-<Q..
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] 16: D9 80 C3 A7
....
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] precalculated dst_hash
=> 20 bytes @ 0x469170
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] 0: 0C 05 7F B2 E8 A0
C0 62 5E 97 67 CF 1E A9 2E 47 .......b^.g....G
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] 16: 57 E8 06 30
W..0
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] received src_hash => 20
bytes @ 0x46be98
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] 0: 64 D6 AF 1D EB CE
8B AC E7 BF 97 43 C3 C3 82 B3 d..........C....
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[IKE] 16: 51 BA 8C C1
Q...
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[IKE] received dst_hash => 20
bytes @ 0x469100
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[IKE] 0: 0C 05 7F B2 E8 A0
C0 62 5E 97 67 CF 1E A9 2E 47 .......b^.g....G
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[IKE] 16: 57 E8 06 30
W..0
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[IKE] remote host is behind
NAT
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[IKE] shared Diffie Hellman
secret => 256 bytes @ 0x46c650
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[IKE] 0: 1F 48 93 8A 4A 9C
05 C4 8E 2A 97 A9 E3 75 BA C6 .H..J....*...u..
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[IKE] 16: 07 46 4B 9E 0D D8
B1 E9 2F F0 F8 E3 70 EF D1 AD .FK...../...p...
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[IKE] 32: 8E A1 87 C4 B5 7F
28 A5 15 3A C7 D2 F0 D5 A5 45 ......(..:.....E
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[IKE] 48: D4 8A 12 97 5F 73
27 30 D5 3B 33 7D BA 79 DA 70 ...._s'0.;3}.y.p
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[IKE] 64: 74 F6 C9 37 85 4D
36 A0 BF 59 03 0C 35 4B BD 66 t..7.M6..Y..5K.f
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[ENC] 0: 00 0C
..
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[ENC] generating rule 2
RESERVED_BIT
Jan 26 17:24:42 gateway.linux.bogus syslog: 01[JOB] got event, queuing job
for execution
Jan 26 17:24:42 gateway.linux.bogus syslog: 01[JOB] no events, waiting
Jan 26 17:24:42 gateway.linux.bogus syslog: 07[MGR] checkout IKE_SA
Jan 26 17:24:42 gateway.linux.bogus syslog: 07[MGR] IKE_SA successfully
checked out
Jan 26 17:24:42 gateway.linux.bogus syslog: 07[JOB] deleting half open
IKE_SA after timeout
Jan 26 17:24:42 gateway.linux.bogus syslog: 07[MGR] checkin and destroy
IKE_SA
Jan 26 17:24:42 gateway.linux.bogus syslog: 07[IKE] IKE_SA (unnamed)[12]
state change: CONNECTING => DESTROYING
Jan 26 17:24:42 gateway.linux.bogus syslog: 07[MGR] check-in and destroy of
IKE_SA successful
On the client side:
Jan 26 17:24:09 rwicks-m11 charon: 09[NET] sending packet: from
192.168.5.115[500] to <Router's Public IP Address>[500]
Jan 26 17:24:09 rwicks-m11 charon: 01[JOB] next event in 75s 581ms, waiting
Jan 26 17:25:25 rwicks-m11 charon: 01[JOB] got event, queuing job for
execution
Jan 26 17:25:25 rwicks-m11 charon: 01[JOB] no events, waiting
Jan 26 17:25:25 rwicks-m11 charon: 08[MGR] checkout IKE_SA
Jan 26 17:25:25 rwicks-m11 charon: 08[MGR] IKE_SA successfully checked out
Jan 26 17:25:25 rwicks-m11 charon: 08[IKE] giving up after 5 retransmits
Jan 26 17:25:25 rwicks-m11 charon: 08[IKE] establishing IKE_SA failed, peer
not responding
Jan 26 17:25:25 rwicks-m11 charon: 08[MGR] checkin and destroy IKE_SA
Jan 26 17:25:25 rwicks-m11 charon: 08[IKE] IKE_SA roadwarrior[1] state
change: CONNECTING => DESTROYING
Jan 26 17:25:25 rwicks-m11 charon: 08[MGR] check-in and destroy of IKE_SA
successful
My router's iptables accepts esp, ah, and packets on udp 500 and 4500:
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
Could anyone enlighten me as to what I should be looking for?
Here is the router at startup:
Jan 26 17:36:24 gateway.linux.bogus ipsec_starter[1778]: Starting strongSwan
4.3.7 IPsec [starter]...
Jan 26 17:36:24 gateway.linux.bogus syslog: 00[DMN] Starting IKEv2 charon
daemon (strongSwan 4.3.7)
Jan 26 17:36:24 gateway.linux.bogus syslog: 00[NET] unable to create raw
socket: Address family not supported by protocol
Jan 26 17:36:24 gateway.linux.bogus syslog: 00[NET] could not open IPv6
receive socket, IPv6 disabled
Jan 26 17:36:24 gateway.linux.bogus syslog: 00[LIB] plugin 'curl': failed to
load '/usr/lib/ipsec/plugins/libstrongswan-curl.so' - File not found
Jan 26 17:36:24 gateway.linux.bogus syslog: 00[LIB] plugin 'ldap': failed to
load '/usr/lib/ipsec/plugins/libstrongswan-ldap.so' - File not found
Jan 26 17:36:24 gateway.linux.bogus syslog: 00[LIB] plugin 'aes': loaded
successfully
Jan 26 17:36:24 gateway.linux.bogus syslog: 00[LIB] plugin 'des': loaded
successfully
Jan 26 17:36:24 gateway.linux.bogus syslog: 00[LIB] plugin 'blowfish':
failed to load '/usr/lib/ipsec/plugins/libstrongswan-blowfish.so' - File not
found
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'sha1': loaded
successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'sha2': loaded
successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'md5': loaded
successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'fips-prf':
loaded successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'random': loaded
successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'x509': loaded
successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'pubkey': loaded
successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'pkcs1': loaded
successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'pgp': loaded
successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'dnskey': loaded
successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'pem': loaded
successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'mysql': failed
to load '/usr/lib/ipsec/plugins/libstrongswan-mysql.so' - File not found
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'sqlite': failed
to load '/usr/lib/ipsec/plugins/libstrongswan-sqlite.so' - File not found
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'attr-sql':
failed to load '/usr/lib/ipsec/plugins/libstrongswan-attr-sql.so' - File not
found
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'gcrypt': failed
to load '/usr/lib/ipsec/plugins/libstrongswan-gcrypt.so' - File not found
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'xcbc': loaded
successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'hmac': loaded
successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'agent': failed
to load '/usr/lib/ipsec/plugins/libstrongswan-agent.so' - File not found
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'gmp': loaded
successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'load-tester':
failed to load '/usr/lib/ipsec/plugins/libstrongswan-load-tester.so' - File
not found
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'kernel-pfkey':
failed to load '/usr/lib/ipsec/plugins/libstrongswan-kernel-pfkey.so' - File
not found
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[LIB] plugin 'kernel-klips':
failed to load '/usr/lib/ipsec/plugins/libstrongswan-kernel-klips.so' - File
not found
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL] listening on
interfaces:
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL] eth0
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL] eth1
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL] <Public IP>
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL] br-lan
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL] 192.168.2.1
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL] 192.168.3.1
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL] imq0
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL] tun0
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL] 192.168.44.1
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL] received netlink error:
Address family not supported by protocol (124)
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL] unable to create IPv6
routing table rule
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[LIB] plugin 'kernel-netlink':
loaded successfully
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[CFG] loading ca certificates
from '/etc/ipsec.d/cacerts'
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[CFG] loading aa certificates
from '/etc/ipsec.d/aacerts'
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[CFG] loading ocsp signer
certificates from '/etc/ipsec.d/ocspcerts'
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[CFG] loading attribute
certificates from '/etc/ipsec.d/acerts'
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[CFG] loading crls from
'/etc/ipsec.d/crls'
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[LIB] opening
'/etc/ipsec.d/private/server.der' failed: No such file or directory
Jan 26 17:36:26 gateway.linux.bogus syslog: 04[JOB] no events, waiting
Jan 26 17:36:27 gateway.linux.bogus syslog: 02[CFG] conn nat-t
Jan 26 17:36:27 gateway.linux.bogus syslog: 02[CFG] rightid=(null)
Jan 26 17:36:27 gateway.linux.bogus syslog: 02[CFG] rightid2=(null)
Jan 26 17:36:27 gateway.linux.bogus syslog: 02[CFG] rightcert=(null)
Jan 26 17:36:27 gateway.linux.bogus syslog: 02[CFG] rightcert2=(null)
Jan 26 17:36:27 gateway.linux.bogus syslog: 02[CFG] rightca=(null)
Jan 26 17:36:27 gateway.linux.bogus syslog: 02[CFG] rightca2=(null)
Jan 26 17:36:27 gateway.linux.bogus syslog: 02[CFG] rightgroups=(null)
Jan 26 17:36:27 gateway.linux.bogus syslog: 02[CFG] rightupdown=(null)
Jan 26 17:36:27 gateway.linux.bogus syslog: 02[CFG] mediation=no
--
Rob Wicks
robwicks at gmail.com
http://robwicks.wordpress.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110126/97f955d0/attachment.html>
More information about the Users
mailing list