[strongSwan] Strongswan on OpenWRT road warrior issues

Robert Wicks robwicks at gmail.com
Wed Jan 26 23:38:41 CET 2011


I have Strongswan installed on my router, and I cannot seem to establish a
tunnel using the roadwarrior directions. I was trying to do RSA
authentication, but I am using PSK for testing until I am able to
successfully connect. My ipsec.conf file on the router:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
      plutostart=no
      charondebug=all

conn %default
      keyexchange=ikev2
      left=%defaultroute
      leftcert=server.crt
      leftfirewall=yes
      authby=secret
      auto=add

conn nat-t
      left=<Public IP>
      leftsubnet=192.168.2.0/24
      ike=aes128-sha1-modp2048!
      esp=aes128-sha1-modp2048!
      right=%any
      auto=add

On the client side, Ubuntu 10.10:
# ipsec.conf - strongSwan IPsec configuration file

config setup
      charonstart=yes
      plutostart=no

conn roadwarrior
      left=%defaultroute
      leftcert=toshiba.crt
      leftsourceip=%config
      authby=secret
      leftfirewall=yes
      right=<Router's Public IP>
      rightsubnet=192.168.2.0/24
      rightcert=server.crt
      keyexchange=ikev2
      ike=aes128-sha1-modp2048!
      esp=aes128-sha1-modp2048!
      auto=start

include /var/lib/strongswan/ipsec.conf.inc

I put the same passcode in both ipsec.secrets files:

: PSK "mysecret"

My logs on the router side show:
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] parsing body of message, first payload is SECURITY_ASSOCIATION
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] starting parsing a SECURITY_ASSOCIATION payload
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] parsing SECURITY_ASSOCIATION payload, 404 bytes left
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC] parsing payload from => 404 bytes @ 0x46bc1c
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC]    0: 22 00 00 30 00 00 00 2C 01 01 00 04 03 00 00 0C  "..0...,........
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC]   16: 01 00 00 0C 80 0E 00 80 03 00 00 08 03 00 00 02  ................
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC]   32: 03 00 00 08 02 00 00 02 00 00 00 08 04 00 00 0E  ................
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC]   48: 28 00 01 08 00 0E 00 00 6C B6 38 79 AC 94 F0 1D  (.......l.8y....
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC]   64: 56 FD 5A 46 D9 75 BA 9F E3 23 A2 8E 8C 6C 36 A0  V.ZF.u...#...l6.
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC]   80: EB DF 22 06 3D A5 DC BF EB 21 60 7D 97 4A 12 03  ..".=....!`}.J..
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC]   96: 22 AB C1 28 36 9C 58 ED E6 BD 6C D8 C0 D6 48 7B  "..(6.X...l...H{
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC]  112: E2 72 D0 E8 26 C8 A5 C6 24 B5 A3 7B E0 81 9C 81  .r..&...$..{....
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC]  128: DC F1 57 A3 09 5D 74 3D 23 84 60 16 CB B1 FA 5C  ..W..]t=#.`....\
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC]  144: 98 7A 81 6C 32 0E 68 D1 B3 AA 78 1A C9 56 45 B6  .z.l2.h...x..VE.
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC]  160: 56 D3 80 C0 23 CA F1 24 12 61 E0 6B 38 42 71 FC  V...#..$.a.k8Bq.
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC]  176: B1 21 A4 61 45 06 50 A5 05 E4 6C 56 1D 60 3F D7  .!.aE.P...lV.`?.
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC]  192: 80 E2 DF 8A FB 27 E5 C0 3E 95 36 3F EC 63 8D E9  .....'..>.6?.c..
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC]  208: F9 4B 52 85 3A EB 03 97 83 B4 6B 71 27 E8 94 DD  .KR.:.....kq'...
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC]  224: A5 87 6B 7F 70 57 25 76 2A 21 F2 6B E6 D8 82 E8  ..k.pW%v*!.k....
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC]  240: DA A3 2A B8 E3 F5 9E D1 5B 40 1A 30 2C CD 56 85  ..*.....[@.0,.V.
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC]    => 0
Jan 26 17:24:14 gateway.linux.bogus syslog: 08[ENC]    => 44
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[ENC]   parsing rule 6 U_INT_8
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[ENC]   80: E2 72 D0 E8 26 C8 A5 C6 24 B5 A3 7B E0 81 9C 81  .r..&...$..{....
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[ENC]   parsing rule 3 RESERVED_BIT
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] natd_chunk => 22 bytes @ 0x46af08
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE]    0: 75 2C 8D 71 87 CD 7E F7 00 00 00 00 00 00 00 00  u,.q..~.........
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE]   16: 4C 61 92 C9 01 F4                                La....
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] natd_hash => 20 bytes @ 0x469170
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE]    0: 0C 05 7F B2 E8 A0 C0 62 5E 97 67 CF 1E A9 2E 47  .......b^.g....G
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE]   16: 57 E8 06 30                                      W..0
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] natd_chunk => 22 bytes @ 0x46af08
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE]    0: 75 2C 8D 71 87 CD 7E F7 00 00 00 00 00 00 00 00  u,.q..~.........
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE]   16: 40 86 BE 2B 01 F4                                @..+..
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] natd_hash => 20 bytes @ 0x46af28
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE]    0: 20 B4 16 C4 5E C6 42 A2 CA 6D 5B 2D 3C 51 C9 F1   ...^.B..m[-<Q..
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE]   16: D9 80 C3 A7                                      ....
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] precalculated src_hash => 20 bytes @ 0x46af28
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE]    0: 20 B4 16 C4 5E C6 42 A2 CA 6D 5B 2D 3C 51 C9 F1   ...^.B..m[-<Q..
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE]   16: D9 80 C3 A7                                      ....
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] precalculated dst_hash => 20 bytes @ 0x469170
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE]    0: 0C 05 7F B2 E8 A0 C0 62 5E 97 67 CF 1E A9 2E 47  .......b^.g....G
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE]   16: 57 E8 06 30                                      W..0
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE] received src_hash => 20 bytes @ 0x46be98
Jan 26 17:24:15 gateway.linux.bogus syslog: 08[IKE]    0: 64 D6 AF 1D EB CE 8B AC E7 BF 97 43 C3 C3 82 B3  d..........C....
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[IKE]   16: 51 BA 8C C1                                      Q...
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[IKE] received dst_hash => 20 bytes @ 0x469100
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[IKE]    0: 0C 05 7F B2 E8 A0 C0 62 5E 97 67 CF 1E A9 2E 47  .......b^.g....G
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[IKE]   16: 57 E8 06 30                                      W..0
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[IKE] remote host is behind NAT
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[IKE] shared Diffie Hellman secret => 256 bytes @ 0x46c650
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[IKE]    0: 1F 48 93 8A 4A 9C 05 C4 8E 2A 97 A9 E3 75 BA C6  .H..J....*...u..
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[IKE]   16: 07 46 4B 9E 0D D8 B1 E9 2F F0 F8 E3 70 EF D1 AD  .FK...../...p...
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[IKE]   32: 8E A1 87 C4 B5 7F 28 A5 15 3A C7 D2 F0 D5 A5 45  ......(..:.....E
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[IKE]   48: D4 8A 12 97 5F 73 27 30 D5 3B 33 7D BA 79 DA 70  ...._s'0.;3}.y.p
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[IKE]   64: 74 F6 C9 37 85 4D 36 A0 BF 59 03 0C 35 4B BD 66  t..7.M6..Y..5K.f
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[ENC]    0: 00 0C                                            ..
Jan 26 17:24:16 gateway.linux.bogus syslog: 08[ENC]   generating rule 2 RESERVED_BIT
Jan 26 17:24:42 gateway.linux.bogus syslog: 01[JOB] got event, queuing job for execution
Jan 26 17:24:42 gateway.linux.bogus syslog: 01[JOB] no events, waiting
Jan 26 17:24:42 gateway.linux.bogus syslog: 07[MGR] checkout IKE_SA
Jan 26 17:24:42 gateway.linux.bogus syslog: 07[MGR] IKE_SA successfully checked out
Jan 26 17:24:42 gateway.linux.bogus syslog: 07[JOB] deleting half open IKE_SA after timeout
Jan 26 17:24:42 gateway.linux.bogus syslog: 07[MGR] checkin and destroy IKE_SA
Jan 26 17:24:42 gateway.linux.bogus syslog: 07[IKE] IKE_SA (unnamed)[12] state change: CONNECTING => DESTROYING
Jan 26 17:24:42 gateway.linux.bogus syslog: 07[MGR] check-in and destroy of IKE_SA successful


On the client side:

Jan 26 17:24:09 rwicks-m11 charon: 09[NET] sending packet: from 192.168.5.115[500] to <Router's Public IP Address>[500]
Jan 26 17:24:09 rwicks-m11 charon: 01[JOB] next event in 75s 581ms, waiting
Jan 26 17:25:25 rwicks-m11 charon: 01[JOB] got event, queuing job for execution
Jan 26 17:25:25 rwicks-m11 charon: 01[JOB] no events, waiting
Jan 26 17:25:25 rwicks-m11 charon: 08[MGR] checkout IKE_SA
Jan 26 17:25:25 rwicks-m11 charon: 08[MGR] IKE_SA successfully checked out
Jan 26 17:25:25 rwicks-m11 charon: 08[IKE] giving up after 5 retransmits
Jan 26 17:25:25 rwicks-m11 charon: 08[IKE] establishing IKE_SA failed, peer not responding
Jan 26 17:25:25 rwicks-m11 charon: 08[MGR] checkin and destroy IKE_SA
Jan 26 17:25:25 rwicks-m11 charon: 08[IKE] IKE_SA roadwarrior[1] state change: CONNECTING => DESTROYING
Jan 26 17:25:25 rwicks-m11 charon: 08[MGR] check-in and destroy of IKE_SA successful

My router's iptables accepts esp, ah, and packets on udp 500 and 4500:

ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:4500
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0

Could anyone enlighten me as to what I should be looking for?

Here is the router at startup:

Jan 26 17:36:24 gateway.linux.bogus ipsec_starter[1778]: Starting strongSwan 4.3.7 IPsec [starter]...
Jan 26 17:36:24 gateway.linux.bogus syslog: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.7)
Jan 26 17:36:24 gateway.linux.bogus syslog: 00[NET] unable to create raw socket: Address family not supported by protocol
Jan 26 17:36:24 gateway.linux.bogus syslog: 00[NET] could not open IPv6 receive socket, IPv6 disabled
Jan 26 17:36:24 gateway.linux.bogus syslog: 00[LIB] plugin 'curl': failed to load '/usr/lib/ipsec/plugins/libstrongswan-curl.so' - File not found
Jan 26 17:36:24 gateway.linux.bogus syslog: 00[LIB] plugin 'ldap': failed to load '/usr/lib/ipsec/plugins/libstrongswan-ldap.so' - File not found
Jan 26 17:36:24 gateway.linux.bogus syslog: 00[LIB] plugin 'aes': loaded successfully
Jan 26 17:36:24 gateway.linux.bogus syslog: 00[LIB] plugin 'des': loaded successfully
Jan 26 17:36:24 gateway.linux.bogus syslog: 00[LIB] plugin 'blowfish': failed to load '/usr/lib/ipsec/plugins/libstrongswan-blowfish.so' - File not found
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'sha1': loaded successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'sha2': loaded successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'md5': loaded successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'fips-prf': loaded successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'random': loaded successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'x509': loaded successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'pubkey': loaded successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'pkcs1': loaded successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'pgp': loaded successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'dnskey': loaded successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'pem': loaded successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'mysql': failed to load '/usr/lib/ipsec/plugins/libstrongswan-mysql.so' - File not found
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'sqlite': failed to load '/usr/lib/ipsec/plugins/libstrongswan-sqlite.so' - File not found
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'attr-sql': failed to load '/usr/lib/ipsec/plugins/libstrongswan-attr-sql.so' - File not found
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'gcrypt': failed to load '/usr/lib/ipsec/plugins/libstrongswan-gcrypt.so' - File not found
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'xcbc': loaded successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'hmac': loaded successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'agent': failed to load '/usr/lib/ipsec/plugins/libstrongswan-agent.so' - File not found
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'gmp': loaded successfully
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'load-tester': failed to load '/usr/lib/ipsec/plugins/libstrongswan-load-tester.so' - File not found
Jan 26 17:36:25 gateway.linux.bogus syslog: 00[LIB] plugin 'kernel-pfkey': failed to load '/usr/lib/ipsec/plugins/libstrongswan-kernel-pfkey.so' - File not found
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[LIB] plugin 'kernel-klips': failed to load '/usr/lib/ipsec/plugins/libstrongswan-kernel-klips.so' - File not found
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL] listening on interfaces:
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL]   eth0
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL]   eth1
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL]     <Public IP>
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL]   br-lan
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL]     192.168.2.1
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL]     192.168.3.1
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL]   imq0
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL]   tun0
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL]     192.168.44.1
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL] received netlink error: Address family not supported by protocol (124)
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[KNL] unable to create IPv6 routing table rule
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[LIB] plugin 'kernel-netlink': loaded successfully
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 26 17:36:26 gateway.linux.bogus syslog: 00[LIB]   opening '/etc/ipsec.d/private/server.der' failed: No such file or directory
Jan 26 17:36:26 gateway.linux.bogus syslog: 04[JOB] no events, waiting
Jan 26 17:36:27 gateway.linux.bogus syslog: 02[CFG] conn nat-t
Jan 26 17:36:27 gateway.linux.bogus syslog: 02[CFG]   rightid=(null)
Jan 26 17:36:27 gateway.linux.bogus syslog: 02[CFG]   rightid2=(null)
Jan 26 17:36:27 gateway.linux.bogus syslog: 02[CFG]   rightcert=(null)
Jan 26 17:36:27 gateway.linux.bogus syslog: 02[CFG]   rightcert2=(null)
Jan 26 17:36:27 gateway.linux.bogus syslog: 02[CFG]   rightca=(null)
Jan 26 17:36:27 gateway.linux.bogus syslog: 02[CFG]   rightca2=(null)
Jan 26 17:36:27 gateway.linux.bogus syslog: 02[CFG]   rightgroups=(null)
Jan 26 17:36:27 gateway.linux.bogus syslog: 02[CFG]   rightupdown=(null)
Jan 26 17:36:27 gateway.linux.bogus syslog: 02[CFG]   mediation=no

-- 
Rob Wicks
robwicks at gmail.com
http://robwicks.wordpress.com
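The hex rows under "parsing payload from => 404 bytes" in the router log are the client's IKE_SA_INIT request body, starting with its SA payload. The example below is an added one, not code from the post or from strongSwan: it decodes those first 56 bytes (the SA payload plus the generic header and D-H group of the KE payload that follows it) according to RFC 5996 §3.3 and §3.4 and renders the proposal in strongSwan's `ike=` notation, so the algorithms actually on the wire can be compared with the configured `aes128-sha1-modp2048!`. The registry tables are trimmed to the IANA IKEv2 entries needed here and the parser handles the general case of several proposals, transforms and TV/TLV attributes, not only this dump.

```python
"""Decode an IKEv2 SA payload (RFC 5996 section 3.3) from a charon hex dump.

Added example, not strongSwan code. LOGGED_HEX is copied from the
"parsing payload from => 404 bytes" rows in the router log above (first 56
of the 404 bytes); everything else here is illustrative.
"""
import struct

LOGGED_HEX = (
    "22 00 00 30 00 00 00 2C 01 01 00 04 03 00 00 0C "
    "01 00 00 0C 80 0E 00 80 03 00 00 08 03 00 00 02 "
    "03 00 00 08 02 00 00 02 00 00 00 08 04 00 00 0E "
    "28 00 01 08 00 0E 00 00 "
)

# Subsets of the IANA IKEv2 registries, enough for the algorithms involved here.
PAYLOAD_TYPES = {33: "SA", 34: "KE", 40: "Ni/Nr", 41: "N"}
TRANSFORM_TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "D-H", 5: "ESN"}
TRANSFORM_IDS = {
    "ENCR": {3: "3DES", 12: "AES_CBC"},
    "PRF": {1: "HMAC_MD5", 2: "HMAC_SHA1", 5: "HMAC_SHA2_256"},
    "INTEG": {1: "HMAC_MD5_96", 2: "HMAC_SHA1_96", 12: "HMAC_SHA2_256_128"},
    "D-H": {2: "MODP_1024", 5: "MODP_1536", 14: "MODP_2048"},
    "ESN": {0: "NO_ESN", 1: "ESN"},
}
ATTR_KEY_LENGTH = 14  # the only transform attribute defined by RFC 5996


def parse_sa_payload(data: bytes) -> dict:
    """Parse one SA payload: generic header, then proposals with their transforms."""
    next_payload, _critical, length = struct.unpack("!BBH", data[:4])
    if length > len(data):
        raise ValueError("truncated SA payload")
    proposals, off = [], 4
    while off < length:
        more, _, plen, num, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", data[off:off + 8])
        if more not in (0, 2):          # 0 = last proposal, 2 = more follow
            raise ValueError("bad proposal 'last' indicator")
        spi = data[off + 8:off + 8 + spi_size]   # empty in IKE_SA_INIT (SPI size 0)
        transforms, toff = [], off + 8 + spi_size
        for _ in range(ntrans):
            tmore, _, tlen, ttype, _, tid = struct.unpack("!BBHBBH", data[toff:toff + 8])
            if tmore not in (0, 3):     # 0 = last transform, 3 = more follow
                raise ValueError("bad transform 'last' indicator")
            attrs, aoff = {}, toff + 8
            while aoff < toff + tlen:
                af_type, val = struct.unpack("!HH", data[aoff:aoff + 4])
                if af_type & 0x8000:    # TV format: 16-bit value in place
                    attrs[af_type & 0x7FFF] = val
                    aoff += 4
                else:                   # TLV format: val is the value length
                    attrs[af_type] = data[aoff + 4:aoff + 4 + val]
                    aoff += 4 + val
            tname = TRANSFORM_TYPES.get(ttype, str(ttype))
            transforms.append({"type": tname,
                               "id": TRANSFORM_IDS.get(tname, {}).get(tid, str(tid)),
                               "attrs": attrs})
            toff += tlen
        if toff != off + plen:
            raise ValueError("proposal length does not match its transforms")
        proposals.append({"num": num, "protocol": proto, "spi": spi, "transforms": transforms})
        off += plen
        if more == 0:
            break
    return {"next_payload": PAYLOAD_TYPES.get(next_payload, str(next_payload)),
            "length": length, "proposals": proposals}


def strongswan_notation(proposal: dict) -> str:
    """Render a proposal the way ipsec.conf's ike= string spells it, e.g. aes128-sha1-modp2048."""
    by_type = {t["type"]: t for t in proposal["transforms"]}
    encr = by_type["ENCR"]
    cipher = {"AES_CBC": "aes", "3DES": "3des"}[encr["id"]]
    if ATTR_KEY_LENGTH in encr["attrs"]:
        cipher += str(encr["attrs"][ATTR_KEY_LENGTH])
    integ = {"HMAC_SHA1_96": "sha1", "HMAC_MD5_96": "md5",
             "HMAC_SHA2_256_128": "sha256"}[by_type["INTEG"]["id"]]
    group = {"MODP_1024": "modp1024", "MODP_1536": "modp1536",
             "MODP_2048": "modp2048"}[by_type["D-H"]["id"]]
    return f"{cipher}-{integ}-{group}"


def parse_ke_header(data: bytes) -> dict:
    """KE payload header (RFC 5996 section 3.4); ke_data_len is the size of the D-H public value."""
    next_payload, _, length, group, _reserved = struct.unpack("!BBHHH", data[:8])
    return {"next_payload": PAYLOAD_TYPES.get(next_payload, str(next_payload)),
            "dh_group": TRANSFORM_IDS["D-H"].get(group, str(group)),
            "ke_data_len": length - 8}


def decode_logged_dump(hexdump: str = LOGGED_HEX) -> tuple:
    """SA payload and the KE header that immediately follows it in the dump."""
    data = bytes.fromhex(hexdump)
    sa = parse_sa_payload(data)
    ke = parse_ke_header(data[sa["length"]:])
    return sa, ke


if __name__ == "__main__":
    sa, ke = decode_logged_dump()
    for p in sa["proposals"]:
        print(f"proposal {p['num']} (protocol {p['protocol']}): {strongswan_notation(p)}")
    print(f"KE: {ke['dh_group']}, {ke['ke_data_len'] * 8}-bit public value, next payload {ke['next_payload']}")
```

The 48-byte SA payload carries a single proposal with four transforms and the KE payload that follows it announces group 14 with a 256-byte public value, which is why the router later logs a 256-byte shared Diffie-Hellman secret. Pasting other charon dumps into `LOGGED_HEX` works as long as the rows start at the SA payload.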
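The natd_chunk, natd_hash, precalculated and received src_hash/dst_hash rows, and the line "remote host is behind NAT", are IKEv2 NAT detection (RFC 5996 §2.23): each peer sends NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notifies carrying SHA1(SPIi | SPIr | address | port), and the receiver recomputes them over the addresses it actually saw in the IP header. The example below is an added one, not code from the post or from strongSwan; it replays both sides of that check, including a multi-homed initiator that sends several source hashes. The gateway address 203.0.113.1 and the client's post-NAT address 198.51.100.7 are constructed documentation-range values; only the client's 192.168.5.115 and the initiator SPI 752c8d7187cd7ef7 are taken from the logs.

```python
"""IKEv2 NAT detection (RFC 5996 section 2.23), both sides, replayed offline.

Added example, not strongSwan code. Constructed values: 203.0.113.1 stands
in for the gateway's public address and 198.51.100.7 for the client as seen
after its NAT. 192.168.5.115 and the initiator SPI come from the logs above.
"""
import hashlib
import ipaddress
import struct

SPI_I = bytes.fromhex("752c8d7187cd7ef7")  # initiator SPI from the natd_chunk rows
SPI_R = bytes(8)                           # responder SPI is zero in the IKE_SA_INIT request
IKE_PORT = 500


def natd_chunk(spi_i: bytes, spi_r: bytes, address: str, port: int) -> bytes:
    """The hash input: 8 + 8 + 4 (IPv4) or 16 (IPv6) + 2 bytes, as charon dumps it."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("SPIs are 8 bytes each")
    return spi_i + spi_r + ipaddress.ip_address(address).packed + struct.pack("!H", port)


def natd_hash(spi_i: bytes, spi_r: bytes, address: str, port: int) -> bytes:
    """SHA1(SPIi | SPIr | address | port): the value carried in the NAT_DETECTION_* notifies."""
    return hashlib.sha1(natd_chunk(spi_i, spi_r, address, port)).digest()


def natd_hash_from_chunk(chunk_hex: str) -> str:
    """Recompute a natd_hash row from the natd_chunk hex row that precedes it in a charon log."""
    return hashlib.sha1(bytes.fromhex(chunk_hex)).hexdigest()


def decode_natd_chunk(chunk: bytes) -> dict:
    """Split a dumped IPv4 natd_chunk back into its fields."""
    if len(chunk) != 22:
        raise ValueError("expected 8 + 8 + 4 + 2 bytes")
    return {"spi_i": chunk[:8].hex(), "spi_r": chunk[8:16].hex(),
            "address": str(ipaddress.IPv4Address(chunk[16:20])),
            "port": struct.unpack("!H", chunk[20:22])[0]}


def initiator_notifies(spi_i, spi_r, local_addresses, local_port, peer_address, peer_port):
    """Initiator side: one NAT_DETECTION_SOURCE_IP per local address (multi-homed
    hosts send several) and one NAT_DETECTION_DESTINATION_IP for the peer."""
    src = [natd_hash(spi_i, spi_r, a, local_port) for a in local_addresses]
    dst = natd_hash(spi_i, spi_r, peer_address, peer_port)
    return src, dst


def responder_nat_check(spi_i, spi_r, my_address, my_port, seen_address, seen_port,
                        received_src, received_dst):
    """Responder side: hash the addresses actually seen on the wire (charon's
    'precalculated' src/dst hashes) and compare with what the peer sent."""
    expected_src = natd_hash(spi_i, spi_r, seen_address, seen_port)
    expected_dst = natd_hash(spi_i, spi_r, my_address, my_port)
    remote_nat = expected_src not in received_src  # no peer address matches the one we saw
    local_nat = received_dst != expected_dst       # peer addressed something other than us
    return {
        "remote_behind_nat": remote_nat,
        "local_behind_nat": local_nat,
        # NAT on either side: IKE_AUTH and UDP-encapsulated ESP move to port 4500
        "udp_port_after_init": 4500 if (remote_nat or local_nat) else IKE_PORT,
    }


def replay_logged_scenario() -> dict:
    """Client 192.168.5.115 behind a NAT that rewrites it to 198.51.100.7 (constructed),
    gateway at 203.0.113.1 (constructed) with nothing translating in front of it."""
    src, dst = initiator_notifies(SPI_I, SPI_R, ["192.168.5.115"], IKE_PORT,
                                  "203.0.113.1", IKE_PORT)
    return responder_nat_check(SPI_I, SPI_R, "203.0.113.1", IKE_PORT,
                               "198.51.100.7", IKE_PORT, src, dst)


def replay_public_to_public() -> dict:
    """Control case: the client really is 198.51.100.7, so nothing is behind NAT."""
    src, dst = initiator_notifies(SPI_I, SPI_R, ["198.51.100.7"], IKE_PORT,
                                  "203.0.113.1", IKE_PORT)
    return responder_nat_check(SPI_I, SPI_R, "203.0.113.1", IKE_PORT,
                               "198.51.100.7", IKE_PORT, src, dst)


if __name__ == "__main__":
    print("client behind NAT:", replay_logged_scenario())
    print("no NAT anywhere:  ", replay_public_to_public())
```

In the logged exchange the received dst_hash equals the router's precalculated dst_hash while the received src_hash does not match its precalculated src_hash, which is exactly the first scenario above: the gateway is not translated, the client is. To check a log by hand, pass the 22 bytes of a natd_chunk row to `natd_hash_from_chunk` and compare with the natd_hash row that follows it.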