[strongSwan] strongswan to lancom. No ip via ike-configmode
Andre
maillist at 5gbit.de
Wed Jul 27 15:07:36 CEST 2011
Hi,
I'm trying to get a strongSwan based VPN running. My Linux-based strongSwan client is configured to act as a road warrior to connect to a LANCOM VPN router.
Authentication is done with certs and most of the stuff is also running.
But my strongSwan client isn't able to get an IP via IKE config mode.
log on my strongswan client:
Jul 27 14:47:45 box1 pluto[7087]: "VPN" #3: initiating Main Mode
Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: received Vendor ID payload [RFC3947]
Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: ignoring Vendor ID payload [eeefa37809e32ad4de4f6b010c26a640]
Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: received Vendor ID payload [XAUTH]
Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: received Vendor ID payload [Dead Peer Detection]
Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: enabling possible NAT-traversal with method 3
Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: NAT-Traversal: Result using RFC 3947: both are NATed
Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: we have a cert and are sending it upon request
Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: Peer ID is ID_DER_ASN1_DN: 'C=DE, ST=N, L=O, O=N, OU=T, CN=GW, E=me at 5gbit.de'
Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: crl not found
Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: certificate status unknown
Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: ISAKMP SA established
Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: sending ModeCfg request
Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: parsing ModeCfg reply
Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: received ModeCfg reply, established
log on LANCOM VPN server:
root at GW:/ >
[VPN-Status] 2011/07/27 14:47:49,420
IKE info: The remote server 109.44.202.224:4500 (UDP) peer def-main-peer id supports draft-ietf-ipsec-isakmp-xauth
IKE info: The remote server 109.44.202.224:4500 (UDP) peer def-main-peer id negotiated rfc-3706-dead-peer-detection
IKE info: The remote server 109.44.202.224:4500 (UDP) peer def-main-peer id supports NAT-T in mode rfc
IKE info: The remote server 109.44.202.224:4500 (UDP) peer def-main-peer id supports NAT-T in mode rfc
IKE info: The remote server 109.44.202.224:4500 (UDP) peer def-main-peer id supports NAT-T in mode rfc
IKE info: The remote server 109.44.202.224:4500 (UDP) peer def-main-peer id supports NAT-T in mode rfc
IKE info: The remote server 109.44.202.224:4500 (UDP) peer def-main-peer id supports NAT-T in mode rfc
[VPN-Status] 2011/07/27 14:47:49,420
IKE info: phase-1 proposal failed: remote No 1 authentication method = rsa signature local No 1 authentication method = PRE_SHARED
IKE info: Phase-1 remote proposal 1 for peer def-main-peer matched with local proposal 2
[VPN-Status] 2011/07/27 14:47:49,940
IKE info: Set local ID to </C=DE/ST=N/L=O/O=N/OU=T/CN=GW/E=me at 5gbit.de>
[VPN-Status] 2011/07/27 14:47:50,170
IKE info: Phase-1 [responder] for peer def-main-peer between initiator id E=me at 5gbit.de,CN=Box1,OU=T,O=N,L=O,ST=N,C=DE, responder id E=me at 5gbit.de,CN=GW,OU=T,O=N,L=O,ST=N,C=DE done
IKE info: NAT-T enabled in mode rfc, we are behind a nat, the remote side is behind a nat
IKE info: SA ISAKMP for peer def-main-peer encryption aes-cbc authentication md5
IKE info: life time ( 3600 sec/ 0 kb)
[VPN-Status] 2011/07/27 14:47:50,170
IKE info: Phase-1 SA Rekeying Timeout (Soft-Event) for peer def-main-peer set to 3240 seconds (Responder)
[VPN-Status] 2011/07/27 14:47:50,170
IKE info: Phase-1 SA Timeout (Hard-Event) for peer def-main-peer set to 3600 seconds (Responder)
[VPN-Status] 2011/07/27 14:47:50,420
IKE info: IKE-CFG: Received REQUEST message with id 0 from peer def-main-peer
IKE info: IKE-CFG: Attribute INTERNAL_IP4_ADDRESS len 0 value (none) received
IKE info: IKE-CFG: Attribute INTERNAL_IP4_NETMASK len 4 value 255.255.255.255 received
[VPN-Status] 2011/07/27 14:47:50,420
IKE info: IKE-CFG: Creating REPLY message with id 0 for peer def-main-peer
IKE info: IKE-CFG: Attribute INTERNAL_IP4_NETMASK len 0 skipped
IKE info: IKE-CFG: Attribute INTERNAL_IP4_ADDRESS len 0 skipped
IKE info: IKE-CFG: Sending message
ipsec statusall:
000 Status of IKEv1 pluto daemon (strongSwan 4.3.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.2.4.1:4500
000 interface eth0/eth0 10.2.4.1:500
000 interface eth1/eth1 192.168.200.109:4500
000 interface eth1/eth1 192.168.200.109:500
000 interface wlan0/wlan0 10.2.3.100:4500
000 interface wlan0/wlan0 10.2.3.100:500
000 %myid = (none)
000 loaded plugins: curl ldap random pubkey openssl hmac gmp
000 debug options: none
000
000 "VPN": %modecfg===10.2.3.100:4500[C=DE, ST=N, L=O, O=N, OU=T, CN=Box1, E=me at 5gbit.de]---10.2.3.1...85.17.130.131:4500[C=DE, ST=N, L=O, O=N, OU=T, CN=GW, E=me at 5gbit.de]===192.168.1.0/24; unrouted; eroute owner: #0
000 "VPN": CAs: 'C=DE, ST=N, L=O, O=N, OU=T, CN=LinuxVPNCA, E=me at 5gbit.de'...'%any'
000 "VPN": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "VPN": policy: PUBKEY+ENCRYPT+TUNNEL+PFS+UP; prio: 24,32; interface: wlan0;
000 "VPN": newest ISAKMP SA: #3; newest IPsec SA: #0;
000 "VPN": IKE proposal: AES_CBC_128/HMAC_MD5/MODP_1024
000
000 #3: "VPN" STATE_MODE_CFG_I2 (received ModeCfg reply, established); EVENT_SA_REPLACE in 3225s; newest ISAKMP
000 #3: pending Phase 2 for "VPN" replacing #0
000
In the log files I can see that my road warrior tries to get an IP, but why doesn't my VPN router give it one?
Has anyone tried to get such a combination running?
Best regards
Andre
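The IKE-CFG trace on the LANCOM side is the decisive evidence in the post: the client's REQUEST carries INTERNAL_IP4_ADDRESS with len 0 (asking the gateway to fill it in), and the gateway's REPLY marks both attributes "skipped", so no address is ever assigned even though pluto reports "received ModeCfg reply, established". The script below is an added example, not code from strongSwan, LANCOM or the original poster. It parses lines constructed from the log excerpts above, reports every attribute the client asked for that the gateway left out of its reply, and, as a separate practitioner's check, flags the components of the negotiated IKE proposal that are weak by current standards (HMAC_MD5 and MODP_1024 in this trace). The list of weak identifiers is my own assumption about pluto's naming and is not exhaustive.

```python
"""Triage helper for an IKEv1 ModeCfg (IKE-CFG) address-assignment failure.

Added example; not part of strongSwan, LANCOM firmware or the original post.
Sample input is constructed from the log excerpts quoted in the post.
"""
import re

# Constructed sample: the IKE-CFG part of the LANCOM [VPN-Status] trace.
LANCOM_LOG = """\
IKE info: IKE-CFG: Received REQUEST message with id 0 from peer def-main-peer
IKE info: IKE-CFG: Attribute INTERNAL_IP4_ADDRESS len 0 value (none) received
IKE info: IKE-CFG: Attribute INTERNAL_IP4_NETMASK len 4 value 255.255.255.255 received
IKE info: IKE-CFG: Creating REPLY message with id 0 for peer def-main-peer
IKE info: IKE-CFG: Attribute INTERNAL_IP4_NETMASK len 0 skipped
IKE info: IKE-CFG: Attribute INTERNAL_IP4_ADDRESS len 0 skipped
IKE info: IKE-CFG: Sending message
"""

# Constructed sample: the proposal line from `ipsec statusall` in the post.
PLUTO_STATUS = '000 "VPN": IKE proposal: AES_CBC_128/HMAC_MD5/MODP_1024'

# "received" lines belong to the client's REQUEST, "skipped" lines to the
# gateway's REPLY. A len-0 attribute in a REQUEST means "please assign".
ATTR_RE = re.compile(
    r"IKE-CFG: Attribute (\S+) len (\d+)(?: value (\S+))? (received|skipped)"
)


def parse_ikecfg(text):
    """Return (requested, skipped).

    requested: attribute name -> value sent by the client, or None for len 0
    skipped:   attribute names the gateway dropped from its REPLY
    """
    requested, skipped = {}, []
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if not m:
            continue
        name, length, value, state = m.groups()
        if state == "received":
            requested[name] = value if int(length) else None
        else:
            skipped.append(name)
    return requested, skipped


def unanswered_requests(requested, skipped):
    """Attributes the client asked the gateway to assign (len 0) but which
    the gateway skipped in its reply. These are the 'no IP' symptom."""
    return [
        name for name, value in requested.items()
        if value is None and name in skipped
    ]


# Assumed pluto identifiers for algorithms a practitioner should not accept
# in a new deployment (MD5 is broken as a hash, 1024-bit DH is too small).
WEAK_IKE_COMPONENTS = {
    "HMAC_MD5": "MD5-based integrity/PRF",
    "MODP_768": "768-bit Diffie-Hellman group",
    "MODP_1024": "1024-bit Diffie-Hellman group",
    "DES_CBC": "single DES encryption",
    "3DES_CBC": "triple DES encryption",
}


def weak_ike_proposal(status_line):
    """Return the weak components of an 'IKE proposal: A/B/C' status line."""
    m = re.search(r"IKE proposal: (\S+)", status_line)
    if not m:
        return []
    return [part for part in m.group(1).split("/") if part in WEAK_IKE_COMPONENTS]


if __name__ == "__main__":
    req, skp = parse_ikecfg(LANCOM_LOG)
    for name in unanswered_requests(req, skp):
        print(f"{name}: requested by client, skipped in gateway reply")
    for part in weak_ike_proposal(PLUTO_STATUS):
        print(f"weak IKE component negotiated: {part} ({WEAK_IKE_COMPONENTS[part]})")
```

On the post's trace this reports INTERNAL_IP4_ADDRESS as requested-but-skipped, which points at the gateway side (the client already shows `%modecfg` as its virtual IP placeholder in `ipsec statusall`, so it is asking correctly); whether the LANCOM skips because no address pool is bound to the certificate-authenticated peer is my interpretation, not something the logs state. The proposal check is independent of the bug: AES-128 is fine, but HMAC_MD5 and MODP_1024 would not pass a review today.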