[strongSwan] strongswan to lancom. No ip via ike-configmode
Andreas Steffen
andreas.steffen at strongswan.org
Thu Jul 28 17:48:30 CEST 2011
Hello Andre,
> IKE info: IKE-CFG: Attribute INTERNAL_IP4_ADDRESS len 0 skipped
I don't know why the LANCOM VPN router doesn't want to assign a
virtual IP address although it gets a request.
Regards
Andreas
On 07/27/2011 03:07 PM, Andre wrote:
> Hi,
>
> I'm trying to get a strongswan-based VPN running. My Linux-based
> strongswan client is configured to act as a roadwarrior connecting to a
> LANCOM VPN router.
> Authentication is done with certs and most of the stuff is also
> running.
> But my strongswan client isn't able to get an IP via ike-configmode.
>
> log on my strongswan client:
> Jul 27 14:47:45 box1 pluto[7087]: "VPN" #3: initiating Main Mode
> Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n]
> Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03]
> Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: received Vendor ID payload
> [RFC3947]
> Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: ignoring Vendor ID payload
> [eeefa37809e32ad4de4f6b010c26a640]
> Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: received Vendor ID payload
> [XAUTH]
> Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: received Vendor ID payload
> [Dead Peer Detection]
> Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: enabling possible
> NAT-traversal with method 3
> Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: NAT-Traversal: Result using
> RFC 3947: both are NATed
> Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: we have a cert and are
> sending it upon request
> Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: Peer ID is ID_DER_ASN1_DN:
> 'C=DE, ST=N, L=O, O=N, OU=T, CN=GW, E=me at 5gbit.de'
> Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: crl not found
> Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: certificate status unknown
> Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: ISAKMP SA established
> Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: sending ModeCfg request
> Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: parsing ModeCfg reply
> Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: received ModeCfg reply,
> established
>
>
>
> log on lancom vpn server:
> root at GW:/
>>
> [VPN-Status] 2011/07/27 14:47:49,420
> IKE info: The remote server 109.44.202.224:4500 (UDP) peer
> def-main-peer id supports draft-ietf-ipsec-isakmp-xauth
> IKE info: The remote server 109.44.202.224:4500 (UDP) peer
> def-main-peer id negotiated rfc-3706-dead-peer-detection
> IKE info: The remote server 109.44.202.224:4500 (UDP) peer
> def-main-peer id supports NAT-T in mode rfc
> IKE info: The remote server 109.44.202.224:4500 (UDP) peer
> def-main-peer id supports NAT-T in mode rfc
> IKE info: The remote server 109.44.202.224:4500 (UDP) peer
> def-main-peer id supports NAT-T in mode rfc
> IKE info: The remote server 109.44.202.224:4500 (UDP) peer
> def-main-peer id supports NAT-T in mode rfc
> IKE info: The remote server 109.44.202.224:4500 (UDP) peer
> def-main-peer id supports NAT-T in mode rfc
>
> [VPN-Status] 2011/07/27 14:47:49,420
> IKE info: phase-1 proposal failed: remote No 1 authentication method =
> rsa signature local No 1 authentication method = PRE_SHARED
> IKE info: Phase-1 remote proposal 1 for peer def-main-peer matched with
> local proposal 2
>
> [VPN-Status] 2011/07/27 14:47:49,940
> IKE info: Set local ID to </C=DE/ST=N/L=O/O=N/OU=T/CN=GW/E=me at 5gbit.de>
>
> [VPN-Status] 2011/07/27 14:47:50,170
> IKE info: Phase-1 [responder] for peer def-main-peer between initiator
> id E=me at 5gbit.de,CN=Box1,OU=T,O=N,L=O,ST=N,C=DE, responder id
> E=me at 5gbit.de,CN=GW,OU=T,O=N,L=O,ST=N,C=DE done
> IKE info: NAT-T enabled in mode rfc, we are behind a nat, the remote
> side is behind a nat
> IKE info: SA ISAKMP for peer def-main-peer encryption aes-cbc
> authentication md5
> IKE info: life time ( 3600 sec/ 0 kb)
>
> [VPN-Status] 2011/07/27 14:47:50,170
> IKE info: Phase-1 SA Rekeying Timeout (Soft-Event) for peer
> def-main-peer set to 3240 seconds (Responder)
>
> [VPN-Status] 2011/07/27 14:47:50,170
> IKE info: Phase-1 SA Timeout (Hard-Event) for peer def-main-peer set to
> 3600 seconds (Responder)
>
> [VPN-Status] 2011/07/27 14:47:50,420
> IKE info: IKE-CFG: Received REQUEST message with id 0 from peer
> def-main-peer
> IKE info: IKE-CFG: Attribute INTERNAL_IP4_ADDRESS len 0 value (none)
> received
> IKE info: IKE-CFG: Attribute INTERNAL_IP4_NETMASK len 4 value
> 255.255.255.255 received
>
> [VPN-Status] 2011/07/27 14:47:50,420
> IKE info: IKE-CFG: Creating REPLY message with id 0 for peer
> def-main-peer
> IKE info: IKE-CFG: Attribute INTERNAL_IP4_NETMASK len 0 skipped
> IKE info: IKE-CFG: Attribute INTERNAL_IP4_ADDRESS len 0 skipped
> IKE info: IKE-CFG: Sending message
>
>
>
> ipsec statusall:
> 000 Status of IKEv1 pluto daemon (strongSwan 4.3.2):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:4500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth0/eth0 10.2.4.1:4500
> 000 interface eth0/eth0 10.2.4.1:500
> 000 interface eth1/eth1 192.168.200.109:4500
> 000 interface eth1/eth1 192.168.200.109:500
> 000 interface wlan0/wlan0 10.2.3.100:4500
> 000 interface wlan0/wlan0 10.2.3.100:500
> 000 %myid = (none)
> 000 loaded plugins: curl ldap random pubkey openssl hmac gmp
> 000 debug options: none
> 000
> 000 "VPN": %modecfg===10.2.3.100:4500[C=DE, ST=N, L=O, O=N, OU=T,
> CN=Box1, E=me at 5gbit.de]---10.2.3.1...85.17.130.131:4500[C=DE, ST=N, L=O,
> O=N, OU=T, CN=GW, E=me at 5gbit.de]===192.168.1.0/24; unrouted; eroute
> owner: #0
> 000 "VPN": CAs: 'C=DE, ST=N, L=O, O=N, OU=T, CN=LinuxVPNCA,
> E=me at 5gbit.de'...'%any'
> 000 "VPN": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
> rekey_fuzz: 100%; keyingtries: 0
> 000 "VPN": policy: PUBKEY+ENCRYPT+TUNNEL+PFS+UP; prio: 24,32;
> interface: wlan0;
> 000 "VPN": newest ISAKMP SA: #3; newest IPsec SA: #0;
> 000 "VPN": IKE proposal: AES_CBC_128/HMAC_MD5/MODP_1024
> 000
> 000 #3: "VPN" STATE_MODE_CFG_I2 (received ModeCfg reply, established);
> EVENT_SA_REPLACE in 3225s; newest ISAKMP
> 000 #3: pending Phase 2 for "VPN" replacing #0
> 000
>
> In the log files I can see that my roadwarrior tries to get an IP, but
> why doesn't my VPN router give it one?
> Anyone tried to get such a combination running?
>
> best regards
> Andre
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
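The "len 0 skipped" lines in the LANCOM log describe the wire format of the IKEv1 Mode Config exchange: the client's CFG_REQUEST carries an empty INTERNAL_IP4_ADDRESS attribute (meaning "please assign one"), and a CFG_REPLY that also carries it with length 0 has assigned nothing. The following script, an added illustration that is not part of the thread or of strongSwan, encodes and parses ISAKMP configuration payloads (payload header and TLV/TV data attributes as in RFC 2408 and the Mode Config draft) and flags a reply that assigns no address; the sample payloads are constructed to mirror the exchange in Andre's log.

```python
import struct
from typing import List, Optional, Tuple

# ISAKMP Mode Config message and attribute types
CFG_REQUEST, CFG_REPLY = 1, 2
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK = 1, 2

def encode_attr(attr_type: int, value: bytes = b"") -> bytes:
    """TLV attribute: AF bit (bit 15) clear, 15-bit type, 2-byte length, value."""
    return struct.pack("!HH", attr_type & 0x7FFF, len(value)) + value

def build_cfg_payload(msg_type: int, ident: int, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Configuration payload: next-payload, reserved, length, type, reserved, identifier."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    return struct.pack("!BBHBBH", 0, 0, 8 + len(body), msg_type, 0, ident) + body

def parse_cfg_payload(data: bytes) -> Tuple[int, int, List[Tuple[int, bytes]]]:
    """Return (message type, identifier, [(attribute type, raw value), ...])."""
    _, _, length, msg_type, _, ident = struct.unpack("!BBHBBH", data[:8])
    if length != len(data):
        raise ValueError("payload length field does not match data length")
    attrs, off = [], 8
    while off < length:
        (hdr,) = struct.unpack("!H", data[off:off + 2])
        if hdr & 0x8000:                      # TV form: 2-byte value, no length
            attrs.append((hdr & 0x7FFF, data[off + 2:off + 4]))
            off += 4
        else:                                 # TLV form: explicit length
            (alen,) = struct.unpack("!H", data[off + 2:off + 4])
            attrs.append((hdr, data[off + 4:off + 4 + alen]))
            off += 4 + alen
    return msg_type, ident, attrs

def assigned_ip4(reply: bytes) -> Optional[str]:
    """Dotted-quad virtual IP from a CFG_REPLY, or None if the peer assigned none."""
    msg_type, _, attrs = parse_cfg_payload(reply)
    if msg_type != CFG_REPLY:
        return None
    for t, v in attrs:
        if t == INTERNAL_IP4_ADDRESS and len(v) == 4:
            return ".".join(str(b) for b in v)
    return None  # attribute absent or zero-length, as in the LANCOM log

# Constructed samples mirroring the exchange in the log (id 0)
CLIENT_REQUEST = build_cfg_payload(CFG_REQUEST, 0, [
    (INTERNAL_IP4_ADDRESS, b""), (INTERNAL_IP4_NETMASK, bytes([255, 255, 255, 255]))])
LANCOM_STYLE_REPLY = build_cfg_payload(CFG_REPLY, 0, [
    (INTERNAL_IP4_NETMASK, b""), (INTERNAL_IP4_ADDRESS, b"")])
GOOD_REPLY = build_cfg_payload(CFG_REPLY, 0, [
    (INTERNAL_IP4_ADDRESS, bytes([10, 1, 1, 5])), (INTERNAL_IP4_NETMASK, bytes([255, 255, 255, 255]))])
```

Running `assigned_ip4` over a captured reply (e.g. one decoded from a pluto debug trace) tells you immediately whether the responder actually handed out an address or only echoed the request shape.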