[strongSwan] ikev1-net2net-psk help
Andreas Steffen
andreas.steffen at strongswan.org
Wed Mar 2 16:07:51 CET 2011
Hello Andrea,
if you define auto=add then you must explicitly start the
IKE negotiation with the command
ipsec up net-net
Only if you define auto=start, the connection setup takes
place automatically with
ipsec start
A third possibility would be to install an IPsec policy
in the kernel with auto=route. The first packet destined
for the tunnel will then trigger the IKE negotiation.
Regards
Andreas
On 02.03.2011 14:37, Andrea Lanza wrote:
> Hi all,
> I am absolutly new to strongswan.
>
> I have to setup a scenario in which 2 separated private networks are connected via internet
>
> with ipsec
>
> The scenario is exactly the one described in Test ikev1/met2net-psk
>
> http://www.strongswan.org/uml/testresults/ikev1/net2net-psk/
>
> I control only the left side, beiing the right side administered by another company, which
>
> uses hw devices.
>
> The problem I am facing is this: absolutely no packets exit from my gateway towards the
>
> other gateway !
>
> I saw this using iptables log packet on outgoing packets, and also on remote gateway not
>
> receiving any packets
>
> I was using opensuse 11.3 and openvpn 4.4 (boundled in opensuse 11.3)
>
> Then I uninstalled and downloaded and compiled the 4.5.1 version: no changes, no errors are
>
> detected
> everything seems to be very fine PSK is loaded... but no packets come out of my box...!
>
>
> here is my setup:
>
> ipsec.conf
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> config setup
> plutodebug=control
> charonstart=no
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev1
> authby=secret
>
> conn net-net
> left=<my public ip address here scrambled>
> leftsubnet=192.168.2.0/24
> leftid=@vrtappmi02.mydomain.mycountry
> leftfirewall=yes
> right=<theirs public ip address here scrambled>
> rightsubnet=10.126.99.0/24
> rightid=@ipsecgw.theirsdomanin.theirscountry
> auto=add
>
>
> ipsec.secrets
> #
> # ipsec.secrets
> #
> # This file holds the RSA private keys or the PSK preshared secrets for # the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
> #
> @vrtappmi02.mydomain.mycountry @ipsecgw.theirsdomanin.theirscountry : PSK
>
> "thisisthescrambledkey"
>
>
>
> strongswan.conf
>
> pluto {
> #load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink # load = aes des sha1 md5 sha2 hmac gmp random pubkey
>
> # load = sha1 sha2 md5 aes des hmac gmp random pubkey }
>
> # pluto uses optimized DH exponent sizes (RFC 3526)
>
> libstrongswan {
> dh_exponent_ansi_x9_42 = no
> }
>
>
>
> when I start ipsec I can read this in messages log:
>
>
> Mar 2 14:18:53 vrtappmi02 ipsec_starter[3722]: Starting strongSwan 4.5.1 IPsec
>
> [starter]...
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: Starting IKEv1 pluto daemon (strongSwan 4.5.1)
>
> THREADS VENDORID
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: listening on interfaces:
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: eth0
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: <my public ip address here scrambled>
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: fe80::20c:29ff:fe23:4272
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: eth1
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: 192.168.2.225
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: fe80::20c:29ff:fe23:427c
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loaded plugins: aes des sha1 sha2 md5 random x509
>
> pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve Mar 2 14:18:53 vrtappmi02 pluto[3731]: | inserting event EVENT_REINIT_SECRET, timeout in
>
> 3600 seconds
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: including NAT-Traversal patch (Version 0.6c)
>
> [disabled]
> Mar 2 14:18:53 vrtappmi02 ipsec_starter[3730]: pluto (3731) started after 20 ms Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading ca certificates from '/etc/ipsec.d/cacerts'
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading aa certificates from '/etc/ipsec.d/aacerts'
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading ocsp certificates from
>
> '/etc/ipsec.d/ocspcerts'
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: Changing to directory '/etc/ipsec.d/crls'
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading attribute certificates from
>
> '/etc/ipsec.d/acerts'
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: spawning 4 worker threads Mar 2 14:18:53 vrtappmi02 pluto[3731]: | inserting event EVENT_LOG_DAILY, timeout in 34867
>
> seconds
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds Mar 2 14:18:53 vrtappmi02 pluto[3731]: | Mar 2 14:18:53 vrtappmi02 pluto[3731]: | *received whack message Mar 2 14:18:53 vrtappmi02 pluto[3731]: listening for IKE messages Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 127.0.0.1 Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 127.0.0.2 Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found eth0 with address <my public ip address
>
> here scrambled>
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found eth1 with address 192.168.2.225 Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface eth1/eth1 192.168.2.225:500 Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface eth0/eth0 <my public ip address
>
> here scrambled>:500
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo 127.0.0.2:500 Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo 127.0.0.1:500 Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address
>
> 0000:0000:0000:0000:0000:0000:0000:0001
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo ::1:500 Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading secrets from "/etc/ipsec.secrets"
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loaded PSK secret for
>
> vrtappmi02.mydomain.mycountry ipsecgw.ipsecgw.theirsdomanin.theirscountry
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds Mar 2 14:18:53 vrtappmi02 pluto[3731]: | Mar 2 14:18:53 vrtappmi02 pluto[3731]: | *received whack message Mar 2 14:18:53 vrtappmi02 pluto[3731]: | from whack: got --esp=aes128-sha1,3des-sha1 Mar 2 14:18:53 vrtappmi02 pluto[3731]: | esp proposal: AES_CBC_128/HMAC_SHA1,
>
> 3DES_CBC/HMAC_SHA1,
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | from whack: got --ike=aes128-sha1-modp2048,3des-
>
> sha1-modp1536
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048,
>
> 3DES_CBC/HMAC_SHA1/MODP_1536,
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: added connection description "net-net"
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | 192.168.2.0/24===<my public ip address here
>
> scrambled>[vrtappmi02.mydomain.mycountry]...<theirs public ip address
> scrambled>here scrambled>
>
> [ipsecgw.theirsdomanin.theirscountry]===10.126.99.0/24
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | ike_life: 3600s; ipsec_life: 1200s; rekey_margin:
>
> 180s; rekey_fuzz: 100%; keyingtries: 1; policy: PSK+ENCRYPT+TUNNEL+PFS Mar 2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds
>
>
>
> ipsec statusall shows:
>
> 000 Status of IKEv1 pluto daemon (strongSwan 4.5.1):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface lo/lo 127.0.0.2:500
> 000 interface eth0/eth0 <my public ip address here scrambled>:500 000 interface eth1/eth1 192.168.2.225:500 000 %myid = '%any'
> 000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth
>
> attr kernel-netlink resolve
> 000 debug options: control
> 000
> 000 "net-net": 192.168.2.0/24===<my public ip address here scrambled>
>
> [vrtappmi02.mydomain.mycountry]...<theirs public ip address here scrambled>
>
> [ipsecgw.theirsdomain.theirscountry]===10.126.99.0/24; unrouted; eroute owner: #0
> 000 "net-net": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%;
>
> keyingtries: 1
> 000 "net-net": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth0;
> 000 "net-net": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
>
>
> comparing with ipsec statusall shown in the test scenario on the site, the last part is missing, but I think the problem is that NO packets transmitted, no IKE proposed.
>
> What can I check ?
>
> thanks in advance,
> Andrea
>
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
More information about the Users
mailing list