[strongSwan] ikev1-net2net-psk help

Andreas Steffen andreas.steffen at strongswan.org
Wed Mar 2 16:07:51 CET 2011


Hello Andrea,

if you define auto=add then you must explicitly start the
IKE negotiation with the command

  ipsec up net-net

Only if you define auto=start, the connection setup takes
place automatically with

  ipsec start

A third possibility would be to install an IPsec policy
in the kernel with auto=route. The first packet destined
for the tunnel will then trigger the IKE negotiation.

Regards

Andreas

On 02.03.2011 14:37, Andrea Lanza wrote:
> Hi all,
> I am absolutely new to strongswan.
> 
> I have to set up a scenario in which 2 separate private networks are connected via the internet with ipsec
> 
> The scenario is exactly the one described in Test ikev1/net2net-psk
> 
> http://www.strongswan.org/uml/testresults/ikev1/net2net-psk/
> 
> I control only the left side, the right side being administered by another company, which uses hw devices.
> 
> The problem I am facing is this: absolutely no packets exit from my gateway towards the other gateway!
> 
> I saw this using iptables log packet on outgoing packets, and also on the remote gateway not receiving any packets
> 
> I was using opensuse 11.3 and openvpn 4.4 (bundled in opensuse 11.3)
> 
> Then I uninstalled and downloaded and compiled the 4.5.1 version: no changes, no errors are detected;
> everything seems to be very fine, PSK is loaded... but no packets come out of my box...!
> 
> 
> here is my setup:
> 
> ipsec.conf
> 
> # ipsec.conf - strongSwan IPsec configuration file
> 
> config setup
>         plutodebug=control
>         charonstart=no
> 
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev1
>         authby=secret
> 
> conn net-net
>         left=<my public ip address here scrambled>
>         leftsubnet=192.168.2.0/24
>         leftid=@vrtappmi02.mydomain.mycountry
>         leftfirewall=yes
>         right=<theirs public ip address here scrambled>
>         rightsubnet=10.126.99.0/24
>         rightid=@ipsecgw.theirsdomanin.theirscountry
>         auto=add
> 
> 
> ipsec.secrets
> #
> # ipsec.secrets
> #
> # This file holds the RSA private keys or the PSK preshared secrets for
> # the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
> #
> @vrtappmi02.mydomain.mycountry @ipsecgw.theirsdomanin.theirscountry : PSK "thisisthescrambledkey"
> 
> 
> 
> strongswan.conf
> 
> pluto {
>   #load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
>   # load = aes des sha1 md5 sha2 hmac gmp random pubkey
>   # load = sha1 sha2 md5 aes des hmac gmp random pubkey
> }
> 
> # pluto uses optimized DH exponent sizes (RFC 3526)
> libstrongswan {
>   dh_exponent_ansi_x9_42 = no
> }
> 
> 
> 
> when I start ipsec I can read this in messages log:
> 
> 
> Mar  2 14:18:53 vrtappmi02 ipsec_starter[3722]: Starting strongSwan 4.5.1 IPsec [starter]...
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: Starting IKEv1 pluto daemon (strongSwan 4.5.1) THREADS VENDORID
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: listening on interfaces:
> Mar  2 14:18:53 vrtappmi02 pluto[3731]:   eth0
> Mar  2 14:18:53 vrtappmi02 pluto[3731]:     <my public ip address here scrambled>
> Mar  2 14:18:53 vrtappmi02 pluto[3731]:     fe80::20c:29ff:fe23:4272
> Mar  2 14:18:53 vrtappmi02 pluto[3731]:   eth1
> Mar  2 14:18:53 vrtappmi02 pluto[3731]:     192.168.2.225
> Mar  2 14:18:53 vrtappmi02 pluto[3731]:     fe80::20c:29ff:fe23:427c
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
> Mar  2 14:18:53 vrtappmi02 pluto[3731]:   including NAT-Traversal patch (Version 0.6c) [disabled]
> Mar  2 14:18:53 vrtappmi02 ipsec_starter[3730]: pluto (3731) started after 20 ms
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: loading ca certificates from '/etc/ipsec.d/cacerts'
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: loading aa certificates from '/etc/ipsec.d/aacerts'
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: Changing to directory '/etc/ipsec.d/crls'
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: loading attribute certificates from '/etc/ipsec.d/acerts'
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: spawning 4 worker threads
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | inserting event EVENT_LOG_DAILY, timeout in 34867 seconds
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: |
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | *received whack message
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: listening for IKE messages
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 127.0.0.1
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 127.0.0.2
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | found eth0 with address <my public ip address here scrambled>
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | found eth1 with address 192.168.2.225
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: adding interface eth1/eth1 192.168.2.225:500
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: adding interface eth0/eth0 <my public ip address here scrambled>:500
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo 127.0.0.2:500
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo 127.0.0.1:500
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo ::1:500
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: loading secrets from "/etc/ipsec.secrets"
> Mar  2 14:18:53 vrtappmi02 pluto[3731]:   loaded PSK secret for vrtappmi02.mydomain.mycountry ipsecgw.ipsecgw.theirsdomanin.theirscountry
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: |
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | *received whack message
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | from whack: got --esp=aes128-sha1,3des-sha1
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: added connection description "net-net"
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | 192.168.2.0/24===<my public ip address here scrambled>[vrtappmi02.mydomain.mycountry]...<theirs public ip address here scrambled>[ipsecgw.theirsdomanin.theirscountry]===10.126.99.0/24
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1; policy: PSK+ENCRYPT+TUNNEL+PFS
> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds
> 
> 
> 
> ipsec statusall shows:
> 
> 000 Status of IKEv1 pluto daemon (strongSwan 4.5.1):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface lo/lo 127.0.0.2:500
> 000 interface eth0/eth0 <my public ip address here scrambled>:500
> 000 interface eth1/eth1 192.168.2.225:500
> 000 %myid = '%any'
> 000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
> 000 debug options: control
> 000
> 000 "net-net": 192.168.2.0/24===<my public ip address here scrambled>[vrtappmi02.mydomain.mycountry]...<theirs public ip address here scrambled>[ipsecgw.theirsdomain.theirscountry]===10.126.99.0/24; unrouted; eroute owner: #0
> 000 "net-net":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
> 000 "net-net":   policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth0;
> 000 "net-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
> 
> 
> Comparing with the ipsec statusall shown in the test scenario on the site, the last part is missing, but I think the problem is that NO packets are transmitted, no IKE proposed.
> 
> What can I check?
> 
> thanks in advance,
> Andrea
> 
> 


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
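Added example, not part of this thread and not strongSwan's own code: a small Python parser that reads an ipsec.conf like the one posted, merges conn %default into each conn, and reports how each conn is established according to its auto= value (add needs ipsec up, start comes up with ipsec start, route installs a trap policy). The sample config and its addresses are constructed placeholders.

```python
"""Added example, not from the mailing list post: resolve ipsec.conf
conn sections and explain how each one gets established."""

# Constructed sample mirroring the posted config; addresses are placeholders.
SAMPLE_CONF = """\
config setup
        plutodebug=control

conn %default
        keyexchange=ikev1
        authby=secret

conn net-net
        left=203.0.113.10
        leftsubnet=192.168.2.0/24
        right=198.51.100.20
        rightsubnet=10.126.99.0/24
        auto=add
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if not raw[:1].isspace():                 # unindented: 'conn NAME' / 'config setup'
            kind, _, name = line.partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None:                 # indented: key=value parameter
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **params}
            for (kind, name), params in sections.items()
            if kind == "conn" and name != "%default"}

# How the daemon treats each auto= value (ipsec.conf(5); default is 'ignore').
ACTIONS = {
    "add":    "loaded only; run 'ipsec up {name}' to start IKE",
    "start":  "IKE negotiation starts automatically on 'ipsec start'",
    "route":  "trap policy installed in the kernel; first matching packet triggers IKE",
    "ignore": "connection is ignored",
}

def startup_actions(text):
    """Map each conn name to a description of how it comes up."""
    return {name: ACTIONS.get(p.get("auto", "ignore"), "unknown auto= value").format(name=name)
            for name, p in parse_ipsec_conf(text).items()}
```

Run against the posted config, the only conn reports that an explicit ipsec up is needed, which matches the unrouted, no-packets state in the question.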



