[strongSwan] R: ikev1-net2net-psk help
Andrea Lanza
andrea.lanza at frameweb.it
Wed Mar 2 16:20:00 CET 2011
thank for your answer
we discovered it by ourselves, but now the scenario changed:
ike phase 1 is ok
phase 2 hangs:
now we have:
ipsec.conf
onfig setup
plutodebug=all
charonstart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
authby=secret
conn net-net
authby=psk
keyexchange=ikev1
left=...
leftsubnet=192.168.2.0/24
leftid=@vrtappmi02.....
leftfirewall=yes
right=....
rightsubnet=10.126.99.0/24
rightid=@ipsecgw.....
ike=3des-sha1-modp1024
compress=no
auto=start
pfs=no
esp=3des-sha1-modp1024
ipsec statusall:
000
000 #2: "net-net" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 37s
000 #2: pending Phase 2 for "net-net" replacing #0
000
debug shows a lot of messages exchanged by the gateways, but they contain "sensible" data, I think...
maybe I can send that output separately, if you think it can be usefull
Andrea
> -----Messaggio originale-----
> Da: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Inviato: mercoledì 2 marzo 2011 16:08
> A: Andrea Lanza
> Cc: 'users at lists.strongswan.org'
> Oggetto: Re: [strongSwan] ikev1-net2net-psk help
>
> Hello Andrea,
>
> if you define auto=add then you must explicitly start the
> IKE negotiation with the command
>
> ipsec up net-net
>
> Only if you define auto=start, the connection setup takes
> place automatically with
>
> ipsec start
>
> A third possibility would be to install an IPsec policy
> in the kernel with auto=route. The first packet destined
> for the tunnel will then trigger the IKE negotiation.
>
> Regards
>
> Andreas
>
> On 02.03.2011 14:37, Andrea Lanza wrote:
> > Hi all,
> > I am absolutly new to strongswan.
> >
> > I have to setup a scenario in which 2 separated private networks are
> connected via internet
> >
> > with ipsec
> >
> > The scenario is exactly the one described in Test ikev1/met2net-psk
> >
> > http://www.strongswan.org/uml/testresults/ikev1/net2net-psk/
> >
> > I control only the left side, beiing the right side administered by
> another company, which
> >
> > uses hw devices.
> >
> > The problem I am facing is this: absolutely no packets exit from my
> gateway towards the
> >
> > other gateway !
> >
> > I saw this using iptables log packet on outgoing packets, and also on
> remote gateway not
> >
> > receiving any packets
> >
> > I was using opensuse 11.3 and openvpn 4.4 (boundled in opensuse 11.3)
> >
> > Then I uninstalled and downloaded and compiled the 4.5.1 version: no
> changes, no errors are
> >
> > detected
> > everything seems to be very fine PSK is loaded... but no packets come
> out of my box...!
> >
> >
> > here is my setup:
> >
> > ipsec.conf
> >
> > # ipsec.conf - strongSwan IPsec configuration file
> >
> > config setup
> > plutodebug=control
> > charonstart=no
> >
> > conn %default
> > ikelifetime=60m
> > keylife=20m
> > rekeymargin=3m
> > keyingtries=1
> > keyexchange=ikev1
> > authby=secret
> >
> > conn net-net
> > left=<my public ip address here scrambled>
> > leftsubnet=192.168.2.0/24
> > leftid=@vrtappmi02.mydomain.mycountry
> > leftfirewall=yes
> > right=<theirs public ip address here scrambled>
> > rightsubnet=10.126.99.0/24
> > rightid=@ipsecgw.theirsdomanin.theirscountry
> > auto=add
> >
> >
> > ipsec.secrets
> > #
> > # ipsec.secrets
> > #
> > # This file holds the RSA private keys or the PSK preshared secrets
> for # the IKE/IPsec authentication. See the ipsec.secrets(5) manual
> page.
> > #
> > @vrtappmi02.mydomain.mycountry @ipsecgw.theirsdomanin.theirscountry :
> PSK
> >
> > "thisisthescrambledkey"
> >
> >
> >
> > strongswan.conf
> >
> > pluto {
> > #load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink # load =
> aes des sha1 md5 sha2 hmac gmp random pubkey
> >
> > # load = sha1 sha2 md5 aes des hmac gmp random pubkey }
> >
> > # pluto uses optimized DH exponent sizes (RFC 3526)
> >
> > libstrongswan {
> > dh_exponent_ansi_x9_42 = no
> > }
> >
> >
> >
> > when I start ipsec I can read this in messages log:
> >
> >
> > Mar 2 14:18:53 vrtappmi02 ipsec_starter[3722]: Starting strongSwan
> 4.5.1 IPsec
> >
> > [starter]...
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: Starting IKEv1 pluto daemon
> (strongSwan 4.5.1)
> >
> > THREADS VENDORID
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: listening on interfaces:
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: eth0
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: <my public ip address
> here scrambled>
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: fe80::20c:29ff:fe23:4272
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: eth1
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: 192.168.2.225
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: fe80::20c:29ff:fe23:427c
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: loaded plugins: aes des sha1
> sha2 md5 random x509
> >
> > pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve Mar
> 2 14:18:53 vrtappmi02 pluto[3731]: | inserting event
> EVENT_REINIT_SECRET, timeout in
> >
> > 3600 seconds
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: including NAT-Traversal
> patch (Version 0.6c)
> >
> > [disabled]
> > Mar 2 14:18:53 vrtappmi02 ipsec_starter[3730]: pluto (3731) started
> after 20 ms Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading ca
> certificates from '/etc/ipsec.d/cacerts'
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading aa certificates from
> '/etc/ipsec.d/aacerts'
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading ocsp certificates
> from
> >
> > '/etc/ipsec.d/ocspcerts'
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: Changing to directory
> '/etc/ipsec.d/crls'
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading attribute
> certificates from
> >
> > '/etc/ipsec.d/acerts'
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: spawning 4 worker threads Mar
> 2 14:18:53 vrtappmi02 pluto[3731]: | inserting event EVENT_LOG_DAILY,
> timeout in 34867
> >
> > seconds
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: | next event
> EVENT_REINIT_SECRET in 3600 seconds Mar 2 14:18:53 vrtappmi02
> pluto[3731]: | Mar 2 14:18:53 vrtappmi02 pluto[3731]: | *received
> whack message Mar 2 14:18:53 vrtappmi02 pluto[3731]: listening for IKE
> messages Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found lo with
> address 127.0.0.1 Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found lo
> with address 127.0.0.2 Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found
> eth0 with address <my public ip address
> >
> > here scrambled>
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found eth1 with address
> 192.168.2.225 Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface
> eth1/eth1 192.168.2.225:500 Mar 2 14:18:53 vrtappmi02 pluto[3731]:
> adding interface eth0/eth0 <my public ip address
> >
> > here scrambled>:500
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo
> 127.0.0.2:500 Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface
> lo/lo 127.0.0.1:500 Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found lo
> with address
> >
> > 0000:0000:0000:0000:0000:0000:0000:0001
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo
> ::1:500 Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading secrets from
> "/etc/ipsec.secrets"
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: loaded PSK secret for
> >
> > vrtappmi02.mydomain.mycountry
> ipsecgw.ipsecgw.theirsdomanin.theirscountry
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: | next event
> EVENT_REINIT_SECRET in 3600 seconds Mar 2 14:18:53 vrtappmi02
> pluto[3731]: | Mar 2 14:18:53 vrtappmi02 pluto[3731]: | *received
> whack message Mar 2 14:18:53 vrtappmi02 pluto[3731]: | from whack: got
> --esp=aes128-sha1,3des-sha1 Mar 2 14:18:53 vrtappmi02 pluto[3731]: |
> esp proposal: AES_CBC_128/HMAC_SHA1,
> >
> > 3DES_CBC/HMAC_SHA1,
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: | from whack: got --
> ike=aes128-sha1-modp2048,3des-
> >
> > sha1-modp1536
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: | ike proposal:
> AES_CBC_128/HMAC_SHA1/MODP_2048,
> >
> > 3DES_CBC/HMAC_SHA1/MODP_1536,
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: added connection description
> "net-net"
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: | 192.168.2.0/24===<my public
> ip address here
> >
> > scrambled>[vrtappmi02.mydomain.mycountry]...<theirs public ip address
> > scrambled>here scrambled>
> >
> > [ipsecgw.theirsdomanin.theirscountry]===10.126.99.0/24
> > Mar 2 14:18:53 vrtappmi02 pluto[3731]: | ike_life: 3600s;
> ipsec_life: 1200s; rekey_margin:
> >
> > 180s; rekey_fuzz: 100%; keyingtries: 1; policy:
> PSK+ENCRYPT+TUNNEL+PFS Mar 2 14:18:53 vrtappmi02 pluto[3731]: | next
> event EVENT_REINIT_SECRET in 3600 seconds
> >
> >
> >
> > ipsec statusall shows:
> >
> > 000 Status of IKEv1 pluto daemon (strongSwan 4.5.1):
> > 000 interface lo/lo ::1:500
> > 000 interface lo/lo 127.0.0.1:500
> > 000 interface lo/lo 127.0.0.2:500
> > 000 interface eth0/eth0 <my public ip address here scrambled>:500 000
> interface eth1/eth1 192.168.2.225:500 000 %myid = '%any'
> > 000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp
> dnskey pem gmp hmac xauth
> >
> > attr kernel-netlink resolve
> > 000 debug options: control
> > 000
> > 000 "net-net": 192.168.2.0/24===<my public ip address here scrambled>
> >
> > [vrtappmi02.mydomain.mycountry]...<theirs public ip address here
> scrambled>
> >
> > [ipsecgw.theirsdomain.theirscountry]===10.126.99.0/24; unrouted;
> eroute owner: #0
> > 000 "net-net": ike_life: 3600s; ipsec_life: 1200s; rekey_margin:
> 180s; rekey_fuzz: 100%;
> >
> > keyingtries: 1
> > 000 "net-net": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 24,24;
> interface: eth0;
> > 000 "net-net": newest ISAKMP SA: #0; newest IPsec SA: #0;
> > 000
> >
> >
> > comparing with ipsec statusall shown in the test scenario on the
> site, the last part is missing, but I think the problem is that NO
> packets transmitted, no IKE proposed.
> >
> > What can I check ?
> >
> > thanks in advance,
> > Andrea
> >
> >
>
>
> --
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the Users
mailing list