[strongSwan] R: ikev1-net2net-psk help

Andreas Steffen andreas.steffen at strongswan.org
Wed Mar 2 16:22:06 CET 2011


Yes, without this output I cannot make any diagnosis.

Regards

Andreas

On 02.03.2011 16:20, Andrea Lanza wrote:
> thanks for your answer
> 
> we discovered it by ourselves, but now the scenario changed:
> 
> ike phase 1 is ok
> 
> phase 2 hangs:
> 
> now we have:
> 
> ipsec.conf
> config setup
>         plutodebug=all
>         charonstart=no
> 
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev1
>         authby=secret
> 
> conn net-net
>         authby=psk
>         keyexchange=ikev1
>         left=...
>         leftsubnet=192.168.2.0/24
>         leftid=@vrtappmi02.....
>         leftfirewall=yes
>         right=....
>         rightsubnet=10.126.99.0/24
>         rightid=@ipsecgw.....
>         ike=3des-sha1-modp1024
>         compress=no
>         auto=start
>         pfs=no
>         esp=3des-sha1-modp1024
> 
> 
> ipsec statusall:
> 
> 000
> 000 #2: "net-net" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 37s
> 000 #2: pending Phase 2 for "net-net" replacing #0
> 000
> 
> 
> debug shows a lot of messages exchanged by the gateways, but they contain "sensible" data, I think...
> 
> maybe I can send that output separately, if you think it can be useful
> 
> Andrea
> 
> 
> 
> 
>> -----Original Message-----
>> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
>> Sent: Wednesday, 2 March 2011 16:08
>> To: Andrea Lanza
>> Cc: 'users at lists.strongswan.org'
>> Subject: Re: [strongSwan] ikev1-net2net-psk help
>>
>> Hello Andrea,
>>
>> if you define auto=add then you must explicitly start the
>> IKE negotiation with the command
>>
>>   ipsec up net-net
>>
>> Only if you define auto=start, the connection setup takes
>> place automatically with
>>
>>   ipsec start
>>
>> A third possibility would be to install an IPsec policy
>> in the kernel with auto=route. The first packet destined
>> for the tunnel will then trigger the IKE negotiation.
>>
>> Regards
>>
>> Andreas
>>
>> On 02.03.2011 14:37, Andrea Lanza wrote:
>>> Hi all,
>>> I am absolutely new to strongswan.
>>>
>>> I have to set up a scenario in which 2 separated private networks are
>>> connected via internet with ipsec.
>>>
>>> The scenario is exactly the one described in Test ikev1/net2net-psk
>>>
>>> http://www.strongswan.org/uml/testresults/ikev1/net2net-psk/
>>>
>>> I control only the left side, the right side being administered by
>>> another company, which uses hw devices.
>>>
>>> The problem I am facing is this: absolutely no packets exit from my
>>> gateway towards the other gateway !
>>>
>>> I saw this using iptables log packet on outgoing packets, and also on
>>> the remote gateway not receiving any packets
>>>
>>> I was using opensuse 11.3 and openvpn 4.4 (bundled in opensuse 11.3)
>>>
>>> Then I uninstalled and downloaded and compiled the 4.5.1 version: no
>>> changes, no errors are detected
>>> everything seems to be very fine, PSK is loaded... but no packets come
>>> out of my box...!
>>>
>>> here is my setup:
>>>
>>> ipsec.conf
>>>
>>> # ipsec.conf - strongSwan IPsec configuration file
>>>
>>> config setup
>>>         plutodebug=control
>>>         charonstart=no
>>>
>>> conn %default
>>>         ikelifetime=60m
>>>         keylife=20m
>>>         rekeymargin=3m
>>>         keyingtries=1
>>>         keyexchange=ikev1
>>>         authby=secret
>>>
>>> conn net-net
>>>         left=<my public ip address here scrambled>
>>>         leftsubnet=192.168.2.0/24
>>>         leftid=@vrtappmi02.mydomain.mycountry
>>>         leftfirewall=yes
>>>         right=<theirs public ip address here scrambled>
>>>         rightsubnet=10.126.99.0/24
>>>         rightid=@ipsecgw.theirsdomanin.theirscountry
>>>         auto=add
>>>
>>>
>>> ipsec.secrets
>>> #
>>> # ipsec.secrets
>>> #
>>> # This file holds the RSA private keys or the PSK preshared secrets for
>>> # the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
>>> #
>>> @vrtappmi02.mydomain.mycountry @ipsecgw.theirsdomanin.theirscountry : PSK "thisisthescrambledkey"
>>>
>>>
>>>
>>> strongswan.conf
>>>
>>> pluto {
>>> #load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
>>> # load = aes des sha1 md5 sha2 hmac gmp random pubkey
>>> # load = sha1 sha2 md5 aes des hmac gmp random pubkey
>>> }
>>>
>>> # pluto uses optimized DH exponent sizes (RFC 3526)
>>> libstrongswan {
>>>   dh_exponent_ansi_x9_42 = no
>>> }
>>>
>>>
>>>
>>> when I start ipsec I can read this in messages log:
>>>
>>> Mar  2 14:18:53 vrtappmi02 ipsec_starter[3722]: Starting strongSwan 4.5.1 IPsec [starter]...
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: Starting IKEv1 pluto daemon (strongSwan 4.5.1) THREADS VENDORID
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: listening on interfaces:
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]:   eth0
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]:     <my public ip address here scrambled>
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]:     fe80::20c:29ff:fe23:4272
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]:   eth1
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]:     192.168.2.225
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]:     fe80::20c:29ff:fe23:427c
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]:   including NAT-Traversal patch (Version 0.6c) [disabled]
>>> Mar  2 14:18:53 vrtappmi02 ipsec_starter[3730]: pluto (3731) started after 20 ms
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: loading ca certificates from '/etc/ipsec.d/cacerts'
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: loading aa certificates from '/etc/ipsec.d/aacerts'
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: Changing to directory '/etc/ipsec.d/crls'
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: loading attribute certificates from '/etc/ipsec.d/acerts'
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: spawning 4 worker threads
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | inserting event EVENT_LOG_DAILY, timeout in 34867 seconds
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: |
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | *received whack message
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: listening for IKE messages
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 127.0.0.1
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 127.0.0.2
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | found eth0 with address <my public ip address here scrambled>
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | found eth1 with address 192.168.2.225
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: adding interface eth1/eth1 192.168.2.225:500
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: adding interface eth0/eth0 <my public ip address here scrambled>:500
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo 127.0.0.2:500
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo 127.0.0.1:500
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo ::1:500
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: loading secrets from "/etc/ipsec.secrets"
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]:   loaded PSK secret for vrtappmi02.mydomain.mycountry ipsecgw.ipsecgw.theirsdomanin.theirscountry
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: |
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | *received whack message
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | from whack: got --esp=aes128-sha1,3des-sha1
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: added connection description "net-net"
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | 192.168.2.0/24===<my public ip address here scrambled>[vrtappmi02.mydomain.mycountry]...<theirs public ip address here scrambled>[ipsecgw.theirsdomanin.theirscountry]===10.126.99.0/24
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1; policy: PSK+ENCRYPT+TUNNEL+PFS
>>> Mar  2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds
>>>
>>>
>>>
>>> ipsec statusall shows:
>>>
>>> 000 Status of IKEv1 pluto daemon (strongSwan 4.5.1):
>>> 000 interface lo/lo ::1:500
>>> 000 interface lo/lo 127.0.0.1:500
>>> 000 interface lo/lo 127.0.0.2:500
>>> 000 interface eth0/eth0 <my public ip address here scrambled>:500
>>> 000 interface eth1/eth1 192.168.2.225:500
>>> 000 %myid = '%any'
>>> 000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
>>> 000 debug options: control
>>> 000
>>> 000 "net-net": 192.168.2.0/24===<my public ip address here scrambled>[vrtappmi02.mydomain.mycountry]...<theirs public ip address here scrambled>[ipsecgw.theirsdomain.theirscountry]===10.126.99.0/24; unrouted; eroute owner: #0
>>> 000 "net-net":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
>>> 000 "net-net":   policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth0;
>>> 000 "net-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
>>> 000
>>>
>>>
>>> comparing with the ipsec statusall shown in the test scenario on the
>>> site, the last part is missing, but I think the problem is that NO
>>> packets are transmitted, no IKE proposed.
>>>
>>> What can I check?
>>>
>>> thanks in advance,
>>> Andrea

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
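The thread turns on two things a practitioner has to read correctly: what the `auto=` setting of a conn in ipsec.conf commits the daemon to (Andreas's explanation of `add`, `start` and `route`), and what a line such as `#2: "net-net" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 37s` in `ipsec statusall` says about how far IKEv1 got. The checker below is an added example written for this page, not code from the thread or from strongSwan: it parses a constructed ipsec.conf (folding `conn %default` into each conn), parses a constructed `ipsec statusall` excerpt modelled on the one quoted above, and reports per connection whether it was never started, is stuck in Phase 1 (Main/Aggressive Mode states) or Phase 2 (Quick Mode states), or is up. The addresses and host names in the samples are documentation values chosen for the example, and the wording of the `diagnose` findings is the editor's reading of those states, not strongSwan output.

```python
# Added example (not from the thread or strongSwan): read an ipsec.conf and an
# `ipsec statusall` dump from the IKEv1 pluto daemon and explain each connection's state.
import re

# Constructed ipsec.conf modelled on the one posted in the thread (documentation addresses).
SAMPLE_CONF = """\
config setup
        plutodebug=control
        charonstart=no

conn %default
        ikelifetime=60m
        keylife=20m
        keyexchange=ikev1
        authby=secret

conn net-net
        left=203.0.113.10
        leftsubnet=192.168.2.0/24
        right=198.51.100.20
        rightsubnet=10.126.99.0/24
        auto=add
"""

# Constructed `ipsec statusall` excerpt modelled on the second one quoted in the thread.
SAMPLE_STATUS = """\
000 Status of IKEv1 pluto daemon (strongSwan 4.5.1):
000 "net-net": 192.168.2.0/24===203.0.113.10[@left.example]...198.51.100.20[@right.example]===10.126.99.0/24; unrouted; eroute owner: #0
000 "net-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #2: "net-net" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 37s
000 #2: pending Phase 2 for "net-net" replacing #0
000
"""

SA_RE = re.compile(r'^000 #(\d+): "([^"]+)" (STATE_\w+) \(([^)]*)\)(?:; (EVENT_\w+) in (\d+)s)?')
ROUTE_RE = re.compile(r'^000 "([^"]+)": .*; (unrouted|routed|erouted|prospective erouted); eroute owner: #(\d+)')

# pluto state names in which the exchange is complete on this side.
PHASE1_DONE = {"STATE_MAIN_I4", "STATE_MAIN_R3", "STATE_AGGR_I2", "STATE_AGGR_R2"}
PHASE2_DONE = {"STATE_QUICK_I2", "STATE_QUICK_R2"}


def parse_ipsec_conf(text):
    """Return {conn_name: options} with the 'conn %default' options folded into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing blanks
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented: 'conn NAME' or 'config setup'
            current = sections.setdefault(line.strip(), {})
            continue
        key, _, value = line.strip().partition("=")
        if current is not None:
            current[key.strip()] = value.strip()
    default = sections.get("conn %default", {})
    return {name[5:]: {**default, **opts} for name, opts in sections.items()
            if name.startswith("conn ") and name != "conn %default"}


def parse_statusall(text):
    """Return (routes, sas): conn -> kernel policy state, and the list of live SA lines."""
    routes, sas = {}, []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes[m.group(1)] = m.group(2)
            continue
        m = SA_RE.match(line)
        if m:
            num, conn, state, detail, event, secs = m.groups()
            sas.append({"num": int(num), "conn": conn, "state": state, "detail": detail,
                        "event": event, "secs": int(secs) if secs else None})
    return routes, sas


def phase_of(state):
    """IKEv1 phase of a pluto state name: Main/Aggressive Mode is Phase 1, Quick Mode is Phase 2."""
    if state.startswith(("STATE_MAIN_", "STATE_AGGR_")):
        return 1
    if state.startswith("STATE_QUICK_"):
        return 2
    return None


def diagnose(conns, status, conn):
    """Explain, for one connection, why there is no tunnel yet (empty list if every SA is up)."""
    routes, sas = status
    auto = conns[conn].get("auto", "ignore")
    mine = [sa for sa in sas if sa["conn"] == conn]
    findings = []
    if not mine:                                  # nothing negotiated: auto= decides why
        if auto == "add":
            findings.append("loaded but not started (auto=add): run 'ipsec up %s'" % conn)
        elif auto == "route":
            findings.append("policy only (auto=route, %s): first matching packet will trigger IKE"
                            % routes.get(conn, "unknown"))
        elif auto == "start":
            findings.append("auto=start but no SA left: the attempt failed, read the pluto log")
        return findings
    for sa in mine:
        phase = phase_of(sa["state"])
        if sa["state"] in (PHASE1_DONE if phase == 1 else PHASE2_DONE):
            continue
        msg = "#%d: Phase %s not established, %s (%s)" % (sa["num"], phase, sa["state"], sa["detail"])
        if sa["event"] == "EVENT_RETRANSMIT":     # our last message was never acceptably answered
            msg += ("; retransmitting, so no valid reply from the peer yet "
                    "(check UDP/500 reachability and that IDs and PSK match on both sides)")
        findings.append(msg)
    return findings


if __name__ == "__main__":
    conns = parse_ipsec_conf(SAMPLE_CONF)
    for finding in diagnose(conns, parse_statusall(SAMPLE_STATUS), "net-net"):
        print(finding)
```

Run against the constructed sample, the checker reports that SA #2 is still in Phase 1 and retransmitting: with `EVENT_RETRANSMIT` pending on `STATE_MAIN_I3`, the initiator's third Main Mode message has gone out but nothing usable has come back, which is the situation to investigate before looking at Phase 2 at all. Feeding it a dump with no SA lines and `auto=add` yields the other case from the thread, a connection that is merely loaded and waits for `ipsec up`.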

