[strongSwan] R: R: ikev1-net2net-psk help
Andrea Lanza
andrea.lanza at frameweb.it
Wed Mar 2 16:32:27 CET 2011
Maybe the problem is in the name: we are presenting as a name,
and the peer gateway expects another name (or an address, I didn't understand),
so they are checking this possibility by modifying their setup.
I will let you (and the list) know as early as I can.
Thanks again,
Andrea
> -----Original message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Wednesday, 2 March 2011 16:22
> To: Andrea Lanza
> Cc: 'users at lists.strongswan.org'
> Subject: Re: R: [strongSwan] ikev1-net2net-psk help
>
> Yes, without this output I cannot make any diagnosis.
>
> Regards
>
> Andreas
>
> On 02.03.2011 16:20, Andrea Lanza wrote:
> > thanks for your answer
> >
> > we discovered it by ourselves, but now the scenario changed:
> >
> > ike phase 1 is ok
> >
> > phase 2 hangs:
> >
> > now we have:
> >
> > ipsec.conf
> > config setup
> >     plutodebug=all
> >     charonstart=no
> >
> > conn %default
> >     ikelifetime=60m
> >     keylife=20m
> >     rekeymargin=3m
> >     keyingtries=1
> >     keyexchange=ikev1
> >     authby=secret
> >
> > conn net-net
> >     authby=psk
> >     keyexchange=ikev1
> >     left=...
> >     leftsubnet=192.168.2.0/24
> >     leftid=@vrtappmi02.....
> >     leftfirewall=yes
> >     right=....
> >     rightsubnet=10.126.99.0/24
> >     rightid=@ipsecgw.....
> >     ike=3des-sha1-modp1024
> >     compress=no
> >     auto=start
> >     pfs=no
> >     esp=3des-sha1-modp1024
> >
> >
> > ipsec statusall:
> >
> > 000
> > 000 #2: "net-net" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 37s
> > 000 #2: pending Phase 2 for "net-net" replacing #0
> > 000
> >
> >
> > debug shows a lot of messages exchanged by the gateways, but they
> > contain "sensible" data, I think...
> >
> > maybe I can send that output separately, if you think it can be
> > useful
> >
> > Andrea
> >
> >
> >
> >
> >> -----Original message-----
> >> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> >> Sent: Wednesday, 2 March 2011 16:08
> >> To: Andrea Lanza
> >> Cc: 'users at lists.strongswan.org'
> >> Subject: Re: [strongSwan] ikev1-net2net-psk help
> >>
> >> Hello Andrea,
> >>
> >> if you define auto=add then you must explicitly start the
> >> IKE negotiation with the command
> >>
> >> ipsec up net-net
> >>
> >> Only if you define auto=start, the connection setup takes
> >> place automatically with
> >>
> >> ipsec start
> >>
> >> A third possibility would be to install an IPsec policy
> >> in the kernel with auto=route. The first packet destined
> >> for the tunnel will then trigger the IKE negotiation.
> >>
> >> Regards
> >>
> >> Andreas
> >>
> >> On 02.03.2011 14:37, Andrea Lanza wrote:
> >>> Hi all,
> >>> I am absolutely new to strongSwan.
> >>>
> >>> I have to set up a scenario in which 2 separate private networks are
> >>> connected via the internet with IPsec.
> >>>
> >>> The scenario is exactly the one described in Test ikev1/net2net-psk
> >>>
> >>> http://www.strongswan.org/uml/testresults/ikev1/net2net-psk/
> >>>
> >>> I control only the left side, the right side being administered by
> >>> another company, which uses hw devices.
> >>>
> >>> The problem I am facing is this: absolutely no packets exit from my
> >>> gateway towards the other gateway!
> >>>
> >>> I saw this using iptables log packet on outgoing packets, and also on
> >>> the remote gateway not receiving any packets.
> >>>
> >>> I was using opensuse 11.3 and openvpn 4.4 (bundled in opensuse 11.3)
> >>>
> >>> Then I uninstalled and downloaded and compiled the 4.5.1 version:
> >>> no changes, no errors are detected.
> >>> Everything seems to be very fine, PSK is loaded... but no packets
> >>> come out of my box...!
> >>>
> >>>
> >>> here is my setup:
> >>>
> >>> ipsec.conf
> >>>
> >>> # ipsec.conf - strongSwan IPsec configuration file
> >>>
> >>> config setup
> >>>     plutodebug=control
> >>>     charonstart=no
> >>>
> >>> conn %default
> >>>     ikelifetime=60m
> >>>     keylife=20m
> >>>     rekeymargin=3m
> >>>     keyingtries=1
> >>>     keyexchange=ikev1
> >>>     authby=secret
> >>>
> >>> conn net-net
> >>>     left=<my public ip address here scrambled>
> >>>     leftsubnet=192.168.2.0/24
> >>>     leftid=@vrtappmi02.mydomain.mycountry
> >>>     leftfirewall=yes
> >>>     right=<theirs public ip address here scrambled>
> >>>     rightsubnet=10.126.99.0/24
> >>>     rightid=@ipsecgw.theirsdomanin.theirscountry
> >>>     auto=add
> >>>
> >>>
> >>> ipsec.secrets
> >>> #
> >>> # ipsec.secrets
> >>> #
> >>> # This file holds the RSA private keys or the PSK preshared secrets for
> >>> # the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
> >>> #
> >>> @vrtappmi02.mydomain.mycountry @ipsecgw.theirsdomanin.theirscountry : PSK "thisisthescrambledkey"
> >>>
> >>>
> >>> strongswan.conf
> >>>
> >>> pluto {
> >>>     #load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
> >>>     # load = aes des sha1 md5 sha2 hmac gmp random pubkey
> >>>     # load = sha1 sha2 md5 aes des hmac gmp random pubkey
> >>> }
> >>>
> >>> # pluto uses optimized DH exponent sizes (RFC 3526)
> >>> libstrongswan {
> >>>     dh_exponent_ansi_x9_42 = no
> >>> }
> >>>
> >>>
> >>>
> >>> when I start ipsec I can read this in the messages log:
> >>>
> >>> Mar 2 14:18:53 vrtappmi02 ipsec_starter[3722]: Starting strongSwan 4.5.1 IPsec [starter]...
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: Starting IKEv1 pluto daemon (strongSwan 4.5.1) THREADS VENDORID
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: listening on interfaces:
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: eth0
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: <my public ip address here scrambled>
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: fe80::20c:29ff:fe23:4272
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: eth1
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: 192.168.2.225
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: fe80::20c:29ff:fe23:427c
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: including NAT-Traversal patch (Version 0.6c) [disabled]
> >>> Mar 2 14:18:53 vrtappmi02 ipsec_starter[3730]: pluto (3731) started after 20 ms
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading ca certificates from '/etc/ipsec.d/cacerts'
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading aa certificates from '/etc/ipsec.d/aacerts'
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: Changing to directory '/etc/ipsec.d/crls'
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading attribute certificates from '/etc/ipsec.d/acerts'
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: spawning 4 worker threads
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | inserting event EVENT_LOG_DAILY, timeout in 34867 seconds
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: |
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | *received whack message
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: listening for IKE messages
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 127.0.0.1
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 127.0.0.2
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found eth0 with address <my public ip address here scrambled>
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found eth1 with address 192.168.2.225
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface eth1/eth1 192.168.2.225:500
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface eth0/eth0 <my public ip address here scrambled>:500
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo 127.0.0.2:500
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo 127.0.0.1:500
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo ::1:500
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading secrets from "/etc/ipsec.secrets"
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loaded PSK secret for vrtappmi02.mydomain.mycountry ipsecgw.ipsecgw.theirsdomanin.theirscountry
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: |
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | *received whack message
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | from whack: got --esp=aes128-sha1,3des-sha1
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: added connection description "net-net"
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | 192.168.2.0/24===<my public ip address here scrambled>[vrtappmi02.mydomain.mycountry]...<theirs public ip address here scrambled>[ipsecgw.theirsdomanin.theirscountry]===10.126.99.0/24
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1; policy: PSK+ENCRYPT+TUNNEL+PFS
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds
> >>>
> >>>
> >>> ipsec statusall shows:
> >>>
> >>> 000 Status of IKEv1 pluto daemon (strongSwan 4.5.1):
> >>> 000 interface lo/lo ::1:500
> >>> 000 interface lo/lo 127.0.0.1:500
> >>> 000 interface lo/lo 127.0.0.2:500
> >>> 000 interface eth0/eth0 <my public ip address here scrambled>:500
> >>> 000 interface eth1/eth1 192.168.2.225:500
> >>> 000 %myid = '%any'
> >>> 000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
> >>> 000 debug options: control
> >>> 000
> >>> 000 "net-net": 192.168.2.0/24===<my public ip address here scrambled>[vrtappmi02.mydomain.mycountry]...<theirs public ip address here scrambled>[ipsecgw.theirsdomain.theirscountry]===10.126.99.0/24; unrouted; eroute owner: #0
> >>> 000 "net-net": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
> >>> 000 "net-net": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth0;
> >>> 000 "net-net": newest ISAKMP SA: #0; newest IPsec SA: #0;
> >>> 000
> >>>
> >>>
> >>> comparing with the ipsec statusall shown in the test scenario on the
> >>> site, the last part is missing, but I think the problem is that NO
> >>> packets are transmitted, no IKE proposed.
> >>>
> >>> What can I check?
> >>>
> >>> thanks in advance,
> >>> Andrea
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
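The thread turns on three things: how a conn gets started (Andreas's explanation of auto=add, auto=start and auto=route), whether ipsec.secrets really carries a PSK indexed by the conn's leftid/rightid pair (Andrea's closing suspicion about the name), and what the STATE_MAIN_I3 line in ipsec statusall means. The script below is an added example, not part of the thread and not strongSwan project code; it checks all three against constructed sample input modelled on Andrea's scrambled configuration. The hostnames, the documentation-range IP addresses, the conn name and the secret are placeholders.

```python
"""Consistency checks for a strongSwan 4.x IKEv1 (pluto) PSK net-to-net setup.
Added example, not strongSwan project code: it reports how a conn is brought up
(auto=), whether ipsec.secrets indexes a PSK by the conn's leftid/rightid pair,
and what an `ipsec statusall` SA line means. Samples at the bottom are constructed."""
import re

# auto= values per ipsec.conf(5) (default is ignore), as explained in the thread.
AUTO_MODES = {
    "add": "loaded only; start it by hand with 'ipsec up <conn>'",
    "start": "negotiated automatically when the daemon starts ('ipsec start')",
    "route": "trap policy installed in the kernel; the first matching packet triggers IKE",
    "ignore": "connection is ignored",
}
# pluto initiator states: Main Mode is Phase 1, Quick Mode is Phase 2.
STATE_MEANING = {
    "STATE_MAIN_I3": "Phase 1: sent MI3 (first encrypted message, ID + HASH), waiting for MR3; "
                     "a stall here usually means the peer rejected our ID or the PSKs differ, "
                     "and many peers answer that with silence, hence the retransmits",
    "STATE_MAIN_I4": "Phase 1 complete: ISAKMP SA established",
    "STATE_QUICK_I1": "Phase 2: Quick Mode proposal sent, waiting for reply",
    "STATE_QUICK_I2": "Phase 2 complete: IPsec SA established",
}
SECRET_RE = re.compile(r"^(?:(.*?)\s+)?:\s+([A-Z0-9]+)(?:\s|$)")
STATUS_RE = re.compile(r'^000 #(\d+): "([^"]+)" (STATE_\w+) \((.*?)\);(?:\s+(\w+) in (\d+)s)?')

def parse_ipsec_conf(text):
    """{conn: params}: unindented section headers, indented key=value lines,
    '#' comments; 'conn %default' is merged into every other conn as pluto does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(" ")
            current = (kind, name.strip())
            sections[current] = {}
        elif current and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **params} for (kind, name), params in sections.items()
            if kind == "conn" and name != "%default"}

def parse_ipsec_secrets(text):
    """[(indices, kind)] per '<indices> : KIND ...' entry; the '@' of FQDN indices
    is dropped, matching pluto's 'loaded PSK secret for' log line."""
    entries = []
    for line in (ln.strip() for ln in text.splitlines()):
        m = SECRET_RE.match(line) if line and not line.startswith("#") else None
        if m:
            entries.append((frozenset(i.lstrip("@") for i in (m.group(1) or "").split()), m.group(2)))
    return entries

def check_psk_ids(conns, secrets):
    """PSK-authenticated conns whose leftid/rightid pair no PSK entry indexes
    (an entry with no indices, or with %any, is a wildcard)."""
    problems = []
    for name, c in conns.items():
        if c.get("authby") not in ("secret", "psk"):
            continue
        ids = {c.get(side, "").lstrip("@") for side in ("leftid", "rightid")} - {""}
        if not any(kind == "PSK" and (not idx or "%any" in idx or ids <= idx) for idx, kind in secrets):
            problems.append(f"{name}: no PSK in ipsec.secrets indexed by {sorted(ids)}")
    return problems

def describe_auto(conns):
    """How each conn will be brought up, per its auto= setting."""
    return {n: AUTO_MODES.get(c.get("auto", "ignore"), "unknown auto= value") for n, c in conns.items()}

def parse_status_line(line):
    """Decode one '000 #N: "conn" STATE_... (...)' line of ipsec statusall, else None."""
    m = STATUS_RE.match(line.strip())
    if not m:
        return None
    sa, conn, state, detail, event, secs = m.groups()
    return {"sa": int(sa), "conn": conn, "state": state, "detail": detail, "pending_event": event,
            "in_seconds": int(secs) if secs else None,
            "phase1_done": state in {"STATE_MAIN_I4", "STATE_QUICK_I1", "STATE_QUICK_I2"},
            "meaning": STATE_MEANING.get(state, "unknown state")}

# Constructed samples modelled on the thread (placeholder hostnames, IPs and secret).
SAMPLE_CONF = """\
conn %default
    authby=secret

conn net-net
    left=203.0.113.10
    leftsubnet=192.168.2.0/24
    leftid=@gw-left.example.test
    right=198.51.100.20
    rightsubnet=10.126.99.0/24
    rightid=@gw-right.example.test
    auto=add
"""
SAMPLE_SECRETS_BAD = '@gw-left.example.test @gw-right.example.tset : PSK "dummy"\n'  # typo in 2nd index
SAMPLE_SECRETS_GOOD = '@gw-left.example.test @gw-right.example.test : PSK "dummy"\n'
SAMPLE_STATUS = '000 #2: "net-net" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 37s'

if __name__ == "__main__":
    conns = parse_ipsec_conf(SAMPLE_CONF)
    print(describe_auto(conns))
    for text in (SAMPLE_SECRETS_BAD, SAMPLE_SECRETS_GOOD):
        print(check_psk_ids(conns, parse_ipsec_secrets(text)) or "PSK ids OK")
    st = parse_status_line(SAMPLE_STATUS)
    print(f"#{st['sa']} {st['conn']} {st['state']}: {st['meaning']}")
```

Run as-is it reports that net-net is only loaded (auto=add, so it needs `ipsec up net-net`), that the first secrets file cannot authenticate the conn because its second index does not match rightid, and that SA #2 is still in Main Mode, so Phase 1 has not completed. STATE_MEANING covers only pluto's initiator states; responder-side states such as STATE_MAIN_R* come back as "unknown state".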