[strongSwan] Strongswan - no tunnel, but no errors in log either :(

Meera Sudhakar mira.sudhakar at gmail.com
Mon May 9 12:45:52 CEST 2011


Hi,

I have a very peculiar problem. My endpoints can ping each other, but for
some reason, the tunnel is not getting established. There are no error
messages in the log file. Please find the relevant details below. Can
someone please help me solve this problem? My strongswan version is 4.4.0.

PS: this used to work fine till someone played around with my config files,
trying to understand how to use strongswan.

Thanks,
Meera

*Peer 1 can ping peer 2:*
root at vc1:~# ping 10.58.113.118
PING 10.58.113.118 (10.58.113.118) 56(84) bytes of data.
64 bytes from 10.58.113.118: icmp_req=1 ttl=63 time=10.6 ms
64 bytes from 10.58.113.118: icmp_req=2 ttl=63 time=0.297 ms
^C
--- 10.58.113.118 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.297/5.492/10.688/5.196 ms
*Peer 2 can ping peer 1:*
root at vc2:~# ping 10.58.113.37
PING 10.58.113.37 (10.58.113.37) 56(84) bytes of data.
64 bytes from 10.58.113.37: icmp_req=1 ttl=63 time=0.356 ms
64 bytes from 10.58.113.37: icmp_req=2 ttl=63 time=0.283 ms
^C
--- 10.58.113.37 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.283/0.319/0.356/0.040 ms
*ipsec.conf on peer 1:*
root at vc1:~# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        # plutodebug=all
        # crlcheckinterval=600
        strictcrlpolicy=no
        # cachecrls=yes
        # nat_traversal=yes
        charonstart=yes
        charondebug=all
        plutostart=no
# Add connections here.
# Sample VPN connections
#conn sample-self-signed
#      left=%defaultroute
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start
ca strongswan
        cacert=caCert.der
        auto=add
conn sample-with-ca-cert
      left=10.58.113.37
      leftsubnet=10.58.113.0/24
      leftcert=VC1Cert.der
      right=10.58.113.118
      rightsubnet=10.58.113.0/24
      rightid="C=CH, O=strongSwan, CN=10.58.113.118"
      keyexchange=ikev2
      auto=add
*ipsec.conf on peer 2:*
root at vc2:~# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        # plutodebug=all
        # crlcheckinterval=600
         strictcrlpolicy=no
        # cachecrls=yes
        # nat_traversal=yes
        charonstart=yes
        plutostart=no
        charondebug=all
# Add connections here.
# Sample VPN connections
#conn sample-self-signed
#      left=%defaultroute
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start
ca strongswan
        cacert=caCert.der
        auto=add
conn sample-with-ca-cert
      left=10.58.113.118
      leftsubnet=10.58.113.0/24
      leftcert=VC2Cert.der
      right=10.58.113.37
      rightsubnet=10.58.113.0/24
      rightid="C=CH, O=strongSwan, CN=10.58.113.37"
      keyexchange=ikev2
      auto=start

*Log file on peer 1:*
May  9 23:11:23 vc1 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan
4.4.0)
May  9 23:11:23 vc1 charon: 00[KNL] listening on interfaces:
May  9 23:11:23 vc1 charon: 00[KNL]   eth2
May  9 23:11:23 vc1 charon: 00[KNL]     10.58.113.37
May  9 23:11:23 vc1 charon: 00[KNL]     fe80::21f:29ff:fe69:70ae
May  9 23:11:23 vc1 charon: 00[KNL]   ethvc1
May  9 23:11:23 vc1 charon: 00[KNL]     10.58.113.60
May  9 23:11:23 vc1 charon: 00[KNL]     fe80::4824:96ff:fe30:e7ba
May  9 23:11:23 vc1 charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
May  9 23:11:23 vc1 charon: 00[CFG]   loaded ca certificate "C=CH,
O=strongSwan, CN=strongSwan CA" from '/etc/ipsec.d/cacerts/caCert.der'
May  9 23:11:23 vc1 charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
May  9 23:11:23 vc1 charon: 00[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'
May  9 23:11:23 vc1 charon: 00[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
May  9 23:11:23 vc1 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May  9 23:11:23 vc1 charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
May  9 23:11:23 vc1 charon: 00[CFG]   loaded RSA private key from
'/etc/ipsec.d/private/VC1Key.der'
May  9 23:11:23 vc1 charon: 00[CFG] expanding file expression
'/var/lib/strongswan/ipsec.secrets.inc' failed
May  9 23:11:23 vc1 charon: 00[DMN] loaded plugins: curl ldap aes des sha1
sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl fips-prf xcbc hmac
agent gmp attr kernel-netlink socket-default farp stroke updown eap-identity
eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp resolve
May  9 23:11:23 vc1 charon: 00[JOB] spawning 16 worker threads
May  9 23:11:23 vc1 charon: 09[CFG] received stroke: add ca 'strongswan'
May  9 23:11:23 vc1 charon: 09[CFG] added ca 'strongswan'
May  9 23:11:23 vc1 charon: 10[CFG] received stroke: add connection
'sample-with-ca-cert'
May  9 23:11:23 vc1 charon: 10[CFG]   loaded certificate "C=CH,
O=strongSwan, CN=10.58.113.37" from 'VC1Cert.der'
May  9 23:11:23 vc1 charon: 10[CFG]   id '10.58.113.37' not confirmed by
certificate, defaulting to 'C=CH, O=strongSwan, CN=10.58.113.37'
May  9 23:11:23 vc1 charon: 10[CFG] added configuration
'sample-with-ca-cert'
May  9 23:11:25 vc1 charon: 12[NET] received packet: from 10.58.113.118[500]
to 10.58.113.37[500]
May  9 23:11:25 vc1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) ]
May  9 23:11:25 vc1 charon: 12[IKE] 10.58.113.118 is initiating an IKE_SA
May  9 23:11:26 vc1 charon: 12[IKE] sending cert request for "C=CH,
O=strongSwan, CN=strongSwan CA"
May  9 23:11:26 vc1 charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May  9 23:11:26 vc1 charon: 12[NET] sending packet: from 10.58.113.37[500]
to 10.58.113.118[500]
May  9 23:11:55 vc1 charon: 13[JOB] deleting half open IKE_SA after timeout

*Log file on peer 2:*
May  9 23:11:25 vc2 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan
4.4.0)
May  9 23:11:25 vc2 charon: 00[KNL] listening on interfaces:
May  9 23:11:25 vc2 charon: 00[KNL]   eth3
May  9 23:11:25 vc2 charon: 00[KNL]     10.58.113.118
May  9 23:11:25 vc2 charon: 00[KNL]     fe80::21f:29ff:fe69:28
May  9 23:11:25 vc2 charon: 00[KNL]   ethvc2
May  9 23:11:25 vc2 charon: 00[KNL]     10.58.113.101
May  9 23:11:25 vc2 charon: 00[KNL]     fe80::fcd1:15ff:feba:76c8
May  9 23:11:25 vc2 charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
May  9 23:11:25 vc2 charon: 00[CFG]   loaded ca certificate "C=CH,
O=strongSwan, CN=strongSwan CA" from '/etc/ipsec.d/cacerts/caCert.der'
May  9 23:11:25 vc2 charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
May  9 23:11:25 vc2 charon: 00[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'
May  9 23:11:25 vc2 charon: 00[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
May  9 23:11:25 vc2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May  9 23:11:25 vc2 charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
May  9 23:11:25 vc2 charon: 00[CFG]   loaded RSA private key from
'/etc/ipsec.d/private/VC2Key.der'
May  9 23:11:25 vc2 charon: 00[CFG] expanding file expression
'/var/lib/strongswan/ipsec.secrets.inc' failed
May  9 23:11:25 vc2 charon: 00[DMN] loaded plugins: curl ldap aes des sha1
sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl fips-prf xcbc hmac
agent gmp attr kernel-netlink socket-default farp stroke updown eap-identity
eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp resolve
May  9 23:11:25 vc2 charon: 00[JOB] spawning 16 worker threads
May  9 23:11:25 vc2 charon: 05[CFG] received stroke: add ca 'strongswan'
May  9 23:11:25 vc2 charon: 05[CFG] added ca 'strongswan'
May  9 23:11:25 vc2 charon: 11[CFG] received stroke: add connection
'sample-with-ca-cert'
May  9 23:11:25 vc2 charon: 11[CFG]   loaded certificate "C=CH,
O=strongSwan, CN=10.58.113.118" from 'VC2Cert.der'
May  9 23:11:25 vc2 charon: 11[CFG]   id '10.58.113.118' not confirmed by
certificate, defaulting to 'C=CH, O=strongSwan, CN=10.58.113.118'
May  9 23:11:25 vc2 charon: 11[CFG] added configuration
'sample-with-ca-cert'
May  9 23:11:25 vc2 charon: 14[CFG] received stroke: initiate
'sample-with-ca-cert'
May  9 23:11:25 vc2 charon: 14[IKE] initiating IKE_SA sample-with-ca-cert[1]
to 10.58.113.37
May  9 23:11:25 vc2 charon: 14[ENC] generating IKE_SA_INIT request 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) ]
May  9 23:11:25 vc2 charon: 14[NET] sending packet: from 10.58.113.118[500]
to 10.58.113.37[500]
May  9 23:11:26 vc2 charon: 15[NET] received packet: from 10.58.113.37[500]
to 10.58.113.118[500]
May  9 23:11:26 vc2 charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May  9 23:11:26 vc2 charon: 15[IKE] received cert request for "C=CH,
O=strongSwan, CN=strongSwan CA"
May  9 23:11:26 vc2 charon: 15[IKE] sending cert request for "C=CH,
O=strongSwan, CN=strongSwan CA"
May  9 23:11:26 vc2 charon: 15[IKE] authentication of 'C=CH, O=strongSwan,
CN=10.58.113.118' (myself) with RSA signature successful
May  9 23:11:26 vc2 charon: 15[IKE] sending end entity cert "C=CH,
O=strongSwan, CN=10.58.113.118"
May  9 23:11:26 vc2 charon: 15[IKE] establishing CHILD_SA
sample-with-ca-cert
May  9 23:11:26 vc2 charon: 15[ENC] generating IKE_AUTH request 1 [ IDi CERT
CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH)
N(EAP_ONLY) ]
May  9 23:11:26 vc2 charon: 15[NET] sending packet: from 10.58.113.118[4500]
to 10.58.113.37[4500]
May  9 23:11:30 vc2 charon: 09[IKE] retransmit 1 of request with message ID
1
May  9 23:11:30 vc2 charon: 09[NET] sending packet: from 10.58.113.118[4500]
to 10.58.113.37[4500]
May  9 23:11:37 vc2 charon: 05[IKE] retransmit 2 of request with message ID
1
May  9 23:11:37 vc2 charon: 05[NET] sending packet: from 10.58.113.118[4500]
to 10.58.113.37[4500]
May  9 23:11:50 vc2 charon: 12[IKE] retransmit 3 of request with message ID
1
May  9 23:11:50 vc2 charon: 12[NET] sending packet: from 10.58.113.118[4500]
to 10.58.113.37[4500]
May  9 23:12:13 vc2 charon: 11[IKE] retransmit 4 of request with message ID
1
May  9 23:12:13 vc2 charon: 11[NET] sending packet: from 10.58.113.118[4500]
to 10.58.113.37[4500]
May  9 23:12:55 vc2 charon: 13[IKE] retransmit 5 of request with message ID
1
May  9 23:12:55 vc2 charon: 13[NET] sending packet: from 10.58.113.118[4500]
to 10.58.113.37[4500]
May  9 23:14:11 vc2 charon: 16[KNL] creating delete job for ESP CHILD_SA
with SPI c5a05f90 and reqid {1}
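A small log triage script, added here as an example and not part of the original post or of strongSwan itself: it parses charon syslog lines of the shape shown above (re-joining lines that the mail client wrapped), tracks which IKEv2 exchanges each side logged and which UDP ports replies arrived from, and reports the two patterns visible in these logs: a responder that answers IKE_SA_INIT and then deletes its half-open IKE_SA without ever parsing an IKE_AUTH, and an initiator whose IKE_AUTH on UDP/4500 is retransmitted with no reply. The two sample excerpts are constructed to mirror the vc1 and vc2 logs in the post; the finding texts are this script's heuristics, not strongSwan's own diagnostics.

```python
import re

# Constructed sample excerpts modelled on the two charon logs in the post
# above (same message shapes, including lines wrapped by the mail client).
RESPONDER_LOG = """\
May  9 23:11:25 vc1 charon: 12[NET] received packet: from 10.58.113.118[500]
to 10.58.113.37[500]
May  9 23:11:25 vc1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) ]
May  9 23:11:25 vc1 charon: 12[IKE] 10.58.113.118 is initiating an IKE_SA
May  9 23:11:26 vc1 charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May  9 23:11:26 vc1 charon: 12[NET] sending packet: from 10.58.113.37[500]
to 10.58.113.118[500]
May  9 23:11:55 vc1 charon: 13[JOB] deleting half open IKE_SA after timeout
"""

INITIATOR_LOG = """\
May  9 23:11:25 vc2 charon: 14[ENC] generating IKE_SA_INIT request 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) ]
May  9 23:11:25 vc2 charon: 14[NET] sending packet: from 10.58.113.118[500]
to 10.58.113.37[500]
May  9 23:11:26 vc2 charon: 15[NET] received packet: from 10.58.113.37[500]
to 10.58.113.118[500]
May  9 23:11:26 vc2 charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May  9 23:11:26 vc2 charon: 15[ENC] generating IKE_AUTH request 1 [ IDi CERT
CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH)
N(EAP_ONLY) ]
May  9 23:11:26 vc2 charon: 15[NET] sending packet: from 10.58.113.118[4500]
to 10.58.113.37[4500]
May  9 23:11:30 vc2 charon: 09[IKE] retransmit 1 of request with message ID
1
May  9 23:11:30 vc2 charon: 09[NET] sending packet: from 10.58.113.118[4500]
to 10.58.113.37[4500]
May  9 23:11:37 vc2 charon: 05[IKE] retransmit 2 of request with message ID
1
May  9 23:11:37 vc2 charon: 05[NET] sending packet: from 10.58.113.118[4500]
to 10.58.113.37[4500]
"""

# "May  9 23:11:25 vc1 charon: 12[NET] <message>"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) charon: '
    r'(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$')
# "sending packet: from A[port] to B[port]" / "received packet: from ..."
PACKET_RE = re.compile(
    r'(sending|received) packet: from ([^\[\s]+)\[(\d+)\] to ([^\[\s]+)\[(\d+)\]')


def parse_log(text):
    """Parse a charon syslog excerpt into event dicts.

    Lines that do not start like a syslog entry are treated as continuations
    (mail clients wrap long log lines) and glued onto the previous message.
    """
    events = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        elif events:
            events[-1]['msg'] += ' ' + line.strip()
    return events


def analyze(text):
    """Summarise one peer's IKEv2 handshake attempt and flag stalled patterns."""
    events = parse_log(text)
    s = {
        'host': events[0]['host'] if events else None,
        'init_seen': False,          # IKE_SA_INIT parsed or generated
        'auth_sent': False,          # generating IKE_AUTH ...
        'auth_received': False,      # parsed IKE_AUTH ...
        'retransmits': 0,
        'sent_to_ports': set(),      # remote UDP ports we sent to
        'received_from_ports': set(),  # remote UDP ports we got replies from
        'half_open_timeout': False,
        'findings': [],
    }
    for e in events:
        msg = e['msg']
        if 'IKE_SA_INIT' in msg and msg.startswith(('parsed', 'generating')):
            s['init_seen'] = True
        if msg.startswith('generating IKE_AUTH'):
            s['auth_sent'] = True
        if msg.startswith('parsed IKE_AUTH'):
            s['auth_received'] = True
        if msg.startswith('retransmit '):
            s['retransmits'] += 1
        if msg.startswith('deleting half open IKE_SA'):
            s['half_open_timeout'] = True
        pm = PACKET_RE.search(msg)
        if pm:
            direction, _src, src_port, _dst, dst_port = pm.groups()
            if direction == 'sending':
                s['sent_to_ports'].add(int(dst_port))
            else:
                s['received_from_ports'].add(int(src_port))

    # Heuristic findings (this script's wording, not strongSwan's).
    if s['half_open_timeout'] and s['init_seen'] and not s['auth_received']:
        s['findings'].append('responder: IKE_SA_INIT exchanged, but no IKE_AUTH '
                             'arrived before the half-open IKE_SA timed out')
    if s['auth_sent'] and not s['auth_received'] and s['retransmits']:
        note = ('initiator: IKE_AUTH request retransmitted %d times with no reply'
                % s['retransmits'])
        if (4500 in s['sent_to_ports'] and 4500 not in s['received_from_ports']
                and 500 in s['received_from_ports']):
            note += ('; replies came back on UDP/500 but nothing on UDP/4500, '
                     'check that UDP/4500 is allowed between the peers')
        s['findings'].append(note)
    return s


if __name__ == '__main__':
    for sample in (RESPONDER_LOG, INITIATOR_LOG):
        r = analyze(sample)
        print(r['host'], r['findings'])
```

Run on the two excerpts it prints one finding per side: vc1 answered IKE_SA_INIT on UDP/500 and then timed out, vc2 got its IKE_SA_INIT reply on UDP/500 but nothing on UDP/4500 after switching ports for IKE_AUTH. That port switch is the first thing to check on whatever sits between the peers; the `ttl=63` in the pings above suggests there is at least one router hop in the path even though both addresses are in 10.58.113.0/24.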