[strongSwan] no ike packets being generated

neil payne payne.neil at gmail.com
Mon May 9 15:14:22 CEST 2011


Hi,
The ipsec up command doesn't seem to work with IKEv2, so I've reverted to IKEv1. When I use ipsec up on the AWS host, the packets don't reach 50.56.121.20.
If I instead use ipsec up from the 50.56.121.20 host, the packets do reach the AWS firewall, but the following message is logged:

May  9 13:04:23 ip-10-5-51-242 pluto[29702]: packet from 50.56.121.20:500: initial Main Mode message received on 10.5.51.242:500 but no connection has been authorized with policy=PSK

What does this mean?
Our config files are attached.




On 28 Apr 2011, at 14:06, neil payne wrote:

> Andreas, 
> We built a 'vanilla' new build linux AWS instance and loaded v4.3.2 fresh. Unfortunately when I try to bring up the connection with the command ipsec up net-net I see the following entry in the logs:
> 
> Apr 28 12:58:16 ip-10-5-51-242 pluto[2167]: "net-net": we have no ipsecN interface for either end of this connection
> 
> 
> 
> There is only one physical interface as it is an AWS instance.
> We tried binding the elastic IP to the dummy0 interface in order to leverage the cloud infrastructure, to no avail, and while strongswan finds the interface and IP on starting, it appears it won't try to encapsulate the traffic when we bring up the connection - is the above error terminal for this scenario?
> 
> Regards,
> Neil.
> 
> 
> On 26 Apr 2011, at 15:40, neil payne wrote:
> 
>> 
>> Hi Andreas,
>> We reverted to v4.3.2 but the 'up' command still doesn't recognize the net-net connection:
>> 
>> ubuntu at ip-10-5-51-61:~$ sudo ipsec --version
>> sudo: unable to resolve host ip-10-5-51-61
>> Linux strongSwan U4.3.2/K2.6.32-312-ec2
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil, Switzerland
>> See 'ipsec --copyright' for copyright information.
>> ubuntu at ip-10-5-51-61:~$ 
>> ubuntu at ip-10-5-51-61:~$ 
>> ubuntu at ip-10-5-51-61:~$ 
>> ubuntu at ip-10-5-51-61:~$ sudo ipsec up net-net
>> sudo: unable to resolve host ip-10-5-51-61
>> 021 no connection named "net-net"
>> ubuntu at ip-10-5-51-61:~$ 
>> ubuntu at ip-10-5-51-61:~$ 
>> ubuntu at ip-10-5-51-61:~$ 
>> ubuntu at ip-10-5-51-61:~$ sudo ipsec statusall  !!!!!!!!! this has the appearance of the later version's statusall output rather than v4.3.2 !!!!!!!!
>> sudo: unable to resolve host ip-10-5-51-61
>> 000 Status of IKEv1 pluto daemon (strongSwan 4.3.2):
>> 000 interface lo/lo ::1:500
>> 000 interface lo/lo 127.0.0.1:500
>> 000 interface eth0/eth0 10.5.51.61:500
>> 000 interface dummy0/dummy0 46.51.193.145:500
>> 000 %myid = (none)
>> 000 loaded plugins: aes des sha1 sha2 md5 random pubkey hmac gmp 
>> 000 debug options: none
>> 000 
>> Status of IKEv2 charon daemon (strongSwan 4.3.2):
>>   uptime: 4 minutes, since Apr 26 14:28:12 2011
>>   worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
>>   loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink stroke updown attr resolv-conf 
>> Listening IP addresses:
>>   10.5.51.61
>>   46.51.193.145
>> Connections:
>> Security Associations:
>>   none
>> 
>> 
>> 
>> <leftfirewall2-ipsec.conf.rtf>
>> 
>> 
>> On 21 Apr 2011, at 13:25, neil payne wrote:
>> 
>>> 
>>> Hi Andreas, 
>>> We're now running version 4.5.1 on the leftfirewall (downgraded from the one below). We are using the same config files as the ones I sent last night but on the left firewall it doesn't recognize the net-net connection:
>>> 
>>> ubuntu at ip-10-5-51-61:/etc$ sudo ipsec --version
>>> sudo: unable to resolve host ip-10-5-51-61
>>> Linux strongSwan U4.5.1/K2.6.32-312-ec2
>>> Institute for Internet Technologies and Applications
>>> University of Applied Sciences Rapperswil, Switzerland
>>> See 'ipsec --copyright' for copyright information.
>>> ubuntu at ip-10-5-51-61:/etc$ 
>>> ubuntu at ip-10-5-51-61:/etc$ 
>>> ubuntu at ip-10-5-51-61:/etc$ 
>>> ubuntu at ip-10-5-51-61:/etc$ 
>>> ubuntu at ip-10-5-51-61:/etc$ sudo ipsec up net-net
>>> sudo: unable to resolve host ip-10-5-51-61
>>> 021 no connection named "net-net"
>>> ubuntu at ip-10-5-51-61:/etc$ 
>>> 
>>> 
>>> If I use ipsec up net-net on the rightfirewall running 4.3.2 it does generate IKE packets which reach the leftfirewall, but the left firewall doesn't recognize it and logs:
>>> 
>>> Apr 21 12:10:15 ip-10-5-51-61 pluto[16057]: packet from 50.56.121.20:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>>> Apr 21 12:10:15 ip-10-5-51-61 pluto[16057]: packet from 50.56.121.20:500: initial Main Mode message received on 10.5.51.61:500 but no connection has been authorized with policy=PSK
>>> 
>>> Regards,
>>> Neil.
>>> 
>>> 
>>> 
>>> On 20 Apr 2011, at 22:43, neil payne wrote:
>>> 
>>>> Hi Andreas,
>>>> No! 
>>>> In fact I didn't know this was the ignition key.
>>>> Unfortunately my colleague upgraded to strongswan 4.5.2dr5 on my prompting on one of the firewalls and now ipsec won't start; I get the following messages in auth.log:
>>>> 
>>>> Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec)
>>>> Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started
>>>> Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: charon has died -- restart scheduled (5sec)
>>>> Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: charon refused to be started
>>>> Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec)
>>>> Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started
>>>> Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: charon has died -- restart scheduled (5sec)
>>>> Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: charon refused to be started
>>>> Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec)
>>>> Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started
>>>> Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: charon has died -- restart scheduled (5sec)
>>>> Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: charon refused to be started
>>>> Apr 20 21:32:21 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec)
>>>> Apr 20 21:32:21 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started
>>>> 
>>>> I fear that we didn't need this upgrade and my configs may have worked with the standard release if I'd known about this start command.
>>>> Would you recommend uninstalling this release or are the errors recoverable?
>>>> Thank you very much for your time and attention.
>>>> Regards,
>>>> Neil.
>>>> 
>>>> 
>>>> On 20 Apr 2011, at 20:43, Andreas Steffen wrote:
>>>> 
>>>>> Hi Neil,
>>>>> 
>>>>> are you starting the connection explicitly with
>>>>> 
>>>>> ipsec up net-net
>>>>> 
>>>>> on one of the two peers?
>>>>> 
>>>>> Regards
>>>>> 
>>>>> Andreas
>>>>> 
>>>>> On 20.04.2011 19:56, neil payne wrote:
>>>>>> Hi Andreas, I amended my syntax on ipsec.secrets as you suggested
>>>>>> (maybe change crypto algos later) but I still see no IKE packets
>>>>>> generated by the firewall on either side when I try to ping the
>>>>>> remote encryption domain. Is my config missing something? I don't
>>>>>> know how I'm going wrong here, but surely it is something fundamental
>>>>>> missing; I cannot tell, as I've followed the available documentation
>>>>>> as best I can. I'm getting desperate for a solution now.
>>>>>> 
>>>>>> Thanks, Neil
>>>>> 
>>>>> ======================================================================
>>>>> Andreas Steffen                         andreas.steffen at strongswan.org
>>>>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>>>>> Institute for Internet Technologies and Applications
>>>>> University of Applied Sciences Rapperswil
>>>>> CH-8640 Rapperswil (Switzerland)
>>>>> ===========================================================[ITA-HSR]==
>>>> 
>>> 
>> 
> 
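As an added triage helper (not part of this thread or of strongSwan itself), the following constructed Python script parses the pluto and ipsec_starter syslog lines quoted above into categories and extracts the peer, local address and auth policy; the category names and the interpretation in the comments are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: the pluto / ipsec_starter lines quoted in this thread
# (the "policy=PSK" line re-joined where the mail wrapped it).
SAMPLE_LOG = """\
May  9 13:04:23 ip-10-5-51-242 pluto[29702]: packet from 50.56.121.20:500: initial Main Mode message received on 10.5.51.242:500 but no connection has been authorized with policy=PSK
Apr 28 12:58:16 ip-10-5-51-242 pluto[2167]: "net-net": we have no ipsecN interface for either end of this connection
Apr 21 12:10:15 ip-10-5-51-61 pluto[16057]: packet from 50.56.121.20:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec)
Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started
Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: charon has died -- restart scheduled (5sec)
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) "
                       r"(?P<daemon>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
UNAUTH_RE = re.compile(r"packet from (?P<peer>[\d.]+):\d+: initial (?P<mode>\w+) Mode "
                       r"message received on (?P<local>[\d.]+):\d+ but no connection "
                       r"has been authorized with policy=(?P<policy>\S+)")
NOIFACE_RE = re.compile(r'"(?P<conn>[^"]+)": we have no ipsecN interface')
DIED_RE = re.compile(r"(?P<which>pluto|charon) (?:has died|refused to be started)")

@dataclass
class Event:
    host: str
    daemon: str
    kind: str                     # triage category (names chosen for this example)
    detail: dict = field(default_factory=dict)

def classify(line):
    """Map one syslog line to a triage category; None for lines that are not syslog."""
    m = SYSLOG_RE.match(line.rstrip())
    if not m:
        return None
    msg, ev = m["msg"], Event(m["host"], m["daemon"], "other")
    if (u := UNAUTH_RE.search(msg)):
        # Responder side: the peer's first Main Mode message arrived, but no loaded
        # conn with this auth policy matches the peer, so the IKE SA is refused.
        ev.kind, ev.detail = "no_matching_conn", {"peer": u["peer"], "local": u["local"], "policy": u["policy"]}
    elif (n := NOIFACE_RE.search(msg)):
        # Initiator side: neither left nor right resolves to an address on a local
        # interface (on AWS the elastic IP is NAT-mapped, not bound on the instance).
        ev.kind, ev.detail = "no_local_interface", {"conn": n["conn"]}
    elif (d := DIED_RE.search(msg)):
        ev.kind, ev.detail = "daemon_restart", {"which": d["which"]}
    return ev

def triage(log_text):
    """Return (events, counts per category) for a block of log text."""
    events = [e for e in map(classify, log_text.splitlines()) if e]
    return events, Counter(e.kind for e in events)
```

A run of `daemon_restart` events at 5-second intervals, as in the auth.log excerpt above, is the starter's restart loop rather than a transient crash.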

-------------- next part --------------
A non-text attachment was scrubbed...
Name: leftfirewall.ipsec.secrets.rtf
Type: text/rtf
Size: 426 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110509/c7128711/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: leftfirewall.rtf
Type: text/rtf
Size: 1182 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110509/c7128711/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rightfirewall-ipsec.secrets.rtf
Type: text/rtf
Size: 418 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110509/c7128711/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rightfirewall.ipsec.conf.rtf
Type: text/rtf
Size: 1019 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110509/c7128711/attachment-0003.bin>