[strongSwan] Strongswan - no tunnel, but no errors in log either :(

Andreas Steffen andreas.steffen at strongswan.org
Mon May 9 15:39:42 CEST 2011


Hello Meera,

Peer 2 initiates with an IKE_SA_INIT request on UDP port 500 and
gets back an IKE_SA_INIT reply from peer 1. Peer 2 then sends an
IKE_AUTH request on UDP port 4500 (floating due to MOBIKE), but this
message never arrives at peer 1. There are two probable reasons:

* UDP port 4500 is not open on peer 1

   Workaround:
   - Set mobike=no in ipsec.conf to prevent floating to port 4500.

* Peer 2 sends its large certificate in the CERT payload of the
   IKE_AUTH request which will cause the IKE packet to be segmented.
   The IP segments are then discarded either by the firewall of
   peer 1 or a router in between.

   Workaround:
   - Prevent the IP segments from being discarded
   or
   - set leftsendcert=no and use the IKEv2 Hash-and-URL mechanism
     http://wiki.strongswan.org/projects/strongswan/wiki/HashAndUrl
     to fetch the certificates from an HTTP server
   or
   - set leftsendcert=no and load the peer certificate locally
     with rightcert=peerCert.pem

Best regards

Andreas


On 05/09/2011 12:45 PM, Meera Sudhakar wrote:
> Hi,
> I have a very peculiar problem. My endpoints can ping each other, but
> for some reason, the tunnel is not getting established. There are no
> error messages in the log file. Please find the relevant details below.
> Can someone please help me solve this problem? My strongswan version is
> 4.4.0.
> PS: this used to work fine till someone played around with my config
> files, trying to understand how to use strongswan.
> Thanks,
> Meera
> Peer 1 can ping peer 2:
> root@vc1:~# ping 10.58.113.118
> PING 10.58.113.118 (10.58.113.118) 56(84) bytes of data.
> 64 bytes from 10.58.113.118: icmp_req=1 ttl=63 time=10.6 ms
> 64 bytes from 10.58.113.118: icmp_req=2 ttl=63 time=0.297 ms
> ^C
> --- 10.58.113.118 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1002ms
> rtt min/avg/max/mdev = 0.297/5.492/10.688/5.196 ms
> Peer 2 can ping peer 1:
> root@vc2:~# ping 10.58.113.37
> PING 10.58.113.37 (10.58.113.37) 56(84) bytes of data.
> 64 bytes from 10.58.113.37: icmp_req=1 ttl=63 time=0.356 ms
> 64 bytes from 10.58.113.37: icmp_req=2 ttl=63 time=0.283 ms
> ^C
> --- 10.58.113.37 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 999ms
> rtt min/avg/max/mdev = 0.283/0.319/0.356/0.040 ms
> ipsec.conf on peer 1:
> root@vc1:~# cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>          # plutodebug=all
>          # crlcheckinterval=600
>          strictcrlpolicy=no
>          # cachecrls=yes
>          # nat_traversal=yes
>          charonstart=yes
>          charondebug=all
>          plutostart=no
> # Add connections here.
> # Sample VPN connections
> #conn sample-self-signed
> #      left=%defaultroute
> #      leftsubnet=10.1.0.0/16
> #      leftcert=selfCert.der
> #      leftsendcert=never
> #      right=192.168.0.2
> #      rightsubnet=10.2.0.0/16
> #      rightcert=peerCert.der
> #      auto=start
> ca strongswan
>          cacert=caCert.der
>          auto=add
> conn sample-with-ca-cert
>        left=10.58.113.37
>        leftsubnet=10.58.113.0/24
>        leftcert=VC1Cert.der
>        right=10.58.113.118
>        rightsubnet=10.58.113.0/24
>        rightid="C=CH, O=strongSwan, CN=10.58.113.118"
>        keyexchange=ikev2
>        auto=add
> ipsec.conf on peer 2:
> root@vc2:~# cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>          # plutodebug=all
>          # crlcheckinterval=600
>           strictcrlpolicy=no
>          # cachecrls=yes
>          # nat_traversal=yes
>          charonstart=yes
>          plutostart=no
>          charondebug=all
> # Add connections here.
> # Sample VPN connections
> #conn sample-self-signed
> #      left=%defaultroute
> #      leftsubnet=10.1.0.0/16
> #      leftcert=selfCert.der
> #      leftsendcert=never
> #      right=192.168.0.2
> #      rightsubnet=10.2.0.0/16
> #      rightcert=peerCert.der
> #      auto=start
> ca strongswan
>          cacert=caCert.der
>          auto=add
> conn sample-with-ca-cert
>        left=10.58.113.118
>        leftsubnet=10.58.113.0/24
>        leftcert=VC2Cert.der
>        right=10.58.113.37
>        rightsubnet=10.58.113.0/24
>        rightid="C=CH, O=strongSwan, CN=10.58.113.37"
>        keyexchange=ikev2
>        auto=start
> Log file on peer 1:
> May  9 23:11:23 vc1 charon: 00[DMN] Starting IKEv2 charon daemon
> (strongSwan 4.4.0)
> May  9 23:11:23 vc1 charon: 00[KNL] listening on interfaces:
> May  9 23:11:23 vc1 charon: 00[KNL]   eth2
> May  9 23:11:23 vc1 charon: 00[KNL]     10.58.113.37
> May  9 23:11:23 vc1 charon: 00[KNL]     fe80::21f:29ff:fe69:70ae
> May  9 23:11:23 vc1 charon: 00[KNL]   ethvc1
> May  9 23:11:23 vc1 charon: 00[KNL]     10.58.113.60
> May  9 23:11:23 vc1 charon: 00[KNL]     fe80::4824:96ff:fe30:e7ba
> May  9 23:11:23 vc1 charon: 00[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
> May  9 23:11:23 vc1 charon: 00[CFG]   loaded ca certificate "C=CH,
> O=strongSwan, CN=strongSwan CA" from '/etc/ipsec.d/cacerts/caCert.der'
> May  9 23:11:23 vc1 charon: 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> May  9 23:11:23 vc1 charon: 00[CFG] loading ocsp signer certificates
> from '/etc/ipsec.d/ocspcerts'
> May  9 23:11:23 vc1 charon: 00[CFG] loading attribute certificates from
> '/etc/ipsec.d/acerts'
> May  9 23:11:23 vc1 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> May  9 23:11:23 vc1 charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> May  9 23:11:23 vc1 charon: 00[CFG]   loaded RSA private key from
> '/etc/ipsec.d/private/VC1Key.der'
> May  9 23:11:23 vc1 charon: 00[CFG] expanding file expression
> '/var/lib/strongswan/ipsec.secrets.inc' failed
> May  9 23:11:23 vc1 charon: 00[DMN] loaded plugins: curl ldap aes des
> sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl fips-prf
> xcbc hmac agent gmp attr kernel-netlink socket-default farp stroke
> updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp resolve
> May  9 23:11:23 vc1 charon: 00[JOB] spawning 16 worker threads
> May  9 23:11:23 vc1 charon: 09[CFG] received stroke: add ca 'strongswan'
> May  9 23:11:23 vc1 charon: 09[CFG] added ca 'strongswan'
> May  9 23:11:23 vc1 charon: 10[CFG] received stroke: add connection
> 'sample-with-ca-cert'
> May  9 23:11:23 vc1 charon: 10[CFG]   loaded certificate "C=CH,
> O=strongSwan, CN=10.58.113.37" from 'VC1Cert.der'
> May  9 23:11:23 vc1 charon: 10[CFG]   id '10.58.113.37' not confirmed by
> certificate, defaulting to 'C=CH, O=strongSwan, CN=10.58.113.37'
> May  9 23:11:23 vc1 charon: 10[CFG] added configuration
> 'sample-with-ca-cert'
> May  9 23:11:25 vc1 charon: 12[NET] received packet: from
> 10.58.113.118[500] to 10.58.113.37[500]
> May  9 23:11:25 vc1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE
> No N(NATD_S_IP) N(NATD_D_IP) ]
> May  9 23:11:25 vc1 charon: 12[IKE] 10.58.113.118 is initiating an IKE_SA
> May  9 23:11:26 vc1 charon: 12[IKE] sending cert request for "C=CH,
> O=strongSwan, CN=strongSwan CA"
> May  9 23:11:26 vc1 charon: 12[ENC] generating IKE_SA_INIT response 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> May  9 23:11:26 vc1 charon: 12[NET] sending packet: from
> 10.58.113.37[500] to 10.58.113.118[500]
> May  9 23:11:55 vc1 charon: 13[JOB] deleting half open IKE_SA after timeout
> Log file on peer 2:
> May  9 23:11:25 vc2 charon: 00[DMN] Starting IKEv2 charon daemon
> (strongSwan 4.4.0)
> May  9 23:11:25 vc2 charon: 00[KNL] listening on interfaces:
> May  9 23:11:25 vc2 charon: 00[KNL]   eth3
> May  9 23:11:25 vc2 charon: 00[KNL]     10.58.113.118
> May  9 23:11:25 vc2 charon: 00[KNL]     fe80::21f:29ff:fe69:28
> May  9 23:11:25 vc2 charon: 00[KNL]   ethvc2
> May  9 23:11:25 vc2 charon: 00[KNL]     10.58.113.101
> May  9 23:11:25 vc2 charon: 00[KNL]     fe80::fcd1:15ff:feba:76c8
> May  9 23:11:25 vc2 charon: 00[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
> May  9 23:11:25 vc2 charon: 00[CFG]   loaded ca certificate "C=CH,
> O=strongSwan, CN=strongSwan CA" from '/etc/ipsec.d/cacerts/caCert.der'
> May  9 23:11:25 vc2 charon: 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> May  9 23:11:25 vc2 charon: 00[CFG] loading ocsp signer certificates
> from '/etc/ipsec.d/ocspcerts'
> May  9 23:11:25 vc2 charon: 00[CFG] loading attribute certificates from
> '/etc/ipsec.d/acerts'
> May  9 23:11:25 vc2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> May  9 23:11:25 vc2 charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> May  9 23:11:25 vc2 charon: 00[CFG]   loaded RSA private key from
> '/etc/ipsec.d/private/VC2Key.der'
> May  9 23:11:25 vc2 charon: 00[CFG] expanding file expression
> '/var/lib/strongswan/ipsec.secrets.inc' failed
> May  9 23:11:25 vc2 charon: 00[DMN] loaded plugins: curl ldap aes des
> sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl fips-prf
> xcbc hmac agent gmp attr kernel-netlink socket-default farp stroke
> updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp resolve
> May  9 23:11:25 vc2 charon: 00[JOB] spawning 16 worker threads
> May  9 23:11:25 vc2 charon: 05[CFG] received stroke: add ca 'strongswan'
> May  9 23:11:25 vc2 charon: 05[CFG] added ca 'strongswan'
> May  9 23:11:25 vc2 charon: 11[CFG] received stroke: add connection
> 'sample-with-ca-cert'
> May  9 23:11:25 vc2 charon: 11[CFG]   loaded certificate "C=CH,
> O=strongSwan, CN=10.58.113.118" from 'VC2Cert.der'
> May  9 23:11:25 vc2 charon: 11[CFG]   id '10.58.113.118' not confirmed
> by certificate, defaulting to 'C=CH, O=strongSwan, CN=10.58.113.118'
> May  9 23:11:25 vc2 charon: 11[CFG] added configuration
> 'sample-with-ca-cert'
> May  9 23:11:25 vc2 charon: 14[CFG] received stroke: initiate
> 'sample-with-ca-cert'
> May  9 23:11:25 vc2 charon: 14[IKE] initiating IKE_SA
> sample-with-ca-cert[1] to 10.58.113.37
> May  9 23:11:25 vc2 charon: 14[ENC] generating IKE_SA_INIT request 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> May  9 23:11:25 vc2 charon: 14[NET] sending packet: from
> 10.58.113.118[500] to 10.58.113.37[500]
> May  9 23:11:26 vc2 charon: 15[NET] received packet: from
> 10.58.113.37[500] to 10.58.113.118[500]
> May  9 23:11:26 vc2 charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> May  9 23:11:26 vc2 charon: 15[IKE] received cert request for "C=CH,
> O=strongSwan, CN=strongSwan CA"
> May  9 23:11:26 vc2 charon: 15[IKE] sending cert request for "C=CH,
> O=strongSwan, CN=strongSwan CA"
> May  9 23:11:26 vc2 charon: 15[IKE] authentication of 'C=CH,
> O=strongSwan, CN=10.58.113.118' (myself) with RSA signature successful
> May  9 23:11:26 vc2 charon: 15[IKE] sending end entity cert "C=CH,
> O=strongSwan, CN=10.58.113.118"
> May  9 23:11:26 vc2 charon: 15[IKE] establishing CHILD_SA
> sample-with-ca-cert
> May  9 23:11:26 vc2 charon: 15[ENC] generating IKE_AUTH request 1 [ IDi
> CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR)
> N(MULT_AUTH) N(EAP_ONLY) ]
> May  9 23:11:26 vc2 charon: 15[NET] sending packet: from
> 10.58.113.118[4500] to 10.58.113.37[4500]
> May  9 23:11:30 vc2 charon: 09[IKE] retransmit 1 of request with message
> ID 1
> May  9 23:11:30 vc2 charon: 09[NET] sending packet: from
> 10.58.113.118[4500] to 10.58.113.37[4500]
> May  9 23:11:37 vc2 charon: 05[IKE] retransmit 2 of request with message
> ID 1
> May  9 23:11:37 vc2 charon: 05[NET] sending packet: from
> 10.58.113.118[4500] to 10.58.113.37[4500]
> May  9 23:11:50 vc2 charon: 12[IKE] retransmit 3 of request with message
> ID 1
> May  9 23:11:50 vc2 charon: 12[NET] sending packet: from
> 10.58.113.118[4500] to 10.58.113.37[4500]
> May  9 23:12:13 vc2 charon: 11[IKE] retransmit 4 of request with message
> ID 1
> May  9 23:12:13 vc2 charon: 11[NET] sending packet: from
> 10.58.113.118[4500] to 10.58.113.37[4500]
> May  9 23:12:55 vc2 charon: 13[IKE] retransmit 5 of request with message
> ID 1
> May  9 23:12:55 vc2 charon: 13[NET] sending packet: from
> 10.58.113.118[4500] to 10.58.113.37[4500]
> May  9 23:14:11 vc2 charon: 16[KNL] creating delete job for ESP CHILD_SA
> with SPI c5a05f90 and reqid {1}

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
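The following script is an added example, not code from the thread or from the strongSwan project. It applies Andreas's diagnosis mechanically to a pair of charon logs: it pairs each "generating ..." line on the initiator with the "sending packet" line that follows it, records which UDP port the IKE_AUTH request went to and which payloads it carried, counts retransmits of that message ID, and checks whether the responder ever logged "parsed IKE_AUTH request". When the request was sent but never parsed, it reports the two causes named above (port 4500 after the MOBIKE float, and a CERT payload large enough to fragment). The sample log lines are constructed, modelled on the two charon excerpts in Meera's mail, abridged to three retransmits and unwrapped onto single lines; the analyze() function and its result field names are this example's own, not charon's.

```python
"""Triage two charon (strongSwan IKEv2) logs for the silent-failure pattern in
this thread: the initiator sends and retransmits its IKE_AUTH request, the
responder never logs having parsed one, and neither side reports an error."""
import re
from textwrap import dedent
from typing import Dict

# charon's default log format: "<thread>[<subsystem>] message".
GENERATING = re.compile(r"\[ENC\] generating (\w+) (request|response) (\d+) \[ (.*?) \]")
SENDING = re.compile(r"\[NET\] sending packet: from \S+\[(\d+)\] to \S+\[(\d+)\]")
PARSED = re.compile(r"\[ENC\] parsed (\w+) (request|response) (\d+) \[")
RETRANSMIT = re.compile(r"\[IKE\] retransmit (\d+) of request with message ID (\d+)")


def analyze(initiator_log: str, responder_log: str) -> Dict:
    """Correlate the initiator's IKE_AUTH send with what the responder parsed."""
    result = {
        "ike_auth_dst_port": None,   # UDP port the IKE_AUTH request was sent to
        "ike_auth_payloads": [],     # payload list charon logged for that message
        "ike_auth_msgid": None,      # IKEv2 message ID, used to match retransmits
        "retransmits": 0,
        "responder_saw_ike_auth": False,
        "findings": [],
    }
    pending = None  # exchange charon has generated but not yet put on the wire
    for line in initiator_log.splitlines():
        m = GENERATING.search(line)
        if m:
            pending = (m.group(1), m.group(2), int(m.group(3)), m.group(4).split())
            continue
        m = SENDING.search(line)
        if m and pending:
            exchange, kind, msgid, payloads = pending
            if exchange == "IKE_AUTH" and kind == "request":
                result["ike_auth_dst_port"] = int(m.group(2))
                result["ike_auth_payloads"] = payloads
                result["ike_auth_msgid"] = msgid
            pending = None
            continue
        m = RETRANSMIT.search(line)
        if m and int(m.group(2)) == result["ike_auth_msgid"]:
            result["retransmits"] = max(result["retransmits"], int(m.group(1)))

    for line in responder_log.splitlines():
        m = PARSED.search(line)
        if m and (m.group(1), m.group(2)) == ("IKE_AUTH", "request"):
            result["responder_saw_ike_auth"] = True

    if result["ike_auth_msgid"] is not None and not result["responder_saw_ike_auth"]:
        f = result["findings"]
        f.append("IKE_AUTH request (message ID %d) retransmitted %d time(s) but never "
                 "parsed by the responder" % (result["ike_auth_msgid"], result["retransmits"]))
        if result["ike_auth_dst_port"] == 4500:
            f.append("IKE_AUTH floated to UDP/4500 (MOBIKE): check that UDP 4500 is open "
                     "on the responder, or set mobike=no")
        if "CERT" in result["ike_auth_payloads"]:
            f.append("IKE_AUTH carries a CERT payload and may be IP-fragmented: let the "
                     "fragments through, or set leftsendcert=no and use Hash-and-URL "
                     "or a locally loaded rightcert")
    return result


# Constructed sample logs modelled on the thread's charon excerpts (abridged).
INITIATOR_LOG = dedent("""\
    vc2 charon: 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
    vc2 charon: 14[NET] sending packet: from 10.58.113.118[500] to 10.58.113.37[500]
    vc2 charon: 15[NET] received packet: from 10.58.113.37[500] to 10.58.113.118[500]
    vc2 charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    vc2 charon: 15[IKE] sending end entity cert "C=CH, O=strongSwan, CN=10.58.113.118"
    vc2 charon: 15[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
    vc2 charon: 15[NET] sending packet: from 10.58.113.118[4500] to 10.58.113.37[4500]
    vc2 charon: 09[IKE] retransmit 1 of request with message ID 1
    vc2 charon: 09[NET] sending packet: from 10.58.113.118[4500] to 10.58.113.37[4500]
    vc2 charon: 05[IKE] retransmit 2 of request with message ID 1
    vc2 charon: 05[NET] sending packet: from 10.58.113.118[4500] to 10.58.113.37[4500]
    vc2 charon: 12[IKE] retransmit 3 of request with message ID 1
    vc2 charon: 12[NET] sending packet: from 10.58.113.118[4500] to 10.58.113.37[4500]
""")

RESPONDER_LOG = dedent("""\
    vc1 charon: 12[NET] received packet: from 10.58.113.118[500] to 10.58.113.37[500]
    vc1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
    vc1 charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    vc1 charon: 12[NET] sending packet: from 10.58.113.37[500] to 10.58.113.118[500]
    vc1 charon: 13[JOB] deleting half open IKE_SA after timeout
""")

# Constructed variant of the responder log for the case where IKE_AUTH arrives.
HEALTHY_RESPONDER_LOG = RESPONDER_LOG + (
    "vc1 charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) ]\n")

if __name__ == "__main__":
    for finding in analyze(INITIATOR_LOG, RESPONDER_LOG)["findings"]:
        print("-", finding)
```

Against the constructed logs the script reports all three findings; fed a responder log that contains a "parsed IKE_AUTH request" line it reports nothing, which is the quick way to confirm that a firewall change or mobike=no actually fixed the path rather than merely changing the symptoms.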