[strongSwan] "unable to add pseudo IPIP SA with SPI c1bb6ffe: Invalid argument"
Lupe Christoph
lupe at lupe-christoph.de
Sun Nov 13 15:45:03 CET 2011
Hi!
I was forced by a buggy openswan port to try StrongSwan on OpenWRT
Backfire 10.03.01 RC6 (pluto did not receive reply packets, if you
care). The server is still using OpenSwan.
But even after a lot of fiddling with settings I can't get StrongSwan to
connect.
Here is the info that hopefully allows somebody who knows StrongSwan
well to tell me what I need to do to get this to work.
I installed these packages (could do a full install for lack of space):
strongswan4 - 4.5.2-1
strongswan4-app-charon - 4.5.2-1
strongswan4-app-pluto - 4.5.2-1
strongswan4-minimal - 4.5.2-1
strongswan4-mod-aes - 4.5.2-1
strongswan4-mod-blowfish - 4.5.2-1
strongswan4-mod-constraints - 4.5.2-1
strongswan4-mod-coupling - 4.5.2-1
strongswan4-mod-des - 4.5.2-1
strongswan4-mod-gmp - 4.5.2-1
strongswan4-mod-hmac - 4.5.2-1
strongswan4-mod-kernel-klips - 4.5.2-1
strongswan4-mod-kernel-netlink - 4.5.2-1
strongswan4-mod-md5 - 4.5.2-1
strongswan4-mod-pem - 4.5.2-1
strongswan4-mod-pkcs1 - 4.5.2-1
strongswan4-mod-pubkey - 4.5.2-1
strongswan4-mod-random - 4.5.2-1
strongswan4-mod-revocation - 4.5.2-1
strongswan4-mod-sha1 - 4.5.2-1
strongswan4-mod-sha2 - 4.5.2-1
strongswan4-mod-socket-default - 4.5.2-1
strongswan4-mod-stroke - 4.5.2-1
strongswan4-mod-updown - 4.5.2-1
strongswan4-mod-x509 - 4.5.2-1
strongswan4-mod-xcbc - 4.5.2-1
strongswan4-utils - 4.5.2-1
===== StrongSwan config =====
config setup
plutodebug=control
# crlcheckinterval=600
# strictcrlpolicy=yes
# cachecrls=yes
# nat_traversal=yes
# charonstart=no
# plutostart=no
nat_traversal=yes
charonstart=yes
plutostart=yes
conn openswan-server
auto=add
authby=rsasig
keyexchange=ikev1
right=%defaultroute
rightsubnet=192.168.1.0/24
rightcert=/etc/ipsec.d/certs/strongswan-clientCert.pem
rightsendcert=always
rightrsasigkey=%cert
rightid="C=DE, ST=Bavaria, O=My Company, OU=IPSec Clients, CN=strongswan-client.mycompany.de, E=lupe.christoph at mycompany.de"
left=SERVERIPADDRESS
leftcert=/etc/ipsec.d/certs/openswan-serverCert.pem
leftrsasigkey=%cert
===== Openswan config =====
conn strongswan-client
auto=add
right=%any
rightsubnet=192.168.1.0/24
rightcert=strongswan-clientCert.pem
rightnexthop=%defaultroute
left=%defaultroute
leftcert=openswan-serverCert.pem
leftsendcert=never
===== Output from ipsec up openswan-server =====
002 "openswan-server" #1: initiating Main Mode
102 "openswan-server" #1: STATE_MAIN_I1: initiate
003 "openswan-server" #1: ignoring Vendor ID payload [4f45517b4f7f6e657a7b4351]
003 "openswan-server" #1: received Vendor ID payload [Dead Peer Detection]
003 "openswan-server" #1: received Vendor ID payload [RFC 3947]
002 "openswan-server" #1: enabling possible NAT-traversal with method 3
104 "openswan-server" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "openswan-server" #1: NAT-Traversal: Result using RFC 3947: no NAT detected
002 "openswan-server" #1: we have a cert and are sending it
106 "openswan-server" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "openswan-server" #1: ignoring Vendor ID payload [494b457632]
002 "openswan-server" #1: Peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Bavaria, O=My Company, OU=IPSec Clients, CN=openswan-server.mycompany.de, E=lutz.christoph at mycompany.de'
002 "openswan-server" #1: ISAKMP SA established
004 "openswan-server" #1: STATE_MAIN_I4: ISAKMP SA established
002 "openswan-server" #2: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
110 "openswan-server" #2: STATE_QUICK_I1: initiate
032 "openswan-server" #2: STATE_QUICK_I1: internal error
=== syslog ===
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: |
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | *received whack message
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | creating state object #1 at 0x49bbe0
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | ICOOKIE: 76 08 08 8a f4 3c 2b 8a
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | RCOOKIE: 00 00 00 00 00 00 00 00
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | peer: 55 d6 9d b0
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | state hash entry 11
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | Queuing pending Quick Mode with SERVERIPADDRESS "openswan-server"
Nov 13 13:28:43 janus authpriv.warn pluto[28210]: "openswan-server" #1: initiating Main Mode
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: |
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | *received 140 bytes from SERVERIPADDRESS:500 on pptp-wan
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | ICOOKIE: 76 08 08 8a f4 3c 2b 8a
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | RCOOKIE: 0b f2 2e a2 f3 62 65 19
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | peer: 55 d6 9d b0
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | state hash entry 1
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | state object not found
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | ICOOKIE: 76 08 08 8a f4 3c 2b 8a
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | RCOOKIE: 00 00 00 00 00 00 00 00
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | peer: 55 d6 9d b0
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | state hash entry 11
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | state object #1 found, in STATE_MAIN_I1
Nov 13 13:28:43 janus authpriv.warn pluto[28210]: "openswan-server" #1: ignoring Vendor ID payload [4f45517b4f7f6e657a7b4351]
Nov 13 13:28:43 janus authpriv.warn pluto[28210]: "openswan-server" #1: received Vendor ID payload [Dead Peer Detection]
Nov 13 13:28:43 janus authpriv.warn pluto[28210]: "openswan-server" #1: received Vendor ID payload [RFC 3947]
Nov 13 13:28:43 janus authpriv.warn pluto[28210]: "openswan-server" #1: enabling possible NAT-traversal with method 3
Nov 13 13:28:44 janus authpriv.debug pluto[28210]: | ICOOKIE: 76 08 08 8a f4 3c 2b 8a
Nov 13 13:28:44 janus authpriv.debug pluto[28210]: | RCOOKIE: 00 00 00 00 00 00 00 00
Nov 13 13:28:44 janus authpriv.debug pluto[28210]: | peer: 55 d6 9d b0
Nov 13 13:28:44 janus authpriv.debug pluto[28210]: | state hash entry 11
Nov 13 13:28:44 janus authpriv.debug pluto[28210]: | ICOOKIE: 76 08 08 8a f4 3c 2b 8a
Nov 13 13:28:44 janus authpriv.debug pluto[28210]: | RCOOKIE: 0b f2 2e a2 f3 62 65 19
Nov 13 13:28:44 janus authpriv.debug pluto[28210]: | peer: 55 d6 9d b0
Nov 13 13:28:44 janus authpriv.debug pluto[28210]: | state hash entry 1
Nov 13 13:28:44 janus authpriv.debug pluto[28210]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Nov 13 13:28:44 janus authpriv.debug pluto[28210]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Nov 13 13:28:45 janus authpriv.debug pluto[28210]: |
Nov 13 13:28:45 janus authpriv.debug pluto[28210]: | *received 572 bytes from SERVERIPADDRESS:500 on pptp-wan
Nov 13 13:28:45 janus authpriv.debug pluto[28210]: | ICOOKIE: 76 08 08 8a f4 3c 2b 8a
Nov 13 13:28:45 janus authpriv.debug pluto[28210]: | RCOOKIE: 0b f2 2e a2 f3 62 65 19
Nov 13 13:28:45 janus authpriv.debug pluto[28210]: | peer: 55 d6 9d b0
Nov 13 13:28:45 janus authpriv.debug pluto[28210]: | state hash entry 1
Nov 13 13:28:45 janus authpriv.debug pluto[28210]: | state object #1 found, in STATE_MAIN_I2
Nov 13 13:28:45 janus authpriv.debug pluto[28210]: | requested CA: "C=DE, ST=Bavaria, L=Hintertupfing, O=My Company, OU=IPSec Clients, CN=www.mycompany.de, E=lupe.christoph at mycompany.de"
Nov 13 13:28:46 janus authpriv.warn pluto[28210]: "openswan-server" #1: NAT-Traversal: Result using RFC 3947: no NAT detected
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | our certificate policy is ALWAYS_SEND
Nov 13 13:28:46 janus authpriv.warn pluto[28210]: "openswan-server" #1: we have a cert and are sending it
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: |
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | *received 380 bytes from SERVERIPADDRESS:500 on pptp-wan
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | ICOOKIE: 76 08 08 8a f4 3c 2b 8a
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | RCOOKIE: 0b f2 2e a2 f3 62 65 19
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | peer: 55 d6 9d b0
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | state hash entry 1
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | state object #1 found, in STATE_MAIN_I3
Nov 13 13:28:46 janus authpriv.warn pluto[28210]: "openswan-server" #1: ignoring Vendor ID payload [494b457632]
Nov 13 13:28:46 janus authpriv.warn pluto[28210]: "openswan-server" #1: Peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Bavaria, O=My Company, OU=IPSec Clients, CN=openswan-server.mycompany.de, E=lupe.christoph at mycompany.de'
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | RSA signature check passed with keyid d2:0c:0c:4c:e6:32:76:2d:12:66:f2:5f:c9:86:fd:93:1b:ad:83:00
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | peer CA: "C=DE, ST=Bavaria, L=Hintertupfing, O=My Company, OU=IPSec Clients, CN=www.mycompany.de, E=lupe.christoph at mycompany.de"
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | required CA: "0\361\255*H\361\255*\230\373\255*\300\372\255*\230\374\255*\374\373\255*|\377\255*|\365\255*\010\221I"
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | inserting event EVENT_SA_REPLACE, timeout in 9807 seconds for #1
Nov 13 13:28:46 janus authpriv.warn pluto[28210]: "openswan-server" #1: ISAKMP SA established
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | unqueuing pending Quick Mode with SERVERIPADDRESS "openswan-server"
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | duplicating state object #1
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | creating state object #2 at 0x49dc78
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | ICOOKIE: 76 08 08 8a f4 3c 2b 8a
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | RCOOKIE: 0b f2 2e a2 f3 62 65 19
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | peer: 55 d6 9d b0
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | state hash entry 1
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #2
Nov 13 13:28:46 janus authpriv.warn pluto[28210]: "openswan-server" #2: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
Nov 13 13:28:47 janus authpriv.debug pluto[28210]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
Nov 13 13:28:47 janus authpriv.debug pluto[28210]: | next event EVENT_RETRANSMIT in 10 seconds for #2
Nov 13 13:28:47 janus authpriv.debug pluto[28210]: |
Nov 13 13:28:47 janus authpriv.debug pluto[28210]: | *received 428 bytes from SERVERIPADDRESS:500 on pptp-wan
Nov 13 13:28:47 janus authpriv.debug pluto[28210]: | ICOOKIE: 76 08 08 8a f4 3c 2b 8a
Nov 13 13:28:47 janus authpriv.debug pluto[28210]: | RCOOKIE: 0b f2 2e a2 f3 62 65 19
Nov 13 13:28:47 janus authpriv.debug pluto[28210]: | peer: 55 d6 9d b0
Nov 13 13:28:47 janus authpriv.debug pluto[28210]: | state hash entry 1
Nov 13 13:28:47 janus authpriv.debug pluto[28210]: | state object #2 found, in STATE_QUICK_I1
Nov 13 13:28:49 janus authpriv.debug pluto[28210]: | our client is subnet 192.168.1.0/24
Nov 13 13:28:49 janus authpriv.debug pluto[28210]: | our client protocol/port is 0/0
Nov 13 13:28:49 janus authpriv.debug pluto[28210]: | peer client is SERVERIPADDRESS
Nov 13 13:28:49 janus authpriv.debug pluto[28210]: | peer client protocol/port is 0/0
Nov 13 13:28:49 janus authpriv.debug pluto[28210]: | no valid attribute cert found
Nov 13 13:28:49 janus authpriv.debug pluto[28210]: | kernel_alg_esp_auth_keylen(auth=2, sadb_aalg=3): a_keylen=20
Nov 13 13:28:49 janus authpriv.debug pluto[28210]: | install_ipsec_sa() for #2: inbound and outbound
Nov 13 13:28:49 janus authpriv.debug pluto[28210]: | route owner of "openswan-server" unrouted: NULL; eroute owner: NULL
Nov 13 13:28:49 janus authpriv.info pluto[28210]: unable to add pseudo IPIP SA with SPI c1bb6ffe: Invalid argument (22)
Nov 13 13:28:49 janus authpriv.info pluto[28210]: unable to add SAD entry with SPI c1bb6ffe
Nov 13 13:28:49 janus authpriv.debug pluto[28210]: | state transition function for STATE_QUICK_I1 had internal error
Nov 13 13:28:49 janus authpriv.debug pluto[28210]: | next event EVENT_RETRANSMIT in 8 seconds for #2
Any taker?
Thanks for looking at this.
Lupe Christoph
--
| It is a well-known fact in any organisation that, if you want a job |
| done, you should give it to someone who is already very busy. |
| Terry Pratchett, "Unseen Academicals" |
More information about the Users
mailing list