[strongSwan] Trying a basic peer to peer ipsec

Andreas Steffen andreas.steffen at strongswan.org
Mon Sep 19 14:18:52 CEST 2011


Hello Shilpa,

it seems that either the peer 107.108.204.245 never receives
the IKE_SA_INIT request from 107.108.204.246 on UDP port 500
or the IKE_SA_INIT response from 107.108.204.245 is never
received by the initiator 107.108.204.246. In order to check
that I need the logs on both endpoints. Execute

  grep charon /var/log/*

to find out to which logfile the charon debug output goes.
If the logs don't show any entries about received or sent
IKE packets, run wireshark or tcpdump to check whether the
UDP/500 datagrams are received at all (they might get blocked
by a firewall).

Best regards

Andreas

On 19.09.2011 14:04, Shilpa Shree wrote:
> Hi, I'm new to IPsec tunnels. Currently we are establishing an IPsec tunnel
> between two Linux machines using the strongSwan open source software.
> 
> Here is the config file on alice:
> 
> # ipsec.conf - strongSwan IPsec configuration file
> 
> config setup
>           crlcheckinterval=600
>           strictcrlpolicy=no
>           plutostart=no
> 
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
> 
> conn host-host
>           left=107.108.204.246
>           right=107.108.204.245
>           leftcert=aliceCert.pem
>           rightid="C=CH, O=Linux strongSwan, CN=venus.strongswan.org"
>           auto=add
> 
> and the same on the other side:
> 
> # ipsec.conf - strongSwan IPsec configuration file
> 
> config setup
>           crlcheckinterval=600
>           strictcrlpolicy=no
>           plutostart=no
> 
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
> 
> conn host-host
>           left=107.108.204.245
>           right=107.108.204.246
>           leftcert=venusCert.pem
>           rightid="C=CH, O=Linux strongSwan, CN=alice.strongswan.org"
>           leftfirewall=yes
>           auto=add
> 
> and the log when I run
> 
> /usr/sbin/ipsec statusall
> 
> Status of IKEv2 charon daemon (strongSwan 4.5.3):
>   uptime: 10 seconds, since Sep 19 16:37:53 2011
>   malloc: sbrk 135168, mmap 0, used 82288, free 52880
>   worker threads: 9 of 16 idle, 6/1/0/0 working, job queue: 0/0/0/0, scheduled: 1
>   loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-aka
> Listening IP addresses:
>   107.108.204.246
>   2011::14
>   107.108.204.246
> Connections:
>    host-host:  107.108.204.246...107.108.204.245
>    host-host:   local:  [C=CH, O=Linux strongSwan, OU=Sales, CN=alice at strongswan.org] uses public key authentication
>    host-host:    cert:  "C=CH, O=Linux strongSwan, OU=Sales, CN=alice at strongswan.org"
>    host-host:   remote: [C=CH, O=Linux strongSwan, CN=venus.strongswan.org] uses any authentication
>    host-host:   child:  dynamic === dynamic TUNNEL
> Security Associations (1 up, 0 connecting):
>    host-host[1]: CONNECTING, 107.108.204.246[%any]...107.108.204.245[%any]
>    host-host[1]: IKE SPIs: c6d28a10188c9f00_i* 0000000000000000_r
>    host-host[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTHENTICATE IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
> 
> *********************************
> 
> /usr/sbin/ipsec up host-host
> retransmit 4 of request with message ID 0
> sending packet: from 107.108.204.246[500] to 107.108.204.245[500]
> retransmit 5 of request with message ID 0
> sending packet: from 107.108.204.246[500] to 107.108.204.245[500]
> 
> I'm not getting where the error has occurred and why it is unable to
> establish the connection. Kindly do help me in this regard; hoping for any
> response.
> 
> Thanks and regards,
> 
> Shilpa

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
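The two-way check in the reply above (did the IKE_SA_INIT request ever reach the responder, and did the response ever get back to the initiator) can be applied mechanically to the charon log excerpts from both hosts once you have found them with `grep charon /var/log/*`. The script below is an added example written for this page; it is not strongSwan code and was not posted in the thread. It assumes charon log lines of the shape `charon: NN[NET] sending packet: from A[500] to B[500]`, `charon: NN[NET] received packet: from A[500] to B[500]` and `retransmit N of request with message ID 0` (the syslog prefix is optional, so the bare lines from `ipsec up` work too). The addresses are the ones from the thread; the sample log excerpts for alice and venus are constructed for illustration and are not the poster's real logs.

```python
#!/usr/bin/env python3
"""ike_init_diag.py: classify a stuck IKE_SA_INIT from both peers' charon logs.

Added example for the thread above, not strongSwan code. The log line
formats and the sample excerpts below are assumptions/constructed data.
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass, field

# "sending"/"received" packet lines; the "charon: NN[NET] " syslog prefix is
# optional so that the raw output of `ipsec up` can be fed in as well.
PACKET_RE = re.compile(
    r"(?:charon: \d+\[NET\] )?(?P<dir>sending|received) packet: "
    r"from (?P<src>[0-9.]+)\[\d+\] to (?P<dst>[0-9.]+)\[\d+\]"
)
# Message ID 0 is the IKE_SA_INIT request; later IDs belong to IKE_AUTH etc.
RETRANSMIT_RE = re.compile(r"retransmit (?P<n>\d+) of request with message ID 0\b")


@dataclass
class PeerSummary:
    """IKE datagrams one charon instance logged, keyed by remote address."""
    sent_to: Counter = field(default_factory=Counter)
    received_from: Counter = field(default_factory=Counter)
    init_retransmits: int = 0


def summarize(lines):
    """Count sent/received IKE datagrams and IKE_SA_INIT retransmits."""
    s = PeerSummary()
    for line in lines:
        m = PACKET_RE.search(line)
        if m:
            if m["dir"] == "sending":
                s.sent_to[m["dst"]] += 1
            else:
                s.received_from[m["src"]] += 1
            continue
        m = RETRANSMIT_RE.search(line)
        if m:
            s.init_retransmits = max(s.init_retransmits, int(m["n"]))
    return s


def diagnose(initiator_lines, responder_lines, initiator_ip, responder_ip):
    """Return (verdict, explanation): where along the UDP/500 path the
    IKE_SA_INIT exchange stopped, judged from both ends' logs."""
    i = summarize(initiator_lines)
    r = summarize(responder_lines)
    if not i.sent_to[responder_ip]:
        return "no-request-sent", "initiator never sent a packet to the responder"
    if not r.received_from[initiator_ip]:
        return "request-never-received", (
            f"initiator sent {i.sent_to[responder_ip]} datagram(s), "
            f"{i.init_retransmits} retransmit(s), but the responder logged none: "
            "UDP/500 is dropped on the way to the responder")
    if not r.sent_to[initiator_ip]:
        return "no-response-sent", "responder got the request but did not reply"
    if not i.received_from[responder_ip]:
        return "response-never-received", (
            "responder answered but the initiator never saw it: "
            "UDP/500 is dropped on the return path")
    return "init-exchange-seen", "IKE_SA_INIT crossed both ways; failure is later"


# Constructed sample excerpts (not real logs from the thread).
ALICE_LOG = """\
Sep 19 16:38:03 alice charon: 05[NET] sending packet: from 107.108.204.246[500] to 107.108.204.245[500]
Sep 19 16:38:07 alice charon: 06[IKE] retransmit 1 of request with message ID 0
Sep 19 16:38:07 alice charon: 06[NET] sending packet: from 107.108.204.246[500] to 107.108.204.245[500]
Sep 19 16:38:14 alice charon: 07[IKE] retransmit 2 of request with message ID 0
Sep 19 16:38:14 alice charon: 07[NET] sending packet: from 107.108.204.246[500] to 107.108.204.245[500]
"""
VENUS_LOG_SILENT = """\
Sep 19 16:37:50 venus charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
"""
VENUS_LOG_ANSWERED = """\
Sep 19 16:38:03 venus charon: 08[NET] received packet: from 107.108.204.246[500] to 107.108.204.245[500]
Sep 19 16:38:03 venus charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 19 16:38:03 venus charon: 08[NET] sending packet: from 107.108.204.245[500] to 107.108.204.246[500]
"""


def main(argv):
    ini, rsp = "107.108.204.246", "107.108.204.245"
    if len(argv) == 5:  # initiator_log responder_log initiator_ip responder_ip
        with open(argv[1]) as fi, open(argv[2]) as fr:
            print(*diagnose(fi.read().splitlines(), fr.read().splitlines(), argv[3], argv[4]))
        return 0
    for venus in (VENUS_LOG_SILENT, VENUS_LOG_ANSWERED):
        print(*diagnose(ALICE_LOG.splitlines(), venus.splitlines(), ini, rsp))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

When the verdict is "request-never-received", the next step is the capture suggested above: run `tcpdump -ni <iface> udp port 500` on the responder while `ipsec up host-host` is retried on the initiator; if the datagrams never show up there, a firewall or NAT between the hosts (or on the responder itself) is dropping them before charon sees them.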



