[strongSwan] Site to Site with PSK Error

Chris Arnold carnold at electrichendrix.com
Sun Apr 1 13:47:53 CEST 2012


Thanks Andreas! Commenting out the load line now gets me further. Output from:
ipsec up teknerds
initiating IKE_SA teknerds[1] to sonicwall.publi.ip
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.18[500] to sonicwall.publi.ip[500]
received packet: from sonicwall.publi.ip[500] to 192.168.1.18[500]
parsed IKE_SA_INIT response 0 [ N(INVAL_SYN) ]
received INVALID_SYNTAX notify error

Logs from sonicwall side:
04/01/2012 07:36:17.576 Warning VPN IKE IKEv2 Payload processing error strongswan.public.ip, 500 sonicwall.public.ip, 500 Type: SA Payload   
5 04/01/2012 07:36:17.576 Warning VPN IKE IKEv2 VPN Policy not found strongswan.public.ip, 500 sonicwall.public.ip, 500 No VPN policy for peer gateway :strongswan.public.ip
6 04/01/2012 07:36:17.576 Info VPN IKE IKEv2 Responder: Received IKE_SA_INIT request strongswan.public.ip, 500 sonicwall.public.ip, 500 



----- Original Message -----
From: "Andreas Steffen" <andreas.steffen at strongswan.org>
To: "Chris Arnold" <carnold at electrichendrix.com>
Cc: users at lists.strongswan.org
Sent: Sunday, April 1, 2012 4:15:10 AM
Subject: Re: [strongSwan] Site to Site with PSK Error

Hello,

it seems that the socket-default plugin is not available in your SLES11
distribution. Therefore please exchange socket-default by socket-raw
in your load list or as the warning recommends, don't define an explicit
load list at all, since the default load list is fine for most
applications.

Regards

Andreas

On 03/31/2012 09:40 PM, Chris Arnold wrote:
> StrongSwan 4.5.xx on SLES11 SP2. When running ipsec up net-net, I get:
> /etc/init.d/ipsec start
> Starting strongSwan 4.5.3 IPsec [starter]...
> !! Your strongswan.conf contains manual plugin load options for
> !! pluto and/or charon. This is recommended for experts only, see
> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> 
> Here is the strongswan.conf load line:
> charon {
>     load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
>  multiple_authentication = no
> 
> And in the charon.log file, I see:
> Mar 31 15:29:34 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
> Mar 31 15:29:34 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Mar 31 15:29:34 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Mar 31 15:29:34 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Mar 31 15:29:34 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Mar 31 15:29:34 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Mar 31 15:29:34 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Mar 31 15:29:34 00[CFG]   loaded IKE secret for @servername.electricdomain.com
> Mar 31 15:29:34 00[CFG]   loaded IKE secret for @servername.electricdomain.com %any
> Mar 31 15:29:34 00[CFG]   loaded IKE secret for @servername.edensdomain.com
> Mar 31 15:29:34 00[CFG]   loaded IKE secret for %any
> Mar 31 15:29:34 00[CFG]   loaded IKE secret for 192.168.123.3
> Mar 31 15:29:34 00[KNL] listening on interfaces:
> Mar 31 15:29:34 00[KNL]   eth0
> Mar 31 15:29:34 00[KNL]     192.168.123.3
> Mar 31 15:29:34 00[KNL] received netlink error: Address family not supported by protocol (97)
> Mar 31 15:29:34 00[KNL] unable to create IPv6 routing table rule
> Mar 31 15:29:34 00[LIB] plugin 'socket-default' failed to load: /usr/lib/ipsec/plugins/libstrongswan-socket-default.so: cannot open shared object file: No such file or directory
> Mar 31 15:29:34 00[DMN] loaded plugins: aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink updown 
> Mar 31 15:29:34 00[JOB] spawning 16 worker threads
> Mar 31 15:29:34 06[NET] no socket implementation registered, receiving failed
> Mar 31 15:29:34 07[CFG] received stroke: add connection 'net-net'
> Mar 31 15:29:34 07[CFG] left nor right host is our side, assuming left=local
> Mar 31 15:29:34 07[CFG] added configuration 'net-net'
> 
> Then running ipsec up net-net:
> received stroke: initiate 'net-net'
> Mar 31 15:33:18 10[IKE] initiating IKE_SA net-net[1] to pu.bl.ic.ip
> Mar 31 15:33:18 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Mar 31 15:33:18 10[NET] sending packet: from (moon)pu.bl.ic.ip to (sun)pu.bl.ic.ip[500]
> Mar 31 15:33:18 05[NET] no socket implementation registered, sending failed
> Mar 31 15:33:22 11[IKE] retransmit 1 of request with message ID 0
> Mar 31 15:33:22 11[NET] sending packet: from (moon)pu.bl.ic.ip to (sun)pu.bl.ic.ip[500]
> Mar 31 15:33:22 05[NET] no socket implementation registered, sending failed
> 
> It seems the socket-default plugin is causing the initial issue? /usr/lib/ipsec/plugins/libstrongswan-socket-default.so is NOT in that directory.
> 


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
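
Added example, not part of the original thread or of strongSwan itself: a pre-flight check for the failure discussed above, where an explicit `load` list names a plugin whose shared object is not installed and charon starts without any socket implementation. The function names are hypothetical; the plugin file naming and the two socket plugin names are taken from the log and the reply in this thread, and the plugin directory and its contents are constructed for the demonstration.

```python
import os
import re
import tempfile

SOCKET_PLUGINS = {"socket-default", "socket-raw"}  # named in this thread; releases may ship others

def parse_load_list(conf_text, section="charon"):
    """Return plugins from `load = ...` directly inside `section { }`, else None."""
    depth, in_section = 0, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if depth == 0:  # only top-level lines can open the section
            in_section = bool(re.match(r"%s\s*\{" % re.escape(section), line))
        m = re.match(r"load\s*=\s*(.*)$", line)
        if in_section and depth == 1 and m:
            return m.group(1).split()
        depth += line.count("{") - line.count("}")
    return None  # no explicit list: the default load list applies

def check_load_list(conf_text, plugin_dir):
    """Report listed plugins with no .so on disk and whether a socket plugin is left."""
    plugins = parse_load_list(conf_text)
    if plugins is None:
        return {"explicit": False, "missing": [], "socket_ok": None}
    missing = [p for p in plugins if not os.path.isfile(
        os.path.join(plugin_dir, "libstrongswan-%s.so" % p))]
    socket_ok = any(p in SOCKET_PLUGINS and p not in missing for p in plugins)
    return {"explicit": True, "missing": missing, "socket_ok": socket_ok}

# Constructed sample: the load line quoted in the thread, closing brace added.
CONF = """charon {
    load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
    multiple_authentication = no
}
"""

def demo():
    # Constructed plugin directory: everything listed except socket-default, plus socket-raw.
    installed = (set(parse_load_list(CONF)) - {"socket-default"}) | {"socket-raw"}
    with tempfile.TemporaryDirectory() as d:  # stands in for /usr/lib/ipsec/plugins
        for name in installed:
            open(os.path.join(d, "libstrongswan-%s.so" % name), "w").close()
        as_posted = check_load_list(CONF, d)
        swapped = check_load_list(CONF.replace("socket-default", "socket-raw"), d)
        commented = check_load_list(CONF.replace("load =", "# load ="), d)
    return as_posted, swapped, commented

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The three results correspond to the configuration as posted, the load list with socket-raw substituted, and the load line commented out.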



