[strongSwan] strongSwan on a KVM VPS does not work
hayate
hayatelee at gmail.com
Tue Feb 14 19:13:02 CET 2012
Hi all,
I just set up a strongSwan server on a KVM VPS, but the connections have
problems.
First, here is my ipsec.conf:
config setup
    strictcrlpolicy=no
    charonstart=yes
    uniqueids=yes

conn %default
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    left=%defaultroute

conn ikev2
    keyexchange=ikev2
    leftsubnet=0.0.0.0/0
    leftcert=strongswan.crt
    rightca=%same
    right=%any
    rightsourceip=192.168.11.0/24
    auto=add
The client is a roadwarrior and wants to get a virtual IP. From the log it
seems it got the virtual IP; however, the ping from the server to the client
does not work. Here is the charon.log:
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.1)
00[CFG] attr-sql plugin: database URI not set
00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
00[KNL] listening on interfaces:
00[KNL] eth0
00[KNL] 64.62.209.183
00[KNL] fe80::216:3cff:febf:ead9
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=Lauyu.me CA, E=lauyu at lauyu.me" from '/etc/ipsec.d/cacerts/ca.crt'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded RSA private key from '/etc/ipsec.d/private/strongswan.key'
00[CFG] sql plugin: database URI not set
00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
00[CFG] loaded 0 RADIUS server configurations
00[CFG] HA config misses local/remote address
00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
00[LIB] feature CUSTOM:sim-card in 'eap-sim-file' plugin has unsatisfied dependency: CUSTOM:eap-sim-file-triplets
00[LIB] feature CUSTOM:sim-provider in 'eap-sim-file' plugin has unsatisfied dependency: CUSTOM:eap-sim-file-triplets
00[DMN] loaded plugins: curl sqlite aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius dhcp
00[JOB] spawning 16 worker threads
16[CFG] received stroke: add connection 'ikev2'
16[CFG] loaded certificate "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=strongswan, E=lauyu at lauyu.me" from 'strongswan.crt'
16[CFG] id '64.62.209.183' not confirmed by certificate, defaulting to 'C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=strongswan, E=lauyu at lauyu.me'
16[CFG] added configuration 'ikev2'
16[CFG] adding virtual IP address pool 'ikev2': 192.168.11.0/24
06[NET] received packet: from 121.63.63.197[500] to 64.62.209.183[500]
06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
06[IKE] 121.63.63.197 is initiating an IKE_SA
06[IKE] remote host is behind NAT
06[IKE] sending cert request for "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=Lauyu.me CA, E=lauyu at lauyu.me"
06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
06[NET] sending packet: from 64.62.209.183[500] to 121.63.63.197[500]
05[NET] received packet: from 121.63.63.197[4500] to 64.62.209.183[4500]
05[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CP(ADDR DNS) SA TSi TSr ]
05[IKE] received cert request for "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=Lauyu.me CA, E=lauyu at lauyu.me"
05[IKE] received end entity cert "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=e71, E=lauyu at lauyu.me"
05[CFG] looking for peer configs matching 64.62.209.183[%any]...121.63.63.197[C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=e71, E=lauyu at lauyu.me]
05[CFG] selected peer config 'ikev2'
05[CFG] using certificate "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=e71, E=lauyu at lauyu.me"
05[CFG] using trusted ca certificate "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=Lauyu.me CA, E=lauyu at lauyu.me"
05[CFG] checking certificate status of "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=e71, E=lauyu at lauyu.me"
05[CFG] certificate status is not available
05[CFG] reached self-signed root ca with a path length of 0
05[IKE] authentication of 'C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=e71, E=lauyu at lauyu.me' with RSA signature successful
05[IKE] authentication of 'C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=strongswan, E=lauyu at lauyu.me' (myself) with RSA signature successful
05[IKE] IKE_SA ikev2[1] established between 64.62.209.183[C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=strongswan, E=lauyu at lauyu.me]...121.63.63.197[C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=e71, E=lauyu at lauyu.me]
05[IKE] scheduling reauthentication in 10122s
05[IKE] maximum IKE_SA lifetime 10662s
05[IKE] sending end entity cert "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=strongswan, E=lauyu at lauyu.me"
05[IKE] peer requested virtual IP %any
05[CFG] assigning new lease to 'C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=e71, E=lauyu at lauyu.me'
05[IKE] assigning virtual IP 192.168.11.1 to peer 'C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=e71, E=lauyu at lauyu.me'
05[IKE] CHILD_SA ikev2{1} established with SPIs c25dd424_i 1c1e2ef3_o and TS 0.0.0.0/0 === 192.168.11.1/32
05[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS) SA TSi TSr N(AUTH_LFT) ]
05[NET] sending packet: from 64.62.209.183[4500] to 121.63.63.197[4500]
03[IKE] sending DPD request
03[ENC] generating INFORMATIONAL request 0 [ ]
03[NET] sending packet: from 64.62.209.183[4500] to 121.63.63.197[4500]
02[NET] received packet: from 121.63.63.197[4500] to 64.62.209.183[4500]
02[ENC] parsed INFORMATIONAL response 0 [ ]
01[NET] received packet: from 121.63.63.197[4500] to 64.62.209.183[4500]
01[ENC] parsed INFORMATIONAL request 2 [ ]
01[ENC] generating INFORMATIONAL response 2 [ ]
01[NET] sending packet: from 64.62.209.183[4500] to 121.63.63.197[4500]
06[NET] received packet: from 121.63.63.197[4500] to 64.62.209.183[4500]
06[ENC] parsed INFORMATIONAL request 3 [ ]
06[ENC] generating INFORMATIONAL response 3 [ ]
06[NET] sending packet: from 64.62.209.183[4500] to 121.63.63.197[4500]
04[NET] received packet: from 121.63.63.197[4500] to 64.62.209.183[4500]
04[ENC] parsed INFORMATIONAL request 4 [ ]
04[ENC] generating INFORMATIONAL response 4 [ ]
04[NET] sending packet: from 64.62.209.183[4500] to 121.63.63.197[4500]
07[NET] received packet: from 121.63.63.197[4500] to 64.62.209.183[4500]
07[ENC] parsed INFORMATIONAL request 5 [ ]
07[ENC] generating INFORMATIONAL response 5 [ ]
07[NET] sending packet: from 64.62.209.183[4500] to 121.63.63.197[4500]
06[NET] received packet: from 121.63.63.197[4500] to 64.62.209.183[4500]
06[ENC] parsed INFORMATIONAL request 6 [ ]
06[ENC] generating INFORMATIONAL response 6 [ ]
06[NET] sending packet: from 64.62.209.183[4500] to 121.63.63.197[4500]
04[NET] received packet: from 121.63.63.197[4500] to 64.62.209.183[4500]
04[ENC] parsed INFORMATIONAL request 7 [ ]
04[ENC] generating INFORMATIONAL response 7 [ ]
04[NET] sending packet: from 64.62.209.183[4500] to 121.63.63.197[4500]
01[NET] received packet: from 121.63.63.197[4500] to 64.62.209.183[4500]
01[ENC] parsed INFORMATIONAL request 8 [ ]
01[ENC] generating INFORMATIONAL response 8 [ ]
The above shows that there are a lot of strange messages between the server
and client.
Thanks very much~
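The CHILD_SA line in the log above records the traffic selectors charon negotiated for the server (local 0.0.0.0/0, remote 192.168.11.1/32), and the payload-less INFORMATIONAL exchanges that follow the "sending DPD request" line are IKEv2 liveness checks. As an added example that is not part of the original post or of strongSwan itself, the Python script below parses charon log lines in that format, checks whether a given packet (here the server's ping to the client's virtual IP) falls inside the negotiated selectors, and separates empty INFORMATIONAL requests from ones that carry payloads. The sample log lines are constructed from the post's own entries with the DNs shortened; the function names and the wording of the findings are this example's own.

```python
"""Parse charon log lines and test them against a packet.

Added example, not part of the original post or of strongSwan itself.
The regexes follow the log format shown in the post; SAMPLE_LOG is a
constructed excerpt (DNs shortened) and the function names are this
example's own.
"""
import ipaddress
import re

# Constructed sample in the format charon writes, one entry per line.
SAMPLE_LOG = """\
05[IKE] IKE_SA ikev2[1] established between 64.62.209.183[CN=strongswan]...121.63.63.197[CN=e71]
05[IKE] assigning virtual IP 192.168.11.1 to peer 'CN=e71'
05[IKE] CHILD_SA ikev2{1} established with SPIs c25dd424_i 1c1e2ef3_o and TS 0.0.0.0/0 === 192.168.11.1/32
03[IKE] sending DPD request
03[ENC] generating INFORMATIONAL request 0 [ ]
02[ENC] parsed INFORMATIONAL response 0 [ ]
01[ENC] parsed INFORMATIONAL request 2 [ ]
01[ENC] generating INFORMATIONAL response 2 [ ]
"""

CHILD_SA_RE = re.compile(
    r"CHILD_SA (?P<conn>\S+)\{(?P<id>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS "
    r"(?P<local_ts>\S+) === (?P<remote_ts>\S+)"
)
VIP_RE = re.compile(r"assigning virtual IP (?P<ip>\S+) to peer")
INFO_RE = re.compile(
    r"(?P<dir>generating|parsed) INFORMATIONAL (?P<kind>request|response) "
    r"(?P<mid>\d+) \[ (?P<payloads>.*?)\]"
)


def parse_charon_log(text):
    """Collect CHILD_SAs, assigned virtual IPs and INFORMATIONAL exchanges."""
    child_sas, virtual_ips, informationals = [], [], []
    for line in text.splitlines():
        m = CHILD_SA_RE.search(line)
        if m:
            child_sas.append({
                "conn": m["conn"], "id": int(m["id"]),
                "spi_in": m["spi_in"], "spi_out": m["spi_out"],
                # charon prints "TS <local> === <remote>" from its own point of view
                "local_ts": ipaddress.ip_network(m["local_ts"]),
                "remote_ts": ipaddress.ip_network(m["remote_ts"]),
            })
            continue
        m = VIP_RE.search(line)
        if m:
            virtual_ips.append(ipaddress.ip_address(m["ip"]))
            continue
        m = INFO_RE.search(line)
        if m:
            informationals.append({
                "sent": m["dir"] == "generating",
                "kind": m["kind"], "mid": int(m["mid"]),
                "payloads": m["payloads"].split(),  # [] for "[ ]"
            })
    return {"child_sas": child_sas, "virtual_ips": virtual_ips,
            "informationals": informationals}


def selects_packet(sa, src, dst):
    """True if an outbound src->dst packet lies inside the SA's local === remote selectors."""
    return (ipaddress.ip_address(src) in sa["local_ts"]
            and ipaddress.ip_address(dst) in sa["remote_ts"])


def liveness_exchanges(parsed):
    """Message IDs of INFORMATIONAL requests carrying no payload (IKEv2 liveness / DPD)."""
    return [i["mid"] for i in parsed["informationals"]
            if i["kind"] == "request" and not i["payloads"]]


def diagnose(text, src, dst):
    """Findings for a ping from src (the server) to dst (the client's virtual IP)."""
    parsed = parse_charon_log(text)
    findings = []
    if ipaddress.ip_address(dst) not in parsed["virtual_ips"]:
        findings.append(f"{dst} was never assigned as a virtual IP in this log")
    covering = [sa for sa in parsed["child_sas"] if selects_packet(sa, src, dst)]
    if covering:
        sa = covering[0]
        findings.append(f"{src} -> {dst} is selected by {sa['conn']}{{{sa['id']}}} "
                        f"(TS {sa['local_ts']} === {sa['remote_ts']}, SPI out {sa['spi_out']}); "
                        "the negotiated policy covers it, so look at kernel state and path, not IKE")
    else:
        findings.append(f"no CHILD_SA selects {src} -> {dst}: leftsubnet/rightsourceip do not cover it")
    dpd = liveness_exchanges(parsed)
    findings.append(f"{len(dpd)} payload-less INFORMATIONAL exchange(s) (message IDs {dpd}): "
                    "liveness checks, not errors")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, "64.62.209.183", "192.168.11.1"):
        print(finding)
```

A matching selector only shows that the IKE negotiation produced a policy that covers the ping; whether the kernel actually installed it, whether the host forwards and firewalls the packet, and whether the ESP-in-UDP traffic on port 4500 (the peer is behind NAT) survives the path in both directions has to be checked on the VPS itself, for example with `ip xfrm policy` and `ip xfrm state`.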