[strongSwan] invalid IKE header
Boleslav Sykora
boles at sykora.ca
Mon Jul 2 17:01:36 CEST 2012
Hello,
I am trying to run strongSwan on an Ubuntu 12.04 instance in Amazon VPC,
using a version compiled from strongswan-5.0.0.tar.gz, and to connect from a
Windows Server 2008 R2 client. I am using certificates for both sides.
206.248.156.92 is my WS 2008 client's public address as reported by What's My
IP. The vpngw has two interfaces: 10.20.1.232, which is NATed to an Elastic
IP, and a private interface 10.20.2.117 on the subnet I want the tunnel to
have access to. I implemented your VPC suggestions. I have been fighting with
this for over a week, and previously with an older strongSwan version. Please
help.
Here is my /usr/local/etc/ipsec.conf config:
config setup

ca cloudCA
        cacert=caCert.pem
        auto=add

conn %default
        # keyexchange=ikev2
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

conn nat-cert
        left=10.20.1.232
        leftsubnet=10.20.2.0/24
        leftcert=vpngwCert.pem
        leftfirewall=yes
        right=%any
        rightsubnet=10.1.20.0/24
        rightsourceip=10.20.2.192/26
        rightid="C=US, O=Cloud1215 CN=student.lt1215.com"
        auto=add
The /var/log/syslog file:
Jul 2 14:51:13 vpngw charon: 00[DMN] Starting IKE charon daemon (strongSwan
5.0.0, Linux 3.2.0-26-virtual, x86_64)
Jul 2 14:51:13 vpngw charon: 00[KNL] listening on interfaces:
Jul 2 14:51:13 vpngw charon: 00[KNL] eth0
Jul 2 14:51:13 vpngw charon: 00[KNL] 10.20.1.232
Jul 2 14:51:13 vpngw charon: 00[KNL] fe80::81f:b5ff:fe7e:9f68
Jul 2 14:51:13 vpngw charon: 00[KNL] eth1
Jul 2 14:51:13 vpngw charon: 00[KNL] 10.20.2.117
Jul 2 14:51:13 vpngw charon: 00[KNL] fe80::81f:b5ff:fe49:c917
Jul 2 14:51:13 vpngw charon: 00[CFG] loading ca certificates from
'/usr/local/etc/ipsec.d/cacerts'
Jul 2 14:51:13 vpngw charon: 00[CFG] loaded ca certificate "C=US,
O=Cloud1215, CN=cloudCA" from '/usr/local/etc/ipsec.d/cacerts/caCert.pem'
Jul 2 14:51:13 vpngw charon: 00[CFG] loaded ca certificate "C=US,
O=Cloud1215, CN=cloudCA" from '/usr/local/etc/ipsec.d/cacerts/caCert.der'
Jul 2 14:51:13 vpngw charon: 00[CFG] loading aa certificates from
'/usr/local/etc/ipsec.d/aacerts'
Jul 2 14:51:13 vpngw charon: 00[CFG] loading ocsp signer certificates from
'/usr/local/etc/ipsec.d/ocspcerts'
Jul 2 14:51:13 vpngw charon: 00[CFG] loading attribute certificates from
'/usr/local/etc/ipsec.d/acerts'
Jul 2 14:51:13 vpngw charon: 00[CFG] loading crls from
'/usr/local/etc/ipsec.d/crls'
Jul 2 14:51:13 vpngw charon: 00[CFG] loading secrets from
'/usr/local/etc/ipsec.secrets'
Jul 2 14:51:13 vpngw charon: 00[CFG] loaded RSA private key from
'/usr/local/etc/ipsec.d/private/vpngwKey.pem'
Jul 2 14:51:13 vpngw charon: 00[DMN] loaded plugins: charon aes des sha1
sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp
dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve
socket-default stroke updown xauth-generic
Jul 2 14:51:13 vpngw charon: 00[JOB] spawning 16 worker threads
Jul 2 14:51:13 vpngw charon: 12[CFG] received stroke: add ca 'cloudCA'
Jul 2 14:51:13 vpngw charon: 12[CFG] added ca 'cloudCA'
Jul 2 14:51:13 vpngw charon: 14[CFG] received stroke: add connection
'nat-cert'
Jul 2 14:51:13 vpngw charon: 14[CFG] loaded certificate "C=US,
O=Cloud1215, CN=vpngw.lt1215.com" from 'vpngwCert.pem'
Jul 2 14:51:13 vpngw charon: 14[CFG] id '10.20.1.232' not confirmed by
certificate, defaulting to 'C=US, O=Cloud1215, CN=vpngw.lt1215.com'
Jul 2 14:51:13 vpngw charon: 14[CFG] added configuration 'nat-cert'
Jul 2 14:51:13 vpngw charon: 14[CFG] adding virtual IP address pool
'nat-cert': 10.20.2.192/26
Jul 2 14:51:23 vpngw charon: 05[ENC] header verification failed
Jul 2 14:51:23 vpngw charon: 05[NET] received invalid IKE header from
206.248.156.92 - ignored
Jul 2 14:51:24 vpngw charon: 05[ENC] header verification failed
Jul 2 14:51:24 vpngw charon: 05[NET] received invalid IKE header from
206.248.156.92 - ignored
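The "received invalid IKE header" message means charon could not make sense of the fixed 28-byte header of a datagram that arrived on the IKE port. As an added illustration that is not part of this thread and not strongSwan's own code, the following checker applies the RFC 7296 IKEv2 header rules to a few constructed datagrams; the checks are the RFC's, not necessarily the ones charon performs.

```python
import struct

# IKEv2 header (RFC 7296 section 3.1): 28 bytes in network byte order:
# initiator SPI (8), responder SPI (8), next payload (1), version (1; major
# nibble, minor nibble), exchange type (1), flags (1), message ID (4), length (4)
IKE_HEADER_LEN = 28
IKE_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_RESPONSE = 0x20   # R bit: this message is a response
FLAG_INITIATOR = 0x08  # I bit: sent by the original initiator

def build_ike_header(ispi, rspi, exch, flags, version=0x20, next_payload=33,
                     msg_id=0, payload=b""):
    """Assemble a header plus payload bytes (sample builder, not protocol code)."""
    length = IKE_HEADER_LEN + len(payload)
    return struct.pack("!QQBBBBII", ispi, rspi, next_payload, version,
                       exch, flags, msg_id, length) + payload

def check_ike_header(datagram):
    """Return the reasons a UDP payload fails basic IKEv2 header sanity
    checks; an empty list means the header is plausible. The checks are
    taken from RFC 7296 and are illustrative, not charon's own routine."""
    problems = []
    if len(datagram) < IKE_HEADER_LEN:
        # e.g. a one-byte NAT-T keepalive (RFC 3948) or a truncated packet
        return ["datagram shorter than the 28-byte IKE header"]
    ispi, rspi, _next, version, exch, flags, _msg_id, length = struct.unpack(
        "!QQBBBBII", datagram[:IKE_HEADER_LEN])
    major = version >> 4
    if major != 2:
        problems.append(f"major version {major} is not IKEv2")
    if exch not in IKE_EXCHANGES:
        problems.append(f"unknown IKEv2 exchange type {exch}")
    if ispi == 0:
        problems.append("initiator SPI is zero")
    if exch == 34 and not (flags & FLAG_RESPONSE) and rspi != 0:
        problems.append("IKE_SA_INIT request carries a non-zero responder SPI")
    if length != len(datagram):
        problems.append(f"length field {length} != datagram size {len(datagram)}")
    return problems

# Constructed samples: a well-formed IKE_SA_INIT request, an IKEv1-style
# header (version 1.0, exchange type 2 = Identity Protection), and a keepalive.
GOOD = build_ike_header(0x1122334455667788, 0, 34, FLAG_INITIATOR, payload=b"\0" * 12)
IKEV1_LIKE = build_ike_header(0x1122334455667788, 0, 2, 0, version=0x10)
KEEPALIVE = b"\xff"

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("ikev1-like", IKEV1_LIKE), ("keepalive", KEEPALIVE)):
        print(name, check_ike_header(pkt) or "header looks valid")
```

Running it against a capture of the offending datagrams (for example the UDP payloads tcpdump shows on port 500 from the client) tells you whether what arrived was an IKEv2 header at all, before looking at certificates or configuration.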