[strongSwan] invalid IKE header

Boleslav Sykora boles at sykora.ca
Mon Jul 2 17:01:36 CEST 2012


Hello,

I am trying to run strongSwan on an Ubuntu 12.04 instance in Amazon VPC, using a version compiled from strongswan-5.0.0.tar.gz, and connect from a Windows Server 2008 R2 client. I am using certificates for both sides. 206.248.156.92 is my WS 2008 client's public address as reported by What's My IP. The vpngw has two interfaces, one 10.20.1.232 which is NATed to an Elastic IP, and a private interface 10.20.2.117 on the subnet where I want the tunnel to have access. I implemented your VPC suggestions. I have been fighting with this for over a week, and previously with an older strongSwan version. Please help.

 

Here is my /usr/local/etc/ipsec.conf config:

config setup

ca cloudCA
       cacert=caCert.pem
       auto=add

conn %default
       # keyexchange=ikev2
       ikelifetime=60m
       keylife=20m
       rekeymargin=3m
       keyingtries=1

conn nat-cert
       left=10.20.1.232
       leftsubnet=10.20.2.0/24
       leftcert=vpngwCert.pem
       leftfirewall=yes
       right=%any
       rightsubnet=10.1.20.0/24
       rightsourceip=10.20.2.192/26
       # DN separator comma between O= and CN= added so the ID parses like the CA DN in the log
       rightid="C=US, O=Cloud1215, CN=student.lt1215.com"
       auto=add

The /var/log/syslog file:

Jul  2 14:51:13 vpngw charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 3.2.0-26-virtual, x86_64)
Jul  2 14:51:13 vpngw charon: 00[KNL] listening on interfaces:
Jul  2 14:51:13 vpngw charon: 00[KNL]   eth0
Jul  2 14:51:13 vpngw charon: 00[KNL]     10.20.1.232
Jul  2 14:51:13 vpngw charon: 00[KNL]     fe80::81f:b5ff:fe7e:9f68
Jul  2 14:51:13 vpngw charon: 00[KNL]   eth1
Jul  2 14:51:13 vpngw charon: 00[KNL]     10.20.2.117
Jul  2 14:51:13 vpngw charon: 00[KNL]     fe80::81f:b5ff:fe49:c917
Jul  2 14:51:13 vpngw charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Jul  2 14:51:13 vpngw charon: 00[CFG]   loaded ca certificate "C=US, O=Cloud1215, CN=cloudCA" from '/usr/local/etc/ipsec.d/cacerts/caCert.pem'
Jul  2 14:51:13 vpngw charon: 00[CFG]   loaded ca certificate "C=US, O=Cloud1215, CN=cloudCA" from '/usr/local/etc/ipsec.d/cacerts/caCert.der'
Jul  2 14:51:13 vpngw charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Jul  2 14:51:13 vpngw charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Jul  2 14:51:13 vpngw charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Jul  2 14:51:13 vpngw charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Jul  2 14:51:13 vpngw charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Jul  2 14:51:13 vpngw charon: 00[CFG]   loaded RSA private key from '/usr/local/etc/ipsec.d/private/vpngwKey.pem'
Jul  2 14:51:13 vpngw charon: 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Jul  2 14:51:13 vpngw charon: 00[JOB] spawning 16 worker threads
Jul  2 14:51:13 vpngw charon: 12[CFG] received stroke: add ca 'cloudCA'
Jul  2 14:51:13 vpngw charon: 12[CFG] added ca 'cloudCA'
Jul  2 14:51:13 vpngw charon: 14[CFG] received stroke: add connection 'nat-cert'
Jul  2 14:51:13 vpngw charon: 14[CFG]   loaded certificate "C=US, O=Cloud1215, CN=vpngw.lt1215.com" from 'vpngwCert.pem'
Jul  2 14:51:13 vpngw charon: 14[CFG]   id '10.20.1.232' not confirmed by certificate, defaulting to 'C=US, O=Cloud1215, CN=vpngw.lt1215.com'
Jul  2 14:51:13 vpngw charon: 14[CFG] added configuration 'nat-cert'
Jul  2 14:51:13 vpngw charon: 14[CFG] adding virtual IP address pool 'nat-cert': 10.20.2.192/26
Jul  2 14:51:23 vpngw charon: 05[ENC] header verification failed
Jul  2 14:51:23 vpngw charon: 05[NET] received invalid IKE header from 206.248.156.92 - ignored
Jul  2 14:51:24 vpngw charon: 05[ENC] header verification failed
Jul  2 14:51:24 vpngw charon: 05[NET] received invalid IKE header from 206.248.156.92 - ignored
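The log above stops at the very first stage of IKE processing: charon rejected the datagrams from 206.248.156.92 on the fixed header alone, before any payload, certificate or ID was examined. The following is an added example, not code from the original post or from the strongSwan project. It decodes the 28-byte IKE/ISAKMP header and applies the kind of sanity checks a responder can perform at that stage: major version, exchange type legal for that version, Length field equal to the datagram size, and the SPI/message-ID rules for the first exchange. The field layout and rules follow RFC 2408 (IKEv1) and RFC 7296 (IKEv2); which of these checks charon itself applies is an assumption of this example, and the sample datagrams are constructed, not captured traffic.

```python
"""Parse and sanity-check the fixed 28-byte IKE/ISAKMP header.

Field layout (RFC 2408 section 3.1 for IKEv1, RFC 7296 section 3.1 for IKEv2):
  Initiator SPI (8) | Responder SPI (8) | Next Payload (1) | MjVer/MnVer (1)
  | Exchange Type (1) | Flags (1) | Message ID (4) | Length (4)
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

IKE_HEADER_LEN = 28
_HEADER_FMT = "!QQBBBBII"  # network byte order, 28 bytes in total

# Exchange types that are legal for each major version.
IKEV1_EXCHANGES = {2: "IDENTITY_PROTECTION", 4: "AGGRESSIVE", 5: "INFORMATIONAL", 32: "QUICK_MODE"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_RESPONSE = 0x20  # IKEv2 "R" bit; 0x08 is the "I" (initiator) bit


@dataclass(frozen=True)
class IkeHeader:
    spi_i: int
    spi_r: int
    next_payload: int
    major: int
    minor: int
    exchange: int
    flags: int
    message_id: int
    length: int


def parse_ike_header(datagram: bytes) -> IkeHeader:
    """Decode the fixed header; raises ValueError when the datagram is shorter than it."""
    if len(datagram) < IKE_HEADER_LEN:
        raise ValueError(f"datagram too short for an IKE header ({len(datagram)} bytes)")
    spi_i, spi_r, nxt, version, exch, flags, msg_id, length = struct.unpack(
        _HEADER_FMT, datagram[:IKE_HEADER_LEN])
    return IkeHeader(spi_i, spi_r, nxt, version >> 4, version & 0x0F, exch, flags, msg_id, length)


def verify_ike_header(datagram: bytes) -> tuple[bool, str]:
    """Header-level checks a responder can apply before it touches any payload.

    Returns (ok, reason). The set of checks is this example's own reading of the
    RFCs (an assumption), not a copy of what charon does internally.
    """
    try:
        h = parse_ike_header(datagram)
    except ValueError as err:
        return False, str(err)
    if h.major not in (1, 2):
        return False, f"unsupported IKE major version {h.major}"
    # Length covers header plus all payloads and must equal the UDP payload size.
    if h.length != len(datagram):
        return False, f"length field {h.length} does not match datagram size {len(datagram)}"
    table = IKEV1_EXCHANGES if h.major == 1 else IKEV2_EXCHANGES
    if h.exchange not in table:
        return False, f"exchange type {h.exchange} is invalid for IKEv{h.major}"
    if h.major == 2:
        if h.spi_i == 0:
            return False, "IKEv2 initiator SPI must not be zero"
        is_request = not (h.flags & FLAG_RESPONSE)
        if h.exchange == 34 and is_request and (h.spi_r != 0 or h.message_id != 0):
            return False, "IKE_SA_INIT request must carry responder SPI 0 and message ID 0"
    elif h.exchange in (2, 4) and h.message_id != 0:
        return False, "IKEv1 phase 1 exchange must carry message ID 0"
    return True, f"IKEv{h.major} {table[h.exchange]}"


def build_datagram(major: int, exchange: int, spi_i: int, spi_r: int = 0, flags: int = 0,
                   message_id: int = 0, next_payload: int = 0, payload: bytes = b"",
                   length: int | None = None) -> bytes:
    """Assemble header plus payload; `length` can be forced to a wrong value for test cases."""
    total = IKE_HEADER_LEN + len(payload) if length is None else length
    header = struct.pack(_HEADER_FMT, spi_i, spi_r, next_payload, major << 4, exchange,
                         flags, message_id, total)
    return header + payload


# Constructed sample datagrams (not captured traffic). Next payload 33 = IKEv2 SA, 1 = ISAKMP SA.
GOOD_SA_INIT = build_datagram(2, 34, spi_i=0x1122334455667788, flags=0x08,
                              next_payload=33, payload=b"\x00" * 40)
GOOD_MAIN_MODE = build_datagram(1, 2, spi_i=0x0102030405060708, next_payload=1,
                                payload=b"\x00" * 12)
BAD_LENGTH = build_datagram(2, 34, spi_i=0x1122334455667788, flags=0x08,
                            next_payload=33, payload=b"\x00" * 40, length=500)
WRONG_EXCHANGE = build_datagram(2, 2, spi_i=0x1122334455667788, flags=0x08)
NOT_IKE = b"\x00" * 28   # stray datagram on UDP/500 that is merely long enough

if __name__ == "__main__":
    for name, data in [("GOOD_SA_INIT", GOOD_SA_INIT), ("GOOD_MAIN_MODE", GOOD_MAIN_MODE),
                       ("BAD_LENGTH", BAD_LENGTH), ("WRONG_EXCHANGE", WRONG_EXCHANGE),
                       ("NOT_IKE", NOT_IKE), ("TRUNCATED", NOT_IKE[:10])]:
        ok, reason = verify_ike_header(data)
        print(f"{name:15s} {'accepted' if ok else 'rejected'}: {reason}")
```

A "header verification failed" line tells you only that one of these header-level checks (or something of the same kind) fired; the log says nothing about the payloads, and the connection and certificate settings in ipsec.conf are never consulted for such a datagram. The practical next step on a gateway like vpngw is therefore a packet capture of UDP/500 and UDP/4500 on the NATed interface, fed through a decoder such as the one above, to see what actually arrives from the client and which field is off.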
