[strongSwan] StrongSwan Config for IMS

Sdhar dhar svdharr at gmail.com
Thu Jun 21 23:08:38 CEST 2012


OK, I changed the config (now that I am a bit familiar with it) and I see a one-way
security association up (which I didn't expect, as I was providing a wrong
password). But when I try to send packets, it doesn't encrypt, and neither
do I see packets being sent out in tshark.

I'd appreciate anyone's input on this.

*ipsec.conf*
conn home
        left=2001:506:1000:0:2010:0:60:5
        right=2001:1890:1001:2b00::7:5
        auth=esp
        authby=secret
        eap=aka
        esp=3des
        type=transport
        xauth=client
        auto=route
        ike=md5
        rightprotoport=udp/5000

conn offhome
        left=2001:506:1000:0:2010:0:60:4
        right=2001:1890:1001:2b00::7:5
        auth=esp
        authby=secret
        eap=aka
        esp=3des
        type=transport
        xauth=client
        auto=route
        ike=md5
        rightprotoport=udp/5000

*ipsec.secrets*
# selectors, then " : ", then the secret type and a quoted secret
2001:506:1000:0:2010:0:60:5 2001:1890:1001:2b00::7:5 : PSK "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
2001:506:1000:0:2010:0:60:4 2001:1890:1001:2b00::7:5 : PSK "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

*[test]# ipsec status*
Routed Connections:
        home{1}:  ROUTED, TRANSPORT
        home{1}:   2001:506:1000:0:2010:0:60:5/128 === 2001:1890:1001:2b00::7:5/128[udp/commplex-main]
     offhome{2}:  ROUTED, TRANSPORT
     offhome{2}:   2001:506:1000:0:2010:0:60:4/128 === 2001:1890:1001:2b00::7:5/128[udp/commplex-main]
Security Associations (*1 up*, 0 connecting):
     offhome[3]: CONNECTING, 2001:506:1000:0:2010:0:60:4[%any]...2001:1890:1001:2b00::7:5[%any]

Thanks,
Dhar.

On Wed, Jun 20, 2012 at 11:00 AM, Sdhar dhar <svdharr at gmail.com> wrote:

> Hello Everyone,
>
> I am a newbie to IPsec and strongSwan.
> I have been trying to configure strongSwan to set up security associations
> for making an IMS VoLTE call on a Red Hat Linux box.
> I have added the config below and started ipsec, but when packets go from
> client to server I don't see any encryption done by strongSwan, and I don't see
> anything going on in charon.log either.
>
> Could any of the experts tell me if I am doing anything wrong with regard to the
> configuration?
> I appreciate your help, and if possible, please share your config file if anyone has tried a
> similar config.
>
> ===================ipsec.conf=============
> config setup
>        crlcheckinterval=600s
>        cachecrls=yes
>        strictcrlpolicy=yes
>        plutostart=no
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         authby=secret
>
> conn home
>         left=2001:506:1000:0:2010:0:60:5
>         right=2001:1890:1001:2b00::7:5
>         auto=add
>
> conn offhome
>         left=2001:506:1000:0:2010:0:60:4
>         right=2001:1890:1001:2b00::7:5
>         auto=add
> ===============================
>
> charon.log
>
> 00[KNL]     2001:506:1000:0:2010:0:60:6
> 00[KNL]     2001:506:1000:0:2010:0:60:5
> 00[KNL]     2001:506:1000:0:2010:0:60:4
> 00[KNL]     2001:506:1000:0:2010:0:60:3
> 00[KNL]     fe80::5ef3:fcff:fe4c:3ba
> 00[KNL]   eth3
> 00[KNL]     fe80::e61f:13ff:fe34:b5c6
> 00[LIB] plugin 'resolve': loaded successfully
> 00[LIB] plugin 'socket-raw': loaded successfully
> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from
> '/usr/local/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 00[CFG] line 11: missing ' : ' separator
> 00[LIB] plugin 'stroke': loaded successfully
> 00[LIB] plugin 'updown': loaded successfully
> 00[LIB] feature PRF:PRF_CAMELLIA128_XCBC in 'xcbc' plugin has unsatisfied
> dependency: CRYPTER:CAMELLIA_CBC-16
> 00[LIB] feature SIGNER:CAMELLIA_XCBC_96 in 'xcbc' plugin has unsatisfied
> dependency: CRYPTER:CAMELLIA_CBC-16
> 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation
> constraints pubkey pkcs1 pkcs8 pgp pem fips-prf gmp xcbc hmac attr
> kernel-netlink resolve socket-raw stroke updown
> 00[JOB] spawning 16 worker threads
> 01[LIB] created thread 01 [30396]
> 04[LIB] created thread 04 [30399]
> 04[JOB] started worker thread 04
> 01[JOB] started worker thread 01
> 05[LIB] created thread 05 [30400]
> 05[JOB] started worker thread 05
> 05[JOB] started worker thread 05
> 07[LIB] created thread 07 [30402]
> 09[LIB] created thread 09 [30404]
> 10[LIB] created thread 10 [30405]
> 13[LIB] created thread 13 [30408]
> 13[JOB] started worker thread 13
> 14[LIB] created thread 14 [30409]
> 14[JOB] started worker thread 14
> 16[LIB] created thread 16 [30411]
> 16[JOB] started worker thread 16
> 12[LIB] created thread 12 [30407]
> 12[JOB] started worker thread 12
> 06[LIB] created thread 06 [30401]
> 06[JOB] started worker thread 06
> 10[JOB] started worker thread 10
> 03[LIB] created thread 03 [30398]
> 03[JOB] started worker thread 03
> 07[JOB] started worker thread 07
> 08[LIB] created thread 08 [30403]
> 08[JOB] started worker thread 08
> 11[LIB] created thread 11 [30406]
> 11[JOB] started worker thread 11
> 09[JOB] started worker thread 09
> 02[LIB] created thread 02 [30397]
> 02[JOB] started worker thread 02
> 12[NET] waiting for data on raw sockets
> 15[LIB] created thread 15 [30410]
> 15[JOB] started worker thread 15
> 14[JOB] no events, waiting
> 06[CFG] stroke message => 568 bytes @ 0x7faef8253ac0
> 06[CFG]    0: 38 02 CC 24 0E 00 00 00 FF FF FF FF 00 00 00 00  8..$............
> 06[CFG]   16: 01 00 00 00 00 00 00 00 D6 EA E1 4F 00 00 00 00  ...........O....
> 06[CFG]   32: DF 48 CC 24 FF 7F 00 00 0A 00 00 00 00 00 00 00  .H.$............
> 06[CFG]   48: 10 4D CC 24 FF 7F 00 00 02 00 00 00 00 00 00 00  .M.$............
> 06[CFG]   64: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 06[CFG]   80: 50 4F CC 24 FF 7F 00 00 D0 25 8E BD 39 00 00 00  PO.$.....%..9...
> 06[CFG]   96: 18 00 00 00 30 00 00 00 E0 44 CC 24 FF 7F 00 00  ....0....D.$....
> 06[CFG]  112: 20 44 CC 24 FF 7F 00 00 AC 33 80 BD 39 00 00 00   D.$.....3..9...
> 06[CFG]  128: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 06[CFG]  144: E0 44 CC 24 FF 7F 00 00 03 00 00 00 00 00 00 00  .D.$............
> 06[CFG]  160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 06[CFG]  176: 00 00 00 00 A8 76 00 00 40 94 B8 BD 39 00 00 00  .....v..@...9...
> 06[CFG]  192: 00 00 00 00 00 00 00 00 FF 00 00 00 08 00 01 00  ................
> 06[CFG]  208: 88 11 22 BD 39 00 00 00 00 00 00 00 00 00 00 00  ..".9...........
> 06[CFG]  224: 90 DB 56 06 4F 7F 00 00 D8 E4 78 06 4F 7F 00 00  ..V.O.....x.O...
> 06[CFG]  240: 63 0F 40 00 00 00 00 00 40 07 81 BD 39 00 00 00  c.@.....@...9...
> 06[CFG]  256: 78 08 40 00 00 00 00 00 00 00 00 00 01 00 00 00  x.@.............
> 06[CFG]  272: 0A 00 00 00 00 00 00 00 10 4D CC 24 FF 7F 00 00  .........M.$....
> 06[CFG]  288: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 06[CFG]  304: 00 00 00 00 00 00 00 00 B1 C6 40 00 00 00 00 00  ..........@.....
> 06[CFG]  320: 63 68 61 72 6F 6E 20 28 33 30 33 39 35 29 20 73  charon (30395) s
> 06[CFG]  336: 74 61 72 74 65 64 20 61 66 74 65 72 20 34 30 20  tarted after 40 
> 06[CFG]  352: 6D 73 00 00 00 00 00 00 90 DB 56 06 4F 7F 00 00  ms........V.O...
> 06[CFG]  368: 01 00 00 00 00 00 00 00 60 17 E5 01 00 00 00 00  ........`.......
> 06[CFG]  384: 00 10 00 00 00 00 00 00 56 58 86 BD 39 00 00 00  ........VX..9...
> 06[CFG]  400: 00 FD 00 00 00 00 00 00 5C 03 1A 00 00 00 00 00  ........\.......
> 06[CFG]  416: 01 00 00 00 00 00 00 00 A4 81 00 00 00 00 00 00  ................
> 06[CFG]  432: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 06[CFG]  448: 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00  ................
> 06[CFG]  464: 00 00 00 00 00 00 00 00 D6 EA E1 4F 00 00 00 00  ...........O....
> 06[CFG]  480: 35 72 B6 03 00 00 00 00 D6 EA E1 4F 00 00 00 00  5r.........O....
> 06[CFG]  496: 35 72 B6 03 00 00 00 00 D6 EA E1 4F 00 00 00 00  5r.........O....
> 06[CFG]  512: 35 72 B6 03 00 00 00 00 00 00 00 00 00 00 00 00  5r..............
> 06[CFG]  528: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 06[CFG]  544: 02 20 00 00 FF 02 FE 02 60 17 E5 01 00 00 00 00  . ......`.......
> 06[CFG]  560: FF FF FF FF 00 00 00 00                          ........
> 06[CFG] crl caching to /usr/local/etc/ipsec.d/crls enabled
> 07[CFG] stroke message => 711 bytes @ 0x7faef7852a30
> 07[CFG]    0: C7 02 00 00 03 00 00 00 FF FF FF FF 00 00 00 00  ................
> 07[CFG]   16: 38 02 00 00 00 00 00 00 01 00 00 00 02 00 00 00  8...............
> 07[CFG]   32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]   48: 00 00 00 00 00 00 00 00 02 00 00 00 01 00 00 00  ................
> 07[CFG]   64: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]   80: 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]  112: 3D 02 00 00 00 00 00 00 65 02 00 00 00 00 00 00  =.......e.......
> 07[CFG]  128: 01 00 00 00 00 00 00 00 B0 04 00 00 00 00 00 00  ................
> 07[CFG]  144: 10 0E 00 00 00 00 00 00 B4 00 00 00 00 00 00 00  ................
> 07[CFG]  160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]  176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]  192: 01 00 00 00 00 00 00 00 64 00 00 00 00 00 00 00  ........d.......
> 07[CFG]  208: 1E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]  224: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]  240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]  256: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]  272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]  288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]  304: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]  320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]  336: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]  352: 7B 02 00 00 00 00 00 00 92 02 00 00 00 00 00 00  {...............
> 07[CFG]  368: F4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]  384: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]  400: 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ................
> 07[CFG]  416: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]  432: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]  448: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]  464: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]  480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]  496: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]  512: AE 02 00 00 00 00 00 00 F4 01 00 00 00 00 00 00  ................
> 07[CFG]  528: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 07[CFG]  544: 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ................
> 07[CFG]  560: 01 00 00 00 00 00 00 00 68 6F 6D 65 00 61 65 73  ........home.aes
> 07[CFG]  576: 31 32 38 2D 73 68 61 31 2D 6D 6F 64 70 32 30 34  128-sha1-modp204
> 07[CFG]  592: 38 2C 33 64 65 73 2D 73 68 61 31 2D 6D 6F 64 70  8,3des-sha1-modp
> 07[CFG]  608: 31 35 33 36 00 61 65 73 31 32 38 2D 73 68 61 31  1536.aes128-sha1
> 07[CFG]  624: 2C 33 64 65 73 2D 73 68 61 31 00 69 70 73 65 63  ,3des-sha1.ipsec
> 07[CFG]  640: 20 5F 75 70 64 6F 77 6E 20 69 70 74 61 62 6C 65   _updown iptable
> 07[CFG]  656: 73 00 32 30 30 31 3A 35 30 36 3A 31 30 30 30 3A  s.2001:506:1000:
> 07[CFG]  672: 30 3A 32 30 31 30 3A 30 3A 36 30 3A 35 00 32 30  0:2010:0:60:5.20
> 07[CFG]  688: 30 31 3A 31 38 39 30 3A 31 30 30 31 3A 32 62 30  01:1890:1001:2b0
> 07[CFG]  704: 30 3A 3A 37 3A 35 00                             0::7:5.
> 07[CFG] received stroke: add connection 'home'
> 07[CFG] conn home
> 07[CFG]   left=2001:506:1000:0:2010:0:60:5
> 07[CFG]   leftsubnet=(null)
> 07[CFG]   leftsourceip=(null)
> 07[CFG]   leftauth=(null)
> 07[CFG]   leftauth2=(null)
> 07[CFG]   leftid=(null)
> 07[CFG]   leftid2=(null)
> 07[CFG]   leftcert=(null)
> 07[CFG]   leftcert2=(null)
> 07[CFG]   leftca=(null)
> 07[CFG]   leftca2=(null)
> 07[CFG]   leftgroups=(null)
> 07[CFG]   leftupdown=ipsec _updown iptables
> 07[CFG]   right=2001:1890:1001:2b00::7:5
> 07[CFG]   rightsubnet=(null)
> 07[CFG]   rightsourceip=(null)
> 07[CFG]   rightauth=(null)
> 07[CFG]   rightauth2=(null)
> 07[CFG]   rightid=(null)
> 07[CFG]   rightid2=(null)
> 07[CFG]   rightcert=(null)
> 07[CFG]   rightcert2=(null)
> 07[CFG]   rightca=(null)
> 07[CFG]   rightca2=(null)
> 07[CFG]   rightgroups=(null)
> 07[CFG]   rightupdown=(null)
> 07[CFG]   eap_identity=(null)
> 07[CFG]   aaa_identity=(null)
> 07[CFG]   ike=aes128-sha1-modp2048,3des-sha1-modp1536
> 07[CFG]   esp=aes128-sha1,3des-sha1
> 07[CFG]   dpddelay=30
> 07[CFG]   dpdaction=0
> 07[CFG]   closeaction=0
> 07[CFG]   mediation=no
> 07[CFG]   mediated_by=(null)
> 07[CFG]   me_peerid=(null)
> 07[KNL] getting interface name for 2001:1890:1001:2b00::7:5
> 07[KNL] 2001:1890:1001:2b00::7:5 is not a local address
> 07[KNL] getting interface name for 2001:506:1000:0:2010:0:60:5
> 07[KNL] 2001:506:1000:0:2010:0:60:5 is on interface eth1
> 07[CFG] added configuration 'home'
> 11[CFG] stroke message => 714 bytes @ 0x7faef504ea30
> 11[CFG]    0: CA 02 00 00 03 00 00 00 FF FF FF FF 00 00 00 00  ................
> 11[CFG]   16: 38 02 00 00 00 00 00 00 01 00 00 00 02 00 00 00  8...............
> 11[CFG]   32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 11[CFG]   48: 00 00 00 00 00 00 00 00 02 00 00 00 01 00 00 00  ................
> 11[CFG]   64: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 11[CFG]   80: 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
> 11[CFG]   96: 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00  ................
> 11[CFG]  112: 40 02 00 00 00 00 00 00 68 02 00 00 00 00 00 00  @.......h.......
> 11[CFG]  128: 01 00 00 00 00 00 00 00 B0 04 00 00 00 00 00 00  ................
> 11[CFG]  144: 10 0E 00 00 00 00 00 00 B4 00 00 00 00 00 00 00  ................
> 11[CFG]  160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 11[CFG]  176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 11[CFG]  192: 01 00 00 00 00 00 00 00 64 00 00 00 00 00 00 00  ........d.......
> 11[CFG]  208: 1E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 11[CFG]  224: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 11[CFG]  240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 11[CFG]  256: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 11[CFG]  272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 11[CFG]  288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ............
>
>
> -Svdhar.
>
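Editor's added example, not part of the thread and not strongSwan code: a small Python linter for the ipsec.conf/ipsec.secrets pair posted above. It reports what charon itself would reject or quietly not use: a secrets line without the ' : ' separator before the secret type (the first charon.log above reports exactly this as "line 11: missing ' : ' separator"), a proposal string that names only an integrity algorithm and no DH group (ike=md5) or no integrity algorithm at all (esp=3des), and keywords that have no effect on a PSK-authenticated IKEv2 connection (auth=, xauth=, eap=). It also flags auto=route, because that only installs a trap policy: nothing is negotiated until a packet matching the rightprotoport selector is sent, and the ipsec status output above is consistent with that (ROUTED lines are trap policies; offhome[3] CONNECTING is an IKE_SA that was triggered but never established). The sample input is constructed from the posted 'home' connection with a placeholder PSK; the second pair is the same connection with those problems removed, using the default proposals charon's own log printed (aes128-sha1-modp2048 / aes128-sha1).

```python
"""Lint a strongSwan ipsec.conf / ipsec.secrets pair for the pitfalls seen in this thread.
Added example for this page, not strongSwan code.  Sample input is constructed: the
addresses are the ones posted, the PSK values are placeholders."""
import re

POSTED_CONF = """\
conn home
        left=2001:506:1000:0:2010:0:60:5
        right=2001:1890:1001:2b00::7:5
        auth=esp
        authby=secret
        eap=aka
        esp=3des
        type=transport
        xauth=client
        auto=route
        ike=md5
        rightprotoport=udp/5000
"""
# As posted: no " : " before the secret type (charon logs this as "missing ' : ' separator")
POSTED_SECRETS = "2001:506:1000:0:2010:0:60:5 2001:1890:1001:2b00::7:5 PSK AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
# Same connection with the problems removed; proposals are the defaults charon's own log printed
FIXED_CONF = """\
conn home
        left=2001:506:1000:0:2010:0:60:5
        right=2001:1890:1001:2b00::7:5
        authby=secret
        ike=aes128-sha1-modp2048
        esp=aes128-sha1
        type=transport
        auto=route
        rightprotoport=udp/5000
"""
FIXED_SECRETS = '2001:506:1000:0:2010:0:60:5 2001:1890:1001:2b00::7:5 : PSK "placeholder-psk"\n'

ENC = {"null", "des", "3des", "aes128", "aes192", "aes256"}
AEAD = re.compile(r"^aes\d{3}(gcm|ccm)\d+$")          # AEAD modes carry their own integrity
INTEG = {"md5", "sha1", "sha256", "sha384", "sha512", "aesxcbc"}
DH = re.compile(r"^(modp\d+|ecp\d+)$")
SECRET = re.compile(r"^(?P<sel>.*?)\s*:\s+(?P<kind>PSK|RSA|ECDSA|EAP|XAUTH)\s+\S")
NO_EFFECT = {  # keywords that do nothing for a PSK-authenticated IKEv2 (charon) connection
    "auth": "esp is already the default",
    "xauth": "only used with authby=xauthpsk/xauthrsasig (IKEv1 XAuth)",
    "eap": "only used with authby=eap; use leftauth=/rightauth=eap-<type> instead",
}

def parse_conf(text):
    """Minimal ipsec.conf reader: 'conn NAME' headers followed by indented key=value lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                       # section header
            kind, _, name = line.partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def check_proposal(keyword, value):
    """Problems with an ike=/esp= list: comma-separated proposals of '-'-joined algorithms."""
    problems = []
    for prop in value.split(","):
        tokens = prop.split("-")
        enc = [t for t in tokens if t in ENC or AEAD.match(t)]
        integ = [t for t in tokens if t in INTEG]
        dh = [t for t in tokens if DH.match(t)]
        if not enc:
            problems.append(f"{keyword}={prop}: no encryption algorithm")
        elif not integ and not all(AEAD.match(t) for t in enc):
            problems.append(f"{keyword}={prop}: no integrity algorithm")
        if keyword == "ike" and not dh:
            problems.append(f"{keyword}={prop}: no DH group (required for IKE proposals)")
    return problems

def lint_secrets(text):
    """Findings for ipsec.secrets, where each line is '[selectors] : TYPE secret'."""
    findings = []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line and not SECRET.match(line):
            findings.append(f"error: ipsec.secrets line {num}: missing ' : ' separator before the secret type")
    return findings

def lint(conf_text, secrets_text):
    """All findings for the pair of files, prefixed error:/warn:/info:."""
    findings = lint_secrets(secrets_text)
    for (kind, name), opts in parse_conf(conf_text).items():
        if kind != "conn":
            continue
        for key, why in NO_EFFECT.items():
            if key in opts:
                findings.append(f"warn: {name}: {key}={opts[key]} has no effect here ({why})")
        for key in ("ike", "esp"):
            if key in opts:
                findings += [f"error: {name}: {p}" for p in check_proposal(key, opts[key])]
        if opts.get("auto") == "route":
            findings.append(f"info: {name}: auto=route installs a trap policy only; IKE starts when the "
                            f"first packet matching {opts.get('rightprotoport', 'any')} towards "
                            f"{opts.get('right')} is sent, and nothing matching leaves in the clear")
    return findings
```

Running lint(POSTED_CONF, POSTED_SECRETS) yields the secrets error, two errors for ike=md5, one for esp=3des, three warnings for the no-effect keywords and the auto=route note; lint(FIXED_CONF, FIXED_SECRETS) yields only the auto=route note. The proposal checker accepts what the poster apparently wanted once it is written out in full, e.g. ike=3des-md5-modp1024 and esp=3des-md5.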
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120621/6f59c12a/attachment.html>
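A second added example, also not from the thread or from strongSwan, on what IMS actually expects. In 3GPP TS 33.203 the SIP signalling between the UE and the P-CSCF is protected by ESP in transport mode, but the SAs are manually keyed: SPIs and protected ports are agreed in the SIP REGISTER exchange (RFC 3329 security agreement), and the ESP keys are derived from the CK/IK produced by IMS AKA, so no IKE runs at all. An IKE-style ipsec.conf like the one above therefore cannot produce an IMS SA regardless of the proposal strings. The Python below builds the iproute2 `ip xfrm state`/`ip xfrm policy` commands for the four SAs of one registration (one per direction and protected port pair) and can run them when executed as root. All addresses, ports, SPIs and CK/IK values are constructed placeholders; reqid is simply set to the SPI; the UDP-only selector is a simplification (IMS protects TCP the same way); and the CK/IK-to-ESP-key expansion follows TS 33.203 Annex I as I recall it and should be checked against the spec before use.

```python
"""Manually keyed ESP transport-mode SAs in the shape 3GPP IMS (TS 33.203) uses them, without IKE.

Added example, not from the thread or from strongSwan.  SPIs, protected ports and the CK/IK
values would come from the SIP REGISTER security agreement and IMS AKA; the values used
here are constructed placeholders.  Commands are built for iproute2 'ip xfrm' and are only
executed by apply(), which needs CAP_NET_ADMIN.
"""
import subprocess
from dataclasses import dataclass

# Linux kernel algorithm names and ESP key lengths (bytes) for the TS 33.203 algorithms
ALGS = {
    "hmac-md5-96": ("hmac(md5)", 16),
    "hmac-sha-1-96": ("hmac(sha1)", 20),
    "des-ede3-cbc": ("cbc(des3_ede)", 24),
    "aes-cbc": ("cbc(aes)", 16),
}

@dataclass
class ImsSecurityAssoc:
    ue: str
    pcscf: str
    port_uc: int        # UE protected client port
    port_us: int        # UE protected server port
    port_pc: int        # P-CSCF protected client port
    port_ps: int        # P-CSCF protected server port
    spi_uc: int         # SPIs are chosen by the receiving side for its inbound SAs
    spi_us: int
    spi_pc: int
    spi_ps: int
    ck: bytes           # 128-bit cipher key from IMS AKA (placeholder here)
    ik: bytes           # 128-bit integrity key from IMS AKA (placeholder here)
    integ: str = "hmac-sha-1-96"
    enc: str = "aes-cbc"
    proto: str = "udp"  # simplification: IMS protects TCP the same way

def esp_keys(sa):
    """Expand CK/IK into ESP keys.  Expansion as recalled from TS 33.203 Annex I (verify):
    HMAC-SHA-1-96 pads IK with 32 zero bits, DES-EDE3-CBC reuses the first CK half."""
    if len(sa.ck) != 16 or len(sa.ik) != 16:
        raise ValueError("CK and IK are 128 bits each")
    auth_alg, auth_len = ALGS[sa.integ]
    enc_alg, enc_len = ALGS[sa.enc]
    auth_key = sa.ik + b"\0" * 4 if sa.integ == "hmac-sha-1-96" else sa.ik
    enc_key = sa.ck + sa.ck[:8] if sa.enc == "des-ede3-cbc" else sa.ck
    assert len(auth_key) == auth_len and len(enc_key) == enc_len
    return auth_alg, auth_key, enc_alg, enc_key

def xfrm_commands(sa, local):
    """Return the 'ip xfrm' argv lists that install the four SAs on host `local` (UE or P-CSCF).

    Each SA is transport-mode ESP with a port-pair selector; the policy direction is 'out'
    when the local host is the source.  The same four SAs exist on both ends."""
    auth_alg, auth_key, enc_alg, enc_key = esp_keys(sa)
    #        src       sport       dst       dport       spi (picked by the dst side)
    sas = [(sa.ue,    sa.port_uc, sa.pcscf, sa.port_ps, sa.spi_ps),
           (sa.pcscf, sa.port_ps, sa.ue,    sa.port_uc, sa.spi_uc),
           (sa.ue,    sa.port_us, sa.pcscf, sa.port_pc, sa.spi_pc),
           (sa.pcscf, sa.port_pc, sa.ue,    sa.port_us, sa.spi_us)]
    cmds = []
    for src, sport, dst, dport, spi in sas:
        sel = ["src", src, "dst", dst, "proto", sa.proto, "sport", str(sport), "dport", str(dport)]
        cmds.append(["ip", "xfrm", "state", "add", "src", src, "dst", dst, "proto", "esp",
                     "spi", hex(spi), "reqid", str(spi), "mode", "transport",
                     "auth", auth_alg, "0x" + auth_key.hex(),
                     "enc", enc_alg, "0x" + enc_key.hex(), "sel", *sel])
        cmds.append(["ip", "xfrm", "policy", "add", *sel, "dir", "out" if src == local else "in",
                     "tmpl", "src", src, "dst", dst, "proto", "esp", "reqid", str(spi),
                     "mode", "transport"])
    return cmds

def apply(sa, local):
    """Install the SAs for real (root / CAP_NET_ADMIN required)."""
    for cmd in xfrm_commands(sa, local):
        subprocess.run(cmd, check=True)

# Constructed sample: addresses from the thread, everything else placeholder values
EXAMPLE = ImsSecurityAssoc(
    ue="2001:506:1000:0:2010:0:60:5", pcscf="2001:1890:1001:2b00::7:5",
    port_uc=5100, port_us=5101, port_pc=5200, port_ps=5201,
    spi_uc=0x1001, spi_us=0x1002, spi_pc=0x2001, spi_ps=0x2002,
    ck=bytes(range(16)), ik=bytes(range(16, 32)))

if __name__ == "__main__":
    for cmd in xfrm_commands(EXAMPLE, local=EXAMPLE.ue):
        print(" ".join(cmd))
```

Run as a script it prints the eight commands for the UE side; passing local=EXAMPLE.pcscf flips every policy direction and gives the P-CSCF side. The states are keyed directly, so `ip xfrm state` will show them as mature immediately, which is the behaviour the IMS stack relies on: the first protected SIP message is sent right after REGISTER, with no IKE round trip in between.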

