[strongSwan] StrongSwan Config for IMS
Andreas Steffen
andreas.steffen at strongswan.org
Fri Jun 22 08:50:38 CEST 2012
Hi,
your connection has not come up successfully:
> Security Associations (*1 up*, 0 connecting):
> offhome[3]: CONNECTING, 2001:506:1000:0:2010:0:60:4[%any]...2001:1890:1001:2b00::7:5[%any]
probably because the password notation in ipsec.secrets is not correct:
> *ipsec.secrets*
> 2001:506:1000:0:2010:0:60:5 2001:1890:1001:2b00::7:5 PSK AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> 2001:506:1000:0:2010:0:60:4 2001:1890:1001:2b00::7:5 PSK AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 00[CFG] line 11: missing ' : ' separator
The correct notation is
2001:506:1000:0:2010:0:60:5 2001:1890:1001:2b00::7:5 : PSK AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2001:506:1000:0:2010:0:60:4 2001:1890:1001:2b00::7:5 : PSK AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
If you are using
> authby=secret
then you shouldn't use
> eap=aka
> xauth=client
and your crypto suite doesn't make much sense:
> esp=3des
> ike=md5
Rather use the defaults (aes128-sha1) or define
esp=3des-md5
ike=3des-md5
If you are restricting the IPsec SA to a given port
> rightprotoport=udp/5000
then you should also define either
leftprotoport=udp/5000
or
leftprotoport=udp
Regards
Andreas
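As an added example (not strongSwan's own code and not from this mail), the following Python script checks an ipsec.secrets file and the conn sections of an ipsec.conf for the mistakes pointed out above: a secrets entry without the ' : ' separator, eap= or xauth= combined with authby=secret, an ike= or esp= proposal that names only a cipher or only an integrity algorithm, and rightprotoport= without a matching leftprotoport=. The sample inputs are constructed copies of the configuration quoted in this thread; the algorithm and secret-type sets are a simplified subset of what strongSwan accepts, and AEAD proposals are not modelled.

```python
"""Lint strongSwan ipsec.secrets / ipsec.conf for the mistakes discussed in
this thread.  Added example, not strongSwan code.  Samples are constructed."""
import re

# Constructed sample: the ipsec.secrets from the thread (no ' : ' separator).
BROKEN_SECRETS = """\
2001:506:1000:0:2010:0:60:5 2001:1890:1001:2b00::7:5 PSK AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2001:506:1000:0:2010:0:60:4 2001:1890:1001:2b00::7:5 PSK AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""
# Constructed sample: the same file in the corrected notation.
FIXED_SECRETS = """\
2001:506:1000:0:2010:0:60:5 2001:1890:1001:2b00::7:5 : PSK AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2001:506:1000:0:2010:0:60:4 2001:1890:1001:2b00::7:5 : PSK AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""
# Constructed sample: one conn from the thread's second ipsec.conf.
BROKEN_CONF = """\
conn offhome
    left=2001:506:1000:0:2010:0:60:4
    right=2001:1890:1001:2b00::7:5
    authby=secret
    eap=aka
    esp=3des
    type=transport
    xauth=client
    auto=route
    ike=md5
    rightprotoport=udp/5000
"""
# Constructed sample: the same conn with the corrections applied.
FIXED_CONF = """\
conn offhome
    left=2001:506:1000:0:2010:0:60:4
    right=2001:1890:1001:2b00::7:5
    authby=secret
    esp=3des-md5
    ike=3des-md5
    type=transport
    auto=route
    leftprotoport=udp/5000
    rightprotoport=udp/5000
"""

# Simplified subsets (assumption: enough for this thread, not the full list).
SECRET_TYPES = {"PSK", "RSA", "ECDSA", "EAP", "XAUTH", "PIN"}
CIPHERS = {"aes128", "aes192", "aes256", "3des", "camellia128"}
INTEGRITY = {"md5", "sha1", "sha256", "sha384", "sha512"}


def lint_secrets(text):
    """Return [(line_no, problem)] for an ipsec.secrets file.
    Each entry must read:  [<selector> ...] : <TYPE> <secret>"""
    problems = []
    for no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        # The separator is a ':' token on its own; IPv6 selectors contain
        # colons but never form a bare ':' token, so this test is exact.
        if ":" not in tokens:
            problems.append((no, "missing ' : ' separator"))
            continue
        rest = tokens[tokens.index(":") + 1:]
        if not rest or rest[0] not in SECRET_TYPES:
            problems.append((no, "unknown or missing secret type"))
        elif len(rest) < 2:
            problems.append((no, "missing secret after type"))
    return problems


def parse_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' folded in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^(conn|config)\s+(\S+)\s*$", line)
        if m:
            current = sections.setdefault((m.group(1), m.group(2)), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    defaults = sections.get(("conn", "%default"), {})
    return {name: {**defaults, **params}
            for (kind, name), params in sections.items()
            if kind == "conn" and name != "%default"}


def lint_conf(text):
    """Return [(conn_name, problem)] for the checks raised in the thread."""
    problems = []
    for name, p in parse_conf(text).items():
        if p.get("authby") == "secret":
            for key in ("eap", "xauth"):
                if key in p:
                    problems.append((name, f"{key}= conflicts with authby=secret"))
        for key in ("ike", "esp"):
            for proposal in p.get(key, "").rstrip("!").split(","):
                if not proposal:
                    continue
                algs = set(proposal.split("-"))
                if not (algs & CIPHERS) or not (algs & INTEGRITY):
                    problems.append((name, f"{key}={proposal}: proposal needs "
                                           "both a cipher and an integrity algorithm"))
        if "rightprotoport" in p and "leftprotoport" not in p:
            problems.append((name, "rightprotoport= set without leftprotoport="))
    return problems


if __name__ == "__main__":
    for label, text in (("broken secrets", BROKEN_SECRETS), ("fixed secrets", FIXED_SECRETS)):
        print(label, lint_secrets(text))
    for label, text in (("broken conf", BROKEN_CONF), ("fixed conf", FIXED_CONF)):
        print(label, lint_conf(text))
```

Run against the broken samples the script reports the same missing-separator lines that charon logs, plus the four ipsec.conf issues; the corrected samples produce no findings.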
On 06/21/2012 11:08 PM, Sdhar dhar wrote:
> Ok, I changed the config (now that I am a bit familiar) and I see a one-way
> security association up (which I didn't expect, as I was providing a wrong
> password). But when I try to send packets, it doesn't encrypt and
> neither do I see packets being sent out through tshark.
>
> Appreciate anyone's input on this.
>
> *ipsec.conf*
> conn home
> left=2001:506:1000:0:2010:0:60:5
> right=2001:1890:1001:2b00::7:5
> auth=esp
> authby=secret
> eap=aka
> esp=3des
> type=transport
> xauth=client
> auto=route
> ike=md5
> rightprotoport=udp/5000
>
> conn offhome
> left=2001:506:1000:0:2010:0:60:4
> right=2001:1890:1001:2b00::7:5
> auth=esp
> authby=secret
> eap=aka
> esp=3des
> type=transport
> xauth=client
> auto=route
> ike=md5
> rightprotoport=udp/5000
>
> *ipsec.secrets*
> 2001:506:1000:0:2010:0:60:5 2001:1890:1001:2b00::7:5 PSK AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> 2001:506:1000:0:2010:0:60:4 2001:1890:1001:2b00::7:5 PSK AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
> *[test]# ipsec status*
> Routed Connections:
> home{1}: ROUTED, TRANSPORT
> home{1}: 2001:506:1000:0:2010:0:60:5/128 === 2001:1890:1001:2b00::7:5/128[udp/commplex-main]
> offhome{2}: ROUTED, TRANSPORT
> offhome{2}: 2001:506:1000:0:2010:0:60:4/128 === 2001:1890:1001:2b00::7:5/128[udp/commplex-main]
> Security Associations (*1 up*, 0 connecting):
> offhome[3]: CONNECTING, 2001:506:1000:0:2010:0:60:4[%any]...2001:1890:1001:2b00::7:5[%any]
>
> Thanks,
> Dhar.
>
> On Wed, Jun 20, 2012 at 11:00 AM, Sdhar dhar <svdharr at gmail.com> wrote:
>
> Hello Everyone,
>
> I am a newbie to IPsec and strongSwan.
> I have been trying to configure strongSwan to set up security
> associations for making an IMS VoLTE call on a Red Hat Linux box.
> I have added the config below and started ipsec, but when packets go
> from client to server I don't see any encryption done by strongSwan
> and don't see anything going on in charon.log either.
>
> Could any of the experts tell me if I am doing anything wrong wrt
> configuration?
> I appreciate your help, and if possible please share your config file if anyone
> has tried a similar config.
>
> ===================ipsec.conf=============
> config setup
> crlcheckinterval=600s
> cachecrls=yes
> strictcrlpolicy=yes
> plutostart=no
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> authby=secret
>
> conn home
> left=2001:506:1000:0:2010:0:60:5
> right=2001:1890:1001:2b00::7:5
> auto=add
>
> conn offhome
> left=2001:506:1000:0:2010:0:60:4
> right=2001:1890:1001:2b00::7:5
> auto=add
> ===============================
>
> charon.log
>
> 00[KNL] 2001:506:1000:0:2010:0:60:6
> 00[KNL] 2001:506:1000:0:2010:0:60:5
> 00[KNL] 2001:506:1000:0:2010:0:60:4
> 00[KNL] 2001:506:1000:0:2010:0:60:3
> 00[KNL] fe80::5ef3:fcff:fe4c:3ba
> 00[KNL] eth3
> 00[KNL] fe80::e61f:13ff:fe34:b5c6
> 00[LIB] plugin 'resolve': loaded successfully
> 00[LIB] plugin 'socket-raw': loaded successfully
> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 00[CFG] line 11: missing ' : ' separator
> 00[LIB] plugin 'stroke': loaded successfully
> 00[LIB] plugin 'updown': loaded successfully
> 00[LIB] feature PRF:PRF_CAMELLIA128_XCBC in 'xcbc' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16
> 00[LIB] feature SIGNER:CAMELLIA_XCBC_96 in 'xcbc' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16
> 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
> 00[JOB] spawning 16 worker threads
> 01[LIB] created thread 01 [30396]
> 04[LIB] created thread 04 [30399]
> 04[JOB] started worker thread 04
> 01[JOB] started worker thread 01
> 05[LIB] created thread 05 [30400]
> 05[JOB] started worker thread 05
> 05[JOB] started worker thread 05
> 07[LIB] created thread 07 [30402]
> 09[LIB] created thread 09 [30404]
> 10[LIB] created thread 10 [30405]
> 13[LIB] created thread 13 [30408]
> 13[JOB] started worker thread 13
> 14[LIB] created thread 14 [30409]
> 14[JOB] started worker thread 14
> 16[LIB] created thread 16 [30411]
> 16[JOB] started worker thread 16
> 12[LIB] created thread 12 [30407]
> 12[JOB] started worker thread 12
> 06[LIB] created thread 06 [30401]
> 06[JOB] started worker thread 06
> 10[JOB] started worker thread 10
> 03[LIB] created thread 03 [30398]
> 03[JOB] started worker thread 03
> 07[JOB] started worker thread 07
> 08[LIB] created thread 08 [30403]
> 08[JOB] started worker thread 08
> 11[LIB] created thread 11 [30406]
> 11[JOB] started worker thread 11
> 09[JOB] started worker thread 09
> 02[LIB] created thread 02 [30397]
> 02[JOB] started worker thread 02
> 12[NET] waiting for data on raw sockets
> 15[LIB] created thread 15 [30410]
> 15[JOB] started worker thread 15
> 14[JOB] no events, waiting
> 06[CFG] stroke message => 568 bytes @ 0x7faef8253ac0
> 06[CFG] 0: 38 02 CC 24 0E 00 00 00 FF FF FF FF 00 00 00 00
> 8..$............
> 06[CFG] 16: 01 00 00 00 00 00 00 00 D6 EA E1 4F 00 00 00 00
> ...........O....
> 06[CFG] 32: DF 48 CC 24 FF 7F 00 00 0A 00 00 00 00 00 00 00
> .H.$............
> 06[CFG] 48: 10 4D CC 24 FF 7F 00 00 02 00 00 00 00 00 00 00
> .M.$............
> 06[CFG] 64: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 06[CFG] 80: 50 4F CC 24 FF 7F 00 00 D0 25 8E BD 39 00 00 00
> PO.$.....%..9...
> 06[CFG] 96: 18 00 00 00 30 00 00 00 E0 44 CC 24 FF 7F 00 00
> ....0....D.$....
> 06[CFG] 112: 20 44 CC 24 FF 7F 00 00 AC 33 80 BD 39 00 00 00
> D.$.....3..9...
> 06[CFG] 128: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 06[CFG] 144: E0 44 CC 24 FF 7F 00 00 03 00 00 00 00 00 00 00
> .D.$............
> 06[CFG] 160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 06[CFG] 176: 00 00 00 00 A8 76 00 00 40 94 B8 BD 39 00 00 00
> .....v.. at ...9...
> 06[CFG] 192: 00 00 00 00 00 00 00 00 FF 00 00 00 08 00 01 00
> ................
> 06[CFG] 208: 88 11 22 BD 39 00 00 00 00 00 00 00 00 00 00 00
> ..".9...........
> 06[CFG] 224: 90 DB 56 06 4F 7F 00 00 D8 E4 78 06 4F 7F 00 00
> ..V.O.....x.O...
> 06[CFG] 240: 63 0F 40 00 00 00 00 00 40 07 81 BD 39 00 00 00
> c. at .....@...9...
> 06[CFG] 256: 78 08 40 00 00 00 00 00 00 00 00 00 01 00 00 00
> x. at .............
> 06[CFG] 272: 0A 00 00 00 00 00 00 00 10 4D CC 24 FF 7F 00 00
> .........M.$....
> 06[CFG] 288: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 06[CFG] 304: 00 00 00 00 00 00 00 00 B1 C6 40 00 00 00 00 00
> .......... at .....
> 06[CFG] 320: 63 68 61 72 6F 6E 20 28 33 30 33 39 35 29 20 73
> charon (30395) s
> 06[CFG] 336: 74 61 72 74 65 64 20 61 66 74 65 72 20 34 30 20
> tarted after 40
> 06[CFG] 352: 6D 73 00 00 00 00 00 00 90 DB 56 06 4F 7F 00 00
> ms........V.O...
> 06[CFG] 368: 01 00 00 00 00 00 00 00 60 17 E5 01 00 00 00 00
> ........`.......
> 06[CFG] 384: 00 10 00 00 00 00 00 00 56 58 86 BD 39 00 00 00
> ........VX..9...
> 06[CFG] 400: 00 FD 00 00 00 00 00 00 5C 03 1A 00 00 00 00 00
> ........\.......
> 06[CFG] 416: 01 00 00 00 00 00 00 00 A4 81 00 00 00 00 00 00
> ................
> 06[CFG] 432: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 06[CFG] 448: 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00
> ................
> 06[CFG] 464: 00 00 00 00 00 00 00 00 D6 EA E1 4F 00 00 00 00
> ...........O....
> 06[CFG] 480: 35 72 B6 03 00 00 00 00 D6 EA E1 4F 00 00 00 00
> 5r.........O....
> 06[CFG] 496: 35 72 B6 03 00 00 00 00 D6 EA E1 4F 00 00 00 00
> 5r.........O....
> 06[CFG] 512: 35 72 B6 03 00 00 00 00 00 00 00 00 00 00 00 00
> 5r..............
> 06[CFG] 528: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 06[CFG] 544: 02 20 00 00 FF 02 FE 02 60 17 E5 01 00 00 00 00 .
> ......`.......
> 06[CFG] 560: FF FF FF FF 00 00 00 00 ........
> 06[CFG] crl caching to /usr/local/etc/ipsec.d/crls enabled
> 07[CFG] stroke message => 711 bytes @ 0x7faef7852a30
> 07[CFG] 0: C7 02 00 00 03 00 00 00 FF FF FF FF 00 00 00 00
> ................
> 07[CFG] 16: 38 02 00 00 00 00 00 00 01 00 00 00 02 00 00 00
> 8...............
> 07[CFG] 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 48: 00 00 00 00 00 00 00 00 02 00 00 00 01 00 00 00
> ................
> 07[CFG] 64: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 80: 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 112: 3D 02 00 00 00 00 00 00 65 02 00 00 00 00 00 00
> =.......e.......
> 07[CFG] 128: 01 00 00 00 00 00 00 00 B0 04 00 00 00 00 00 00
> ................
> 07[CFG] 144: 10 0E 00 00 00 00 00 00 B4 00 00 00 00 00 00 00
> ................
> 07[CFG] 160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 192: 01 00 00 00 00 00 00 00 64 00 00 00 00 00 00 00
> ........d.......
> 07[CFG] 208: 1E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 224: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 256: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 304: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 336: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 352: 7B 02 00 00 00 00 00 00 92 02 00 00 00 00 00 00
> {...............
> 07[CFG] 368: F4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 384: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 400: 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
> ................
> 07[CFG] 416: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 432: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 448: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 464: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 496: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 512: AE 02 00 00 00 00 00 00 F4 01 00 00 00 00 00 00
> ................
> 07[CFG] 528: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 07[CFG] 544: 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
> ................
> 07[CFG] 560: 01 00 00 00 00 00 00 00 68 6F 6D 65 00 61 65 73
> ........home.aes
> 07[CFG] 576: 31 32 38 2D 73 68 61 31 2D 6D 6F 64 70 32 30 34
> 128-sha1-modp204
> 07[CFG] 592: 38 2C 33 64 65 73 2D 73 68 61 31 2D 6D 6F 64 70
> 8,3des-sha1-modp
> 07[CFG] 608: 31 35 33 36 00 61 65 73 31 32 38 2D 73 68 61 31
> 1536.aes128-sha1
> 07[CFG] 624: 2C 33 64 65 73 2D 73 68 61 31 00 69 70 73 65 63
> ,3des-sha1.ipsec
> 07[CFG] 640: 20 5F 75 70 64 6F 77 6E 20 69 70 74 61 62 6C 65
> _updown iptable
> 07[CFG] 656: 73 00 32 30 30 31 3A 35 30 36 3A 31 30 30 30 3A
> s.2001:506:1000:
> 07[CFG] 672: 30 3A 32 30 31 30 3A 30 3A 36 30 3A 35 00 32 30
> 0:2010:0:60:5.20
> 07[CFG] 688: 30 31 3A 31 38 39 30 3A 31 30 30 31 3A 32 62 30
> 01:1890:1001:2b0
> 07[CFG] 704: 30 3A 3A 37 3A 35 00 0::7:5.
> 07[CFG] received stroke: add connection 'home'
> 07[CFG] conn home
> 07[CFG] left=2001:506:1000:0:2010:0:60:5
> 07[CFG] leftsubnet=(null)
> 07[CFG] leftsourceip=(null)
> 07[CFG] leftauth=(null)
> 07[CFG] leftauth2=(null)
> 07[CFG] leftid=(null)
> 07[CFG] leftid2=(null)
> 07[CFG] leftcert=(null)
> 07[CFG] leftcert2=(null)
> 07[CFG] leftca=(null)
> 07[CFG] leftca2=(null)
> 07[CFG] leftgroups=(null)
> 07[CFG] leftupdown=ipsec _updown iptables
> 07[CFG] right=2001:1890:1001:2b00::7:5
> 07[CFG] rightsubnet=(null)
> 07[CFG] rightsourceip=(null)
> 07[CFG] rightauth=(null)
> 07[CFG] rightauth2=(null)
> 07[CFG] rightid=(null)
> 07[CFG] rightid2=(null)
> 07[CFG] rightcert=(null)
> 07[CFG] rightcert2=(null)
> 07[CFG] rightca=(null)
> 07[CFG] rightca2=(null)
> 07[CFG] rightgroups=(null)
> 07[CFG] rightupdown=(null)
> 07[CFG] eap_identity=(null)
> 07[CFG] aaa_identity=(null)
> 07[CFG] ike=aes128-sha1-modp2048,3des-sha1-modp1536
> 07[CFG] esp=aes128-sha1,3des-sha1
> 07[CFG] dpddelay=30
> 07[CFG] dpdaction=0
> 07[CFG] closeaction=0
> 07[CFG] mediation=no
> 07[CFG] mediated_by=(null)
> 07[CFG] me_peerid=(null)
> 07[KNL] getting interface name for 2001:1890:1001:2b00::7:5
> 07[KNL] 2001:1890:1001:2b00::7:5 is not a local address
> 07[KNL] getting interface name for 2001:506:1000:0:2010:0:60:5
> 07[KNL] 2001:506:1000:0:2010:0:60:5 is on interface eth1
> 07[CFG] added configuration 'home'
> 11[CFG] stroke message => 714 bytes @ 0x7faef504ea30
> 11[CFG] 0: CA 02 00 00 03 00 00 00 FF FF FF FF 00 00 00 00
> ................
> 11[CFG] 16: 38 02 00 00 00 00 00 00 01 00 00 00 02 00 00 00
> 8...............
> 11[CFG] 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 11[CFG] 48: 00 00 00 00 00 00 00 00 02 00 00 00 01 00 00 00
> ................
> 11[CFG] 64: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 11[CFG] 80: 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
> ................
> 11[CFG] 96: 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00
> ................
> 11[CFG] 112: 40 02 00 00 00 00 00 00 68 02 00 00 00 00 00 00
> @.......h.......
> 11[CFG] 128: 01 00 00 00 00 00 00 00 B0 04 00 00 00 00 00 00
> ................
> 11[CFG] 144: 10 0E 00 00 00 00 00 00 B4 00 00 00 00 00 00 00
> ................
> 11[CFG] 160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 11[CFG] 176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 11[CFG] 192: 01 00 00 00 00 00 00 00 64 00 00 00 00 00 00 00
> ........d.......
> 11[CFG] 208: 1E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 11[CFG] 224: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 11[CFG] 240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 11[CFG] 256: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 11[CFG] 272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ................
> 11[CFG] 288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ............
>
> -Svdhar.
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==