[strongSwan] StrongSwan Setup Questions
Chris Arnold
carnold at electrichendrix.com
Sat Mar 31 05:17:09 CEST 2012
OK, I cannot get the tunnel to build. Here are my config files:
ipsec.conf:
config setup
    # plutodebug=all
    crlcheckinterval=600
    strictcrlpolicy=yes
    # cachecrls=yes
    # nat_traversal=yes
    # charonstart=no
    plutostart=no

# Add connections here.

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn host-host
    left=192.168.123.3
    leftcert=/etc/ipsec.d/cacerts/self_teknerds.pem
    leftid=@servername.electricdomain.com
    leftfirewall=yes
    right=192.168.1.18
    rightid=@servername.edensdomain.com
    auto=add
-ipsec.secrets:
: RSA /etc/ipsec.d/cacerts/self_teknerds.pem
And the strongswan.conf is below.
-Results of ipsec up host-host:
no socket implementation registered, receiving failed
initiating IKE_SA host-host[1] to 192.168.1.18
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.123.3[500] to 192.168.1.18[500]
retransmit 1 of request with message ID 0
sending packet: from 192.168.123.3[500] to 192.168.1.18[500]
retransmit 2 of request with message ID 0
sending packet: from 192.168.123.3[500] to 192.168.1.18[500]
retransmit 3 of request with message ID 0
sending packet: from 192.168.123.3[500] to 192.168.1.18[500]
retransmit 4 of request with message ID 0
sending packet: from 192.168.123.3[500] to 192.168.1.18[500]
retransmit 5 of request with message ID 0
sending packet: from 192.168.123.3[500] to 192.168.1.18[500]
giving up after 5 retransmits
establishing IKE_SA failed, peer not responding
-Results of ipsec statusall:
Status of IKEv2 charon daemon (strongSwan 4.4.0):
uptime: 20 minutes, since Mar 30 22:32:04 2012
worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl gcrypt fips-prf xcbc hmac gmp attr kernel-netlink socket-raw stroke updown resolve
Listening IP addresses:
192.168.123.3
Connections:
host-host: 192.168.123.3...192.168.1.18
host-host: local: [C=US, ST=North, L=City, O=Tek-Nerds, CN=Chris, E=emailaaddress at here] uses public key authentication
host-host: cert: "C=US, ST=North, L=City, O=Tek-Nerds, CN=Chris, E=emailaaddress at here"
host-host: remote: [servername.edensdomain.com] uses any authentication
host-host: crl: status must be GOOD
host-host: child: dynamic === dynamic
Security Associations:
none
----- Original Message -----
From: "Chris Arnold" <carnold at electrichendrix.com>
To: users at lists.strongswan.org
Sent: Friday, March 30, 2012 9:58:42 PM
Subject: Re: [strongSwan] StrongSwan Setup Questions
>> -Where is the authlog located?
>iirc, strongswan logs to syslog by default. Have a look at
><http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration>
>if you want to customize logging.
OK, I have configured strongSwan on both servers, created the certs on both servers and opened 500 and 4500 on both firewalls. I try to ping the remote network and get 0 replies. I am a little confused about where the log entries go in strongswan.conf. Here is said file:
# strongswan.conf - strongSwan configuration file

charon {
    # number of worker threads in charon
    threads = 16

    # plugins to load in charon
    # load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown

    plugins {
        sql {
            # loglevel to log into sql database
            loglevel = -1
            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        }
    }
    # ...
}

pluto {
    # plugins to load in pluto
    # load = aes des sha1 md5 sha2 hmac gmp random pubkey
}

libstrongswan {
    # set to no, the DH exponent size is optimized
    # dh_exponent_ansi_x9_42 = no
}

charon {
    # Two defined file loggers. Each subsection is either a file
    # in the filesystem or one of: stdout, stderr.
    filelog {
        /var/log/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # loggers to files also accept the append option to open files in
            # append mode at startup (default is yes)
            append = no
            # the default loglevel for all daemon subsystems (defaults to 1).
            default = 1
            # flush each line to disk
            flush_line = yes
        }
        stderr {
            # more detailed loglevel for a specific subsystem, overriding the
            # default loglevel.
            ike = 2
            knl = 3
            # prepend connection name, simplifies grepping
            ike_name = yes
        }
    }
    # And two loggers using syslog. The subsections define the facility to log
    # to, currently one of: daemon, auth.
    syslog {
        # default level to the LOG_DAEMON facility
        daemon {
        }
        # very minimalistic IKE auditing logs to LOG_AUTHPRIV
        auth {
            default = -1
            ike = 0
        }
    }
    # ...
}
Is this right for the log file? I also restarted ipsec and looked in /var/log to see if I see the charon file, and do not.
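A small checker, added here as an example (it is not part of this thread or of strongSwan), that parses an ipsec.conf the simplified way the format works (an unindented line opens a section, indented lines are its parameters, conn %default is merged into every conn) and flags the settings in the conn above that commonly keep a certificate-authenticated IKEv2 tunnel down: leftcert pointing into cacerts/, strictcrlpolicy=yes with no CRL to check, and no rightca or rightcert constraining the peer. The sample conf is the poster's, re-indented; the lint rules are assumptions about what is worth checking, not a strongSwan API.

```python
# Constructed sample: the ipsec.conf from the post, re-indented as the ipsec.conf
# grammar requires (an unindented line opens a section, indented lines belong to it).
SAMPLE_IPSEC_CONF = """\
config setup
    crlcheckinterval=600
    strictcrlpolicy=yes

conn %default
    keyexchange=ikev2

conn host-host
    left=192.168.123.3
    leftcert=/etc/ipsec.d/cacerts/self_teknerds.pem
    leftid=@servername.electricdomain.com
    right=192.168.1.18
    rightid=@servername.edensdomain.com
    auto=add
"""

def parse_ipsec_conf(text):
    """Return {"<kind> <name>": {key: value}} (assumption: no also= or include lines)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments and blank lines
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header, e.g. "conn host-host"
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
        elif current is None:
            raise ValueError(f"parameter outside any section: {line.strip()}")
        else:                                      # "key=value" inside the current section
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def lint_conn(conf, name):
    """Flag settings that commonly keep a certificate-authenticated IKEv2 conn down."""
    conn = {**conf.get("conn %default", {}), **conf[f"conn {name}"]}  # %default merged
    findings = []
    if "/cacerts/" in conn.get("leftcert", ""):
        findings.append("leftcert under cacerts/: files there load as trusted CAs; end-entity certs go in certs/")
    if conf.get("config setup", {}).get("strictcrlpolicy") == "yes":
        findings.append("strictcrlpolicy=yes: peer authentication fails unless a valid CRL is available")
    if "rightca" not in conn and "rightcert" not in conn:
        findings.append("no rightca/rightcert: any cert chaining to some trusted CA with rightid is accepted")
    return findings
```

Run the lint over the parsed sample and each finding maps to one of the three settings above; clearing them (leftcert under certs/, strictcrlpolicy=no, a rightca) yields no findings.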