[strongSwan] StrongSwan Problem

Kambiz Mizanian mizanian at yahoo.com
Tue Nov 13 18:30:52 CET 2012



I have installed strongSwan 4.5.2 on Mandriva Linux 2011 and we connected to a Juniper VPN server. When my /etc/ipsec.secrets is RSA <USERACCOUNT>Key.pem "<password>" everything is OK and the VPN connection is established, but when I changed RSA <USERACCOUNT>Key.pem "<password>" to RSA <USERACCOUNT>Key.pem %prompt in /etc/ipsec.secrets and started IPsec with the ipsec start command, my connection is not established and my log file is as below:


Nov  6 17:32:32 wthr-lm9-p0106 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
Nov  6 17:32:32 wthr-lm9-p0106 charon: 00[KNL] listening on interfaces:
Nov  6 17:32:32 wthr-lm9-p0106 charon: 00[KNL]   eth0
Nov  6 17:32:32 wthr-lm9-p0106 charon: 00[KNL]     192.168.1.183
Nov  6 17:32:32 wthr-lm9-p0106 charon: 00[KNL]     fe80::221:70ff:fea7:55ea
Nov  6 17:32:32 wthr-lm9-p0106 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov  6 17:32:32 wthr-lm9-p0106 charon: 00[CFG]   loaded ca certificate "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5" from '/etc/ipsec.d/cacerts/VeriRootCA.pem'
Nov  6 17:32:32 wthr-lm9-p0106 charon: 00[CFG]   loaded ca certificate "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3" from '/etc/ipsec.d/cacerts/VeriIssueCA.pem'
Nov  6 17:32:32 wthr-lm9-p0106 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov  6 17:32:32 wthr-lm9-p0106 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov  6 17:32:32 wthr-lm9-p0106 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov  6 17:32:32 wthr-lm9-p0106 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov  6 17:32:32 wthr-lm9-p0106 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov  6 17:32:32 wthr-lm9-p0106 charon: 00[DMN] loaded plugins: ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown 
Nov  6 17:32:32 wthr-lm9-p0106 charon: 00[JOB] spawning 16 worker threads
Nov  6 17:32:32 wthr-lm9-p0106 charon: 03[CFG] crl caching to /etc/ipsec.d/crls enabled
Nov  6 17:32:32 wthr-lm9-p0106 charon: 07[CFG] received stroke: add connection 'thrghazas'
Nov  6 17:32:32 wthr-lm9-p0106 charon: 07[CFG] left nor right host is our side, assuming left=local
Nov  6 17:32:32 wthr-lm9-p0106 charon: 07[CFG]   loaded certificate "DC=com, DC=XXX, DC=CORP, OU=MandrivaUser, OU=YYYY, CN=thrghazas" from 'thrghazasCert.pem'
Nov  6 17:32:32 wthr-lm9-p0106 charon: 07[CFG] added configuration 'thrghazas'
Nov  6 17:32:32 wthr-lm9-p0106 charon: 10[CFG] received stroke: initiate 'thrghazas'
Nov  6 17:32:32 wthr-lm9-p0106 charon: 10[IKE] initiating IKE_SA thrghazas[1] to A.B.C.D
Nov  6 17:32:32 wthr-lm9-p0106 charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov  6 17:32:32 wthr-lm9-p0106 charon: 10[NET] sending packet: from 192.168.1.183[500] to A.B.C.D[500]
Nov  6 17:32:32 wthr-lm9-p0106 charon: 13[NET] received packet: from A.B.C.D[500] to 192.168.1.183[500]
Nov  6 17:32:32 wthr-lm9-p0106 charon: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) ]
Nov  6 17:32:32 wthr-lm9-p0106 charon: 13[IKE] local host is behind NAT, sending keep alives
Nov  6 17:32:32 wthr-lm9-p0106 charon: 13[IKE] remote host is behind NAT
Nov  6 17:32:32 wthr-lm9-p0106 charon: 13[IKE] received 2 cert requests for an unknown ca
Nov  6 17:32:32 wthr-lm9-p0106 charon: 13[IKE] sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3"
Nov  6 17:32:32 wthr-lm9-p0106 charon: 13[IKE] sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5"
Nov  6 17:32:32 wthr-lm9-p0106 charon: 13[IKE] no private key found for 'DC=com, DC=XXX, DC=CORP, OU=MandrivaUser, OU=Iran, CN=thrghazas'


And after that I run ipsec secrets and I get the following output:
wthr-lm9-p0106 charon: 05[CFG] rereading secrets
wthr-lm9-p0106 charon: 05[CFG] loading secrets from '/etc/ipsec.secrets'
wthr-lm9-p0106 charon: 05[CFG]   loaded RSA private key from '/etc/ipsec.d/private/thrghazasKey.pem'
and the following lines are added to the log file:
Nov  6 17:32:37 wthr-lm9-p0106 charon: 11[CFG] rereading secrets
Nov  6 17:32:37 wthr-lm9-p0106 charon: 11[CFG] loading secrets from '/etc/ipsec.secrets'
Nov  6 17:32:52 wthr-lm9-p0106 charon: 11[CFG]   loaded RSA private key from '/etc/ipsec.d/private/thrghazasKey.pem'

and nothing else appears in the log file (no error, but no VPN connection).

At that time, my log file on the Juniper VPN server is as below:
Info NWC23465 2012-11-06 13:39:42 - ive - [188.245.200.84] Root::thrghazas(Com2-Trusted-Linux-IKEv2)[Com2-Trusted-XXX-Linux-IKEv2] - VPN Tunneling: Session ended for user with IP 10.84.255.160 
Info ERR24670 2012-11-06 13:39:42 - ive - [188.245.200.84] Root::thrghazas(Com2-Trusted-Linux-IKEv2)[Com2-Trusted-XXX-Linux-IKEv2] - VPN Tunneling: ACL count = 0. 
Info NWC23508 2012-11-06 13:38:34 - ive - [188.245.200.84] Root::thrghazas(Com2-Trusted-Linux-IKEv2)[Com2-Trusted-XXX-Linux-IKEv2] - Key Exchange number 1 occured for user with NCIP 10.84.255.160  
Info NWC30477 2012-11-06 13:38:34 - ive - [188.245.200.84] Root::thrghazas(Com2-Trusted-Linux-IKEv2)[Com2-Trusted-XXX-Linux-IKEv2] - VPN Tunneling: User with IP 10.84.255.160 connected with ESP transport mode.  
Info NWC23464 2012-11-06 13:38:34 - ive - [188.245.200.84] Root::thrghazas(Com2-Trusted-Linux-IKEv2)[Com2-Trusted-XXX-Linux-IKEv2] - VPN Tunneling: Session started for user with IP 10.84.255.160, hostname  
Info ERR24670 2012-11-06 13:38:34 - ive - [188.245.200.84] Root::thrghazas(Com2-Trusted-Linux-IKEv2)[Com2-Trusted-XXX-Linux-IKEv2] - VPN Tunneling: ACL count = 25. 
Info AUT24326 2012-11-06 13:38:34 - ive - [188.245.200.84] Root::thrghazas(Com2-Trusted-Linux-IKEv2)[] - Primary authentication successful for thrghazas/XXX-CERT-SN from 188.245.200.84 
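A small diagnostic script, added here and not part of the post or of strongSwan, that checks a charon log for the ordering visible above: the IKE_SA is initiated at daemon start, fails with "no private key found", and the RSA key only appears later (after the manual ipsec secrets run). With %prompt the passphrase can only be supplied when secrets are (re)loaded interactively, so an initiation that ran before that point has no key to use; the script makes that ordering visible in a log without reading it by eye. The sample log lines are constructed from the post's excerpt and anonymised; the function and verdict names are the script's own.

```sh
#!/bin/sh
# Diagnostic example added here; not code from the original post or from
# strongSwan. It scans a charon log for the ordering visible in the post:
# an IKE_SA is initiated, fails with "no private key found", and the key
# appears only later via "loaded RSA private key" (after `ipsec secrets`).

# Line number (1-based) of the first line containing the literal string $1
# in file $2, or 0 if absent. Substring match via awk, so no regex escaping.
first_match() {
    awk -v pat="$1" 'index($0, pat) { print NR; found = 1; exit }
                     END { if (!found) print 0 }' "$2"
}

# Classify the log in file $1. Prints exactly one of:
#   no-initiate                 no "initiating IKE_SA" line at all
#   key-missing                 initiate failed for lack of a key; never loaded
#   key-loaded-after-initiate   key loaded only after the failed initiate
#   key-loaded-before-initiate  key was available when the initiate ran
check_key_order() {
    init=$(first_match 'initiating IKE_SA' "$1")
    nokey=$(first_match 'no private key found' "$1")
    loaded=$(first_match 'loaded RSA private key' "$1")
    if [ "$init" -eq 0 ]; then
        echo no-initiate
    elif [ "$nokey" -ne 0 ] && [ "$loaded" -eq 0 ]; then
        echo key-missing
    elif [ "$nokey" -ne 0 ] && [ "$loaded" -gt "$nokey" ]; then
        echo key-loaded-after-initiate
    else
        echo key-loaded-before-initiate
    fi
}

# Constructed sample excerpt (modelled on the post's log, trimmed and
# anonymised; not real data). Writes it to a temp file and prints the path.
make_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Nov  6 17:32:32 host charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov  6 17:32:32 host charon: 10[IKE] initiating IKE_SA thrghazas[1] to A.B.C.D
Nov  6 17:32:32 host charon: 13[IKE] no private key found for 'CN=thrghazas'
Nov  6 17:32:37 host charon: 11[CFG] rereading secrets
Nov  6 17:32:52 host charon: 11[CFG]   loaded RSA private key from '/etc/ipsec.d/private/thrghazasKey.pem'
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: build the sample, classify it, clean up.
sample=$(make_sample_log)
printf 'verdict: %s\n' "$(check_key_order "$sample")"
rm -f "$sample"
```

Run it against a real log with check_key_order /var/log/messages (or wherever charon logs on the host). A key-loaded-after-initiate verdict means the key was not available at the moment the connection was initiated, which is why loading it afterwards produces no further log lines: the failed initiation is not retried on its own, and the connection has to be brought up again once the key is in place.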