[strongSwan] OpenSwan to StrongSwan migration (with CA): VPN not working

CJ Fearnley cjf at LinuxForce.net
Sun Oct 21 01:24:24 CEST 2012


OK.  With everyone's help, I now have a working configuration:  both
Netgears can authenticate with strongswan.  But when I enable both
Netgear stanzas (grandrapids & sanjose) at the same time, strongswan
deletes the other connection.  Hoo boy.  What am I missing?

ipsec.conf:
config setup
    charonstart=no
    plutostart=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.101.0/24
    nat_traversal=yes
 
conn %default
    mobike=no
    keyexchange=ikev1
    left=216.130.102.66
    leftid="C=US, ST=IL, L=Glenwood, O=PRIVATE VPN Services, CN=cw1.private.com, E=tony at private2.com"
    leftsendcert=always
    leftsubnet=192.168.101.0/24
    leftcert=cw1.private.com.crt
    right=%any
    auto=add
 
conn grandrapids
    rightsubnet=192.168.112.0/24
 
conn sanjose
    rightsubnet=192.168.161.0/24

Here are the strongswan logs, which show both Netgears getting connected,
but sanjose gets booted, followed by grandrapids:
Oct 20 14:29:52 cw1 ipsec_starter[10459]: Starting strongSwan 4.4.1 IPsec [starter]...
Oct 20 14:29:52 cw1 pluto[10473]: Starting IKEv1 pluto daemon (strongSwan 4.4.1) THREADS SMARTCARD VENDORID
Oct 20 14:29:52 cw1 pluto[10473]: plugin 'test-vectors' failed to load: /usr/lib/ipsec/plugins/libstrongswan-test-vectors.so: cannot open shared object file: No such file or directory
Oct 20 14:29:52 cw1 pluto[10473]: attr-sql plugin: database URI not set
Oct 20 14:29:52 cw1 pluto[10473]: plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
Oct 20 14:29:52 cw1 pluto[10473]: loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl hmac gmp xauth attr resolve
Oct 20 14:29:52 cw1 pluto[10473]:   including NAT-Traversal patch (Version 0.6c)
Oct 20 14:29:52 cw1 pluto[10473]: failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
Oct 20 14:29:52 cw1 pluto[10473]: Using Linux 2.6 IPsec interface code
Oct 20 14:29:52 cw1 ipsec_starter[10472]: pluto (10473) started after 20 ms
Oct 20 14:29:52 cw1 pluto[10473]: loading ca certificates from '/etc/ipsec.d/cacerts'
Oct 20 14:29:52 cw1 pluto[10473]:   loaded ca certificate from '/etc/ipsec.d/cacerts/ca.crt'
Oct 20 14:29:52 cw1 pluto[10473]: loading aa certificates from '/etc/ipsec.d/aacerts'
Oct 20 14:29:52 cw1 pluto[10473]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
Oct 20 14:29:52 cw1 pluto[10473]: Changing to directory '/etc/ipsec.d/crls'
Oct 20 14:29:52 cw1 pluto[10473]: loading attribute certificates from '/etc/ipsec.d/acerts'
Oct 20 14:29:52 cw1 pluto[10473]: listening for IKE messages
Oct 20 14:29:52 cw1 pluto[10473]: adding interface br0/br0 192.168.101.254:500
Oct 20 14:29:52 cw1 pluto[10473]: adding interface br0/br0 192.168.101.254:4500
Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth1/eth1 50.79.22.185:500
Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth1/eth1 50.79.22.185:4500
Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:70/eth0:70 216.130.102.70:500
Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:70/eth0:70 216.130.102.70:4500
Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:69/eth0:69 216.130.102.69:500
Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:69/eth0:69 216.130.102.69:4500
Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:68/eth0:68 216.130.102.68:500
Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:68/eth0:68 216.130.102.68:4500
Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:67/eth0:67 216.130.102.67:500
Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:67/eth0:67 216.130.102.67:4500
Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0/eth0 216.130.102.66:500
Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0/eth0 216.130.102.66:4500
Oct 20 14:29:52 cw1 pluto[10473]: adding interface lo/lo 127.0.0.1:500
Oct 20 14:29:52 cw1 pluto[10473]: adding interface lo/lo 127.0.0.1:4500
Oct 20 14:29:52 cw1 pluto[10473]: adding interface lo/lo ::1:500
Oct 20 14:29:52 cw1 pluto[10473]: loading secrets from "/etc/ipsec.secrets"
Oct 20 14:29:52 cw1 pluto[10473]:   loaded private key from '/etc/ipsec.d/private/cw1.private.com.key'
Oct 20 14:29:52 cw1 pluto[10473]:   loaded host certificate from '/etc/ipsec.d/certs/cw1.private.com.crt'
Oct 20 14:29:52 cw1 pluto[10473]: added connection description "grandrapids"
Oct 20 14:29:52 cw1 pluto[10473]:   loaded host certificate from '/etc/ipsec.d/certs/cw1.private.com.crt'
Oct 20 14:29:52 cw1 pluto[10473]: added connection description "sanjose"
Oct 20 14:30:01 cw1 pluto[10473]: packet from 66.127.20.234:500: ignoring Vendor ID payload [810fa565f8ab14369105d706fbd57279]
Oct 20 14:30:01 cw1 pluto[10473]: packet from 66.127.20.234:500: received Vendor ID payload [Dead Peer Detection]
Oct 20 14:30:01 cw1 pluto[10473]: "sanjose"[1] 66.127.20.234 #1: responding to Main Mode from unknown peer 66.127.20.234
Oct 20 14:30:01 cw1 pluto[10473]: "sanjose"[1] 66.127.20.234 #1: ignoring Vendor ID payload [KAME/racoon]
Oct 20 14:30:02 cw1 pluto[10473]: "sanjose"[1] 66.127.20.234 #1: Peer ID is ID_DER_ASN1_DN: 'CN=Crossbow'
Oct 20 14:30:02 cw1 pluto[10473]: "sanjose"[1] 66.127.20.234 #1: crl not found
Oct 20 14:30:02 cw1 pluto[10473]: "sanjose"[1] 66.127.20.234 #1: certificate status unknown
Oct 20 14:30:02 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #1: deleting connection "sanjose" instance with peer 66.127.20.234 {isakmp=#0/ipsec=#0}
Oct 20 14:30:02 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #1: we have a cert and are sending it
Oct 20 14:30:02 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #1: sent MR3, ISAKMP SA established
Oct 20 14:30:12 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Oct 20 14:30:13 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Oct 20 14:30:38 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #2: responding to Quick Mode
Oct 20 14:30:39 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #2: IPsec SA established {ESP=>0x089ed792 <0x2b85e728}
Oct 20 14:30:50 cw1 pluto[10473]: packet from 207.8.183.102:46769: not enough room in input packet for ISAKMP Message
Oct 20 14:30:50 cw1 pluto[10473]: packet from 207.8.183.102:46769: sending notification PAYLOAD_MALFORMED to 207.8.183.102:46769
Oct 20 14:36:45 cw1 pluto[10473]: packet from 50.192.114.17:500: ignoring Vendor ID payload [810fa565f8ab14369105d706fbd57279]
Oct 20 14:36:45 cw1 pluto[10473]: packet from 50.192.114.17:500: received Vendor ID payload [Dead Peer Detection]
Oct 20 14:36:45 cw1 pluto[10473]: "sanjose"[3] 50.192.114.17 #3: responding to Main Mode from unknown peer 50.192.114.17
Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[3] 50.192.114.17 #3: ignoring Vendor ID payload [KAME/racoon]
Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[3] 50.192.114.17 #3: Peer ID is ID_DER_ASN1_DN: 'CN=Crossbow'
Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[3] 50.192.114.17 #3: crl not found
Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[3] 50.192.114.17 #3: certificate status unknown
Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: deleting connection "sanjose" instance with peer 50.192.114.17 {isakmp=#0/ipsec=#0}
Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: we have a cert and are sending it
Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: deleting connection "sanjose" instance with peer 66.127.20.234 {isakmp=#1/ipsec=#2}
Oct 20 14:36:46 cw1 pluto[10473]: "sanjose" #2: deleting state (STATE_QUICK_R2)
Oct 20 14:36:46 cw1 pluto[10473]: "sanjose" #1: deleting state (STATE_MAIN_R3)
Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: sent MR3, ISAKMP SA established
Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Oct 20 14:36:48 cw1 pluto[10473]: "grandrapids"[1] 50.192.114.17 #4: responding to Quick Mode
Oct 20 14:36:48 cw1 pluto[10473]: "grandrapids"[1] 50.192.114.17 #4: IPsec SA established {ESP=>0x0789dbb6 <0xa5ea6345}
Oct 20 14:36:53 cw1 pluto[10473]: "grandrapids"[1] 50.192.114.17 #5: responding to Quick Mode
Oct 20 14:36:53 cw1 pluto[10473]: "grandrapids"[1] 50.192.114.17 #5: IPsec SA established {ESP=>0x0113ff57 <0x34a08913}
Oct 20 14:36:56 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: received Delete SA(0x0789dbb6) payload: deleting IPSEC State #4
Oct 20 14:36:56 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xa5ea6345) not found (maybe expired)
Oct 20 14:36:57 cw1 pluto[10473]: packet from 66.127.20.234:500: ignoring Vendor ID payload [810fa565f8ab14369105d706fbd57279]
Oct 20 14:36:57 cw1 pluto[10473]: packet from 66.127.20.234:500: received Vendor ID payload [Dead Peer Detection]
Oct 20 14:36:57 cw1 pluto[10473]: "sanjose"[5] 66.127.20.234 #6: responding to Main Mode from unknown peer 66.127.20.234
Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[5] 66.127.20.234 #6: ignoring Vendor ID payload [KAME/racoon]
Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[5] 66.127.20.234 #6: Peer ID is ID_DER_ASN1_DN: 'CN=Crossbow'
Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[5] 66.127.20.234 #6: crl not found
Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[5] 66.127.20.234 #6: certificate status unknown
Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #6: deleting connection "sanjose" instance with peer 66.127.20.234 {isakmp=#0/ipsec=#0}
Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #6: we have a cert and are sending it
Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #6: deleting connection "grandrapids" instance with peer 50.192.114.17 {isakmp=#0/ipsec=#5}
Oct 20 14:36:58 cw1 pluto[10473]: "grandrapids" #5: deleting state (STATE_QUICK_R2)
Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #6: deleting connection "sanjose" instance with peer 50.192.114.17 {isakmp=#3/ipsec=#0}
Oct 20 14:36:58 cw1 pluto[10473]: "sanjose" #3: deleting state (STATE_MAIN_R3)
Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #6: sent MR3, ISAKMP SA established
Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #6: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Oct 20 14:36:59 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #7: responding to Quick Mode
Oct 20 14:36:59 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #7: IPsec SA established {ESP=>0x0d044102 <0x9b5c761a}

On Wed, Oct 17, 2012 at 10:11:10AM -0400, CJ Fearnley wrote:
> After a T1 outage left OpenSwan useless (again), I decided it was time
> to try StrongSwan.  The system uses a local CA on the server.  Keys and
> certs are in /etc/ipsec.d where we created them for OpenSwan.  Nice that
> no change seems to be necessary there.  It is a Debian Squeeze system,
> so I'm using the 4.4.1-5.2 version of the strongswan package.

-- 
CJ Fearnley                 |   LinuxForce Inc.
cjf at LinuxForce.net          |   IT Projects & Systems Maintenance
http://www.LinuxForce.net   |   http://blog.remoteresponder.net
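As an added check (not code from the post or from strongSwan), this script parses pluto log lines of the shape shown above and flags every deletion of one peer's live SAs that was triggered by a different peer address presenting the same IKE identity; on the excerpted lines both Netgears identify as 'CN=Crossbow', which is the pattern pluto's uniqueids option (default yes) produces when two peers share an ID.

```python
import re

# Lines excerpted from the pluto log in the post (not constructed), reduced to
# the identity and deletion events the check looks at.
LOG = """\
Oct 20 14:30:01 cw1 pluto[10473]: "sanjose"[1] 66.127.20.234 #1: responding to Main Mode from unknown peer 66.127.20.234
Oct 20 14:30:02 cw1 pluto[10473]: "sanjose"[1] 66.127.20.234 #1: Peer ID is ID_DER_ASN1_DN: 'CN=Crossbow'
Oct 20 14:30:02 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #1: deleting connection "sanjose" instance with peer 66.127.20.234 {isakmp=#0/ipsec=#0}
Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[3] 50.192.114.17 #3: Peer ID is ID_DER_ASN1_DN: 'CN=Crossbow'
Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: deleting connection "sanjose" instance with peer 66.127.20.234 {isakmp=#1/ipsec=#2}
Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[5] 66.127.20.234 #6: Peer ID is ID_DER_ASN1_DN: 'CN=Crossbow'
Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #6: deleting connection "grandrapids" instance with peer 50.192.114.17 {isakmp=#0/ipsec=#5}
Oct 20 14:36:58 cw1 pluto[10473]: "sanjose" #3: deleting state (STATE_MAIN_R3)
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ pluto\[\d+\]: "(?P<conn>[^"]+)"'
                     r'(?:\[\d+\])?(?: (?P<peer>[\d.]+))? #\d+: (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"Peer ID is \w+: '(?P<id>[^']*)'")
DELETE_RE = re.compile(r'deleting connection "(?P<conn>[^"]+)" instance with peer '
                       r'(?P<victim>[\d.]+) \{isakmp=#(?P<ike>\d+)/ipsec=#(?P<esp>\d+)\}')

def find_identity_collisions(log_text):
    """Return (time, new_peer, displaced_peer, displaced_conn, shared_id) for each
    deletion of another address's live SAs; shared_id is None if the IDs differ."""
    peer_ids = {}  # peer address -> IKE identity it presented in Main Mode
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        peer, msg = m.group('peer'), m.group('msg')
        pid = PEER_ID_RE.search(msg)
        if pid and peer:
            peer_ids[peer] = pid.group('id')
            continue
        d = DELETE_RE.search(msg)
        # Replacing a peer's own instance with no live states is routine; only a
        # deletion that tears down another address's ISAKMP or IPsec SA counts.
        if not d or d.group('victim') == peer or d.group('ike') == d.group('esp') == '0':
            continue
        new_id, old_id = peer_ids.get(peer), peer_ids.get(d.group('victim'))
        shared = new_id if new_id is not None and new_id == old_id else None
        findings.append((m.group('ts'), peer, d.group('victim'), d.group('conn'), shared))
    return findings

if __name__ == '__main__':
    for ts, new, old, conn, shared in find_identity_collisions(LOG):
        print(f"{ts}: {new} displaced {old} ({conn}); shared identity: {shared}")
```

Run over the full log from the post, every displacement is reported with the identity both Netgears share, which points at the peer certificates rather than the two conn stanzas.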
