[strongSwan] OpenSwan to StrongSwan migration (with CA): VPN not working

Andreas Steffen andreas.steffen at strongswan.org
Sun Oct 21 09:05:51 CEST 2012


Hi,

both grandrapids and sanjose have the same identity 'CN=Crossbow'
which causes the other connection to be deleted since the
default setting is uniqueids=yes.

Workaround:

- set uniqueids=no in the config setup section of ipsec.conf.
  This will allow multiple concurrent connections with the
  same ID.

Proper fix:

- generate individual certificates for grandrapids and sanjose
  with distinct identities.

Best regards

Andreas

On 10/21/2012 01:24 AM, CJ Fearnley wrote:
> OK.  With everyone's help, I now have a working configuration:  both
> Netgears can authenticate with strongswan.  But when I enable both
> Netgear stanzas (grandrapids & sanjose) at the same time, strongswan
> deletes the other connection.  Hoo boy.  What am I missing?
> 
> ipsec.conf:
> config setup
>     charonstart=no
>     plutostart=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.101.0/24
>     nat_traversal=yes
>  
> conn %default
>     mobike=no
>     keyexchange=ikev1
>     left=216.130.102.66
>     leftid="C=US, ST=IL, L=Glenwood, O=PRIVATE VPN Services, CN=cw1.private.com, E=tony at private2.com"
>     leftsendcert=always
>     leftsubnet=192.168.101.0/24
>     leftcert=cw1.private.com.crt
>     right=%any
>     auto=add
>  
> conn grandrapids
>     rightsubnet=192.168.112.0/24
>  
> conn sanjose
>     rightsubnet=192.168.161.0/24
> 
> Here are the strongswan logs which show both Netgears getting connected,
> but sanjose gets booted followed by grandrapids:
> Oct 20 14:29:52 cw1 ipsec_starter[10459]: Starting strongSwan 4.4.1 IPsec [starter]...
> Oct 20 14:29:52 cw1 pluto[10473]: Starting IKEv1 pluto daemon (strongSwan 4.4.1) THREADS SMARTCARD VENDORID
> Oct 20 14:29:52 cw1 pluto[10473]: plugin 'test-vectors' failed to load: /usr/lib/ipsec/plugins/libstrongswan-test-vectors.so: cannot open shared object file: No such file or directory
> Oct 20 14:29:52 cw1 pluto[10473]: attr-sql plugin: database URI not set
> Oct 20 14:29:52 cw1 pluto[10473]: plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
> Oct 20 14:29:52 cw1 pluto[10473]: loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl hmac gmp xauth attr resolve
> Oct 20 14:29:52 cw1 pluto[10473]:   including NAT-Traversal patch (Version 0.6c)
> Oct 20 14:29:52 cw1 pluto[10473]: failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
> Oct 20 14:29:52 cw1 pluto[10473]: Using Linux 2.6 IPsec interface code
> Oct 20 14:29:52 cw1 ipsec_starter[10472]: pluto (10473) started after 20 ms
> Oct 20 14:29:52 cw1 pluto[10473]: loading ca certificates from '/etc/ipsec.d/cacerts'
> Oct 20 14:29:52 cw1 pluto[10473]:   loaded ca certificate from '/etc/ipsec.d/cacerts/ca.crt'
> Oct 20 14:29:52 cw1 pluto[10473]: loading aa certificates from '/etc/ipsec.d/aacerts'
> Oct 20 14:29:52 cw1 pluto[10473]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
> Oct 20 14:29:52 cw1 pluto[10473]: Changing to directory '/etc/ipsec.d/crls'
> Oct 20 14:29:52 cw1 pluto[10473]: loading attribute certificates from '/etc/ipsec.d/acerts'
> Oct 20 14:29:52 cw1 pluto[10473]: listening for IKE messages
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface br0/br0 192.168.101.254:500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface br0/br0 192.168.101.254:4500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth1/eth1 50.79.22.185:500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth1/eth1 50.79.22.185:4500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:70/eth0:70 216.130.102.70:500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:70/eth0:70 216.130.102.70:4500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:69/eth0:69 216.130.102.69:500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:69/eth0:69 216.130.102.69:4500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:68/eth0:68 216.130.102.68:500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:68/eth0:68 216.130.102.68:4500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:67/eth0:67 216.130.102.67:500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0:67/eth0:67 216.130.102.67:4500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0/eth0 216.130.102.66:500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface eth0/eth0 216.130.102.66:4500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface lo/lo 127.0.0.1:500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface lo/lo 127.0.0.1:4500
> Oct 20 14:29:52 cw1 pluto[10473]: adding interface lo/lo ::1:500
> Oct 20 14:29:52 cw1 pluto[10473]: loading secrets from "/etc/ipsec.secrets"
> Oct 20 14:29:52 cw1 pluto[10473]:   loaded private key from '/etc/ipsec.d/private/cw1.private.com.key'
> Oct 20 14:29:52 cw1 pluto[10473]:   loaded host certificate from '/etc/ipsec.d/certs/cw1.private.com.crt'
> Oct 20 14:29:52 cw1 pluto[10473]: added connection description "grandrapids"
> Oct 20 14:29:52 cw1 pluto[10473]:   loaded host certificate from '/etc/ipsec.d/certs/cw1.private.com.crt'
> Oct 20 14:29:52 cw1 pluto[10473]: added connection description "sanjose"
> Oct 20 14:30:01 cw1 pluto[10473]: packet from 66.127.20.234:500: ignoring Vendor ID payload [810fa565f8ab14369105d706fbd57279]
> Oct 20 14:30:01 cw1 pluto[10473]: packet from 66.127.20.234:500: received Vendor ID payload [Dead Peer Detection]
> Oct 20 14:30:01 cw1 pluto[10473]: "sanjose"[1] 66.127.20.234 #1: responding to Main Mode from unknown peer 66.127.20.234
> Oct 20 14:30:01 cw1 pluto[10473]: "sanjose"[1] 66.127.20.234 #1: ignoring Vendor ID payload [KAME/racoon]
> Oct 20 14:30:02 cw1 pluto[10473]: "sanjose"[1] 66.127.20.234 #1: Peer ID is ID_DER_ASN1_DN: 'CN=Crossbow'
> Oct 20 14:30:02 cw1 pluto[10473]: "sanjose"[1] 66.127.20.234 #1: crl not found
> Oct 20 14:30:02 cw1 pluto[10473]: "sanjose"[1] 66.127.20.234 #1: certificate status unknown
> Oct 20 14:30:02 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #1: deleting connection "sanjose" instance with peer 66.127.20.234 {isakmp=#0/ipsec=#0}
> Oct 20 14:30:02 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #1: we have a cert and are sending it
> Oct 20 14:30:02 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #1: sent MR3, ISAKMP SA established
> Oct 20 14:30:12 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
> Oct 20 14:30:13 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> Oct 20 14:30:38 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #2: responding to Quick Mode
> Oct 20 14:30:39 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #2: IPsec SA established {ESP=>0x089ed792 <0x2b85e728}
> Oct 20 14:30:50 cw1 pluto[10473]: packet from 207.8.183.102:46769: not enough room in input packet for ISAKMP Message
> Oct 20 14:30:50 cw1 pluto[10473]: packet from 207.8.183.102:46769: sending notification PAYLOAD_MALFORMED to 207.8.183.102:46769
> Oct 20 14:36:45 cw1 pluto[10473]: packet from 50.192.114.17:500: ignoring Vendor ID payload [810fa565f8ab14369105d706fbd57279]
> Oct 20 14:36:45 cw1 pluto[10473]: packet from 50.192.114.17:500: received Vendor ID payload [Dead Peer Detection]
> Oct 20 14:36:45 cw1 pluto[10473]: "sanjose"[3] 50.192.114.17 #3: responding to Main Mode from unknown peer 50.192.114.17
> Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[3] 50.192.114.17 #3: ignoring Vendor ID payload [KAME/racoon]
> Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[3] 50.192.114.17 #3: Peer ID is ID_DER_ASN1_DN: 'CN=Crossbow'
> Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[3] 50.192.114.17 #3: crl not found
> Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[3] 50.192.114.17 #3: certificate status unknown
> Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: deleting connection "sanjose" instance with peer 50.192.114.17 {isakmp=#0/ipsec=#0}
> Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: we have a cert and are sending it
> Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: deleting connection "sanjose" instance with peer 66.127.20.234 {isakmp=#1/ipsec=#2}
> Oct 20 14:36:46 cw1 pluto[10473]: "sanjose" #2: deleting state (STATE_QUICK_R2)
> Oct 20 14:36:46 cw1 pluto[10473]: "sanjose" #1: deleting state (STATE_MAIN_R3)
> Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: sent MR3, ISAKMP SA established
> Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> Oct 20 14:36:48 cw1 pluto[10473]: "grandrapids"[1] 50.192.114.17 #4: responding to Quick Mode
> Oct 20 14:36:48 cw1 pluto[10473]: "grandrapids"[1] 50.192.114.17 #4: IPsec SA established {ESP=>0x0789dbb6 <0xa5ea6345}
> Oct 20 14:36:53 cw1 pluto[10473]: "grandrapids"[1] 50.192.114.17 #5: responding to Quick Mode
> Oct 20 14:36:53 cw1 pluto[10473]: "grandrapids"[1] 50.192.114.17 #5: IPsec SA established {ESP=>0x0113ff57 <0x34a08913}
> Oct 20 14:36:56 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: received Delete SA(0x0789dbb6) payload: deleting IPSEC State #4
> Oct 20 14:36:56 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xa5ea6345) not found (maybe expired)
> Oct 20 14:36:57 cw1 pluto[10473]: packet from 66.127.20.234:500: ignoring Vendor ID payload [810fa565f8ab14369105d706fbd57279]
> Oct 20 14:36:57 cw1 pluto[10473]: packet from 66.127.20.234:500: received Vendor ID payload [Dead Peer Detection]
> Oct 20 14:36:57 cw1 pluto[10473]: "sanjose"[5] 66.127.20.234 #6: responding to Main Mode from unknown peer 66.127.20.234
> Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[5] 66.127.20.234 #6: ignoring Vendor ID payload [KAME/racoon]
> Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[5] 66.127.20.234 #6: Peer ID is ID_DER_ASN1_DN: 'CN=Crossbow'
> Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[5] 66.127.20.234 #6: crl not found
> Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[5] 66.127.20.234 #6: certificate status unknown
> Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #6: deleting connection "sanjose" instance with peer 66.127.20.234 {isakmp=#0/ipsec=#0}
> Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #6: we have a cert and are sending it
> Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #6: deleting connection "grandrapids" instance with peer 50.192.114.17 {isakmp=#0/ipsec=#5}
> Oct 20 14:36:58 cw1 pluto[10473]: "grandrapids" #5: deleting state (STATE_QUICK_R2)
> Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #6: deleting connection "sanjose" instance with peer 50.192.114.17 {isakmp=#3/ipsec=#0}
> Oct 20 14:36:58 cw1 pluto[10473]: "sanjose" #3: deleting state (STATE_MAIN_R3)
> Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #6: sent MR3, ISAKMP SA established
> Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #6: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> Oct 20 14:36:59 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #7: responding to Quick Mode
> Oct 20 14:36:59 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #7: IPsec SA established {ESP=>0x0d044102 <0x9b5c761a}
> 
> On Wed, Oct 17, 2012 at 10:11:10AM -0400, CJ Fearnley wrote:
>> After a T1 outage left OpenSwan useless (again), I decided it was time
>> to try StrongSwan.  The system uses a local CA on the server.  Keys and
>> certs are in /etc/ipsec.d where we created them for OpenSwan.  Nice that
>> no change seems to be necessary there.  It is a Debian Squeeze system,
>> so I'm using the 4.4.1-5.2 version of the strongswan package.
> 

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
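An added illustration, not part of the thread or of strongSwan itself: a small Python script that scans pluto log lines like those quoted above and reports (a) identities presented from more than one peer address, which is exactly what triggers the uniqueids=yes replacement Andreas describes, and (b) each connection instance that a newer IKE SA with the same identity tore down. The sample lines are a subset copied from the log in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the pluto log lines quoted in the thread.
SAMPLE_LOG = """\
Oct 20 14:30:02 cw1 pluto[10473]: "sanjose"[1] 66.127.20.234 #1: Peer ID is ID_DER_ASN1_DN: 'CN=Crossbow'
Oct 20 14:30:02 cw1 pluto[10473]: "sanjose"[2] 66.127.20.234 #1: deleting connection "sanjose" instance with peer 66.127.20.234 {isakmp=#0/ipsec=#0}
Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[3] 50.192.114.17 #3: Peer ID is ID_DER_ASN1_DN: 'CN=Crossbow'
Oct 20 14:36:46 cw1 pluto[10473]: "sanjose"[4] 50.192.114.17 #3: deleting connection "sanjose" instance with peer 66.127.20.234 {isakmp=#1/ipsec=#2}
Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[5] 66.127.20.234 #6: Peer ID is ID_DER_ASN1_DN: 'CN=Crossbow'
Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #6: deleting connection "grandrapids" instance with peer 50.192.114.17 {isakmp=#0/ipsec=#5}
Oct 20 14:36:58 cw1 pluto[10473]: "sanjose"[6] 66.127.20.234 #6: deleting connection "sanjose" instance with peer 50.192.114.17 {isakmp=#3/ipsec=#0}
"""

# "<conn>"[n] <peer> #<sa>: Peer ID is <type>: '<identity>'
PEER_ID_RE = re.compile(
    r'"[^"]+"\[\d+\] (?P<peer>[\d.]+) #(?P<sa>\d+): Peer ID is \S+: \'(?P<id>[^\']+)\'')
# #<sa>: deleting connection "<conn>" instance with peer <old> {isakmp=#a/ipsec=#b}
DELETE_RE = re.compile(
    r'#(?P<sa>\d+): deleting connection "(?P<conn>[^"]+)" instance with peer '
    r'(?P<old_peer>[\d.]+) \{isakmp=#(?P<isakmp>\d+)/ipsec=#(?P<ipsec>\d+)\}')


def identities_with_multiple_peers(log_text):
    """Map each identity to the sorted addresses that presented it, keeping only
    identities seen from more than one address (what makes uniqueids=yes bite)."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        m = PEER_ID_RE.search(line)
        if m:
            peers[m['id']].add(m['peer'])
    return {ident: sorted(p) for ident, p in peers.items() if len(p) > 1}


def find_uniqueids_replacements(log_text):
    """Return (identity, old_peer, new_peer, conn) for each connection instance torn
    down by a newer IKE SA with the same identity but another address. Deleting an
    empty placeholder ({isakmp=#0/ipsec=#0}) for the same peer is not a replacement."""
    ids_by_sa = {}   # IKE SA number -> (identity, peer address) that announced it
    events = []
    for line in log_text.splitlines():
        m = PEER_ID_RE.search(line)
        if m:
            ids_by_sa[m['sa']] = (m['id'], m['peer'])
            continue
        m = DELETE_RE.search(line)
        if not m or m['sa'] not in ids_by_sa:
            continue
        identity, new_peer = ids_by_sa[m['sa']]
        had_state = m['isakmp'] != '0' or m['ipsec'] != '0'
        if had_state and m['old_peer'] != new_peer:
            events.append((identity, m['old_peer'], new_peer, m['conn']))
    return events
```

Run over the full log from the thread, identities_with_multiple_peers() names the shared 'CN=Crossbow' identity that needs to be split into distinct certificates, and find_uniqueids_replacements() lists each teardown caused by it.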
