[strongSwan] Attempting to use 5.0 MDS Ref#:00040620

Henry R. Prins HPrins at multidataservices.com
Tue Sep 25 15:03:56 CEST 2012


The first question I have is whether this is what's preventing the connection, or is there something else that's causing the 5.0 side not to be able to initiate?
The second is why the connection is dropping. I see nothing that indicates why; all I know is that when I do an ipsec status on the 5.0 side, it's gone.



Hello Henry,



> Sep 24 10:41:07 VPN pluto[16791]: "test" #324: received ModeCfg
> message when in state STATE_MAIN_R3, and we aren't mode config client



Seems that 5.0 sends a Mode Config message, but 4.5 does not expect one.



With strongSwan 4.x and IKEv1, pluto didn't send a Mode Config message if you define leftsourceip to a fixed IP. With 5.0, charon always negotiates the address in both IKEv1 and IKEv2.



Specifying leftsourceip might not be required anymore with 5.x, as charon always installs a route with a matching source address. However, there is currently no way to enforce a specific address if two addresses would match to the negotiated traffic selector.



Regards

Martin


From: users-bounces+hprins=multidataservices.com at lists.strongswan.org [mailto:users-bounces+hprins=multidataservices.com at lists.strongswan.org] On Behalf Of Henry R. Prins
Sent: Monday, September 24, 2012 2:57 PM
To: users at lists.strongswan.org
Subject: [strongSwan] Attempting to use 5.0 MDS Ref#:00040620

Hey all,

I'm trying to use the new 5.0 but am having a few problems (they may be related). Since I am currently using 4.5 on all my other boxes, I set up a new box, opened the ports on my firewall which have been used by my other boxes and proceeded to install 5.0.0; this build/make install went rather smoothly.

I then proceeded to try to connect this new box with one of my existing remote boxes. I read the change logs and found out how to configure pfs, and took out the other deprecated commands. That being said, I still have the following issues.

At this point if I start the connection from the 4.5 side it does connect. Although the 4.5 side logs show this:
received ModeCfg message when in state STATE_MAIN_R3, and we aren't mode config client.

After the connection is established we can transmit data for a few mins, after that it seems that the connection drops on the 5.0 side.  The 4.5 side still shows as being up, but as you would expect it is unable to send data through the tunnel.


I get the following when the 5.0 side tries to initiate the connection, which gives up after the 4th retransmit or request, never getting to the point where data can be sent.

When the 5.0 side initiates I get this on the 4.5 side:
Sep 24 10:36:03 VPN pluto[16791]: packet from ***.***.207.34:500: Informational Exchange is for an unknown (expired?) SA
Sep 24 10:41:06 VPN pluto[16791]: packet from ***.***.29.155:500: received Vendor ID payload [XAUTH]
Sep 24 10:41:06 VPN pluto[16791]: packet from ***.***.29.155:500: ignoring Vendor ID payload [RFC 3947]
Sep 24 10:41:06 VPN pluto[16791]: packet from ***.***.29.155:500: received Vendor ID payload [Dead Peer Detection]
Sep 24 10:41:06 VPN pluto[16791]: "test" #324: responding to Main Mode
Sep 24 10:41:07 VPN pluto[16791]: "test" #324: Peer ID is ID_IPV4_ADDR: '***.***.***.***'
Sep 24 10:41:07 VPN pluto[16791]: "test" #324: sent MR3, ISAKMP SA established
Sep 24 10:41:07 VPN pluto[16791]: "test" #324: received ModeCfg message when in state STATE_MAIN_R3, and we aren't mode config client

On the 5.0 side I get this:
==> /var/log/secure <==
Sep 24 10:38:42 Linux-2 charon: 09[IKE] IKE_SA remote[3] established between ***.***.29.155[***.***.29.155]...***.***.135.50[***.***.135.50]

==> /var/log/messages <==
Sep 24 10:38:46 Linux-2 charon: 12[IKE] sending retransmit 1 of request message ID 3872125085, seq 4
Sep 24 10:38:46 Linux-2 charon: 12[NET] sending packet: from ***.***.29.155[500] to ***.***.135.50[500]
Sep 24 10:38:53 Linux-2 charon: 14[IKE] sending retransmit 2 of request message ID 3872125085, seq 4
Sep 24 10:38:53 Linux-2 charon: 14[NET] sending packet: from ***.***.29.155[500] to ***.***.135.50[500]
Sep 24 10:39:06 Linux-2 charon: 13[IKE] sending retransmit 3 of request message ID 3872125085, seq 4
Sep 24 10:39:06 Linux-2 charon: 13[NET] sending packet: from ***.***.29.155[500] to ***.***.135.50[500]
Sep 24 10:39:29 Linux-2 charon: 05[IKE] sending retransmit 4 of request message ID 3872125085, seq 4
Sep 24 10:39:29 Linux-2 charon: 05[NET] sending packet: from ***.***.29.155[500] to ***.***.135.50[500]


Thanks,

Henry.
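As an added example (not part of this thread and not strongSwan's own code), the following Python checks both sides' logs for the two symptoms discussed here: pluto on 4.x discarding a Mode Config message it did not expect, and charon on 5.x exhausting its retransmits of one request. The sample lines are constructed after the ones quoted in the thread; the message patterns are taken from those quoted lines, and the "likely cause" verdict follows Martin's explanation of charon always negotiating the address.

```python
import re

# Constructed sample lines modelled on the pluto (4.5) and charon (5.0) output quoted above.
PLUTO_LOG = [
    'Sep 24 10:41:07 VPN pluto[16791]: "test" #324: sent MR3, ISAKMP SA established',
    'Sep 24 10:41:07 VPN pluto[16791]: "test" #324: received ModeCfg message '
    "when in state STATE_MAIN_R3, and we aren't mode config client",
]
CHARON_LOG = [
    'Sep 24 10:38:46 Linux-2 charon: 12[IKE] sending retransmit 1 of request message ID 3872125085, seq 4',
    'Sep 24 10:38:53 Linux-2 charon: 14[IKE] sending retransmit 2 of request message ID 3872125085, seq 4',
    'Sep 24 10:39:06 Linux-2 charon: 13[IKE] sending retransmit 3 of request message ID 3872125085, seq 4',
    'Sep 24 10:39:29 Linux-2 charon: 05[IKE] sending retransmit 4 of request message ID 3872125085, seq 4',
]

# pluto (IKEv1 responder on 4.x) rejecting a Mode Config payload it did not expect
PLUTO_MODECFG = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): received ModeCfg message '
    r"when in state (?P<state>STATE_\w+), and we aren't mode config client")
# charon (5.x) retransmitting a request that never gets an answer
CHARON_RETRANS = re.compile(
    r'charon: \d+\[IKE\] sending retransmit (?P<n>\d+) of request message ID (?P<mid>\d+)')

def unexpected_modecfg(lines):
    """Return (conn, sa, state) for every Mode Config message pluto rejected."""
    hits = [PLUTO_MODECFG.search(line) for line in lines]
    return [(m.group('conn'), int(m.group('sa')), m.group('state')) for m in hits if m]

def stalled_requests(lines, limit=4):
    """Return {message_id: retransmits} for requests retransmitted at least `limit` times."""
    highest = {}
    for m in filter(None, map(CHARON_RETRANS.search, lines)):
        highest[m.group('mid')] = max(int(m.group('n')), highest.get(m.group('mid'), 0))
    return {mid: n for mid, n in highest.items() if n >= limit}

def diagnose(pluto_lines, charon_lines):
    """Correlate both sides: pluto dropping ModeCfg while charon's request goes unanswered."""
    modecfg, stalled = unexpected_modecfg(pluto_lines), stalled_requests(charon_lines)
    findings = [f'4.x side: conn "{c}" SA #{sa} discarded a ModeCfg message in {st}'
                for c, sa, st in modecfg]
    findings += [f'5.x side: request ID {mid} gave up after {n} retransmits'
                 for mid, n in stalled.items()]
    if modecfg and stalled:  # both symptoms together match the mismatch described in the thread
        findings.append('likely cause: 5.x negotiates the address via ModeCfg, which the 4.x peer does not expect')
    return findings

if __name__ == '__main__':
    print('\n'.join(diagnose(PLUTO_LOG, CHARON_LOG)))
```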