[strongSwan] no ping the internal network

carachi diego carachi83 at gmail.com
Wed Apr 17 23:41:41 CEST 2013


Hello,

I configured strongSwan; the client (Win XP) is connected to the server,
but I am not able to ping the internal network from the client.

Where could the problem be?
Thank you


---------------------------------------------------------------------
root at debian:~# ipsec start --nofork --debug-all
Starting strongSwan 5.0.2 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for charon.
!! This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
Loading config setup
Loading conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
Loading conn 'rw'
  left=172.16.151.100
  leftcert=server.crt
  leftid=@ipsec.org
  leftsubnet=192.168.7.0/24
  leftfirewall=yes
  right=%any
  rightsourceip=192.168.7.0/24
  auto=add
found netkey IPsec stack
Attempting to start charon...
00[DMN] Starting IKE charon daemon (strongSwan 5.0.2, Linux
3.2.0-0.bpo.4-amd64, x86_64)
00[LIB] enabled  AES_CBC[aes]: passed 6 test vectors
00[LIB] enabled  AES_CBC[aes]: passed 6 test vectors
00[LIB] enabled  AES_CBC[aes]: passed 6 test vectors
00[LIB] enabled  3DES_CBC[des]: passed 2 test vectors
00[LIB] enabled  DES_CBC[des]: passed 2 test vectors
00[LIB] enabled  DES_ECB[des]: passed 2 test vectors
00[LIB] enabled  HASH_SHA1[sha1]: passed 4 test vectors
00[LIB] enabled  PRF_KEYED_SHA1[sha1]: no test vectors found
00[LIB] enabled  HASH_SHA224[sha2]: passed 3 test vectors
00[LIB] enabled  HASH_SHA256[sha2]: passed 3 test vectors
00[LIB] enabled  HASH_SHA384[sha2]: passed 3 test vectors
00[LIB] enabled  HASH_SHA512[sha2]: passed 3 test vectors
00[LIB] enabled  HASH_MD5[md5]: passed 7 test vectors
00[LIB] enabled  RNG_STRONG[random]: passed 3 test vectors
00[LIB] enabled  RNG_TRUE[random]: skipping test (disabled by config)
00[LIB] enabled  PRF_HMAC_SHA1[hmac]: passed 6 test vectors
00[LIB] enabled  PRF_HMAC_MD5[hmac]: passed 6 test vectors
00[LIB] enabled  PRF_HMAC_SHA2_256[hmac]: passed 6 test vectors
00[LIB] enabled  PRF_HMAC_SHA2_384[hmac]: passed 6 test vectors
00[LIB] enabled  PRF_HMAC_SHA2_512[hmac]: passed 6 test vectors
00[LIB] enabled  HMAC_SHA1_96[hmac]: passed 2 test vectors
00[LIB] enabled  HMAC_SHA1_128[hmac]: passed 2 test vectors
00[LIB] enabled  HMAC_SHA1_160[hmac]: passed 2 test vectors
00[LIB] enabled  HMAC_MD5_96[hmac]: passed 2 test vectors
00[LIB] enabled  HMAC_MD5_128[hmac]: passed 2 test vectors
00[LIB] enabled  HMAC_SHA2_256_128[hmac]: passed 3 test vectors
00[LIB] enabled  HMAC_SHA2_256_256[hmac]: no test vectors found
00[LIB] enabled  HMAC_SHA2_384_192[hmac]: passed 3 test vectors
00[LIB] enabled  HMAC_SHA2_384_384[hmac]: no test vectors found
00[LIB] enabled  HMAC_SHA2_512_256[hmac]: passed 3 test vectors
00[LIB] enabled  PRF_AES128_XCBC[xcbc]: passed 7 test vectors
00[LIB] enabled  AES_XCBC_96[xcbc]: passed 5 test vectors
00[LIB] enabled  PRF_AES128_CMAC[cmac]: passed 7 test vectors
00[LIB] enabled  AES_CMAC_96[cmac]: passed 4 test vectors
00[LIB] enabled  AES_CTR[ctr]: passed 9 test vectors
00[LIB] enabled  AES_CTR[ctr]: passed 9 test vectors
00[LIB] enabled  AES_CTR[ctr]: passed 9 test vectors
00[LIB] enabled  AES_CCM_8[ccm]: passed 5 test vectors
00[LIB] enabled  AES_CCM_8[ccm]: passed 5 test vectors
00[LIB] enabled  AES_CCM_8[ccm]: passed 5 test vectors
00[LIB] enabled  AES_CCM_12[ccm]: passed 1 test vectors
00[LIB] enabled  AES_CCM_12[ccm]: passed 1 test vectors
00[LIB] enabled  AES_CCM_12[ccm]: passed 1 test vectors
00[LIB] enabled  AES_CCM_16[ccm]: passed 5 test vectors
00[LIB] enabled  AES_CCM_16[ccm]: passed 5 test vectors
00[LIB] enabled  AES_CCM_16[ccm]: passed 5 test vectors
00[LIB] enabled  AES_GCM_8[gcm]: passed 1 test vectors
00[LIB] enabled  AES_GCM_8[gcm]: passed 1 test vectors
00[LIB] enabled  AES_GCM_8[gcm]: passed 1 test vectors
00[LIB] enabled  AES_GCM_12[gcm]: passed 1 test vectors
00[LIB] enabled  AES_GCM_12[gcm]: passed 1 test vectors
00[LIB] enabled  AES_GCM_12[gcm]: passed 1 test vectors
00[LIB] enabled  AES_GCM_16[gcm]: passed 5 test vectors
00[LIB] enabled  AES_GCM_16[gcm]: passed 5 test vectors
00[LIB] enabled  AES_GCM_16[gcm]: passed 5 test vectors
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
CN=Beds CA, N=Strongswan, E=root at ipsec.beds.com" from
'/etc/ipsec.d/cacerts/ca.crt'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
00[DMN] loaded plugins: charon curl test-vectors aes des sha1 sha2 md5 pem
pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm
stroke kernel-netlink socket-default updown
00[JOB] spawning 16 worker threads
charon (2651) started after 40 ms
08[CFG] received stroke: add connection 'rw'
08[CFG] adding virtual IP address pool 192.168.7.0/24
08[CFG]   loaded certificate "C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
CN=server, N=Strongswan, E=root at ipsec.beds.com" from 'server.crt'
08[CFG]   id 'ipsec.org' not confirmed by certificate, defaulting to 'C=UK,
ST=Beds, L=Luton, O=Beds, OU=IT, CN=server, N=Strongswan, E=
root at ipsec.beds.com'
08[CFG] added configuration 'rw'
09[NET] received packet: from 172.16.151.131[500] to 172.16.151.100[500]
(3756 bytes)
09[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V ]
09[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
09[ENC] received unknown vendor ID:
16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
09[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
09[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
09[IKE] received NAT-T (RFC 3947) vendor ID
09[IKE] received FRAGMENTATION vendor ID
09[IKE] received DPD vendor ID
09[ENC] received unknown vendor ID:
f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
09[ENC] received unknown vendor ID:
16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
09[ENC] received unknown vendor ID:
84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
09[IKE] received Cisco Unity vendor ID
09[IKE] 172.16.151.131 is initiating a Main Mode IKE_SA
09[ENC] generating ID_PROT response 0 [ SA V V V ]
09[NET] sending packet: from 172.16.151.100[500] to 172.16.151.131[500]
(140 bytes)
10[NET] received packet: from 172.16.151.131[500] to 172.16.151.100[500]
(365 bytes)
10[ENC] parsed ID_PROT request 0 [ KE No CERTREQ NAT-D NAT-D ]
10[IKE] ignoring certificate request without data
10[IKE] sending cert request for "C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
CN=Beds CA, N=Strongswan, E=root at ipsec.beds.com"
10[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
10[NET] sending packet: from 172.16.151.100[500] to 172.16.151.131[500]
(527 bytes)
11[NET] received packet: from 172.16.151.131[500] to 172.16.151.100[500]
(1724 bytes)
11[ENC] parsed ID_PROT request 0 [ ID CERT SIG ]
11[IKE] received end entity cert "C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
CN=client, N=Strongswan, E=root at ipsec.beds.com"
11[CFG] looking for RSA signature peer configs matching
172.16.151.100...172.16.151.131[C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
CN=client, N=Strongswan, E=root at ipsec.beds.com]
11[CFG] selected peer config "rw"
11[CFG]   using certificate "C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
CN=client, N=Strongswan, E=root at ipsec.beds.com"
11[CFG]   using trusted ca certificate "C=UK, ST=Beds, L=Luton, O=Beds,
OU=IT, CN=Beds CA, N=Strongswan, E=root at ipsec.beds.com"
11[CFG] checking certificate status of "C=UK, ST=Beds, L=Luton, O=Beds,
OU=IT, CN=client, N=Strongswan, E=root at ipsec.beds.com"
11[CFG] certificate status is not available
11[CFG]   reached self-signed root ca with a path length of 0
11[IKE] authentication of 'C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
CN=client, N=Strongswan, E=root at ipsec.beds.com' with RSA successful
11[IKE] authentication of 'C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
CN=server, N=Strongswan, E=root at ipsec.beds.com' (myself) successful
11[IKE] IKE_SA rw[1] established between 172.16.151.100[C=UK, ST=Beds,
L=Luton, O=Beds, OU=IT, CN=server, N=Strongswan,
E=root at ipsec.beds.com]...172.16.151.131[C=UK,
ST=Beds, L=Luton, O=Beds, OU=IT, CN=client, N=Strongswan, E=
root at ipsec.beds.com]
11[IKE] scheduling reauthentication in 3297s
11[IKE] maximum IKE_SA lifetime 3477s
11[IKE] sending end entity cert "C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
CN=server, N=Strongswan, E=root at ipsec.beds.com"
11[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
11[NET] sending packet: from 172.16.151.100[500] to 172.16.151.131[500]
(1756 bytes)
13[NET] received packet: from 172.16.151.131[500] to 172.16.151.100[500]
(92 bytes)
13[ENC] parsed INFORMATIONAL_V1 request 2720293503 [ HASH
N(INITIAL_CONTACT) ]
13[NET] received packet: from 172.16.151.131[500] to 172.16.151.100[500]
(92 bytes)
13[ENC] parsed TRANSACTION request 640267562 [ HASH CP ]
13[IKE] peer requested virtual IP %any
13[CFG] assigning new lease to 'C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
CN=client, N=Strongswan, E=root at ipsec.beds.com'
13[IKE] assigning virtual IP 192.168.7.1 to peer 'C=UK, ST=Beds, L=Luton,
O=Beds, OU=IT, CN=client, N=Strongswan, E=root at ipsec.beds.com'
13[ENC] generating TRANSACTION response 640267562 [ HASH CP ]
13[NET] sending packet: from 172.16.151.100[500] to 172.16.151.131[500] (76
bytes)
15[NET] received packet: from 172.16.151.131[500] to 172.16.151.100[500]
(684 bytes)
15[ENC] parsed QUICK_MODE request 2781654303 [ HASH SA No ID ID ]
15[IKE] received 3600s lifetime, configured 1200s
15[ENC] generating QUICK_MODE response 2781654303 [ HASH SA No ID ID ]
15[NET] sending packet: from 172.16.151.100[500] to 172.16.151.131[500]
(172 bytes)
07[IKE] sending retransmit 1 of response message ID 2781654303, seq 5
07[NET] sending packet: from 172.16.151.100[500] to 172.16.151.131[500]
(172 bytes)
08[IKE] sending retransmit 2 of response message ID 2781654303, seq 5
08[NET] sending packet: from 172.16.151.100[500] to 172.16.151.131[500]
(172 bytes)
09[NET] received packet: from 172.16.151.131[500] to 172.16.151.100[500]
(92 bytes)
09[ENC] parsed INFORMATIONAL_V1 request 51255654 [ HASH N(DPD) ]
09[ENC] generating INFORMATIONAL_V1 request 2918765658 [ HASH N(DPD_ACK) ]
09[NET] sending packet: from 172.16.151.100[500] to 172.16.151.131[500] (92
bytes)
10[IKE] sending retransmit 3 of response message ID 2781654303, seq 5
10[NET] sending packet: from 172.16.151.100[500] to 172.16.151.131[500]
(172 bytes)
12[NET] received packet: from 172.16.151.131[500] to 172.16.151.100[500]
(684 bytes)
12[ENC] parsed QUICK_MODE request 2439206719 [ HASH SA No ID ID ]
12[IKE] CHILD_SA rw{1} established with SPIs c8de18b3_i 6b57c330_o and TS
192.168.7.0/24 === 192.168.7.1/32
13[NET] received packet: from 172.16.151.131[500] to 172.16.151.100[500]
(92 bytes)
13[ENC] parsed INFORMATIONAL_V1 request 959431080 [ HASH N(DPD) ]
13[ENC] generating INFORMATIONAL_V1 request 3238217689 [ HASH N(DPD_ACK) ]
13[NET] sending packet: from 172.16.151.100[500] to 172.16.151.131[500] (92
bytes)
14[NET] received packet: from 172.16.151.131[500] to 172.16.151.100[500]
(684 bytes)
14[ENC] invalid HASH_V1 payload length, decryption failed?
14[ENC] could not decrypt payloads
14[IKE] message parsing failed
14[ENC] generating INFORMATIONAL_V1 request 2658081635 [ HASH N(PLD_MAL) ]
14[NET] sending packet: from 172.16.151.100[500] to 172.16.151.131[500] (76
bytes)
14[IKE] QUICK_MODE request with message ID 2439206719 processing failed
15[NET] received packet: from 172.16.151.131[500] to 172.16.151.100[500]
(684 bytes)
15[ENC] invalid HASH_V1 payload length, decryption failed?
15[ENC] could not decrypt payloads
15[IKE] message parsing failed
15[ENC] generating INFORMATIONAL_V1 request 2558400398 [ HASH N(PLD_MAL) ]
15[NET] sending packet: from 172.16.151.100[500] to 172.16.151.131[500] (76
bytes)
15[IKE] QUICK_MODE request with message ID 2439206719 processing failed
07[NET] received packet: from 172.16.151.131[500] to 172.16.151.100[500]
(684 bytes)
07[ENC] invalid HASH_V1 payload length, decryption failed?
07[ENC] could not decrypt payloads
07[IKE] message parsing failed
07[ENC] generating INFORMATIONAL_V1 request 45400192 [ HASH N(PLD_MAL) ]
07[NET] sending packet: from 172.16.151.100[500] to 172.16.151.131[500] (76
bytes)
07[IKE] QUICK_MODE request with message ID 2439206719 processing failed
08[NET] received packet: from 172.16.151.131[500] to 172.16.151.100[500]
(92 bytes)
08[ENC] parsed INFORMATIONAL_V1 request 1445932911 [ HASH N(DPD) ]
08[ENC] generating INFORMATIONAL_V1 request 446635703 [ HASH N(DPD_ACK) ]
08[NET] sending packet: from 172.16.151.100[500] to 172.16.151.131[500] (92
bytes)
09[NET] received packet: from 172.16.151.131[500] to 172.16.151.100[500]
(684 bytes)
09[ENC] parsed QUICK_MODE request 3074289790 [ HASH SA No ID ID ]
09[IKE] received 3600s lifetime, configured 1200s
09[IKE] detected rekeying of CHILD_SA rw{1}
09[ENC] generating QUICK_MODE response 3074289790 [ HASH SA No ID ID ]
09[NET] sending packet: from 172.16.151.100[500] to 172.16.151.131[500]
(172 bytes)
10[IKE] sending retransmit 1 of response message ID 3074289790, seq 6
10[NET] sending packet: from 172.16.151.100[500] to 172.16.151.131[500]
(172 bytes)
11[IKE] sending retransmit 2 of response message ID 3074289790, seq 6
11[NET] sending packet: from 172.16.151.100[500] to 172.16.151.131[500]
(172 bytes)
13[NET] received packet: from 172.16.151.131[500] to 172.16.151.100[500]
(92 bytes)
13[ENC] parsed INFORMATIONAL_V1 request 4153077593 [ HASH N(DPD) ]
13[ENC] generating INFORMATIONAL_V1 request 677315988 [ HASH N(DPD_ACK) ]
13[NET] sending packet: from 172.16.151.100[500] to 172.16.151.131[500] (92
bytes)



-- 
http://www.2dd.it
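The conn echoed by starter above uses the same prefix, 192.168.7.0/24, for both leftsubnet and rightsourceip, and charon then hands the client 192.168.7.1 out of that pool. When the virtual IP pool lies inside the LAN subnet, hosts on the LAN resolve the client's address by ARP, so the gateway has to answer those requests (strongSwan's farp plugin) or the pool has to be moved to a separate range that the LAN routes back to the gateway; leases from a pool that covers the whole LAN can also collide with addresses hosts already use. The following script is an added diagnostic, not the poster's configuration nor code from the strongSwan project: it parses the `Loading conn` block and the `CHILD_SA ... established` line as starter and charon print them and reports these configuration risks. The sample log is constructed from the post with the mailer's line wrap on the TS line joined; the function names and the finding codes are my own. The later `could not decrypt payloads` errors on the retried Quick Mode request are a separate symptom the script does not cover.

```python
import ipaddress
import re

# Constructed sample input: the starter config echo and the CHILD_SA line from
# the post, with the mailer's line wrap on the TS line joined back together.
SAMPLE_LOG = """\
Loading config setup
Loading conn %default
  ikelifetime=60m
  keyexchange=ikev1
Loading conn 'rw'
  left=172.16.151.100
  leftcert=server.crt
  leftid=@ipsec.org
  leftsubnet=192.168.7.0/24
  leftfirewall=yes
  right=%any
  rightsourceip=192.168.7.0/24
  auto=add
found netkey IPsec stack
12[IKE] CHILD_SA rw{1} established with SPIs c8de18b3_i 6b57c330_o and TS 192.168.7.0/24 === 192.168.7.1/32
"""

CONN_RE = re.compile(r"^Loading conn '?(.+?)'?$")
KV_RE = re.compile(r"^\s+(\w+)=(.*)$")
TS_RE = re.compile(r"CHILD_SA (\S+)\{\d+\} established with SPIs .* and TS (\S+) === (\S+)")


def parse_starter_conns(text):
    """Map conn name -> {key: value} from the 'Loading conn' blocks starter prints."""
    conns, current = {}, None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            conns[current][m.group(1)] = m.group(2).strip()
        else:
            current = None  # any non key=value line ends the conn block
    return conns


def parse_child_sa_ts(text):
    """Extract (conn, local_ts, remote_ts) from charon's 'CHILD_SA ... established' lines."""
    return [m.groups() for m in (TS_RE.search(line) for line in text.splitlines()) if m]


def _network(value):
    """Parse a CIDR value; %dhcp, %config and a-b ranges are not handled here."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None


def check_conn(name, conn):
    """Return (code, message) findings for a road-warrior conn definition (hypothetical codes)."""
    findings = []
    pool = _network(conn.get("rightsourceip", ""))
    subnets = [n for n in (_network(s.strip()) for s in conn.get("leftsubnet", "").split(",")) if n]
    if pool:
        for net in subnets:
            if pool.overlaps(net):
                findings.append(("POOL_OVERLAPS_LEFTSUBNET",
                    f"{name}: rightsourceip {pool} overlaps leftsubnet {net}; hosts on {net} "
                    f"will ARP for client virtual IPs, so the gateway must answer (farp plugin) "
                    f"or the pool must move to a separate range routed back to the gateway. "
                    f"Leases may also collide with hosts already using addresses in {net}."))
    if conn.get("leftfirewall", "no") == "yes":
        findings.append(("FORWARDING_REQUIRED",
            f"{name}: leftfirewall=yes relies on the updown script adding FORWARD rules; "
            "traffic still needs net.ipv4.ip_forward=1 on the gateway."))
    return findings


def check_child_sa(conns, ts_entries):
    """Verify that each established remote TS lies inside the conn's virtual IP pool."""
    findings = []
    for conn, _local_ts, remote_ts in ts_entries:
        pool = _network(conns.get(conn, {}).get("rightsourceip", ""))
        remote = _network(remote_ts)
        if pool and remote and not remote.subnet_of(pool):
            findings.append(("TS_OUTSIDE_POOL", f"{conn}: remote TS {remote} not in pool {pool}"))
    return findings


if __name__ == "__main__":
    conns = parse_starter_conns(SAMPLE_LOG)
    results = check_conn("rw", conns["rw"]) + check_child_sa(conns, parse_child_sa_ts(SAMPLE_LOG))
    for code, msg in results:
        print(f"[{code}] {msg}")
```

Run it against the output of `ipsec start --nofork --debug-all` saved to a file; on the post's config it reports the pool overlap and the forwarding reminder, while a conn whose pool is a separate range (for example rightsourceip=10.10.10.0/24 with leftsubnet=192.168.7.0/24) produces no overlap finding.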