[strongSwan] unable to add SAD entry with SPI

lily xuxiaoli86 at 126.com
Thu Aug 29 04:30:35 CEST 2013


hi
we have set 'sysctl -w net.ipv4.ip_forward=1',but it is not useful.
the problem we met is as this:
 
ENVIRONMENT:
routeA is connected with routeB on wireless.
computerA is connected to routeA , computerB is connected to routeB .
 
their IP:
computerA: 192.168.11.10
routeA: 10.96.78.118(192.168.11.1)
routeB: 10.96.17.252(192.168.12.1)
computerB: 192.168.12.13
 
computerA can successfully ping routeA and routeB.
computerB can successfully ping routeA and routeB.
routeA can successfully ping computerA and routeB.
routeB can successfully ping computerB and routeA.
BUT computerA cannot ping computerB.

We have put a datacatchtool in routeA to catch data when we try to ping computerB in computerA, and we got the data with its destination ip : 192.168.12.13(IP of computerB) and sourceIp is 10.96.78.118(routeA),
Actually here destination ip should be 10.96.17.252(ip of routeB) in a correct data transport ,(we have set a correct strongswan envionment  in another virtural network in ubuntu system,and it proved this case. )
but if we set 'ipsec down net-net',its sourceIp changed to ip of computerA.so the route has changed data source correctly , but do not change destination correctly.
 
so in my opinion, maybe there is still something wrong with the route ,short of any config with the kernel(we build it in ltib ) or something else ,which make it uncorrectly work.
what may the reasons?
 
this is our ipsec.conf==========
conn %default
 ikelifetime=60m
 keylife=20m
 rekeymargin=3m
 keyingtries=1
 authby=secret
 keyexchange=ikev2
 mobike=no
conn net-net
 left=10.96.17.252
 leftsubnet=192.168.12.0/24
 leftid=@10.96.17.252
 leftfirewall=yes
 right=10.96.78.118
 rightsubnet=192.168.11.0/24
 rightid=@10.96.78.118
 auto=add
 
 
 
 
=================================================
 sometimes we got log as this :
Dec 12 01:20:15 freescale authpriv.info ipsec_starter[11166]: Starting strongSwan 5.1.0 IPsec [starter]...
Dec 12 01:20:15 freescale authpriv.info ipsec_starter[11166]: removing pidfile '/var/run/charon.pid', process not running
Dec 12 01:20:16 freescale user.info kernel: Initializing XFRM netlink socket
Dec 12 01:20:16 freescale authpriv.info ipsec_starter[11166]: removing pidfile '/var/run/starter.charon.pid', process not running
Dec 12 01:20:16 freescale daemon.info charon: 00[DMN] opening file var/log/charon.log for logging failed: No such file or directory
is there any problem for charon.pid? and the log cannot correctly be written because file is not exist?
and is there any way we can get a log in details show how it deal with the data we want to send out?
 
 
best regards
xuxl





 



At 2013-08-28 17:46:00,"Noel Kuntze" <noel at familie-kuntze.de> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA256
>
>Hello xuxl,
>
>The last message wasn't properly signed. My mail client wraps the lines
>after signing it, so it breaks the signature. I am sorry for this.
>This message is prerly signed now.
>
>It might be, that ip_forwarding is not enabled.
>To enable it temporarily, use "sysctl -w net.ipv4.ip_forward=1"
>on both boxes.
>If makes the kernel forward packets from one network interface to another.
>
>Another possible problem could be, that the computers on the remote
>network don't have a route to your local network (neither themselves,
>nor their default router) ,
>so they can't send packets to your local network.
>This can be solved on three ways:
>
>Either install a route to the respective foreign networks on all the PCs
>on the network or install a route to the respective foreign network
>on the default routers of the PCs on the network.
>
>To get a list of supported ciphers, use "ipsec listalgs".
>It will list cipher-hmac-modp pairs.
>The names that are displayed there can not be used in your ipsec.conf,
>as the name formating in ipsec.conf is another one.
>If your version of strongSwan is compiled with
>the "aes" or "des" modules and those are loaded,
>strongSwan should be capable of using those encription algorithms.
>
>As far as I know, each crypto module of strongSwan implements
>the cipher in userland, so it is completely Kernel independent.
>
>There is, however, the "af-alg" module, that uses the Kernel API to
>provide more ciphers to strongSwan to choose from and hence the
>ciphers it provides, are Kernel dependant.
>
>It might be very useful to make strongSwan log to a file or syslog.
>The following example will make strongSwan log to syslog
>with the "daemon" facility, packet encoding set to no logging (-1),
>config,
>low-level en- and decoding set to generic control flow with errors (1)
>and IKE network communication, as well as IKE_SA to basic auditing log
>(0).
>It also makes it log to a file with mostly raw dumps in hexadecimal form
>(3).
>You can take a look at the manpage for
>strongswan.conf to see all the possible settings.
>
>Example:
>charon {
>        syslog {
>            daemon {
>                    enc=-1
>                    cfg=1
>                    esn=1
>                    net=0
>                    ike=0
>                    }
>           }
>        filelog {
>            /var/log/charon.log {
>                    default = 3
>                    enc=2
>                    cfg=3
>                    asn=3
>                    append=no
>                    ike_name=no
>            }
>        }
>}
>
>See the manpage for strongswan.conf for all the options.
>With cfg set to 2, you can see the proposals of the two peers.
>
>Regards,
>Noel Kuntze
>
>
>
>
>- -------- Original Message --------
>Subject:     Re:Re: [strongSwan] unable to add SAD entry with SPI
>Date:     Wed, 28 Aug 2013 16:59:37 +0800 (CST)
>From:     lily <xuxiaoli86 at 126.com>
>To:     Noel Kuntze <noel at familie-kuntze.de>, users at lists.strongswan.org
>
>
>
>
> Hi, Noel
>
>Thank you for all guides in detail very much.
>At last, we found if set CONFIG_CRYPTO_NULL y, and set 'esp=null-sha1! '
>in ipsec.conf file ,we can successfully establish the connection between
>two routes.
>but computers in subnets still can not ping the other side.
>Two routes can ping each other very well. however, it can not ping
>computers in other side too.
>did you have some advice for  this case?
>is there still short of modules in kernel even it can establish
>successfully ? or just some mistakes with config?
> best regards and thank you for any help!
>xuxl
>
>
>At 2013-08-27 10:30:40,"Noel Kuntze" <noel at familie-kuntze.de> wrote:
>> It seems my mail client mangled the message after it was signed by 
>> pgp. I'm sorry. I'll send one with a valid signature:
>> 
>> Hello,
>> 
>> To compile with "libipsec", you need to add "--enable-libipsec" to 
>> the arguments you give ./configure. It might end up looking like 
>> this: (This is taken from a script I wrote to build and package 
>> strongSwan on Arch Linux.)
>>> ./configure --prefix=/usr --sbindir=/usr/bin --sysconfdir=/etc 
>>> --libexecdir=/usr/lib \ --with-ipsecdir=/usr/lib/strongswan 
>>> --enable-sqlite \ --enable-openssl --enable-curl --enable-sql 
>>> --enable-attr-sql \ --enable-farp --enable-dhcp --enable-eap-sim 
>>> --enable-eap-sim-file \ --enable-eap-simaka-pseudonym \ 
>>> --enable-eap-simaka-reauth --enable-eap-identity --enable-eap-md5
>>> \ --enable-eap-gtc --enable-eap-aka --enable-eap-aka-3gpp2 \
>>> --enable-eap-mschapv2 --enable-eap-radius --enable-xauth-eap \
>>> --enable-ha --disable-mysql --disable-ldap --enable-libipsec
>> After configuring, just run "make" to compile.
>> 
>> When you installed strongSwan, you can load "libipsec" with the 
>> "charon.load" statement. This will look like this:
>>> charon { load=charon test-vectors curl sqlite random nonce x509 
>>> revocation \ constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp 
>>> dnskey sshkey pem \ openssl af-alg gmp xcbc cmac hmac fips-pfr 
>>> ctr ccm gcm attr \ kernel-netlink socket-default >farp stroke 
>>> updown \ eap-identity eap-gtc eap-mschapv2 eap-radius 
>>> xauth-generic \ xauth-eap dhcp unity }
>> 
>> All the modules that are to be loaded need to be in the same line 
>> as the "load" statement! You also need to make sure to include all 
>> the modules you need in the "load" statement, as it will disable 
>> automatic loading.
>> 
>> Doing this will give you a warning as soon as you start
>> strongSwan. To disable this, you need to set "starter.load_warning"
>> to "no":
>>> starter { load_warning = no }
>> 
>> Regards, Noel Kuntze
>> 
>> On 27.08.2013 04:12, ÐìóãÀò wrote:
>> 
>>> Hi, Noel
>> 
>>> Thanks for your reply. Would you pls explain the detail of how to
>>> compile with libipsec and loading it with the "load" statement in
>>> strongswan.conf?
>> 
>>> Sorry , I am a newbie to strongswan~~
>> 
>>> Br,
>> 
>>> At 2013-08-26 18:52:55,"Noel Kuntze" <noel at familie-kuntze.de> 
>>> wrote:
>>>> 
>>> Hello xuxl,
>> 
>>> I've seen this behavious on systems virtualized with OpenVZ. On 
>>> such systems, it is not possible to insert xfrm policies into the
>>> kernel or use netlink's functionality. The solution to this 
>>> problem is compiling with libipsec and loading it with the
>>> "load" statement in strongswan.conf.
>> 
>>> Regards, Noel Kuntze
>> 
>>> On 26.08.2013 12:48, ??? wrote:
>> 
>>>> Dec 12 01:25:05 freescale daemon.info charon: 01[KNL] received 
>>>> netlink
>>> error: Function not implemented (38)
>> 
>>>> 
>> 
>> 
>> 
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v2.0.21 (GNU/Linux)
>Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
>iQIcBAEBCAAGBQJSHcbYAAoJEDg5KY9j7GZYU1MQAISuks0ni0BwXlUcrpbgypMg
>auxWZJnxw9YPt8Ex9duY5wGQKg+TD7sJQtgNw2xOZ3bkk9+RNJdg9v1lvnQ2AbjH
>3v4P4LrgQhK3iDzOXVVwWx+/K56cTM4mGET6Uv/EixsB2HY+hmKwUSYkVRECSPZF
>1+l1ONUkBPSR3dCVo2twWCcGvgM4xoGNDyKv72KU+MPb2QBcC7xUSP4nLxDXB6AH
>2GGuQDRxyTXj/WPz/8VHP8BjzvXU8gC53Vva2oJh2sta2PQgEU34ScJ6+aGsjjJF
>vduPAOI3mMCmZBfuLajFkn9zDaQbC+rFuq5nuiVtb+TY05twQ0kPTKB2p6CC2b+t
>GH6aWixY6scSNxZtesFGzfw1GaoycXp6dafjJF4FbWakc/SdfHtyVMHbpXjZmkaq
>SBOZ+Qh/iJYthOcizmKj1g6B6ve9AEbmfJZsjLjXuztAs1+iOcaswA+70yueNKzd
>fOPQrXshO++qvv6IoQbLqXBmheMN5Gcg6+GZJRnDMyg/DbPO00aQSwB4TGc2K+th
>tFIwN7Owey5FQaso+NlZWZXV1ar2Y2Rgv4FhCtoDVyh7XabtcGzx3UR9Uk14+Eqf
>pDpI6b8n1Pk/JidLjkn7EWybF2PkS1VTM5Jkf6UjHUGB2Hdo6vR9jU0H9SGaHVVN
>V1N2Nar6Xiyn+AmA726v
>=nJg0
>-----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130829/249554fc/attachment.html>


More information about the Users mailing list