[strongSwan] unable to add SAD entry with SPI
lily
xuxiaoli86 at 126.com
Thu Aug 29 10:52:55 CEST 2013
Hi.
===============================================================
our network topology diagram:
(refer to strongSwan KVM Tests / ikev2 / net2net-psk in http://www.strongswan.org/testresults.html)
===============================================================
                     LAN                          WIRELESS                         LAN
computerA ---------------------------- routeA ~~~~~~~~~~~~~~~~~~~~~~~~ routeB --------------------------- computerB
IP: 192.168.12.13 (eth0)     192.168.12.1 (eth0)                 192.168.11.1 (eth2)      192.168.11.10 (eth2)
                             10.93.4.74 (ppp0)                   10.96.61.8 (ppp0)
THE BIG QUESTION: we want to ping 192.168.11.10 (computerB) from computerA, but the result is a timeout.
===============================================================
secrets and config file on computerA
===============================================================
# /etc/ipsec.secrets - strongSwan IPsec secrets file
@10.93.4.74 @10.96.61.8 : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
@10.93.4.74 %any : PSK 0x45a30759df97dc26a15b88ff
@10.96.61.8 : PSK "This is a strong password"
: PSK 'My "home" is my "castle"!'
10.93.4.74 : PSK "Andi's home"
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev2
mobike=no
esp=null-sha1!
forceencaps=yes
conn net-net
left=10.93.4.74
leftsubnet=192.168.12.0/24
leftid=@10.93.4.74
leftfirewall=yes
right=10.96.61.8
rightsubnet=192.168.11.0/24
rightid=@10.96.61.8
auto=add
===============================================================
secrets and config file on computerB
===============================================================
# /etc/ipsec.secrets - strongSwan IPsec secrets file
@10.93.4.74 @10.96.61.8 : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev2
mobike=no
esp=null-sha1!
forceencaps=yes
conn net-net
left=10.96.61.8
leftsubnet=192.168.11.0/24
leftid=@10.96.61.8
leftfirewall=yes
right=10.93.4.74
rightsubnet=192.168.12.0/24
rightid=@10.93.4.74
auto=add
=======================================================================
computerA status after 'ipsec up net-net' succeeded
======================================================================
root at freescale ~$ ipsec status
Security Associations (1 up, 0 connecting):
net-net[1]: ESTABLISHED 20 seconds ago, 10.93.4.74[10.93.4.74]...10.96.61.8[10.96.61.8]
net-net{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: ca552268_i c9a27b29_o
net-net{1}: 192.168.12.0/24 === 192.168.11.0/24
root at freescale ~$ ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.0, Linux 2.6.35.3-571-gcca29a0-svn2348, armv5tejl):
uptime: 4 minutes, since Dec 12 01:18:20 2012
malloc: sbrk 253952, mmap 0, used 117024, free 136928
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
192.168.12.1
10.93.4.74
Connections:
net-net: 10.93.4.74...10.96.61.8 IKEv2
net-net: local: [10.93.4.74] uses pre-shared key authentication
net-net: remote: [10.96.61.8] uses pre-shared key authentication
net-net: child: 192.168.12.0/24 === 192.168.11.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
net-net[1]: ESTABLISHED 2 minutes ago, 10.93.4.74[10.93.4.74]...10.96.61.8[10.96.61.8]
net-net[1]: IKEv2 SPIs: e91f69e169c3de05_i cc021435fd865b15_r*, pre-shared key reauthentication in 52 minutes
net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
net-net{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: ca552268_i c9a27b29_o
net-net{1}: NULL/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 12 minutes
net-net{1}: 192.168.12.0/24 === 192.168.11.0/24
root at freescale ~$ ip route list table 220
192.168.11.0/24 via 10.96.61.8 dev ppp0 src 192.168.12.1
======================================================================
computerA status after executing 'ipsec down net-net'
======================================================================
root at freescale ~$ ipsec down net-net
deleting IKE_SA net-net[1] between 10.93.4.74[10.93.4.74]...10.96.61.8[10.96.61.8]
sending DELETE for IKE_SA net-net[1]
generating INFORMATIONAL request 0 [ D ]
sending packet: from 10.93.4.74[4500] to 10.96.61.8[4500] (76 bytes)
received packet: from 10.96.61.8[4500] to 10.93.4.74[4500] (76 bytes)
parsed INFORMATIONAL response 0 [ ]
IKE_SA deleted
IKE_SA [1] closed successfully
root at freescale ~$ ip route list table 220
(nothing exists)
root at freescale ~$ ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.0, Linux 2.6.35.3-571-gcca29a0-svn2348, armv5tejl):
uptime: 9 minutes, since Dec 12 01:18:19 2012
malloc: sbrk 253952, mmap 0, used 105816, free 148136
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
192.168.12.1
10.93.4.74
Connections:
net-net: 10.93.4.74...10.96.61.8 IKEv2
net-net: local: [10.93.4.74] uses pre-shared key authentication
net-net: remote: [10.96.61.8] uses pre-shared key authentication
net-net: child: 192.168.12.0/24 === 192.168.11.0/24 TUNNEL
Security Associations (0 up, 0 connecting):
none
That is everything we set and got when we tried to test the performance of strongSwan. Please tell me if you need any other information.
Thank you very much for your patience and quick answers.
regards
xuxl
At 2013-08-29 13:24:01,"Noel Kuntze" <noel at familie-kuntze.de> wrote:
>
>
>Hello xuxl,
>
>if you try to ping exactly the VPN side IP of computerB from computerA, does that work?
>Also, you are talking about sourceips, but that doesn't appear in your ipsec.conf.
>I assume you can't ping the LAN side IP of computerB from computerA.
>You might want to take a look at the routing table of strongswan. It is in table 220.
>The command to see it is "ip route list table 220".
>I think it would be quite helpful at resolving your problem if you could send me the output of "ipsec status" for when you established the VPN connection,
>when you try to ping computerB and when you executed "ipsec down net-net".
>Also can you make a network topology diagram? It would be pretty handy in understanding the traffic flow.
>
>Regards,
>Noel Kuntze
>
>On 29.08.2013 06:22, lily wrote:
>> hi
>>
>> The last mail may not have been sent successfully, so I'm sending it again, sorry! :)
>>
>> We have set 'sysctl -w net.ipv4.ip_forward=1', but it did not help.
>> The problem we met is this:
>>
>> ENVIRONMENT:
>> routeA is connected with routeB on wireless.
>> computerA is connected to routeA , computerB is connected to routeB .
>>
>> their IP:
>> computerA: 192.168.11.10
>> routeA: 10.96.78.118(192.168.11.1)
>> routeB: 10.96.17.252(192.168.12.1)
>> computerB: 192.168.12.13
>>
>> computerA can successfully ping routeA and routeB.
>> computerB can successfully ping routeA and routeB.
>> routeA can successfully ping computerA and routeB.
>> routeB can successfully ping computerB and routeA.
>> BUT computerA cannot ping computerB.
>> We put a packet capture tool on routeA to capture packets when we ping computerB from computerA, and the captured packets have destination IP 192.168.12.13 (IP of computerB) and source IP 10.96.78.118 (routeA).
>> Actually, the destination IP here should be 10.96.17.252 (IP of routeB) in a correct data transport (we set up a correct strongSwan environment in another virtual network on an Ubuntu system, and it proved this case).
>> But if we run 'ipsec down net-net', the source IP changes to the IP of computerA. So the router changes the packet source correctly, but does not change the destination correctly.
>>
>> So in my opinion, maybe there is still something wrong with the router, some config missing in the kernel (we build it in ltib) or something else, which makes it work incorrectly.
>> What may the reasons be?
>>
>> this is our ipsec.conf==========
>> conn %default
>> ikelifetime=60m
>> keylife=20m
>> rekeymargin=3m
>> keyingtries=1
>> authby=secret
>> keyexchange=ikev2
>> mobike=no
>> conn net-net
>> left=10.96.17.252
>> leftsubnet=192.168.12.0/24
>> leftid=@10.96.17.252
>> leftfirewall=yes
>> right=10.96.78.118
>> rightsubnet=192.168.11.0/24
>> rightid=@10.96.78.118
>> auto=add
>>
>>
>>
>>
>> =================================================
>> sometimes we got log as this :
>> Dec 12 01:20:15 freescale authpriv.info ipsec_starter[11166]: Starting strongSwan 5.1.0 IPsec [starter]...
>> Dec 12 01:20:15 freescale authpriv.info ipsec_starter[11166]: removing pidfile '/var/run/charon.pid', process not running
>> Dec 12 01:20:16 freescale user.info kernel: Initializing XFRM netlink socket
>> Dec 12 01:20:16 freescale authpriv.info ipsec_starter[11166]: removing pidfile '/var/run/starter.charon.pid', process not running
>> Dec 12 01:20:16 freescale daemon.info charon: 00[DMN] opening file var/log/charon.log for logging failed: No such file or directory
>> Is there any problem with charon.pid? And is the log not being written correctly because the file does not exist?
>> And is there any way we can get a detailed log showing how it deals with the data we want to send out?
>>
>>
>> best regards
>> xuxl
>>
>>
>>
>>
>>
>>
>>
>> At 2013-08-28 17:46:00,"Noel Kuntze" <noel at familie-kuntze.de> wrote:
>> Hello xuxl,
>>
>> The last message wasn't properly signed. My mail client wraps the lines
>> after signing it, so it breaks the signature. I am sorry for this.
>> This message is properly signed now.
>>
>> It might be that ip_forwarding is not enabled.
>> To enable it temporarily, use "sysctl -w net.ipv4.ip_forward=1"
>> on both boxes.
>> It makes the kernel forward packets from one network interface to another.
>>
>> Another possible problem could be that the computers on the remote
>> network don't have a route to your local network (neither themselves
>> nor their default router),
>> so they can't send packets to your local network.
>> This can be solved in three ways:
>>
>> Either install a route to the respective foreign networks on all the PCs
>> on the network or install a route to the respective foreign network
>> on the default routers of the PCs on the network.
>>
>> To get a list of supported ciphers, use "ipsec listalgs".
>> It will list cipher-hmac-modp pairs.
>> The names that are displayed there cannot be used in your ipsec.conf,
>> as the name formatting in ipsec.conf is a different one.
>> If your version of strongSwan is compiled with
>> the "aes" or "des" modules and those are loaded,
>> strongSwan should be capable of using those encryption algorithms.
>>
>> As far as I know, each crypto module of strongSwan implements
>> the cipher in userland, so it is completely kernel independent.
>>
>> There is, however, the "af-alg" module, that uses the kernel API to
>> provide more ciphers for strongSwan to choose from, and hence the
>> ciphers it provides are kernel dependent.
>>
>> It might be very useful to make strongSwan log to a file or syslog.
>> The following example will make strongSwan log to syslog
>> with the "daemon" facility, packet encoding set to no logging (-1),
>> config,
>> low-level en- and decoding set to generic control flow with errors (1)
>> and IKE network communication, as well as IKE_SA to basic auditing log
>> (0).
>> It also makes it log to a file with mostly raw dumps in hexadecimal form
>> (3).
>> You can take a look at the manpage for
>> strongswan.conf to see all the possible settings.
>>
>> Example:
>> charon {
>>     syslog {
>>         daemon {
>>             enc = -1
>>             cfg = 1
>>             asn = 1
>>             net = 0
>>             ike = 0
>>         }
>>     }
>>     filelog {
>>         /var/log/charon.log {
>>             default = 3
>>             enc = 2
>>             cfg = 3
>>             asn = 3
>>             append = no
>>             ike_name = no
>>         }
>>     }
>> }
>>
>> See the manpage for strongswan.conf for all the options.
>> With cfg set to 2, you can see the proposals of the two peers.
>>
>> Regards,
>> Noel Kuntze
>>
>>
>>
>>
>> -------- Original Message --------
>> Subject: Re:Re: [strongSwan] unable to add SAD entry with SPI
>> Date: Wed, 28 Aug 2013 16:59:37 +0800 (CST)
>> From: lily <xuxiaoli86 at 126.com>
>> To: Noel Kuntze <noel at familie-kuntze.de>, users at lists.strongswan.org
>>
>>
>>
>>
>> Hi, Noel
>>
>> Thank you for all guides in detail very much.
>> At last, we found that if we set CONFIG_CRYPTO_NULL=y and set 'esp=null-sha1!'
>> in the ipsec.conf file, we can successfully establish the connection between
>> the two routers.
>> But computers in the subnets still cannot ping the other side.
>> The two routers can ping each other very well; however, they cannot ping the
>> computers on the other side either.
>> Do you have any advice for this case?
>> Are there still modules missing in the kernel even though it can establish
>> the connection successfully? Or are there just some mistakes in the config?
>> best regards and thank you for any help!
>> xuxl
>>
>>
>> At 2013-08-27 10:30:40,"Noel Kuntze" <noel at familie-kuntze.de> wrote:
>> > It seems my mail client mangled the message after it was signed by
>> > pgp. I'm sorry. I'll send one with a valid signature:
>>
>> > Hello,
>>
>> > To compile with "libipsec", you need to add "--enable-libipsec" to
>> > the arguments you give ./configure. It might end up looking like
>> > this: (This is taken from a script I wrote to build and package
>> > strongSwan on Arch Linux.)
>> >> ./configure --prefix=/usr --sbindir=/usr/bin --sysconfdir=/etc \
>> >>   --libexecdir=/usr/lib --with-ipsecdir=/usr/lib/strongswan \
>> >>   --enable-sqlite --enable-openssl --enable-curl --enable-sql \
>> >>   --enable-attr-sql --enable-farp --enable-dhcp --enable-eap-sim \
>> >>   --enable-eap-sim-file --enable-eap-simaka-pseudonym \
>> >>   --enable-eap-simaka-reauth --enable-eap-identity --enable-eap-md5 \
>> >>   --enable-eap-gtc --enable-eap-aka --enable-eap-aka-3gpp2 \
>> >>   --enable-eap-mschapv2 --enable-eap-radius --enable-xauth-eap \
>> >>   --enable-ha --disable-mysql --disable-ldap --enable-libipsec
>> > After configuring, just run "make" to compile.
>>
>> > When you installed strongSwan, you can load "libipsec" with the
>> > "charon.load" statement. This will look like this:
>> >> charon {
>> >>     load = charon test-vectors curl sqlite random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl af-alg gmp xcbc cmac hmac fips-prf ctr ccm gcm attr kernel-netlink socket-default farp stroke updown eap-identity eap-gtc eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp unity
>> >> }
>>
>> > All the modules that are to be loaded need to be in the same line
>> > as the "load" statement! You also need to make sure to include all
>> > the modules you need in the "load" statement, as it will disable
>> > automatic loading.
>>
>> > Doing this will give you a warning as soon as you start
>> > strongSwan. To disable this, you need to set "starter.load_warning"
>> > to "no":
>> >> starter { load_warning = no }
>>
>> > Regards, Noel Kuntze
>>
>> > On 27.08.2013 04:12, lily wrote:
>>
>> >> Hi, Noel
>>
>> >> Thanks for your reply. Would you pls explain the detail of how to
>> >> compile with libipsec and loading it with the "load" statement in
>> >> strongswan.conf?
>>
>> >> Sorry , I am a newbie to strongswan~~
>>
>> >> Br,
>>
>> >> At 2013-08-26 18:52:55,"Noel Kuntze" <noel at familie-kuntze.de>
>> >> wrote:
>> >>>
>> >> Hello xuxl,
>>
>> >> I've seen this behaviour on systems virtualized with OpenVZ. On
>> >> such systems, it is not possible to insert xfrm policies into the
>> >> kernel or use netlink's functionality. The solution to this
>> >> problem is compiling with libipsec and loading it with the
>> >> "load" statement in strongswan.conf.
>>
>> >> Regards, Noel Kuntze
>>
>> >> On 26.08.2013 12:48, lily wrote:
>>
>> >>> Dec 12 01:25:05 freescale daemon.info charon: 01[KNL] received netlink error: Function not implemented (38)
>>
>> >>>
>>
>>
>>
>>
>>
>>
>>
>
>
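As an added example (not part of the thread), a small Python checker that parses the `ipsec statusall` and `ip route list table 220` output posted above and reports the three things the thread circles around: whether IP forwarding and the table-220 route to the remote subnet are in place, whether any traffic has actually reached the CHILD_SA, and that `esp=null-sha1!` means the ESP payload is authenticated but not encrypted. The sample input is constructed from the output quoted above; the regexes follow charon's status line format.

```python
import re
# Constructed sample input, modelled on the 'ipsec statusall' and
# 'ip route list table 220' output quoted in the thread (not a live capture).
STATUSALL = """\
Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 2 minutes ago, 10.93.4.74[10.93.4.74]...10.96.61.8[10.96.61.8]
     net-net{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: ca552268_i c9a27b29_o
     net-net{1}:  NULL/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 12 minutes
     net-net{1}:   192.168.12.0/24 === 192.168.11.0/24
"""
ROUTE_220 = "192.168.11.0/24 via 10.96.61.8 dev ppp0 src 192.168.12.1\n"
# The three lines charon prints per CHILD_SA ("name{id}: ...").
SA_PREFIX = r"^\s*(?P<name>[\w-]+)\{(?P<id>\d+)\}:\s+"
CHILD_HDR = re.compile(SA_PREFIX + r"(?P<state>\w+), \w+, ESP(?P<udp> in UDP)? SPIs:")
CHILD_ALG = re.compile(SA_PREFIX + r"(?P<enc>[A-Z0-9_]+)/(?P<integ>[A-Z0-9_]+), "
                       r"(?P<bi>\d+) bytes_i, (?P<bo>\d+) bytes_o")
CHILD_TS = re.compile(SA_PREFIX + r"(?P<local>\S+) === (?P<remote>\S+)")

def parse_child_sas(status_text):
    """Return one dict per CHILD_SA: state, encapsulation, ciphers, counters, selectors."""
    sas = {}
    for line in status_text.splitlines():
        for rx in (CHILD_HDR, CHILD_ALG, CHILD_TS):
            m = rx.match(line)
            if not m:
                continue
            g = m.groupdict()
            sa = sas.setdefault((g["name"], g["id"]), {"name": g["name"]})
            if rx is CHILD_HDR:
                sa.update(state=g["state"], udp_encap=g["udp"] is not None)
            elif rx is CHILD_ALG:
                sa.update(enc=g["enc"], integ=g["integ"], bytes_in=int(g["bi"]), bytes_out=int(g["bo"]))
            else:
                sa.update(local_ts=g["local"], remote_ts=g["remote"])
            break
    return list(sas.values())

def audit(sas, route_table_220, ip_forward):
    """Findings a gateway operator should act on: forwarding, routing and cipher choice."""
    findings = []
    if ip_forward.strip() != "1":
        findings.append("net.ipv4.ip_forward != 1: LAN packets will not be forwarded into the tunnel")
    for sa in sas:
        if sa.get("enc") == "NULL":  # esp=null-sha1 gives integrity only, no confidentiality
            findings.append(f"{sa['name']}: ESP uses NULL encryption, payload crosses the link in clear")
        if sa.get("state") == "INSTALLED" and sa.get("bytes_in") == 0 and sa.get("bytes_out") == 0:
            findings.append(f"{sa['name']}: 0 bytes in/out, no traffic has reached the CHILD_SA yet")
        if sa.get("remote_ts") and sa["remote_ts"] not in route_table_220:
            findings.append(f"{sa['name']}: no route to {sa['remote_ts']} in table 220")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_child_sas(STATUSALL), ROUTE_220, "1"):
        print(finding)
```

On a real gateway, feed it the output of `ipsec statusall`, `ip route list table 220` and `sysctl -n net.ipv4.ip_forward` instead of the constructed strings.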