[strongSwan] connection not initiating

Karl Hiramoto karl at hiramoto.org
Sat Dec 7 00:21:18 CET 2013


Hi,

I'm trying to set up something like:
http://www.strongswan.org/uml/testresults/ikev2/ip-pool/

I'm not sure why it's not starting up. I see some IPv6 errors which I 
assume are safe to ignore as I'm not using IPv6 and don't have it 
compiled into the kernel.

Any ideas what's wrong? With a tcpdump there is no traffic when I try 
to start up.

On the roadwarrior "carol"

# ipsec start --nofork --debug-all

Starting strongSwan 5.1.1 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for charon.
!! This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
Loading config setup
Loading conn %default
   ikelifetime=60m
   keylife=20m
   rekeymargin=3m
   keyingtries=1
   keyexchange=ikev2
Loading conn 'home'
   left=192.168.255.1
   leftsourceip=%config
   leftcert=EK1Cert.der
   leftid=ek1 at vpex.org
   leftfirewall=yes
   right=192.168.255.2
   rightsubnet=192.168.12.0/24
   rightid=192.168.255.1
   auto=add
found netkey IPsec stack
Attempting to start charon...
00[DMN] Starting IKE charon daemon (strongSwan 5.1.1, Linux 3.6.9, armv7l)
00[NET] could not open socket: Address family not supported by protocol
00[NET] could not open IPv6 socket, IPv6 disabled
00[KNL] received netlink error: Address family not supported by protocol (97)
00[KNL] unable to create IPv6 routing table rule
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/EK1Key.der'
00[LIB] loaded plugins: charon curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
00[LIB] unable to load 11 plugin features (11 due to unmet dependencies)
00[JOB] spawning 16 worker threads
charon (1092) started after 120 ms
11[CFG] received stroke: add connection 'home'
11[CFG]   loaded certificate "C=CH, O=strongSwan, CN=ek1 at vpex.org" from 'EK1Cert.der'
11[CFG] added configuration 'home'




# ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.1, Linux 3.6.9, armv7l):
   uptime: 90 seconds, since Jan 01 04:31:08 2007
   malloc: sbrk 532480, mmap 0, used 166552, free 365928
   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
   loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
   10.64.1.8
   192.168.255.1
Connections:
         home:  192.168.255.1...192.168.255.2  IKEv2
         home:   local:  [ek1 at vpex.org] uses public key authentication
         home:    cert:  "C=CH, O=strongSwan, CN=ek1 at vpex.org"
         home:   remote: [192.168.255.1] uses public key authentication
         home:   child:  dynamic === 192.168.12.0/24 TUNNEL
Security Associations (0 up, 0 connecting):



# ip -s xfrm policy
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
         socket in action allow index 283 priority 0 ptype main share any flag  (0x00000000)
         lifetime config:
           limit: soft 0(bytes), hard 0(bytes)
           limit: soft 0(packets), hard 0(packets)
           expire add: soft 0(sec), hard 0(sec)
           expire use: soft 0(sec), hard 0(sec)
         lifetime current:
           0(bytes), 0(packets)
           add 2007-01-01 04:31:07 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
         socket out action allow index 276 priority 0 ptype main share any flag  (0x00000000)
         lifetime config:
           limit: soft 0(bytes), hard 0(bytes)
           limit: soft 0(packets), hard 0(packets)
           expire add: soft 0(sec), hard 0(sec)
           expire use: soft 0(sec), hard 0(sec)
         lifetime current:
           0(bytes), 0(packets)
           add 2007-01-01 04:31:07 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
         socket in action allow index 267 priority 0 ptype main share any flag  (0x00000000)
         lifetime config:
           limit: soft 0(bytes), hard 0(bytes)
           limit: soft 0(packets), hard 0(packets)
           expire add: soft 0(sec), hard 0(sec)
           expire use: soft 0(sec), hard 0(sec)
         lifetime current:
           0(bytes), 0(packets)
           add 2007-01-01 04:31:07 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
         socket out action allow index 260 priority 0 ptype main share any flag  (0x00000000)
         lifetime config:
           limit: soft 0(bytes), hard 0(bytes)
           limit: soft 0(packets), hard 0(packets)
           expire add: soft 0(sec), hard 0(sec)
           expire use: soft 0(sec), hard 0(sec)
         lifetime current:
           0(bytes), 0(packets)
           add 2007-01-01 04:31:07 use -




# cat /etc/strongswan.conf

charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
}

When compiling, the configure options are:

./configure --build=x86_64-linux --host=arm-poky-linux-gnueabi \
  --target=arm-poky-linux-gnueabi --prefix=/usr --exec_prefix=/usr \
  --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/lib/strongswan \
  --datadir=/usr/share --sysconfdir=/etc --sharedstatedir=/com \
  --localstatedir=/var --libdir=/usr/lib --includedir=/usr/include \
  --oldincludedir=/usr/include --infodir=/usr/share/info \
  --mandir=/usr/share/man --disable-silent-rules \
  --disable-dependency-tracking \
  --with-libtool-sysroot=/home/karl/Work/yocto/poky-dylan-9.0.2/build/tmp/sysroots/exokey \
  --enable-curl --disable-soup --disable-ldap --enable-gmp --disable-mysql \
  --disable-sqlite --enable-openssl --enable-gcrypt --enable-nonce



Thanks,

Karl
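As an added example (mine, not code from the strongSwan project or from the post above): a small Python linter over the "Loading conn" block that the starter echoes. It encodes two checks a practitioner would make before reaching for tcpdump. First, auto=add only loads a conn into charon; a road warrior configured that way sends nothing until someone runs `ipsec up <name>` (auto=start initiates at startup, auto=route installs a trap policy and initiates on demand). Second, rightid is the identity the local side requires the peer to prove with its certificate, so a rightid equal to one of this host's own listening addresses is suspect. The sample input and the local address set are copied from the post; the '@' in leftid is restored from the archive's " at " rendering. Whether the peer's certificate actually carries a given identity is an assumption this script cannot check offline.

```python
"""Lint the conn definitions that `ipsec start --debug-all` echoes, looking
for settings that explain "no traffic on the wire" for a road warrior.

Added example; not strongSwan code and not part of the original post.
"""
import re
from typing import Dict, List, Set

# Constructed sample: the starter's "Loading conn" blocks as posted.
# (The list archive renders the '@' in leftid as ' at '.)
STARTER_OUTPUT = """\
Loading conn %default
   ikelifetime=60m
   keylife=20m
   rekeymargin=3m
   keyingtries=1
   keyexchange=ikev2
Loading conn 'home'
   left=192.168.255.1
   leftsourceip=%config
   leftcert=EK1Cert.der
   leftid=ek1@vpex.org
   leftfirewall=yes
   right=192.168.255.2
   rightsubnet=192.168.12.0/24
   rightid=192.168.255.1
   auto=add
"""

# Taken from the "Listening IP addresses" section of `ipsec statusall`.
LOCAL_ADDRESSES: Set[str] = {"10.64.1.8", "192.168.255.1"}

CONN_RE = re.compile(r"^Loading conn '?(.+?)'?$")
PARAM_RE = re.compile(r"^\s+(\w+)=(.*)$")


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Map each conn name (including %default) to its key=value parameters."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        m = PARAM_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return conns


def effective(conns: Dict[str, Dict[str, str]], name: str) -> Dict[str, str]:
    """ipsec.conf semantics: a conn inherits %default, then overrides it."""
    merged = dict(conns.get("%default", {}))
    merged.update(conns[name])
    return merged


def lint(conn: Dict[str, str], local_addresses: Set[str]) -> List[str]:
    """Findings for settings that keep a road warrior from initiating or
    from ever authenticating the peer."""
    findings: List[str] = []
    auto = conn.get("auto", "ignore")  # ipsec.conf default for auto
    if auto == "add":
        findings.append(
            "auto=add only loads the conn; nothing is sent until "
            "'ipsec up <name>' (auto=start initiates at startup, "
            "auto=route initiates on first matching packet)")
    rightid = conn.get("rightid")
    if rightid and rightid in local_addresses:
        findings.append(
            f"rightid={rightid} is one of this host's own addresses; it "
            "must be an identity the peer's certificate carries "
            "(subject DN or subjectAltName), or authentication fails")
    return findings


if __name__ == "__main__":
    conns = parse_conns(STARTER_OUTPUT)
    for name in conns:
        if name == "%default":
            continue
        for finding in lint(effective(conns, name), LOCAL_ADDRESSES):
            print(f"{name}: {finding}")
```

On the posted block the script reports both findings for 'home'; with auto=start (or after `ipsec up home`) and a rightid that names the peer, it reports none.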
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20131207/3dce2f32/attachment.html>