[strongSwan] connection not initiating

Karl Hiramoto karl at hiramoto.org
Sat Dec 7 00:27:26 CET 2013


Actually, I sent this email too soon. I changed to "auto=start" and it
starts, but I've got to double-check the keys.

06[CFG] received stroke: initiate 'home'
06[IKE] initiating IKE_SA home[1] to 192.168.255.2
06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
06[NET] sending packet: from 192.168.255.1[500] to 192.168.255.2[500] (692 bytes)
08[NET] received packet: from 192.168.255.2[500] to 192.168.255.1[500] (465 bytes)
08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
08[IKE] received 1 cert requests for an unknown ca
08[IKE] authentication of 'ek1 at vpex.org' (myself) with RSA signature successful
08[IKE] sending end entity cert "C=CH, O=strongSwan, CN=ek1 at vpex.org"
08[IKE] establishing CHILD_SA home
08[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
08[NET] sending packet: from 192.168.255.1[4500] to 192.168.255.2[4500] (1484 bytes)
09[NET] received packet: from 192.168.255.2[4500] to 192.168.255.1[4500] (76 bytes)
09[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
09[IKE] received AUTHENTICATION_FAILED notify error



On 12/07/2013 12:21 AM, Karl Hiramoto wrote:
> Hi,
>
> I'm trying to set up something like:
> http://www.strongswan.org/uml/testresults/ikev2/ip-pool/
>
> I'm not sure why it's not starting up. I see some IPv6 errors which
> I assume are safe to ignore, as I'm not using IPv6 and don't have it
> compiled into the kernel.
>
> Any ideas what's wrong? With a tcpdump there is no traffic when I
> try to start up.
>
> On the roadwarrior "carol"
>
> # ipsec start --nofork --debug-all
>
> Starting strongSwan 5.1.1 IPsec [starter]...
> !! Your strongswan.conf contains manual plugin load options for charon.
> !! This is recommended for experts only, see
> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> Loading config setup
> Loading conn %default
>   ikelifetime=60m
>   keylife=20m
>   rekeymargin=3m
>   keyingtries=1
>   keyexchange=ikev2
> Loading conn 'home'
>   left=192.168.255.1
>   leftsourceip=%config
>   leftcert=EK1Cert.der
>   leftid=ek1 at vpex.org
>   leftfirewall=yes
>   right=192.168.255.2
>   rightsubnet=192.168.12.0/24
>   rightid=192.168.255.1
>   auto=add
> found netkey IPsec stack
> Attempting to start charon...
> 00[DMN] Starting IKE charon daemon (strongSwan 5.1.1, Linux 3.6.9, armv7l)
> 00[NET] could not open socket: Address family not supported by protocol
> 00[NET] could not open IPv6 socket, IPv6 disabled
> 00[KNL] received netlink error: Address family not supported by protocol (97)
> 00[KNL] unable to create IPv6 routing table rule
> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/EK1Key.der'
> 00[LIB] loaded plugins: charon curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
> 00[LIB] unable to load 11 plugin features (11 due to unmet dependencies)
> 00[JOB] spawning 16 worker threads
> charon (1092) started after 120 ms
> 11[CFG] received stroke: add connection 'home'
> 11[CFG]   loaded certificate "C=CH, O=strongSwan, CN=ek1 at vpex.org" from 'EK1Cert.der'
> 11[CFG] added configuration 'home'
>
>
>
>
> # ipsec statusall
> Status of IKE charon daemon (strongSwan 5.1.1, Linux 3.6.9, armv7l):
>   uptime: 90 seconds, since Jan 01 04:31:08 2007
>   malloc: sbrk 532480, mmap 0, used 166552, free 365928
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
> Listening IP addresses:
>   10.64.1.8
>   192.168.255.1
> Connections:
>         home:  192.168.255.1...192.168.255.2  IKEv2
>         home:   local:  [ek1 at vpex.org] uses public key authentication
>         home:    cert:  "C=CH, O=strongSwan, CN=ek1 at vpex.org"
>         home:   remote: [192.168.255.1] uses public key authentication
>         home:   child:  dynamic === 192.168.12.0/24 TUNNEL
> Security Associations (0 up, 0 connecting):
>
>
>
> # ip -s xfrm policy
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>         socket in action allow index 283 priority 0 ptype main share any flag  (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2007-01-01 04:31:07 use -
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>         socket out action allow index 276 priority 0 ptype main share any flag  (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2007-01-01 04:31:07 use -
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>         socket in action allow index 267 priority 0 ptype main share any flag  (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2007-01-01 04:31:07 use -
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>         socket out action allow index 260 priority 0 ptype main share any flag  (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2007-01-01 04:31:07 use -
>
>
>
>
> # cat /etc/strongswan.conf
>
> charon {
>   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
> }
>
> When compiling the configure opts are:
>
> ./configure --build=x86_64-linux --host=arm-poky-linux-gnueabi 
> --target=arm-poky-linux-gnueabi --prefix=/usr --exec_prefix=/usr 
> --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/lib/strongswan 
> --datadir=/usr/share --sysconfdir=/etc --sharedstatedir=/com 
> --localstatedir=/var --libdir=/usr/lib --includedir=/usr/include 
> --oldincludedir=/usr/include --infodir=/usr/share/info 
> --mandir=/usr/share/man --disable-silent-rules 
> --disable-dependency-tracking 
> --with-libtool-sysroot=/home/karl/Work/yocto/poky-dylan-9.0.2/build/tmp/sysroots/exokey 
> --enable-curl --disable-soup --disable-ldap --enable-gmp 
> --disable-mysql --disable-sqlite --enable-openssl --enable-gcrypt 
> --enable-nonce
>
>
>
> Thanks,
>
> Karl
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
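The thread shows the two stages a "connection not initiating" report usually passes through: first nothing is sent at all (the conn is loaded with auto=add and never brought up), then, once initiated, IKE_SA_INIT completes but the responder answers IKE_AUTH with N(AUTH_FAILED), with "received 1 cert requests for an unknown ca" as the tell-tale just before it. The script below is an added example, not code from the post or from the strongSwan project: it parses the starter's "Loading conn" echo and the charon log lines into structured events, lints the conn for the auto=add trap and a rightid that equals the local address (a heuristic of my own, not a strongSwan rule), and reports how far the IKEv2 exchange got and which notify stopped it. Both sample texts are constructed, adapted from the lines quoted above; the identity is written as ek1@vpex.org, which assumes the archive's "ek1 at vpex.org" is the usual address obfuscation.

```python
"""Triage a strongSwan 5.x starter/charon log for a conn that never comes up.

Added example (not from the post or strongSwan). Sample texts are constructed
from the thread; 'ek1@vpex.org' assumes the archive obfuscated an '@'.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_STARTER = """\
Loading conn %default
  keyexchange=ikev2
Loading conn 'home'
  left=192.168.255.1
  leftsourceip=%config
  leftid=ek1@vpex.org
  right=192.168.255.2
  rightsubnet=192.168.12.0/24
  rightid=192.168.255.1
  auto=add
"""

SAMPLE_CHARON = """\
06[CFG] received stroke: initiate 'home'
06[IKE] initiating IKE_SA home[1] to 192.168.255.2
06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
08[IKE] received 1 cert requests for an unknown ca
08[IKE] authentication of 'ek1@vpex.org' (myself) with RSA signature successful
08[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR) SA TSi TSr ]
09[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
09[IKE] received AUTHENTICATION_FAILED notify error
"""

CHARON_LINE = re.compile(r"^(?P<thread>\d+)\[(?P<sub>[A-Z]+)\]\s+(?P<msg>.*)$")
PAYLOAD_LIST = re.compile(r"\[\s*(?P<payloads>[^\]]*)\]\s*$")


def parse_starter_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Collect the key=value settings that 'ipsec start --nofork' echoes per conn."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^Loading conn '?([^']+)'?$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            conns[current][key.strip()] = value.strip()
    return conns


def lint_conn(cfg: Dict[str, str]) -> List[str]:
    """Static checks on one conn; each finding is a plain sentence."""
    findings = []
    # auto=add only loads the conn: no packet is sent until 'ipsec up <conn>'.
    if cfg.get("auto", "ignore") == "add":
        findings.append("auto=add: conn is loaded but never initiated; "
                        "run 'ipsec up <conn>' or set auto=start")
    # Heuristic (mine, not strongSwan's): rightid is the identity we expect
    # from the PEER, so it should not be our own left address.
    if cfg.get("rightid") and cfg.get("rightid") == cfg.get("left"):
        findings.append("rightid equals our own left address; "
                        "the expected peer identity is probably wrong")
    return findings


def parse_charon(text: str) -> List[Tuple[str, str, str]]:
    """Split charon lines into (thread, subsystem, message)."""
    events = []
    for raw in text.splitlines():
        m = CHARON_LINE.match(raw.strip())
        if m:
            events.append((m.group("thread"), m.group("sub"), m.group("msg")))
    return events


def notifies_in(msg: str) -> List[str]:
    """Return the N(...) notify payloads listed at the end of an ENC line."""
    m = PAYLOAD_LIST.search(msg)
    return [p for p in m.group("payloads").split() if p.startswith("N(")] if m else []


def triage_exchange(events: List[Tuple[str, str, str]]) -> Dict[str, object]:
    """Walk the IKEv2 exchange and record how far it got and what stopped it."""
    r: Dict[str, object] = {"stage": "not initiated", "unknown_ca": False,
                            "self_auth_ok": False, "auth_failed": False, "notifies": []}
    for _thread, sub, msg in events:
        if sub == "IKE" and msg.startswith("initiating IKE_SA"):
            r["stage"] = "IKE_SA_INIT sent"
        elif sub == "ENC" and msg.startswith("parsed IKE_SA_INIT response"):
            r["stage"] = "IKE_SA_INIT completed"  # peer reachable, proposal agreed
        elif sub == "IKE" and "cert requests for an unknown ca" in msg:
            r["unknown_ca"] = True
        elif sub == "IKE" and "(myself)" in msg and msg.endswith("successful"):
            r["self_auth_ok"] = True
        elif sub == "ENC" and msg.startswith("generating IKE_AUTH request"):
            r["stage"] = "IKE_AUTH sent"
        elif sub == "ENC" and msg.startswith("parsed IKE_AUTH response"):
            r["stage"] = "IKE_AUTH answered"
            r["notifies"] = notifies_in(msg)
        elif sub == "IKE" and "AUTHENTICATION_FAILED" in msg:
            r["auth_failed"] = True
            r["stage"] = "IKE_AUTH rejected by peer"
        elif sub == "IKE" and "established between" in msg:
            r["stage"] = "established"
    return r


def explain(r: Dict[str, object]) -> List[str]:
    """Turn the triage result into next steps for the operator."""
    hints = []
    if r["stage"] == "not initiated":
        hints.append("no 'initiating IKE_SA' line: nothing was sent (check auto= / ipsec up)")
    if r["unknown_ca"]:
        hints.append("peer's CERTREQ names a CA missing from /etc/ipsec.d/cacerts; "
                     "both ends must trust the CA that issued the other's certificate")
    if r["auth_failed"]:
        why = "our signature verified locally; " if r["self_auth_ok"] else ""
        hints.append(why + "AUTHENTICATION_FAILED came from the peer, so the reason "
                     "(untrusted CA, ID/cert mismatch, no matching conn) is in the peer's log")
    return hints


if __name__ == "__main__":
    for name, cfg in parse_starter_conns(SAMPLE_STARTER).items():
        for finding in lint_conn(cfg):
            print(f"conn {name}: {finding}")
    result = triage_exchange(parse_charon(SAMPLE_CHARON))
    print(f"stage: {result['stage']}  notifies: {result['notifies']}")
    for hint in explain(result):
        print(" -", hint)
```

Run it against a real capture by replacing the two samples with the output of `ipsec start --nofork --debug-all` and the charon log; the point of splitting the log into (thread, subsystem, message) first is that the interesting IKE lines are interleaved across worker threads and are easy to misread when wrapped by a mail client, as above.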
