[strongSwan] strongswan-5.1.1 with 4.xx, tunnel pb

Noel Kuntze noel at familie-kuntze.de
Sun Dec 29 23:25:35 CET 2013



Hello,

What is the configuration of the other side and what is in the log of the other side?

If configured properly, strongSwan 4.x and strongSwan 5.x are compatible with each other.

Regards
Noel Kuntze

On 29.12.2013 22:43, s s wrote:
> Hello,
>
> I am having a persistent problem of being unable to establish a tunnel between two strongswan hosts
>
> root at bt:/etc/ipsec.d# ipsec up karmaIKE2
> initiating IKE_SA karmaIKE2[3] to 192.168.4.10
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 10.0.2.15[500] to 192.168.4.10[500]
> received packet: from 192.168.4.10[500] to 10.0.2.15[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> local host is behind NAT, sending keep alives
> received cert request for "STR4.3CA"
> received cert request for unknown ca with keyid b0:31:27:8b:2e:4b:cd:53:6d:c4:a7:fb:e9:56:1b:9f:34:cc:71:a7
> sending cert request for "STR4.3CA"
> authentication of 'STR4.3host.cert' (myself) with RSA signature successful
> sending end entity cert "STR4.3host.cert"
> establishing CHILD_SA karmaIKE2
> generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
> retransmit 1 of request with message ID 1
> sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
> retransmit 2 of request with message ID 1
> sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
>
>
> The status is stuck on "CONNECTING", which never happens:
>
> root at bt:/etc/ipsec.d# ipsec statusall
>
>    karmaIKE2:  10.0.2.15...192.168.4.10
>    karmaIKE2:   local:  [STR4.3host.cert] uses public key authentication
>    karmaIKE2:    cert:  "STR4.3host.cert"
>    karmaIKE2:   remote: [karma.ucp-is.com] uses any authentication
>    karmaIKE2:    cert:  "KRM5.1host.cert"
>    karmaIKE2:   child:  10.0.2.0/24 === 192.168.4.0/24
> Security Associations:
>    karmaIKE2[15]: CONNECTING, 10.0.2.15[STR4.3host.cert]...192.168.4.10[KRM5.1host.cert]
>    karmaIKE2[15]: IKE SPIs: 6d2c0e380935a207_i* 518160338263e01f_r
>
> After 5 rekeying attempts, it stops.
>
> Dec 29 22:23:27 bt charon: 07[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> Dec 29 22:23:27 bt charon: 07[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
>
> ==> /var/log/syslog <==
> Dec 29 22:23:31 bt charon: 09[IKE] retransmit 1 of request with message ID 1
> Dec 29 22:23:31 bt charon: 09[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
>
> ==> /var/log/daemon.log <==
> Dec 29 22:23:31 bt charon: 09[IKE] retransmit 1 of request with message ID 1
> Dec 29 22:23:31 bt charon: 09[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
>
> ==> /var/log/syslog <==
> Dec 29 22:23:38 bt charon: 15[IKE] retransmit 2 of request with message ID 1
> Dec 29 22:23:38 bt charon: 15[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
>
>
>
> The policy for the channel does set up, but nothing works
>
> [root at karma strongswan]# ip xfrm policy
> src 10.0.2.0/24 dst 192.168.4.0/24
>         dir in priority 1859
>         tmpl src 192.168.4.87 dst 192.168.4.10
>                 proto esp reqid 4 mode tunnel
> src 192.168.4.0/24 dst 10.0.2.0/24
>         dir out priority 1859
>         tmpl src 192.168.4.10 dst 192.168.4.87
>                 proto esp reqid 4 mode tunnel
> src 10.0.2.0/24 dst 192.168.4.0/24
>         dir fwd priority 1859
>         tmpl src 192.168.4.87 dst 192.168.4.10
>                 proto esp reqid 4 mode tunnel
>
>
> Any hint how to fix it would be highly appreciated,
> Regards,
> Serge
>
>
>
>
>
>
> Is the 4.xx branch compatible with the 5.x one?
> I am unable to establish a tunnel in between 2 strongswan hosts one running the strongSwan U4.3.2/K2.6.38
>  and the second strongSwan U5.1.1/K2.6.18-308.16.1.el5PAE
>
> The configuration is more than classical: net-net
>
>
> conn karmaIKE2
>      left=%defaultroute
>      leftsubnet=10.0.2.0/24
>      leftcert=lnvo.hostCert.pem
>      right=192.168.4.10
>      rightsubnet=192.168.4.0/24
>      rightcert=peercerts/karmaY2034.hostCert.pem
>      keyexchange=ikev2
>      mobike=yes
>      auto=add
>
>
> root at bt:/etc/ipsec.d# ipsec up karmaIKE2
> initiating IKE_SA karmaIKE2[1] to 192.168.4.10
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 10.0.2.15[500] to 192.168.4.10[500]
> received packet: from 192.168.4.10[500] to 10.0.2.15[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> local host is behind NAT, sending keep alives
> received cert request for "STR4.3CA"
> received cert request for unknown ca with keyid b0:31:27:8b:2e:4b:cd:53:6d:c4:a7:fb:e9:56:1b:9f:34:cc:71:a7
> sending cert request for "STR4.3CA"
> authentication of 'STR4.3host.cert' (myself) with RSA signature successful
> sending end entity cert "STR4.3host.cert"
> establishing CHILD_SA karmaIKE2
> generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
> retransmit 1 of request with message ID 1
> sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
>
>
> But the tunnel
>
> root at bt:/etc/ipsec.d# ipsec statusall
> 000 Status of IKEv1 pluto daemon (strongSwan 4.3.2):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth0/eth0 10.0.2.15:500
> 000 %myid = (none)
> 000 loaded plugins: curl ldap random pubkey openssl hmac gmp
> 000 debug options: none
> 000
> Status of IKEv2 charon daemon (strongSwan 4.3.2):
>   uptime: 7 minutes, since Dec 23 10:27:59 2013
>   worker threads: 9 idle of 16, job queue load: 0, scheduled events: 1
>   loaded plugins: curl ldap random x509 pubkey openssl xcbc hmac agent gmp kernel-netlink stroke updown eapidentity eapmd5 eapgtc eapaka eapmschapv2
> Listening IP addresses:
>   10.0.2.15
> Connections:
>    karmaIKE2:  10.0.2.15...192.168.4.10
>    karmaIKE2:   local:  [STR4.3host.cert] uses public key authentication
>    karmaIKE2:    cert:  "STR4.3host.cert"
>    karmaIKE2:   remote: [STR5.1host.cert] uses any authentication
>    karmaIKE2:    cert:  STR5.1host.cert"
>    karmaIKE2:   child:  10.0.2.0/24 === 0.0.0.0/0
> Security Associations:
>    karmaIKE2[1]: CREATED, 10.0.2.15[STR4.3host.cert]...192.168.4.10[STR5.1host.cert]
>    karmaIKE2[1]: IKE SPIs: 3483591a1d20afaf_i* 0000000000000000_r
>    karmaIKE2[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>
> The logs show
> Dec 23 10:32:01 bt charon: 16[IKE] establishing CHILD_SA karmaIKE2
> Dec 23 10:32:01 bt charon: 16[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> Dec 23 10:32:01 bt charon: 16[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
>
> But this child tunnel could not be set up,
> which results in the inability to reach the hosts and the networks behind them.
>
> I am still running the routing problem between the same two strongSwan U5.1.1/K2.6.18-308.16.1.el5PAE hosts, one of them being behind the NATed gateway and unable to reach it through the tunnel, which apparently doesn't route the packets.
>
> Any help would be much appreciated.
> Rgds,
> Serge
>
>
> ----
>
> Is standard Centos 5.x kernel 2.6.18-308.16.1.el5PAE compatible at all with
> [root@ ~]# strongswan version
> Linux strongSwan U5.1.1/K2.6.18-308.16.1.el5PAE
>
> We are unable to fix the routing problem. When the remote host is behind the NAT'ed provider's server, it cannot be reached at all:
>
>
>  msc-hmnet{12}:   192.168.4.0/24 === 192.168.3.0/24
> [root at karma ~]# ping 192.168.3.56
> PING 192.168.3.56 (192.168.3.56) 56(84) bytes of data.
>
> --- 192.168.3.56 ping statistics ---
> 2 packets transmitted, 0 received, 100% packet loss, time 999ms
>
> 
>
>
> ----
>>> But out of the 2 tunnels only 1 is reachable. The other one doesn't ping.
>> Does that tunnel work if you don't establish the other one?
> No, it doesn't.
> Besides, once the 192.168.3.0/24 host is behind the NAT'ed gateway, neither of the tunnels works.
> 
>> Also, I'd try to disable IPComp for testing. There seems to be an issue
>> with IPcomp on some kernels in some scenarios.
> What is IPComp and how do I disable it?
>
> We use a standard Centos 5.x kernel
> 2.6.18-308.16.1.el5PAE #1 SMP Tue Oct 2 22:49:17 EDT 2012 i686 i686 i386 GNU/Linux
>
> Could anyone help to troubleshoot the problem and resolve the issue?
>
> Rgds,
> Serge
>

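One way to triage charon output like the excerpts quoted in this thread, added here as an example (it is not code from the thread or from strongSwan): the script tracks every IKEv2 request by message ID and flags requests that keep being retransmitted without a parsed response, noting when the stalled exchange is IKE_AUTH on UDP/4500 after NAT detection. The embedded log lines are constructed from the quoted syslog excerpt.

```python
import re

# Constructed sample, modelled on the charon lines quoted in the thread.
SAMPLE_LOG = """\
Dec 29 22:23:27 bt charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Dec 29 22:23:27 bt charon: 07[NET] sending packet: from 10.0.2.15[500] to 192.168.4.10[500]
Dec 29 22:23:27 bt charon: 07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Dec 29 22:23:27 bt charon: 07[IKE] local host is behind NAT, sending keep alives
Dec 29 22:23:27 bt charon: 07[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
Dec 29 22:23:27 bt charon: 07[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
Dec 29 22:23:31 bt charon: 09[IKE] retransmit 1 of request with message ID 1
Dec 29 22:23:31 bt charon: 09[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
Dec 29 22:23:38 bt charon: 15[IKE] retransmit 2 of request with message ID 1
Dec 29 22:23:38 bt charon: 15[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
"""

REQ = re.compile(r"generating (IKE_SA_INIT|IKE_AUTH|CREATE_CHILD_SA) request (\d+)")
RESP = re.compile(r"parsed (IKE_SA_INIT|IKE_AUTH|CREATE_CHILD_SA) response (\d+)")
RETRANS = re.compile(r"retransmit (\d+) of request with message ID (\d+)")
SEND = re.compile(r"sending packet: from \S+\[(\d+)\] to \S+\[(\d+)\]")

def analyze(log_text):
    # Per message ID: which exchange was requested, which got a response, how often retransmitted.
    state = {"requests": {}, "responses": set(), "retransmits": {}, "ports": set(), "behind_nat": False}
    for line in log_text.splitlines():
        if m := REQ.search(line):
            state["requests"][int(m.group(2))] = m.group(1)
        elif m := RESP.search(line):
            state["responses"].add(int(m.group(2)))
        elif m := RETRANS.search(line):
            mid = int(m.group(2))
            state["retransmits"][mid] = max(state["retransmits"].get(mid, 0), int(m.group(1)))
        elif m := SEND.search(line):
            state["ports"].add(int(m.group(2)))  # destination UDP port used for the exchange
        elif "local host is behind NAT" in line:
            state["behind_nat"] = True
    return state

def diagnose(log_text):
    # One finding per request that was retransmitted but never answered.
    s = analyze(log_text)
    findings = []
    for mid, exch in sorted(s["requests"].items()):
        if mid in s["responses"]: continue
        n = s["retransmits"].get(mid, 0)
        msg = f"{exch} request (message ID {mid}) retransmitted {n} times, no response parsed"
        if exch == "IKE_AUTH" and s["behind_nat"] and 4500 in s["ports"]:
            msg += "; IKE_SA_INIT was answered on UDP/500 but IKE_AUTH moved to UDP/4500 after NAT detection: check UDP/4500 reachability and the responder's log for IKE_AUTH processing"
        findings.append(msg)
    return findings
```

Run it against a full `/var/log/daemon.log` excerpt for the stalled IKE_SA; a finding on IKE_AUTH with no parsed response means the responder's side (its config and log, as asked above) is where the answer lies.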