[strongSwan] strongswan-5.1.1 with 4.xx, tunnel pb

s s y52 at europe.com
Mon Dec 30 21:04:39 CET 2013


Hello,

The complete configuration of both hosts is as follows:

root at bt:/etc/ipsec.d# ipsec --version
Linux strongSwan U4.3.2/K2.6.38

conn karmaIKE2
     left=%defaultroute
     leftsubnet=10.0.2.0/24
     leftcert=lnvo.hostCert.pem
     right=192.168.4.10
     rightsubnet=192.168.4.0/24
     rightcert=peercerts/karmaY2034.hostCert.pem
     rightid=@karma.mynet.com
     keyexchange=ikev2
     mobike=yes
     auto=add




[root at karma strongswan]# strongswan --version
Linux strongSwan U5.1.1/K2.6.18-308.16.1.el5PAE

conn %default
        left=%defaultroute
        leftcert=karmaY2034.hostCert.pem

conn karmaIKE2
        right=%any
        rightcert=peercerts/lnvo.hostCert.pem
        rightsubnet=10.0.2.0/24
        leftcert=karmaY2034.hostCert.pem
        leftid=@karma.mynet.com
        leftsubnet=192.168.4.0/24
        leftfirewall=yes
        keyexchange=ikev2
        mobike=yes
        auto=add



[root at karma strongswan]# cat /var/log/messages |grep "Dec 29 22:23"

Dec 29 22:23:18 karma charon: 08[NET] received packet: from 192.168.4.87[52704] to 192.168.4.10[500] (700 bytes) 
Dec 29 22:23:18 karma charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 
Dec 29 22:23:18 karma charon: 08[IKE] 192.168.4.87 is initiating an IKE_SA 
Dec 29 22:23:19 karma charon: 08[IKE] remote host is behind NAT 
Dec 29 22:23:19 karma charon: 08[IKE] sending cert request for "STR4.3CA" 
Dec 29 22:23:19 karma charon: 08[IKE] sending cert request for "STR5.1CA" 
Dec 29 22:23:19 karma charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] 
Dec 29 22:23:19 karma charon: 08[NET] sending packet: from 192.168.4.10[500] to 192.168.4.87[52704] (485 bytes) 
Dec 29 22:23:19 karma charon: 11[NET] received packet: from 192.168.4.87[62698] to 192.168.4.10[4500] (1500 bytes) 
Dec 29 22:23:19 karma charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ] 
Dec 29 22:23:19 karma charon: 11[IKE] received cert request for "STR4.3CA" 
Dec 29 22:23:19 karma charon: 11[IKE] received end entity cert "STR4.3host.cert" 
Dec 29 22:23:19 karma charon: 11[CFG] looking for peer configs matching 192.168.4.10[karma.mynet.com]...192.168.4.87[STR4.3host.cert] 
Dec 29 22:23:19 karma charon: 11[CFG] selected peer config 'karmaIKE2' 
Dec 29 22:23:19 karma charon: 11[CFG]   using trusted ca certificate "STR4.3CA" 
Dec 29 22:23:19 karma charon: 11[CFG] checking certificate status of "STR4.3host.cert" 
Dec 29 22:23:19 karma charon: 11[CFG] certificate status is not available 
Dec 29 22:23:19 karma charon: 11[CFG]   reached self-signed root ca with a path length of 0 
Dec 29 22:23:19 karma charon: 11[CFG]   using trusted certificate "STR4.3host.cert" 
Dec 29 22:23:19 karma charon: 11[IKE] authentication of 'STR4.3host.cert' with RSA signature successful 
Dec 29 22:23:19 karma charon: 11[IKE] peer supports MOBIKE 
Dec 29 22:23:19 karma charon: 11[IKE] authentication of 'karma.mynet.com' (myself) with RSA signature successful 
Dec 29 22:23:19 karma charon: 11[IKE] IKE_SA karmaIKE2[5] established between 192.168.4.10[karma.mynet.com]...192.168.4.87[STR4.3host.cert] 
Dec 29 22:23:19 karma charon: 11[IKE] scheduling reauthentication in 10015s 
Dec 29 22:23:19 karma charon: 11[IKE] maximum IKE_SA lifetime 10555s 
Dec 29 22:23:19 karma charon: 11[IKE] sending end entity cert "STR5.1host.cert" 
Dec 29 22:23:19 karma charon: 11[IKE] CHILD_SA karmaIKE2{4} established with SPIs c5cace09_i cbf41872_o and TS 192.168.4.0/24 === 10.0.2.0/24  
Dec 29 22:23:19 karma vpn: + STR4.3host.cert 10.0.2.0/24 == 192.168.4.87 -- 192.168.4.10 == 192.168.4.0/24
Dec 29 22:23:19 karma charon: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ] 
Dec 29 22:23:19 karma charon: 11[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[62698] (1612 bytes) 
Dec 29 22:23:23 karma charon: 12[NET] received packet: from 192.168.4.87[62698] to 192.168.4.10[4500] (1500 bytes) 
Dec 29 22:23:23 karma charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ] 
Dec 29 22:23:23 karma charon: 12[IKE] received retransmit of request with ID 1, retransmitting response 
Dec 29 22:23:23 karma charon: 12[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[62698] (1612 bytes) 
Dec 29 22:23:30 karma charon: 09[NET] received packet: from 192.168.4.87[62698] to 192.168.4.10[4500] (1500 bytes) 
Dec 29 22:23:30 karma charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ] 
Dec 29 22:23:30 karma charon: 09[IKE] received retransmit of request with ID 1, retransmitting response 
Dec 29 22:23:30 karma charon: 09[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[62698] (1612 bytes) 
Dec 29 22:23:40 karma named[2671]: lame server resolving '62.1.119.225.dsl.dyn.forthnet.gr' (in 'dyn.forthnet.gr'?): 2001:648:2c30::191:3#53
Dec 29 22:23:43 karma charon: 13[NET] received packet: from 192.168.4.87[62698] to 192.168.4.10[4500] (1500 bytes) 
Dec 29 22:23:43 karma charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ] 
Dec 29 22:23:43 karma charon: 13[IKE] received retransmit of request with ID 1, retransmitting response 
Dec 29 22:23:43 karma charon: 13[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[62698] (1612 bytes) 
Dec 29 22:23:52 karma charon: 07[CFG] received stroke: terminate 'karmaIKE2' 
Dec 29 22:23:52 karma charon: 08[IKE] deleting IKE_SA karmaIKE2[5] between 192.168.4.10[karma.mynet.com]...192.168.4.87[STR4.3host.cert] 
Dec 29 22:23:52 karma charon: 08[IKE] sending DELETE for IKE_SA karmaIKE2[5] 
Dec 29 22:23:52 karma charon: 08[ENC] generating INFORMATIONAL request 0 [ D ] 
Dec 29 22:23:52 karma charon: 08[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[62698] (76 bytes) 
Dec 29 22:23:52 karma charon: 11[NET] received packet: from 192.168.4.87[62698] to 192.168.4.10[4500] (76 bytes) 
Dec 29 22:23:52 karma charon: 11[ENC] parsed INFORMATIONAL response 0 [ ] 
Dec 29 22:23:52 karma charon: 11[IKE] IKE_SA deleted 
Dec 29 22:23:52 karma vpn: - STR4.3host.cert 10.0.2.0/24 == 192.168.4.87 -- 192.168.4.10 == 192.168.4.0/24
Dec 29 22:23:52 karma charon: 10[CFG] received stroke: unroute 'karmaIKE2' 
[root at karma strongswan]# 


Do you see any particular culprits?
Thanks,
Serge




> ----- Original Message -----
> From: Noel Kuntze
> Sent: 12/29/13 11:25 PM
> To: s s, users at lists.strongswan.org
> Subject: Re: [strongSwan]  strongswan-5.1.1 with 4.xx, tunnel pb
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Hello,
> 
> What is the configuration of the other side and what is in the log of the other side?
> 
> If configured properly, strongSwan 4.x and strongSwan 5.x are compatible to each other.
> 
> Regards
> Noel Kuntze
> 
> On 29.12.2013 22:43, s s wrote:
> > Hello,
> >
> > I am having a persistent problem of being unable to establish a tunnel between two strongSwan hosts.
> >
> > root at bt:/etc/ipsec.d# ipsec up karmaIKE2
> > initiating IKE_SA karmaIKE2[3] to 192.168.4.10
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from 10.0.2.15[500] to 192.168.4.10[500]
> > received packet: from 192.168.4.10[500] to 10.0.2.15[500]
> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> > local host is behind NAT, sending keep alives
> > received cert request for "STR4.3CA"
> > received cert request for unknown ca with keyid b0:31:27:8b:2e:4b:cd:53:6d:c4:a7:fb:e9:56:1b:9f:34:cc:71:a7
> > sending cert request for "STR4.3CA"
> > authentication of 'STR4.3host.cert' (myself) with RSA signature successful
> > sending end entity cert "STR4.3host.cert"
> > establishing CHILD_SA karmaIKE2
> > generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> > sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
> > retransmit 1 of request with message ID 1
> > sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
> > retransmit 2 of request with message ID 1
> > sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
> >
> >
> > The status is stuck on "CONNECTING", which never happens:
> >
> > root at bt:/etc/ipsec.d# ipsec statusall
> >
> > karmaIKE2: 10.0.2.15...192.168.4.10
> > karmaIKE2: local: [STR4.3host.cert] uses public key authentication
> > karmaIKE2: cert: "STR4.3host.cert"
> > karmaIKE2: remote: [karma.ucp-is.com] uses any authentication
> > karmaIKE2: cert: "KRM5.1host.cert"
> > karmaIKE2: child: 10.0.2.0/24 === 192.168.4.0/24
> > Security Associations:
> > karmaIKE2[15]: CONNECTING, 10.0.2.15[STR4.3host.cert]...192.168.4.10[KRM5.1host.cert]
> > karmaIKE2[15]: IKE SPIs: 6d2c0e380935a207_i* 518160338263e01f_r
> >
> > After 5 rekeying attempts, it stops.
> >
> > Dec 29 22:23:27 bt charon: 07[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> > Dec 29 22:23:27 bt charon: 07[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
> >
> > ==> /var/log/syslog <==
> > Dec 29 22:23:31 bt charon: 09[IKE] retransmit 1 of request with message ID 1
> > Dec 29 22:23:31 bt charon: 09[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
> >
> > ==> /var/log/daemon.log <==
> > Dec 29 22:23:31 bt charon: 09[IKE] retransmit 1 of request with message ID 1
> > Dec 29 22:23:31 bt charon: 09[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
> >
> > ==> /var/log/syslog <==
> > Dec 29 22:23:38 bt charon: 15[IKE] retransmit 2 of request with message ID 1
> > Dec 29 22:23:38 bt charon: 15[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
> >
> >
> >
> > The policy for the channel does set up, but nothing works.
> >
> > [root at karma strongswan]# ip xfrm policy
> > src 10.0.2.0/24 dst 192.168.4.0/24
> > dir in priority 1859
> > tmpl src 192.168.4.87 dst 192.168.4.10
> > proto esp reqid 4 mode tunnel
> > src 192.168.4.0/24 dst 10.0.2.0/24
> > dir out priority 1859
> > tmpl src 192.168.4.10 dst 192.168.4.87
> > proto esp reqid 4 mode tunnel
> > src 10.0.2.0/24 dst 192.168.4.0/24
> > dir fwd priority 1859
> > tmpl src 192.168.4.87 dst 192.168.4.10
> > proto esp reqid 4 mode tunnel
> >
> >
> > Any hint how to fix it would be highly appreciated,
> > Regards,
> > Serge
> >
> >
> >
> >
> >
> >
> > Is the 4.xx branch compatible with the 5.x one?
> > I am unable to establish a tunnel in between 2 strongswan hosts one running the strongSwan U4.3.2/K2.6.38
> > and the second strongSwan U5.1.1/K2.6.18-308.16.1.el5PAE
> >
> > The configuration is more than classical: net-net
> >
> >
> > conn karmaIKE2
> > left=%defaultroute
> > leftsubnet=10.0.2.0/24
> > leftcert=lnvo.hostCert.pem
> > right=192.168.4.10
> > rightsubnet=192.168.4.0/24
> > rightcert=peercerts/karmaY2034.hostCert.pem
> > keyexchange=ikev2
> > mobike=yes
> > auto=add
> >
> >
> > root at bt:/etc/ipsec.d# ipsec up karmaIKE2
> > initiating IKE_SA karmaIKE2[1] to 192.168.4.10
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from 10.0.2.15[500] to 192.168.4.10[500]
> > received packet: from 192.168.4.10[500] to 10.0.2.15[500]
> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> > local host is behind NAT, sending keep alives
> > received cert request for "STR4.3CA"
> > received cert request for unknown ca with keyid b0:31:27:8b:2e:4b:cd:53:6d:c4:a7:fb:e9:56:1b:9f:34:cc:71:a7
> > sending cert request for "STR4.3CA"
> > authentication of 'STR4.3host.cert' (myself) with RSA signature successful
> > sending end entity cert "STR4.3host.cert"
> > establishing CHILD_SA karmaIKE2
> > generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> > sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
> > retransmit 1 of request with message ID 1
> > sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
> >
> >
> > But the tunnel
> >
> > root at bt:/etc/ipsec.d# ipsec statusall
> > 000 Status of IKEv1 pluto daemon (strongSwan 4.3.2):
> > 000 interface lo/lo ::1:500
> > 000 interface lo/lo 127.0.0.1:500
> > 000 interface eth0/eth0 10.0.2.15:500
> > 000 %myid = (none)
> > 000 loaded plugins: curl ldap random pubkey openssl hmac gmp
> > 000 debug options: none
> > 000
> > Status of IKEv2 charon daemon (strongSwan 4.3.2):
> > uptime: 7 minutes, since Dec 23 10:27:59 2013
> > worker threads: 9 idle of 16, job queue load: 0, scheduled events: 1
> > loaded plugins: curl ldap random x509 pubkey openssl xcbc hmac agent gmp kernel-netlink stroke updown eapidentity eapmd5 eapgtc eapaka eapmschapv2
> > Listening IP addresses:
> > 10.0.2.15
> > Connections:
> > karmaIKE2: 10.0.2.15...192.168.4.10
> > karmaIKE2: local: [STR4.3host.cert] uses public key authentication
> > karmaIKE2: cert: "STR4.3host.cert"
> > karmaIKE2: remote: [STR5.1host.cert] uses any authentication
> > karmaIKE2: cert: STR5.1host.cert"
> > karmaIKE2: child: 10.0.2.0/24 === 0.0.0.0/0
> > Security Associations:
> > karmaIKE2[1]: CREATED, 10.0.2.15[STR4.3host.cert]...192.168.4.10[STR5.1host.cert]
> > karmaIKE2[1]: IKE SPIs: 3483591a1d20afaf_i* 0000000000000000_r
> > karmaIKE2[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> >
> > The logs show
> > Dec 23 10:32:01 bt charon: 16[IKE] establishing CHILD_SA karmaIKE2
> > Dec 23 10:32:01 bt charon: 16[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> > Dec 23 10:32:01 bt charon: 16[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
> >
> > But this child tunnel could not be set up,
> > which results in the inability to reach the hosts and the networks behind them.
> >
> > I am still running into the routing problem between the same two strongSwan U5.1.1/K2.6.18-308.16.1.el5PAE hosts, one of them being behind the NATed gateway and unable to reach it through the tunnel, which apparently doesn't route the packets.
> >
> > Any help would be much appreciated.
> > Rgds,
> > Serge
> >
> >
> > ----
> >
> > Is standard Centos 5.x kernel 2.6.18-308.16.1.el5PAE compatible at all with
> > [root@ ~]# strongswan version
> > Linux strongSwan U5.1.1/K2.6.18-308.16.1.el5PAE
> >
> > We are unable to fix the routing problem. When the remote host is behind the NAT'ed provider's server, it cannot be reached at all:
> >
> >
> > msc-hmnet{12}: 192.168.4.0/24 === 192.168.3.0/24
> > [root at karma ~]# ping 192.168.3.56
> > PING 192.168.3.56 (192.168.3.56) 56(84) bytes of data.
> >
> > --- 192.168.3.56 ping statistics ---
> > 2 packets transmitted, 0 received, 100% packet loss, time 999ms
> >
> > 
> >
> >
> > ----
> >>> But out of the 2 tunnels only 1 is reachable. The other one doesn't ping.
> >> Does that tunnel work if you don't establish the other one?
> > No, it doesn't.
> > Besides, once the 192.168.3.0/24 host is behind the NAT'ed gateway, neither of the tunnels works.
> > 
> >> Also, I'd try to disable IPComp for testing. There seems to be an issue
> >> with IPcomp on some kernels in some scenarios.
> > What is IPComp, and how do I disable it?
> >
> > We use a standard Centos 5.x kernel
> > 2.6.18-308.16.1.el5PAE #1 SMP Tue Oct 2 22:49:17 EDT 2012 i686 i686 i386 GNU/Linux
> >
> > Could anyone help to troubleshoot the problem and resolve the issue?
> >
> > Rgds,
> > Serge
> >
> 

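Read side by side, the two logs in this thread are asymmetric: the responder (karma, 5.1.1) parses the IKE_AUTH request, establishes the IKE_SA and CHILD_SA, and sends a 1612-byte IKE_AUTH response three times, while the initiator (bt, 4.3.2) only ever logs "retransmit N of request with message ID 1" and never a parsed response. The script below is an added example, not code from the thread or from the strongSwan project: it correlates charon log lines from both peers by IKE message ID and reports which exchanges were answered but never received. The sample log lines are constructed in the shape of the ones quoted above, and the 1500-byte threshold is an assumed path MTU used only to flag UDP datagrams that would need IP fragmentation to cross the NAT in between; the thread itself does not establish that this is the cause.

```python
import re
from collections import defaultdict

# Constructed sample log lines, shaped like the charon output quoted in the thread.
# Responder side (karma, strongSwan 5.1.1): IKE_AUTH is answered, then answered again
# each time the initiator's request arrives a further time.
RESPONDER_LOG = """\
Dec 29 22:23:19 karma charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr ]
Dec 29 22:23:19 karma charon: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr ]
Dec 29 22:23:19 karma charon: 11[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[62698] (1612 bytes)
Dec 29 22:23:23 karma charon: 12[IKE] received retransmit of request with ID 1, retransmitting response
Dec 29 22:23:23 karma charon: 12[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[62698] (1612 bytes)
Dec 29 22:23:30 karma charon: 09[IKE] received retransmit of request with ID 1, retransmitting response
Dec 29 22:23:30 karma charon: 09[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[62698] (1612 bytes)
"""

# Initiator side (bt, strongSwan 4.3.2): only retransmits, never a parsed response.
INITIATOR_LOG = """\
Dec 29 22:23:27 bt charon: 07[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr ]
Dec 29 22:23:27 bt charon: 07[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
Dec 29 22:23:31 bt charon: 09[IKE] retransmit 1 of request with message ID 1
Dec 29 22:23:31 bt charon: 09[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
Dec 29 22:23:38 bt charon: 15[IKE] retransmit 2 of request with message ID 1
Dec 29 22:23:38 bt charon: 15[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) charon: \d+\[(?P<grp>\w+)\] (?P<msg>.*)$")
GEN_RE = re.compile(r"generating (?P<ex>\w+) (?P<dir>request|response) (?P<mid>\d+)")
PARSED_RE = re.compile(r"parsed (?P<ex>\w+) (?P<dir>request|response) (?P<mid>\d+)")
SEND_RE = re.compile(r"sending packet: from \S+ to \S+(?: \((?P<size>\d+) bytes\))?")
RETX_INIT_RE = re.compile(r"retransmit (?P<n>\d+) of request with message ID (?P<mid>\d+)")
RETX_RESP_RE = re.compile(r"received retransmit of request with ID (?P<mid>\d+), retransmitting response")


def parse_side(text):
    """Collect per-message-ID counters from one peer's charon log."""
    side = {
        "responses_sent": defaultdict(int),    # mid -> number of response datagrams sent
        "response_size": {},                   # mid -> size of the last response datagram, if logged
        "responses_parsed": defaultdict(int),  # mid -> responses this peer actually decoded
        "retransmits": defaultdict(int),       # mid -> highest retransmit counter seen
    }
    pending = None  # message ID whose response the next NET "sending packet" line carries
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        if (g := GEN_RE.search(msg)) and g["dir"] == "response":
            pending = int(g["mid"])
        elif g := RETX_RESP_RE.search(msg):
            pending = int(g["mid"])
        elif (g := PARSED_RE.search(msg)) and g["dir"] == "response":
            side["responses_parsed"][int(g["mid"])] += 1
        elif g := RETX_INIT_RE.search(msg):
            mid = int(g["mid"])
            side["retransmits"][mid] = max(side["retransmits"][mid], int(g["n"]))
        elif (g := SEND_RE.search(msg)) and pending is not None:
            side["responses_sent"][pending] += 1
            if g["size"]:
                side["response_size"][pending] = int(g["size"])
            pending = None
    return side


def correlate(responder_log, initiator_log, mtu=1500):
    """Match responder and initiator logs by IKE message ID and classify each exchange."""
    r, i = parse_side(responder_log), parse_side(initiator_log)
    findings = {}
    for mid in sorted(set(r["responses_sent"]) | set(i["retransmits"])):
        sent = r["responses_sent"].get(mid, 0)
        size = r["response_size"].get(mid)
        got = i["responses_parsed"].get(mid, 0)
        retx = i["retransmits"].get(mid, 0)
        if sent and not got and retx:
            verdict = "response_lost_in_transit"  # responder answered, initiator never saw it
        elif not sent and retx:
            verdict = "request_never_answered"    # the request itself is not reaching the responder
        else:
            verdict = "ok"
        findings[mid] = {
            "verdict": verdict,
            "responses_sent": sent,
            "response_size": size,
            "initiator_retransmits": retx,
            # Assumed 1500-byte path MTU: a larger UDP datagram needs IP fragmentation,
            # which NAT devices commonly mishandle. A hint for where to look, not proof.
            "exceeds_mtu": size is not None and size > mtu,
        }
    return findings


if __name__ == "__main__":
    for mid, f in correlate(RESPONDER_LOG, INITIATOR_LOG).items():
        print(f"message ID {mid}: {f}")
```

To use it on real data, feed `grep charon /var/log/messages` from the responder and the matching `grep charon /var/log/syslog` from the initiator into `correlate()`. A verdict of `response_lost_in_transit` says the responder's side is fine and the packet is being dropped between the two hosts, which is where a capture on both sides of the NAT (looking for fragmented UDP/4500 datagrams) becomes the next step; `request_never_answered` points the other way, at the request not arriving.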



