[strongSwan] Testing the easiest config to send ISAKMP datagrams

Andreas Steffen andreas.steffen at strongswan.org
Wed Feb 6 06:00:19 CET 2013


Hi Michael,

With auto=add, as you configured strongSwan, the start-up sequence is

  ipsec start
  ipsec up here

If you change the setting in ipsec.conf to auto=start then

  ipsec start

will cause pluto to automatically negotiate the "here" connection
and with auto=route

  ipsec start

will install a trap in the kernel and the first IP payload packet
in the direction of rightsubnet=192.168.1.0/24 will trigger
the IKE negotiation.

Regards

Andreas

On 02/05/2013 10:45 PM, strongswan at encambio.com wrote:
> 
> Hello list,
> 
> My goal is building an IPv4 IPsec tunnel using IKEv1.
> 
>   Ubuntu 12.10 GNU/Linux AMD64
>   Strongswan 4.5.2
> 
> /etc/strongswan.conf:
>   pluto {
>       load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
>   }
> 
>   libstrongswan {
>       dh_exponent_ansi_x9_42 = no
>   }
> 
> /etc/ipsec.conf:
>   config setup
>       plutodebug=all
>       charonstart=no
>       plutostart=yes
> 
>   conn %default
>       ikelifetime=60m
>       keylife=20m
>       rekeymargin=3m
>       keyingtries=1
>       keyexchange=ikev1
>       authby=secret
> 
>   conn here
>       left=192.168.0.22
>       right=12.34.56.78
>       rightsubnet=192.168.1.0/24
>       auto=add
> 
> /etc/ipsec.secrets:
>   12.34.56.78 : PSK "0000111122223333"
> 
> It would seem that the above config should suffice to at least send
> UDP packets to host 12.34.56.78 ports 500 or 4500, but...
> 
>   192.168.0.22# /etc/init.d/ipsec start
> 
>   192.168.0.22# ps aux | grep pluto
>   root    3662 ... 18:08 /usr/lib/ipsec/pluto --nofork --uniqueids --debug-all
> 
>   192.168.0.22# /usr/lib/ipsec/whack --status
>   000 "here": 192.168.0.22[192.168.0.22]...12.34.56.78[12.34.56.78]===192.168.1.0/24; unrouted; eroute owner; #0
>   000 "here":    newest ISAKMP SA: #0; newest IPsec SA: #0;
>   000
> 
> ...when I run tcpdump(1) and socat(1) to test, it's clear that pluto
> is not sending anything at all.
> 
>   12.34.56.78# socat UDP4-LISTEN:500,bind=12.34.56.77 -
>   12.34.56.78# socat UDP4-LISTEN:4500,bind=12.34.56.77 -
>   (nothing...)
> 
>   12.34.56.78# tcpdump -i eth0 port 500 or port 4500
>   192.168.0.22# tcpdump -i eth0 port 500 or port 4500
>   (nothing...)
> 
> Even after logging plutodebug=all I see no errors in /var/log/auth.log.
> What do I need to change to make pluto(8) send IKE UDP datagrams?
> 
> Thanks,
> Michael

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
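The reply above ties the three auto= values to what `whack --status` should show after `ipsec start`. As an added example (not code from the thread or from strongSwan), the script below parses the two status lines Michael pasted and explains why "no IKE datagrams yet" is the expected outcome for auto=add; the second conn "other" and the SAMPLE_AUTO mapping are constructed for contrast.

```python
import re

# Constructed sample of `ipsec whack --status` output: the two "here" lines from the
# thread, plus an invented "other" conn that is routed, for contrast.
SAMPLE_STATUS = """\
000 "here": 192.168.0.22[192.168.0.22]...12.34.56.78[12.34.56.78]===192.168.1.0/24; unrouted; eroute owner; #0
000 "here":    newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "other": 192.168.0.22[192.168.0.22]...12.34.56.79[12.34.56.79]===10.1.0.0/24; routed; eroute owner; #0
000 "other":    newest ISAKMP SA: #0; newest IPsec SA: #0;
000
"""
# auto= values as they would be set in ipsec.conf for the two conns (constructed).
SAMPLE_AUTO = {'here': 'add', 'other': 'route'}

STATUS_RE = re.compile(r'^000 "(?P<name>[^"]+)":\s*(?P<rest>.*)$')
SA_RE = re.compile(r'newest ISAKMP SA: #(\d+); newest IPsec SA: #(\d+);')

def parse_whack_status(text):
    """Map conn name -> {'routed': bool, 'isakmp_sa': int, 'ipsec_sa': int}."""
    conns = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue  # e.g. the bare '000' terminator line
        entry = conns.setdefault(m['name'], {'routed': False, 'isakmp_sa': 0, 'ipsec_sa': 0})
        sa = SA_RE.search(m['rest'])
        if sa:
            entry['isakmp_sa'], entry['ipsec_sa'] = int(sa[1]), int(sa[2])
        else:
            # First line per conn: ';'-separated flags such as 'unrouted' or 'routed'.
            entry['routed'] = 'routed' in [f.strip() for f in m['rest'].split(';')]
    return conns

def diagnose(name, auto, st):
    """Explain why no IKE traffic has been seen for a conn, following the reply above."""
    if st['isakmp_sa']:
        return 'ISAKMP SA #%d exists: IKE was negotiated' % st['isakmp_sa']
    if auto == 'add':
        return "expected: auto=add only loads the conn; run 'ipsec up %s'" % name
    if auto == 'route':
        if st['routed']:
            return 'trap installed; first packet towards the subnet triggers IKE'
        return 'auto=route but conn is unrouted: trap missing, check the pluto log'
    if auto == 'start':
        return 'auto=start should negotiate at ipsec start: check the pluto log'
    return 'auto=%s: conn is never initiated by pluto' % auto

if __name__ == '__main__':
    for name, st in parse_whack_status(SAMPLE_STATUS).items():
        print(name, '->', diagnose(name, SAMPLE_AUTO[name], st))
```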
