[strongSwan] Timeout Errors using Network Manager on Ubuntu 12.10

BRAGA, Bruno bruno.braga at gmail.com
Mon Jan 7 14:00:53 CET 2013


Hi,

I am having a hard time getting an IPsec VPN working on my machine... it
works fine in other OS, and I am sure I am doing something stupid here,
hope some guru can give me guidance!

I am running Ubuntu 12.10, and installed strongswan (4.5.2), added the key
secret in /etc/ipsec.secrets file, and setup the VPN through network
manager.

Without tampering with the strongswan.conf file, I have this output (noted
a similar output is :

--- /var/log/syslog ---

Jan  7 22:00:06 mac17 NetworkManager[1092]: <info> Starting VPN service 'strongswan'...
Jan  7 22:00:06 mac17 NetworkManager[1092]: <info> VPN service 'strongswan' started (org.freedesktop.NetworkManager.strongswan), PID 840
Jan  7 22:00:06 mac17 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
Jan  7 22:00:06 mac17 charon: 00[KNL] listening on interfaces:
Jan  7 22:00:06 mac17 charon: 00[KNL]   eth0
Jan  7 22:00:06 mac17 charon: 00[KNL]   wlan0
Jan  7 22:00:06 mac17 charon: 00[KNL]     192.168.1.1
Jan  7 22:00:06 mac17 charon: 00[KNL]     fe80::129a:ddff:feae:e16a
Jan  7 22:00:06 mac17 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan  7 22:00:06 mac17 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan  7 22:00:06 mac17 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan  7 22:00:06 mac17 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan  7 22:00:06 mac17 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan  7 22:00:06 mac17 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan  7 22:00:06 mac17 charon: 00[CFG]   loaded IKE secret for x.x.x.x %any
Jan  7 22:00:06 mac17 charon: 00[CFG] sql plugin: database URI not set
Jan  7 22:00:06 mac17 charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Jan  7 22:00:06 mac17 charon: 00[CFG] loaded 0 RADIUS server configurations
Jan  7 22:00:06 mac17 charon: 00[LIB] plugin 'medsrv' failed to load: /usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object file: No such file or directory
Jan  7 22:00:06 mac17 charon: 00[CFG] mediation client database URI not defined, skipped
Jan  7 22:00:06 mac17 charon: 00[LIB] plugin 'medcli': failed to load - medcli_plugin_create returned NULL
Jan  7 22:00:06 mac17 NetworkManager[1092]: <info> VPN service 'strongswan' appeared; activating connections
Jan  7 22:00:06 mac17 charon: 00[CFG] HA config misses local/remote address
Jan  7 22:00:06 mac17 charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Jan  7 22:00:06 mac17 charon: 00[DMN] loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc nm dhcp led addrblock
Jan  7 22:00:06 mac17 charon: 00[JOB] spawning 16 worker threads
Jan  7 22:00:06 mac17 charon: 06[CFG] received initiate for NetworkManager connection TestVPN
Jan  7 22:00:06 mac17 NetworkManager[1092]: <info> VPN plugin state changed: starting (3)
Jan  7 22:00:06 mac17 charon: 06[CFG] using CA certificate, gateway identity x.x.x.x'
Jan  7 22:00:06 mac17 charon: 06[IKE] initiating IKE_SA TestVPN[1] to x.x.x.x
Jan  7 22:00:06 mac17 charon: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jan  7 22:00:06 mac17 charon: 06[NET] sending packet: from 192.168.1.1[500] to x.x.x.x[500]
Jan  7 22:00:06 mac17 NetworkManager[1092]: <info> VPN connection 'TestVPN' (Connect) reply received.
Jan  7 22:00:10 mac17 charon: 11[IKE] retransmit 1 of request with message ID 0
Jan  7 22:00:10 mac17 charon: 11[NET] sending packet: from 192.168.1.1[500] to x.x.x.x[500]
Jan  7 22:00:17 mac17 charon: 12[IKE] retransmit 2 of request with message ID 0
Jan  7 22:00:17 mac17 charon: 12[NET] sending packet: from 192.168.1.1[500] to x.x.x.x[500]
Jan  7 22:00:30 mac17 wpa_supplicant[1361]: wlan0: WPA: Group rekeying completed with 00:24:a5:ea:a5:a2 [GTK=CCMP]
Jan  7 22:00:30 mac17 charon: 13[IKE] retransmit 3 of request with message ID 0
Jan  7 22:00:30 mac17 charon: 13[NET] sending packet: from 192.168.1.1[500] to x.x.x.x[500]
Jan  7 22:00:46 mac17 NetworkManager[1092]: <warn> VPN connection 'TestVPN' (IP Config Get) timeout exceeded.
Jan  7 22:00:46 mac17 NetworkManager[1092]: <info> Policy set 'Braga' (wlan0) as default for IPv4 routing and DNS.
Jan  7 22:00:46 mac17 charon: 01[IKE] destroying IKE_SA in state CONNECTING without notification
Jan  7 22:00:51 mac17 charon: 00[DMN] signal of type SIGTERM received. Shutting down
Jan  7 22:00:51 mac17 NetworkManager[1092]: <info> VPN service 'strongswan' disappeared

My initial configuration file was:

--- /etc/strongswan.conf ---

# strongswan.conf - strongSwan configuration file
charon {
    threads = 16
    plugins {
        sql {
            loglevel = -1
        }
    }
}

pluto {
}
libstrongswan {
}

----------------

And here is the Network Manager configuration:

--- /etc/NetworkManager/system-connections/TestVPN ---

[connection]
id=TestVPN
uuid=07ac4ce3-c6c3-4d42-8bb6-29e56a8751db
type=vpn
autoconnect=false

[vpn]
service-type=org.freedesktop.NetworkManager.strongswan
virtual=no
encap=no
address=x.x.x.x
user=??????
method=eap
ipcomp=yes
password-flags=1

[ipv4]
method=auto
----------------

Besides the timeout issue, I noted the plugin loading issues in the charon
logs. Looking at what I got in the system by default:

$ ls /usr/lib/ipsec/plugins/
libstrongswan-addrblock.so     libstrongswan-eap-tls.so         libstrongswan-pkcs11.so
libstrongswan-aes.so           libstrongswan-eap-tnc.so         libstrongswan-pkcs1.so
libstrongswan-agent.so         libstrongswan-eap-ttls.so        libstrongswan-pubkey.so
libstrongswan-attr.so          libstrongswan-farp.so            libstrongswan-random.so
libstrongswan-attr-sql.so      libstrongswan-fips-prf.so        libstrongswan-resolve.so
libstrongswan-ccm.so           libstrongswan-gcm.so             libstrongswan-revocation.so
libstrongswan-constraints.so   libstrongswan-gmp.so             libstrongswan-sha1.so
libstrongswan-ctr.so           libstrongswan-ha.so              libstrongswan-sha2.so
libstrongswan-curl.so          libstrongswan-hmac.so            libstrongswan-socket-raw.so
libstrongswan-des.so           libstrongswan-kernel-netlink.so  libstrongswan-sql.so
libstrongswan-dhcp.so          libstrongswan-ldap.so            libstrongswan-stroke.so
libstrongswan-dnskey.so        libstrongswan-led.so             libstrongswan-test-vectors.so
libstrongswan-eap-aka.so       libstrongswan-md5.so             libstrongswan-updown.so
libstrongswan-eap-gtc.so       libstrongswan-medcli.so          libstrongswan-x509.so
libstrongswan-eap-identity.so  libstrongswan-nm.so              libstrongswan-xauth.so
libstrongswan-eap-md5.so       libstrongswan-openssl.so         libstrongswan-xcbc.so
libstrongswan-eap-mschapv2.so  libstrongswan-pem.so
libstrongswan-eap-radius.so    libstrongswan-pgp.so

Adding the load into the strongswan.conf file at least clears the
warnings, but I am not sure if these modules should be here, and
loaded...

Any help really appreciated!

Thanks,


--
*Braga, Bruno*
www.brunobraga.net
bruno.braga at gmail.com
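
The syslog in the message above shows three retransmits of message ID 0 and no "received packet" line before the IKE_SA is destroyed in state CONNECTING. The following is an added example, not part of the original post: it checks a charon log for that pattern, rejoining mail-wrapped records first. The host name and addresses in the sample are constructed placeholders.

```python
import re

TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")   # syslog timestamp
CHARON = re.compile(r"charon: \d+\[(\w+)\] (.*)$")           # subsystem, message

# Constructed sample (placeholder host and addresses), hard-wrapped like the post.
SAMPLE = """\
Jan  7 22:00:06 host charon: 06[NET] sending packet: from 192.0.2.5[500]
to 203.0.113.10[500]
Jan  7 22:00:10 host charon: 11[IKE] retransmit 1 of request with message
ID 0
Jan  7 22:00:46 host charon: 01[IKE] destroying IKE_SA in state CONNECTING
without notification
"""

def unwrap(text):
    """Rejoin wrapped records: a line without a timestamp continues the last one."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line.rstrip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def analyze(text):
    """Count charon packet events and retransmits of message ID 0 (IKE_SA_INIT)."""
    s = {"sent": 0, "received": 0, "retransmits": 0, "destroyed_connecting": False}
    for rec in unwrap(text):
        m = CHARON.search(rec)
        if not m:
            continue                      # NetworkManager, wpa_supplicant, ...
        subsys, msg = m.groups()
        r = re.match(r"retransmit (\d+) of request with message ID 0$", msg)
        if subsys == "NET" and msg.startswith("sending packet:"):
            s["sent"] += 1
        elif subsys == "NET" and msg.startswith("received packet:"):
            s["received"] += 1
        elif r:
            s["retransmits"] = max(s["retransmits"], int(r.group(1)))
        elif msg.startswith("destroying IKE_SA in state CONNECTING"):
            s["destroyed_connecting"] = True
    return s

def unanswered_init(text):
    """True when message ID 0 was retransmitted and no packet ever came back."""
    s = analyze(text)
    return s["retransmits"] > 0 and s["received"] == 0
```

A true result means the gateway never answered the first IKEv2 message, so the timeout is decided before authentication or any of the optional plugins come into play.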