[strongSwan] Timeout Errors using Network Manager on Ubuntu 12.10

Andreas Steffen andreas.steffen at strongswan.org
Tue Jan 8 00:16:26 CET 2013


Hi Bruno,

there is no answer from the VPN gateway on the other end. Either
the gateway cannot be reached over the network, the gateway is not
running and listening on UDP port 500 or it supports the IKEv1 protocol
only.

Regards

Andreas

On 07.01.2013 14:00, BRAGA, Bruno wrote:
> Hi,
>
> I am having a hard time to get an IpSec VPN working in my machine... it
> works fine in other OS, and I am sure I am doing something stupid here,
> hope some guru can give me guidance!
>
> I am running Ubuntu 12.10, and installed strongswan (4.5.2), added the
> key secret in /etc/ipsec.secrets file, and setup the VPN through network
> manager.
>
> Without tampering with the strongswan.conf file, I have this output
> (noted a similar output is :
>
> --- /var/log/syslog ---
>
> Jan  7 22:00:06 mac17 NetworkManager[1092]: <info> Starting VPN service
> 'strongswan'...
> Jan  7 22:00:06 mac17 NetworkManager[1092]: <info> VPN service
> 'strongswan' started (org.freedesktop.NetworkManager.strongswan), PID 840
> Jan  7 22:00:06 mac17 charon: 00[DMN] Starting IKEv2 charon daemon
> (strongSwan 4.5.2)
> Jan  7 22:00:06 mac17 charon: 00[KNL] listening on interfaces:
> Jan  7 22:00:06 mac17 charon: 00[KNL]   eth0
> Jan  7 22:00:06 mac17 charon: 00[KNL]   wlan0
> Jan  7 22:00:06 mac17 charon: 00[KNL]     192.168.1.1
> Jan  7 22:00:06 mac17 charon: 00[KNL]     fe80::129a:ddff:feae:e16a
> Jan  7 22:00:06 mac17 charon: 00[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
> Jan  7 22:00:06 mac17 charon: 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> Jan  7 22:00:06 mac17 charon: 00[CFG] loading ocsp signer certificates
> from '/etc/ipsec.d/ocspcerts'
> Jan  7 22:00:06 mac17 charon: 00[CFG] loading attribute certificates
> from '/etc/ipsec.d/acerts'
> Jan  7 22:00:06 mac17 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Jan  7 22:00:06 mac17 charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> Jan  7 22:00:06 mac17 charon: 00[CFG]   loaded IKE secret for x.x.x.x %any
> Jan  7 22:00:06 mac17 charon: 00[CFG] sql plugin: database URI not set
> Jan  7 22:00:06 mac17 charon: 00[LIB] plugin 'sql': failed to load -
> sql_plugin_create returned NULL
> Jan  7 22:00:06 mac17 charon: 00[CFG] loaded 0 RADIUS server configurations
> Jan  7 22:00:06 mac17 charon: 00[LIB] plugin 'medsrv' failed to load:
> /usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared
> object file: No such file or directory
> Jan  7 22:00:06 mac17 charon: 00[CFG] mediation client database URI not
> defined, skipped
> Jan  7 22:00:06 mac17 charon: 00[LIB] plugin 'medcli': failed to load -
> medcli_plugin_create returned NULL
> Jan  7 22:00:06 mac17 NetworkManager[1092]: <info> VPN service
> 'strongswan' appeared; activating connections
> Jan  7 22:00:06 mac17 charon: 00[CFG] HA config misses local/remote address
> Jan  7 22:00:06 mac17 charon: 00[LIB] plugin 'ha': failed to load -
> ha_plugin_create returned NULL
> Jan  7 22:00:06 mac17 charon: 00[DMN] loaded plugins: test-vectors curl
> ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey
> pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm
> attr kernel-netlink resolve socket-raw farp stroke updown eap-identity
> eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc
> nm dhcp led addrblock
> Jan  7 22:00:06 mac17 charon: 00[JOB] spawning 16 worker threads
> Jan  7 22:00:06 mac17 charon: 06[CFG] received initiate for
> NetworkManager connection TestVPN
> Jan  7 22:00:06 mac17 NetworkManager[1092]: <info> VPN plugin state
> changed: starting (3)
> Jan  7 22:00:06 mac17 charon: 06[CFG] using CA certificate, gateway
> identity x.x.x.x'
> Jan  7 22:00:06 mac17 charon: 06[IKE] initiating IKE_SA TestVPN[1]
> to x.x.x.x
> Jan  7 22:00:06 mac17 charon: 06[ENC] generating IKE_SA_INIT request 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jan  7 22:00:06 mac17 charon: 06[NET] sending packet: from
> 192.168.1.1[500] to x.x.x.x[500]
> Jan  7 22:00:06 mac17 NetworkManager[1092]: <info> VPN connection
> 'TestVPN' (Connect) reply received.
> Jan  7 22:00:10 mac17 charon: 11[IKE] retransmit 1 of request with
> message ID 0
> Jan  7 22:00:10 mac17 charon: 11[NET] sending packet: from
> 192.168.1.1[500] to x.x.x.x[500]
> Jan  7 22:00:17 mac17 charon: 12[IKE] retransmit 2 of request with
> message ID 0
> Jan  7 22:00:17 mac17 charon: 12[NET] sending packet: from
> 192.168.1.1[500] to x.x.x.x[500]
> Jan  7 22:00:30 mac17 wpa_supplicant[1361]: wlan0: WPA: Group rekeying
> completed with 00:24:a5:ea:a5:a2 [GTK=CCMP]
> Jan  7 22:00:30 mac17 charon: 13[IKE] retransmit 3 of request with
> message ID 0
> Jan  7 22:00:30 mac17 charon: 13[NET] sending packet: from
> 192.168.1.1[500] to x.x.x.x[500]
> Jan  7 22:00:46 mac17 NetworkManager[1092]: <warn> VPN connection
> 'TestVPN' (IP Config Get) timeout exceeded.
> Jan  7 22:00:46 mac17 NetworkManager[1092]: <info> Policy set 'Braga'
> (wlan0) as default for IPv4 routing and DNS.
> Jan  7 22:00:46 mac17 charon: 01[IKE] destroying IKE_SA in state
> CONNECTING without notification
> Jan  7 22:00:51 mac17 charon: 00[DMN] signal of type SIGTERM received.
> Shutting down
> Jan  7 22:00:51 mac17 NetworkManager[1092]: <info> VPN service
> 'strongswan' disappeared
>
> My initial configuration file was:
>
> --- /etc/strongswan.conf ---
>
> # strongswan.conf - strongSwan configuration file
> charon {
> threads = 16
> plugins {
> sql {
> loglevel = -1
> }
> }
> }
>
> pluto {
> }
> libstrongswan {
> }
>
> ----------------
>
> And here is the Network Manager configuration:
>
> --- /etc/NetworkManager/system-connections/TestVPN ---
>
> [connection]
> id=TestVPN
> uuid=07ac4ce3-c6c3-4d42-8bb6-29e56a8751db
> type=vpn
> autoconnect=false
>
> [vpn]
> service-type=org.freedesktop.NetworkManager.strongswan
> virtual=no
> encap=no
> address=x.x.x.x
> user=??????
> method=eap
> ipcomp=yes
> password-flags=1
>
> [ipv4]
> method=auto
> ----------------
>
> Besides the timeout issue, I noted the plugin loading issues in the
> charon logs. Looking at what I got in the system by default:
>
> $ ls /usr/lib/ipsec/plugins/
> libstrongswan-addrblock.so     libstrongswan-eap-tls.so
> libstrongswan-pkcs11.so
> libstrongswan-aes.so           libstrongswan-eap-tnc.so
> libstrongswan-pkcs1.so
> libstrongswan-agent.so         libstrongswan-eap-ttls.so
>   libstrongswan-pubkey.so
> libstrongswan-attr.so          libstrongswan-farp.so
>   libstrongswan-random.so
> libstrongswan-attr-sql.so      libstrongswan-fips-prf.so
>   libstrongswan-resolve.so
> libstrongswan-ccm.so           libstrongswan-gcm.so
> libstrongswan-revocation.so
> libstrongswan-constraints.so   libstrongswan-gmp.so
> libstrongswan-sha1.so
> libstrongswan-ctr.so           libstrongswan-ha.so
>   libstrongswan-sha2.so
> libstrongswan-curl.so          libstrongswan-hmac.so
>   libstrongswan-socket-raw.so
> libstrongswan-des.so           libstrongswan-kernel-netlink.so
>   libstrongswan-sql.so
> libstrongswan-dhcp.so          libstrongswan-ldap.so
>   libstrongswan-stroke.so
> libstrongswan-dnskey.so        libstrongswan-led.so
> libstrongswan-test-vectors.so
> libstrongswan-eap-aka.so       libstrongswan-md5.so
> libstrongswan-updown.so
> libstrongswan-eap-gtc.so       libstrongswan-medcli.so
>   libstrongswan-x509.so
> libstrongswan-eap-identity.so  libstrongswan-nm.so
>   libstrongswan-xauth.so
> libstrongswan-eap-md5.so       libstrongswan-openssl.so
> libstrongswan-xcbc.so
> libstrongswan-eap-mschapv2.so  libstrongswan-pem.so
> libstrongswan-eap-radius.so    libstrongswan-pgp.so
>
> Adding the load into the strongswan.conf file at least clears the
> warnings, but I am not sure if these modules should be here, and
> loaded...
>
> Any help really appreciated!
>
> Thanks,
>
>
> --
> *Braga, Bruno*
> www.brunobraga.net <http://www.brunobraga.net>
> bruno.braga at gmail.com <mailto:bruno.braga at gmail.com>
>
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
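
The check described in the reply above, as an added example that is not part of the original message or of strongSwan: it scans charon syslog lines for an IKE_SA_INIT exchange that was sent and retransmitted without any `received packet` line from the peer. The sample log is constructed from the lines quoted in the post (wrapped lines re-joined, the documentation address 192.0.2.10 standing in for x.x.x.x), and `diagnose` is a hypothetical helper name.

```python
import re

# Constructed sample modelled on the charon lines quoted in the post;
# 192.0.2.10 is a documentation address standing in for the masked x.x.x.x.
SAMPLE = """\
Jan  7 22:00:06 mac17 charon: 06[IKE] initiating IKE_SA TestVPN[1] to 192.0.2.10
Jan  7 22:00:06 mac17 charon: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jan  7 22:00:06 mac17 charon: 06[NET] sending packet: from 192.168.1.1[500] to 192.0.2.10[500]
Jan  7 22:00:10 mac17 charon: 11[IKE] retransmit 1 of request with message ID 0
Jan  7 22:00:10 mac17 charon: 11[NET] sending packet: from 192.168.1.1[500] to 192.0.2.10[500]
Jan  7 22:00:17 mac17 charon: 12[IKE] retransmit 2 of request with message ID 0
Jan  7 22:00:17 mac17 charon: 12[NET] sending packet: from 192.168.1.1[500] to 192.0.2.10[500]
Jan  7 22:00:46 mac17 charon: 01[IKE] destroying IKE_SA in state CONNECTING without notification
"""

INIT = re.compile(r"charon: \d+\[IKE\] initiating IKE_SA (\S+)\[\d+\] to (\S+)")
SENT = re.compile(r"charon: \d+\[NET\] sending packet: from \S+ to ([^\[\s]+)\[(\d+)\]")
RECV = re.compile(r"charon: \d+\[NET\] received packet: from ([^\[\s]+)\[\d+\]")
RETX = re.compile(r"charon: \d+\[IKE\] retransmit (\d+) of request with message ID 0")

def diagnose(log_text):
    """Summarise each IKE_SA_INIT attempt: packets sent, retransmits, replies seen."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        if m := INIT.search(line):
            cur = {"conn": m.group(1), "peer": m.group(2), "port": None,
                   "sent": 0, "retransmits": 0, "replies": 0}
            attempts.append(cur)
        elif cur is None:
            continue  # ignore daemon start-up lines before the first initiation
        elif (m := SENT.search(line)) and m.group(1) == cur["peer"]:
            cur["sent"] += 1
            cur["port"] = int(m.group(2))
        elif (m := RECV.search(line)) and m.group(1) == cur["peer"]:
            cur["replies"] += 1
        elif m := RETX.search(line):
            cur["retransmits"] = max(cur["retransmits"], int(m.group(1)))
    for a in attempts:
        # Requests went out but nothing came back: the situation the reply describes.
        a["no_answer"] = a["sent"] > 0 and a["replies"] == 0
    return attempts

if __name__ == "__main__":
    for a in diagnose(SAMPLE):
        if a["no_answer"]:
            print(f"{a['conn']}: {a['sent']} packets to {a['peer']}:{a['port']}, no reply. "
                  "Check: gateway reachable? listening on UDP 500? IKEv2 supported?")
```

Run against the real log, syslog lines that the mail client wrapped must first be joined back onto single lines, as in the sample.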
