[strongSwan] Timeout Errors using Network Manager on Ubuntu 12.10

BRAGA, Bruno bruno.braga at gmail.com
Tue Jan 8 01:41:06 CET 2013


Hi Andreas,

Thanks for the feedback. I took my local network out of the equation
because it works in the same environment and machine on a different OS
(tried MacOS with racoon). That is why I figured it would be rather a
matter of configuration instead.

Any suggestions on how I could troubleshoot these possibilities? (Sorry I
am not a network guy).

Cheers,

--
Bruno Braga (mobile)
On Jan 8, 2013 9:16 AM, "Andreas Steffen" <andreas.steffen at strongswan.org>
wrote:

> Hi Bruno,
>
> there is no answer from the VPN gateway on the other end. Either
> the gateway cannot be reached over the network, the gateway is not
> running and listening on UDP port 500 or it supports the IKEv1 protocol
> only.
>
> Regards
>
> Andreas
>
> On 07.01.2013 14:00, BRAGA, Bruno wrote:
>
>> Hi,
>>
>> I am having a hard time to get an IpSec VPN working in my machine... it
>> works fine in other OS, and I am sure I am doing something stupid here,
>> hope some guru can give me guidance!
>>
>> I am running Ubuntu 12.10, and installed strongswan (4.5.2), added the
>> key secret in /etc/ipsec.secrets file, and setup the VPN through network
>> manager.
>>
>> Without tampering with the strongswan.conf file, I have this output
>> (noted a similar output is :
>>
>> --- /var/log/syslog ---
>>
>> Jan  7 22:00:06 mac17 NetworkManager[1092]: <info> Starting VPN service
>> 'strongswan'...
>> Jan  7 22:00:06 mac17 NetworkManager[1092]: <info> VPN service
>> 'strongswan' started (org.freedesktop.NetworkManager.strongswan), PID
>> 840
>> Jan  7 22:00:06 mac17 charon: 00[DMN] Starting IKEv2 charon daemon
>> (strongSwan 4.5.2)
>> Jan  7 22:00:06 mac17 charon: 00[KNL] listening on interfaces:
>> Jan  7 22:00:06 mac17 charon: 00[KNL]   eth0
>> Jan  7 22:00:06 mac17 charon: 00[KNL]   wlan0
>> Jan  7 22:00:06 mac17 charon: 00[KNL]     192.168.1.1
>> Jan  7 22:00:06 mac17 charon: 00[KNL]     fe80::129a:ddff:feae:e16a
>> Jan  7 22:00:06 mac17 charon: 00[CFG] loading ca certificates from
>> '/etc/ipsec.d/cacerts'
>> Jan  7 22:00:06 mac17 charon: 00[CFG] loading aa certificates from
>> '/etc/ipsec.d/aacerts'
>> Jan  7 22:00:06 mac17 charon: 00[CFG] loading ocsp signer certificates
>> from '/etc/ipsec.d/ocspcerts'
>> Jan  7 22:00:06 mac17 charon: 00[CFG] loading attribute certificates
>> from '/etc/ipsec.d/acerts'
>> Jan  7 22:00:06 mac17 charon: 00[CFG] loading crls from
>> '/etc/ipsec.d/crls'
>> Jan  7 22:00:06 mac17 charon: 00[CFG] loading secrets from
>> '/etc/ipsec.secrets'
>> Jan  7 22:00:06 mac17 charon: 00[CFG]   loaded IKE secret for x.x.x.x %any
>> Jan  7 22:00:06 mac17 charon: 00[CFG] sql plugin: database URI not set
>> Jan  7 22:00:06 mac17 charon: 00[LIB] plugin 'sql': failed to load -
>> sql_plugin_create returned NULL
>> Jan  7 22:00:06 mac17 charon: 00[CFG] loaded 0 RADIUS server
>> configurations
>> Jan  7 22:00:06 mac17 charon: 00[LIB] plugin 'medsrv' failed to load:
>> /usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared
>> object file: No such file or directory
>> Jan  7 22:00:06 mac17 charon: 00[CFG] mediation client database URI not
>> defined, skipped
>> Jan  7 22:00:06 mac17 charon: 00[LIB] plugin 'medcli': failed to load -
>> medcli_plugin_create returned NULL
>> Jan  7 22:00:06 mac17 NetworkManager[1092]: <info> VPN service
>> 'strongswan' appeared; activating connections
>> Jan  7 22:00:06 mac17 charon: 00[CFG] HA config misses local/remote
>> address
>> Jan  7 22:00:06 mac17 charon: 00[LIB] plugin 'ha': failed to load -
>> ha_plugin_create returned NULL
>> Jan  7 22:00:06 mac17 charon: 00[DMN] loaded plugins: test-vectors curl
>> ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey
>> pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm
>> attr kernel-netlink resolve socket-raw farp stroke updown eap-identity
>> eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc
>> nm dhcp led addrblock
>> Jan  7 22:00:06 mac17 charon: 00[JOB] spawning 16 worker threads
>> Jan  7 22:00:06 mac17 charon: 06[CFG] received initiate for
>> NetworkManager connection TestVPN
>> Jan  7 22:00:06 mac17 NetworkManager[1092]: <info> VPN plugin state
>> changed: starting (3)
>> Jan  7 22:00:06 mac17 charon: 06[CFG] using CA certificate, gateway
>> identity x.x.x.x'
>> Jan  7 22:00:06 mac17 charon: 06[IKE] initiating IKE_SA TestVPN[1]
>> to x.x.x.x
>> Jan  7 22:00:06 mac17 charon: 06[ENC] generating IKE_SA_INIT request 0 [
>> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Jan  7 22:00:06 mac17 charon: 06[NET] sending packet: from
>> 192.168.1.1[500] to x.x.x.x[500]
>> Jan  7 22:00:06 mac17 NetworkManager[1092]: <info> VPN connection
>> 'TestVPN' (Connect) reply received.
>> Jan  7 22:00:10 mac17 charon: 11[IKE] retransmit 1 of request with
>> message ID 0
>> Jan  7 22:00:10 mac17 charon: 11[NET] sending packet: from
>> 192.168.1.1[500] to x.x.x.x[500]
>> Jan  7 22:00:17 mac17 charon: 12[IKE] retransmit 2 of request with
>> message ID 0
>> Jan  7 22:00:17 mac17 charon: 12[NET] sending packet: from
>> 192.168.1.1[500] to x.x.x.x[500]
>> Jan  7 22:00:30 mac17 wpa_supplicant[1361]: wlan0: WPA: Group rekeying
>> completed with 00:24:a5:ea:a5:a2 [GTK=CCMP]
>> Jan  7 22:00:30 mac17 charon: 13[IKE] retransmit 3 of request with
>> message ID 0
>> Jan  7 22:00:30 mac17 charon: 13[NET] sending packet: from
>> 192.168.1.1[500] to x.x.x.x[500]
>> Jan  7 22:00:46 mac17 NetworkManager[1092]: <warn> VPN connection
>> 'TestVPN' (IP Config Get) timeout exceeded.
>> Jan  7 22:00:46 mac17 NetworkManager[1092]: <info> Policy set 'Braga'
>> (wlan0) as default for IPv4 routing and DNS.
>> Jan  7 22:00:46 mac17 charon: 01[IKE] destroying IKE_SA in state
>> CONNECTING without notification
>> Jan  7 22:00:51 mac17 charon: 00[DMN] signal of type SIGTERM received.
>> Shutting down
>> Jan  7 22:00:51 mac17 NetworkManager[1092]: <info> VPN service
>> 'strongswan' disappeared
>>
>> My initial configuration file was:
>>
>> --- /etc/strongswan.conf ---
>>
>> # strongswan.conf - strongSwan configuration file
>> charon {
>> threads = 16
>> plugins {
>> sql {
>> loglevel = -1
>> }
>> }
>> }
>>
>> pluto {
>> }
>> libstrongswan {
>> }
>>
>> ----------------
>>
>> And here is the Network Manager configuration:
>>
>> --- /etc/NetworkManager/system-connections/TestVPN ---
>>
>> [connection]
>> id=TestVPN
>> uuid=07ac4ce3-c6c3-4d42-8bb6-29e56a8751db
>> type=vpn
>> autoconnect=false
>>
>> [vpn]
>> service-type=org.freedesktop.NetworkManager.strongswan
>> virtual=no
>> encap=no
>> address=x.x.x.x
>> user=??????
>> method=eap
>> ipcomp=yes
>> password-flags=1
>>
>> [ipv4]
>> method=auto
>> ----------------
>>
>> Besides the timeout issue, I noted the plugin loading issues in the
>> charon logs. Looking at what I got in the system by default:
>>
>> $ ls /usr/lib/ipsec/plugins/
>> libstrongswan-addrblock.so     libstrongswan-eap-tls.so
>> libstrongswan-pkcs11.so
>> libstrongswan-aes.so           libstrongswan-eap-tnc.so
>> libstrongswan-pkcs1.so
>> libstrongswan-agent.so         libstrongswan-eap-ttls.so
>>   libstrongswan-pubkey.so
>> libstrongswan-attr.so          libstrongswan-farp.so
>>   libstrongswan-random.so
>> libstrongswan-attr-sql.so      libstrongswan-fips-prf.so
>>   libstrongswan-resolve.so
>> libstrongswan-ccm.so           libstrongswan-gcm.so
>> libstrongswan-revocation.so
>> libstrongswan-constraints.so   libstrongswan-gmp.so
>> libstrongswan-sha1.so
>> libstrongswan-ctr.so           libstrongswan-ha.so
>>   libstrongswan-sha2.so
>> libstrongswan-curl.so          libstrongswan-hmac.so
>>   libstrongswan-socket-raw.so
>> libstrongswan-des.so           libstrongswan-kernel-netlink.so
>>   libstrongswan-sql.so
>> libstrongswan-dhcp.so          libstrongswan-ldap.so
>>   libstrongswan-stroke.so
>> libstrongswan-dnskey.so        libstrongswan-led.so
>> libstrongswan-test-vectors.so
>> libstrongswan-eap-aka.so       libstrongswan-md5.so
>> libstrongswan-updown.so
>> libstrongswan-eap-gtc.so       libstrongswan-medcli.so
>>   libstrongswan-x509.so
>> libstrongswan-eap-identity.so  libstrongswan-nm.so
>>   libstrongswan-xauth.so
>> libstrongswan-eap-md5.so       libstrongswan-openssl.so
>> libstrongswan-xcbc.so
>> libstrongswan-eap-mschapv2.so  libstrongswan-pem.so
>> libstrongswan-eap-radius.so    libstrongswan-pgp.so
>>
>> Adding the load into the strongswan.conf file at least clears the
>> warnings, but I am not sure if these modules should be here, and
>> loaded...
>>
>> Any help really appreciated!
>>
>> Thanks,
>>
>>
>> --
>> *Braga, Bruno*
>> www.brunobraga.net <http://www.brunobraga.net>
>> bruno.braga at gmail.com <mailto:bruno.braga at gmail.com>
>>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
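As a first troubleshooting step for the timeout discussed in this thread, the following added example (not part of either message, and not strongSwan code) reads charon syslog lines and reports whether any reply to the IKE_SA_INIT request arrived, along with the retransmit spacing. The sample log is constructed from the lines quoted above; the function name `diagnose` and the verdict strings are assumptions made for the example.

```python
import re

# Constructed sample, modelled on the charon lines quoted in the thread
# (wrapped lines rejoined; "x.x.x.x" is the poster's redacted gateway).
SAMPLE_LOG = """\
Jan  7 22:00:06 mac17 charon: 06[IKE] initiating IKE_SA TestVPN[1] to x.x.x.x
Jan  7 22:00:06 mac17 charon: 06[NET] sending packet: from 192.168.1.1[500] to x.x.x.x[500]
Jan  7 22:00:10 mac17 charon: 11[IKE] retransmit 1 of request with message ID 0
Jan  7 22:00:10 mac17 charon: 11[NET] sending packet: from 192.168.1.1[500] to x.x.x.x[500]
Jan  7 22:00:17 mac17 charon: 12[IKE] retransmit 2 of request with message ID 0
Jan  7 22:00:17 mac17 charon: 12[NET] sending packet: from 192.168.1.1[500] to x.x.x.x[500]
Jan  7 22:00:30 mac17 charon: 13[IKE] retransmit 3 of request with message ID 0
Jan  7 22:00:30 mac17 charon: 13[NET] sending packet: from 192.168.1.1[500] to x.x.x.x[500]
Jan  7 22:00:46 mac17 charon: 01[IKE] destroying IKE_SA in state CONNECTING without notification
"""

# syslog prefix, then charon's "<thread>[<subsystem>] <message>"
LINE = re.compile(
    r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \S+ charon: \d+\[(\w+)\] (.*)$")

def diagnose(log_text):
    """Summarise the IKE exchange seen in charon syslog lines."""
    send_times, retransmits, received = [], 0, 0
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # other daemons, or the tail of a wrapped line
        h, mi, s, subsystem, msg = m.groups()
        now = int(h) * 3600 + int(mi) * 60 + int(s)  # assumes a single day
        if subsystem == "NET" and msg.startswith("sending packet"):
            send_times.append(now)
        elif subsystem == "NET" and msg.startswith("received packet"):
            received += 1
        elif subsystem == "IKE" and msg.startswith("retransmit"):
            retransmits += 1
    # Seconds between successive transmissions of the request
    gaps = [b - a for a, b in zip(send_times, send_times[1:])]
    if not send_times:
        verdict = "no IKE request in log"
    elif received == 0:
        verdict = "no reply from gateway"
    else:
        verdict = "gateway replied"
    return {"sent": len(send_times), "retransmits": retransmits,
            "received": received, "gaps": gaps, "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

A "no reply from gateway" verdict only confirms the symptom; the log alone cannot tell apart the three causes named in the reply (gateway unreachable, nothing listening on UDP port 500, or an IKEv1-only gateway).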