[strongSwan] Ipsec tunnel is connected but can't see any ESP data

Farid Farid farid21657 at yahoo.com
Thu Jul 25 03:09:31 CEST 2013


Hi everyone,

Finally I am able to connect successfully two Linux machines running strongSwan in a net-net topology using IKEv1 and PSK. You can see below the log data from the >>ipsec up conn command and >>>ipsec statusall.
But I still can't see any ESP packet when I ping the other machine. Tcpdump still shows plain IP packets.
I am following this example:  http://www.strongswan.org/uml/testresults/ikev1/net2net-psk/

Thanks for the help,
Farid


root at LMU5k:~# ipsec up lmu55
initiating Main Mode IKE_SA lmu55[1] to 192.168.1.56
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (224 bytes)
received packet: from 192.168.1.56[500] to 192.168.1.55[500] (136 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (372 bytes)
received packet: from 192.168.1.56[500] to 192.168.1.55[500] (372 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (92 bytes)
received packet: from 192.168.1.56[500] to 192.168.1.55[500] (92 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA lmu55[1] established between 192.168.1.55[lmu55.strongswan.com]...192.168.1.56[lmu56.strongswan.com]
scheduling reauthentication in 3253s
maximum IKE_SA lifetime 3433s
generating QUICK_MODE request 3127380485 [ HASH SA No ID ID ]
sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (236 bytes)
received packet: from 192.168.1.56[500] to 192.168.1.55[500] (188 bytes)
parsed QUICK_MODE response 3127380485 [ HASH SA No ID ID ]
connection 'lmu55' established successfully


root at LMU8:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.4, Linux 3.3.8, armv5tejl):
  uptime: 2 minutes, since Jul 25 00:01:40 2013
  malloc: sbrk 94208, mmap 0, used 79688, free 14520
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
Listening IP addresses:
  192.168.1.56
  10.1.201.2
  10.5.125.142
Connections:
       lmu56:  192.168.1.56...192.168.1.55  IKEv1
       lmu56:   local:  [lmu56.strongswan.com] uses pre-shared key authentication
       lmu56:   remote: [lmu55.strongswan.com] uses pre-shared key authentication
       lmu56:   child:  10.1.201.0/24 === 10.0.201.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
       lmu56[1]: ESTABLISHED 2 minutes ago, 192.168.1.56[lmu56.strongswan.com]...192.168.1.55[lmu55.strongswan.com]
       lmu56[1]: IKEv1 SPIs: 77df8f5e925d19d7_i* a0153d6dae17c55b_r, pre-shared key reauthentication in 52 minutes
       lmu56[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048

________________________________
 From: Farid Farid <farid21657 at yahoo.com>
To: "users at lists.strongswan.org" <users at lists.strongswan.org> 
Sent: Wednesday, July 24, 2013 10:59 AM
Subject: [strongSwan] ipsec connectivity fails on phase2 with error: [ HASH N(INVAL_ID) ]
 


Hi everyone,

I am trying to set up a simple IPsec tunnel (net-to-net) using PSK, following the example shown here on the strongSwan website: http://www.strongswan.org/uml/testresults/ikev1/net2net-psk/

I am running strongSwan 5.0.1 on both sides and I am using the exact setup shown in this example.
My left gateway is lmu55=192.168.1.55 and right gateway is lmu56=192.168.1.56. When I start strongSwan on both sides and issue the command >>ipsec up lmu55
(lmu55 is the connection name for the left side) from the left side, I get the following messages and the connection fails. I looked at the tcpdump data and it seems it completes phase 1 but fails on phase 2. I can also see the establishment of the SA:
.......    
KE_SA lmu55[1] established between 192.168.1.55[lmu55.strongswan.com]...192.168.1.56[lmu56.strongswan.com]

....

The error is [ HASH N(INVAL_ID) ], which you can see below in the output of the ipsec command.
I am wondering what I am missing here in my setup.

I appreciate your help in advance.
Farid


root at LMU5k:~# ipsec up lmu55
initiating Main Mode IKE_SA lmu55[1] to 192.168.1.56
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (224 bytes)
received packet: from 192.168.1.56[500] to 192.168.1.55[500] (136 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (372 bytes)
received packet: from 192.168.1.56[500] to 192.168.1.55[500] (372 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (92 bytes)
received packet: from 192.168.1.56[500] to 192.168.1.55[500] (92 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA lmu55[1] established between 192.168.1.55[lmu55.strongswan.com]...192.168.1.56[lmu56.strongswan.com]
scheduling reauthentication in 10258s
maximum IKE_SA lifetime 10798s
generating QUICK_MODE request 1597565745 [ HASH SA No ID ID ]
sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (236 bytes)
received packet: from 192.168.1.56[500] to 192.168.1.55[500] (76 bytes)
parsed INFORMATIONAL_V1 request 4090518834 [ HASH N(INVAL_ID) ]
received INVALID_ID_INFORMATION error notify
establishing connection 'lmu55' failed
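As an added illustration, not code from the thread or from strongSwan, the following Python script checks the two things this thread turns on. First, whether a given ping falls inside the CHILD_SA traffic selectors that `ipsec statusall` prints on the `child:` line: a packet outside 10.1.201.0/24 === 10.0.201.0/24, such as a ping between the gateway addresses 192.168.1.55 and 192.168.1.56 themselves, never matches the IPsec policy and leaves the box as plain IP even though the IKE_SA is up, which is exactly what tcpdump then shows. Second, whether the two peers' left/right subnets mirror each other, which is what Quick Mode needs before the responder can find a matching connection instead of answering with INVALID_ID_INFORMATION as in the earlier message. The lmu56 `child:` line is the one quoted above; the lmu55-side selector lines and the host 10.0.201.1 are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample input: the `child:` line from the `ipsec statusall`
# output quoted in the thread (responder lmu56 at 192.168.1.56).
STATUSALL_CHILD_LINE = "       lmu56:   child:  10.1.201.0/24 === 10.0.201.0/24 TUNNEL"

# strongSwan prints the connection's own (local) subnet first, then the peer's.
CHILD_RE = re.compile(r"child:\s+(\S+)\s+===\s+(\S+)\s+(TUNNEL|TRANSPORT|BEET)")


def parse_child_selectors(line):
    """Return (local_ts, remote_ts, mode) from a strongSwan `child:` status line."""
    m = CHILD_RE.search(line)
    if m is None:
        raise ValueError("not a strongSwan child: status line: %r" % line)
    local, remote, mode = m.groups()
    return ipaddress.ip_network(local), ipaddress.ip_network(remote), mode


def flow_is_protected(src, dst, local_ts, remote_ts):
    """True if a packet src -> dst lies inside the CHILD_SA traffic selectors.

    Packets outside the selectors never hit the IPsec policy, so they leave
    the gateway as plain IP even though the tunnel is 'established'.
    """
    return (ipaddress.ip_address(src) in local_ts
            and ipaddress.ip_address(dst) in remote_ts)


def selectors_mirror(initiator, responder):
    """Quick Mode only matches a connection when the initiator's
    (local, remote) pair equals the responder's (remote, local) pair.
    Otherwise the responder finds no config for the proposed IDs and
    replies with INVALID_ID_INFORMATION. Arguments are (local_ts, remote_ts).
    """
    init_local, init_remote = initiator
    resp_local, resp_remote = responder
    return init_local == resp_remote and init_remote == resp_local


def diagnose(src, dst, child_line):
    """Explain, for one ping src -> dst, what tcpdump on the gateway should show."""
    local_ts, remote_ts, mode = parse_child_selectors(child_line)
    if flow_is_protected(src, dst, local_ts, remote_ts):
        return "protected: expect ESP (%s mode) on the wire" % mode
    return ("unprotected: %s -> %s is outside %s === %s, expect plain IP"
            % (src, dst, local_ts, remote_ts))


if __name__ == "__main__":
    # Pinging the peer gateway's own address is outside the selectors:
    # tcpdump shows plain ICMP, not ESP.
    print(diagnose("192.168.1.56", "192.168.1.55", STATUSALL_CHILD_LINE))
    # 10.1.201.2 is one of lmu56's listening addresses; 10.0.201.1 is an
    # assumed host behind lmu55. That flow is inside the selectors.
    print(diagnose("10.1.201.2", "10.0.201.1", STATUSALL_CHILD_LINE))
    # Hypothetical lmu55-side child lines (the thread does not show them):
    resp = parse_child_selectors(STATUSALL_CHILD_LINE)[:2]
    good = parse_child_selectors("lmu55:   child:  10.0.201.0/24 === 10.1.201.0/24 TUNNEL")[:2]
    bad = parse_child_selectors("lmu55:   child:  10.0.201.0/24 === 10.1.202.0/24 TUNNEL")[:2]
    print("mirrored:", selectors_mirror(good, resp))  # True
    print("mirrored:", selectors_mirror(bad, resp))   # False: INVAL_ID in Quick Mode
```

Run it on each gateway with that gateway's own `child:` line and the real source and destination of the ping; if the flow comes back "unprotected", the fix is to generate traffic from a host inside the local subnet to a host inside the remote subnet (or to widen the subnets on both sides consistently), not to touch the IKE settings.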
