[strongSwan] Problem connecting to VPN router

Thorsten Meinl Thorsten.Meinl at uni-konstanz.de
Wed Mar 13 17:35:16 CET 2013


Hi,

I'm currently switching from openswan to strongswan. My VPN connection
worked perfectly with openswan, but I have no luck with strongswan. The
connection gets stuck in the middle of the IKE phase (complete log attached):

13[ENC] generating ID_PROT request 0 [ ID SIG CERTREQ ]
13[NET] sending packet: from 134.34.224.42[500] to 212.126.160.54[500] (412 bytes)
14[NET] received packet: from 212.126.160.54[500] to 134.34.224.42[500] (356 bytes)
14[IKE] received retransmit of response with ID 0, but next request already sent

Some more "received retransmit" follow. It seems the VPN router (Draytek
Vigor) is responding to the second ID_PROT request with the same
response as for the first. My ipsec.conf is also attached. Any ideas?

Cheers,

Thorsten


-- 
Dr.-Ing. Thorsten Meinl               room: Z813
Nycomed Chair for Bioinformatics      fax: +49 (0)7531 88-5132
and Information Mining                phone: +49 (0)7531 88-5016
Box 712, 78457 Konstanz, Germany
-------------- next part --------------
Mar 13 17:30:40 [charon] 00[DMN] Starting IKE charon daemon (strongSwan 5.0.2, Linux 3.0.35-tuxonice, x86_64)
Mar 13 17:30:40 [charon] 00[KNL] received netlink error: Address family not supported by protocol (97)
Mar 13 17:30:40 [charon] 00[KNL] unable to create IPv6 routing table rule
Mar 13 17:30:40 [charon] 00[NET] could not open socket: Address family not supported by protocol
Mar 13 17:30:40 [charon] 00[NET] could not open IPv6 socket, IPv6 disabled
Mar 13 17:30:40 [charon] 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mar 13 17:30:40 [charon] 00[CFG]   loaded ca certificate "C=CH, ST=Zurich, O=KNIME.com AG, CN=KNIME.com Certificate Authority" from '/etc/ipsec.d/cacerts/knime-com.pem'
Mar 13 17:30:40 [charon] 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mar 13 17:30:40 [charon] 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mar 13 17:30:40 [charon] 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mar 13 17:30:40 [charon] 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mar 13 17:30:40 [charon] 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 13 17:30:40 [charon] 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/knime-vpn.pem'
Mar 13 17:30:40 [charon] 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Mar 13 17:30:40 [charon] 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar 13 17:30:40 [charon] 00[JOB] spawning 16 worker threads
Mar 13 17:30:40 [ipsec_starter] charon (10586) started after 20 ms
Mar 13 17:30:40 [charon] 09[CFG] received stroke: add connection 'zurich'
Mar 13 17:30:40 [charon] 09[CFG] left nor right host is our side, assuming left=local
Mar 13 17:30:40 [charon] 09[CFG]   loaded certificate "C=CH, ST=Zurich, L=Zurich, O=KNIME.com AG, CN=Thorsten Meinl, E=thorsten.meinl at knime.com" from 'knime-vpn.pem'
Mar 13 17:30:40 [charon] 09[CFG]   loaded certificate "C=CH, ST=Zurich, L=Zurich, O=KNIME.com AG, CN=KNIME.com VPN Router" from 'knime-router.pem'
Mar 13 17:30:40 [charon] 09[CFG] added configuration 'zurich'
Mar 13 17:30:40 [charon] 11[CFG] received stroke: initiate 'zurich'
Mar 13 17:30:40 [charon] 11[IKE] initiating Main Mode IKE_SA zurich[1] to 212.126.160.54
                - Last output repeated twice -
Mar 13 17:30:40 [charon] 11[ENC] generating ID_PROT request 0 [ SA V V V V ]
Mar 13 17:30:40 [charon] 11[NET] sending packet: from 134.34.224.42[500] to 212.126.160.54[500] (224 bytes)
Mar 13 17:30:40 [charon] 12[NET] received packet: from 212.126.160.54[500] to 134.34.224.42[500] (124 bytes)
Mar 13 17:30:40 [charon] 12[ENC] parsed ID_PROT response 0 [ SA V V ]
Mar 13 17:30:40 [charon] 12[IKE] received DPD vendor ID
Mar 13 17:30:40 [charon] 12[IKE] received NAT-T (RFC 3947) vendor ID
Mar 13 17:30:40 [charon] 12[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 13 17:30:40 [charon] 12[NET] sending packet: from 134.34.224.42[500] to 212.126.160.54[500] (372 bytes)
Mar 13 17:30:40 [charon] 13[NET] received packet: from 212.126.160.54[500] to 134.34.224.42[500] (356 bytes)
Mar 13 17:30:40 [charon] 13[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Mar 13 17:30:40 [charon] 13[IKE] sending cert request for "C=CH, ST=Zurich, O=KNIME.com AG, CN=KNIME.com Certificate Authority"
Mar 13 17:30:40 [charon] 13[IKE] authentication of 'C=CH, ST=Zurich, L=Zurich, O=KNIME.com AG, CN=Thorsten Meinl, E=thorsten.meinl at knime.com' (myself) successful
Mar 13 17:30:40 [charon] 13[ENC] generating ID_PROT request 0 [ ID SIG CERTREQ ]
Mar 13 17:30:40 [charon] 13[NET] sending packet: from 134.34.224.42[500] to 212.126.160.54[500] (412 bytes)
Mar 13 17:30:43 [charon] 14[NET] received packet: from 212.126.160.54[500] to 134.34.224.42[500] (356 bytes)
Mar 13 17:30:43 [charon] 14[IKE] received retransmit of response with ID 0, but next request already sent
Mar 13 17:30:44 [charon] 08[IKE] sending retransmit 1 of request message ID 0, seq 3
Mar 13 17:30:44 [charon] 08[NET] sending packet: from 134.34.224.42[500] to 212.126.160.54[500] (412 bytes)
Mar 13 17:30:49 [charon] 09[NET] received packet: from 212.126.160.54[500] to 134.34.224.42[500] (356 bytes)
Mar 13 17:30:49 [charon] 09[IKE] received retransmit of response with ID 0, but next request already sent
Mar 13 17:30:52 [charon] 10[IKE] sending retransmit 2 of request message ID 0, seq 3
Mar 13 17:30:52 [charon] 10[NET] sending packet: from 134.34.224.42[500] to 212.126.160.54[500] (412 bytes)
Mar 13 17:31:05 [charon] 11[IKE] sending retransmit 3 of request message ID 0, seq 3
Mar 13 17:31:05 [charon] 11[NET] sending packet: from 134.34.224.42[500] to 212.126.160.54[500] (412 bytes)
-------------- next part --------------
# ipsec.conf - strongSwan IPsec configuration file

version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup


conn zurich 
	authby=rsasig
	type=tunnel
	keyexchange=ikev1
	# left=%any
	leftid="C=CH, ST=Zurich, L=Zurich, O=KNIME.com AG, CN=Thorsten Meinl, E=thorsten.meinl at knime.com"
	leftauth=pubkey
	leftfirewall=yes
	# leftrsasigkey=%cert
	leftcert=knime-vpn.pem
	right=212.126.160.54
	rightid="C=CH, ST=Zurich, L=Zurich, O=KNIME.com AG, CN=KNIME.com VPN Router"
	rightauth=pubkey
	rightcert=knime-router.pem
	rightsubnet=172.17.17.0/24
	auto=start
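As an added example, not from the post or from strongSwan itself: a small Python checker that replays the charon Main Mode lines above and reports which request the peer stopped answering. It uses the packet sizes charon logs as a proxy for "the same response again", since the log does not expose message contents; the sample log is condensed from the post (sending lines dropped).

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the charon lines from the post above, with the "sending
# packet" lines left out because the diagnosis below does not use them.
SAMPLE_LOG = """\
Mar 13 17:30:40 [charon] 11[ENC] generating ID_PROT request 0 [ SA V V V V ]
Mar 13 17:30:40 [charon] 12[NET] received packet: from 212.126.160.54[500] to 134.34.224.42[500] (124 bytes)
Mar 13 17:30:40 [charon] 12[ENC] parsed ID_PROT response 0 [ SA V V ]
Mar 13 17:30:40 [charon] 12[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 13 17:30:40 [charon] 13[NET] received packet: from 212.126.160.54[500] to 134.34.224.42[500] (356 bytes)
Mar 13 17:30:40 [charon] 13[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Mar 13 17:30:40 [charon] 13[ENC] generating ID_PROT request 0 [ ID SIG CERTREQ ]
Mar 13 17:30:43 [charon] 14[NET] received packet: from 212.126.160.54[500] to 134.34.224.42[500] (356 bytes)
Mar 13 17:30:43 [charon] 14[IKE] received retransmit of response with ID 0, but next request already sent
Mar 13 17:30:49 [charon] 09[NET] received packet: from 212.126.160.54[500] to 134.34.224.42[500] (356 bytes)
Mar 13 17:30:49 [charon] 09[IKE] received retransmit of response with ID 0, but next request already sent
"""

GEN_RE = re.compile(r"generating ID_PROT request \d+ \[ (?P<p>[^\]]+?) ?\]")
PARSED_RE = re.compile(r"parsed ID_PROT response \d+ \[")
RECV_RE = re.compile(r"received packet: .* \((?P<size>\d+) bytes\)")
STALE_RE = re.compile(r"received retransmit of response with ID \d+, but next request already sent")

def diagnose_main_mode(log: str) -> Dict[str, object]:
    """Replay a charon IKEv1 Main Mode log and report which request the peer stopped answering."""
    last_request: Optional[str] = None     # payloads of the most recently generated request
    answered: List[str] = []               # requests that received a parsed (accepted) response
    last_accepted: Optional[int] = None    # size of the last response charon accepted
    pending: Optional[int] = None          # size of the most recently received packet
    stale: List[int] = []                  # sizes of packets charon discarded as stale
    for line in log.splitlines():
        if m := GEN_RE.search(line):
            last_request = m.group("p").strip()
        elif m := RECV_RE.search(line):
            pending = int(m.group("size"))
        elif PARSED_RE.search(line):
            answered.append(last_request)
            last_accepted = pending
        elif STALE_RE.search(line):
            stale.append(pending)
    unanswered = last_request if last_request not in answered else None
    return {
        "answered": answered,
        "stalled_on": unanswered,
        "stale_replies": len(stale),
        # Every stale packet is the same size as the last accepted response: the
        # peer is re-sending its previous reply instead of processing the new request.
        "peer_repeating_previous_response": bool(stale) and all(s == last_accepted for s in stale),
    }
```

On the sample this reports the stall on the `ID SIG CERTREQ` request with two 356-byte stale replies matching the earlier KE response, which points at the responder rather than at the initiator's retransmit timing.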