[strongSwan] question about how to connect from a mobile station

Farid Farid farid21657 at yahoo.com
Thu Oct 24 19:24:37 CEST 2013


Hi Martin, 

Thanks so much for the response. 
The other end runs Openswan (I need to find out where to find the log file). It is not important if I use IKEv1 or IKEv2 to establish the tunnel (which one do you recommend and is easier to troubleshoot?).
Today as a test I tried IKEv2 and I got a different result that you can see below (it failed, but it is not retransmitting any more).
I bet I am missing something here.

I truly appreciate your help on it.


Best Regards,
Farid

STRONGSWAN  side:

root@LMU5k:~# ipsec up 1
initiating IKE_SA 1[1] to 216.177.93.234
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.98.148.242[500] to 216.177.93.234[500] (692 bytes)
received packet: from 216.177.93.234[500] to 10.98.148.242[500] (376 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V ]
received unknown vendor ID: 4f:45:68:79:4c:64:41:43:65:63:66:61
authentication of 'lmu55' (myself) with pre-shared key
establishing CHILD_SA 1
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 10.98.148.242[500] to 216.177.93.234[500] (396 bytes)
received packet: from 216.177.93.234[500] to 10.98.148.242[500] (156 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA N(TS_UNACCEPT) ]
authentication of 'lmudiag' with pre-shared key successful
IKE_SA 1[1] established between 10.98.148.242[lmu55]...216.177.93.234[lmudiag]
scheduling reauthentication in 10087s
maximum IKE_SA lifetime 10627s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection '1' failed


root@LMU5k:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.4, Linux 3.3.8, armv5tejl):
  uptime: 8 minutes, since Oct 24 17:02:18 2013
  malloc: sbrk 159744, mmap 0, used 129432, free 30312
  worker threads: 6 of 16 idle, 9/1/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon test-vectors aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey pem openssl af-alg fips-prf gmp xcbc hmac attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default farp stroke updown eap-md5 xauth-generic xauth-eap uci
Listening IP addresses:
  192.168.1.55
  10.98.148.242
Connections:
           1:  %any...216.177.93.234  IKEv2
           1:   local:  [lmu55] uses pre-shared key authentication
           1:   remote: [lmudiag] uses pre-shared key authentication
           1:   child:  dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
           1[1]: ESTABLISHED 7 minutes ago, 10.98.148.242[lmu55]...216.177.93.234[lmudiag]
           1[1]: IKEv2 SPIs: c23cf7b84e791fa3_i* 590ceb5f86c39212_r, pre-shared key reauthentication in 2 hours
           1[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048




OPENSWAN SIDE:

>>> ipsec   auto  --status  

000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "lmu": 10.0.12.34<10.0.12.34>[@lmudiag,+S=C]...%any[@lmu55,+S=C]; unrouted; eroute owner: #0
000 "lmu":     myip=unset; hisip=unset;
000 "lmu":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "lmu":   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+IKEv2Init+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "lmu":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "lmu"[1]: 10.0.12.34<10.0.12.34>[@lmudiag,+S=C]...166.137.184.249[@lmu55,+S=C]; unrouted; eroute owner: #0
000 "lmu"[1]:     myip=unset; hisip=unset;
000 "lmu"[1]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "lmu"[1]:   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+IKEv2Init+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "lmu"[1]:   newest ISAKMP SA: #3; newest IPsec SA: #0;
000 "lmu"[1]:   IKE algorithm newest: _128-SHA1-MODP2048
000
000 #1: "lmu"[1] 166.137.184.249:43125 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2757s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #3: "lmu"[1] 166.137.184.249:60528 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 2772s; newest ISAKMP; nodpd; idle; import:respond to stranger


Here is ipsec.conf from the Openswan side:

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=auto
        nat_traversal=yes
        #virtual_private=
        oe=off
        # Enable this if you see "failed to find any available worker"
        # nhelpers=0

conn  lmu
        left=10.0.12.34
        leftid=@lmudiag
        #ikev2=insist
        ikev2=yes
        #keyexchange=ike
        right=%any
        rightid=@lmu55
        type=tunnel
        authby=secret
        auth=esp
        #pfs=yes
        auto=add




Also below is the output of Openswan if I use IKEv1.

Here is the output of: >> ipsec auto --status


 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "lmu": 10.0.12.34<10.0.12.34>[@lmudiag,+S=C]...%any[@lmu55,+S=C]; unrouted; eroute owner: #0
000 "lmu":     myip=unset; hisip=unset;
000 "lmu":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "lmu":   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "lmu":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "lmu"[1]: 10.0.12.34<10.0.12.34>[@lmudiag,+S=C]...198.228.211.206[@lmu55,+S=C]; unrouted; eroute owner: #0
000 "lmu"[1]:     myip=unset; hisip=unset;
000 "lmu"[1]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "lmu"[1]:   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "lmu"[1]:   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "lmu"[1]:   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #2: "lmu"[1] 198.228.211.206:51400 STATE_QUICK_R0 (expecting QI1); EVENT_CRYPTO_FAILED in 255s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #1: "lmu"[1] 198.228.211.206:51400 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3285s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000






On Thursday, October 24, 2013 7:57 AM, Pruss Brian-ABP035 <brian.pruss at motorolasolutions.com> wrote:
 
The Fedora packages won't work on RHEL or CentOS, but EPEL packages will: http://pkgs.org/download/strongswan .


-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org] 
Sent: Thursday, October 24, 2013 2:14 AM
To: Farid Farid
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] question about how to connect from a mobile station

Hi,

> IKE_SA 1[1] established between 10.227.110.112[lmu55]...216.177.93.234[lmudiag]
> generating QUICK_MODE request 1438687057 [ HASH SA No ]
> sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)
> sending retransmit 1 of request message ID 1438687057, seq 4
> sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)

The responder does not answer the Quick Mode request. Most likely it considers it not acceptable. Have a look at the responder log to see what is wrong.

> The other end runs Openswan on a CentOS 5.8 machine. Is there any
> strongSwan package available for CentOS?

Not any that I'm aware of. But maybe the Fedora packages [1] work?

Regards
Martin

[1] https://apps.fedoraproject.org/packages/strongswan
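
Added example (not part of the original thread and not strongSwan code): a small Python classifier for initiator-side charon output, run over log lines re-joined from the two attempts above, that separates "IKE_SA up but CHILD_SA rejected with a notify" from "IKE_SA up but the responder never answered". The regular expressions assume the message wording seen in this thread; `diagnose` and the stage names are hypothetical.

```python
import re

# Constructed samples: initiator (strongSwan) lines re-joined from the thread above.
SAMPLE_IKEV2 = """\
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
parsed IKE_AUTH response 1 [ IDr AUTH SA N(TS_UNACCEPT) ]
IKE_SA 1[1] established between 10.98.148.242[lmu55]...216.177.93.234[lmudiag]
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
"""
SAMPLE_IKEV1 = """\
IKE_SA 1[1] established between 10.227.110.112[lmu55]...216.177.93.234[lmudiag]
generating QUICK_MODE request 1438687057 [ HASH SA No ]
sending retransmit 1 of request message ID 1438687057, seq 4
"""

GENERATED = re.compile(r"generating (\S+) request (\d+) \[")
PARSED = re.compile(r"parsed (\S+) response (\d+) \[ (.*?) \]")
NOTIFY = re.compile(r"N\(([A-Z0-9_]+)\)")
RETRANSMIT = re.compile(r"sending retransmit \d+ of request message ID (\d+)")
IKE_UP = re.compile(r"IKE_SA \S+ established between")

def diagnose(log):
    """Classify an initiator log: did the IKE_SA come up, and how did the child SA fail?"""
    ike_up = child_failed = False
    notifies, pending, retransmitted = [], {}, set()
    for line in log.splitlines():
        if m := GENERATED.search(line):
            pending[m.group(2)] = m.group(1)       # message ID -> exchange type
        elif m := PARSED.search(line):
            pending.pop(m.group(2), None)          # this request was answered
            notifies += NOTIFY.findall(m.group(3)) # notifies sent by the responder
        elif m := RETRANSMIT.search(line):
            retransmitted.add(m.group(1))
        elif IKE_UP.search(line):
            ike_up = True
        elif "failed to establish CHILD_SA" in line:
            child_failed = True
    # Requests that were retransmitted and never got a parsed response.
    unanswered = sorted((pending[i], i) for i in retransmitted if i in pending)
    if not ike_up:
        stage = "ike_sa_failed"
    elif unanswered:
        stage = "child_sa_no_response"
    elif child_failed:
        stage = "child_sa_rejected"
    else:
        stage = "no_failure_logged"
    return {"stage": stage, "notifies": notifies, "unanswered": unanswered}
```

On the IKEv2 sample the result is `child_sa_rejected` with the `TS_UNACCEPT` notify, meaning authentication succeeded and the responder refused the proposed traffic selectors; on the IKEv1 sample it is `child_sa_no_response` for the Quick Mode request.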