[strongSwan] question about how to connect from a mobile station
Farid Farid
farid21657 at yahoo.com
Thu Oct 24 19:24:37 CEST 2013
Hi Martin,
Thanks so much for the response.
The other end runs Openswan (I need to find out where to find the log file). It is not important whether I use IKEv1 or IKEv2 to establish the tunnel. (Which one do you recommend, and which is easier to troubleshoot?)
Today, as a test, I tried IKEv2 and got a different result, which you can see below (it failed, but it is not retransmitting any more).
I bet I am missing something here.
I truly appreciate your help on it.
Best Regards,
Farid
strongSwan side:
root at LMU5k:~# ipsec up 1
initiating IKE_SA 1[1] to 216.177.93.234
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.98.148.242[500] to 216.177.93.234[500] (692 bytes)
received packet: from 216.177.93.234[500] to 10.98.148.242[500] (376 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V ]
received unknown vendor ID: 4f:45:68:79:4c:64:41:43:65:63:66:61
authentication of 'lmu55' (myself) with pre-shared key
establishing CHILD_SA 1
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 10.98.148.242[500] to 216.177.93.234[500] (396 bytes)
received packet: from 216.177.93.234[500] to 10.98.148.242[500] (156 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA N(TS_UNACCEPT) ]
authentication of 'lmudiag' with pre-shared key successful
IKE_SA 1[1] established between 10.98.148.242[lmu55]...216.177.93.234[lmudiag]
scheduling reauthentication in 10087s
maximum IKE_SA lifetime 10627s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection '1' failed
root at LMU5k:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.4, Linux 3.3.8, armv5tejl):
uptime: 8 minutes, since Oct 24 17:02:18 2013
malloc: sbrk 159744, mmap 0, used 129432, free 30312
worker threads: 6 of 16 idle, 9/1/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey pem openssl af-alg fips-prf gmp xcbc hmac attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default farp stroke updown eap-md5 xauth-generic xauth-eap uci
Listening IP addresses:
192.168.1.55
10.98.148.242
Connections:
1: %any...216.177.93.234 IKEv2
1: local: [lmu55] uses pre-shared key authentication
1: remote: [lmudiag] uses pre-shared key authentication
1: child: dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
1[1]: ESTABLISHED 7 minutes ago, 10.98.148.242[lmu55]...216.177.93.234[lmudiag]
1[1]: IKEv2 SPIs: c23cf7b84e791fa3_i* 590ceb5f86c39212_r, pre-shared key reauthentication in 2 hours
1[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Openswan side:
>>> ipsec auto --status
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0}
attrs={0,0,0}
000
000 "lmu": 10.0.12.34<10.0.12.34>[@lmudiag,+S=C]...%any[@lmu55,+S=C];
unrouted; eroute owner: #0
000 "lmu": myip=unset; hisip=unset;
000 "lmu": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "lmu": policy:
PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+IKEv2Init+SAREFTRACK+lKOD+rKOD; prio: 32,32;
interface: eth0;
000 "lmu": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "lmu"[1]:
10.0.12.34<10.0.12.34>[@lmudiag,+S=C]...166.137.184.249[@lmu55,+S=C];
unrouted; eroute owner: #0
000 "lmu"[1]: myip=unset; hisip=unset;
000 "lmu"[1]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "lmu"[1]: policy:
PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+IKEv2Init+SAREFTRACK+lKOD+rKOD; prio: 32,32;
interface: eth0;
000 "lmu"[1]: newest ISAKMP SA: #3; newest IPsec SA: #0;
000 "lmu"[1]: IKE algorithm newest: _128-SHA1-MODP2048
000
000 #1: "lmu"[1] 166.137.184.249:43125 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 2757s; lastdpd=-1s(seq in:0 out:0); idle;
import:not set
000 #3: "lmu"[1] 166.137.184.249:60528 STATE_PARENT_R2 (received v2I2, PARENT
SA established); EVENT_SA_REPLACE in 2772s; newest ISAKMP; nodpd; idle;
import:respond to stranger
Here is ipsec.conf from openswan side:
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
protostack=auto
nat_traversal=yes
#virtual_private=
oe=off
# Enable this if you see "failed to find any available worker"
# nhelpers=0
conn lmu
left=10.0.12.34
leftid=@lmudiag
#ikev2=insist
ikev2=yes
#keyexchange=ike
right=%any
rightid=@lmu55
type=tunnel
authby=secret
auth=esp
#pfs=yes
auto=add
Below is also the output of Openswan if I use IKEv1.
Here is the output of: >>ipsec auto --status
stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0}
attrs={0,0,0}
000
000 "lmu": 10.0.12.34<10.0.12.34>[@lmudiag,+S=C]...%any[@lmu55,+S=C];
unrouted; eroute owner: #0
000 "lmu": myip=unset; hisip=unset;
000 "lmu": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "lmu": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD;
prio: 32,32; interface: eth0;
000 "lmu": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "lmu"[1]:
10.0.12.34<10.0.12.34>[@lmudiag,+S=C]...198.228.211.206[@lmu55,+S=C];
unrouted; eroute owner: #0
000 "lmu"[1]: myip=unset; hisip=unset;
000 "lmu"[1]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "lmu"[1]: policy:
PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32;
interface: eth0;
000 "lmu"[1]: newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "lmu"[1]: IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #2: "lmu"[1] 198.228.211.206:51400 STATE_QUICK_R0 (expecting QI1);
EVENT_CRYPTO_FAILED in 255s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #1: "lmu"[1] 198.228.211.206:51400 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 3285s; newest ISAKMP; lastdpd=-1s(seq in:0
out:0); idle; import:not set
000
On Thursday, October 24, 2013 7:57 AM, Pruss Brian-ABP035 <brian.pruss at motorolasolutions.com> wrote:
The Fedora packages won't work on RHEL or CentOS, but EPEL packages will: http://pkgs.org/download/strongswan .
-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org]
Sent: Thursday, October 24, 2013 2:14 AM
To: Farid Farid
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] question about how to connect from a mobile station
Hi,
> IKE_SA 1[1] established between
> 10.227.110.112[lmu55]...216.177.93.234[lmudiag]
> generating QUICK_MODE request 1438687057 [ HASH SA No ] sending
> packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)
> sending retransmit 1 of request message ID 1438687057, seq 4 sending
> packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)
The responder does not answer the Quick Mode request. Most likely it considers it not acceptable. Have a look at the responder log to see what is wrong.
> The other end run Openswan on a Centos 5.8 machine. Is there any
> strongswan package available for Centos?
Not any that I'm aware of. But maybe the Fedora packages [1] work?
Regards
Martin
[1]https://apps.fedoraproject.org/packages/strongswan
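A log-triage helper added here as an example (it is not from this thread, strongSwan or Openswan): it reads charon transcripts like the IKEv2 run above and the IKEv1 run Martin quoted, and reports which stage failed, separating the TS_UNACCEPTABLE rejection from the silent-responder case. The sample transcripts are constructed from lines quoted in this thread; the function names are my own.

```python
import re
# Constructed sample transcripts, modelled on the charon output quoted in this thread.
IKEV2_SAMPLE = """\
initiating IKE_SA 1[1] to 216.177.93.234
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
IKE_SA 1[1] established between 10.98.148.242[lmu55]...216.177.93.234[lmudiag]
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
"""
IKEV1_SAMPLE = """\
IKE_SA 1[1] established between 10.227.110.112[lmu55]...216.177.93.234[lmudiag]
generating QUICK_MODE request 1438687057 [ HASH SA No ]
sending retransmit 1 of request message ID 1438687057, seq 4
sending retransmit 2 of request message ID 1438687057, seq 4
"""
# Exchange names identify the IKE version; the rest mark SA stages, notifies and retries.
PATTERNS = {
    "ikev2": re.compile(r"IKE_SA_INIT request"),
    "ikev1": re.compile(r"(ID_PROT|AGGRESSIVE|QUICK_MODE) request"),
    "ike_up": re.compile(r"IKE_SA \S+ established between"),
    "child_up": re.compile(r"CHILD_SA \S+ established"),
    "notify": re.compile(r"received (\w+) notify"),
    "retransmit": re.compile(r"sending retransmit (\d+) of request"),
}
def summarize(log):
    """Reduce a charon transcript to the facts that decide which stage failed."""
    s = {"version": None, "ike_up": False, "child_up": False, "notifies": [], "retransmits": 0}
    for line in log.splitlines():
        if PATTERNS["ikev2"].search(line):
            s["version"] = "IKEv2"
        elif PATTERNS["ikev1"].search(line):
            s["version"] = "IKEv1"
        s["ike_up"] |= bool(PATTERNS["ike_up"].search(line))
        s["child_up"] |= bool(PATTERNS["child_up"].search(line))
        if m := PATTERNS["notify"].search(line):
            s["notifies"].append(m.group(1))
        if m := PATTERNS["retransmit"].search(line):
            s["retransmits"] = max(s["retransmits"], int(m.group(1)))
    return s

def diagnose(s):
    """Name the failed stage and where to look next (IKE_SA first, then CHILD_SA)."""
    if not s["ike_up"]:
        return "IKE_SA not established: check IKE proposal, IDs and PSK on both peers"
    if s["child_up"]:
        return "tunnel established"
    if "TS_UNACCEPTABLE" in s["notifies"]:
        return "responder rejected the traffic selectors (TS_UNACCEPTABLE): compare leftsubnet/rightsubnet"
    if s["retransmits"]:
        return f"responder silent after {s['retransmits']} retransmit(s): inspect the responder log"
    return "CHILD_SA not established: inspect the responder log"
```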