[strongSwan] Problem with running Strongswan on a consumer router: Asus RT-N16

Lawrence Chiu Lawrence_Chiu_TX3 at yahoo.com
Fri Sep 27 17:37:58 CEST 2013


I am trying to run Strongswan on a consumer router, an Asus RT-N16. 
There aren't a lot of people who have done this and there isn't a lot of 
documentation to go on.  In any case, I have successfully compiled the 
Asus kernel to support IPsec and installed Strongswan.

I am using the example Win7 config on the Wiki:
http://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig

ipsec.conf: The only change I made was "leftid=@vpn.strongswan.org" in 
the example to "leftid=@MYHOSTNAME.dyndns.org".
ipsec.secrets: Using same file as example with the 'carol' and 'dave' 
test accounts.
strongswan.conf: Changed to my own DNS/NBNS servers but otherwise 
identical to the example.

     $ diff strongswan.conf strongswan.conf.win7.orig
     <   dns1 = 192.168.0.3
     <   nbns1 = 192.168.0.3
     ---
     >   dns1 = 62.2.17.60
     >   dns2 = 62.2.24.162
     >   nbns1 = 10.10.1.1
     >   nbns2 = 10.10.0.1

The client is a Windows 7 PC.

The syslog shows (starting with connection attempt):

Sep 27 10:26:02 RT-N16 syslog: 15[NET] received packet: from 70.139.113.210[500] to 50.162.106.134[500] (528 bytes)
Sep 27 10:26:02 RT-N16 syslog: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 27 10:26:02 RT-N16 syslog: 15[IKE] 70.139.113.210 is initiating an IKE_SA
Sep 27 10:26:02 RT-N16 syslog: 15[IKE] 70.139.113.210 is initiating an IKE_SA
Sep 27 10:26:02 RT-N16 syslog: 15[IKE] remote host is behind NAT
Sep 27 10:26:02 RT-N16 syslog: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Sep 27 10:26:02 RT-N16 syslog: 15[NET] sending packet: from 50.162.106.134[500] to 70.139.113.210[500] (312 bytes)
Sep 27 10:26:02 RT-N16 syslog: 16[NET] received packet: from 70.139.113.210[4500] to 50.162.106.134[4500] (892 bytes)
Sep 27 10:26:02 RT-N16 syslog: 16[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV) SA TSi TSr ]
Sep 27 10:26:02 RT-N16 syslog: 16[IKE] received cert request for "C=CH, O=strongSwan, CN=pkiCA"
Sep 27 10:26:02 RT-N16 syslog: 16[IKE] received 31 cert requests for an unknown ca
Sep 27 10:26:02 RT-N16 syslog: 16[CFG] looking for peer configs matching 50.162.106.134[%any]...70.139.113.210[192.168.1.183]
Sep 27 10:26:02 RT-N16 syslog: 16[CFG] selected peer config 'win7'
Sep 27 10:26:02 RT-N16 syslog: 16[IKE] initiating EAP_IDENTITY method (id 0x00)
Sep 27 10:26:02 RT-N16 syslog: 16[IKE] peer supports MOBIKE
Sep 27 10:26:03 RT-N16 syslog: 16[IKE] authentication of 'MYHOSTNAME.dyndns.org' (myself) with RSA signature successful
Sep 27 10:26:03 RT-N16 syslog: 16[IKE] sending end entity cert "C=CH, O=strongSwan, CN=MYHOSTNAME.dyndns.org"
Sep 27 10:26:03 RT-N16 syslog: 16[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sep 27 10:26:03 RT-N16 syslog: 16[NET] sending packet: from 50.162.106.134[4500] to 70.139.113.210[4500] (1212 bytes)
Sep 27 10:26:03 RT-N16 syslog: 14[NET] received packet: from 70.139.113.210[4500] to 50.162.106.134[4500] (92 bytes)
Sep 27 10:26:03 RT-N16 syslog: 14[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Sep 27 10:26:03 RT-N16 syslog: 14[IKE] received EAP identity 'dave'
Sep 27 10:26:03 RT-N16 syslog: 14[IKE] initiating EAP_MSCHAPV2 method (id 0xDB)
Sep 27 10:26:03 RT-N16 syslog: 14[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Sep 27 10:26:03 RT-N16 syslog: 14[NET] sending packet: from 50.162.106.134[4500] to 70.139.113.210[4500] (108 bytes)
Sep 27 10:26:03 RT-N16 syslog: 13[NET] received packet: from 70.139.113.210[4500] to 50.162.106.134[4500] (140 bytes)
Sep 27 10:26:03 RT-N16 syslog: 13[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Sep 27 10:26:03 RT-N16 syslog: 13[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Sep 27 10:26:03 RT-N16 syslog: 13[NET] sending packet: from 50.162.106.134[4500] to 70.139.113.210[4500] (140 bytes)
Sep 27 10:26:03 RT-N16 syslog: 15[NET] received packet: from 70.139.113.210[4500] to 50.162.106.134[4500] (76 bytes)
Sep 27 10:26:03 RT-N16 syslog: 15[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Sep 27 10:26:03 RT-N16 syslog: 15[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Sep 27 10:26:03 RT-N16 syslog: 15[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Sep 27 10:26:03 RT-N16 syslog: 15[NET] sending packet: from 50.162.106.134[4500] to 70.139.113.210[4500] (76 bytes)
Sep 27 10:26:03 RT-N16 syslog: 16[NET] received packet: from 70.139.113.210[4500] to 50.162.106.134[4500] (92 bytes)
Sep 27 10:26:03 RT-N16 syslog: 16[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Sep 27 10:26:03 RT-N16 syslog: 16[IKE] authentication of '192.168.1.183' with EAP successful
Sep 27 10:26:03 RT-N16 syslog: 16[IKE] authentication of 'MYHOSTNAME.dyndns.org' (myself) with EAP
Sep 27 10:26:03 RT-N16 syslog: 16[IKE] IKE_SA win7[1] established between 50.162.106.134[MYHOSTNAME.dyndns.org]...70.139.113.210[192.168.1.183]
Sep 27 10:26:03 RT-N16 syslog: 16[IKE] IKE_SA win7[1] established between 50.162.106.134[MYHOSTNAME.dyndns.org]...70.139.113.210[192.168.1.183]
Sep 27 10:26:03 RT-N16 syslog: 16[IKE] peer requested virtual IP %any
Sep 27 10:26:03 RT-N16 syslog: 16[CFG] assigning new lease to 'dave'
Sep 27 10:26:03 RT-N16 syslog: 16[IKE] assigning virtual IP 10.10.3.1 to peer 'dave'
Sep 27 10:26:03 RT-N16 syslog: 16[KNL] unable to add SAD entry with SPI ce0f9914: Function not implemented (89)
Sep 27 10:26:03 RT-N16 syslog: 16[KNL] unable to add SAD entry with SPI 146ce921: Function not implemented (89)
Sep 27 10:26:03 RT-N16 syslog: 16[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Sep 27 10:26:03 RT-N16 syslog: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Sep 27 10:26:03 RT-N16 syslog: 16[KNL] unable to delete SAD entry with SPI 146ce921: No such process (3)
Sep 27 10:26:03 RT-N16 syslog: 16[ENC] generating IKE_AUTH response 5 [ AUTH CP(ADDR DNS NBNS) N(MOBIKE_SUP) N(ADD_4_ADDR) N(NO_PROP) ]
Sep 27 10:26:03 RT-N16 syslog: 16[NET] sending packet: from 50.162.106.134[4500] to 70.139.113.210[4500] (156 bytes)
Sep 27 10:26:03 RT-N16 syslog: 14[NET] received packet: from 70.139.113.210[4500] to 50.162.106.134[4500] (76 bytes)
Sep 27 10:26:03 RT-N16 syslog: 14[ENC] parsed INFORMATIONAL request 6 [ D ]
Sep 27 10:26:03 RT-N16 syslog: 14[IKE] received DELETE for IKE_SA win7[1]
Sep 27 10:26:03 RT-N16 syslog: 14[IKE] deleting IKE_SA win7[1] between 50.162.106.134[MYHOSTNAME.dyndns.org]...70.139.113.210[192.168.1.183]
Sep 27 10:26:03 RT-N16 syslog: 14[IKE] deleting IKE_SA win7[1] between 50.162.106.134[MYHOSTNAME.dyndns.org]...70.139.113.210[192.168.1.183]
Sep 27 10:26:03 RT-N16 syslog: 14[IKE] IKE_SA deleted
Sep 27 10:26:03 RT-N16 syslog: 14[IKE] IKE_SA deleted
Sep 27 10:26:03 RT-N16 syslog: 14[ENC] generating INFORMATIONAL response 6 [ ]
Sep 27 10:26:03 RT-N16 syslog: 14[NET] sending packet: from 50.162.106.134[4500] to 70.139.113.210[4500] (76 bytes)
Sep 27 10:26:03 RT-N16 syslog: 14[CFG] lease 10.10.3.1 by 'dave' went offline

Thank you for any assistance!
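A triage helper added here as an example (not part of the original post and not strongSwan code): it walks constructed charon log lines modelled on the syslog above and reports at which layer the connection failed, separating a successful IKE_SA/EAP exchange from the kernel refusing to install the SAD entries. The mapping from the kernel's error text to a likely cause is the example's own interpretation of the Linux xfrm return codes, not anything strongSwan prints.

```python
import re

# Constructed sample: a subset of the thread's syslog output (same wording).
SAMPLE_LOG = """\
Sep 27 10:26:03 RT-N16 syslog: 16[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Sep 27 10:26:03 RT-N16 syslog: 16[IKE] authentication of '192.168.1.183' with EAP successful
Sep 27 10:26:03 RT-N16 syslog: 16[IKE] IKE_SA win7[1] established between 50.162.106.134[MYHOSTNAME.dyndns.org]...70.139.113.210[192.168.1.183]
Sep 27 10:26:03 RT-N16 syslog: 16[KNL] unable to add SAD entry with SPI ce0f9914: Function not implemented (89)
Sep 27 10:26:03 RT-N16 syslog: 16[KNL] unable to add SAD entry with SPI 146ce921: Function not implemented (89)
Sep 27 10:26:03 RT-N16 syslog: 16[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Sep 27 10:26:03 RT-N16 syslog: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Sep 27 10:26:03 RT-N16 syslog: 14[IKE] received DELETE for IKE_SA win7[1]
"""

# charon log line after the syslog prefix: "<thread>[<group>] <message>"
LINE_RE = re.compile(r'syslog: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$')
SAD_ERR_RE = re.compile(r'unable to add SAD entry with SPI (?P<spi>[0-9a-f]+): '
                        r'(?P<reason>.+?) \((?P<errno>\d+)\)')

# Kernel strerror text -> what to check next. This mapping is the example's own
# reading of Linux xfrm behaviour (ENOSYS for an unknown algorithm,
# EPROTONOSUPPORT for a missing ESP/AH handler), so treat it as a hint.
HINTS = {
    'Function not implemented': 'xfrm rejected the SA: the negotiated ESP cipher or '
        'integrity algorithm is most likely not built into the kernel (CONFIG_CRYPTO_*)',
    'Protocol not supported': 'no ESP/AH handler in the kernel (CONFIG_INET_ESP / CONFIG_INET_AH)',
}

def triage(log):
    """Walk charon log lines in order and report where the tunnel setup failed."""
    result = {'ike_sa_established': False, 'eap_ok': False, 'failed_spis': [], 'hints': []}
    for raw in log.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        group, msg = m['group'], m['msg']
        if group == 'IKE' and 'with EAP successful' in msg:
            result['eap_ok'] = True
        elif group == 'IKE' and msg.startswith('IKE_SA') and 'established' in msg:
            result['ike_sa_established'] = True
        elif group == 'KNL':
            e = SAD_ERR_RE.search(msg)
            if e:
                result['failed_spis'].append(e['spi'])
                hint = HINTS.get(e['reason'], 'unrecognised kernel error %s' % e['errno'])
                if hint not in result['hints']:
                    result['hints'].append(hint)
    if result['failed_spis']:          # IKE and EAP were fine; the kernel refused the CHILD_SA
        result['verdict'] = 'kernel_sa_install_failed'
    elif result['ike_sa_established']:
        result['verdict'] = 'ok'
    else:
        result['verdict'] = 'ike_failed'
    return result

if __name__ == '__main__':
    print(triage(SAMPLE_LOG))
```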
