[strongSwan] Problem getting tunnel up
Otto Bretz
otto.bretz at gmail.com
Tue Mar 4 14:26:31 CET 2014
Hello,
I'm having problems getting a tunnel going to a client with a Cisco router. This is my first time using strongSwan, so I'm probably missing something obvious. I'm running Debian Wheezy on Google Compute Engine. I've verified that I can talk to another machine on the net with UDP on port 500. The people running the Cisco router say that they see no connection attempt from my external IP (192.158.A.B).
Any help is much appreciated.
cheers,
Otto
ipsec.conf:
config setup
    charonstart=no
    plutostart=yes
    plutodebug=control
    plutostderrlog=/var/log/pluto.log

conn myconn
    authby=psk
    auto=add
    dpdaction=hold
    esp=aes192-sha1!
    forceencaps=yes
    ike=aes256-sha1-modp1024!
    keyexchange=ikev1
    mobike=no
    type=tunnel
    pfs=yes
    pfsgroup=modp1024
    left=192.158.A.B
    leftid=192.158.A.B
    leftsubnet=10.240.0.0/16
    leftauth=psk
    leftikeport=4500
    right=194.17.X.Y
    rightsubnet=192.168.1.0/24
    rightauth=psk
    rightikeport=4500
ipsec.secrets:
192.158.A.B 194.17.X.Y : PSK "mekmitasdigoat"
ipsec statusall:
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.240.12.197:500
000 interface eth0:0/eth0:0 192.158.A.B:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: control
000
000 "myconn": 10.240.0.0/16===192.158.A.B[192.158.A.B]...194.17.X.Y[194.17.X.Y]===192.168.1.0/24; unrouted; eroute owner: #0
000 "myconn": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "myconn": dpd_action: hold; dpd_delay: 30s; dpd_timeout: 150s;
000 "myconn": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 16,24; interface: eth0:0;
000 "myconn": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
pluto.log:
Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID
listening on interfaces:
eth0
10.240.12.197
192.158.A.B
loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
| inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
including NAT-Traversal patch (Version 0.6c) [disabled]
| pkcs11 module '/usr/lib/opensc-pkcs11.so' loading...
failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
loading ca certificates from '/etc/ipsec.d/cacerts'
loading aa certificates from '/etc/ipsec.d/aacerts'
loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
loading attribute certificates from '/etc/ipsec.d/acerts'
spawning 4 worker threads
| inserting event EVENT_LOG_DAILY, timeout in 48567 seconds
| next event EVENT_REINIT_SECRET in 3600 seconds
|
| *received whack message
listening for IKE messages
| found lo with address 127.0.0.1
| found eth0 with address 10.240.12.197
| found eth0:0 with address 192.158.A.B
adding interface eth0:0/eth0:0 192.158.A.B:500
adding interface eth0/eth0 10.240.12.197:500
adding interface lo/lo 127.0.0.1:500
loading secrets from "/etc/ipsec.secrets"
loaded PSK secret for 192.158.A.B 194.17.X.Y
| next event EVENT_REINIT_SECRET in 3600 seconds
|
| *received whack message
| from whack: got --esp=aes192-sha1!;modp1024
| esp proposal: AES_CBC_192/HMAC_SHA1, ; pfsgroup=MODP_1024; strict
| from whack: got --ike=aes256-sha1-modp1024!
| ike proposal: AES_CBC_256/HMAC_SHA1/MODP_1024, strict
added connection description "myconn"
| 10.240.0.0/16===192.158.A.B[192.158.A.B]...194.17.X.Y[194.17.X.Y]===192.168.1.0/24
| ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3; policy: PSK+ENCRYPT+TUNNEL+PFS
| next event EVENT_REINIT_SECRET in 3600 seconds
|
| *received whack message
| creating state object #1 at 0x7f9db83236a0
| ICOOKIE: 25 17 5f 2b 9c c3 ee da
| RCOOKIE: 00 00 00 00 00 00 00 00
| peer: c2 11 27 72
| state hash entry 25
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
| Queuing pending Quick Mode with 194.17.X.Y "myconn"
"myconn" #1: initiating Main Mode
| ike proposal: AES_CBC_256/HMAC_SHA1/MODP_1024, strict
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
| next event EVENT_RETRANSMIT in 10 seconds for #1
|
| *time to handle event
| event after this is EVENT_REINIT_SECRET in 3572 seconds
| handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #1
| inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #1
| next event EVENT_RETRANSMIT in 20 seconds for #1
|
| *time to handle event
| event after this is EVENT_REINIT_SECRET in 3552 seconds
| handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #1
| inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #1
| next event EVENT_RETRANSMIT in 40 seconds for #1
|
| *time to handle event
| event after this is EVENT_REINIT_SECRET in 3512 seconds
| handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #1
"myconn" #1: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
"myconn" #1: starting keying attempt 2 of at most 3, but releasing whack
| creating state object #2 at 0x7f9db8324760
| ICOOKIE: a2 ea 87 15 7c 25 01 21
| RCOOKIE: 00 00 00 00 00 00 00 00
| peer: c2 11 27 72
| state hash entry 7
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #2
"myconn" #2: initiating Main Mode to replace #1
| ike proposal: AES_CBC_256/HMAC_SHA1/MODP_1024, strict
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
| ICOOKIE: 25 17 5f 2b 9c c3 ee da
| RCOOKIE: 00 00 00 00 00 00 00 00
| peer: c2 11 27 72
| state hash entry 25
| next event EVENT_RETRANSMIT in 10 seconds for #2
|
| *time to handle event
| event after this is EVENT_REINIT_SECRET in 3502 seconds
| handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #2
| inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #2
| next event EVENT_RETRANSMIT in 20 seconds for #2
|
| *time to handle event
| event after this is EVENT_REINIT_SECRET in 3482 seconds
| handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #2
| inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #2
| next event EVENT_RETRANSMIT in 40 seconds for #2
|
| *time to handle event
| event after this is EVENT_REINIT_SECRET in 3442 seconds
| handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #2
"myconn" #2: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
"myconn" #2: starting keying attempt 3 of at most 3
| creating state object #3 at 0x7f9db83236a0
| ICOOKIE: df 88 f6 30 a3 f5 72 1a
| RCOOKIE: 00 00 00 00 00 00 00 00
| peer: c2 11 27 72
| state hash entry 5
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #3
"myconn" #3: initiating Main Mode to replace #2
| ike proposal: AES_CBC_256/HMAC_SHA1/MODP_1024, strict
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #3
| ICOOKIE: a2 ea 87 15 7c 25 01 21
| RCOOKIE: 00 00 00 00 00 00 00 00
| peer: c2 11 27 72
| state hash entry 7
| next event EVENT_RETRANSMIT in 10 seconds for #3
|
| *time to handle event
| event after this is EVENT_REINIT_SECRET in 3432 seconds
| handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #3
| inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #3
| next event EVENT_RETRANSMIT in 20 seconds for #3
|
| *time to handle event
| event after this is EVENT_REINIT_SECRET in 3412 seconds
| handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #3
| inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #3
| next event EVENT_RETRANSMIT in 40 seconds for #3
|
| *time to handle event
| event after this is EVENT_REINIT_SECRET in 3372 seconds
| handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #3
"myconn" #3: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
| ICOOKIE: df 88 f6 30 a3 f5 72 1a
| RCOOKIE: 00 00 00 00 00 00 00 00
| peer: c2 11 27 72
| state hash entry 5
| next event EVENT_REINIT_SECRET in 3372 seconds
|
| *time to handle event
| event after this is EVENT_LOG_DAILY in 44967 seconds
| event EVENT_REINIT_SECRET handled
| inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
| next event EVENT_REINIT_SECRET in 3600 seconds
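An added diagnostic for the case above (editor's example, not code from the original post or from the strongSwan project). It reads an ipsec.conf fragment and a pluto.log excerpt, both constructed here from the post with the same placeholder addresses, and reports three things the log and config already show: conn options that the IKEv1 daemon pluto does not implement in strongSwan 4.x (leftikeport, rightikeport and mobike are documented as IKEv2/charon-only in that release's ipsec.conf(5)), forceencaps=yes without nat_traversal=yes in config setup (pluto logs "NAT-Traversal patch ... [disabled]" and listens on UDP 500 only), and the retransmit history per IKE state, where giving up in STATE_MAIN_I1 means Main Mode message 1 went out and nothing ever came back. The regexes are written against the 4.5.2 pluto log lines quoted in the post and are an assumption for other releases.

```python
"""Offline diagnostic for a strongSwan 4.x pluto (IKEv1) tunnel that never comes up.

Added example, not from the original post or from strongSwan. Sample inputs
are constructed from the post (placeholder addresses kept).
"""
import re
from collections import defaultdict

# conn options only the IKEv2 daemon charon implements in strongSwan 4.x
# (ipsec.conf(5) of that release); pluto silently ignores them.
CHARON_ONLY = {"leftikeport", "rightikeport", "mobike"}

RE_IFACE   = re.compile(r"adding interface \S+ (\S+):(\d+)")
RE_NATT    = re.compile(r"NAT-Traversal patch .*\[(enabled|disabled)\]")
RE_RETRANS = re.compile(r'handling event EVENT_RETRANSMIT for (\S+) "[^"]+" #(\d+)')
RE_GAVEUP  = re.compile(r'"[^"]+" #(\d+): max number of retransmissions \(\d+\) reached (\w+)')
RE_RCOOKIE = re.compile(r"RCOOKIE: ((?:[0-9a-f]{2} ?){8})")


def parse_ipsec_conf(text):
    """Map 'config setup' / 'conn <name>' sections to {key: value} dicts."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        if line.startswith(("config ", "conn ")):    # section header
            current = line
            sections[current] = {}
        elif current and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[current][key] = val
    return sections


def analyse_pluto_log(text):
    """Summarise listening ports, NAT-T status and per-state retransmit history."""
    out = {"ports": set(), "natt": None, "retransmits": defaultdict(int),
           "gave_up_in": {}, "peer": None, "peer_replied": False}
    for line in text.splitlines():
        if m := RE_IFACE.search(line):
            out["ports"].add(int(m.group(2)))
        elif m := RE_NATT.search(line):
            out["natt"] = m.group(1)
        elif m := RE_RETRANS.search(line):
            out["peer"] = m.group(1)
            out["retransmits"][int(m.group(2))] += 1
        elif m := RE_GAVEUP.search(line):
            out["gave_up_in"][int(m.group(1))] = m.group(2)
        elif m := RE_RCOOKIE.search(line):
            # a non-zero responder cookie means the peer answered at least once
            if m.group(1).replace(" ", "").strip("0"):
                out["peer_replied"] = True
    out["ports"] = sorted(out["ports"])
    out["retransmits"] = dict(out["retransmits"])
    return out


def diagnose(conf_text, log_text, conn="conn myconn"):
    """Return a list of findings explaining why the IKE exchange never starts."""
    sections = parse_ipsec_conf(conf_text)
    setup, c = sections.get("config setup", {}), sections.get(conn, {})
    log = analyse_pluto_log(log_text)
    findings = []
    for opt in sorted(CHARON_ONLY.intersection(c)):
        findings.append(f"{opt}={c[opt]} is a charon/IKEv2 option; pluto ignores it")
    if c.get("forceencaps") == "yes" and setup.get("nat_traversal") != "yes":
        findings.append("forceencaps=yes but config setup lacks nat_traversal=yes; "
                        f"pluto reports NAT-T {log['natt']}")
    if log["ports"] and 4500 not in log["ports"]:
        findings.append(f"pluto listens only on UDP {log['ports']}; IKE leaves on port 500")
    if set(log["gave_up_in"].values()) == {"STATE_MAIN_I1"} and not log["peer_replied"]:
        findings.append(f"no reply from {log['peer']} to Main Mode message 1 in "
                        f"{len(log['gave_up_in'])} keying attempts: capture UDP/500 on "
                        "the sender and check the cloud and peer firewalls before touching crypto")
    return findings


# Constructed from the post, with ipsec.conf indentation restored.
SAMPLE_CONF = """\
config setup
    charonstart=no
    plutostart=yes
conn myconn
    keyexchange=ikev1
    forceencaps=yes
    mobike=no
    leftikeport=4500
    rightikeport=4500
    left=192.158.A.B
    right=194.17.X.Y
"""

SAMPLE_LOG = """\
including NAT-Traversal patch (Version 0.6c) [disabled]
adding interface eth0:0/eth0:0 192.158.A.B:500
adding interface eth0/eth0 10.240.12.197:500
"myconn" #1: initiating Main Mode
| RCOOKIE: 00 00 00 00 00 00 00 00
| handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #1
| handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #1
| handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #1
"myconn" #1: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
"myconn" #2: initiating Main Mode to replace #1
| handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #2
| handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #2
| handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #2
"myconn" #2: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CONF, SAMPLE_LOG):
        print("-", finding)
```

The point of the RCOOKIE check is to separate "our packets never got there" from "the peer answered but rejected the proposal": with every responder cookie still all zeros, no crypto setting on either side has been consulted yet, so a packet capture on the sender (and the GCE firewall rules for UDP 500/4500 toward the peer) is the next step, not the ike= and esp= lines.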