[strongSwan] Problem getting tunnel up

Noel Kuntze noel at familie-kuntze.de
Tue Mar 4 15:01:32 CET 2014


Hello Otto,

Did you try to talk to the ASA on port 500 instead of port 4500 already?

Regards

Noel Kuntze

Am 04.03.2014 14:26, schrieb Otto Bretz:
> Hello,
>
> I’m having problems getting a tunnel going to a client with a Cisco router. This is my first time using strongSwan so I’m probably missing something obvious. I’m running debian wheezy on google compute engine. I’ve verified that I can talk to another machine on the net with UDP on port 500. The people running the Cisco router say that they see no connection attempt from my external ip (192.158.A.B).
>
> Any help is much appreciated.
>
> cheers,
> Otto
>
> ipsec.conf:
> config setup
>   charonstart=no
>   plutostart=yes
>   plutodebug=control
>   plutostderrlog=/var/log/pluto.log
>
> conn myconn
>   authby=psk
>   auto=add
>   dpdaction=hold
>   esp=aes192-sha1!
>   forceencaps=yes
>   ike=aes256-sha1-modp1024!
>   keyexchange=ikev1
>   mobike=no
>   type=tunnel
>   pfs=yes
>   pfsgroup=modp1024
>   left=192.158.A.B
>   leftid=192.158.A.B
>   leftsubnet=10.240.0.0/16
>   leftauth=psk
>   leftikeport=4500
>   right=194.17.X.Y
>   rightsubnet=192.168.1.0/24
>   rightauth=psk
>   rightikeport=4500
>
> ipsec.secrets:
> 192.158.A.B 194.17.X.Y : PSK "mekmitasdigoat"
>
> ipsec statusall:
> 000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth0/eth0 10.240.12.197:500
> 000 interface eth0:0/eth0:0 192.158.A.B:500
> 000 %myid = '%any'
> 000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
> 000 debug options: control
> 000
> 000 "myconn": 10.240.0.0/16===192.158.A.B[192.158.A.B]...194.17.X.Y[194.17.X.Y]===192.168.1.0/24; unrouted; eroute owner: #0
> 000 "myconn":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
> 000 "myconn":   dpd_action: hold; dpd_delay: 30s; dpd_timeout: 150s;
> 000 "myconn":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 16,24; interface: eth0:0;
> 000 "myconn":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
>
> pluto.log:
> Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID
> listening on interfaces:
>   eth0
>     10.240.12.197
>     192.158.A.B
> loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
> | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
>   including NAT-Traversal patch (Version 0.6c) [disabled]
> | pkcs11 module '/usr/lib/opensc-pkcs11.so' loading...
> failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
> loading ca certificates from '/etc/ipsec.d/cacerts'
> loading aa certificates from '/etc/ipsec.d/aacerts'
> loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
> Changing to directory '/etc/ipsec.d/crls'
> loading attribute certificates from '/etc/ipsec.d/acerts'
> spawning 4 worker threads
> | inserting event EVENT_LOG_DAILY, timeout in 48567 seconds
> | next event EVENT_REINIT_SECRET in 3600 seconds
> |
> | *received whack message
> listening for IKE messages
> | found lo with address 127.0.0.1
> | found eth0 with address 10.240.12.197
> | found eth0:0 with address 192.158.A.B
> adding interface eth0:0/eth0:0 192.158.A.B:500
> adding interface eth0/eth0 10.240.12.197:500
> adding interface lo/lo 127.0.0.1:500
> loading secrets from "/etc/ipsec.secrets"
>   loaded PSK secret for 192.158.A.B 194.17.X.Y
> | next event EVENT_REINIT_SECRET in 3600 seconds
> |
> | *received whack message
> | from whack: got --esp=aes192-sha1!;modp1024
> | esp proposal: AES_CBC_192/HMAC_SHA1, ; pfsgroup=MODP_1024; strict
> | from whack: got --ike=aes256-sha1-modp1024!
> | ike proposal: AES_CBC_256/HMAC_SHA1/MODP_1024, strict
> added connection description "myconn"
> | 10.240.0.0/16===192.158.A.B[192.158.A.B]...194.17.X.Y[194.17.X.Y]===192.168.1.0/24
> | ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3; policy: PSK+ENCRYPT+TUNNEL+PFS
> | next event EVENT_REINIT_SECRET in 3600 seconds
> |
> | *received whack message
> | creating state object #1 at 0x7f9db83236a0
> | ICOOKIE:  25 17 5f 2b  9c c3 ee da
> | RCOOKIE:  00 00 00 00  00 00 00 00
> | peer:  c2 11 27 72
> | state hash entry 25
> | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
> | Queuing pending Quick Mode with 194.17.X.Y "myconn"
> "myconn" #1: initiating Main Mode
> | ike proposal: AES_CBC_256/HMAC_SHA1/MODP_1024, strict
> | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
> | next event EVENT_RETRANSMIT in 10 seconds for #1
> |
> | *time to handle event
> | event after this is EVENT_REINIT_SECRET in 3572 seconds
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #1
> | inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #1
> | next event EVENT_RETRANSMIT in 20 seconds for #1
> |
> | *time to handle event
> | event after this is EVENT_REINIT_SECRET in 3552 seconds
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #1
> | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #1
> | next event EVENT_RETRANSMIT in 40 seconds for #1
> |
> | *time to handle event
> | event after this is EVENT_REINIT_SECRET in 3512 seconds
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #1
> "myconn" #1: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
> "myconn" #1: starting keying attempt 2 of at most 3, but releasing whack
> | creating state object #2 at 0x7f9db8324760
> | ICOOKIE:  a2 ea 87 15  7c 25 01 21
> | RCOOKIE:  00 00 00 00  00 00 00 00
> | peer:  c2 11 27 72
> | state hash entry 7
> | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #2
> "myconn" #2: initiating Main Mode to replace #1
> | ike proposal: AES_CBC_256/HMAC_SHA1/MODP_1024, strict
> | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
> | ICOOKIE:  25 17 5f 2b  9c c3 ee da
> | RCOOKIE:  00 00 00 00  00 00 00 00
> | peer:  c2 11 27 72
> | state hash entry 25
> | next event EVENT_RETRANSMIT in 10 seconds for #2
> |
> | *time to handle event
> | event after this is EVENT_REINIT_SECRET in 3502 seconds
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #2
> | inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #2
> | next event EVENT_RETRANSMIT in 20 seconds for #2
> |
> | *time to handle event
> | event after this is EVENT_REINIT_SECRET in 3482 seconds
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #2
> | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #2
> | next event EVENT_RETRANSMIT in 40 seconds for #2
> |
> | *time to handle event
> | event after this is EVENT_REINIT_SECRET in 3442 seconds
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #2
> "myconn" #2: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
> "myconn" #2: starting keying attempt 3 of at most 3
> | creating state object #3 at 0x7f9db83236a0
> | ICOOKIE:  df 88 f6 30  a3 f5 72 1a
> | RCOOKIE:  00 00 00 00  00 00 00 00
> | peer:  c2 11 27 72
> | state hash entry 5
> | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #3
> "myconn" #3: initiating Main Mode to replace #2
> | ike proposal: AES_CBC_256/HMAC_SHA1/MODP_1024, strict
> | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #3
> | ICOOKIE:  a2 ea 87 15  7c 25 01 21
> | RCOOKIE:  00 00 00 00  00 00 00 00
> | peer:  c2 11 27 72
> | state hash entry 7
> | next event EVENT_RETRANSMIT in 10 seconds for #3
> |
> | *time to handle event
> | event after this is EVENT_REINIT_SECRET in 3432 seconds
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #3
> | inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #3
> | next event EVENT_RETRANSMIT in 20 seconds for #3
> |
> | *time to handle event
> | event after this is EVENT_REINIT_SECRET in 3412 seconds
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #3
> | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #3
> | next event EVENT_RETRANSMIT in 40 seconds for #3
> |
> | *time to handle event
> | event after this is EVENT_REINIT_SECRET in 3372 seconds
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #3
> "myconn" #3: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
> | ICOOKIE:  df 88 f6 30  a3 f5 72 1a
> | RCOOKIE:  00 00 00 00  00 00 00 00
> | peer:  c2 11 27 72
> | state hash entry 5
> | next event EVENT_REINIT_SECRET in 3372 seconds
> |
> | *time to handle event
> | event after this is EVENT_LOG_DAILY in 44967 seconds
> | event EVENT_REINIT_SECRET handled
> | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
> | next event EVENT_REINIT_SECRET in 3600 seconds
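A small diagnostic, added here and not part of either post, that checks the quoted ipsec.conf against the quoted pluto.log for the mismatch this reply points at: the conn asks for IKE on UDP 4500 while pluto only bound UDP 500 and its NAT-Traversal support is disabled. The inputs are constructed excerpts of the thread's config and log; parse_conn, bound_ports and diagnose are hypothetical helper names, not strongSwan tooling.

```python
import re

# Constructed excerpts of the ipsec.conf and pluto.log quoted in the thread
# (addresses anonymised exactly as in the original post).
IPSEC_CONF = """\
config setup
  plutostart=yes
conn myconn
  forceencaps=yes
  leftikeport=4500
  right=194.17.X.Y
  rightikeport=4500
"""
PLUTO_LOG = """\
  including NAT-Traversal patch (Version 0.6c) [disabled]
adding interface eth0:0/eth0:0 192.158.A.B:500
adding interface lo/lo 127.0.0.1:500
"myconn" #1: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
"""

def parse_conn(conf, name):
    """Collect key=value settings of one conn section (tiny subset of ipsec.conf syntax)."""
    settings, current = {}, None
    for line in conf.splitlines():
        m = re.match(r"^(conn|config)\s+(\S+)", line)
        if m:
            current = m.group(2)
            continue
        if current == name and "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def bound_ports(log):
    """UDP ports pluto actually bound, taken from its 'adding interface' lines."""
    return {int(p) for p in re.findall(r"^adding interface \S+ \S+:(\d+)$", log, re.M)}

def diagnose(conf, log, name="myconn"):
    """Return short finding codes for mismatches between the conn and the daemon's log."""
    conn, ports, findings = parse_conn(conf, name), bound_ports(log), []
    if int(conn.get("leftikeport", 500)) not in ports:
        findings.append("left-port-not-bound")      # we would send from a port we never opened
    if int(conn.get("rightikeport", 500)) != 500:
        findings.append("right-port-nonstandard")   # Main Mode message 1 is expected on UDP 500
    if conn.get("forceencaps") == "yes" and re.search(r"NAT-Traversal patch .*\[disabled\]", log):
        findings.append("forceencaps-without-natt") # UDP encapsulation requested but unavailable
    if "No response (or no acceptable response)" in log:
        findings.append("no-response")              # peer never answered; check reachability first
    return findings
```

Running diagnose on the quoted config and log reports all four findings; with both ikeport settings at 500 and forceencaps removed, only the "no-response" symptom remains to investigate.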
