[strongSwan] Questions for getting Strongswan up and running

Brian Watson bwats9999 at gmail.com
Wed May 7 20:42:59 CEST 2014


I got the log file problem resolved. I had to add the apparmor-utils package
and its dependencies, since I saw in /var/log/syslog that apparmor="DENIED"
was being logged when charon tried to write the log file, and I wanted to use
the aa-complain command to get around the error. I then ran "sudo aa-complain
/usr/lib/ipsec/charon". It could be that this wasn't necessary and that I
was just missing some packages.


On Wed, May 7, 2014 at 10:42 AM, Brian Watson <bwats9999 at gmail.com> wrote:

> Does anyone know why when I try to log to a log file either in /var/log or
> my home folder that I get permission denied? This is what I'm seeing in
> syslog. I'm running "sudo ipsec start" so I thought that it would have the
> correct permissions to write the log file.
>
> Thanks,
>    Brian
>
>
> ---------- Forwarded message ----------
> From: Brian Watson <bwats9999 at gmail.com>
> Date: Wed, May 7, 2014 at 8:20 AM
> Subject: Re: [strongSwan] Questions for getting Strongswan up and running
> To: Noel Kuntze <noel at familie-kuntze.de>
>
>
> I had been using openssl, but I'll install libgmp also.
>
>
> On Tue, May 6, 2014 at 5:41 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Did you install libgmp already? You need that for the DH exchange. As a
>> replacement, you could also use openssl, but you need to replace gmp with
>> openssl in the load statement.
>>
>> Am 07.05.2014 00:26, schrieb Brian Watson:
>> > If I do "sudo ipsec start" again it says that it's already running. I
>> then do "sudo ipsec up home" and that's when I get the NO_PROPOSAL_CHOSEN
>> error that I'm trying to debug. I'll be leaving soon, but will check for
>> syntax errors. Thanks for all your help! This is interesting.
>> >
>> >
>> > On Tue, May 6, 2014 at 5:13 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>> >
>> >
>> > Okay, that should be fairly recent. Check your strongswan.conf for
>> syntax errors. Does strongswan run after you started it or does it stop
>> itself?
>> >
>> > Am 07.05.2014 00:06, schrieb Brian Watson:
>> > > I do the following:
>> >
>> > > 1. sudo ipsec start (so yes it's running as root)
>> > > 2. It says the following:
>> > > !! Your strongswan.conf contains manual plugin load options for charon.
>> > > !! This is recommended for experts only, see
>> > > !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
>> > > 3. The log file doesn't get created.
>> > > 4. Version - U5.1.2/K3.13.0-24-generic
>> >
>> >
>> > > On Tue, May 6, 2014 at 4:50 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>> >
>> >
>> > > Okay, as what user is strongSwan running? Is it as root?
>> > > Does the file get created?
>> > > What does ipsec say when you start strongSwan?
>> > > What version of strongSwan are you using?
>> >
>> >
>> > > Am 06.05.2014 23:49, schrieb Brian Watson:
>> > > > Yes, I just checked and the extra curly brace is there even though
>> I didn't include it in the email. I also changed append=no to yes to see if
>> that would have an effect, but it didn't.
>> >
>> >
>> > > > On Tue, May 6, 2014 at 4:32 PM, Brian Watson <bwats9999 at gmail.com> wrote:
>> >
>> > > >     I've been trying to get the log file to work, but something
>> isn't quite right. I have the following info in my strongswan.conf file:
>> >
>> > > >     charon {
>> > > >         load = aes des sha1 sha2 md5 openssl random nonce hmac stroke kernel-netlink socket-default updown
>> > > >         send_vendor_id=yes
>> > > >         # two defined file loggers
>> > > >         filelog {
>> > > >             /var/log/charon.log {
>> > > >                 # add a timestamp prefix
>> > > >                 time_format = %b %e %T
>> > > >                 # prepend connection name, simplifies grepping
>> > > >                 ike_name = yes
>> > > >                 # overwrite existing files
>> > > >                 append = no
>> > > >                 # increase default loglevel for all daemon subsystems
>> > > >                 default = 2
>> > > >                 # flush each line to disk
>> > > >                 flush_line = yes
>> > > >             }
>> > > >             stderr {
>> > > >                 # more detailed loglevel for a specific subsystem, overriding the
>> > > >                 # default loglevel.
>> > > >                 ike = 2
>> > > >                 knl = 3
>> > > >             }
>> > > >         }
>> >
>> > > >     I'm also trying different variations like changing the name and
>> location of the log file and I also tried to use stdout, but nothing
>> happening. Any ideas?
>> >
>> > > >     Thanks,
>> > > >        Brian
>> >
>> >
>> > > >     On Tue, May 6, 2014 at 10:59 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>> >
>> >
>> > > > Hello Brian,
>> >
>> > > > The two peers couldn't negotiate a shared cipher-hmac-modp 3-tuple in phase one.
>> > > > I advise setting up logging to a file [1], looking for the cipher proposals the two peers send each other, and adjusting them with the "ike=" parameter in the connection section.
>> > > > Be advised that you cannot simply copy and paste the proposal into ipsec.conf. Look for the fitting description of the tuple in the example configurations [2].
>> > > > Also, read the manpage about the "ike" parameter.
>> >
>> > > > [1]
>> http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>> > > > [2] http://www.strongswan.org/uml/testresults/all.html
>> >
>> > > > Regards,
>> > > > Noel Kuntze
>> >
>> > > > Am 06.05.2014 17:47, schrieb Brian Watson:
>> > > > > Hi Noel,
>> > > > >  Thanks for the tip! I'm making progress and updated both
>> strongswan.conf files, but now I get the following error for which I'm
>> investigating:
>> >
>> > > > > initiating IKE_SA home[3] to 127.0.0.2
>> > > > > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>> N(NATD_D_IP) ]
>> > > > > sending packet: from 127.0.0.3[500] to 127.0.0.2[500] (892 bytes)
>> > > > > received packet: from 127.0.0.2[500] to 127.0.0.3[500] (36 bytes)
>> > > > > parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
>> > > > > received NO_PROPOSAL_CHOSEN notify error
>> > > > > establishing connection 'home' failed
>> >
>> > > > > Any ideas?
>> >
>> > > > > Thanks,
>> > > > >   Brian
>> >
>> >
>> >
>> > > > > On Tue, May 6, 2014 at 10:11 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>> >
>> >
>> > > > > Hello Brian,
>> >
>> > > > > Plugins in strongSwan provide support for cryptographic operations, like Diffie-Hellman key exchanges and ciphers.
>> > > > > strongSwan itself only comes with a small number of plugins for ciphers like aes or des, but not DH, which is used to negotiate the key in phase one.
>> > > > > Plugins provide access to 3rd party APIs, like the ones of openssl and libgmp.
>> > > > > The default proposal strongSwan sends includes a DH exchange over a modulus of 2048 bit, which is provided by either libgmp or openssl.
>> > > > > It seems you do not have libgmp installed on your box. Please install it, then try again. As an alternative, you could also use openssl.
>> > > > > To use openssl instead of libgmp for cryptography, just replace gmp with openssl in the load argument in strongswan.conf.
>> >
>> > > > > Regards,
>> > > > > Noel Kuntze
>> >
>> > > > > Am 06.05.2014 16:54, schrieb Brian Watson:
>> > > > > > I also have done the following:
>> >
>> > > > > > 1. ipsec up home
>> >
>> > > > > > 2. I get the following in response
>> > > > > > initiating IKE_SA home[1] to 127.0.0.2
>> > > > > > configured DH group MODP_2048 not supported
>> > > > > > tried to check-in and delete nonexisting IKE_SA
>> > > > > > establishing connection 'home' failed
>> >
>> > > > > > Thanks!
>> > > > > >    Brian
>> >
>> >
>> > > > > > On Tue, May 6, 2014 at 9:06 AM, Brian Watson <bwats9999 at gmail.com> wrote:
>> >
>> > > > > >     I have setup strongswan with the config files on 2 virtual
>> boxes running Ubuntu 14.04. I have the following with the 2nd virtual
>> machine basically mirroring the first with the exception of the ip address
>> being swapped around:
>> >
>> > > > > >     1. I setup the config files on 2 Ubuntu virtualbox machines
>> > > > > >       ipsec.conf
>> > > > > >       -------------------------
>> > > > > >       config setup
>> >
>> > > > > >       conn %default
>> > > > > >               ikelifetime=60m
>> > > > > >               keylife=20m
>> > > > > >               rekeymargin=3m
>> > > > > >               keyingtries=1
>> > > > > >               keyexchange=ikev2
>> > > > > >               authby=secret
>> >
>> > > > > >       conn home
>> > > > > >               left=127.0.0.2
>> > > > > >               leftfirewall=no
>> > > > > >               right=127.0.0.3
>> > > > > >               auto=add
>> >
>> > > > > >       ipsec.secrets
>> > > > > >       ------------------------------
>> > > > > >       127.0.0.2 : PSK <shared secret>
>> >
>> > > > > >       strongswan.conf
>> > > > > >       -------------------------------
>> > > > > >       charon {
>> > > > > >           load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
>> > > > > >       }
>> >
>> > > > > >     2. I issue "sudo ipsec start" and status commands and get
>> the following:
>> >
>> > > > > >     Starting strongSwan 5.1.2 IPsec [starter]...
>> > > > > >     !! Your strongswan.conf contains manual plugin load options for charon.
>> > > > > >     !! This is recommended for experts only, see
>> > > > > >     !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
>> > > > > >     brianswan3 at brianswan3-VirtualBox:/etc$ sudo ipsec status
>> > > > > >     Security Associations (0 up, 0 connecting):
>> > > > > >       none
>> >
>> > > > > >     3. The fact that it shows no security associations implies
>> to me that it didn't work. Is this true and is there something obvious that
>>  I'm doing wrong?
>> >
>> > > > > >     Thanks,
>> > > > > >        Brian
>> >
>> >
>> >
>> >
>> > > > > > _______________________________________________
>> > > > > > Users mailing list
>> > > > > > Users at lists.strongswan.org
>> > > > > > https://lists.strongswan.org/mailman/listinfo/users
>> >
>> >
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2.0.22 (GNU/Linux)
>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>
>> iQIcBAEBCAAGBQJTaWUYAAoJEDg5KY9j7GZYFB0P/2DX+EXkCKbnQKNLiqQn9pL7
>> rWHTeIrqskl4GDo1OlJWz+Zlsk/rSC7eyOVdT8APQppf2XFgprRaTORku1CNE/tn
>> b6skkfhv7HuXbsUN8kFKEaldzt6LtEOSSw6a+OqTXVDlhTLCcT7ypvitdrwvp/x6
>> OcFWwakFWz1id7cLaJ2BV3W+3wa1KhtSMZevnpiAEVF/k1Ln7sxiBEPqegYN7vfZ
>> /NSX0zIoPjVClOLL3SM17hvd8Ino04EqnbY4h0gf3de7LnN0jgyZcOv/oXNWvvKk
>> 4T5Ccsbh23DRwrKqR7+JHzqZjUH8oj3iPcglVcFfbYtm5pPIi5HoX7DPi/RrdU5e
>> TIJEtA4nyNkLw3yoV3E0l40oiT+pwdMLqaiI2ymtIlkBGKSu5FhG8bqlB/9AJFq5
>> BC0nRabUrqMZgpe8q2NOV4Xr+/r0x1ao7UKYozxESgiYMjn0a7cTImVf4z7RFZsB
>> pq3RgNN9cwrJIXH6LNbYpByp4DjNKaR+qogfcqzllsw63mMRoVfmCErxa0yKzI9q
>> fLT4Sdc6hOHWr0X3Q4kb4ZBvtPz4P8dHQjFCd7mhXHJJWZfcgi1X3gEUKy/TPVHm
>> p+/0RCfaxZWm9bDHV8XGL4aBINxLDBGIeMGyAzItb73CE+PdeGPFo6zZG7BV5ucT
>> wXneE117DU71KQVSjQWk
>> =q7K3
>> -----END PGP SIGNATURE-----
>>
>>
>>
>
>
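The script below is an added example, written for this archive page; it is not code from the thread's participants or from the strongSwan project. It automates the two checks Noel walks Brian through: whether charon's "load =" line names a plugin that can serve a Diffie-Hellman group (an empty result is what produces "configured DH group MODP_2048 not supported"), and, once file logging works, which transform type the two peers fail to agree on behind a NO_PROPOSAL_CHOSEN. The "configured proposals" / "received proposals" lines are what the responder logs with the cfg subsystem at level 2; the log lines and strongswan.conf text here are constructed for the demo, not captured from Brian's machines. The set of DH-providing plugins and the charon-name to ipsec.conf keyword table are this example's own assumptions and cover only the transforms listed; anything else raises.

```python
"""Added example (not from the thread's authors or from strongSwan itself):
diagnostics for the two failures in this thread, driven by strongswan.conf
and charon log text. All sample input below is constructed for the demo."""
from __future__ import annotations
import re

# strongSwan 5.x plugins that supply Diffie-Hellman groups to charon
# (assumed set for the demo; later releases add further providers).
DH_PROVIDER_PLUGINS = {"gmp", "openssl", "gcrypt"}
TRANSFORM_TYPES = ("encr", "integ", "prf", "dh")
# With the cfg subsystem at log level 2 the responder logs both sides, e.g.
#   configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
PROPOSAL_LINE = re.compile(r"(configured|received) proposals: (.+?)\s*$")
# charon transform name -> ipsec.conf 'ike=' keyword (the PRF is implied and dropped)
KEYWORD_RULES = [(re.compile(p), r) for p, r in (
    (r"^AES_CBC_(\d+)$", r"aes\1"), (r"^3DES_CBC$", "3des"),
    (r"^HMAC_SHA1_96$", "sha1"), (r"^HMAC_MD5_96$", "md5"),
    (r"^HMAC_SHA2_(\d+)_\d+$", r"sha\1"),
    (r"^MODP_(\d+)$", r"modp\1"), (r"^ECP_(\d+)$", r"ecp\1"),
)]


def dh_providers(strongswan_conf: str) -> set[str]:
    """Loaded plugins able to serve MODP/ECP groups; an empty set is what
    produces 'configured DH group MODP_2048 not supported' at ipsec up."""
    m = re.search(r"^\s*load\s*=\s*(.+?)\s*$", strongswan_conf, re.MULTILINE)
    return set(m.group(1).split()) & DH_PROVIDER_PLUGINS if m else set()


def transform_type(alg: str) -> str:
    """Bucket a transform name the way an IKEv2 proposal does."""
    if alg.startswith("PRF_"):
        return "prf"
    if alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if alg.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    return "encr"


def parse_proposals(text: str) -> list[dict[str, set[str]]]:
    """'IKE:A/B/C/D, IKE:E/F/G/H' -> one {type: {algorithms}} dict per proposal."""
    proposals = []
    for item in filter(None, (s.strip() for s in text.split(","))):
        buckets: dict[str, set[str]] = {}
        for alg in item.split(":", 1)[-1].split("/"):
            buckets.setdefault(transform_type(alg), set()).add(alg)
        proposals.append(buckets)
    return proposals


def compatible(ours: dict[str, set[str]], theirs: dict[str, set[str]]) -> bool:
    """Responder rule: every transform type listed by either side must overlap."""
    return all(ours.get(t, set()) & theirs.get(t, set()) for t in set(ours) | set(theirs))


def diagnose_no_proposal(charon_log: str) -> dict[str, tuple[list[str], list[str]]]:
    """{} if some configured/received pair matches; otherwise, per transform type
    with nothing in common, (what we offer, what the peer offers). If every type
    overlaps somewhere but never inside one proposal, key 'proposal' lists both sides."""
    found: dict[str, list[dict[str, set[str]]]] = {}
    for line in charon_log.splitlines():
        m = PROPOSAL_LINE.search(line)
        if m:
            found[m.group(1)] = parse_proposals(m.group(2))
    for side in ("configured", "received"):
        if side not in found:
            raise ValueError(f"no '{side} proposals' line; set cfg log level to 2")
    ours, theirs = found["configured"], found["received"]
    if any(compatible(o, t) for o in ours for t in theirs):
        return {}
    report = {}
    for ttype in TRANSFORM_TYPES:
        offered = set().union(*(o.get(ttype, set()) for o in ours))
        asked = set().union(*(t.get(ttype, set()) for t in theirs))
        if not offered & asked:
            report[ttype] = (sorted(offered), sorted(asked))
    if not report:
        flat = lambda p: "/".join(a for t in TRANSFORM_TYPES for a in sorted(p.get(t, ())))
        report["proposal"] = (sorted(map(flat, ours)), sorted(map(flat, theirs)))
    return report


def ike_keyword(log_proposal: str) -> str:
    """One proposal as charon logs it -> the hyphenated ipsec.conf 'ike=' form, e.g.
    'IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048' -> 'aes128-sha256-modp2048'."""
    parts = []
    for alg in log_proposal.split(":", 1)[-1].split("/"):
        if alg.startswith("PRF_"):
            continue
        for rx, repl in KEYWORD_RULES:
            if rx.match(alg):
                parts.append(rx.sub(repl, alg))
                break
        else:
            raise ValueError(f"no ipsec.conf keyword known here for {alg}")
    return "-".join(parts)


# Constructed sample input: the poster's load line without gmp/openssl, and a
# responder-side charon log in which only the DH group differs.
SAMPLE_CONF = """charon {
    load = aes des sha1 sha2 md5 random nonce hmac stroke kernel-netlink socket-default updown
}"""
SAMPLE_LOG = """\
May  7 08:20:01 05[CFG] <3> received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
May  7 08:20:01 05[CFG] <3> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
May  7 08:20:01 05[IKE] <3> no acceptable proposal found
"""

if __name__ == "__main__":
    print("DH providers loaded:", dh_providers(SAMPLE_CONF) or "none")
    print("no common algorithm for:", diagnose_no_proposal(SAMPLE_LOG))
    print("ike=" + ike_keyword("IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048") + "!")
```

Run it with python3 on the real /var/log/charon.log once the file logger writes. The point of ike_keyword is the one Noel makes: ipsec.conf takes the hyphenated suite form (aes128-sha256-modp2048, with a trailing "!" to make that proposal strict), not the slash-separated names charon prints. On the AppArmor fix in the top message: aa-complain puts the whole charon profile into complain mode, so nothing the daemon does is confined any more, not just the log write. The narrower fix is to allow the log path in the profile's local override (on Ubuntu the strongswan package ships the override file under /etc/apparmor.d/local/, assumed here to be usr.lib.ipsec.charon) and reload the profile with apparmor_parser -r, then confirm the DENIED lines have stopped in /var/log/syslog.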

