[strongSwan] IPv6 IKEv2 Road Warrior Connection issues
Randy Wyatt
rwwyatt01 at gmail.com
Fri Oct 3 20:03:45 CEST 2014
The network setup is like this:
Win7 PC --> MiFi (Verizon Wireless) IPv6 --> SoftlayerIPV6 --> VPS.
The following are the contents of /usr/local/etc/ipsec.conf
[root@ares rwwyatt]# cat /usr/local/etc/ipsec.conf
config setup
        uniqueids=yes
        charondebug="ike 3, knl 3, cfg 0"

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn rw
        left=serveripv61
#       leftsubnet=serveripv6sub
        leftfirewall=yes
        leftid=@ares.ipv6.rwwyatt.com
        authby=xauthrsasig
        xauth=server
        leftcert=/usr/local/etc/ipsec.d/certs/strongswanCert.pem
        rightcert=hostCert.pem
        right=%any
        keyexchange=ikev2
        auto=add
The following is from the ipsec.secrets with the password replaced:
:RSA /usr/local/etc/ipsec.d/private/strongswanKey.pem "passwd1"
:XAUTH user "!passwd2"
The following is the excerpt from the syslog: (Of course the IP addresses are replaced)
Oct 3 12:40:41 ares charon: 00[DMN] signal of type SIGINT received. Shutting down
Oct 3 12:40:45 ares charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-431.29.2.el6.x86_64, x86_64)
Oct 3 12:40:45 ares charon: 00[KNL] detected Linux 2.6.32, no support for RTA_PREFSRC for IPv6 routes
Oct 3 12:40:45 ares charon: 00[KNL] known interfaces and IP addresses:
Oct 3 12:40:45 ares charon: 00[KNL] lo
Oct 3 12:40:45 ares charon: 00[KNL] 127.0.0.1
Oct 3 12:40:45 ares charon: 00[KNL] ::1
Oct 3 12:40:45 ares charon: 00[KNL] eth0
Oct 3 12:40:45 ares charon: 00[KNL] 10.40.122.66
Oct 3 12:40:45 ares charon: 00[KNL] fe80::4fc:60ff:fe68:c68c
Oct 3 12:40:45 ares charon: 00[KNL] eth1
Oct 3 12:40:45 ares charon: 00[KNL] ipv41
Oct 3 12:40:45 ares charon: 00[KNL] ipv42
Oct 3 12:40:45 ares charon: 00[KNL] ipv43
Oct 3 12:40:45 ares charon: 00[KNL] ipv44
Oct 3 12:40:45 ares charon: 00[KNL] ipv45
Oct 3 12:40:45 ares charon: 00[KNL] ipv61
Oct 3 12:40:45 ares charon: 00[KNL] ipv62
Oct 3 12:40:45 ares charon: 00[KNL] fe80::48b:64ff:fee2:7a3c
Oct 3 12:40:45 ares charon: 00[LIB] opening '/usr/local/etc/ipsec.d/private/{' failed: No such file or directory
Oct 3 12:40:45 ares charon: 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
Oct 3 12:40:45 ares charon: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Oct 3 12:40:45 ares charon: 00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)
Oct 3 12:40:45 ares charon: 00[JOB] spawning 16 worker threads
Oct 3 12:41:27 ares charon: 08[NET] received packet: from clientipv61[500] to serveripv61[500] (528 bytes)
Oct 3 12:41:27 ares charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 3 12:41:27 ares charon: 08[IKE] clientipv61 is initiating an IKE_SA
Oct 3 12:41:27 ares charon: 08[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Oct 3 12:41:27 ares charon: 08[IKE] sending cert request for "C=US, ST=California, L=San Diego, O=RWW, CN=ares.ipv6.rwwyatt.com, E=rwwyatt at rwwyatt.com"
Oct 3 12:41:27 ares charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 3 12:41:27 ares charon: 08[NET] sending packet: from serveripv61[500] to clientipv61[500] (333 bytes)
Oct 3 12:41:29 ares charon: 09[NET] received packet: from clientipv61[500] to serveripv61[500] (528 bytes)
Oct 3 12:41:29 ares charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 3 12:41:29 ares charon: 09[IKE] received retransmit of request with ID 0, retransmitting response
Oct 3 12:41:29 ares charon: 09[NET] sending packet: from serveripv61[500] to clientipv61[500] (333 bytes)
Oct 3 12:41:32 ares charon: 10[NET] received packet: from clientipv61[500] to serveripv61[500] (528 bytes)
Oct 3 12:41:32 ares charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 3 12:41:32 ares charon: 10[IKE] received retransmit of request with ID 0, retransmitting response
Oct 3 12:41:32 ares charon: 10[NET] sending packet: from serveripv61[500] to clientipv61[500] (333 bytes)
Oct 3 12:41:57 ares charon: 11[JOB] deleting half open IKE_SA after timeout
Oct 3 12:41:57 ares charon: 11[IKE] IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
What am I doing wrong?
Thanks for any help and time.
Regards,
Randy
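
Added example, not part of the original post and not strongSwan project code: a small Python triage of responder-side charon logs that flags the two patterns visible in the log above (the private key failing to load, and IKE_SA_INIT retransmits ending in a half-open timeout with no IKE_AUTH ever parsed). The sample lines are constructed from that pattern with placeholder addresses; the function name triage and the finding strings are assumptions of this example.

```python
import re

# Constructed sample: charon lines condensed from the pattern in the post
# (server/client are placeholders, not real hosts).
SAMPLE_LOG = """\
Oct 3 12:40:45 ares charon: 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
Oct 3 12:41:27 ares charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 3 12:41:27 ares charon: 08[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Oct 3 12:41:27 ares charon: 08[NET] sending packet: from server[500] to client[500] (333 bytes)
Oct 3 12:41:29 ares charon: 09[IKE] received retransmit of request with ID 0, retransmitting response
Oct 3 12:41:32 ares charon: 10[IKE] received retransmit of request with ID 0, retransmitting response
Oct 3 12:41:57 ares charon: 11[JOB] deleting half open IKE_SA after timeout
"""

# thread number, three-letter log group, then the message text
LINE = re.compile(r"charon: (?P<thread>\d+)\[(?P<group>[A-Z]{3})\] (?P<msg>.*)$")

def triage(log_text):
    """Return a list of findings for a responder-side charon log."""
    stats = {"key_fail": 0, "init": 0, "retrans": 0, "auth": 0, "half_open": 0}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # tail of a hard-wrapped line, or non-charon output
        group, msg = m["group"], m["msg"]
        if group == "LIB" and msg.startswith("building CRED_PRIVATE_KEY") and "failed" in msg:
            stats["key_fail"] += 1
        elif group == "ENC" and msg.startswith("parsed IKE_SA_INIT request"):
            stats["init"] += 1
        elif group == "ENC" and msg.startswith("parsed IKE_AUTH request"):
            stats["auth"] += 1
        elif group == "IKE" and msg.startswith("received retransmit of request"):
            stats["retrans"] += 1
        elif group == "JOB" and "deleting half open IKE_SA" in msg:
            stats["half_open"] += 1
    findings = []
    if stats["key_fail"]:
        findings.append("private key not loaded: check the ipsec.secrets entry and key path")
    # Initiator keeps resending message 0 and the exchange never advances.
    if stats["init"] and stats["retrans"] and not stats["auth"] and stats["half_open"]:
        findings.append("IKE_SA_INIT answered but initiator kept retransmitting and never "
                        "sent IKE_AUTH: response is not reaching or not accepted by the peer")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run it against a log whose entries are one per line; the tail of a hard-wrapped entry does not match the pattern and is skipped.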