[strongSwan] IPSec session not getting established

ashok kj ashok_asij at yahoo.com
Mon Aug 3 16:07:23 CEST 2015


Hi,
I am trying to establish a simple PSK IPsec session between two Ubuntu systems.

The configs are:

ipsec.conf
config setup
        charondebug="ike 5, chd 5, cfg 5, net 5, enc 5, lib 5, mgr 5, knl 5 dmn 5"

conn default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2
        mobike=no

conn home
        left=192.168.1.5
        leftid=@moon.strongswan.org
#        leftauth=psk
#       leftauth=pubkey
        leftsubnet=192.168.1.5/32
        leftfirewall=yes
        right=192.168.1.16
        rightid=ashok@strongswan.org
        rightsubnet=192.168.1.16/32
#        rightauth=psk
        ike=3des-md5-modp768!
        esp=aes128-sha1-modp1024!
#        auto=add
        auto=start

ipsec.secrets
ashok@strongswan.org : PSK "@password11"
@moon.strongswan.org : PSK "@password1"
#: PSK "mysecret"

strongswan.conf
charon {
  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
}

Though everything looks to be correct, the tunnel is not coming up.
I can see the IKE session come up, but later it is getting destroyed:
root@user-Lenovo-Product:/home/user# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.13.0-45-generic, i686):
  uptime: 23 seconds, since Aug 03 19:15:51 2015
  malloc: sbrk 1081344, mmap 0, used 105848, free 975496
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown
Listening IP addresses:
  192.168.1.5
  192.168.100.1
Connections:
        home:  192.168.1.5...192.168.1.16  IKEv1/2
        home:   local:  [moon.strongswan.org] uses public key authentication
        home:   remote: [ashok@strongswan.org] uses public key authentication
        home:   child:  192.168.1.5/32 === 192.168.1.16/32 TUNNEL
Security Associations (0 up, 1 connecting):
   (unnamed)[2]: CONNECTING, 192.168.1.5[%any]...192.168.1.16[%any]
   (unnamed)[2]: IKEv2 SPIs: bb7cf8b864a3a82d_i 09ba6f5bcbb60829_r*
   (unnamed)[2]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_768
   (unnamed)[2]: Tasks passive: IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE 


root@user-Lenovo-Product:/home/user# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.13.0-45-generic, i686):
  uptime: 41 seconds, since Aug 03 19:15:51 2015
  malloc: sbrk 1081344, mmap 0, used 98048, free 983296
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown
Listening IP addresses:
  192.168.1.5
  192.168.100.1
Connections:
        home:  192.168.1.5...192.168.1.16  IKEv1/2
        home:   local:  [moon.strongswan.org] uses public key authentication
        home:   remote: [ashok@strongswan.org] uses public key authentication
        home:   child:  192.168.1.5/32 === 192.168.1.16/32 TUNNEL
Security Associations (0 up, 0 connecting):
  none
root@user-Lenovo-Product:/home/user# 



I also looked into the log "/var/log/syslog"; it says no private key found for the entity, but I have configured it at "/etc/ipsec.secrets":

Aug  3 19:15:55 user-Lenovo-Product charon: 14[IKE] reinitiating already active tasks
Aug  3 19:15:55 user-Lenovo-Product charon: 14[IKE]   IKE_CERT_PRE task
Aug  3 19:15:55 user-Lenovo-Product charon: 14[IKE]   IKE_AUTH task
Aug  3 19:15:55 user-Lenovo-Product charon: 14[ENC] added payload of type NOTIFY to message
Aug  3 19:15:55 user-Lenovo-Product charon: 14[ENC] added payload of type NOTIFY to message
Aug  3 19:15:55 user-Lenovo-Product charon: 14[ENC] added payload of type ID_RESPONDER to message
Aug  3 19:15:55 user-Lenovo-Product charon: 14[ENC] added payload of type ID_INITIATOR to message
Aug  3 19:15:55 user-Lenovo-Product charon: 14[ENC] added payload of type NOTIFY to message
Aug  3 19:15:55 user-Lenovo-Product charon: 14[IKE] no private key found for 'moon.strongswan.org'
Aug  3 19:15:55 user-Lenovo-Product charon: 14[MGR] checkin and destroy IKE_SA home[1]
Aug  3 19:15:55 user-Lenovo-Product charon: 14[IKE] IKE_SA home[1] state change: CONNECTING => DESTROYING
Aug  3 19:15:55 user-Lenovo-Product charon: 14[MGR] check-in and destroy of IKE_SA successful
Aug  3 19:16:02 user-Lenovo-Product charon: 10[MGR] checkout IKE_SA

May I know what I am missing? I have also attached the complete log for reference.
Thanks in advance for the needful.

Regards
Ashok
-------------- next part --------------
A non-text attachment was scrubbed...
Name: strongswan_log
Type: application/octet-stream
Size: 1055899 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150803/48e7c57b/attachment-0001.obj>
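The status output above reports "uses public key authentication" even though `authby=secret` is present in the file, and the log then complains about a missing private key. The following is an added example, not code from the post or from strongSwan: a simplified ipsec.conf section parser that applies strongSwan's documented inheritance rules (only a section named `%default` is inherited implicitly, `also=` includes a section explicitly, direct settings win, and with no `authby`/`leftauth` the daemon falls back to public-key authentication) and reports the authentication method each conn ends up with. It treats `leftauth`, when set, as taking precedence over `authby`, which is an assumption about charon's precedence rather than something the post states. The embedded configuration is a constructed, trimmed copy of the posted layout.

```python
"""Added example (not from the mailing-list post or from strongSwan): a minimal
ipsec.conf section parser that resolves section inheritance and reports which
authentication method each conn will actually use.

Assumed rules (from strongSwan's ipsec.conf documentation):
  * a section named "%default" is inherited by every other section of its kind;
  * "also=<name>" pulls in another section's settings explicitly;
  * settings given directly in a section win over inherited ones;
  * with no authby / leftauth, charon falls back to public-key authentication.
This parser is deliberately simplified and is not strongSwan's own parser.
"""
import re

# Constructed sample mirroring the posted layout: "conn default" is an
# ordinary section that nothing references, so "conn home" never sees it.
POSTED_CONF = """
config setup
        charondebug="ike 5, chd 5"

conn default
        authby=secret
        keyexchange=ikev2

conn home
        left=192.168.1.5
        leftid=@moon.strongswan.org
        right=192.168.1.16
        rightid=ashok@strongswan.org
        auto=start
"""


def parse_sections(text):
    """Return {"conn": {name: {key: value}}, "config": {...}, "ca": {...}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        m = re.match(r"^(conn|config|ca)\s+(\S+)\s*$", line)
        if m and not raw[0].isspace():  # section headers start in column 0
            kind, name = m.groups()
            current = sections.setdefault(kind, {}).setdefault(name, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        current[key] = value
    return sections


def effective_settings(conns, name, _seen=None):
    """Merge %default and the also= chain so that direct settings win."""
    _seen = _seen or set()
    if name in _seen:
        raise ValueError(f"also= loop through {name}")
    _seen.add(name)
    merged = dict(conns.get("%default", {})) if name != "%default" else {}
    own = conns[name]
    if "also" in own:
        merged.update(effective_settings(conns, own["also"], _seen))
    merged.update(own)
    merged.pop("also", None)
    return merged


def auth_method(settings):
    """Describe how the local side will authenticate (assumed precedence:
    leftauth, then authby, then the documented default of pubkey)."""
    if "leftauth" in settings:
        return settings["leftauth"]
    authby = settings.get("authby", "pubkey")
    return "psk" if authby in ("secret", "psk") else "pubkey"


def report(text):
    """Map every non-%default conn to its effective local auth method."""
    conns = parse_sections(text).get("conn", {})
    return {n: auth_method(effective_settings(conns, n))
            for n in conns if n != "%default"}


if __name__ == "__main__":
    for conn, method in report(POSTED_CONF).items():
        print(f"{conn}: {method}")
    renamed = POSTED_CONF.replace("conn default", "conn %default")
    print("with the section renamed to %default:", report(renamed))
```

Run against the posted layout, `home` resolves to `pubkey`, which is exactly what `ipsec statusall` printed; renaming the section to `conn %default`, or adding `also=default` to `conn home`, makes the same script resolve it to `psk`.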