[strongSwan] strongswan retransmit request problem

Aaron hawaiiaaron at gmail.com
Fri Feb 27 00:35:04 CET 2015


Hi,

I'm trying to set up strongswan 5.2 but am experiencing problems where the
left side can't seem to connect to the right side and keeps retransmitting
the request till it times out.

Both VPNs are within a VPC 10.100.0.0 in Amazon Web Services.  The
left side is in subnet 10.100.200.0 and the right side is in 10.100.201.0.
I have the AWS security set so I can ping both servers even without a
tunnel established.

I do notice in the log file that this error occurs "unable to load 3 plugin
features (3 due to unmet dependencies)" but do not know if it is related to
the problem?

Thanks for all help.

#leftside ipsec.conf
conn vpn
      type=tunnel
      keyexchange=ikev2
      left=10.100.200.52
      leftcert=strongswanleftCert2.der
      leftsubnet=10.100.200.0/24
      leftid=@ip-10-100-200-52
      leftfirewall=yes
      right=10.100.201.54
      rightid=@ip-10-100-201-54
      rightcert=strongswanrightCert2.der
      rightsubnet=10.100.201.0/24
      rightsendcert=never
      lefthostaccess=yes
      auto=start

#rightside ipsec.conf
conn vpn
      type=tunnel
      keyexchange=ikev2
      left=10.100.200.52
      leftcert=strongswanleftCert2.der
      leftsubnet=10.100.200.0/24
      leftid=@ip-10-100-200-52
      leftfirewall=yes
      right=10.100.201.54
      rightid=@ip-10-100-201-54
      rightcert=strongswanrightCert2.der
      rightsubnet=10.100.201.0/24
      rightsendcert=never
      lefthostaccess=yes
      auto=start


#statusall from left side
[root@ip-10-100-200-52 strongswan]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.2.0, Linux
2.6.32-431.29.2.el6.x86_64, x86_64):
  uptime: 2 hours, since Feb 26 13:05:37 2015
  malloc: sbrk 405504, mmap 0, used 373504, free 32000
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 0
  loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5 random nonce
x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey
sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve
socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc
eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam
xauth-noauth dhcp
Listening IP addresses:
  10.100.200.52
Connections:
         vpn:  10.100.200.52...10.100.201.54  IKEv2
         vpn:   local:  [ip-10-100-200-52] uses public key authentication
         vpn:    cert:  "C=US, O=Example, CN=strongswanleft2"
         vpn:   remote: [ip-10-100-201-54] uses public key authentication
         vpn:    cert:  "C=US, O=Example, CN=strongswanright2"
         vpn:   child:  10.100.200.0/24 === 10.100.201.0/24 TUNNEL
Security Associations (0 up, 0 connecting):
  none

# statusall from right side
[root@ip-10-100-201-54 strongswan]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.2.0, Linux
2.6.32-431.29.2.el6.x86_64, x86_64):
  uptime: 2 hours, since Feb 26 13:05:42 2015
  malloc: sbrk 540672, mmap 0, used 373552, free 167120
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 0
  loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5 random nonce
x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey
sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve
socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc
eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam
xauth-noauth dhcp
Listening IP addresses:
  10.100.201.54
Connections:
         vpn:  10.100.201.54...10.100.200.52  IKEv2
         vpn:   local:  [ip-10-100-201-54] uses public key authentication
         vpn:    cert:  "C=US, O=Example, CN=strongswanright2"
         vpn:   remote: [ip-10-100-200-52] uses public key authentication
         vpn:    cert:  "C=US, O=Example, CN=strongswanleft2"
         vpn:   child:  10.100.201.0/24 === 10.100.200.0/24 TUNNEL
Security Associations (0 up, 0 connecting):
  none


#/var/log/messages from right side 10.100.201.54
Feb 26 13:05:42 ip-10-100-201-54 charon: 00[CFG] loading attribute
certificates from '/etc/strongswan/ipsec.d/acerts'
Feb 26 13:05:42 ip-10-100-201-54 charon: 00[CFG] loading crls from
'/etc/strongswan/ipsec.d/crls'
Feb 26 13:05:42 ip-10-100-201-54 charon: 00[CFG] loading secrets from
'/etc/strongswan/ipsec.secrets'
Feb 26 13:05:42 ip-10-100-201-54 charon: 00[CFG]   loaded RSA private key
from '/etc/strongswan/ipsec.d/private/strongswanrightKey2.der'
Feb 26 13:05:42 ip-10-100-201-54 charon: 00[LIB] loaded plugins: charon
curl aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints
acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp
xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici
updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap
xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
Feb 26 13:05:42 ip-10-100-201-54 charon: 00[LIB] unable to load 3 plugin
features (3 due to unmet dependencies)
Feb 26 13:05:42 ip-10-100-201-54 charon: 00[JOB] spawning 16 worker threads
Feb 26 13:05:42 ip-10-100-201-54 charon: 08[CFG] received stroke: add
connection 'vpn'
Feb 26 13:05:42 ip-10-100-201-54 charon: 08[CFG]   loaded certificate
"C=US, O=Example, CN=strongswanright2" from 'strongswanrightCert2.der'
Feb 26 13:05:42 ip-10-100-201-54 charon: 08[CFG]   loaded certificate
"C=US, O=Example, CN=strongswanleft2" from 'strongswanleftCert2.der'
Feb 26 13:05:42 ip-10-100-201-54 charon: 08[CFG] added configuration 'vpn'
Feb 26 13:05:42 ip-10-100-201-54 charon: 10[CFG] received stroke: initiate
'vpn'
Feb 26 13:05:42 ip-10-100-201-54 charon: 10[IKE] initiating IKE_SA vpn[1]
to 10.100.200.52
Feb 26 13:05:42 ip-10-100-201-54 charon: 10[ENC] generating IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 26 13:05:42 ip-10-100-201-54 charon: 10[NET] sending packet: from
10.100.201.54[500] to 10.100.200.52[500] (1132 bytes)
Feb 26 13:05:42 ip-10-100-201-54 charon: 12[NET] received packet: from
10.100.200.52[500] to 10.100.201.54[500] (36 bytes)
Feb 26 13:05:42 ip-10-100-201-54 charon: 12[ENC] parsed IKE_SA_INIT
response 0 [ N(NO_PROP) ]
Feb 26 13:05:42 ip-10-100-201-54 charon: 12[IKE] received
NO_PROPOSAL_CHOSEN notify error
Feb 26 13:05:48 ip-10-100-201-54 charon: 14[NET] received packet: from
10.100.200.52[500] to 10.100.201.54[500] (1132 bytes)
Feb 26 13:05:48 ip-10-100-201-54 charon: 14[ENC] parsed IKE_SA_INIT request
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 26 13:05:48 ip-10-100-201-54 charon: 14[IKE] 10.100.200.52 is
initiating an IKE_SA
Feb 26 13:05:48 ip-10-100-201-54 charon: 14[IKE] sending cert request for
"C=US, O=Example, CN=strongSwan CA"
Feb 26 13:05:48 ip-10-100-201-54 charon: 14[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Feb 26 13:05:48 ip-10-100-201-54 charon: 14[NET] sending packet: from
10.100.201.54[500] to 10.100.200.52[500] (465 bytes)
Feb 26 13:05:52 ip-10-100-201-54 charon: 15[NET] received packet: from
10.100.200.52[500] to 10.100.201.54[500] (1132 bytes)
Feb 26 13:05:52 ip-10-100-201-54 charon: 15[ENC] parsed IKE_SA_INIT request
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 26 13:05:52 ip-10-100-201-54 charon: 15[IKE] received retransmit of
request with ID 0, retransmitting response
Feb 26 13:05:52 ip-10-100-201-54 charon: 15[NET] sending packet: from
10.100.201.54[500] to 10.100.200.52[500] (465 bytes)
Feb 26 13:05:59 ip-10-100-201-54 charon: 16[NET] received packet: from
10.100.200.52[500] to 10.100.201.54[500] (1132 bytes)
Feb 26 13:05:59 ip-10-100-201-54 charon: 16[ENC] parsed IKE_SA_INIT request
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 26 13:05:59 ip-10-100-201-54 charon: 16[IKE] received retransmit of
request with ID 0, retransmitting response
Feb 26 13:05:59 ip-10-100-201-54 charon: 16[NET] sending packet: from
10.100.201.54[500] to 10.100.200.52[500] (465 bytes)
Feb 26 13:06:12 ip-10-100-201-54 charon: 09[NET] received packet: from
10.100.200.52[500] to 10.100.201.54[500] (1132 bytes)
Feb 26 13:06:12 ip-10-100-201-54 charon: 09[ENC] parsed IKE_SA_INIT request
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 26 13:06:12 ip-10-100-201-54 charon: 09[IKE] received retransmit of
request with ID 0, retransmitting response
Feb 26 13:06:12 ip-10-100-201-54 charon: 09[NET] sending packet: from
10.100.201.54[500] to 10.100.200.52[500] (465 bytes)
Feb 26 13:06:18 ip-10-100-201-54 charon: 11[JOB] deleting half open IKE_SA
after timeout
Feb 26 13:06:36 ip-10-100-201-54 charon: 08[NET] received packet: from
10.100.200.52[500] to 10.100.201.54[500] (1132 bytes)


#/var/log/messages from left side 10.100.200.52
Feb 26 13:11:07 ip-10-100-200-52 charon: 11[IKE] peer not responding,
trying again (3/3)
Feb 26 13:11:07 ip-10-100-200-52 charon: 11[IKE] initiating IKE_SA vpn[1]
to 10.100.201.54
Feb 26 13:11:07 ip-10-100-200-52 charon: 11[ENC] generating IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 26 13:11:07 ip-10-100-200-52 charon: 11[NET] sending packet: from
10.100.200.52[500] to 10.100.201.54[500] (1132 bytes)
Feb 26 13:11:11 ip-10-100-200-52 charon: 08[IKE] retransmit 1 of request
with message ID 0
Feb 26 13:11:11 ip-10-100-200-52 charon: 08[NET] sending packet: from
10.100.200.52[500] to 10.100.201.54[500] (1132 bytes)
Feb 26 13:11:18 ip-10-100-200-52 charon: 10[IKE] retransmit 2 of request
with message ID 0
Feb 26 13:11:18 ip-10-100-200-52 charon: 10[NET] sending packet: from
10.100.200.52[500] to 10.100.201.54[500] (1132 bytes)
Feb 26 13:11:31 ip-10-100-200-52 charon: 12[IKE] retransmit 3 of request
with message ID 0
Feb 26 13:11:31 ip-10-100-200-52 charon: 12[NET] sending packet: from
10.100.200.52[500] to 10.100.201.54[500] (1132 bytes)
Feb 26 13:11:55 ip-10-100-200-52 charon: 14[IKE] retransmit 4 of request
with message ID 0
Feb 26 13:11:55 ip-10-100-200-52 charon: 14[NET] sending packet: from
10.100.200.52[500] to 10.100.201.54[500] (1132 bytes)
Feb 26 13:12:37 ip-10-100-200-52 charon: 16[IKE] retransmit 5 of request
with message ID 0
Feb 26 13:12:37 ip-10-100-200-52 charon: 16[NET] sending packet: from
10.100.200.52[500] to 10.100.201.54[500] (1132 bytes)
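
An added example, not part of the original post and not strongSwan code: one way to read the two logs above side by side is to tally the charon [NET] lines per direction on each host and to compare the initiator's send intervals with charon's retransmit backoff. The excerpts are abridged from the post with the e-mail line wraps joined; the function names and the 1-second tolerance are assumptions, and 4.0 s and 1.8 are strongSwan's documented defaults for charon.retransmit_timeout and charon.retransmit_base, assumed to be in effect here.

```python
import re
from collections import Counter
from datetime import datetime

# Excerpts abridged from the logs in the post (e-mail line wraps joined).
# The two excerpts come from different connection attempts (13:11 vs 13:05).
LEFT_LOG = """\
Feb 26 13:11:07 ip-10-100-200-52 charon: 11[NET] sending packet: from 10.100.200.52[500] to 10.100.201.54[500] (1132 bytes)
Feb 26 13:11:11 ip-10-100-200-52 charon: 08[NET] sending packet: from 10.100.200.52[500] to 10.100.201.54[500] (1132 bytes)
Feb 26 13:11:18 ip-10-100-200-52 charon: 10[NET] sending packet: from 10.100.200.52[500] to 10.100.201.54[500] (1132 bytes)
Feb 26 13:11:31 ip-10-100-200-52 charon: 12[NET] sending packet: from 10.100.200.52[500] to 10.100.201.54[500] (1132 bytes)
Feb 26 13:11:55 ip-10-100-200-52 charon: 14[NET] sending packet: from 10.100.200.52[500] to 10.100.201.54[500] (1132 bytes)
Feb 26 13:12:37 ip-10-100-200-52 charon: 16[NET] sending packet: from 10.100.200.52[500] to 10.100.201.54[500] (1132 bytes)
"""
RIGHT_LOG = """\
Feb 26 13:05:48 ip-10-100-201-54 charon: 14[NET] received packet: from 10.100.200.52[500] to 10.100.201.54[500] (1132 bytes)
Feb 26 13:05:48 ip-10-100-201-54 charon: 14[NET] sending packet: from 10.100.201.54[500] to 10.100.200.52[500] (465 bytes)
Feb 26 13:05:52 ip-10-100-201-54 charon: 15[NET] received packet: from 10.100.200.52[500] to 10.100.201.54[500] (1132 bytes)
Feb 26 13:05:52 ip-10-100-201-54 charon: 15[NET] sending packet: from 10.100.201.54[500] to 10.100.200.52[500] (465 bytes)
"""

NET = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ charon: \d+\[NET\] (sending|received)"
                 r" packet: from \S+ to \S+ \((\d+) bytes\)")

def net_events(log, year=2015):
    """Return (timestamp, direction, size) for every charon [NET] line."""
    events = []
    for line in log.splitlines():
        m = NET.match(line)
        if m:  # syslog omits the year, so supply it (2015 is the post's date)
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3))))
    return events

def tally(events):
    """Count packets per (direction, size); a host with only 'sending' saw no reply."""
    return Counter((direction, size) for _, direction, size in events)

def send_gaps(events):
    """Seconds between consecutive packets sent by this host."""
    sent = [ts for ts, direction, _ in events if direction == "sending"]
    return [(b - a).total_seconds() for a, b in zip(sent, sent[1:])]

def matches_backoff(gaps, timeout=4.0, base=1.8, tol=1.0):
    """True if gap n is within tol seconds of timeout * base**n (assumed defaults)."""
    return all(abs(g - timeout * base ** n) <= tol for n, g in enumerate(gaps))

if __name__ == "__main__":
    print(tally(net_events(LEFT_LOG)), tally(net_events(RIGHT_LOG)))
    print(send_gaps(net_events(LEFT_LOG)))
```

On these excerpts the left host logs six 1132-byte sends and no received packet, while the right host logs each 1132-byte request it receives followed by a 465-byte response it sends.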