[strongSwan] strongswan host to host setup problem

Randy Wyatt rwwyatt01 at gmail.com
Fri Jul 17 01:48:00 CEST 2015


It appears that we will need increased logging for cfg as well. Have you
thought about my suggestion of just hardcoding the proposal for now?

On Thu, Jul 16, 2015 at 4:44 PM, Aaron <hawaiiaaron at gmail.com> wrote:

> Thanks. I've added the two lines to the ipsec.conf file and increased
> debugging.  It appears to be the same error.
>
> Here is the log from the left side and right side as well as the
> strongswan.conf file.
> You'll see in the logs that some certs are loaded but I am not using them
> in my ipsec.conf.  I just want to use PSKs at this time.
>
> #left side log
> Jul 16 23:27:17 vpn02 charon: 00[DMN] Starting IKE charon daemon
> (strongSwan 5.2.0, Linux 2.6.32-431.29.2.el6.x86_64, x86_64)
> Jul 16 23:27:17 vpn02 charon: 00[LIB] openssl FIPS mode(2) - enabled
> Jul 16 23:27:17 vpn02 charon: 00[CFG] loading ca certificates from
> '/etc/strongswan/ipsec.d/cacerts'
> Jul 16 23:27:17 vpn02 charon: 00[CFG]   loaded ca certificate "C=US,
> ST=WA, L=xxxx, O=xxxx, OU=xxxx, CN=StrongSwan Intermediate CA" from
> '/etc/strongswan/ipsec.d/cacerts/int.pem'
> Jul 16 23:27:17 vpn02 charon: 00[CFG]   loaded ca certificate "C=US,
> ST=WA, L=xxxx, O=xxxx, OU=xxxx, CN=StrongSwan Root CA" from
> '/etc/strongswan/ipsec.d/cacerts/rootCa.crt.pem'
> Jul 16 23:27:17 vpn02 charon: 00[CFG] loading aa certificates from
> '/etc/strongswan/ipsec.d/aacerts'
> Jul 16 23:27:17 vpn02 charon: 00[CFG] loading ocsp signer certificates
> from '/etc/strongswan/ipsec.d/ocspcerts'
> Jul 16 23:27:17 vpn02 charon: 00[CFG] loading attribute certificates from
> '/etc/strongswan/ipsec.d/acerts'
> Jul 16 23:27:17 vpn02 charon: 00[CFG] loading crls from
> '/etc/strongswan/ipsec.d/crls'
> Jul 16 23:27:17 vpn02 charon: 00[CFG] loading secrets from
> '/etc/strongswan/ipsec.secrets'
> Jul 16 23:27:17 vpn02 charon: 00[CFG]   loaded IKE secret for %any
> Jul 16 23:27:17 vpn02 charon: 00[LIB] loaded plugins: charon curl aes des
> rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey
> pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac
> hmac attr kernel-netlink resolve socket-default farp stroke vici updown
> eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap
> xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
> Jul 16 23:27:17 vpn02 charon: 00[LIB] unable to load 3 plugin features (3
> due to unmet dependencies)
> Jul 16 23:27:17 vpn02 charon: 00[JOB] spawning 16 worker threads
> Jul 16 23:27:17 vpn02 charon: 08[CFG] received stroke: add connection 'rw'
> Jul 16 23:27:17 vpn02 charon: 08[CFG] added configuration 'rw'
> Jul 16 23:27:23 vpn02 charon: 10[CFG] received stroke: initiate 'rw'
> Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_VENDOR task
> Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_INIT task
> Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_NATD task
> Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_CERT_PRE task
> Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_AUTH task
> Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_CERT_POST task
> Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_CONFIG task
> Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_AUTH_LIFETIME task
> Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_MOBIKE task
> Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing CHILD_CREATE task
> Jul 16 23:27:23 vpn02 charon: 12[IKE] activating new tasks
> Jul 16 23:27:23 vpn02 charon: 12[IKE]   activating IKE_VENDOR task
> Jul 16 23:27:23 vpn02 charon: 12[IKE]   activating IKE_INIT task
> Jul 16 23:27:23 vpn02 charon: 12[IKE]   activating IKE_NATD task
> Jul 16 23:27:23 vpn02 charon: 12[IKE]   activating IKE_CERT_PRE task
> Jul 16 23:27:23 vpn02 charon: 12[IKE]   activating IKE_AUTH task
> Jul 16 23:27:23 vpn02 charon: 12[IKE]   activating IKE_CERT_POST task
> Jul 16 23:27:23 vpn02 charon: 12[IKE]   activating IKE_CONFIG task
> Jul 16 23:27:23 vpn02 charon: 12[IKE]   activating CHILD_CREATE task
> Jul 16 23:27:23 vpn02 charon: 12[IKE]   activating IKE_AUTH_LIFETIME task
> Jul 16 23:27:23 vpn02 charon: 12[IKE]   activating IKE_MOBIKE task
> Jul 16 23:27:23 vpn02 charon: 12[IKE] initiating IKE_SA rw[1] to
> 10.100.1.31
> Jul 16 23:27:23 vpn02 charon: 12[IKE] IKE_SA rw[1] state change: CREATED
> => CONNECTING
> Jul 16 23:27:23 vpn02 charon: 12[IKE] natd_chunk => 22 bytes @
> 0x7fe30c0028c0
> Jul 16 23:27:23 vpn02 charon: 12[IKE]    0: 6A 4A DE E8 FC 8C FF D9 00 00
> 00 00 00 00 00 00  jJ..............
> Jul 16 23:27:23 vpn02 charon: 12[IKE]   16: 0A 64 01 1F 01
> F4                                .d....
> Jul 16 23:27:23 vpn02 charon: 12[IKE] natd_hash => 20 bytes @
> 0x7fe30c0028e0
> Jul 16 23:27:23 vpn02 charon: 12[IKE]    0: BE 1C 33 77 01 44 51 EF 11 0C
> 28 5E 55 66 F1 65  ..3w.DQ...(^Uf.e
> Jul 16 23:27:23 vpn02 charon: 12[IKE]   16: 7C 85 04
> 6A                                      |..j
> Jul 16 23:27:23 vpn02 charon: 12[IKE] natd_chunk => 22 bytes @
> 0x7fe30c0025c0
> Jul 16 23:27:23 vpn02 charon: 12[IKE]    0: 6A 4A DE E8 FC 8C FF D9 00 00
> 00 00 00 00 00 00  jJ..............
> Jul 16 23:27:23 vpn02 charon: 12[IKE]   16: 0A 64 01 14 01
> F4                                .d....
> Jul 16 23:27:23 vpn02 charon: 12[IKE] natd_hash => 20 bytes @
> 0x7fe30c0025e0
> Jul 16 23:27:23 vpn02 charon: 12[IKE]    0: 2C 77 72 D7 74 8D 69 C1 D7 5C
> 90 3E B7 66 79 D9  ,wr.t.i..\.>.fy.
> Jul 16 23:27:23 vpn02 charon: 12[IKE]   16: DB 4B 9B
> 3D                                      .K.=
> Jul 16 23:27:23 vpn02 charon: 12[ENC] generating IKE_SA_INIT request 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul 16 23:27:23 vpn02 charon: 12[NET] sending packet: from
> 10.100.1.20[500] to 10.100.1.31[500] (964 bytes)
> Jul 16 23:27:27 vpn02 charon: 13[IKE] retransmit 1 of request with message
> ID 0
> Jul 16 23:27:27 vpn02 charon: 13[NET] sending packet: from
> 10.100.1.20[500] to 10.100.1.31[500] (964 bytes)
> Jul 16 23:27:29 vpn02 charon: 14[NET] received packet: from
> 10.100.1.131[500] to 10.100.1.20[500] (964 bytes)
> Jul 16 23:27:29 vpn02 charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE
> No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul 16 23:27:29 vpn02 charon: 14[IKE] no IKE config found for
> 10.100.1.20...10.100.1.131, sending NO_PROPOSAL_CHOSEN
> Jul 16 23:27:29 vpn02 charon: 14[ENC] generating IKE_SA_INIT response 0 [
> N(NO_PROP) ]
> Jul 16 23:27:29 vpn02 charon: 14[NET] sending packet: from
> 10.100.1.20[500] to 10.100.1.131[500] (36 bytes)
> Jul 16 23:27:29 vpn02 charon: 14[IKE] IKE_SA (unnamed)[2] state change:
> CREATED => DESTROYING
>
> #right side
> Jul 16 23:27:12 vpn03 charon: 00[DMN] Starting IKE charon daemon
> (strongSwan 5.2.0, Linux 2.6.32-431.29.2.el6.x86_64, x86_64)
> Jul 16 23:27:12 vpn03 charon: 00[LIB] openssl FIPS mode(2) - enabled
> Jul 16 23:27:12 vpn03 charon: 00[CFG] loading ca certificates from
> '/etc/strongswan/ipsec.d/cacerts'
> Jul 16 23:27:12 vpn03 charon: 00[CFG]   loaded ca certificate "C=US,
> ST=WA, L=xxxxx, O=xxxxx, OU=xxxxx, CN=StrongSwan Intermediate CA" from
> '/etc/strongswan/ipsec.d/cacerts/int.crt.pem'
> Jul 16 23:27:12 vpn03 charon: 00[CFG]   loaded ca certificate "C=US,
> ST=WA, L=xxxxx, O=xxxxx, OU=xxxxx, CN=StrongSwan Root CA" from
> '/etc/strongswan/ipsec.d/cacerts/rootCa.crt.pem'
> Jul 16 23:27:12 vpn03 charon: 00[CFG] loading aa certificates from
> '/etc/strongswan/ipsec.d/aacerts'
> Jul 16 23:27:12 vpn03 charon: 00[CFG] loading ocsp signer certificates
> from '/etc/strongswan/ipsec.d/ocspcerts'
> Jul 16 23:27:12 vpn03 charon: 00[CFG] loading attribute certificates from
> '/etc/strongswan/ipsec.d/acerts'
> Jul 16 23:27:12 vpn03 charon: 00[CFG] loading crls from
> '/etc/strongswan/ipsec.d/crls'
> Jul 16 23:27:12 vpn03 charon: 00[CFG] loading secrets from
> '/etc/strongswan/ipsec.secrets'
> Jul 16 23:27:12 vpn03 charon: 00[CFG]   loaded IKE secret for %any
> Jul 16 23:27:12 vpn03 charon: 00[LIB] loaded plugins: charon curl aes des
> rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey
> pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac
> hmac attr kernel-netlink resolve socket-default farp stroke vici updown
> eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap
> xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
> Jul 16 23:27:12 vpn03 charon: 00[LIB] unable to load 3 plugin features (3
> due to unmet dependencies)
> Jul 16 23:27:12 vpn03 charon: 00[JOB] spawning 16 worker threads
> Jul 16 23:27:12 vpn03 charon: 08[CFG] received stroke: add connection 'rw'
> Jul 16 23:27:12 vpn03 charon: 08[CFG] added configuration 'rw'
> Jul 16 23:27:29 vpn03 charon: 10[CFG] received stroke: initiate 'rw'
> Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_VENDOR task
> Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_INIT task
> Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_NATD task
> Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_CERT_PRE task
> Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_AUTH task
> Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_CERT_POST task
> Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_CONFIG task
> Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_AUTH_LIFETIME task
> Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_MOBIKE task
> Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing CHILD_CREATE task
> Jul 16 23:27:29 vpn03 charon: 12[IKE] activating new tasks
> Jul 16 23:27:29 vpn03 charon: 12[IKE]   activating IKE_VENDOR task
> Jul 16 23:27:29 vpn03 charon: 12[IKE]   activating IKE_INIT task
> Jul 16 23:27:29 vpn03 charon: 12[IKE]   activating IKE_NATD task
> Jul 16 23:27:29 vpn03 charon: 12[IKE]   activating IKE_CERT_PRE task
> Jul 16 23:27:29 vpn03 charon: 12[IKE]   activating IKE_AUTH task
> Jul 16 23:27:29 vpn03 charon: 12[IKE]   activating IKE_CERT_POST task
> Jul 16 23:27:29 vpn03 charon: 12[IKE]   activating IKE_CONFIG task
> Jul 16 23:27:29 vpn03 charon: 12[IKE]   activating CHILD_CREATE task
> Jul 16 23:27:29 vpn03 charon: 12[IKE]   activating IKE_AUTH_LIFETIME task
> Jul 16 23:27:29 vpn03 charon: 12[IKE]   activating IKE_MOBIKE task
> Jul 16 23:27:29 vpn03 charon: 12[IKE] initiating IKE_SA rw[1] to
> 10.100.1.20
> Jul 16 23:27:29 vpn03 charon: 12[IKE] IKE_SA rw[1] state change: CREATED
> => CONNECTING
> Jul 16 23:27:29 vpn03 charon: 12[IKE] natd_chunk => 22 bytes @
> 0x7f586c0028c0
> Jul 16 23:27:29 vpn03 charon: 12[IKE]    0: 8E E1 E7 6D 58 37 7C 61 00 00
> 00 00 00 00 00 00  ...mX7|a........
> Jul 16 23:27:29 vpn03 charon: 12[IKE]   16: 0A 64 01 14 01
> F4                                .d....
> Jul 16 23:27:29 vpn03 charon: 12[IKE] natd_hash => 20 bytes @
> 0x7f586c0028e0
> Jul 16 23:27:29 vpn03 charon: 12[IKE]    0: D5 57 BE 5C 11 13 5D A8 60 7D
> 72 BF FC 4E A3 CF  .W.\..].`}r..N..
> Jul 16 23:27:29 vpn03 charon: 12[IKE]   16: 9C 06 49
> FD                                      ..I.
> Jul 16 23:27:29 vpn03 charon: 12[IKE] natd_chunk => 22 bytes @
> 0x7f586c0025c0
> Jul 16 23:27:29 vpn03 charon: 12[IKE]    0: 8E E1 E7 6D 58 37 7C 61 00 00
> 00 00 00 00 00 00  ...mX7|a........
> Jul 16 23:27:29 vpn03 charon: 12[IKE]   16: 0A 64 01 83 01
> F4                                .d....
> Jul 16 23:27:29 vpn03 charon: 12[IKE] natd_hash => 20 bytes @
> 0x7f586c0025e0
> Jul 16 23:27:29 vpn03 charon: 12[IKE]    0: 29 E2 9B CE 30 89 84 08 B6 13
> EF D5 75 EA 11 74  )...0.......u..t
> Jul 16 23:27:29 vpn03 charon: 12[IKE]   16: C7 9F E7
> 7B                                      ...{
> Jul 16 23:27:29 vpn03 charon: 12[ENC] generating IKE_SA_INIT request 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul 16 23:27:29 vpn03 charon: 12[NET] sending packet: from
> 10.100.1.131[500] to 10.100.1.20[500] (964 bytes)
> Jul 16 23:27:29 vpn03 charon: 13[NET] received packet: from
> 10.100.1.20[500] to 10.100.1.131[500] (36 bytes)
> Jul 16 23:27:29 vpn03 charon: 13[ENC] parsed IKE_SA_INIT response 0 [
> N(NO_PROP) ]
> Jul 16 23:27:29 vpn03 charon: 13[IKE] received NO_PROPOSAL_CHOSEN notify
> error
> Jul 16 23:27:29 vpn03 charon: 13[IKE] IKE_SA rw[1] state change:
> CONNECTING => DESTROYING
>
> #strongswan.conf
> charon {
>         load_modular = yes
>         plugins {
>                 include strongswan.d/charon/*.conf
>         }
> }
>
> include strongswan.d/*.conf
>
>
> On Thu, Jul 16, 2015 at 3:10 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:
>
>> Have you tried limiting the proposals supported?
>> ike=aes128-sha1-modp1024
>> esp=aes128-sha1
>>
>> If you don't specify the proposal, everything is sent.  Can you increase
>> the debugging on ike so we can look a little more at the proposals sent
>> and the proposals configured?
>>
>> Regards,
>> Randy
>>
>>
>> On Thu, Jul 16, 2015 at 2:08 PM, Aaron <hawaiiaaron at gmail.com> wrote:
>>
>>> Hi, I have strongswan set up in a host-to-host configuration using a
>>> shared secret for testing, but am not able to get it to establish a
>>> tunnel.  The left side attempts to retransmit packets until it gives up, and
>>> on the right side I receive this error.  Any help appreciated.  Thanks!
>>>
>>> Jul 16 21:01:19 vpn02 charon: 12[NET] received packet: from
>>> 10.100.1.20[500] to 10.100.1.131[500] (36 bytes)
>>> Jul 16 21:01:19 vpn02 charon: 12[ENC] parsed IKE_SA_INIT response 0 [
>>> N(NO_PROP) ]
>>> Jul 16 21:01:19 vpn02 charon: 12[IKE] received NO_PROPOSAL_CHOSEN notify
>>> error
>>>
>>> #ipsec.conf file
>>> #right side and leftside are identical
>>> config setup
>>>         charondebug=all
>>>
>>> conn %default
>>>         ikelifetime=60m
>>>         keylife=20m
>>>         rekeymargin=3m
>>>         keyingtries=1
>>>         keyexchange=ikev2
>>>         authby=psk
>>>
>>> conn rw
>>>         left=10.100.1.20
>>>         leftid=10.100.1.20
>>>         leftfirewall=no
>>>         right=10.100.1.131
>>>         rightid=10.100.1.131
>>>         auto=start
>>>         authby=psk
>>>
>>> # ipsec.secrets file
>>> : PSK "mypsksecret"
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>>
>
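Added example, not code from the thread or from the strongSwan project: a short Python script that cross-checks the posted ipsec.conf against the charon log lines quoted above. Two lines in the left-side log are the ones worth reading before any proposal tuning: charon initiates conn 'rw' to 10.100.1.31 while the posted conn says right=10.100.1.131, and when 10.100.1.131 connects in, charon answers "no IKE config found for 10.100.1.20...10.100.1.131, sending NO_PROPOSAL_CHOSEN". That NO_PROPOSAL_CHOSEN is sent because no conn matched the peer address at all, so the responder never compared cipher proposals. The log lines and config text below are constructed samples copied from the thread (log entries joined back onto single lines after the mail wrapping, the config trimmed to the settings the check uses). Assumptions: the parser handles only the ipsec.conf subset shown (conn headers, indented key=value, a %default section), and a conn with right=%any is treated as covering any peer.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the vpn02 (left) charon lines from the thread that the
# check needs, joined back onto single lines after the mail wrapping.
LEFT_LOG = """\
Jul 16 23:27:17 vpn02 charon: 08[CFG] added configuration 'rw'
Jul 16 23:27:23 vpn02 charon: 12[IKE] initiating IKE_SA rw[1] to 10.100.1.31
Jul 16 23:27:23 vpn02 charon: 12[NET] sending packet: from 10.100.1.20[500] to 10.100.1.31[500] (964 bytes)
Jul 16 23:27:27 vpn02 charon: 13[IKE] retransmit 1 of request with message ID 0
Jul 16 23:27:29 vpn02 charon: 14[NET] received packet: from 10.100.1.131[500] to 10.100.1.20[500] (964 bytes)
Jul 16 23:27:29 vpn02 charon: 14[IKE] no IKE config found for 10.100.1.20...10.100.1.131, sending NO_PROPOSAL_CHOSEN
"""

# The ipsec.conf as posted in the thread, trimmed to the settings used here.
IPSEC_CONF = """\
config setup
        charondebug=all

conn %default
        keyexchange=ikev2
        authby=psk

conn rw
        left=10.100.1.20
        leftid=10.100.1.20
        right=10.100.1.131
        rightid=10.100.1.131
        auto=start
        authby=psk
"""

SECTION = re.compile(r"^(conn|config)\s+(\S+)")
INITIATING = re.compile(r"initiating IKE_SA (\S+)\[\d+\] to (\d+\.\d+\.\d+\.\d+)")
NO_CONFIG = re.compile(
    r"no IKE config found for (\d+\.\d+\.\d+\.\d+)\.\.\.(\d+\.\d+\.\d+\.\d+), sending NO_PROPOSAL_CHOSEN")


def parse_conns(conf: str) -> Dict[str, Dict[str, str]]:
    """Parse 'conn' sections into {name: {key: value}}, merging 'conn %default'.

    Only the subset of ipsec.conf syntax used in the thread is handled (assumption).
    """
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = SECTION.match(line)
        if header:
            # 'config setup' is not a conn; its settings are ignored here.
            current = header.group(2) if header.group(1) == "conn" else None
            if current is not None:
                conns.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}


def conn_covers(conn: Dict[str, str], local: str, peer: str) -> bool:
    """True if the conn could match an IKE_SA between local and peer (right=%any assumed to match)."""
    return conn.get("left") == local and conn.get("right") in (peer, "%any")


def diagnose(log: str, conf: str) -> List[str]:
    """Cross-check charon log lines against the conns the admin believes are loaded."""
    conns = parse_conns(conf)
    findings: List[str] = []
    for name, conn in conns.items():
        if "ike" not in conn or "esp" not in conn:
            findings.append(f"conn '{name}' sets no ike=/esp=, so charon offers its default proposals")
    for line in log.splitlines():
        m = INITIATING.search(line)
        if m:
            name, peer = m.groups()
            configured = conns.get(name, {}).get("right")
            if configured and configured != peer:
                findings.append(f"conn '{name}' was initiated to {peer}, but the posted config has "
                                f"right={configured}: the daemon is not running the posted config")
        m = NO_CONFIG.search(line)
        if m:
            local, peer = m.groups()
            covering = [n for n, c in conns.items() if conn_covers(c, local, peer)]
            if covering:
                findings.append(f"charon found no conn for {local}...{peer} although posted conn(s) "
                                f"{covering} cover it: the loaded config differs from the posted one; "
                                "this NO_PROPOSAL_CHOSEN is not a cipher mismatch")
            else:
                findings.append(f"no conn pairs left={local} with right={peer}; "
                                "fix the peer address before touching proposals")
    return findings


if __name__ == "__main__":
    for finding in diagnose(LEFT_LOG, IPSEC_CONF):
        print("-", finding)
```

Run against the two samples it reports three things: the conn carries no explicit ike=/esp= (Randy's point), the initiator used 10.100.1.31 where the posted file says 10.100.1.131, and the responder rejected 10.100.1.131 even though the posted conn covers that pair, so the config charon actually loaded is not the one posted. On a real host the same comparison is done by reading the file from /etc/strongswan/ipsec.conf and the log from syslog; the regexes only need the two charon messages shown in the thread.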