[strongSwan] strongswan host to host setup problem
Aaron
hawaiiaaron at gmail.com
Fri Jul 17 01:58:35 CEST 2015
Where do I increase the logging for cfg?
I added the options you mentioned. I also added a leftauth and rightauth.

config setup
    strictcrlpolicy=no
    # uniqueids = no
    charondebug="ike 4"

# Add connections here.
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn rw
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
    authby=secret
    leftauth=psk
    rightauth=psk
    left=10.100.1.20
    leftid=10.100.1.20
    leftfirewall=no
    right=10.100.1.131
    rightid=10.100.1.131
    auto=add
On Thu, Jul 16, 2015 at 4:48 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:
> It appears that we will need increased logging for cfg as well. Have you
> thought about my suggestion and just hardcoding the proposal for now?
>
>
> On Thu, Jul 16, 2015 at 4:44 PM, Aaron <hawaiiaaron at gmail.com> wrote:
>
>> Thanks. I've added the two lines to the ipsec.conf file and increased
>> debugging. It appears to be the same error.
>>
>> Here is the log from the left side and right side as well as the
>> strongswan.conf file.
>> You'll see in the logs that some certs are loaded but I am not using them
>> in my ipsec.conf. I just want to use PSK's at this time.
>>
>> #left side log
>> Jul 16 23:27:17 vpn02 charon: 00[DMN] Starting IKE charon daemon
>> (strongSwan 5.2.0, Linux 2.6.32-431.29.2.el6.x86_64, x86_64)
>> Jul 16 23:27:17 vpn02 charon: 00[LIB] openssl FIPS mode(2) - enabled
>> Jul 16 23:27:17 vpn02 charon: 00[CFG] loading ca certificates from
>> '/etc/strongswan/ipsec.d/cacerts'
>> Jul 16 23:27:17 vpn02 charon: 00[CFG] loaded ca certificate "C=US,
>> ST=WA, L=xxxx, O=xxxx, OU=xxxx, CN=StrongSwan Intermediate CA" from
>> '/etc/strongswan/ipsec.d/cacerts/int.pem'
>> Jul 16 23:27:17 vpn02 charon: 00[CFG] loaded ca certificate "C=US,
>> ST=WA, L=xxxx, O=xxxx, OU=xxxx, CN=StrongSwan Root CA" from
>> '/etc/strongswan/ipsec.d/cacerts/rootCa.crt.pem'
>> Jul 16 23:27:17 vpn02 charon: 00[CFG] loading aa certificates from
>> '/etc/strongswan/ipsec.d/aacerts'
>> Jul 16 23:27:17 vpn02 charon: 00[CFG] loading ocsp signer certificates
>> from '/etc/strongswan/ipsec.d/ocspcerts'
>> Jul 16 23:27:17 vpn02 charon: 00[CFG] loading attribute certificates from
>> '/etc/strongswan/ipsec.d/acerts'
>> Jul 16 23:27:17 vpn02 charon: 00[CFG] loading crls from
>> '/etc/strongswan/ipsec.d/crls'
>> Jul 16 23:27:17 vpn02 charon: 00[CFG] loading secrets from
>> '/etc/strongswan/ipsec.secrets'
>> Jul 16 23:27:17 vpn02 charon: 00[CFG] loaded IKE secret for %any
>> Jul 16 23:27:17 vpn02 charon: 00[LIB] loaded plugins: charon curl aes des
>> rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey
>> pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac
>> hmac attr kernel-netlink resolve socket-default farp stroke vici updown
>> eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap
>> xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
>> Jul 16 23:27:17 vpn02 charon: 00[LIB] unable to load 3 plugin features (3
>> due to unmet dependencies)
>> Jul 16 23:27:17 vpn02 charon: 00[JOB] spawning 16 worker threads
>> Jul 16 23:27:17 vpn02 charon: 08[CFG] received stroke: add connection 'rw'
>> Jul 16 23:27:17 vpn02 charon: 08[CFG] added configuration 'rw'
>> Jul 16 23:27:23 vpn02 charon: 10[CFG] received stroke: initiate 'rw'
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_VENDOR task
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_INIT task
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_NATD task
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_CERT_PRE task
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_AUTH task
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_CERT_POST task
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_CONFIG task
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_AUTH_LIFETIME task
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_MOBIKE task
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing CHILD_CREATE task
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] activating new tasks
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] activating IKE_VENDOR task
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] activating IKE_INIT task
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] activating IKE_NATD task
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] activating IKE_CERT_PRE task
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] activating IKE_AUTH task
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] activating IKE_CERT_POST task
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] activating IKE_CONFIG task
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] activating CHILD_CREATE task
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] activating IKE_AUTH_LIFETIME task
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] activating IKE_MOBIKE task
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] initiating IKE_SA rw[1] to
>> 10.100.1.31
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] IKE_SA rw[1] state change: CREATED
>> => CONNECTING
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] natd_chunk => 22 bytes @
>> 0x7fe30c0028c0
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] 0: 6A 4A DE E8 FC 8C FF D9 00 00
>> 00 00 00 00 00 00 jJ..............
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] 16: 0A 64 01 1F 01
>> F4 .d....
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] natd_hash => 20 bytes @
>> 0x7fe30c0028e0
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] 0: BE 1C 33 77 01 44 51 EF 11 0C
>> 28 5E 55 66 F1 65 ..3w.DQ...(^Uf.e
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] 16: 7C 85 04
>> 6A |..j
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] natd_chunk => 22 bytes @
>> 0x7fe30c0025c0
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] 0: 6A 4A DE E8 FC 8C FF D9 00 00
>> 00 00 00 00 00 00 jJ..............
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] 16: 0A 64 01 14 01
>> F4 .d....
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] natd_hash => 20 bytes @
>> 0x7fe30c0025e0
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] 0: 2C 77 72 D7 74 8D 69 C1 D7 5C
>> 90 3E B7 66 79 D9 ,wr.t.i..\.>.fy.
>> Jul 16 23:27:23 vpn02 charon: 12[IKE] 16: DB 4B 9B
>> 3D .K.=
>> Jul 16 23:27:23 vpn02 charon: 12[ENC] generating IKE_SA_INIT request 0 [
>> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Jul 16 23:27:23 vpn02 charon: 12[NET] sending packet: from
>> 10.100.1.20[500] to 10.100.1.31[500] (964 bytes)
>> Jul 16 23:27:27 vpn02 charon: 13[IKE] retransmit 1 of request with
>> message ID 0
>> Jul 16 23:27:27 vpn02 charon: 13[NET] sending packet: from
>> 10.100.1.20[500] to 10.100.1.31[500] (964 bytes)
>> Jul 16 23:27:29 vpn02 charon: 14[NET] received packet: from
>> 10.100.1.131[500] to 10.100.1.20[500] (964 bytes)
>> Jul 16 23:27:29 vpn02 charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA
>> KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Jul 16 23:27:29 vpn02 charon: 14[IKE] no IKE config found for
>> 10.100.1.20...10.100.1.131, sending NO_PROPOSAL_CHOSEN
>> Jul 16 23:27:29 vpn02 charon: 14[ENC] generating IKE_SA_INIT response 0 [
>> N(NO_PROP) ]
>> Jul 16 23:27:29 vpn02 charon: 14[NET] sending packet: from
>> 10.100.1.20[500] to 10.100.1.131[500] (36 bytes)
>> Jul 16 23:27:29 vpn02 charon: 14[IKE] IKE_SA (unnamed)[2] state change:
>> CREATED => DESTROYING
>>
>> #right side
>> Jul 16 23:27:12 vpn03 charon: 00[DMN] Starting IKE charon daemon
>> (strongSwan 5.2.0, Linux 2.6.32-431.29.2.el6.x86_64, x86_64)
>> Jul 16 23:27:12 vpn03 charon: 00[LIB] openssl FIPS mode(2) - enabled
>> Jul 16 23:27:12 vpn03 charon: 00[CFG] loading ca certificates from
>> '/etc/strongswan/ipsec.d/cacerts'
>> Jul 16 23:27:12 vpn03 charon: 00[CFG] loaded ca certificate "C=US,
>> ST=WA, L=xxxxx, O=xxxxx, OU=xxxxx, CN=StrongSwan Intermediate CA" from
>> '/etc/strongswan/ipsec.d/cacerts/int.crt.pem'
>> Jul 16 23:27:12 vpn03 charon: 00[CFG] loaded ca certificate "C=US,
>> ST=WA, L=xxxxx, O=xxxxx, OU=xxxxx, CN=StrongSwan Root CA" from
>> '/etc/strongswan/ipsec.d/cacerts/rootCa.crt.pem'
>> Jul 16 23:27:12 vpn03 charon: 00[CFG] loading aa certificates from
>> '/etc/strongswan/ipsec.d/aacerts'
>> Jul 16 23:27:12 vpn03 charon: 00[CFG] loading ocsp signer certificates
>> from '/etc/strongswan/ipsec.d/ocspcerts'
>> Jul 16 23:27:12 vpn03 charon: 00[CFG] loading attribute certificates from
>> '/etc/strongswan/ipsec.d/acerts'
>> Jul 16 23:27:12 vpn03 charon: 00[CFG] loading crls from
>> '/etc/strongswan/ipsec.d/crls'
>> Jul 16 23:27:12 vpn03 charon: 00[CFG] loading secrets from
>> '/etc/strongswan/ipsec.secrets'
>> Jul 16 23:27:12 vpn03 charon: 00[CFG] loaded IKE secret for %any
>> Jul 16 23:27:12 vpn03 charon: 00[LIB] loaded plugins: charon curl aes des
>> rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey
>> pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac
>> hmac attr kernel-netlink resolve socket-default farp stroke vici updown
>> eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap
>> xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
>> Jul 16 23:27:12 vpn03 charon: 00[LIB] unable to load 3 plugin features (3
>> due to unmet dependencies)
>> Jul 16 23:27:12 vpn03 charon: 00[JOB] spawning 16 worker threads
>> Jul 16 23:27:12 vpn03 charon: 08[CFG] received stroke: add connection 'rw'
>> Jul 16 23:27:12 vpn03 charon: 08[CFG] added configuration 'rw'
>> Jul 16 23:27:29 vpn03 charon: 10[CFG] received stroke: initiate 'rw'
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_VENDOR task
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_INIT task
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_NATD task
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_CERT_PRE task
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_AUTH task
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_CERT_POST task
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_CONFIG task
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_AUTH_LIFETIME task
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_MOBIKE task
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing CHILD_CREATE task
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] activating new tasks
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] activating IKE_VENDOR task
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] activating IKE_INIT task
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] activating IKE_NATD task
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] activating IKE_CERT_PRE task
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] activating IKE_AUTH task
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] activating IKE_CERT_POST task
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] activating IKE_CONFIG task
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] activating CHILD_CREATE task
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] activating IKE_AUTH_LIFETIME task
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] activating IKE_MOBIKE task
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] initiating IKE_SA rw[1] to
>> 10.100.1.20
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] IKE_SA rw[1] state change: CREATED
>> => CONNECTING
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] natd_chunk => 22 bytes @
>> 0x7f586c0028c0
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] 0: 8E E1 E7 6D 58 37 7C 61 00 00
>> 00 00 00 00 00 00 ...mX7|a........
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] 16: 0A 64 01 14 01
>> F4 .d....
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] natd_hash => 20 bytes @
>> 0x7f586c0028e0
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] 0: D5 57 BE 5C 11 13 5D A8 60 7D
>> 72 BF FC 4E A3 CF .W.\..].`}r..N..
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] 16: 9C 06 49
>> FD ..I.
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] natd_chunk => 22 bytes @
>> 0x7f586c0025c0
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] 0: 8E E1 E7 6D 58 37 7C 61 00 00
>> 00 00 00 00 00 00 ...mX7|a........
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] 16: 0A 64 01 83 01
>> F4 .d....
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] natd_hash => 20 bytes @
>> 0x7f586c0025e0
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] 0: 29 E2 9B CE 30 89 84 08 B6 13
>> EF D5 75 EA 11 74 )...0.......u..t
>> Jul 16 23:27:29 vpn03 charon: 12[IKE] 16: C7 9F E7
>> 7B ...{
>> Jul 16 23:27:29 vpn03 charon: 12[ENC] generating IKE_SA_INIT request 0 [
>> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Jul 16 23:27:29 vpn03 charon: 12[NET] sending packet: from
>> 10.100.1.131[500] to 10.100.1.20[500] (964 bytes)
>> Jul 16 23:27:29 vpn03 charon: 13[NET] received packet: from
>> 10.100.1.20[500] to 10.100.1.131[500] (36 bytes)
>> Jul 16 23:27:29 vpn03 charon: 13[ENC] parsed IKE_SA_INIT response 0 [
>> N(NO_PROP) ]
>> Jul 16 23:27:29 vpn03 charon: 13[IKE] received NO_PROPOSAL_CHOSEN notify
>> error
>> Jul 16 23:27:29 vpn03 charon: 13[IKE] IKE_SA rw[1] state change:
>> CONNECTING => DESTROYING
>>
>> #strongswan.conf
>> charon {
>>     load_modular = yes
>>     plugins {
>>         include strongswan.d/charon/*.conf
>>     }
>> }
>>
>> include strongswan.d/*.conf
>>
>>
>> On Thu, Jul 16, 2015 at 3:10 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:
>>
>>> Have you tried limiting the proposals supported?
>>> ike=aes128-sha1-modp1024
>>> esp=aes128-sha1
>>>
>>> If you don't specify the proposal, everything is sent. Can you increase
>>> the debugging on ike so we can look a little more at the proposal and
>>> configured?
>>>
>>> Regards,
>>> Randy
>>>
>>>
>>> On Thu, Jul 16, 2015 at 2:08 PM, Aaron <hawaiiaaron at gmail.com> wrote:
>>>
>>>> Hi, I have strongswan setup in a host to host configuration using a
>>>> shared secret for testing, but am not able to get it to establish a
>>>> tunnel. The left side attempts to retransmit packets till it gives up and
>>>> on the right side I receive this error. Any help appreciated. Thanks!
>>>>
>>>> Jul 16 21:01:19 vpn02 charon: 12[NET] received packet: from
>>>> 10.100.1.20[500] to 10.100.1.131[500] (36 bytes)
>>>> Jul 16 21:01:19 vpn02 charon: 12[ENC] parsed IKE_SA_INIT response 0 [
>>>> N(NO_PROP) ]
>>>> Jul 16 21:01:19 vpn02 charon: 12[IKE] received NO_PROPOSAL_CHOSEN
>>>> notify error
>>>>
>>>> #ipsec.conf file
>>>> #right side and leftside are identical
>>>> config setup
>>>>     charondebug=all
>>>>
>>>> conn %default
>>>>     ikelifetime=60m
>>>>     keylife=20m
>>>>     rekeymargin=3m
>>>>     keyingtries=1
>>>>     keyexchange=ikev2
>>>>     authby=psk
>>>>
>>>> conn rw
>>>>     left=10.100.1.20
>>>>     leftid=10.100.1.20
>>>>     leftfirewall=no
>>>>     right=10.100.1.131
>>>>     rightid=10.100.1.131
>>>>     auto=start
>>>>     authby=psk
>>>>
>>>> # ipsec.secrets file
>>>> : PSK "mypsksecret"
>>>>
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.strongswan.org
>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>>
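A cross-check an operator can run over the posted output, added here as an example and not part of the thread or of strongSwan itself: it pulls the `initiating IKE_SA ... to <peer>` and `no IKE config found for <a>...<b>` lines out of charon log text and compares the addresses with the `left=`/`right=` values in the conn sections of ipsec.conf. The log and conf strings are constructed from what is quoted above; the function and regex names are assumptions of this example.

```python
import re

# Constructed sample: lines from the left-side log and ipsec.conf quoted in this thread.
LEFT_LOG = """\
Jul 16 23:27:23 vpn02 charon: 12[IKE] initiating IKE_SA rw[1] to 10.100.1.31
Jul 16 23:27:29 vpn02 charon: 14[NET] received packet: from 10.100.1.131[500] to 10.100.1.20[500] (964 bytes)
Jul 16 23:27:29 vpn02 charon: 14[IKE] no IKE config found for 10.100.1.20...10.100.1.131, sending NO_PROPOSAL_CHOSEN
"""
IPSEC_CONF = """\
conn rw
    left=10.100.1.20
    right=10.100.1.131
"""
INIT_RE = re.compile(r"initiating IKE_SA (\S+)\[\d+\] to (\S+)")
NOCFG_RE = re.compile(r"no IKE config found for (\S+)\.\.\.(\S+),")

def parse_conns(conf):
    """Return {conn_name: {key: value}} for every 'conn' section of an ipsec.conf."""
    conns, cur = {}, None
    for line in conf.splitlines():
        s = line.strip()
        if s.startswith("conn "):
            cur = s.split(None, 1)[1]
            conns[cur] = {}
        elif cur and "=" in s and not s.startswith("#"):
            k, v = s.split("=", 1)
            conns[cur][k.strip()] = v.strip()
    return conns

def check(log, conf):
    """Compare the peer addresses the daemon logs with the ones written in the file."""
    conns, findings = parse_conns(conf), []
    for line in log.splitlines():
        m = INIT_RE.search(line)
        if m:
            name, peer = m.groups()
            want = conns.get(name, {}).get("right")
            if want and want != peer:  # daemon loaded a different peer than the file holds
                findings.append(f"conn {name}: daemon initiates to {peer}, file says right={want}")
        m = NOCFG_RE.search(line)
        if m:
            me, peer = m.groups()
            # Does any conn in the file cover the address pair the daemon just rejected?
            hits = [n for n, c in conns.items() if {c.get("left"), c.get("right")} == {me, peer}]
            if hits:
                findings.append(f"{me}...{peer} rejected, but conn {hits[0]} in the file covers it: reload it")
            else:
                findings.append(f"{me}...{peer}: no conn in the file matches this pair")
    return findings
```

On the quoted left-side log this reports that the running daemon initiates to 10.100.1.31 while the file says 10.100.1.131, and that the pair it refuses is exactly the one the file's `conn rw` describes, so the daemon is not running the configuration shown.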