[strongSwan] Unable to establish SA

Glen Huang curvedmark at gmail.com
Thu Jun 25 18:42:41 CEST 2015 

NM, it seems to be a server issue. Other services are fine via IPSec.

Thanks for the help. :)

> On Jun 25, 2015, at 3:11 PM, Glen Huang <curvedmark at gmail.com> wrote:
> 
> I toke a closer look at the messages. It seems the aes module is missing. I installed it and finally no error messages.
> 
> But after the SA is up, I ping right, no response at all. While pinging, I can see a bunch of "UDP-encap: ESP" messages from left to right showing up every second from tcpdump, but no right to left, except for occasional "isakmp-nat-keep-alive" (only right to left) and "NONESP-encap: isakmp: phase 2/others ? inf[E]" (bidirectional) messages.
> 
> What I might have done wrong?
> 
>> On Jun 25, 2015, at 11:20 AM, Glen Huang <curvedmark at gmail.com <mailto:curvedmark at gmail.com>> wrote:
>> 
>> Hi Noel,
>> 
>> Thanks for the help. These are the log messages:
>> http://pastebin.com/QjsA0XW2 <http://pastebin.com/QjsA0XW2>
>> 
>> 
>>> On Jun 25, 2015, at 1:45 AM, Noel Kuntze <noel at familie-kuntze.de <mailto:noel at familie-kuntze.de>> wrote:
>>> 
>>> 
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>> 
>>> Hello Glen,
>>> 
>>> No, they are not. There are different key exchanges and algorithm negotiations for IKE and the subsequent SA pairs.
>>> You need to configure a file logger[1] and look at the logs to figure out what algos are negotiated for the IPsec SAs.
>>> 
>>> Use those options for the file logger:
>>>                        default = 3
>>>                        mgr = 1
>>>                        ike = 1
>>>                        net = 1
>>>                        enc = 0
>>>                        cfg = 2
>>>                        asn = 1
>>>                        job = 1                
>>>                        knl = 1
>>> 
>>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration <https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration>
>>> Mit freundlichen Grüßen/Kind Regards,
>>> Noel Kuntze
>>> 
>>> GPG Key ID: 0x63EC6658
>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>> 
>>> Am 24.06.2015 um 19:42 schrieb Glen Huang:
>>>> Thank you. How do i check what algorithms are negotiated? Are those the "IKE proposal" from ipsec statusall?
>>>> 
>>>> If so, they are "3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536", which ones do you think are missing from the lsmod list?
>>>> 
>>>>> On Jun 25, 2015, at 1:36 AM, Noel Kuntze <noel at familie-kuntze.de <mailto:noel at familie-kuntze.de>> wrote:
>>>>> 
>>>>> 
>>>> Hello Glen,
>>>> 
>>>> You obviously also need kernel support for the algorithms
>>>> that are negotiated for the IPsec SAs.
>>>> Check what algorithms are negotitated and then load the corresponding
>>>> kernel module.
>>>> 
>>>> Mit freundlichen Grüßen/Kind Regards,
>>>> Noel Kuntze
>>>> 
>>>> GPG Key ID: 0x63EC6658
>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>> 
>>>> Am 24.06.2015 um 19:30 schrieb Glen Huang:
>>>>>>> Hi,
>>>>>>> 
>>>>>>> I'm trying to establish a ikev1 transport SA, but it failed with error like "received netlink error: Function not implemented (89)", I guess it might be that some algo module or kernel module is missing?
>>>>>>> 
>>>>>>> ipsec.conf
>>>>>>> http://pastebin.com/WsBDWvCC <http://pastebin.com/WsBDWvCC>
>>>>>>> 
>>>>>>> messages from ipsec up
>>>>>>> http://pastebin.com/iDxisnVt <http://pastebin.com/iDxisnVt>
>>>>>>> 
>>>>>>> ipsec statusall
>>>>>>> http://pastebin.com/CH6bQGYL
>>>>>>> 
>>>>>>> output of lsmod
>>>>>>> http://pastebin.com/7NJD0Mxa
>>>>>>> 
>>>>>>> I have googled as hard as I can't, but didn't find any thing useful. I tried kernel-libipsec, but unfortunately it doesn't support transport mode. So I'm at my wits end. Could some one help me identify the missing part?
>>>>>>> 
>>>>>>> Thanks in advance.
>>>>>>> 
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> Users mailing list
>>>>>>> Users at lists.strongswan.org
>>>>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
>>>>> https://lists.strongswan.org/mailman/listinfo/users <https://lists.strongswan.org/mailman/listinfo/users>
>>>> 
>>> 
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v2
>>> 
>>> iQIcBAEBCAAGBQJViuzOAAoJEDg5KY9j7GZYpgcP/1DMKUt952SyFsSMOksR9CQJ
>>> NUX0ieuBV/yVjW7N++28p7wlcCts1Mm143zAI3mjR2/YT2YujvjvItS1P1fHUyJ/
>>> EtthBFqcqSvPAlGwJClCBqHvRfHP7k7NXi7GLF6pMTxtY3hPKBKQAn8m4wqaY+NU
>>> G4OFoT0l/cCLbdQsrf87jJ01Xp74dkpncl3hexhTnyfFjJOysrvxC7BYYmYOYmu9
>>> AiZW3YS9byXYDLTfwfo/H//m/GeCpQcQHp0uAXkGEVB77i9GIlFvAj0lGPb9/cuN
>>> mcqHn9AFXiKr71jAVWOYX3eCN2WqbJOO1y9JJq9WD+syx3dGyKlVa/w6c+xE8tTm
>>> w62fLUE0sXGdtRK4FOT+q4PtH2QuY5IP16l+Y93LQl9+f8nz6Pe3Rmn4X29h4maD
>>> C9DIxc9Gecw/b9g/kxTyjCf41UxuLpRg0CZ1JYsVhaEEYgk7LcKlrAT9fc2QWhTK
>>> Kp5tIOzeHkiQ9sWdyTIsLS8yJlHUXKmwXUQ3nfLRi1IJPkc+Sggs6nlebR+vW7zE
>>> DrlUMMQnye69v+MAxMBHzHDDzH1PNGtbXbojwbtoPXDjnG2FGB7sPqJ2IY9qFf2J
>>> fx2FRqocNPls20VQHWs9sQTOAweg9ptxKj1P7X5WZEYE7PC0FdKf3oZcqISfk5xw
>>> o617eyUW0S3MVhW6I8TJ
>>> =1Hvn
>>> -----END PGP SIGNATURE-----
>>> 
>> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150626/ff051a63/attachment.html>

More information about the Users mailing list