[strongSwan] Unable to establish SA
Glen Huang
curvedmark at gmail.com
Thu Jun 25 18:42:41 CEST 2015
NM, it seems to be a server issue. Other services are fine via IPSec.
Thanks for the help. :)
> On Jun 25, 2015, at 3:11 PM, Glen Huang <curvedmark at gmail.com> wrote:
>
> I took a closer look at the messages. It seems the aes module is missing. I installed it and finally no error messages.
>
> But after the SA is up, I ping right, no response at all. While pinging, I can see a bunch of "UDP-encap: ESP" messages from left to right showing up every second from tcpdump, but no right to left, except for occasional "isakmp-nat-keep-alive" (only right to left) and "NONESP-encap: isakmp: phase 2/others ? inf[E]" (bidirectional) messages.
>
> What might I have done wrong?
>
>> On Jun 25, 2015, at 11:20 AM, Glen Huang <curvedmark at gmail.com> wrote:
>>
>> Hi Noel,
>>
>> Thanks for the help. These are the log messages:
>> http://pastebin.com/QjsA0XW2
>>
>>
>>> On Jun 25, 2015, at 1:45 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>>
>>>
>>> Hello Glen,
>>>
>>> No, they are not. There are different key exchanges and algorithm negotiations for IKE and the subsequent SA pairs.
>>> You need to configure a file logger[1] and look at the logs to figure out what algos are negotiated for the IPsec SAs.
>>>
>>> Use those options for the file logger:
>>> default = 3
>>> mgr = 1
>>> ike = 1
>>> net = 1
>>> enc = 0
>>> cfg = 2
>>> asn = 1
>>> job = 1
>>> knl = 1
>>>
>>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>>> Mit freundlichen Grüßen/Kind Regards,
>>> Noel Kuntze
>>>
>>> GPG Key ID: 0x63EC6658
>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>
>>> On 24.06.2015 at 19:42, Glen Huang wrote:
>>>> Thank you. How do I check what algorithms are negotiated? Are those the "IKE proposal" from ipsec statusall?
>>>>
>>>> If so, they are "3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536", which ones do you think are missing from the lsmod list?
>>>>
>>>>> On Jun 25, 2015, at 1:36 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>>>>
>>>>>
>>>> Hello Glen,
>>>>
>>>> You obviously also need kernel support for the algorithms
>>>> that are negotiated for the IPsec SAs.
>>>> Check what algorithms are negotiated and then load the corresponding
>>>> kernel module.
>>>>
>>>> Mit freundlichen Grüßen/Kind Regards,
>>>> Noel Kuntze
>>>>
>>>> GPG Key ID: 0x63EC6658
>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>>
>>>> On 24.06.2015 at 19:30, Glen Huang wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm trying to establish an ikev1 transport SA, but it failed with an error like "received netlink error: Function not implemented (89)". I guess it might be that some algo module or kernel module is missing?
>>>>>>>
>>>>>>> ipsec.conf
>>>>>>> http://pastebin.com/WsBDWvCC
>>>>>>>
>>>>>>> messages from ipsec up
>>>>>>> http://pastebin.com/iDxisnVt
>>>>>>>
>>>>>>> ipsec statusall
>>>>>>> http://pastebin.com/CH6bQGYL
>>>>>>>
>>>>>>> output of lsmod
>>>>>>> http://pastebin.com/7NJD0Mxa
>>>>>>>
>>>>>>> I have googled as hard as I can, but didn't find anything useful. I tried kernel-libipsec, but unfortunately it doesn't support transport mode. So I'm at my wits' end. Could someone help me identify the missing part?
>>>>>>>
>>>>>>> Thanks in advance.
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Users mailing list
>>>>>>> Users at lists.strongswan.org
>>>>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>>
>>>>
>>>
>>>
>>
>
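
The check suggested in the thread (find the algorithms negotiated for the IPsec SAs, then make sure the kernel provides them), as an added shell example that is not part of the original messages. The transform-to-primitive table, the function names, the sample ESP proposal and the sample /proc/crypto excerpt are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Table, names and sample data are assumptions.

# Map a strongSwan transform name (as shown in the log or "ipsec statusall")
# to the Linux crypto API base primitive it relies on. Common ESP transforms only.
kernel_primitive() {
    case "$1" in
        AES_*)          echo aes ;;
        3DES_CBC*)      echo des3_ede ;;
        HMAC_SHA1*)     echo sha1 ;;
        HMAC_SHA2_256*) echo sha256 ;;
        HMAC_SHA2_384*) echo sha384 ;;
        HMAC_SHA2_512*) echo sha512 ;;
        HMAC_MD5*)      echo md5 ;;
        *)              echo "" ;;  # PRFs, DH groups, ESN flags: no primitive to check
    esac
}

# Usage: missing_primitives PROPOSAL [CRYPTO_FILE]
# Prints the primitives PROPOSAL needs that CRYPTO_FILE does not list.
# /proc/crypto shows only algorithms registered right now, so a miss names the
# module to load or install; it does not prove the kernel can never provide it.
missing_primitives() {
    crypto_file=${2:-/proc/crypto}
    missing=""
    old_ifs=$IFS; IFS=/
    for transform in $1; do
        prim=$(kernel_primitive "$transform")
        [ -n "$prim" ] || continue
        # One "name : <algorithm>" line exists per registered algorithm.
        awk -v want="$prim" '$1 == "name" && $3 == want { f = 1 } END { exit !f }' \
            "$crypto_file" || missing="$missing $prim"
    done
    IFS=$old_ifs
    echo "${missing# }"
}

# Constructed sample: /proc/crypto excerpt from a host without an AES module.
sample_crypto() {
    printf 'name         : %s\ndriver       : %s-generic\n\n' \
        sha1 sha1 des3_ede des3_ede md5 md5
}

tmp=$(mktemp) && sample_crypto > "$tmp"
# Constructed ESP proposal; prints "missing: aes".
echo "missing: $(missing_primitives 'AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ' "$tmp")"
rm -f "$tmp"
```

On a live host, omit the second argument so the function reads /proc/crypto, and pass the ESP proposal taken from the file logger output.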