[strongSwan] Working simple setup was working, now no packets pass

James Lay jlay at slave-tothe-box.net
Mon Mar 2 01:58:18 CET 2015


Simple setup...shown below:

Server:
conn rw
        leftsubnet=192.168.1.0/24
        leftcert=StrongSwanHostCert.pem
        right=%any
        # single-address pool handed out to the one road-warrior client
        rightsourceip=192.168.1.11
        auto=add

Client:
conn rw
        leftsourceip=192.168.1.11
        leftcert=mycert.pem
        right=ext.ip
        rightsubnet=192.168.1.0/24
        rightid="C=CH, O=strongswan, CN=my.server.name"
        auto=add

This is literally it....really easy, no internet required, just one
client ever to connect, me.  Here's the log with error...again, this was
working just fine a month ago...no clue what happened besides package
updates to Ubuntu 14.  Thanks for any help:

Mar  1 17:45:22 gateway charon: 00[DMN] Starting IKE charon daemon
(strongSwan 5.1.2, Linux 3.13.0-46-generic, i686)
Mar  1 17:45:22 gateway charon: 00[LIB] Padlock not found, CPU is
GenuineIntel
Mar  1 17:45:22 gateway charon: 00[LIB] plugin 'padlock': failed to load
- padlock_plugin_create returned NULL
Mar  1 17:45:23 gateway charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Mar  1 17:45:23 gateway charon: 00[CFG]   loaded ca certificate "C=CH,
O=strongSwan, CN=strongSwan Root CA" from
'/etc/ipsec.d/cacerts/StrongSwanCACert.pem'
Mar  1 17:45:23 gateway charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Mar  1 17:45:23 gateway charon: 00[CFG] loading ocsp signer certificates
from '/etc/ipsec.d/ocspcerts'
Mar  1 17:45:23 gateway charon: 00[CFG] loading attribute certificates
from '/etc/ipsec.d/acerts'
Mar  1 17:45:23 gateway charon: 00[CFG] loading crls from
'/etc/ipsec.d/crls'
Mar  1 17:45:23 gateway charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Mar  1 17:45:23 gateway charon: 00[CFG]   loaded RSA private key from
'/etc/ipsec.d/private/StrongSwanHostKey.pem'
Mar  1 17:45:23 gateway charon: 00[LIB] loaded plugins: charon
test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation
constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm
gcm attr kernel-netlink resolve socket-default stroke updown
eap-identity xauth-generic addrblock
Mar  1 17:45:23 gateway charon: 00[LIB] unable to load 5 plugin features
(5 due to unmet dependencies)
Mar  1 17:45:23 gateway charon: 00[LIB] dropped capabilities, running as
uid 0, gid 0
Mar  1 17:45:23 gateway charon: 00[JOB] spawning 16 worker threads
Mar  1 17:45:23 gateway ipsec_starter[598]: charon (599) started after
740 ms
Mar  1 17:45:23 gateway charon: 06[CFG] received stroke: add connection
'rw'
Mar  1 17:45:23 gateway charon: 06[CFG] left nor right host is our side,
assuming left=local
Mar  1 17:45:23 gateway charon: 06[CFG] adding virtual IP address pool
192.168.1.11
Mar  1 17:45:23 gateway charon: 06[CFG]   loaded certificate "C=CH,
O=strongSwan, CN=ns1.my.domain" from 'StrongSwanHostCert.pem'
Mar  1 17:45:23 gateway charon: 06[CFG]   id '%any' not confirmed by
certificate, defaulting to 'C=CH, O=strongSwan, CN=ns1.my.domain'
Mar  1 17:45:23 gateway charon: 06[CFG] added configuration 'rw'
Mar  1 17:46:17 gateway charon: 05[NET] received packet: from
client.external.ip[31551] to server.external.ip[500] (1212 bytes)
Mar  1 17:46:17 gateway charon: 05[ENC] parsed IKE_SA_INIT request 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar  1 17:46:17 gateway charon: 05[IKE] client.external.ip is initiating
an IKE_SA
Mar  1 17:46:17 gateway charon: 05[IKE] client.external.ip is initiating
an IKE_SA
Mar  1 17:46:17 gateway charon: 05[IKE] remote host is behind NAT
Mar  1 17:46:17 gateway charon: 05[IKE] sending cert request for "C=CH,
O=strongSwan, CN=strongSwan Root CA"
Mar  1 17:46:17 gateway charon: 05[ENC] generating IKE_SA_INIT response
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar  1 17:46:17 gateway charon: 05[NET] sending packet: from
server.external.ip[500] to client.external.ip[31551] (465 bytes)
Mar  1 17:46:17 gateway charon: 08[NET] received packet: from
client.external.ip[15546] to server.external.ip[4500] (1916 bytes)
Mar  1 17:46:17 gateway charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi
CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr
N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Mar  1 17:46:17 gateway charon: 08[IKE] received cert request for "C=CH,
O=strongSwan, CN=strongSwan Root CA"
Mar  1 17:46:17 gateway charon: 08[IKE] received end entity cert "C=CH,
O=strongSwan, CN=me at my.domain"
Mar  1 17:46:17 gateway charon: 08[CFG] looking for peer configs
matching server.external.ip[C=CH, O=strongSwan,
CN=ns1.my.domain]...client.external.ip[C=CH, O=strongSwan,
CN=me at my.domain]
Mar  1 17:46:17 gateway charon: 08[CFG] selected peer config 'rw'
Mar  1 17:46:17 gateway charon: 08[CFG]   using certificate "C=CH,
O=strongSwan, CN=me at my.domain"
Mar  1 17:46:17 gateway charon: 08[CFG]   using trusted ca certificate
"C=CH, O=strongSwan, CN=strongSwan Root CA"
Mar  1 17:46:17 gateway charon: 08[CFG] checking certificate status of
"C=CH, O=strongSwan, CN=me at my.domain"
Mar  1 17:46:17 gateway charon: 08[CFG] certificate status is not
available
Mar  1 17:46:17 gateway charon: 08[CFG]   reached self-signed root ca
with a path length of 0
Mar  1 17:46:17 gateway charon: 08[IKE] authentication of 'C=CH,
O=strongSwan, CN=me at my.domain' with RSA signature successful
Mar  1 17:46:17 gateway charon: 08[IKE] peer supports MOBIKE
Mar  1 17:46:17 gateway charon: 08[IKE] authentication of 'C=CH,
O=strongSwan, CN=ns1.my.domain' (myself) with RSA signature successful
Mar  1 17:46:17 gateway charon: 08[IKE] IKE_SA rw[1] established between
server.external.ip[C=CH, O=strongSwan,
CN=ns1.my.domain]...client.external.ip[C=CH, O=strongSwan,
CN=me at my.domain]
Mar  1 17:46:17 gateway charon: 08[IKE] IKE_SA rw[1] established between
server.external.ip[C=CH, O=strongSwan,
CN=ns1.my.domain]...client.external.ip[C=CH, O=strongSwan,
CN=me at my.domain]
Mar  1 17:46:17 gateway charon: 08[IKE] scheduling reauthentication in
9739s
Mar  1 17:46:17 gateway charon: 08[IKE] maximum IKE_SA lifetime 10279s
Mar  1 17:46:17 gateway charon: 08[IKE] sending end entity cert "C=CH,
O=strongSwan, CN=ns1.my.domain"
Mar  1 17:46:17 gateway charon: 08[IKE] peer requested virtual IP
192.168.1.11
Mar  1 17:46:17 gateway charon: 08[CFG] assigning new lease to 'C=CH,
O=strongSwan, CN=me at my.domain'
Mar  1 17:46:17 gateway charon: 08[IKE] assigning virtual IP
192.168.1.11 to peer 'C=CH, O=strongSwan, CN=me at my.domain'
Mar  1 17:46:17 gateway charon: 08[IKE] CHILD_SA rw{1} established with
SPIs c3749028_i c5defa7e_o and TS 192.168.1.0/24 === 192.168.1.11/32 
Mar  1 17:46:17 gateway charon: 08[IKE] CHILD_SA rw{1} established with
SPIs c3749028_i c5defa7e_o and TS 192.168.1.0/24 === 192.168.1.11/32 
Mar  1 17:46:17 gateway charon: 08[ENC] generating IKE_AUTH response 1
[ IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP)
N(ADD_4_ADDR) ]
Mar  1 17:46:17 gateway charon: 08[NET] sending packet: from
server.external.ip[4500] to client.external.ip[15546] (2204 bytes)
Mar  1 17:46:21 gateway charon: 11[NET] received packet: from
client.external.ip[15546] to server.external.ip[4500] (1916 bytes)
Mar  1 17:46:21 gateway charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi
CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr
N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Mar  1 17:46:21 gateway charon: 11[IKE] received retransmit of request
with ID 1, retransmitting response
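The log above ends with the server sending a 2204-byte IKE_AUTH response and then, four seconds later, receiving a retransmit of request ID 1, which means the client never saw that response. As an added example that is not part of the original post, this script scans charon log lines for exactly that pattern and reports the size of the last response sent to the retransmitting peer, flagging anything above a 1500-byte Ethernet MTU, since a fragmented UDP/4500 datagram is a common casualty of NAT devices and firewalls. The sample lines are constructed from the post's log using its placeholder hostnames.

```python
"""Flag charon retransmits that follow a large IKE response (added example)."""
import re
from typing import Dict, List

# charon's syslog format: "... charon: <thread>[<group>] <message>"
CHARON_RE = re.compile(r"charon: (?P<thread>\d+)\[[A-Z]+\] (?P<msg>.*)$")
PKT_RE = re.compile(r"(?P<dir>received|sending) packet: from (?P<src>\S+)\[\d+\] "
                    r"to (?P<dst>\S+)\[\d+\] \((?P<size>\d+) bytes\)")
RETRANS_RE = re.compile(r"received retransmit of request with ID (?P<id>\d+)")

# Ethernet MTU: a UDP datagram larger than this is fragmented at the IP layer,
# and fragments are often dropped by NAT devices or stateful firewalls.
MTU = 1500

def find_dropped_responses(lines: List[str]) -> List[dict]:
    """Return one finding per retransmit, with the size of the response it followed."""
    last_peer: Dict[str, str] = {}   # worker thread -> peer whose packet it is handling
    last_sent: Dict[str, int] = {}   # peer -> size of the last packet we sent to it
    findings = []
    for line in lines:
        m = CHARON_RE.search(line)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        pkt = PKT_RE.match(msg)
        if pkt:
            if pkt.group("dir") == "received":
                last_peer[thread] = pkt.group("src")
            else:
                last_sent[pkt.group("dst")] = int(pkt.group("size"))
            continue
        rt = RETRANS_RE.match(msg)
        if rt and thread in last_peer:
            peer = last_peer[thread]
            size = last_sent.get(peer, 0)
            findings.append({"peer": peer, "request_id": int(rt.group("id")),
                             "response_bytes": size, "exceeds_mtu": size > MTU})
    return findings

# Constructed sample, abbreviated from the post's log (hostnames are the post's placeholders).
SAMPLE = """\
Mar  1 17:46:17 gateway charon: 08[NET] received packet: from client.external.ip[15546] to server.external.ip[4500] (1916 bytes)
Mar  1 17:46:17 gateway charon: 08[IKE] CHILD_SA rw{1} established with SPIs c3749028_i c5defa7e_o and TS 192.168.1.0/24 === 192.168.1.11/32
Mar  1 17:46:17 gateway charon: 08[NET] sending packet: from server.external.ip[4500] to client.external.ip[15546] (2204 bytes)
Mar  1 17:46:21 gateway charon: 11[NET] received packet: from client.external.ip[15546] to server.external.ip[4500] (1916 bytes)
Mar  1 17:46:21 gateway charon: 11[IKE] received retransmit of request with ID 1, retransmitting response
""".splitlines()

if __name__ == "__main__":
    for f in find_dropped_responses(SAMPLE):
        print(f)
```

Run it against `/var/log/syslog` lines from the gateway; a finding with `exceeds_mtu` true is a strong hint to check path MTU and fragment handling between the client's NAT and the server before looking at certificates or policies.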