[strongSwan] Windows 2008 R2 to Linux connection issues

Rightler, Dwayne R. Dwayne.Rightler at thelacledegroup.com
Tue Mar 10 15:41:29 CET 2015


Windows firewall is off, IPTables is allowing connections.  I would hope it's a simple configuration issue, but I can't put my finger on it.  Connections from linux to linux work.  Any help would be appreciated.

Windows side: swanctl.conf

connections {
    host-to-host {
        local_addrs = 10.1.186.35
        remote_addrs = 10.1.186.174

        local {
            auth = pubkey
            certs = stl-dfusapp-80.crt
            id = "C=US,ST=Missouri,O=Company,OU=DBA Team,CN=stl-dfusapp-80"
        }
        remote {
            auth = pubkey
            id = "C=US,ST=Missouri,O=Company,OU=DBA Team,CN=stl-dfusadb-20"
        }
        children {
            stl-dfusapp-80_stl-dfusadb-20 {
                start_action = start
            }
        }
        version = 2
        mobike = yes
        reauth_time = 60m
        rekey_time = 20m
        proposals = aes128-sha256-modp2048
    }
}

Linux side: ipsec.conf

conn stl-dfusadb-20_stl-dfusapp-80
     left=stl-dfusadb-20
     leftcert=stl-dfusadb-20.crt
     leftid="C=US,ST=Missouri,O=Company,OU=DBA Team,CN=stl-dfusadb-20"
     right=stl-dfusapp-80
     rightid="C=US,ST=Missouri,O=Company,OU=DBA Team,CN=stl-dfusapp-80"
     auto=add


Windows output:

00[DMN] Starting IKE service charon-svc (strongSwan 5.2.2, Windows Server 6.1.7601 (SP 1.0)
00[LIB] loaded plugins: charon-svc nonce x509 pubkey pkcs1 pem openssl kernel-wfp kernel-iph socket-win vici
00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
00[JOB] spawning 16 worker threads
11[CFG] loaded certificate 'C=US, ST=Missouri, O=Company, OU=DBA Team, CN=stl-dfusapp-80'
08[CFG] loaded certificate 'C=US, ST=Missouri, L=St. Louis, O=Company, OU=DBA Team, CN=strongswanCA'
09[CFG] loaded RSA private key
13[CFG] added vici connection: host-to-host
09[CFG] vici initiate 'stl-dfusapp-80_stl-dfusadb-20'
13[IKE] initiating IKE_SA host-to-host[1] to 10.1.186.174
13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
13[NET] sending packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
17[KNL] WFP MM failure: 10.1.186.35/32 === 10.1.186.174/32, 0x00003601, filterId 0
08[IKE] retransmit 1 of request with message ID 0
08[NET] sending packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
17[KNL] WFP MM failure: 10.1.186.35/32 === 10.1.186.174/32, 0x00003601, filterId 0
16[IKE] retransmit 2 of request with message ID 0
16[NET] sending packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
17[KNL] WFP MM failure: 10.1.186.35/32 === 10.1.186.174/32, 0x00003601, filterId 0
13[IKE] retransmit 3 of request with message ID 0
13[NET] sending packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
17[KNL] WFP MM failure: 10.1.186.35/32 === 10.1.186.174/32, 0x00003601, filterId 0
10[IKE] retransmit 4 of request with message ID 0
10[NET] sending packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
17[KNL] WFP MM failure: 10.1.186.35/32 === 10.1.186.174/32, 0x00003601, filterId 0
06[IKE] retransmit 5 of request with message ID 0
06[NET] sending packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
17[KNL] WFP MM failure: 10.1.186.35/32 === 10.1.186.174/32, 0x00003601, filterId 0
13[IKE] giving up after 5 retransmits
13[IKE] establishing IKE_SA failed, peer not responding

Linux log:

Mar 10 09:16:01 stl-dfusadb-20 charon: 16[NET] received packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
Mar 10 09:16:01 stl-dfusadb-20 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 10 09:16:01 stl-dfusadb-20 charon: 16[IKE] 10.1.186.35 is initiating an IKE_SA
Mar 10 09:16:01 stl-dfusadb-20 charon: 16[IKE] sending cert request for "C=US, ST=Missouri, L=St. Louis, O=Company, OU=DBA Team, CN=strongswanCA"
Mar 10 09:16:01 stl-dfusadb-20 charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar 10 09:16:01 stl-dfusadb-20 charon: 16[NET] sending packet: from 10.1.186.174[500] to 10.1.186.35[500] (465 bytes)
Mar 10 09:16:31 stl-dfusadb-20 charon: 11[JOB] deleting half open IKE_SA after timeout
Mar 10 09:16:43 stl-dfusadb-20 charon: 13[NET] received packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
Mar 10 09:16:43 stl-dfusadb-20 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 10 09:16:43 stl-dfusadb-20 charon: 13[IKE] 10.1.186.35 is initiating an IKE_SA
Mar 10 09:16:43 stl-dfusadb-20 charon: 13[IKE] sending cert request for "C=US, ST=Missouri, L=St. Louis, O=Company, OU=DBA Team, CN=strongswanCA"
Mar 10 09:16:43 stl-dfusadb-20 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar 10 09:16:43 stl-dfusadb-20 charon: 13[NET] sending packet: from 10.1.186.174[500] to 10.1.186.35[500] (465 bytes)
Mar 10 09:17:13 stl-dfusadb-20 charon: 09[JOB] deleting half open IKE_SA after timeout
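The two logs above tell a consistent story when read side by side: the Windows peer builds and sends IKE_SA_INIT, the Linux peer parses it and sends a response every time, but the Windows side never logs a parsed response and only reports WFP main-mode filter failures from its kernel interface. The following script is an added example for this thread (not the poster's tooling and not part of strongSwan) that tallies the IKE_SA_INIT events from each peer's charon log and names the first hop of the exchange that has no evidence of success. The sample log lines are copied from the post (the Windows console lines unwrapped); the counters and the verdict wording are this script's own, assumed conventions.

```python
"""Correlate charon logs from both IKE peers to find where IKE_SA_INIT stalls.

Added example for the mailing-list thread; not the poster's tooling and not
part of strongSwan. Sample lines are copied from the post; the summary
fields and verdict text are this script's own conventions.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# A charon line, optionally preceded by a syslog prefix as on the Linux side:
#   "Mar 10 09:16:01 stl-dfusadb-20 charon: 16[NET] received packet: ..."
# The Windows console prints only "16[NET] received packet: ...".
LINE_RE = re.compile(
    r"^(?:(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon: )?"
    r"(?P<thread>\d\d)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)

WINDOWS_LOG = """\
13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
13[NET] sending packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
17[KNL] WFP MM failure: 10.1.186.35/32 === 10.1.186.174/32, 0x00003601, filterId 0
08[IKE] retransmit 1 of request with message ID 0
08[NET] sending packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
17[KNL] WFP MM failure: 10.1.186.35/32 === 10.1.186.174/32, 0x00003601, filterId 0
16[IKE] retransmit 2 of request with message ID 0
16[NET] sending packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
17[KNL] WFP MM failure: 10.1.186.35/32 === 10.1.186.174/32, 0x00003601, filterId 0
13[IKE] giving up after 5 retransmits
13[IKE] establishing IKE_SA failed, peer not responding
"""

LINUX_LOG = """\
Mar 10 09:16:01 stl-dfusadb-20 charon: 16[NET] received packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
Mar 10 09:16:01 stl-dfusadb-20 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 10 09:16:01 stl-dfusadb-20 charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar 10 09:16:01 stl-dfusadb-20 charon: 16[NET] sending packet: from 10.1.186.174[500] to 10.1.186.35[500] (465 bytes)
Mar 10 09:16:31 stl-dfusadb-20 charon: 11[JOB] deleting half open IKE_SA after timeout
Mar 10 09:16:43 stl-dfusadb-20 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 10 09:16:43 stl-dfusadb-20 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar 10 09:16:43 stl-dfusadb-20 charon: 13[NET] sending packet: from 10.1.186.174[500] to 10.1.186.35[500] (465 bytes)
Mar 10 09:17:13 stl-dfusadb-20 charon: 09[JOB] deleting half open IKE_SA after timeout
"""


@dataclass
class PeerSummary:
    sent_init_req: int = 0       # ENC "generating IKE_SA_INIT request"
    parsed_init_req: int = 0     # ENC "parsed IKE_SA_INIT request"
    sent_init_resp: int = 0      # ENC "generating IKE_SA_INIT response"
    parsed_init_resp: int = 0    # ENC "parsed IKE_SA_INIT response"
    retransmits: int = 0         # IKE "retransmit N of request ..."
    half_open_timeouts: int = 0  # JOB "deleting half open IKE_SA after timeout"
    kernel_errors: Counter = field(default_factory=Counter)  # KNL failures by hex code


def parse_log(text):
    """Tally IKE_SA_INIT-related events from one peer's charon log."""
    s = PeerSummary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or not a charon line
        group, msg = m["group"], m["msg"]
        if group == "ENC":
            if "generating IKE_SA_INIT request" in msg:
                s.sent_init_req += 1
            elif "parsed IKE_SA_INIT request" in msg:
                s.parsed_init_req += 1
            elif "generating IKE_SA_INIT response" in msg:
                s.sent_init_resp += 1
            elif "parsed IKE_SA_INIT response" in msg:
                s.parsed_init_resp += 1
        elif group == "IKE" and msg.startswith("retransmit "):
            s.retransmits += 1
        elif group == "KNL" and "failure" in msg:
            code = re.search(r"0x[0-9a-fA-F]+", msg)
            s.kernel_errors[code.group(0) if code else "unknown"] += 1
        elif group == "JOB" and "half open IKE_SA" in msg:
            s.half_open_timeouts += 1
    return s


def diagnose(initiator, responder):
    """Name the first hop of the IKE_SA_INIT exchange with no evidence of success."""
    if initiator.sent_init_req == 0:
        return "initiator never built an IKE_SA_INIT request"
    if responder.parsed_init_req == 0:
        return "responder never received the request: forward path blocks UDP/500"
    if responder.sent_init_resp == 0:
        return "responder received the request but sent no response: check its config"
    if initiator.parsed_init_resp == 0:
        verdict = ("responder answered but the initiator never parsed a response: "
                   "the return path or the initiator's own packet filtering drops it")
        if initiator.kernel_errors:
            verdict += "; initiator also logs kernel-interface failures: " + ", ".join(
                f"{c} x{n}" for c, n in sorted(initiator.kernel_errors.items()))
        return verdict
    return "IKE_SA_INIT completed on both sides; look at IKE_AUTH instead"
```

Run it as `print(diagnose(parse_log(WINDOWS_LOG), parse_log(LINUX_LOG)))`; with the lines from this post it reports that the responder answered but the initiator never parsed a response, and that the initiator logged three `0x00003601` kernel-interface failures. That narrows the search to the Windows host itself (its kernel-wfp filter installation and the return path into it) rather than the Linux configuration, which is the distinction the two logs alone make hard to see at a glance.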