[strongSwan] How to setup connection with kernel-ipsec
Sneaky Issues
sneaky.issues at gmail.com
Mon Mar 30 15:30:37 CEST 2015
Hello,
Problem with Strongswan 5.2.0 on RHEL6.5.
Remote host (Win7) connects with certificate authentication to Linux
[Win 10.163.0.120] - [ right 192.163.102.0/24 ] <---> (router) <---> RH [ left 192.163.3.0/24 ]
If only the kernel-netlink plugin is present, the SA is created with no issues. With
kernel-ipsec there is a problem with adding routing.
The same configuration and environment works with 5.3.1, where also only
kernel-netlink is present.
9: ipsec0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN qlen 500
link/[65534]
07:37:50 12[KNL] no local address found in traffic selector 192.163.3.0/24
07:37:50 12[KNL] error installing route with policy 192.163.3.0/24 === 192.163.102.1/32 out
07:37:50 12[ESP] adding policy 192.163.3.0/24 === 192.163.102.1/32 out
07:37:50 12[KNL] getting a local address in traffic selector 192.163.3.0/24
07:37:50 12[KNL] no local address found in traffic selector 192.163.3.0/24
07:37:50 12[KNL] error installing route with policy 192.163.3.0/24 === 192.163.102.1/32 out
07:37:50 12[ESP] adding policy 192.163.102.1/32 === 192.163.3.0/24 in
07:37:50 12[IKE] unable to install IPsec policies (SPD) in kernel
07:37:50 12[IKE] closing IKE_SA due CHILD_SA setup failure
07:37:50 12[ESP] deleted inbound SAD entry with SPI 25e34941
07:37:50 12[ESP] deleted outbound SAD entry with SPI c8806041
07:37:50 12[ESP] deleting policy 192.163.3.0/24 === 192.163.102.1/32 out
07:37:50 12[ESP] deleting policy 192.163.102.1/32 === 192.163.3.0/24 in
07:37:50 12[ESP] deleting policy 192.163.3.0/24 === 192.163.102.1/32 out
07:37:50 12[ESP] deleting policy 192.163.102.1/32 === 192.163.3.0/24 in
07:37:50 12[NET] sending packet: from 192.163.2.141[4500] to 10.163.0.120[4500] (1704 bytes)
ipsec.conf:

config setup
    cachecrls=yes
    strictcrlpolicy=no
    uniqueids=replace

conn %default
    auto=ignore
    esp=aes256gcm16-ecp384,aes256gcm16,aes256-sha1-modp1024,aes256-sha1!
    ike=aes256-sha384-prfsha384-ecp384,aes256-sha384-prfsha384-modp1024!
    mobike=yes

conn Remote_Access-1-Auth-chain1-CERT0.crt
    also=Remote_Access-1
    auto=add
    leftauth=pubkey
    leftca="<removed>"
    leftcert=chain1-CERT0.crt
    leftsendcert=always
    rightauth=pubkey
    rightca=%same
    rightid="<removed>"
    rightsendcert=always

conn Remote_Access-1
    dpdaction=clear
    dpddelay=5m
    ikedscp=101000
    ikelifetime=24h
    keyexchange=ikev2
    keyingtries=3
    keylife=8h
    left=192.163.2.141
    leftdns=
    leftfirewall=no
    leftsubnet=192.163.3.0/24
    reauth=no
    rekey=yes
    rekeyfuzz=0%
    rekeymargin=3m
    right=%any
    rightsourceip=192.163.102.0/24
strongswan.conf:

charon {
    block_threshold = 1
    close_ike_on_child_failure = yes
    cookie_threshold = 512
    dos_protection = no
    ikesa_limit = 5
    ikesa_table_segments = 128
    ikesa_table_size = 512
    init_limit_half_open = 2625
    interfaces_use = eth2
    keep_alive = 300s
    port = 500
    port_nat_t = 4500
    retransmit_base = 1.0
    retransmit_timeout = 15
    retransmit_tries = 4
    reuse_ikesa = yes
    threads = 96
}

libstrongswan {
    load = openssl
}
Kernel: RedHat 2.6.32-431.20.3.el6.x86_64
Strongswan: U5.2.0/K2.6.32-431.20.3.el6.x86_64
Best Regards,
Sneaky
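Added diagnostic, not part of the post or of strongSwan itself: the charon log above reports "no local address found in traffic selector 192.163.3.0/24" immediately before the route install fails, while the quoted ipsec.conf sets left=192.163.2.141, an address outside leftsubnet=192.163.3.0/24. The script below (helper names are hypothetical) parses both and flags conns whose failed selector subnet does not contain the conn's own local address; reading that mismatch as the trigger is an assumption drawn from the log, not something the post confirms.

```python
import ipaddress
import re

# Constructed sample input: the ipsec.conf excerpt and charon log lines quoted in the post
IPSEC_CONF = """\
conn Remote_Access-1
    left=192.163.2.141
    leftsubnet=192.163.3.0/24
    right=%any
    rightsourceip=192.163.102.0/24
"""
CHARON_LOG = """\
07:37:50 12[KNL] getting a local address in traffic selector 192.163.3.0/24
07:37:50 12[KNL] no local address found in traffic selector 192.163.3.0/24
07:37:50 12[KNL] error installing route with policy 192.163.3.0/24 === 192.163.102.1/32 out
07:37:50 12[IKE] unable to install IPsec policies (SPD) in kernel
"""
TS_FAIL = re.compile(r"\[KNL\] no local address found in traffic selector (\S+)")


def parse_conns(text):
    """Minimal ipsec.conf reader: {conn name: {key: value}}; 'also=' is not expanded."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            conns[cur][key.strip()] = val.strip()
    return conns


def failed_selectors(log):
    """Traffic selectors for which charon reported no local address."""
    return {ipaddress.ip_network(m.group(1), strict=False) for m in TS_FAIL.finditer(log)}


def diagnose(conf_text, log):
    """(conn, left, leftsubnet) for each conn whose failed leftsubnet does not contain 'left'."""
    failed, findings = failed_selectors(log), []
    for name, opts in parse_conns(conf_text).items():
        try:
            left = ipaddress.ip_address(opts.get("left", ""))  # %any / %defaultroute raise
        except ValueError:
            continue
        for subnet in filter(None, (s.strip() for s in opts.get("leftsubnet", "").split(","))):
            net = ipaddress.ip_network(subnet, strict=False)
            if net in failed and left not in net:
                findings.append((name, str(left), str(net)))
    return findings
```

Run it against a full charon log and ipsec.conf to see which conns need either a local address inside the subnet or a different kernel backend; a finding means the libipsec route install has no source address to bind to.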