[strongSwan] Setting up strongSwan U5.1.2 <-> Openswan IPsec U2.6.37

Noel Kuntze noel at familie-kuntze.de
Tue May 26 23:29:54 CEST 2015



Hello Richard,

That looks like the openswan side is trying to reauthenticate or rekey the IKE SA for some reason.
The interesting thing to look at now is what openswan tries to do and what it sends to the strongSwan side.
Please post a log of the system start to this event of both sides.

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 26.05.2015 um 23:10 schrieb Richard Huber:
> Hello,
>
> I am trying to connect strongswan with openswan.
> It works for 60 seconds, then it all dies until I restart ipsec, then it works for another 60 seconds...
>
> $ sudo ipsec status
> Security Associations (1 up, 0 connecting):
>          hub[1]: ESTABLISHED 17 seconds ago, x[x]...y[y]
>          hub{1}:  INSTALLED, TUNNEL, ESP SPIs: ca70896d_i 1d4e67fe_o
>          hub{1}:   192.168.45.0/24 === 10.193.160.0/23
>
> Fine, connection is up and running!
>
> After one minute this happens:
>
> $ sudo ipsec status
> Security Associations (2 up, 0 connecting):
>          hub[2]: ESTABLISHED 11 seconds ago, x[x]...y[y]
>          hub[1]: DELETING, x[x]...y[y]
>          hub{1}:  INSTALLED, TUNNEL, ESP SPIs: ca70896d_i 1d4e67fe_o
>          hub{1}:   192.168.45.0/24 === 10.193.160.0/23
>
> Log entry in auth.log
> May 26 22:49:27 toto charon: 08[IKE] y is initiating a Main Mode IKE_SA
> May 26 22:49:27 toto charon: 15[IKE] deleting IKE_SA hub[1] between x[x]...y[y]
>
> Then all traffic is dead:
>
> $ sudo ipsec status
> Security Associations (1 up, 0 connecting):
>          hub[2]: ESTABLISHED 2 minutes ago, x[x]...y[y]
>
> Here are the logs from the openswan server:
>
> $ sudo ipsec auto --status | grep hub
> 000 "hub": 10.193.160.0/23===y<y>[+S=C]...x<x>[+S=C]===192.168.45.0/24; erouted; eroute owner: #76
> 000 "hub":     myip=unset; hisip=unset;
> 000 "hub":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "hub":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 23,24; interface: eth0;
> 000 "hub":   newest ISAKMP SA: #77; newest IPsec SA: #76;
> 000 "hub":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
> 000 "hub":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_1024; flags=-strict
> 000 "hub":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_1024
> 000 "hub":   ESP algorithm newest: 3DES_192-HMAC_MD5; pfsgroup=<Phase1>
> 000 #98: "hub":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 6s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> 000 #77: "hub":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1907s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> 000 #76: "hub":500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 27535s; newest IPSEC; eroute owner; nodpd; idle; import:respond to stranger
>
> conn hub
>        right=y
>        rightsubnet=10.193.160.0/23
>        left=x
>        leftsubnet=192.168.45.0/24
>        auto=start
>        authby=secret
>        esp=3des-md5-1024
>        pfs=yes
>        #keyexchange = ike
>
> What have I done wrong? :-)
>
> /Richard
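
To see what the openswan side is doing, the three `#NN` state lines from the `ipsec auto --status` output above can be parsed and grouped by IKE version. This is an added example, not part of the original thread; the function names and the mapping of state-name prefixes to IKE versions (STATE_MAIN_/STATE_AGGR_/STATE_QUICK_ as IKEv1, STATE_PARENT_ as IKEv2) are assumptions of the example.

```python
import re
from collections import defaultdict

# The three per-state lines from the openswan output quoted in the thread.
STATUS = """\
000 #98: "hub":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 6s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #77: "hub":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1907s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #76: "hub":500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 27535s; newest IPSEC; eroute owner; nodpd; idle; import:respond to stranger
"""

LINE = re.compile(
    r'^000 #(?P<serial>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) '
    r'\((?P<desc>[^)]*)\); (?P<event>EVENT_\w+) in (?P<secs>-?\d+)s;(?P<rest>.*)$')

# Assumption: IKE version inferred from the pluto state-name prefix.
PREFIXES = {"IKEv1": ("STATE_MAIN_", "STATE_AGGR_", "STATE_QUICK_"),
            "IKEv2": ("STATE_PARENT_",)}

def ike_version(state):
    for version, prefixes in PREFIXES.items():
        if state.startswith(prefixes):
            return version
    return "unknown"

def parse_states(text):
    """Parse '000 #N: "conn":port STATE_...' lines; '> ' mail quoting is tolerated."""
    states = []
    for raw in text.splitlines():
        m = LINE.match(raw.lstrip("> ").rstrip())
        if m:
            d = m.groupdict()
            rest = d.pop("rest")
            d.update(serial=int(d["serial"]), secs=int(d["secs"]),
                     version=ike_version(d["state"]),
                     flags=[f.strip() for f in rest.split(";") if f.strip()])
            states.append(d)
    return states

def mixed_versions(states):
    """Connections that hold states from more than one known IKE version at once."""
    seen = defaultdict(set)
    for s in states:
        if s["version"] != "unknown":
            seen[s["conn"]].add(s["version"])
    return {c: sorted(v) for c, v in seen.items() if len(v) > 1}

def retransmitting(states):
    """Serials of states still waiting for a peer reply (EVENT_RETRANSMIT)."""
    return [s["serial"] for s in states if s["event"] == "EVENT_RETRANSMIT"]

if __name__ == "__main__":
    parsed = parse_states(STATUS)
    for s in parsed:
        print(f'#{s["serial"]} {s["conn"]} {s["version"]} {s["state"]} {s["event"]} in {s["secs"]}s')
    print("mixed:", mixed_versions(parsed), "retransmitting:", retransmitting(parsed))
```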



