[strongSwan] Setting up strongSwan U5.1.2 <-> Openswan IPsec U2.6.37

Noel Kuntze noel at familie-kuntze.de
Tue May 26 23:30:46 CEST 2015


Hello Richard,

That looks like the openswan side is trying to reauthenticate or rekey the IKE SA for some reason.
The interesting thing to look at now is what openswan tries to do and what it sends to the strongSwan side.
Please post logs from both sides, covering the daemon start up to this event.

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 26.05.2015 at 23:10, Richard Huber wrote:
> Hello,
>
> I am trying to connect strongswan with openswan.
> It works for 60 seconds, then it all dies until I restart ipsec, then it works for another 60 seconds...
>
> $ sudo ipsec status
> Security Associations (1 up, 0 connecting):
>          hub[1]: ESTABLISHED 17 seconds ago, x[x]...y[y]
>          hub{1}:  INSTALLED, TUNNEL, ESP SPIs: ca70896d_i 1d4e67fe_o
>          hub{1}:   192.168.45.0/24 === 10.193.160.0/23
>
> Fine, connection is up and running!
>
> After one minute this happens:
>
> $ sudo ipsec status
> Security Associations (2 up, 0 connecting):
>          hub[2]: ESTABLISHED 11 seconds ago, x[x]...y[y]
>          hub[1]: DELETING, x[x]...y[y]
>          hub{1}:  INSTALLED, TUNNEL, ESP SPIs: ca70896d_i 1d4e67fe_o
>          hub{1}:   192.168.45.0/24 === 10.193.160.0/23
>
> Log entry in auth.log
> May 26 22:49:27 toto charon: 08[IKE] y is initiating a Main Mode IKE_SA
> May 26 22:49:27 toto charon: 15[IKE] deleting IKE_SA hub[1] between x[x]...y[y]
>
> Then all traffic is dead:
>
> $ sudo ipsec status
> Security Associations (1 up, 0 connecting):
>          hub[2]: ESTABLISHED 2 minutes ago, x[x]...y[y]
>
> Here are the logs from the openswan server:
>
> $ sudo ipsec auto --status | grep hub
> 000 "hub": 10.193.160.0/23===y<y>[+S=C]...x<x>[+S=C]===192.168.45.0/24; erouted; eroute owner: #76
> 000 "hub":     myip=unset; hisip=unset;
> 000 "hub":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "hub":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 23,24; interface: eth0;
> 000 "hub":   newest ISAKMP SA: #77; newest IPsec SA: #76;
> 000 "hub":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
> 000 "hub":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_1024; flags=-strict
> 000 "hub":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_1024
> 000 "hub":   ESP algorithm newest: 3DES_192-HMAC_MD5; pfsgroup=<Phase1>
> 000 #98: "hub":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 6s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> 000 #77: "hub":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1907s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> 000 #76: "hub":500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 27535s; newest IPSEC; eroute owner; nodpd; idle; import:respond to stranger
>
> conn hub
>        right=y
>        rightsubnet=10.193.160.0/23
>        left=x
>        leftsubnet=192.168.45.0/24
>        auto=start
>        authby=secret
>        esp=3des-md5-1024
>        pfs=yes
>        #keyexchange = ike
>
> What have I done wrong? :-)
>
> /Richard

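Added example, not part of the original thread or of either project: a small Python parser that sorts the Openswan state lines from `ipsec auto --status` by IKE version and role, as a first look at what the Openswan side is doing. It assumes pluto's state naming, where STATE_MAIN_*, STATE_AGGR_* and STATE_QUICK_* are IKEv1 states, STATE_PARENT_* are IKEv2 states, and I/R marks initiator/responder; the function names are made up for this example.

```python
import re
from collections import defaultdict

# The three state lines from the quoted `ipsec auto --status` output, copied as posted.
SAMPLE = '''\
000 #98: "hub":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 6s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #77: "hub":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1907s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #76: "hub":500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 27535s; newest IPSEC; eroute owner; nodpd; idle; import:respond to stranger
'''

# Assumption: pluto state-name prefixes. MAIN/AGGR/QUICK are IKEv1, PARENT is IKEv2.
FAMILY = {"MAIN": "IKEv1", "AGGR": "IKEv1", "QUICK": "IKEv1", "PARENT": "IKEv2"}
ROLE = {"I": "initiator", "R": "responder"}

STATE_RE = re.compile(
    r'^000 #(?P<id>\d+): "(?P<conn>[^"]+)":\d+ '
    r'(?P<state>STATE_(?P<family>[A-Z]+)_(?P<role>[IR])\d+) \([^)]*\); '
    r'(?P<event>EVENT_\w+) in (?P<secs>-?\d+)s'
)

def parse_states(text):
    """Return one dict per pluto state line; all other status lines are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip().lstrip("> "))  # tolerate mail-quoted paste
        if not m:
            continue
        states.append({
            "id": int(m["id"]),
            "conn": m["conn"],
            "state": m["state"],
            "ike": FAMILY.get(m["family"], "unknown"),
            "role": ROLE[m["role"]],
            "timer": (m["event"], int(m["secs"])),  # next scheduled event, seconds
        })
    return states

def mixed_ike_versions(states):
    """Names of connections that hold IKEv1 and IKEv2 states at the same time."""
    seen = defaultdict(set)
    for s in states:
        seen[s["conn"]].add(s["ike"])
    return sorted(c for c, v in seen.items() if {"IKEv1", "IKEv2"} <= v)

if __name__ == "__main__":
    parsed = parse_states(SAMPLE)
    for s in parsed:
        print("#{id} {conn}: {ike} {role} {state} next={timer}".format(**s))
    for conn in mixed_ike_versions(parsed):
        print(f'"{conn}" has IKEv1 and IKEv2 states at once')
```

On the quoted output this reports "hub" with an IKEv2 SA answered as responder (#76) next to IKEv1 states started as initiator (#77, #98), which lines up with the charon log entry about the peer initiating a Main Mode IKE_SA.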