[strongSwan] Setting up strongSwan U5.1.2 <-> Openswan IPsec U2.6.37

Noel Kuntze noel at familie-kuntze.de
Wed May 27 21:00:07 CEST 2015


Hello Richard,

What are the default openswan ESP cipher settings?
Make sure they match your esp setting in strongswan.

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 27.05.2015 at 16:02, Richard Huber wrote:
> Hello Noel,
>
> Thanks for your reply
>
> Here is the negotiation log from openswan:
>
> May 27 15:54:10 novVPN pluto[7916]: | found connection: hub
> May 27 15:54:10 novVPN pluto[7916]: "hub" #101: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
> May 27 15:54:10 novVPN pluto[7916]: "hub" #101: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=oakley_sha group=modp1024}
> May 27 15:54:10 novVPN pluto[7916]: "hub" #101: IKEv2 mode peer ID is ID_IPV4_ADDR: 'x'
> May 27 15:54:10 novVPN pluto[7916]: "hub" #102: transition from state STATE_PARENT_R1 to state STATE_PARENT_R2
> May 27 15:54:10 novVPN pluto[7916]: "hub" #102: negotiated tunnel [10.193.160.0,10.193.161.255] -> [192.168.45.0,192.168.45.255]
> May 27 15:54:10 novVPN pluto[7916]: "hub" #102: STATE_PARENT_R2: received v2I2, PARENT SA established tunnel mode {ESP=>0xc1a5f397 <0xd927942c xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
> May 27 15:54:53 novVPN pluto[7916]: "hub" #100: max number of retransmissions (2) reached STATE_QUICK_I1
> May 27 15:54:53 novVPN pluto[7916]: "hub" #100: starting keying attempt 17 of an unlimited number
> May 27 15:54:53 novVPN pluto[7916]: "hub" #103: initiating Main Mode
> May 27 15:54:53 novVPN pluto[7916]: "hub" #103: received Vendor ID payload [XAUTH]
> May 27 15:54:53 novVPN pluto[7916]: "hub" #103: received Vendor ID payload [Dead Peer Detection]
> May 27 15:54:53 novVPN pluto[7916]: "hub" #103: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> May 27 15:54:53 novVPN pluto[7916]: "hub" #103: STATE_MAIN_I2: sent MI2, expecting MR2
> May 27 15:54:53 novVPN pluto[7916]: "hub" #103: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> May 27 15:54:53 novVPN pluto[7916]: "hub" #103: STATE_MAIN_I3: sent MI3, expecting MR3
> May 27 15:54:53 novVPN pluto[7916]: "hub" #103: Main mode peer ID is ID_IPV4_ADDR: 'x'
> May 27 15:54:53 novVPN pluto[7916]: "hub" #103: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> May 27 15:54:53 novVPN pluto[7916]: "hub" #103: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
> May 27 15:54:53 novVPN pluto[7916]: "hub" #104: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#103 msgid:5f24c3fc proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}
> May 27 15:54:53 novVPN pluto[7916]: "hub" #103: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
> May 27 15:54:53 novVPN pluto[7916]: "hub" #103: received and ignored informational message
> May 27 15:56:03 novVPN pluto[7916]: "hub" #104: max number of retransmissions (2) reached STATE_QUICK_I1
> May 27 15:56:03 novVPN pluto[7916]: "hub" #104: starting keying attempt 2 of an unlimited number
> May 27 15:56:03 novVPN pluto[7916]: "hub" #105: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #104 {using isakmp#103 msgid:64bc78cf proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}
> May 27 15:56:03 novVPN pluto[7916]: "hub" #103: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
> May 27 15:56:03 novVPN pluto[7916]: "hub" #103: received and ignored informational message
> May 27 15:57:13 novVPN pluto[7916]: "hub" #105: max number of retransmissions (2) reached STATE_QUICK_I1
> May 27 15:57:13 novVPN pluto[7916]: "hub" #105: starting keying attempt 3 of an unlimited number
> May 27 15:57:13 novVPN pluto[7916]: "hub" #107: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #105 {using isakmp#103 msgid:94dd51c0 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}
> May 27 15:57:13 novVPN pluto[7916]: "hub" #103: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
> May 27 15:57:13 novVPN pluto[7916]: "hub" #103: received and ignored informational message
> May 27 15:58:23 novVPN pluto[7916]: "hub" #107: max number of retransmissions (2) reached STATE_QUICK_I1
> May 27 15:58:23 novVPN pluto[7916]: "hub" #107: starting keying attempt 4 of an unlimited number
> May 27 15:58:23 novVPN pluto[7916]: "hub" #108: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #107 {using isakmp#103 msgid:d79200c9 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}
> May 27 15:58:23 novVPN pluto[7916]: "hub" #103: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
> May 27 15:58:23 novVPN pluto[7916]: "hub" #103: received and ignored informational message
>
> What can it be?
>
> I have tried different encryptions, with and without pfs.
>
> /Richard
>
> On 2015-05-26 23:30, Noel Kuntze wrote:
> Hello Richard,
>
> That looks like the openswan side is trying to reauthenticate or rekey the IKE SA for some reason.
> The interesting thing to look at now is what openswan tries to do and what it sends to the strongSwan side.
> Please post a log of the daemon start to this event of both sides.
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 26.05.2015 at 23:10, Richard Huber wrote:
> >>> Hello,
> >>>
> >>> I am trying to connect strongswan with openswan.
> >>> It works for 60 seconds, then it all dies until I restart ipsec, then it works for another 60 seconds...
> >>>
> >>> $ sudo ipsec status
> >>> Security Associations (1 up, 0 connecting):
> >>>           hub[1]: ESTABLISHED 17 seconds ago, x[x]...y[y]
> >>>           hub{1}:  INSTALLED, TUNNEL, ESP SPIs: ca70896d_i 1d4e67fe_o
> >>>           hub{1}:   192.168.45.0/24 === 10.193.160.0/23
> >>>
> >>> Fine, connection is up and running!
> >>>
> >>> After one minute this happens:
> >>>
> >>> $ sudo ipsec status
> >>> Security Associations (2 up, 0 connecting):
> >>>           hub[2]: ESTABLISHED 11 seconds ago, x[x]...y[y]
> >>>           hub[1]: DELETING, x[x]...y[y]
> >>>           hub{1}:  INSTALLED, TUNNEL, ESP SPIs: ca70896d_i 1d4e67fe_o
> >>>           hub{1}:   192.168.45.0/24 === 10.193.160.0/23
> >>>
> >>> Log entry in auth.log
> >>> May 26 22:49:27 toto charon: 08[IKE] y is initiating a Main Mode IKE_SA
> >>> May 26 22:49:27 toto charon: 15[IKE] deleting IKE_SA hub[1] between x[x]...y[y]
> >>>
> >>> Then all traffic is dead:
> >>>
> >>> $ sudo ipsec status
> >>> Security Associations (1 up, 0 connecting):
> >>>           hub[2]: ESTABLISHED 2 minutes ago, x[x]...y[y]
> >>>
> >>> Here are the logs from the openswan server:
> >>>
> >>> $ sudo ipsec auto --status | grep hub
> >>> 000 "hub": 10.193.160.0/23===y<y>[+S=C]...x<x>[+S=C]===192.168.45.0/24; erouted; eroute owner: #76
> >>> 000 "hub":     myip=unset; hisip=unset;
> >>> 000 "hub":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> >>> 000 "hub":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 23,24; interface: eth0;
> >>> 000 "hub":   newest ISAKMP SA: #77; newest IPsec SA: #76;
> >>> 000 "hub":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
> >>> 000 "hub":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_1024; flags=-strict
> >>> 000 "hub":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_1024
> >>> 000 "hub":   ESP algorithm newest: 3DES_192-HMAC_MD5; pfsgroup=<Phase1>
> >>> 000 #98: "hub":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 6s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> >>> 000 #77: "hub":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1907s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> >>> 000 #76: "hub":500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 27535s; newest IPSEC; eroute owner; nodpd; idle; import:respond to stranger
> >>>
> >>> conn hub
> >>>         right=y
> >>>         rightsubnet=10.193.160.0/23
> >>>         left=x
> >>>         leftsubnet=192.168.45.0/24
> >>>         auto=start
> >>>         authby=secret
> >>>         esp=3des-md5-1024
> >>>         pfs=yes
> >>>         #keyexchange = ike
> >>>
> >>> What have I done wrong? :-)
> >>>
> >>> /Richard
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at lists.strongswan.org
> >>> https://lists.strongswan.org/mailman/listinfo/users

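The checks below are an added example, not code from the thread or from either IPsec project. They turn the two symptoms quoted above into something repeatable: a parser over pluto log lines that flags Quick Mode attempts answered with NO_PROPOSAL_CHOSEN and then retransmitted to exhaustion, a parser over charon lines that flags an IKE_SA deleted right after the peer opened a Main Mode IKE_SA (the DELETING state in `ipsec status`), and the comparison Noel asks for, reducing an openswan `esp=` value and a strongSwan `esp=` value to comparable (cipher, integrity, DH group) tuples. The log samples are constructed after the lines quoted in the thread; the strongSwan `esp=` value used in the demo is a placeholder, since Richard's strongSwan configuration is not shown, and the normaliser assumes algorithm names are spelled the same on both sides, which holds for the names that appear in the thread.

```python
"""Added example (not from the thread): log checks for the reported symptoms
and the ESP proposal comparison Noel asks for."""
import re

# Constructed sample of openswan (pluto) lines, modelled on the thread.
SAMPLE_PLUTO_LOG = """\
May 27 15:54:53 novVPN pluto[7916]: "hub" #103: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
May 27 15:54:53 novVPN pluto[7916]: "hub" #104: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#103 msgid:5f24c3fc proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}
May 27 15:54:53 novVPN pluto[7916]: "hub" #103: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
May 27 15:56:03 novVPN pluto[7916]: "hub" #104: max number of retransmissions (2) reached STATE_QUICK_I1
"""

# Constructed sample of strongSwan (charon) lines, modelled on the thread.
SAMPLE_CHARON_LOG = """\
May 26 22:49:27 toto charon: 08[IKE] y is initiating a Main Mode IKE_SA
May 26 22:49:27 toto charon: 15[IKE] deleting IKE_SA hub[1] between x[x]...y[y]
"""

PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
MAIN_MODE_RE = re.compile(r'\[IKE\] (?P<peer>\S+) is initiating a Main Mode IKE_SA')
DELETE_RE = re.compile(r'deleting IKE_SA (?P<conn>\w+)\[(?P<idx>\d+)\] between')


def parse_pluto(log):
    """Yield (conn, sa_number, message) for each pluto line tied to an SA."""
    for line in log.splitlines():
        m = PLUTO_RE.search(line)
        if m:
            yield m.group('conn'), int(m.group('sa')), m.group('msg')


def find_quick_mode_failures(log):
    """Quick Mode attempts that drew NO_PROPOSAL_CHOSEN and then hit the
    retransmission limit in STATE_QUICK_I1. pluto logs the notification
    against the ISAKMP SA (#103), not the Quick Mode SA (#104), so attempts
    are tracked per connection name rather than per SA number."""
    pending, failures = {}, []
    for conn, sa, msg in parse_pluto(log):
        if msg.startswith('initiating Quick Mode'):
            prop = re.search(r'proposal=(\S+?)[\s}]', msg)
            pfs = re.search(r'pfsgroup=(\S+?)\}', msg)
            pending[conn] = {'conn': conn, 'sa': sa,
                             'proposal': prop.group(1) if prop else None,
                             'pfsgroup': pfs.group(1) if pfs else None,
                             'rejected': False, 'timed_out': False}
        elif 'NO_PROPOSAL_CHOSEN' in msg and conn in pending:
            pending[conn]['rejected'] = True
        elif 'max number of retransmissions' in msg and 'STATE_QUICK_I1' in msg:
            entry = pending.get(conn)
            if entry and entry['sa'] == sa:
                entry['timed_out'] = True
                failures.append(pending.pop(conn))
    return failures


def find_replaced_ike_sas(log):
    """IKE_SAs charon deleted right after the peer opened a Main Mode
    (IKEv1) IKE_SA: the pattern behind hub[1] showing as DELETING."""
    results, last_peer = [], None
    for line in log.splitlines():
        m = MAIN_MODE_RE.search(line)
        if m:
            last_peer = m.group('peer')
            continue
        d = DELETE_RE.search(line)
        if d and last_peer:
            results.append({'peer': last_peer, 'conn': d.group('conn'),
                            'deleted': int(d.group('idx'))})
            last_peer = None
    return results


def normalize_esp(spec):
    """Reduce an 'esp=' value to a set of (cipher, integrity, dh_group).
    openswan writes the PFS group as a bare size ('3des-md5-1024'),
    strongSwan as 'modp1024'; algorithm names are assumed to match."""
    out = set()
    for prop in spec.split(','):
        cipher, integ, dh = (prop.strip().lower().split('-') + [None, None])[:3]
        if dh and dh.isdigit():
            dh = 'modp' + dh
        out.add((cipher, integ, dh))
    return out


def esp_compatible(openswan_esp, strongswan_esp):
    """True if the two 'esp=' values share at least one complete proposal."""
    return bool(normalize_esp(openswan_esp) & normalize_esp(strongswan_esp))


if __name__ == '__main__':
    print(find_quick_mode_failures(SAMPLE_PLUTO_LOG))
    print(find_replaced_ike_sas(SAMPLE_CHARON_LOG))
    # '3des-md5-1024' is openswan's value from the thread; the strongSwan
    # value is a placeholder because Richard's esp= line is not shown.
    print(esp_compatible('3des-md5-1024', 'aes128-sha1-modp1024'))
    print(esp_compatible('3des-md5-1024', '3des-md5-modp1024'))
```

Run it against the real `/var/log/auth.log` of each side by feeding the file contents to the two `find_*` functions; a non-empty result from `find_quick_mode_failures` together with `esp_compatible(...)` returning False points at the mismatch Noel suspects, which is fixed by making both `esp=` lines name the same cipher, integrity algorithm and PFS group.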