[strongSwan] parsed ID_PROT response 0 [ KE No ]

Lakshmi Prasanna lakshmi.1147 at gmail.com
Tue Aug 2 14:27:36 CEST 2016


Hi Andreas,

Glad that "ipsec start --nofork" helped.

I see that the charon crashed with the following error:

  /usr/libexec/ipsec/charon: symbol lookup error: /usr/lib/ipsec/plugins/libstrongswan-openssl.so: undefined symbol: EC_POINT_is_on_curve

  charon has died -- restart scheduled (5sec)

Even though openssl is shown as part of the loaded configs, this error
seems to get hit. Is there anything that I am possibly missing while
compiling?

-Lakshmi

On Tue, Aug 2, 2016 at 3:26 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi Lakshmi,
>
> there must be a more detailed log somewhere. Just try
>
>   grep charon /var/log/*
>
> and see if you get any hits in a log file (usually either
> daemon.log, syslog or messages).
>
> Alternatively just start the daemon in the foreground so that
> you get the complete log in the console window:
>
>   ipsec start --nofork
>
> I suspect that the problem is not with the DH group but
> with the selection of the PSK which is needed for Main Mode 3.
>
> Regards
>
> Andreas
>
> On 02.08.2016 11:45, Lakshmi Prasanna wrote:
> > bash-4.2# ipsec up 9.11.53.11-9.11.120.120-0-1812
> >
> > initiating Main Mode IKE_SA 9.11.53.11-9.11.120.120-0-1812[1] to
> > 9.11.120.120
> >
> > generating ID_PROT request 0 [ SA V V V V ]
> >
> > sending packet: from 9.11.53.11[500] to 9.11.120.120[500] (156 bytes)
> >
> > received packet: from 9.11.120.120[500] to 9.11.53.11[500] (136 bytes)
> >
> > parsed ID_PROT response 0 [ SA V V V ]
> >
> > received strongSwan vendor ID
> >
> > received XAuth vendor ID
> >
> > received DPD vendor ID
> >
> > generating ID_PROT request 0 [ KE No ]
> >
> > sending packet: from 9.11.53.11[500] to 9.11.120.120[500] (132 bytes)
> >
> > received packet: from 9.11.120.120[500] to 9.11.53.11[500] (116 bytes)
> >
> > parsed ID_PROT response 0 [ KE No ]
> >
> > There are no more logs beyond this and my wireshark capture stops at MM2.
> >
> > - Lakshmi
> >
> >
> > On Tue, Aug 2, 2016 at 3:12 PM, Andreas Steffen
> > <andreas.steffen at strongswan.org> wrote:
> >
> >     Well then without a log to diagnose I cannot help you further.
> >
> >     Andreas
> >
> >     On 02.08.2016 11:38, Lakshmi Prasanna wrote:
> >     > Hi Andreas,
> >     >
> >     > Thanks for the quick reply. I do see that the openssl plugin is loaded.
> >     >
> >     > *  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509
> >     > revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
> >     > pem _openssl_ fips-prf xcbc cmac hmac attr kernel-netlink resolve
> >     > socket-default stroke updown xauth-generic*
> >     >
> >     > Do you think there is something else that I might need to check?
> >     >
> >     > Thanks,
> >     >
> >     > Lakshmi
> >     >
> >     >
> >     > On Tue, Aug 2, 2016 at 2:56 PM, Andreas Steffen
> >     > <andreas.steffen at strongswan.org> wrote:
> >     >
> >     >     Hi Lakshmi,
> >     >
> >     >     ECP256 requires the openssl plugin which is not compiled by default.
> >     >     Make sure that the openssl plugin is present and has been loaded
> >     >     by the charon daemon. The ipsec statusall command returns a list of
> >     >     all loaded plugins.
> >     >
> >     >     BTW - the pfs parameter has been deprecated. Please use the esp
> >     >           parameter as you have correctly done.
> >     >
> >     >     Regards
> >     >
> >     >     Andreas
> >     >
> >     >     On 02.08.2016 08:48, Lakshmi Prasanna wrote:
> >     >     > Hello,
> >     >     >
> >     >     > While trying to test strongswan with IKE DH group-19, the negotiation
> >     >     > somehow doesn't go past main mode 2. There is however no log to describe
> >     >     > the error that prevents the negotiation.
> >     >     >
> >     >     > Could someone post some insight? My configs look like this:
> >     >     >
> >     >     >         keyexchange=ikev1
> >     >     >         type=transport
> >     >     >         ikelifetime=480m
> >     >     >         ike=aes256-sha256-ecp256!
> >     >     >         esp=aes256-sha256!
> >     >     >         left=9.11.120.120
> >     >     >         leftprotoport=17/1812
> >     >     >         right=9.11.53.11
> >     >     >         rightprotoport=17/0-1812
> >     >     >         pfs=no
> >     >     >         authby=psk
> >     >     >         auto=add
> >     >     >
> >     >     >
> >     >     > Thanks,
> >     >     >
> >     >     > Lakshmi
> >     >     >
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
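
Added example (not part of the original message and not strongSwan code): a shared object can load and appear in the plugin list while still referencing a function that the libcrypto found at run time does not export, and with lazy binding the loader reports this only at the first call. The Python sketch below probes a library for the symbol named in the error and loads the plugin with immediate binding; the helper names `load_error` and `missing_symbols` are this example's own, and it assumes it runs on the affected host with the same library search path as charon.

```python
import ctypes
import ctypes.util

# Path and symbol copied from the error message in this thread.
PLUGIN = "/usr/lib/ipsec/plugins/libstrongswan-openssl.so"
SYMBOL = "EC_POINT_is_on_curve"


def load_error(path):
    """dlopen `path` with immediate binding; return the loader's error text,
    or None when the object loads with every function symbol resolved."""
    try:
        # On POSIX, ctypes always ORs RTLD_NOW into the dlopen mode, so an
        # unresolved function is reported here rather than at its first call.
        ctypes.CDLL(path)
    except OSError as exc:
        return str(exc)
    return None


def missing_symbols(library, symbols):
    """Return the names from `symbols` that `library` does not export.
    `library` is a path or soname; None means the running process itself."""
    handle = ctypes.CDLL(library)
    missing = []
    for name in symbols:
        try:
            getattr(handle, name)  # dlsym(); AttributeError when not found
        except AttributeError:
            missing.append(name)
    return missing


if __name__ == "__main__":
    # libcrypto as found on the default search path (assumed to match charon's).
    crypto = ctypes.util.find_library("crypto")
    if crypto is None:
        print("no libcrypto on the default library search path")
    else:
        print(crypto, "lacks:", missing_symbols(crypto, [SYMBOL]) or "nothing")
    print("plugin load:", load_error(PLUGIN) or "all symbols resolved")
```

If the probe lists the symbol as missing, the plugin was built against OpenSSL headers that do not match the libcrypto resolved at run time.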