[strongSwan] Planning an upgrade of strongswan from 4.4.1 to 5.2.1
CJ Fearnley
cjf at LinuxForce.net
Sat Jan 9 07:04:18 CET 2016
Well, my upgrade from strongswan 4.4.1-5.7 to 5.2.1-6+deb8u1 (Debian
Squeeze to Jessie on new hardware) is not going well. No connections
have re-established.
I'm using the same ipsec.conf that worked on 4.4.1-5.7. See the referenced
e-mail from Dec 9th when I asked about the upgrade process.
Each client is generating this pattern in the logs over and over:
Jan 9 01:01:07 cw1 charon: 06[IKE] 67.151.55.146 is initiating a Main Mode IKE_SA
Jan 9 01:01:07 cw1 charon: 06[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 9 01:01:07 cw1 charon: 06[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
Jan 9 01:01:07 cw1 charon: 06[IKE] no proposal found
Jan 9 01:01:07 cw1 charon: 06[ENC] generating INFORMATIONAL_V1 request 3117715548 [ N(NO_PROP) ]
I have double checked that I copied from backups the contents of
/etc/ipsec.d/cacerts
/etc/ipsec.d/certs
/etc/ipsec.d/private
Do I need to add some encryption plugins? Or can I simply specify the
actual algorithms used by the Netgear FVG318 with the ike= configuration
option?
I tried adding the sha1 hmac xcbc and x509 modules to the load = line
in /etc/strongswan.d/charon.conf. No go.
The output of
$ sudo ipsec version
Linux strongSwan U5.2.1/K3.16.0-4-amd64
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
On Wed, Dec 09, 2015 at 08:12:42PM -0500, CJ Fearnley wrote:
> I have a working strongswan system running the Debian package at version
> 4.4.1-5.7 (Squeeze oldoldstable). In a week or so, I'll be replacing
> the box with a fresh install of Debian running 5.2.1-6+deb8u1 (Jessie).
>
> I have two questions:
>
> 1. Have any config options changed in strongswan that I need to study?
>
> 2. Are there any issues with strongswan in connecting with a Netgear
> FVG318 of various vintages? All of our clients connect with this
> model of Netgear, which is the only thing we've been able to get
> working with certificates.
>
> Here is a cleaned up version of /etc/ipsec.conf:
>
> config setup
> charonstart=yes
> plutostart=yes
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.101.0/24
> uniqueids=no
>
> conn %default
> mobike=no
> keyexchange=ikev1
> left=xxx.xxx.xxx.xx
> leftsubnet=192.168.xxx.0/24
> auto=add
>
> conn someplace
> rightsubnet=192.168.yyy.0/24
> right=%any
> leftid="C=US, ST=ST, L=Some City, O=Some Company, CN=something.example.com, E=some at example.com"
> leftcert=something.crt
> leftsendcert=always
>
> plus a half-dozen others of similar nature.
>
> All of the systems that connect to this are various vintages of the
> Netgear FVG318.
>
> Are there any known compatibility issues with strongswan 5.2.1 and the
> Netgear FVG318?
>
> Have there been any relevant changes to the syntax of ipsec.conf between
> 4.4.1 and 5.2.1-6+deb8u1?
>
> Any general strongswan relevant advice for planning such an upgrade?
--
CJ Fearnley | LinuxForce Inc.
cjf at LinuxForce.net | IT Projects & Systems Maintenance
http://www.LinuxForce.net | http://blog.remoteresponder.net
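Worked example, added here and not code from the post or from strongSwan: the two [CFG] lines in the message already contain everything needed to explain the NO_PROP. The script replays charon's proposal matching over those lines (a configured proposal is usable only if it shares at least one transform of every type the peer offered) and renders the peer's offer as an ipsec.conf ike= value. The transform-type classification and the algorithm-to-keyword table are assumptions of the example and only cover the names that appear in these particular log lines.

```python
"""Replay charon's IKEv1 proposal selection over two [CFG] log lines.

Added example constructed from the log lines quoted in the post; it is not
strongSwan code. The keyword table below is an assumption that covers only
the transform names seen in those lines.
"""
import re

# Constructed sample input: the two charon lines from the post with the
# syslog prefix ("Jan 9 01:01:07 cw1 charon: 06[CFG] ") removed.
RECEIVED_LINE = "received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024"
CONFIGURED_LINE = (
    "configured proposals: "
    "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, "
    "IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/HMAC_MD5_96/"
    "HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/"
    "PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/"
    "PRF_HMAC_SHA2_512/PRF_AES128_XCBC/MODP_2048/MODP_2048_224/MODP_2048_256/"
    "MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160"
)

# charon transform name -> ipsec.conf ike= keyword (assumed mapping, names from the log only)
KEYWORD = {
    "3DES_CBC": "3des", "AES_CBC_128": "aes128", "AES_CBC_192": "aes192",
    "AES_CBC_256": "aes256", "HMAC_MD5_96": "md5", "HMAC_SHA1_96": "sha1",
    "HMAC_SHA2_256_128": "sha256", "HMAC_SHA2_384_192": "sha384",
    "HMAC_SHA2_512_256": "sha512", "MODP_1024": "modp1024",
    "MODP_1536": "modp1536", "MODP_2048": "modp2048", "MODP_3072": "modp3072",
    "MODP_4096": "modp4096", "MODP_8192": "modp8192",
}


def transform_type(name):
    """Bucket a charon transform name into its IKE transform type (heuristic by prefix)."""
    if name.startswith("PRF_"):
        return "prf"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    return "encr"


def parse_proposals(line):
    """Return the proposals on one [CFG] line as dicts of type -> set of transform names."""
    body = line.split("proposals:", 1)[1]
    proposals = []
    for chunk in re.findall(r"IKE:([A-Z0-9_/]+)", body):
        prop = {"encr": set(), "integ": set(), "prf": set(), "dh": set()}
        for name in chunk.split("/"):
            prop[transform_type(name)].add(name)
        proposals.append(prop)
    return proposals


def select(received, configured):
    """A configured proposal matches only if every transform type the peer offered
    has a non-empty intersection. Returns a list of (configured index, chosen transforms)."""
    matches = []
    for i, conf in enumerate(configured):
        choice = {}
        for ttype, offered in received.items():
            if not offered:
                continue  # peer omitted this type (AEAD proposals carry no integrity)
            common = offered & conf[ttype]
            if not common:
                break  # no overlap for this type: proposal i is unusable
            choice[ttype] = sorted(common)[0]
        else:
            matches.append((i, choice))
    return matches


def ike_keyword(proposal):
    """Render a received proposal as an ipsec.conf ike= value. The PRF is left implicit
    because ipsec.conf derives it from the integrity algorithm when not given."""
    parts = []
    for ttype in ("encr", "integ", "dh"):
        names = sorted(proposal[ttype])
        if names:
            parts.append(KEYWORD[names[0]])  # the Netgear offers one alternative per type
    return "-".join(parts)


def diagnose(received_line, configured_line):
    """For each peer proposal: its ike= spelling, whether charon would accept it, and which
    configured proposals (by index) it matches."""
    configured = parse_proposals(configured_line)
    report = []
    for rp in parse_proposals(received_line):
        matched = select(rp, configured)
        verdict = "match" if matched else "no proposal found"
        report.append((ike_keyword(rp), verdict, [i for i, _ in matched]))
    return report


if __name__ == "__main__":
    for keyword, verdict, idx in diagnose(RECEIVED_LINE, CONFIGURED_LINE):
        print(f"peer offers {keyword}: {verdict} {idx}")
        if verdict != "match":
            print(f"  suggested ipsec.conf line:  ike={keyword}!")
```

Running it over the post's lines reproduces charon's verdict: the peer offers 3DES/SHA1/MODP_1024, the first default proposal is AES-only, the second pairs 3DES only with MODP_1536, and the third lists MODP_1024 but no 3DES, so nothing intersects. All of those algorithms are already loaded (they appear in the configured list), which is why adding plugins to charon.conf changes nothing. Since 5.x charon handles IKEv1 as well and pluto is gone (plutostart= in config setup is ignored), the 4.x defaults no longer apply; adding `ike=3des-sha1-modp1024!` to the conn (or to conn %default) restores interoperability, with the trailing `!` preventing the default proposals from being appended. 3DES with 1024-bit MODP is legacy-strength, so scope that line to the conns that need it rather than making it the global default.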