[strongSwan] Don't know where to start

Rene Maurer rmnet at mailc.net
Tue Apr 25 12:42:11 CEST 2017


Hello

I am new to strongSwan and I am trying to establish a connection between an
embedded Linux box (using Linux strongSwan U5.3.0/K3.14.43) and a MOXA
switch located at a remote site.

On the embedded Linux box I have two interfaces:
ppp0 connects to the internet (using GPRS).
eth0 (10.4.48.1) connects to a local network.

For a first test, everything is routed between the two interfaces:
# net.ipv4.ip_forward = 1
# iptables -t nat -A POSTROUTING -o ppp0 -j ACCEPT
# iptables -A FORWARD -i eth0 -j ACCEPT

The configuration looks like this:

# /etc/ipsec.conf
config setup
    charondebug="mgr 0, net 1, enc 1, asn 1, job 1, knl 1"

conn home
    keyexchange=ikev2
    ike=aes128-sha256-modp1024!
    esp=aes128-sha256!
    left=%config
    leftcert=xxx.pem
    right=xxx.137.25.195
    leftid="CN=ebmtest at xxx.ch"
    rightid="CN=xxx.137.25.195"
    rightsubnet=10.4.30.0/24
    leftsubnet=10.4.48.0/20
    auto=route

# /etc/ipsec.secrets
: RSA xxx.key "blabla"

Here is the log after ipsec start:

----------------------------------------------------------------------
ipsec start
Starting strongSwan 5.3.0 IPsec [starter]...
NET: Registered protocol family 15
modprobe: module ah4 not found in modules.dep
modprobe: module esp4 not found in modules.dep
modprobe: module ipcomp not found in modules.dep
modprobe: module xfrm4_tunnel not found in modules.dep
10:04:24 Metering authpriv.info ipsec_starter[801]: Starting strongSwan 5.3.0 IPsec [starter]...
Apr 25 10:04:24 Initializing XFRM netlink socket
artesysMetering kern.info kernel: NET: Registered protocol family 15
Apr 25 10:04:25 Metering kern.info kernel: Initializing XFRM netlink socket
Apr 25 10:04:25 Metering daemon.info syslog: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.0, Linux 3.14.43, armv5tejl)
Apr 25 10:04:25 Metering daemon.info syslog: 00[KNL] received netlink error: Address family not supported by protocol (97)
Apr 25 10:04:25 Metering daemon.info syslog: 00[KNL] unable to create IPv6 routing table rule
Apr 25 10:04:25 Metering daemon.info syslog: 00[NET] using forecast interface eth0
Apr 25 10:04:25 Metering daemon.info syslog: 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Apr 25 10:04:25 Metering daemon.info syslog: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr 25 10:04:25 Metering daemon.info syslog: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr 25 10:04:25 Metering daemon.info syslog: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr 25 10:04:25 Metering daemon.info syslog: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr 25 10:04:25 Metering daemon.info syslog: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr 25 10:04:25 Metering daemon.info syslog: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr 25 10:04:25 Metering daemon.info syslog: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/xxx.key'
Apr 25 10:04:25 Metering daemon.info syslog: 00[LIB] loaded plugins: charon pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-defau
Apr 25 10:04:25 Metering daemon.info syslog: 00[JOB] spawning 16 worker threads
Apr 25 10:04:25 Metering authpriv.info ipsec_starter[818]: charon (819) started after 500 ms
Apr 25 10:04:25 Metering daemon.info syslog: 10[CFG] received stroke: add connection 'home'
Apr 25 10:04:25 Metering daemon.info syslog: 17[LIB] resolving 'config' failed: Name or service not known
Apr 25 10:04:25 Metering daemon.info syslog: 10[CFG]   loaded certificate "CN=ebmtest at .ch" from 'xxx.pem'
Apr 25 10:04:25 Metering daemon.info syslog: 10[CFG] added configuration 'home'
Apr 25 10:04:25 Metering daemon.info syslog: 13[CFG] received stroke: route 'home'
Apr 25 10:04:25 Metering daemon.info syslog: 17[LIB] resolving 'config' failed: Name or service not known
Apr 25 10:04:25 Metering authpriv.info ipsec_starter[818]: 'home' routed
----------------------------------------------------------------------

My first question: What does the following line mean?
17[LIB] resolving 'config' failed: Name or service not known
Can it be ignored?


Here is the log after a ping
from 10.4.48.5 (eth0 local) to 10.4.30.11 (remote):

----------------------------------------------------------------------
Apr 25 10:12:57 Metering daemon.info syslog: 04[KNL] creating acquire job for policy 10.4.48.5/32[icmp/8] === 10.4.30.11/32[icmp/8] with reqid {1}
Apr 25 10:12:57 Metering daemon.info syslog: 18[LIB] resolving 'config' failed: Name or service not known
Apr 25 10:12:57 Metering daemon.info syslog: 03[IKE] initiating IKE_SA home[1] to xxx.137.25.195
Apr 25 10:12:57 Metering authpriv.info syslog: 03[IKE] initiating IKE_SA home[1] to xxx.137.25.195
Apr 25 10:12:57 Metering daemon.info syslog: 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Apr 25 10:12:57 Metering daemon.info syslog: 03[NET] sending packet: from 0.0.0.0[500] to xxx.137.25.195[500] (320 bytes)
Apr 25 10:12:58 Metering daemon.info syslog: 02[NET] received packet: from xxx.137.25.195[500] to 10.0.33.143[500] (337 bytes)
Apr 25 10:12:58 Metering daemon.info syslog: 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HTTP_CERT_LOOK) ]
Apr 25 10:12:58 Metering daemon.info syslog: 02[IKE] local host is behind NAT, sending keep alives
Apr 25 10:12:58 Metering daemon.info syslog: 02[IKE] received 1 cert requests for an unknown ca
Apr 25 10:12:58 Metering daemon.info syslog: 02[IKE] authentication of 'CN=ebmtest at xxx.ch' (myself) with RSA signature successful
Apr 25 10:12:58 Metering daemon.info syslog: 02[IKE] sending end entity cert "CN=ebmtest at xxx.ch"
Apr 25 10:12:58 Metering daemon.info syslog: 02[IKE] establishing CHILD_SA home{1}
Apr 25 10:12:58 Metering authpriv.info syslog: 02[IKE] establishing CHILD_SA home{1}
Apr 25 10:12:58 Metering daemon.info syslog: 02[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
Apr 25 10:12:58 Metering daemon.info syslog: 02[NET] sending packet: from 10.0.33.143[4500] to xxx.137.25.195[4500] (1120 bytes)
Apr 25 10:13:02 Metering daemon.info syslog: 14[IKE] retransmit 1 of request with message ID 1
Apr 25 10:13:02 Metering daemon.info syslog: 14[NET] sending packet: from 10.0.33.143[4500] to xxx.137.25.195[4500] (1120 bytes)
Apr 25 10:13:04 Metering daemon.info syslog: 15[NET] received packet: from xxx.137.25.195[4500] to 10.0.33.143[4500] (80 bytes)
Apr 25 10:13:04 Metering daemon.info syslog: 15[ENC] parsed INFORMATIONAL request 0 [ ]
Apr 25 10:13:04 Metering daemon.info syslog: 15[ENC] generating INFORMATIONAL response 0 [ ]
Apr 25 10:13:04 Metering daemon.info syslog: 15[NET] sending packet: from 10.0.33.143[4500] to xxx.137.25.195[4500] (80 bytes)
Apr 25 10:13:10 Metering daemon.info syslog: 16[IKE] retransmit 2 of request with message ID 1
Apr 25 10:13:10 Metering daemon.info syslog: 16[NET] sending packet: from 10.0.33.143[4500] to xxx.137.25.195[4500] (1120 bytes)
Apr 25 10:13:10 Metering daemon.info syslog: 11[NET] received packet: from xxx.137.25.195[4500] to 10.0.33.143[4500] (80 bytes)
Apr 25 10:13:10 Metering daemon.info syslog: 11[ENC] parsed INFORMATIONAL request 1 [ ]
Apr 25 10:13:10 Metering daemon.info syslog: 11[ENC] generating INFORMATIONAL response 1 [ ]
Apr 25 10:13:10 Metering daemon.info syslog: 11[NET] sending packet: from 10.0.33.143[4500] to xxx.137.25.195[4500] (80 bytes)
----------------------------------------------------------------------

And after "retransmit 5" I get "peer not responding":

----------------------------------------------------------------------
Apr 25 10:14:28 Metering daemon.info syslog: 14[IKE] retransmit 5 of request with message ID 1
Apr 25 10:14:28 Metering daemon.info syslog: 14[NET] sending packet: from 10.0.33.143[4500] to xxx.137.25.195[4500] (1120 bytes)
Apr 25 10:14:30 Metering daemon.info syslog: 15[NET] received packet: from xxx.137.25.195[4500] to 10.0.33.143[4500] (80 bytes)
Apr 25 10:14:30 Metering daemon.info syslog: 15[ENC] parsed INFORMATIONAL request 13 [ ]
Apr 25 10:14:30 Metering daemon.info syslog: 15[ENC] generating INFORMATIONAL response 13 [ ]
Apr 25 10:14:30 Metering daemon.info syslog: 15[NET] sending packet: from 10.0.33.143[4500] to xxx.137.25.195[4500] (80 bytes)
Apr 25 10:14:34 Metering daemon.info syslog: 16[NET] received packet: from xxx.137.25.195[4500] to 10.0.33.143[4500] (80 bytes)
Apr 25 10:14:35 Metering daemon.info syslog: 16[ENC] parsed INFORMATIONAL request 14 [ ]
Apr 25 10:14:35 Metering daemon.info syslog: 16[ENC] generating INFORMATIONAL response 14 [ ]
Apr 25 10:14:35 Metering daemon.info syslog: 16[NET] sending packet: from 10.0.33.143[4500] to xxx.137.25.195[4500] (80 bytes)
Apr 25 10:14:41 Metering daemon.info syslog: 11[NET] received packet: from xxx.137.25.195[4500] to 10.0.33.143[4500] (80 bytes)
Apr 25 10:14:41 Metering daemon.info syslog: 11[ENC] parsed INFORMATIONAL request 15 [ ]
Apr 25 10:14:41 Metering daemon.info syslog: 11[ENC] generating INFORMATIONAL response 15 [ ]
Apr 25 10:14:41 Metering daemon.info syslog: 11[NET] sending packet: from 10.0.33.143[4500] to xxx.137.25.195[4500] (80 bytes)
Apr 25 10:14:48 Metering daemon.info syslog: 06[NET] received packet: from xxx.137.25.195[4500] to 10.0.33.143[4500] (80 bytes)
Apr 25 10:14:48 Metering daemon.info syslog: 06[ENC] parsed INFORMATIONAL request 16 [ ]
Apr 25 10:14:48 Metering daemon.info syslog: 06[ENC] generating INFORMATIONAL response 16 [ ]
Apr 25 10:14:48 Metering daemon.info syslog: 06[NET] sending packet: from 10.0.33.143[4500] to xxx.137.25.195[4500] (80 bytes)
Apr 25 10:14:55 Metering daemon.info syslog: 05[NET] received packet: from xxx.137.25.195[4500] to 10.0.33.143[4500] (80 bytes)
Apr 25 10:14:55 Metering daemon.info syslog: 05[ENC] parsed INFORMATIONAL request 17 [ ]
Apr 25 10:14:55 Metering daemon.info syslog: 05[ENC] generating INFORMATIONAL response 17 [ ]
Apr 25 10:14:55 Metering daemon.info syslog: 05[NET] sending packet: from 10.0.33.143[4500] to xxx.137.25.195[4500] (80 bytes)
Apr 25 10:15:02 Metering daemon.info syslog: 13[NET] received packet: from xxx.137.25.195[4500] to 10.0.33.143[4500] (80 bytes)
Apr 25 10:15:02 Metering daemon.info syslog: 13[ENC] parsed INFORMATIONAL request 18 [ ]
Apr 25 10:15:02 Metering daemon.info syslog: 13[ENC] generating INFORMATIONAL response 18 [ ]
Apr 25 10:15:02 Metering daemon.info syslog: 13[NET] sending packet: from 10.0.33.143[4500] to xxx.137.25.195[4500] (80 bytes)
Apr 25 10:15:12 Metering daemon.info syslog: 03[NET] received packet: from xxx.137.25.195[4500] to 10.0.33.143[4500] (80 bytes)
Apr 25 10:15:12 Metering daemon.info syslog: 03[ENC] parsed INFORMATIONAL request 19 [ ]
Apr 25 10:15:12 Metering daemon.info syslog: 03[ENC] generating INFORMATIONAL response 19 [ ]
Apr 25 10:15:12 Metering daemon.info syslog: 03[NET] sending packet: from 10.0.33.143[4500] to xxx.137.25.195[4500] (80 bytes)
Apr 25 10:15:19 Metering daemon.info syslog: 02[NET] received packet: from xxx.137.25.195[4500] to 10.0.33.143[4500] (80 bytes)
Apr 25 10:15:19 Metering daemon.info syslog: 02[ENC] parsed INFORMATIONAL request 20 [ ]
Apr 25 10:15:19 Metering daemon.info syslog: 02[ENC] generating INFORMATIONAL response 20 [ ]
Apr 25 10:15:19 Metering daemon.info syslog: 02[NET] sending packet: from 10.0.33.143[4500] to xxx.137.25.195[4500] (80 bytes)
Apr 25 10:15:26 Metering daemon.info syslog: 01[NET] received packet: from xxx.137.25.195[4500] to 10.0.33.143[4500] (80 bytes)
Apr 25 10:15:26 Metering daemon.info syslog: 01[ENC] parsed INFORMATIONAL request 21 [ ]
Apr 25 10:15:26 Metering daemon.info syslog: 01[ENC] generating INFORMATIONAL response 21 [ ]
Apr 25 10:15:26 Metering daemon.info syslog: 01[NET] sending packet: from 10.0.33.143[4500] to xxx.137.25.195[4500] (80 bytes)
Apr 25 10:15:33 Metering daemon.info syslog: 15[NET] received packet: from xxx.137.25.195[4500] to 10.0.33.143[4500] (80 bytes)
Apr 25 10:15:33 Metering daemon.info syslog: 15[ENC] parsed INFORMATIONAL request 22 [ ]
Apr 25 10:15:33 Metering daemon.info syslog: 15[ENC] generating INFORMATIONAL response 22 [ ]
Apr 25 10:15:33 Metering daemon.info syslog: 15[NET] sending packet: from 10.0.33.143[4500] to xxx.137.25.195[4500] (80 bytes)
Apr 25 10:15:40 Metering daemon.info syslog: 11[NET] received packet: from xxx.137.25.195[4500] to 10.0.33.143[4500] (80 bytes)
Apr 25 10:15:40 Metering daemon.info syslog: 11[ENC] parsed INFORMATIONAL request 23 [ ]
Apr 25 10:15:40 Metering daemon.info syslog: 11[ENC] generating INFORMATIONAL response 23 [ ]
Apr 25 10:15:40 Metering daemon.info syslog: 11[NET] sending packet: from 10.0.33.143[4500] to xxx.137.25.195[4500] (80 bytes)
Apr 25 10:15:42 Metering daemon.info syslog: 06[KNL] creating delete job for CHILD_SA ESP/0x00000000/xxx.137.25.195
Apr 25 10:15:42 Metering daemon.info syslog: 10[JOB] CHILD_SA ESP/0x00000000/xxx.137.25.195 not found for delete
Apr 25 10:15:42 Metering daemon.info syslog: 05[KNL] creating acquire job for policy 10.4.48.5/32[icmp/8] === 10.4.30.11/32[icmp/8] with reqid {1}
Apr 25 10:15:42 Metering daemon.info syslog: 05[CFG] ignoring acquire, connection attempt pending
Apr 25 10:15:43 Metering daemon.info syslog: 04[KNL] creating delete job for CHILD_SA ESP/0xc1787a62/10.0.33.143
Apr 25 10:15:43 Metering daemon.info syslog: 04[JOB] CHILD_SA ESP/0xc1787a62/10.0.33.143 not found for delete
Apr 25 10:15:44 Metering daemon.info syslog: 02[IKE] giving up after 5 retransmits
Apr 25 10:15:44 Metering daemon.info syslog: 02[IKE] peer not responding, trying again (2/3)
----------------------------------------------------------------------

Additional information:

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.0, Linux 3.14.43, armv5tejl):
  uptime: 9 minutes, since Apr 25 10:04:26 2017
  malloc: sbrk 151552, mmap 0, used 140320, free 11232
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default connmark forecast stroke vici updown xauth-generic led
Listening IP addresses:
  10.4.48.1
  10.0.33.143
Connections:
        home:  config,0.0.0.0/0,::/0...xxx.137.25.195  IKEv2
        home:   local:  [CN=ebmtest at xxx.ch] uses public key authentication
        home:    cert:  "CN=ebmtest at xxx.ch"
        home:   remote: [CN=xxx.137.25.195] uses public key authentication
        home:   child:  10.4.48.0/20 === 10.4.30.0/24 TUNNEL
Routed Connections:
        home{1}:  ROUTED, TUNNEL, reqid 1
        home{1}:   10.4.48.0/20 === 10.4.30.0/24 
Security Associations (1 up, 0 connecting):
        home[1]: CONNECTING, 10.0.33.143[CN=ebmtest at aartesys.ch]...xxx.137.25.195[CN=xxx.137.25.195]
        home[1]: IKEv2 SPIs: c3aae4971dd24d2b_i* 81565ee1bdf2fe42_r
        home[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
        home[1]: Tasks active: IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE 

# ip route show table 220
10.4.30.0/24 via 83.137.25.195 dev ppp0  proto static  src 10.4.48.1


Can anybody help me? I don't know where to start looking for the failure.
I assume that IKE does not work?
Or is it the cert requests for an *unknown* ca?

Thank you very much for your attention.

René
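One way to work through a charon log like the one above is to pair each outgoing IKE request with its retransmits and its response, and to keep separate note of which packets from the peer do arrive. The Python below is an added example written for this post; it is not strongSwan code and not the poster's. It assumes charon's usual syslog line format (`NN[GROUP] message`) and uses a trimmed copy of the post's own log lines as constructed input. It flags the three things a reader of this log would check: the `'config'` resolution error (the `%config` keyword is a `leftsourceip` value, not a `left` value, which is also why `ipsec statusall` shows `config` as the local address), the `unknown ca` note, and the IKE_AUTH request that keeps being retransmitted while smaller packets from the same peer keep arriving.

```python
"""Triage a strongSwan charon log for the symptoms shown in the post (added example)."""
import re

# Constructed input: a trimmed copy of the log excerpts in the post above
# (the poster's "xxx" redactions are kept as they appear there).
SAMPLE_LOG = """\
Apr 25 10:04:25 Metering daemon.info syslog: 17[LIB] resolving 'config' failed: Name or service not known
Apr 25 10:12:57 Metering daemon.info syslog: 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Apr 25 10:12:57 Metering daemon.info syslog: 03[NET] sending packet: from 0.0.0.0[500] to xxx.137.25.195[500] (320 bytes)
Apr 25 10:12:58 Metering daemon.info syslog: 02[NET] received packet: from xxx.137.25.195[500] to 10.0.33.143[500] (337 bytes)
Apr 25 10:12:58 Metering daemon.info syslog: 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HTTP_CERT_LOOK) ]
Apr 25 10:12:58 Metering daemon.info syslog: 02[IKE] received 1 cert requests for an unknown ca
Apr 25 10:12:58 Metering daemon.info syslog: 02[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
Apr 25 10:12:58 Metering daemon.info syslog: 02[NET] sending packet: from 10.0.33.143[4500] to xxx.137.25.195[4500] (1120 bytes)
Apr 25 10:13:02 Metering daemon.info syslog: 14[IKE] retransmit 1 of request with message ID 1
Apr 25 10:13:02 Metering daemon.info syslog: 14[NET] sending packet: from 10.0.33.143[4500] to xxx.137.25.195[4500] (1120 bytes)
Apr 25 10:13:04 Metering daemon.info syslog: 15[NET] received packet: from xxx.137.25.195[4500] to 10.0.33.143[4500] (80 bytes)
Apr 25 10:13:04 Metering daemon.info syslog: 15[ENC] parsed INFORMATIONAL request 0 [ ]
Apr 25 10:13:04 Metering daemon.info syslog: 15[ENC] generating INFORMATIONAL response 0 [ ]
Apr 25 10:13:04 Metering daemon.info syslog: 15[NET] sending packet: from 10.0.33.143[4500] to xxx.137.25.195[4500] (80 bytes)
Apr 25 10:14:28 Metering daemon.info syslog: 14[IKE] retransmit 5 of request with message ID 1
Apr 25 10:14:28 Metering daemon.info syslog: 14[NET] sending packet: from 10.0.33.143[4500] to xxx.137.25.195[4500] (1120 bytes)
Apr 25 10:15:44 Metering daemon.info syslog: 02[IKE] giving up after 5 retransmits
"""

# Syslog prefix, then charon's "thread[GROUP] message" (assumed format, matches the post).
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
GEN_RE = re.compile(r"generating (?P<exch>\w+) request (?P<mid>\d+)")
RESP_RE = re.compile(r"parsed (?P<exch>\w+) response (?P<mid>\d+)")
RETRANS_RE = re.compile(r"retransmit (?P<n>\d+) of request with message ID (?P<mid>\d+)")
SEND_RE = re.compile(r"sending packet: .*\((?P<size>\d+) bytes\)")
RECV_RE = re.compile(r"received packet: .*\((?P<size>\d+) bytes\)")


def parse(log_text):
    """Yield one dict per charon line; lines in another format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def track_requests(log_text):
    """Map IKE message ID -> exchange, first packet size, retransmit count, answered flag."""
    requests = {}
    last_mid = None
    for ev in parse(log_text):
        msg = ev["msg"]
        m = GEN_RE.search(msg)
        if m:
            last_mid = int(m["mid"])
            requests[last_mid] = {"exch": m["exch"], "size": None, "retransmits": 0, "answered": False}
            continue
        m = SEND_RE.search(msg)
        if m:
            # Only the first 'sending packet' after 'generating ... request' is that request's size.
            if last_mid is not None and requests[last_mid]["size"] is None:
                requests[last_mid]["size"] = int(m["size"])
            continue
        m = RETRANS_RE.search(msg)
        if m:
            req = requests.setdefault(int(m["mid"]), {"exch": "?", "size": None, "retransmits": 0, "answered": False})
            req["retransmits"] = max(req["retransmits"], int(m["n"]))
            continue
        m = RESP_RE.search(msg)
        if m and int(m["mid"]) in requests:
            requests[int(m["mid"])]["answered"] = True
    return requests


def received_sizes(log_text):
    """Sizes of all packets the peer managed to deliver, in log order."""
    return [int(m["size"]) for ev in parse(log_text) for m in [RECV_RE.search(ev["msg"])] if m]


def analyze(log_text):
    """Return findings keyed by symptom; each value is a one-paragraph explanation."""
    findings = {}
    for ev in parse(log_text):
        if "resolving 'config' failed" in ev["msg"]:
            findings["config"] = ("charon stripped the '%' from left=%config and tried DNS for 'config'; "
                                  "%config is a leftsourceip value, not a left value; for an address that "
                                  "changes with ppp0 use left=%defaultroute (or %any)")
        elif "cert requests for an unknown ca" in ev["msg"]:
            findings["unknown_ca"] = ("the responder's CERTREQ names a CA not present in /etc/ipsec.d/cacerts; "
                                      "charon still sent its own cert, but this side cannot validate the "
                                      "responder's certificate unless that CA cert (or rightcert) is installed")
    recv = received_sizes(log_text)
    for mid, req in track_requests(log_text).items():
        if req["retransmits"] and not req["answered"]:
            reach = (f", while packets of {sorted(set(recv))} bytes kept arriving from the peer (so it is reachable)"
                     if recv else "")
            findings["unanswered_request"] = (
                f"{req['exch']} request (message ID {mid}, {req['size']} bytes) retransmitted "
                f"{req['retransmits']} times without a response{reach}: suspect the large packet "
                "being lost on the path (MTU/fragmentation) or silently dropped by the responder; "
                "check the responder's log for that request")
            break
    return findings


if __name__ == "__main__":
    for key, text in analyze(SAMPLE_LOG).items():
        print(f"[{key}] {text}")
```

The reasoning the script encodes is the one worth taking from this log: the 320-byte IKE_SA_INIT request is answered and 80-byte INFORMATIONAL messages keep arriving on UDP 4500, so the peer is up and NAT traversal works; only the 1120-byte IKE_AUTH request gets no reply at all. A responder that rejected the authentication would typically answer with an error notify rather than stay silent, so an unanswered large packet points first at the path (a small MTU on the GPRS link, fragments being dropped) and second at the responder's own log. Whether both ends support IKEv2 fragmentation (`fragmentation=yes` in ipsec.conf on the strongSwan side) is one thing to verify before looking at certificates.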

