[strongSwan] Help Site-to-Site configuration error installing route with policy

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Sep 27 01:49:07 CEST 2017


Hi,

The problem is caused by either the kernel lacking the modules or you running strongSwan inside a container that does not have
a working IPsec stack. Try rebooting. If that does not help, try loading the required modules manually.
The wiki elaborates on both of those problems in the way of listing the names of the required modules[1] and discussing
running strongSwan in the cloud[2].

There is also a dedicated article[3] about asking for help, which gives you guidance for helping yourself.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules#List-of-the-names-of-required-modules
[2] https://wiki.strongswan.org/projects/strongswan/wiki/Cloudplatforms
[3] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 26.09.2017 18:56, Olivier CALVANO wrote:
> Is strongSwan dead?
>
> No help from the community.
> No answer from strongSwan commercial support.
>
> 2017-09-07 9:15 GMT+02:00 Olivier CALVANO <o.calvano at gmail.com>:
>
>     Hi
>
>     I have a problem with a new site-to-site configuration of strongSwan:
>
>
>     ipsec.conf:
>
>     config setup
>             charondebug="knl 2, cfg 2"
>
>     conn %default
>             ikelifetime=60m
>             keylife=20m
>             rekeymargin=3m
>             keyingtries=1
>             authby=secret
>             keyexchange=ikev1
>             mobike=no
>
>     conn Galioppee
>             left=192.168.1.254
>             leftsubnet=192.168.62.0/24
>             leftfirewall=no
>             leftid=192.168.1.254
>             leftauth=psk
>
>             right=172.16.1.254
>             rightsubnet=192.168.163.0/24
>             rightid=172.16.1.254
>             rightauth=psk
>
>             type=tunnel
>             auto=start
>             ikelifetime=28800
>             keylife=900
>             aggressive=no
>             ike=aes256-sha1-modp1536!
>             esp=aes256-sha1-modp1536!
>
>
>
>     I have changed "auto=start" to "add" or "route" but I get the same problem.
>     server:
>
>     ifconfig
>     eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>             inet 192.168.1.254.11  netmask 255.255.255.0  broadcast 192.168.1.255
>
>     eth2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>             inet 172.20.22.233  netmask 255.255.255.248  broadcast 172.20.22.239
>
>     ipsec0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1400
>             unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
>             RX packets 0  bytes 0 (0.0 B)
>             RX errors 0  dropped 0  overruns 0  frame 0
>             TX packets 0  bytes 0 (0.0 B)
>             TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
>     route -n:
>
>     Kernel IP routing table
>     Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>     0.0.0.0         192.168.1.1.1    0.0.0.0         UG    100    0        0 eth1
>     172.20.22.232   0.0.0.0         255.255.255.248 U     100    0        0 eth2
>     192.168.62.0    172.20.22.238   255.255.255.0   UG    0      0        0 eth2
>     192.168.62.0    172.20.22.238   255.255.254.0   UG    0      0        0 eth2
>
>
>
>
>     In the logs I have:
>     Sep  6 17:34:43 irys01 charon: 12[ENC] parsed QUICK_MODE request 2463978021 [ HASH SA No KE ID ID ]
>     Sep  6 17:34:43 irys01 charon: 12[CFG] looking for a child config for 192.168.62.0/24 === 192.168.163.0/24
>     Sep  6 17:34:43 irys01 charon: 12[CFG] proposing traffic selectors for us:
>     Sep  6 17:34:43 irys01 charon: 12[CFG]  192.168.62.0/24
>     Sep  6 17:34:43 irys01 charon: 12[CFG] proposing traffic selectors for other:
>     Sep  6 17:34:43 irys01 charon: 12[CFG]  192.168.163.0/24
>     Sep  6 17:34:43 irys01 charon: 12[CFG]   candidate "Galioppee" with prio 5+5
>     Sep  6 17:34:43 irys01 charon: 12[CFG] found matching child config "Galioppee" with prio 10
>     Sep  6 17:34:43 irys01 charon: 12[CFG] selecting traffic selectors for other:
>     Sep  6 17:34:43 irys01 charon: 12[CFG]  config: 192.168.163.0/24, received: 192.168.163.0/24 => match: 192.168.163.0/24
>     Sep  6 17:34:43 irys01 charon: 12[CFG] selecting traffic selectors for us:
>     Sep  6 17:34:43 irys01 charon: 12[CFG]  config: 192.168.62.0/24, received: 192.168.62.0/24 => match: 192.168.62.0/24
>     Sep  6 17:34:43 irys01 charon: 12[CFG] selecting proposal:
>     Sep  6 17:34:43 irys01 charon: 12[CFG]   proposal matches
>     Sep  6 17:34:43 irys01 charon: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
>     Sep  6 17:34:43 irys01 charon: 12[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
>     Sep  6 17:34:43 irys01 charon: 12[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
>     Sep  6 17:34:43 irys01 charon: 12[IKE] received 4608000000 lifebytes, configured 0
>     Sep  6 17:34:43 irys01 charon: 12[ENC] generating QUICK_MODE response 2463978021 [ HASH SA No KE ID ID ]
>     Sep  6 17:34:43 irys01 charon: 12[NET] sending packet: from 192.168.1.254[4500] to 172.16.1.254[4500] (396 bytes)
>     Sep  6 17:34:43 irys01 charon: 13[NET] received packet: from 172.16.1.254[4500] to 192.168.1.254[4500] (60 bytes)
>     Sep  6 17:34:43 irys01 charon: 13[ENC] parsed QUICK_MODE request 2463978021 [ HASH ]
>     Sep  6 17:34:43 irys01 charon: 13[KNL] getting a local address in traffic selector 192.168.62.0/24
>     Sep  6 17:34:43 irys01 charon: 13[KNL] no local address found in traffic selector 192.168.62.0/24
>     Sep  6 17:34:43 irys01 charon: 13[KNL] error installing route with policy 192.168.62.0/24 === 192.168.163.0/24 out
>     Sep  6 17:34:43 irys01 charon: 13[KNL] getting a local address in traffic selector 192.168.62.0/24
>     Sep  6 17:34:43 irys01 charon: 13[KNL] no local address found in traffic selector 192.168.62.0/24
>     Sep  6 17:34:43 irys01 charon: 13[KNL] error installing route with policy 192.168.62.0/24 === 192.168.163.0/24 out
>     Sep  6 17:34:43 irys01 charon: 13[IKE] unable to install IPsec policies (SPD) in kernel
>     Sep  6 17:34:43 irys01 charon: 13[IKE] sending DELETE for ESP CHILD_SA with SPI 16bcc04d
>     Sep  6 17:34:43 irys01 charon: 13[ENC] generating INFORMATIONAL_V1 request 4069478722 [ HASH D ]
>     Sep  6 17:34:43 irys01 charon: 13[NET] sending packet: from 192.168.1.254[4500] to 172.16.1.254[4500] (76 bytes)
>     Sep  6 17:36:12 irys01 charon: 15[NET] received packet: from 172.16.1.254[4500] to 192.168.1.254[4500] (76 bytes)
>     Sep  6 17:36:12 irys01 charon: 15[ENC] parsed INFORMATIONAL_V1 request 3827316135 [ HASH D ]
>     Sep  6 17:36:12 irys01 charon: 15[IKE] received DELETE for ESP CHILD_SA with SPI 16bcc04d
>     Sep  6 17:36:12 irys01 charon: 15[IKE] CHILD_SA not found, ignored
>
>
>     Does anyone know what my error is?
>     thanks
>     olivier
>
>
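
Added example (not part of the original thread, and not strongSwan code): a small Python triage helper that pulls the failure chain visible in the quoted charon log ("no local address found in traffic selector", "error installing route with policy", "unable to install IPsec policies (SPD) in kernel") and lists the traffic selectors that contain none of a given set of local addresses. The function names, the per-thread grouping and the address list are assumptions made for illustration; the sample log is constructed from the message formats quoted above.

```python
import ipaddress
import re

# Constructed sample: three lines in the format of the charon log quoted above.
SAMPLE_LOG = """\
Sep  6 17:34:43 irys01 charon: 13[KNL] no local address found in traffic selector 192.168.62.0/24
Sep  6 17:34:43 irys01 charon: 13[KNL] error installing route with policy 192.168.62.0/24 === 192.168.163.0/24 out
Sep  6 17:34:43 irys01 charon: 13[IKE] unable to install IPsec policies (SPD) in kernel
"""

LINE = re.compile(r"charon: (\d+)\[(\w+)\] (.*)$")
NO_ADDR = re.compile(r"no local address found in traffic selector (\S+)")
ROUTE_ERR = re.compile(r"error installing route with policy (\S+) === (\S+) (in|out|fwd)")
SPD_FAIL = "unable to install IPsec policies (SPD) in kernel"


def find_policy_failures(log_text):
    """Return one dict per failed policy install (grouping by thread id is a heuristic)."""
    pending, failures = {}, []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        thread, _, msg = m.groups()
        state = pending.setdefault(thread, {"no_addr": set(), "routes": set()})
        if (n := NO_ADDR.search(msg)):
            state["no_addr"].add(n.group(1))
        elif (r := ROUTE_ERR.search(msg)):
            state["routes"].add(r.groups())
        elif SPD_FAIL in msg:
            failures.append(pending.pop(thread))  # chain complete for this thread
    return failures


def selectors_without_local_address(failures, local_addrs):
    """List traffic selectors from the failures that contain none of local_addrs."""
    addrs = [ipaddress.ip_address(a) for a in local_addrs]
    missing = set()
    for f in failures:
        for ts in f["no_addr"]:
            net = ipaddress.ip_network(ts, strict=False)
            if not any(a in net for a in addrs):
                missing.add(ts)
    return sorted(missing)


if __name__ == "__main__":
    # Assumed local addresses: left= from the quoted ipsec.conf and eth2 from ifconfig.
    local = ["192.168.1.254", "172.20.22.233"]
    print(selectors_without_local_address(find_policy_failures(SAMPLE_LOG), local))
```
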
