[strongSwan] Migration from OpenSWAN to StrongSWAN problem.
K K
horizn at wp.pl
Sun Dec 2 17:38:45 CET 2018
Hi, I have a working IPsec tunnel between OpenSWAN on CentOS7 and a third-party partner company in Azure. The plan is to migrate from OpenSWAN to StrongSWAN (Ubuntu) and retire the CentOS box. Unfortunately the configuration doesn't work and I can't find the problem.

My working config on OpenSWAN:

config setup
    nat_traversal=yes
    virtual_private=%v4:10.1
    protostack=netkey
    interfaces="ipsec0=eth0"
    oe=off

conn azure
    authby=secret
    auto=start
    type=tunnel
    left=%defaultroute
    leftsubnets=10.1.0.0/16,
    leftnexthop=%defaultrout
    right=PUB_IP_REMOTE
    rightsubnet=10.5.0.0/24
    phase2alg=aes256-sha1;mo
    ike=aes256-sha1;modp1024
    ikelifetime=8h
    keylife=1h
    pfs=no
    dpdaction=restart_by_pee
    dpdtimeout=10
    dpddelay=10

On my StrongSWAN I have:

conn azure1
    authby=secret
    type=tunnel
    leftsendcert=nev
    left=PUB_IP_LOCA
    leftsubnet=10.1.
    right=PUB_IP_REM
    rightsubnet=10.5
    ike=aes256-sha1
    ikelifetime=8h
    keylife=1h
    keyingtries=1
    rekeymargin=3m
    compress=no
    auto=start

conn azure2
    authby=secret
    type=tunnel
    leftsendcert=nev
    left=PUB_IP_LOCA
    leftsubnet=10.2.
    right=PUB_IP_REM
    rightsubnet=10.5
    ike=aes256-sha1
    ikelifetime=8h
    keylife=1h
    keyingtries=1
    rekeymargin=3m
    compress=no
    auto=start

The log output says that it is connected and then dropped because IKE is not established:

Dec 2 15:34:11 systemd[1]: Starting strongSwan IPsec services...
Dec 2 15:34:11 ipsec[20651]: Starting strongFSwan 5.3.5 IPsec [starter]...
Dec 2 15:34:11 systemd[1]: Started strongSwan IPsec services.
Dec 2 15:34:11 charon-custom: 00[DMN] opening file charon for logging failed: Permission denied
Dec 2 15:34:11 charon-custom: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-138-generic, x86_64)
Dec 2 15:34:11 kernel: [3962500.785155] audit: type=1400 audit(1543764851.950:28): apparmor="DENIED" operation="mknod" profile="/usr/lib/ipsec/charon name="/charon" pid=20668 comm="charon" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Dec 2 15:34:12 kernel: [3962501.191338] NET: Registered protocol family 38
Dec 2 15:34:12 kernel: [3962501.315701] AVX or AES-NI instructions are not detected.
Dec 2 15:34:12 kernel: [3962501.342215] AVX or AES-NI instructions are not detected.
Dec 2 15:34:12 kernel: [3962501.468445] CPU feature 'AVX registers' is not supported.
Dec 2 15:34:12 kernel: [3962501.577645] CPU feature 'AVX registers' is not supported.
Dec 2 15:34:12 kernel: [3962501.602133] CPU feature 'AVX registers' is not supported.
Dec 2 15:34:12 kernel: [3962501.664258] CPU feature 'AVX registers' is not supported.
Dec 2 15:34:12 charon-custom: 00[CFG] disabling load-tester plugin, not configured
Dec 2 15:34:12 charon-custom: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Dec 2 15:34:13 charon-custom: 00[CFG] dnscert plugin is disabled
Dec 2 15:34:13 charon-custom: 00[CFG] ipseckey plugin is disabled
Dec 2 15:34:13 charon-custom: 00[CFG] attr-sql plugin: database URI not set
Dec 2 15:34:13 charon-custom: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Dec 2 15:34:13 charon-custom: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Dec 2 15:34:13 charon-custom: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Dec 2 15:34:13 charon-custom: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Dec 2 15:34:13 charon-custom: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Dec 2 15:34:13 charon-custom: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Dec 2 15:34:13 charon-custom: 00[CFG] loaded IKE secret for PUB_IP_REMOTE
Dec 2 15:34:13 charon-custom: 00[CFG] sql plugin: database URI not set
Dec 2 15:34:13 charon-custom: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Dec 2 15:34:13 charon-custom: 00[CFG] eap-simaka-sql database URI missing
Dec 2 15:34:13 charon-custom: 00[CFG] loaded 0 RADIUS server configurations
Dec 2 15:34:13 charon-custom: 00[CFG] no threshold configured for systime-fix, disabled
Dec 2 15:34:13 charon-custom: 00[CFG] coupling file path unspecified
Dec 2 15:34:13 charon-custom: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
Dec 2 15:34:13 charon-custom: 00[LIB] dropped capabilities, running as uid 0, gid 0
Dec 2 15:34:13 charon-custom: 00[JOB] spawning 16 worker threads
Dec 2 15:34:13 charon-custom: 07[CFG] received stroke: add connection 'azure1'
Dec 2 15:34:13 charon-custom: 07[CFG] added configuration 'azure1'
Dec 2 15:34:13 charon-custom: 11[CFG] received stroke: initiate 'azure1'
Dec 2 15:34:13 charon-custom: 11[IKE] initiating IKE_SA azure1[1] to PUB_IP_REMOTE
Dec 2 15:34:13 charon-custom: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Dec 2 15:34:13 charon-custom: 11[NET] sending packet: from PUB_IP_LOCAL[500] to PUB_IP_REMOTE[500] (1452 bytes)
Dec 2 15:34:13 charon-custom: 15[CFG] received stroke: add connection 'azure2'
Dec 2 15:34:13 charon-custom: 15[CFG] added child to existing configuration 'azure1'
Dec 2 15:34:13 charon-custom: 14[CFG] received stroke: initiate 'azure2'
Dec 2 15:34:13 charon-custom: 09[CFG] received stroke: add connection 'azure3'
Dec 2 15:34:13 charon-custom: 09[CFG] added child to existing configuration 'azure1'
Dec 2 15:34:13 charon-custom: 16[CFG] received stroke: initiate 'azure3'
Dec 2 15:34:17 charon-custom: 10[IKE] retransmit 1 of request with message ID 0
Dec 2 15:34:17 charon-custom: 10[NET] sending packet: from PUB_IP_LOCAL[500] to PUB_IP_REMOTE[500] (1452 bytes)
Dec 2 15:34:24 charon-custom: 14[IKE] retransmit 2 of request with message ID 0
Dec 2 15:34:24 charon-custom: 14[NET] sending packet: from PUB_IP_LOCAL[500] to PUB_IP_REMOTE[500] (1452 bytes)
Dec 2 15:34:37 charon-custom: 10[IKE] retransmit 3 of request with message ID 0
Dec 2 15:34:37 charon-custom: 10[NET] sending packet: from PUB_IP_LOCAL[500] to PUB_IP_REMOTE[500] (1452 bytes)
Dec 2 15:34:49 charon-custom: 10[NET] received packet: from PUB_IP_REMOTE[500] to PUB_IP_LOCAL[500] (372 bytes)
Dec 2 15:34:49 charon-custom: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Dec 2 15:34:49 charon-custom: 10[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:
Dec 2 15:34:49 charon-custom: 10[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Dec 2 15:34:49 charon-custom: 10[IKE] received NAT-T (RFC 3947) vendor ID
Dec 2 15:34:49 charon-custom: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02\ vendor ID
Dec 2 15:34:49 charon-custom: 10[IKE] received FRAGMENTATION vendor ID
Dec 2 15:34:49 charon-custom: 10[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:
Dec 2 15:34:49 charon-custom: 10[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:
Dec 2 15:34:49 charon-custom: 10[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:
Dec 2 15:34:49 charon-custom: 10[IKE] PUB_IP_REMOTE is initiating a Main Mode IKE_SA
Dec 2 15:34:49 charon-custom: 10[ENC] generating ID_PROT response 0 [ SA V V V ]
Dec 2 15:34:49 charon-custom: 10[NET] sending packet: from PUB_IP_LOCAL[500] to PUB_IP_REMOTE[500] (136 bytes)
Dec 2 15:34:49 charon-custom: 15[NET] received packet: from PUB_IP_REMOTE[500] to PUB_IP_LOCAL[500] (284 bytes)
Dec 2 15:34:49 charon-custom: 15[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 2 15:34:49 charon-custom: 15[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Dec 2 15:34:49 charon-custom: 15[NET] sending packet: from PUB_IP_LOCAL[500] to PUB_IP_REMOTE[500] (268 bytes)
Dec 2 15:34:49 charon-custom: 13[NET] received packet: from PUB_IP_REMOTE[500] to PUB_IP_LOCAL[500] (92 bytes)
Dec 2 15:34:49 charon-custom: 13[ENC] parsed ID_PROT request 0 [ ID HASH ]
Dec 2 15:34:49 charon-custom: 13[CFG] looking for pre-shared key peer configs matching PUB_IP_LOCAL...PUB_IP_REMOTE[P
Dec 2 15:34:49 charon-custom: 13[CFG] selected peer config "azure1"
Dec 2 15:34:49 charon-custom: 13[IKE] IKE_SA azure1[2] established between PUB_IP_LOCAL[PUB_IP_LOCAL]...P
Dec 2 15:34:49 charon-custom: 13[IKE] scheduling reauthentication in 28494s
Dec 2 15:34:49 charon-custom: 13[IKE] maximum IKE_SA lifetime 28674s
Dec 2 15:34:49 charon-custom: 13[ENC] generating ID_PROT response 0 [ ID HASH ]
Dec 2 15:34:49 charon-custom: 13[NET] sending packet: from PUB_IP_LOCAL[500] to PUB_IP_REMOTE[500] (92 bytes)
Dec 2 15:34:49 charon-custom: 08[NET] received packet: from PUB_IP_REMOTE[500] to PUB_IP_LOCAL[500] (396 bytes)
Dec 2 15:34:49 charon-custom: 08[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID ]
Dec 2 15:34:49 charon-custom: 08[IKE] received 102400000000 lifebytes, configured 0
Dec 2 15:34:49 charon-custom: 08[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID ]
Dec 2 15:34:49 charon-custom: 08[NET] sending packet: from PUB_IP_LOCAL[500] to PUB_IP_REMOTE[500] (204 bytes)
Dec 2 15:34:49 charon-custom: 09[NET] received packet: from PUB_IP_REMOTE[500] to PUB_IP_LOCAL[500] (396 bytes)
Dec 2 15:34:49 charon-custom: 09[ENC] parsed QUICK_MODE request 2 [ HASH SA No ID ID ]
Dec 2 15:34:49 charon-custom: 09[IKE] received 102400000000 lifebytes, configured 0
Dec 2 15:34:49 charon-custom: 09[ENC] generating QUICK_MODE response 2 [ HASH SA No ID ID ]
Dec 2 15:34:49 charon-custom: 09[NET] sending packet: from PUB_IP_LOCAL[500] to PUB_IP_REMOTE[500] (204 bytes)
Dec 2 15:34:49 charon-custom: 04[NET] received packet: from PUB_IP_REMOTE[500] to PUB_IP_LOCAL[500] (76 bytes)
Dec 2 15:34:49 charon-custom: 04[ENC] parsed QUICK_MODE request 1 [ HASH ]
Dec 2 15:34:50 charon-custom: 04[IKE] CHILD_SA azure1{1} established with SPIs ca324e62_i 24d548c4_o and TS 10.1.0.0/16 === 10.5.0.0/24
Dec 2 15:34:50 charon-custom: 16[NET] received packet: from PUB_IP_REMOTE[500] to PUB_IP_LOCAL[500] (76 bytes)
Dec 2 15:34:50 charon-custom: 16[ENC] parsed QUICK_MODE request 2 [ HASH ]
Dec 2 15:34:50 charon-custom: 16[IKE] CHILD_SA azure2{2} established with SPIs cd87fa1d_i c89fa3be_o and TS 10.2.0.0/16 === 10.5.0.0/24
Dec 2 15:35:00 charon-custom: 10[IKE] retransmit 4 of request with message ID 0
Dec 2 15:35:00 charon-custom: 10[NET] sending packet: from PUB_IP_LOCAL[500] to PUB_IP_REMOTE[500] (1452 bytes)
Dec 2 15:35:42 charon-custom: 04[IKE] retransmit 5 of request with message ID 0
Dec 2 15:35:42 charon-custom: 04[NET] sending packet: from PUB_IP_LOCAL[500] to PUB_IP_REMOTE[500] (1452 bytes)
Dec 2 15:36:58 charon-custom: 11[IKE] giving up after 5 retransmits
Dec 2 15:36:58 charon-custom: 11[IKE] establishing IKE_SA failed, peer not responding

Any idea what is wrong here?
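The log above is easier to read once the two interleaved exchanges are separated: charon's own attempt sends an IKEv2 IKE_SA_INIT (what strongSwan 5.x initiates when keyexchange= is left at its default) that the peer never answers, while the peer opens an IKEv1 Main Mode exchange (ID_PROT, with a Microsoft vendor ID) that charon answers as responder and that brings both CHILD_SAs up. The following script is an added example, not code from the post or from the strongSwan project: it parses charon log lines, records which IKE version each side used to initiate, tracks retransmits of the local request and the SAs that did get established, and reports the mismatch. The embedded sample is a constructed subset of the poster's lines, with PUB_IP_LOCAL and PUB_IP_REMOTE kept as the poster's placeholders; the regex patterns are written against the log formats visible in the post.

```python
"""Summarise a strongSwan charon log to spot an IKE version mismatch (added example)."""
import re

# Constructed sample: a subset of the lines quoted in the post.
SAMPLE_LOG = """\
Dec 2 15:34:13 charon-custom: 11[IKE] initiating IKE_SA azure1[1] to PUB_IP_REMOTE
Dec 2 15:34:13 charon-custom: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Dec 2 15:34:17 charon-custom: 10[IKE] retransmit 1 of request with message ID 0
Dec 2 15:34:24 charon-custom: 14[IKE] retransmit 2 of request with message ID 0
Dec 2 15:34:49 charon-custom: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Dec 2 15:34:49 charon-custom: 10[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Dec 2 15:34:49 charon-custom: 10[IKE] PUB_IP_REMOTE is initiating a Main Mode IKE_SA
Dec 2 15:34:49 charon-custom: 13[CFG] selected peer config "azure1"
Dec 2 15:34:49 charon-custom: 13[IKE] IKE_SA azure1[2] established between PUB_IP_LOCAL[PUB_IP_LOCAL]...PUB_IP_REMOTE[PUB_IP_REMOTE]
Dec 2 15:34:50 charon-custom: 04[IKE] CHILD_SA azure1{1} established with SPIs ca324e62_i 24d548c4_o and TS 10.1.0.0/16 === 10.5.0.0/24
Dec 2 15:34:50 charon-custom: 16[IKE] CHILD_SA azure2{2} established with SPIs cd87fa1d_i c89fa3be_o and TS 10.2.0.0/16 === 10.5.0.0/24
Dec 2 15:35:42 charon-custom: 04[IKE] retransmit 5 of request with message ID 0
Dec 2 15:36:58 charon-custom: 11[IKE] giving up after 5 retransmits
Dec 2 15:36:58 charon-custom: 11[IKE] establishing IKE_SA failed, peer not responding
"""

# Syslog prefix used by charon; kernel/systemd lines do not match and are skipped.
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+charon[\w-]*:\s+"
                     r"\d+\[(?P<grp>[A-Z]+)\]\s+(?P<msg>.*)$")
MSG_INIT = re.compile(r"^initiating IKE_SA (\S+)\[\d+\] to (\S+)$")
MSG_PEER_V1 = re.compile(r"^(\S+) is initiating an? (?:Main|Aggressive) Mode IKE_SA$")
MSG_PEER_V2 = re.compile(r"^(\S+) is initiating an IKE_SA$")
MSG_RETRANS = re.compile(r"^retransmit (\d+) of request with message ID \d+$")
MSG_IKE_SA = re.compile(r"^IKE_SA (\S+\[\d+\]) established between")
MSG_CHILD = re.compile(r"^CHILD_SA (\S+)\{\d+\} established with SPIs \w+_i \w+_o and TS (\S+) === (\S+)$")
MSG_VENDOR = re.compile(r"^received (.+) vendor ID$")


def parse_charon(lines):
    """Yield (timestamp, log group, message) for every charon line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("grp"), m.group("msg")


def analyse(lines):
    """Reduce a charon log to the facts needed to judge why the tunnel flaps."""
    s = {"local_initiated": [], "local_version": None, "peer_version": None,
         "peer_vendor_ids": [], "max_retransmit": 0, "gave_up": False,
         "ike_sas": [], "child_sas": [], "failures": []}
    for _ts, grp, msg in parse_charon(lines):
        if m := MSG_INIT.match(msg):
            s["local_initiated"].append(m.group(1))
        elif msg.startswith("generating IKE_SA_INIT request"):      # IKEv2 first message
            s["local_version"] = s["local_version"] or "IKEv2"
        elif msg.startswith(("generating ID_PROT request", "generating AGGRESSIVE request")):
            s["local_version"] = s["local_version"] or "IKEv1"     # IKEv1 phase 1
        elif MSG_PEER_V1.match(msg):
            s["peer_version"] = s["peer_version"] or "IKEv1"
        elif MSG_PEER_V2.match(msg):
            s["peer_version"] = s["peer_version"] or "IKEv2"
        elif m := MSG_RETRANS.match(msg):
            s["max_retransmit"] = max(s["max_retransmit"], int(m.group(1)))
        elif msg.startswith("giving up after"):
            s["gave_up"] = True
        elif m := MSG_IKE_SA.match(msg):
            s["ike_sas"].append(m.group(1))
        elif m := MSG_CHILD.match(msg):
            s["child_sas"].append((m.group(1), m.group(2), m.group(3)))  # (conn, local TS, remote TS)
        elif m := MSG_VENDOR.match(msg):
            s["peer_vendor_ids"].append(m.group(1))
        elif grp == "IKE" and "failed" in msg:
            s["failures"].append(msg)
    s["findings"] = findings(s)
    return s


def version_mismatch(s):
    """True when this host initiated with one IKE version and the peer with the other."""
    return bool(s["local_version"] and s["peer_version"] and s["local_version"] != s["peer_version"])


def findings(s):
    """Turn the counters into short, actionable observations."""
    out = []
    if s["local_version"] == "IKEv2" and s["peer_version"] == "IKEv1":
        out.append("version mismatch: this host initiated with IKEv2 (IKE_SA_INIT) but the peer "
                   "initiated IKEv1 (Main Mode); check keyexchange= in ipsec.conf, the OpenSWAN "
                   "config being migrated is an IKEv1 tunnel")
    if s["gave_up"] and s["child_sas"]:
        out.append("local initiation gave up after %d retransmits while %d CHILD_SA(s) came up on "
                   "the peer-initiated IKE_SA; the tunnel currently depends on the peer initiating"
                   % (s["max_retransmit"], len(s["child_sas"])))
    if s["gave_up"] and not s["ike_sas"]:
        out.append("no IKE_SA established at all; check that UDP 500/4500 reaches the peer")
    return out


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    result = analyse(src)
    for key in ("local_initiated", "local_version", "peer_version", "peer_vendor_ids",
                "max_retransmit", "gave_up", "ike_sas", "child_sas", "failures"):
        print("%-16s %s" % (key, result[key]))
    for f in result["findings"]:
        print("FINDING:", f)
```

Run it with no arguments to analyse the embedded sample, or pass the path of a syslog file that contains the charon lines. Only the local initiator's first message decides `local_version`, and only the first peer-initiated exchange decides `peer_version`, so a log where both sides speak the same version produces no mismatch finding.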