[strongSwan] Migrating from OpenSwan/Fedora 13 to StrongSwan/CentOS 7.5

guilsson at gmail.com guilsson at gmail.com
Wed Apr 10 16:07:16 CEST 2019


Hello everyone,

I have been running OpenSwan 2.6.29 since 2010 to connect to a bank.
It has been running for 9 years in a row.
First 3 years in a Debian box and 6 years in Fedora 13. Just
COPIED/PASTED from Debian to Fedora and worked.

But I need some other features in the operating system that Fedora 13
doesn't have. I've decided to replace it with CentOS 7.5.
I discovered that CentOS doesn't have OpenSwan. Just LIBRESWAN and STRONGSWAN.

The main issue is I don't have KNOWLEDGE about IPSEC. This machine has
been running IPSec using a configuration file
(ipsec.conf/ipsec.secrets) SUPPLIED by the bank. So, if I get some
errors about auth, netkey, pfs, ike, quick mode, main mode, phase 1/2,
etc., I won't be able to fix them.

Having only LIBRESWAN and STRONGSWAN at CentOS 7.5, I tried STRONGSWAN
first, expecting not to have compatibility problems migrating from
OpenSwan to STRONGSWAN.

But it is not what I got.

Let's start with a baseline...

IPSEC.CONF:
========================================================================================
conn vpnbank
        type=tunnel
        left=192.168.1.16
        leftsubnet=192.168.1.0/26
        right=22.22.22.22
        rightsubnet=11.11.11.11/32
        keyexchange=ike
        auto=start
        authby=secret
        pfs=no
        compress=no
        keylife=1440m
        ikelifetime=3600s
========================================================================================

===========
VPN-FEDORA:
===========

# rpm -q openswan
openswan-2.6.29-1.fc13.i686
# uname -srvmpio
Linux 2.6.34.6-54.fc13.i686.PAE #1 SMP Sun Sep 5 17:33:43 UTC 2010
i686 i686 i386 GNU/Linux


Sniffing at firewall (Ipsec host is behind a NATd firewall):
-----------------------------------------------------------

# tshark -i eth1 esp or port 500
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
 17.442315 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
 17.455923 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
 17.462683 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
 18.950407 192.168.1.16 500 22.22.22.22 500 ISAKMP Identity Protection
(Main Mode)
 18.962636 22.22.22.22 500 192.168.1.16 500 ISAKMP Identity Protection
(Main Mode)
 18.964036 192.168.1.16 500 22.22.22.22 500 ISAKMP Identity Protection
(Main Mode)
 18.975267 22.22.22.22 500 192.168.1.16 500 ISAKMP Identity Protection
(Main Mode)
 18.977315 192.168.1.16 500 22.22.22.22 500 ISAKMP Identity Protection
(Main Mode)
 18.987846 22.22.22.22 500 192.168.1.16 500 ISAKMP Identity Protection
(Main Mode)
 18.988597 192.168.1.16 500 22.22.22.22 500 ISAKMP Quick Mode
 19.001824 22.22.22.22 500 192.168.1.16 500 ISAKMP Quick Mode
 19.010014 192.168.1.16 500 22.22.22.22 500 ISAKMP Quick Mode
 20.899162 192.168.1.16  22.22.22.22  ESP ESP (SPI=0x0ddd4294)
 20.911243 22.22.22.22  192.168.1.16  ESP ESP (SPI=0x4c1650a5)
[...] ONLY ESP PACKETS AFTER THIS....


# service ipsec start
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: Starting Openswan IPsec U2.6.29/K2.6.34.6-54.fc13.i686.PAE...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in
/proc/sys/crypto/fips_enabled

/VAR/LOG/MESSAGES:
------------------
Mar 25 19:16:18 vmvpn kernel: NET: Registered protocol family 15
Mar 25 19:16:18 vmvpn ipsec_setup: Starting Openswan IPsec
U2.6.29/K2.6.34.6-54.fc13.i686.PAE...
Mar 25 19:16:18 vmvpn ipsec_setup: Using NETKEY(XFRM) stack
Mar 25 19:16:18 vmvpn kernel: padlock: VIA PadLock not detected.
Mar 25 19:16:18 vmvpn kernel: padlock: VIA PadLock Hash Engine not detected.
Mar 25 19:16:18 vmvpn kernel: padlock: VIA PadLock not detected.
Mar 25 19:16:18 vmvpn ipsec_setup: /usr/libexec/ipsec/addconn Non-fips
mode set in /proc/sys/crypto/fips_enabled
Mar 25 19:16:18 vmvpn ipsec_setup: ...Openswan IPsec started
Mar 25 19:16:18 vmvpn ipsec__plutorun: /usr/libexec/ipsec/addconn
Non-fips mode set in /proc/sys/crypto/fips_enabled
Mar 25 19:16:18 vmvpn ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Mar 25 19:16:18 vmvpn pluto: adjusting ipsec.d to /etc/ipsec.d
Mar 25 19:16:18 vmvpn ipsec__plutorun: /usr/libexec/ipsec/addconn
Non-fips mode set in /proc/sys/crypto/fips_enabled
Mar 25 19:16:18 vmvpn ipsec__plutorun: /usr/libexec/ipsec/addconn
Non-fips mode set in /proc/sys/crypto/fips_enabled
Mar 25 19:16:18 vmvpn ipsec__plutorun: 002 added connection
description "vpnbank"
Mar 25 19:16:18 vmvpn ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
Mar 25 19:16:18 vmvpn ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1)
setup failed for new style NAT-T family IPv4 (errno=19)
Mar 25 19:16:18 vmvpn ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T
Mar 25 19:16:18 vmvpn ipsec__plutorun: 104 "vpnbank" #1: STATE_MAIN_I1: initiate


PARTIAL PS -AXF:
----------------
31571 pts/1    S      0:00 /bin/sh /usr/libexec/ipsec/_plutorun
--debug  --uniqueids yes --force_busy no --nocrsend no
--strictcrlpolicy no --nat_traversal yes --keep_alive 2 --protostack
netkey --force_keepalive yes --disable_port_floating no
--virtual_private oe=o
31575 pts/1    S      0:00  \_ /bin/sh /usr/libexec/ipsec/_plutorun
--debug  --uniqueids yes --force_busy no --nocrsend no
--strictcrlpolicy no --nat_traversal yes --keep_alive 2 --protostack
netkey --force_keepalive yes --disable_port_floating no
--virtual_private
31578 pts/1    S      0:00  |   \_ /usr/libexec/ipsec/pluto --nofork
--secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey
--uniqueids --nat_traversal --keep_alive 2 --force_keepalive
--virtual_private oe=off --nhelpers 0
31605 pts/1    S      0:00  |       \_ _pluto_adns
31576 pts/1    S      0:00  \_ /bin/sh /usr/libexec/ipsec/_plutoload
--wait no --post
31572 pts/1    S      0:00 logger -s -p daemon.error -t ipsec__plutorun


=========================
STRONGSWAN at CENTOS 7.5:
=========================

Copied IPSEC.CONF and IPSEC.SECRETS into /ETC/STRONGSWAN/.

# rpm -q strongwan
strongswan-5.7.2-1.el7.x86_64

# uname -srvmpio
Linux 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018
x86_64 x86_64 x86_64 GNU/Linux

# service ipsec start
Redirecting to /bin/systemctl stop strongswan.service


/VAR/LOG/SECURE:
----------------

Apr 10 10:10:45 vmipsec polkitd[970]: Registered Authentication Agent
for unix-process:8488:14379454 (system bus name :1.605
[/usr/bin/pkttyagent --notify-fd 5 --fallback], object path
/org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Apr 10 10:10:45 vmipsec polkitd[970]: Unregistered Authentication
Agent for unix-process:8488:14379454 (system bus name :1.605, object
path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale
en_US.UTF-8) (disconnected from bus)
Apr 10 10:10:45 vmipsec ipsec_starter[8504]: Starting strongSwan 5.7.2
IPsec [starter]...
Apr 10 10:10:45 vmipsec ipsec_starter[8504]: # deprecated keyword
'pfs' in conn 'vpnbank'
Apr 10 10:10:45 vmipsec ipsec_starter[8504]:  PFS is enabled by
specifying a DH group in the 'esp' cipher suite
Apr 10 10:10:45 vmipsec ipsec_starter[8504]: ### 1 parsing error (0 fatal) ###
Apr 10 10:10:46 vmipsec ipsec_starter[8504]: charon (8513) started after 160 ms
Apr 10 10:10:46 vmipsec charon: 07[IKE] initiating IKE_SA vpnbank[1]
to 22.22.22.22


/VAR/LOG/MESSAGES:
------------------

Apr 10 10:10:45 vmipsec systemd: Started strongSwan IPsec IKEv1/IKEv2
daemon using ipsec.conf.
Apr 10 10:10:45 vmipsec systemd: Starting strongSwan IPsec IKEv1/IKEv2
daemon using ipsec.conf...
Apr 10 10:10:45 vmipsec strongswan: Starting strongSwan 5.7.2 IPsec [starter]...
Apr 10 10:10:45 vmipsec strongswan: # deprecated keyword 'pfs' in conn 'vpnbank'
Apr 10 10:10:45 vmipsec strongswan: PFS is enabled by specifying a DH
group in the 'esp' cipher suite
Apr 10 10:10:45 vmipsec strongswan: ### 1 parsing error (0 fatal) ###
Apr 10 10:10:46 vmipsec charon: 00[DMN] Starting IKE charon daemon
(strongSwan 5.7.2, Linux 3.10.0-862.14.4.el7.x86_64, x86_64)
Apr 10 10:10:46 vmipsec charon: 00[CFG] PKCS11 module '<name>' lacks
library path
Apr 10 10:10:46 vmipsec charon: 00[LIB] openssl FIPS mode(2) - enabled
Apr 10 10:10:46 vmipsec charon: 00[CFG] loading ca certificates from
'/etc/strongswan/ipsec.d/cacerts'
Apr 10 10:10:46 vmipsec charon: 00[CFG] loading aa certificates from
'/etc/strongswan/ipsec.d/aacerts'
Apr 10 10:10:46 vmipsec charon: 00[CFG] loading ocsp signer
certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Apr 10 10:10:46 vmipsec charon: 00[CFG] loading attribute certificates
from '/etc/strongswan/ipsec.d/acerts'
Apr 10 10:10:46 vmipsec charon: 00[CFG] loading crls from
'/etc/strongswan/ipsec.d/crls'
Apr 10 10:10:46 vmipsec charon: 00[CFG] loading secrets from
'/etc/strongswan/ipsec.secrets'
Apr 10 10:10:46 vmipsec charon: 00[CFG]   loaded IKE secret for
192.168.1.16 22.22.22.22
Apr 10 10:10:46 vmipsec charon: 00[CFG] opening triplet file
/etc/strongswan/ipsec.d/triplets.dat failed: No such file or directory
Apr 10 10:10:46 vmipsec charon: 00[CFG] loaded 0 RADIUS server configurations
Apr 10 10:10:46 vmipsec charon: 00[CFG] HA config misses local/remote address
Apr 10 10:10:46 vmipsec charon: 00[CFG] no script for ext-auth script
defined, disabled
Apr 10 10:10:46 vmipsec charon: 00[LIB] loaded plugins: charon pkcs11
tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509
revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc
cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default
farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp
eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius
eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam
xauth-noauth dhcp led duplicheck unity counters
Apr 10 10:10:46 vmipsec charon: 00[JOB] spawning 16 worker threads
Apr 10 10:10:46 vmipsec strongswan: charon (8513) started after 160 ms
Apr 10 10:10:46 vmipsec charon: 05[CFG] received stroke: add
connection 'vpnbank'
Apr 10 10:10:46 vmipsec charon: 05[CFG] added configuration 'vpnbank'
Apr 10 10:10:46 vmipsec charon: 07[CFG] received stroke: initiate 'vpnbank'
Apr 10 10:10:46 vmipsec charon: 07[IKE] initiating IKE_SA vpnbank[1]
to 22.22.22.22
Apr 10 10:10:46 vmipsec charon: 07[ENC] generating IKE_SA_INIT request
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG)
N(REDIR_SUP) ]
Apr 10 10:10:46 vmipsec charon: 07[NET] sending packet: from
192.168.1.16[500] to 22.22.22.22[500] (1064 bytes)
Apr 10 10:10:50 vmipsec charon: 14[IKE] retransmit 1 of request with
message ID 0
Apr 10 10:10:50 vmipsec charon: 14[NET] sending packet: from
192.168.1.16[500] to 22.22.22.22[500] (1064 bytes)
Apr 10 10:10:57 vmipsec charon: 13[IKE] retransmit 2 of request with
message ID 0
Apr 10 10:10:57 vmipsec charon: 13[NET] sending packet: from
192.168.1.16[500] to 22.22.22.22[500] (1064 bytes)
Apr 10 10:11:10 vmipsec charon: 05[IKE] retransmit 3 of request with
message ID 0
Apr 10 10:11:10 vmipsec charon: 05[NET] sending packet: from
192.168.1.16[500] to 22.22.22.22[500] (1064 bytes)
Apr 10 10:11:33 vmipsec charon: 06[IKE] retransmit 4 of request with
message ID 0
Apr 10 10:11:33 vmipsec charon: 06[NET] sending packet: from
192.168.1.16[500] to 22.22.22.22[500] (1064 bytes)
Apr 10 10:12:15 vmipsec charon: 07[IKE] retransmit 5 of request with
message ID 0
Apr 10 10:12:15 vmipsec charon: 07[NET] sending packet: from
192.168.1.16[500] to 22.22.22.22[500] (1064 bytes)
Apr 10 10:13:31 vmipsec charon: 12[IKE] giving up after 5 retransmits
Apr 10 10:13:31 vmipsec charon: 12[IKE] peer not responding, trying again (2/3)
Apr 10 10:13:31 vmipsec charon: 12[IKE] initiating IKE_SA vpnbank[1]
to 22.22.22.22
Apr 10 10:13:31 vmipsec charon: 12[ENC] generating IKE_SA_INIT request
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG)
N(REDIR_SUP) ]
Apr 10 10:13:31 vmipsec charon: 12[NET] sending packet: from
192.168.1.16[500] to 22.22.22.22[500] (1064 bytes)
Apr 10 10:13:35 vmipsec charon: 05[IKE] retransmit 1 of request with
message ID 0
Apr 10 10:13:35 vmipsec charon: 05[NET] sending packet: from
192.168.1.16[500] to 22.22.22.22[500] (1064 bytes)
Apr 10 10:13:42 vmipsec charon: 11[IKE] retransmit 2 of request with
message ID 0
Apr 10 10:13:42 vmipsec charon: 11[NET] sending packet: from
192.168.1.16[500] to 22.22.22.22[500] (1064 bytes)
Apr 10 10:13:55 vmipsec charon: 08[IKE] retransmit 3 of request with
message ID 0
Apr 10 10:13:55 vmipsec charon: 08[NET] sending packet: from
192.168.1.16[500] to 22.22.22.22[500] (1064 bytes)
Apr 10 10:14:18 vmipsec charon: 05[IKE] retransmit 4 of request with
message ID 0
Apr 10 10:14:18 vmipsec charon: 05[NET] sending packet: from
192.168.1.16[500] to 22.22.22.22[500] (1064 bytes)
Apr 10 10:15:00 vmipsec charon: 10[IKE] retransmit 5 of request with
message ID 0
Apr 10 10:15:00 vmipsec charon: 10[NET] sending packet: from
192.168.1.16[500] to 22.22.22.22[500] (1064 bytes)
Apr 10 10:15:01 vmipsec systemd: Started Session 296 of user root.
Apr 10 10:15:01 vmipsec systemd: Starting Session 296 of user root.
Apr 10 10:16:16 vmipsec charon: 15[IKE] giving up after 5 retransmits
Apr 10 10:16:16 vmipsec charon: 15[IKE] peer not responding, trying again (3/3)


Sniffing at firewall the StrongSwan connection:
-----------------------------------------------

1051.228119 192.168.1.16 500 22.22.22.22 500 ISAKMP IKE_SA_INIT
1055.229068 192.168.1.16 500 22.22.22.22 500 ISAKMP IKE_SA_INIT
1062.429789 192.168.1.16 500 22.22.22.22 500 ISAKMP IKE_SA_INIT
1075.390638 192.168.1.16 500 22.22.22.22 500 ISAKMP IKE_SA_INIT
1098.720044 192.168.1.16 500 22.22.22.22 500 ISAKMP IKE_SA_INIT
1140.712334 192.168.1.16 500 22.22.22.22 500 ISAKMP IKE_SA_INIT
1216.298202 192.168.1.16 500 22.22.22.22 500 ISAKMP IKE_SA_INIT
1220.298804 192.168.1.16 500 22.22.22.22 500 ISAKMP IKE_SA_INIT
1227.499667 192.168.1.16 500 22.22.22.22 500 ISAKMP IKE_SA_INIT
1240.460476 192.168.1.16 500 22.22.22.22 500 ISAKMP IKE_SA_INIT
1263.789836 192.168.1.16 500 22.22.22.22 500 ISAKMP IKE_SA_INIT
1305.781652 192.168.1.16 500 22.22.22.22 500 ISAKMP IKE_SA_INIT
1381.367178 192.168.1.16 500 22.22.22.22 500 ISAKMP IKE_SA_INIT
1385.368028 192.168.1.16 500 22.22.22.22 500 ISAKMP IKE_SA_INIT
1392.568781 192.168.1.16 500 22.22.22.22 500 ISAKMP IKE_SA_INIT
1405.529837 192.168.1.16 500 22.22.22.22 500 ISAKMP IKE_SA_INIT
1428.859097 192.168.1.16 500 22.22.22.22 500 ISAKMP IKE_SA_INIT
1470.850858 192.168.1.16 500 22.22.22.22 500 ISAKMP IKE_SA_INIT

No ISAKMP Informational, ISAKMP Identity Protection (Main Mode),
ISAKMP Quick Mode and ESP packets, like in OpenSwan/Fedora !

From here I don't know how to proceed...
Could anyone point me in some direction on how to fix/adapt my
configuration (or StrongSwan cfg) to make it compatible with STRONGSWAN
at CentOS 7.5?

Thanks in advance
--Guilsson

THIS MESSAGE WITHOUT WORD WRAP: https://hastebin.com/utodajabov.sql
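
Added example (not part of the original message and not strongSwan project code): the two captures above differ in IKE version, since Main Mode and Quick Mode are IKEv1 exchanges while IKE_SA_INIT is IKEv2, and strongSwan 5.x treats keyexchange=ike as IKEv2 when initiating. The sketch below flags the two keywords from the posted config that change meaning and classifies capture lines in the format shown; the function names and the trimmed sample data are assumptions made for illustration.

```python
# Constructed samples, trimmed from the config and captures quoted in the post.
CONF = """conn vpnbank
        keyexchange=ike
        pfs=no
"""
CAP_OPENSWAN = """\
 18.950407 192.168.1.16 500 22.22.22.22 500 ISAKMP Identity Protection (Main Mode)
 18.962636 22.22.22.22 500 192.168.1.16 500 ISAKMP Identity Protection (Main Mode)
 18.988597 192.168.1.16 500 22.22.22.22 500 ISAKMP Quick Mode
"""
CAP_STRONGSWAN = "1051.228119 192.168.1.16 500 22.22.22.22 500 ISAKMP IKE_SA_INIT\n"
# Exchange names that identify the IKE version (Informational exists in both).
IKE_VERSION = {"Main Mode": 1, "Aggressive": 1, "Quick Mode": 1,
               "IKE_SA_INIT": 2, "IKE_AUTH": 2, "CREATE_CHILD_SA": 2}

def parse_conn(text):
    """Parse an ipsec.conf fragment into {conn_name: {keyword: value}}."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.startswith("conn "):
            cur = conns.setdefault(line.split()[1], {})
        elif cur is not None and line[:1].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            cur[key.strip()] = value.strip()
    return conns

def migration_findings(conn):
    """Flag keywords that strongSwan 5.x treats differently from Openswan 2.6."""
    found = {}
    if conn.get("keyexchange", "ike") == "ike":
        found["keyexchange"] = "'ike' initiates IKEv2; 'ikev1' selects IKEv1"
    if "pfs" in conn:
        found["pfs"] = "deprecated; PFS comes from a DH group in 'esp'"
    return found

def summarize(capture, local_ip):
    """Return (IKE versions seen, True if the peer sent any ISAKMP packet)."""
    versions, peer_replied = set(), False
    for fields in map(str.split, capture.splitlines()):
        if len(fields) >= 7 and fields[5] == "ISAKMP":
            kind = " ".join(fields[6:])
            versions |= {v for name, v in IKE_VERSION.items() if name in kind}
            peer_replied |= fields[1] != local_ip
    return versions, peer_replied

if __name__ == "__main__":
    print(migration_findings(parse_conn(CONF)["vpnbank"]))
    print(summarize(CAP_OPENSWAN, "192.168.1.16"), summarize(CAP_STRONGSWAN, "192.168.1.16"))
```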

