[strongSwan] Migrating from OpenSwan/Fedora 13 to StrongSwan/CentOS 7.5
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Apr 10 20:21:13 CEST 2019
Hi Guilsson,
Please follow the instructions on the HelpRequests[1] page and when you request help here, provide all data listed on that page.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests <https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests#Configuration-snippets>
On 10.04.19 at 18:21, guilsson at gmail.com wrote:
> Hi Kostya/Everyone
>
> (1- Firewall): It's not a firewall issue. Because the old machine
> still connects successfully, the permissions are ok. In fact, this IP
> (192.168.1.16) has full internet access.
>
> (2 - Key exchange version): DONE
>
> (3 - Proposal / SA encryption defaults): DONE
>
> Resulting ipsec.conf:
> =====================
> conn vpnbank
>     type=tunnel
>     left=192.168.1.16
>     leftsubnet=192.168.1.0/26
>     right=22.22.22.22
>     rightsubnet=11.11.11.11/32
>     # keyexchange=ike
>     auto=start
>     authby=secret
>     pfs=no
>     compress=no
>     keylife=1440m
>     ikelifetime=3600s
>     keyexchange=ikev1
>     ike=aes128-sha1-modp1024,aes128-md5-modp1024,3des-sha1-modp1024,3des-md5-modp1024
>     esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
> =====================
>
> The sniffing at the firewall:
> =========================
> # tshark -i eth1 esp or port 500 or port 4500
> Running as user "root" and group "root". This could be dangerous.
> Capturing on eth1
> 0.000000 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 0.000399 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 0.014435 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 2.180599 192.168.1.16 500 22.22.22.22 500 ISAKMP Identity Protection (Main Mode)
> 2.191741 22.22.22.22 500 192.168.1.16 500 ISAKMP Identity Protection (Main Mode)
> 2.193680 192.168.1.16 500 22.22.22.22 500 ISAKMP Identity Protection (Main Mode)
> 2.205169 22.22.22.22 500 192.168.1.16 500 ISAKMP Identity Protection (Main Mode)
> 2.207159 192.168.1.16 500 22.22.22.22 500 ISAKMP Identity Protection (Main Mode)
> 2.218048 22.22.22.22 500 192.168.1.16 500 ISAKMP Identity Protection (Main Mode)
> 2.219140 192.168.1.16 500 22.22.22.22 500 ISAKMP Quick Mode
> 2.233076 22.22.22.22 500 192.168.1.16 500 ISAKMP Quick Mode
> 2.235664 192.168.1.16 500 22.22.22.22 500 ISAKMP Quick Mode
> 13.521578 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 13.522616 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 33.519399 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 33.520586 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 53.517667 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 53.519306 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 73.515940 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 73.517926 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 93.514266 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 93.515698 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 113.512031 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 113.513269 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 133.510302 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 133.511590 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 153.509694 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 153.510983 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 173.506067 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 173.507505 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 193.504186 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 193.505426 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 213.503207 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 213.504344 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 233.500579 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 233.501965 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
>
> [...] STAYS FOREVER REPEATING EVERY 20 SECONDS...
>
>
> NICE. NOW, these packets are exactly the same as OLD Fedora/OpenSwan!!! :)
> 3 Informational, 6 Main Mode and 3 Quick Mode.
> BUT no ESP packets :(
> Only ISAKMP Informational stays forever.
>
>
> Here is the /var/log/secure:
> =========================
> Apr 10 12:57:33 vmipsec polkitd[970]: Registered Authentication Agent for unix-process:9263:15380241 (system bus name :1.646 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> Apr 10 12:57:33 vmipsec polkitd[970]: Unregistered Authentication Agent for unix-process:9263:15380241 (system bus name :1.646, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
> Apr 10 12:57:33 vmipsec ipsec_starter[9279]: Starting strongSwan 5.7.2 IPsec [starter]...
> Apr 10 12:57:33 vmipsec ipsec_starter[9279]: # deprecated keyword 'pfs' in conn 'vpnbank'
> Apr 10 12:57:33 vmipsec ipsec_starter[9279]: PFS is enabled by specifying a DH group in the 'esp' cipher suite
> Apr 10 12:57:33 vmipsec ipsec_starter[9279]: ### 1 parsing error (0 fatal) ###
> Apr 10 12:57:34 vmipsec ipsec_starter[9279]: charon (9288) started after 160 ms
> Apr 10 12:57:34 vmipsec charon: 06[IKE] initiating Main Mode IKE_SA vpnbank[1] to 22.22.22.22
> Apr 10 12:57:34 vmipsec charon: 10[IKE] IKE_SA vpnbank[1] established between 192.168.1.16[192.168.1.16]...22.22.22.22[22.22.22.22]
> Apr 10 12:57:34 vmipsec charon: 11[IKE] CHILD_SA vpnbank{1} established with SPIs c43a1aaa_i cf6683fa_o and TS 192.168.1.0/26 === 11.11.11.11/32
>
>
> Here is the /var/log/messages:
> ===========================
> Attached: migrating-openswan-to-strongswan-v2.txt
>
> I think we are almost there...
> Only ESP packets need to be present...
>
> Any hint, please?
>
> Thanks in advance,
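The symptom in the quoted report is a CHILD_SA that charon logs as established while the capture shows only ISAKMP and never ESP. As an added example, not code from the thread or from strongSwan, the Python below pairs the two sources: it parses charon's CHILD_SA line for its SPIs and traffic selectors, looks for those SPIs in tshark's ESP rows, and reports any negotiated SA that never carries traffic. The capture rows and log lines are constructed copies in the shape the thread shows (the ESP rows are invented to exercise the healthy case).

```python
import re
from collections import Counter
# Constructed samples in the shape of the thread's tshark summary and charon log lines.
CAPTURE_NO_ESP = """\
0.000000 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
0.014435 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
2.180599 192.168.1.16 500 22.22.22.22 500 ISAKMP Identity Protection (Main Mode)
2.191741 22.22.22.22 500 192.168.1.16 500 ISAKMP Identity Protection (Main Mode)
2.219140 192.168.1.16 500 22.22.22.22 500 ISAKMP Quick Mode
2.233076 22.22.22.22 500 192.168.1.16 500 ISAKMP Quick Mode
13.521578 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
"""
# Same exchange followed by constructed ESP rows (no ports; tshark prints the SPI in Info).
CAPTURE_WITH_ESP = CAPTURE_NO_ESP + """\
3.100000 192.168.1.16 22.22.22.22 ESP ESP (SPI=0xcf6683fa)
3.120000 22.22.22.22 192.168.1.16 ESP ESP (SPI=0xc43a1aaa)
"""
CHARON_LOG = """\
Apr 10 12:57:34 vmipsec charon: 10[IKE] IKE_SA vpnbank[1] established between 192.168.1.16[192.168.1.16]...22.22.22.22[22.22.22.22]
Apr 10 12:57:34 vmipsec charon: 11[IKE] CHILD_SA vpnbank{1} established with SPIs c43a1aaa_i cf6683fa_o and TS 192.168.1.0/26 === 11.11.11.11/32
"""
# Ports are optional so one pattern covers UDP/500 ISAKMP rows and port-less ESP rows.
CAP_RE = re.compile(r"^(?P<t>\d+\.\d+)\s+(?P<src>\S+)\s+(?:\d+\s+)?(?P<dst>\S+)\s+(?:\d+\s+)?"
                    r"(?P<proto>[A-Z]+)\s*(?P<info>.*)$")
SA_RE = re.compile(r"CHILD_SA (?P<conn>\S+) established with SPIs (?P<spi_in>[0-9a-f]+)_i "
                   r"(?P<spi_out>[0-9a-f]+)_o and TS (?P<local>\S+) === (?P<remote>\S+)")

def count_packets(capture):
    """Count capture rows by (protocol, info), e.g. ('ISAKMP', 'Quick Mode')."""
    counts = Counter()
    for line in capture.splitlines():
        m = CAP_RE.match(line.strip())
        if m:
            counts[(m["proto"], m["info"].strip())] += 1
    return counts

def child_sas(log):
    """Every CHILD_SA the daemon reported as established, with its SPIs and selectors."""
    return [m.groupdict() for m in SA_RE.finditer(log)]

def esp_spis(capture):
    """SPIs seen in ESP rows, as lower-case hex without the 0x prefix."""
    return {m.group(1).lower() for m in re.finditer(r"ESP \(SPI=0x([0-9a-fA-F]+)\)", capture)}

def triage(capture, log):
    """Flag CHILD_SAs whose SPIs never appear on the wire: negotiated, but never used."""
    seen = esp_spis(capture)
    idle = [sa for sa in child_sas(log) if sa["spi_in"] not in seen and sa["spi_out"] not in seen]
    return {"packets": count_packets(capture), "esp_spis": seen, "idle_child_sas": idle}
```

An SA reported as idle means no packet matching its selectors (here 192.168.1.0/26 to 11.11.11.11/32) was ever protected by it, so the next check is whether anything on the left side actually sends traffic to that destination through this host.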