[strongSwan] Connecting but not connected

Stephen Feyrer stephen.feyrer at greensill.com
Thu Aug 15 18:48:35 CEST 2019


Hi there,

I have found this informative page:  wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

I am unable to establish a connection: connecting but not connected.  Please help.

Thus please find the required details below:

Logs
Aug 15 17:13:30 Ubuntu-18 sudo[1932]:  user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/sbin/ipsec restart
Aug 15 17:13:30 Ubuntu-18 sudo[1932]: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 15 17:13:30 Ubuntu-18 ipsec_starter[1818]: charon stopped after 200 ms
Aug 15 17:13:30 Ubuntu-18 ipsec_starter[1818]: ipsec starter stopped
Aug 15 17:13:32 Ubuntu-18 ipsec_starter[1933]: Starting weakSwan 5.6.2 IPsec [starter]...
Aug 15 17:13:32 Ubuntu-18 sudo[1932]: pam_unix(sudo:session): session closed for user root
Aug 15 17:13:32 Ubuntu-18 audit[1962]: AVC apparmor="ALLOWED" operation="mknod" profile="/usr/lib/ipsec/charon" name="/var/log/charon_debug.log" pid=1962 comm="charon" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Aug 15 17:13:32 Ubuntu-18 audit[1962]: AVC apparmor="ALLOWED" operation="open" profile="/usr/lib/ipsec/charon" name="/var/log/charon_debug.log" pid=1962 comm="charon" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Aug 15 17:13:32 Ubuntu-18 kernel: audit: type=1400 audit(1565885612.563:84): apparmor="ALLOWED" operation="mknod" profile="/usr/lib/ipsec/charon" name="/var/log/charon_debug.log" pid=1962 comm="charon" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Aug 15 17:13:32 Ubuntu-18 kernel: audit: type=1400 audit(1565885612.563:85): apparmor="ALLOWED" operation="open" profile="/usr/lib/ipsec/charon" name="/var/log/charon_debug.log" pid=1962 comm="charon" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Aug 15 17:13:32 Ubuntu-18 ipsec_starter[1961]: charon (1962) started after 40 ms
Aug 15 17:13:38 Ubuntu-18 sudo[1979]:  user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/sbin/ipsec up officeVPN
Aug 15 17:13:38 Ubuntu-18 sudo[1979]: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 15 17:13:46 Ubuntu-18 sudo[1985]:  user : TTY=pts/2 ; PWD=/home/user ; USER=root ; COMMAND=/usr/sbin/ipsec statusall
Aug 15 17:13:46 Ubuntu-18 sudo[1985]: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 15 17:13:46 Ubuntu-18 sudo[1985]: pam_unix(sudo:session): session closed for user root
Aug 15 17:14:44 Ubuntu-18 sudo[1979]: pam_unix(sudo:session): session closed for user root


Configuration

/etc/ipsec.conf
conn officeVPN
    aggressive=yes
    keyexchange=ikev1
    type=tunnel
    authby=secret
    ike=aes128-sha1-modp2048
    left=%defaultroute
    leftsourceip=%config
    modeconfig=push
    leftprotoport=udp/%any
    right=50.45.0.51
    rightsubnet=192.168.50.0/24
    rightprotoport=udp/%any
    rightid=196.198.128.64
    auto=add
    xauth_identity=user

/etc/strongswan.conf
charon {
        keep_alive=0
        i_dont_care_about_security_and_use_aggressive_mode_psk=yes
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        filelog {
            /var/log/charon_debug.log {
                    time_format = %a, %Y-%m-%d %R
                    default = 2
                    mgr = 0
                    net = 1
                    enc = 1
                    asn = 1
                    job = 1
                    ike_name = yes
                    append = no
                    flush_line = yes
            }
         }

}


$ sudo ipsec statusall
Status of IKE charon daemon (weakSwan 5.6.2, Linux 5.0.0-23-generic, x86_64):
  uptime: 14 seconds, since Aug 15 17:13:32 2019
  malloc: sbrk 2162688, mmap 0, used 572608, free 1590080
  worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke vici updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  10.0.0.3
Connections:
officeVPN:  %any...50.45.0.51  IKEv1 Aggressive
officeVPN:   local:  [10.0.0.3] uses pre-shared key authentication
officeVPN:   remote: [196.198.128.64] uses pre-shared key authentication
officeVPN:   child:  dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
officeVPN[1]: ESTABLISHED 8 seconds ago, 10.0.0.3[10.0.0.3]...50.45.0.51[196.198.128.64]
officeVPN[1]: IKEv1 SPIs: <SANITISED VALUE>_i* <SANITISED VALUE>_r, pre-shared key reauthentication in 2 hours
officeVPN[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
officeVPN[1]: Tasks queued: QUICK_MODE


$ sudo iptables-save
# Generated by iptables-save v1.6.1 on Thu Aug 15 12:11:29 2019
*nat
:PREROUTING ACCEPT [114:18309]
:INPUT ACCEPT [71:7900]
:OUTPUT ACCEPT [734:82033]
:POSTROUTING ACCEPT [734:82033]
-A POSTROUTING -o enp4s0 -j MASQUERADE
-A POSTROUTING -o enp4s0 ! -p esp -j SNAT --to-source 50.45.0.51
COMMIT
# Completed on Thu Aug 15 12:11:29 2019
# Generated by iptables-save v1.6.1 on Thu Aug 15 12:11:29 2019
*filter
:INPUT ACCEPT [1033:70520]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [485:53012]
-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m udp -m udp --dport 1701 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -p udp -m policy --dir out --pol ipsec -m udp --dport 1701 -j ACCEPT
-A OUTPUT -p udp -m udp -m udp --dport 1701 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p ah -j ACCEPT
COMMIT
# Completed on Thu Aug 15 12:11:29 2019

$ sudo ip6tables-save
# Generated by ip6tables-save v1.6.1 on Thu Aug 15 17:18:10 2019
*filter
:INPUT ACCEPT [61:9719]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [107:13371]
COMMIT
# Completed on Thu Aug 15 17:18:10 2019


$ ip route show table all
default via 10.0.0.1 dev wlp2s0 proto dhcp metric 600
169.254.0.0/16 dev wlp2s0 scope link metric 1000
10.0.0.0/28 dev wlp2s0 proto kernel scope link src 10.0.0.3 metric 600
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 10.0.0.0 dev wlp2s0 table local proto kernel scope link src 10.0.0.3
local 10.0.0.3 dev wlp2s0 table local proto kernel scope host src 10.0.0.3
broadcast 10.0.0.15 dev wlp2s0 table local proto kernel scope link src 10.0.0.3
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev wlp2s0 proto kernel metric 256 pref medium
fe80::/64 dev wlp2s0 proto kernel metric 600 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local <SANITISED VALUE> dev wlp2s0 table local proto kernel metric 0 pref medium
ff00::/8 dev wlp2s0 table local metric 256 pref medium


$ ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether <SANITISED VALUE> brd ff:ff:ff:ff:ff:ff
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether <SANITISED VALUE> brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.3/28 brd 10.0.0.15 scope global dynamic noprefixroute wlp2s0
       valid_lft 83281sec preferred_lft 83281sec
    inet6 <SANITISED VALUE>/64 scope link noprefixroute
       valid_lft forever preferred_lft forever


$ sudo ipsec up officeVPN
initiating Aggressive Mode IKE_SA officeVPN[1] to 50.45.0.51
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 10.0.0.3[500] to 50.45.0.51[500] (548 bytes)
received packet: from 50.45.0.51[500] to 10.0.0.3[500] (564 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: <SANITISED VALUE>
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
local host is behind NAT, sending keep alives
remote host is behind NAT
IKE_SA officeVPN[1] established between 10.0.0.3[10.0.0.3]...50.45.0.51[196.198.128.64]
scheduling reauthentication in 9883s
maximum IKE_SA lifetime 10423s
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (108 bytes)
received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (76 bytes)
parsed TRANSACTION request 2194615948 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 2194615948 [ HASH CP ]
sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (76 bytes)
received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 3863129339 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 608732088 [ HASH N(DPD_ACK) ]
sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (92 bytes)


Please help, thank you.


--
Kind regards

Stephen Feyrer


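As an added example, not part of the original post and not strongSwan's own code: a small Python script that reads the `ipsec statusall` excerpt and the `conn officeVPN` block quoted above, reports which IKEv1 phase the tunnel is stuck in (IKE_SA established but no CHILD_SA, with QUICK_MODE still queued), and flags the conn settings that weaken or narrow the exchange (aggressive mode with a pre-shared key, the setting strongSwan makes you enable with `i_dont_care_about_security_and_use_aggressive_mode_psk`; SHA-1 in the IKE proposal; `protoport=udp/%any` on both sides). The sample strings are constructed from the post's excerpts; the state names and finding labels are this example's own convention, not strongSwan output.

```python
"""Added example, not part of the original post or of strongSwan itself.
Reads `ipsec statusall` output and an ipsec.conf conn block, reports which
IKEv1 phase the tunnel is stuck in, and flags conn settings that weaken the
exchange. Sample inputs are constructed from the post's excerpts; the state
names and finding labels are this example's own convention."""
import re

# Constructed sample: the Security Associations part of the posted statusall.
STATUSALL = """\
Security Associations (1 up, 0 connecting):
officeVPN[1]: ESTABLISHED 8 seconds ago, 10.0.0.3[10.0.0.3]...50.45.0.51[196.198.128.64]
officeVPN[1]: IKEv1 SPIs: aaaaaaaa_i* bbbbbbbb_r, pre-shared key reauthentication in 2 hours
officeVPN[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
officeVPN[1]: Tasks queued: QUICK_MODE
"""

# Constructed sample: the posted conn, trimmed to the keys this lint looks at.
IPSEC_CONF = """\
conn officeVPN
    aggressive=yes
    keyexchange=ikev1
    authby=secret
    ike=aes128-sha1-modp2048
    leftprotoport=udp/%any
    rightprotoport=udp/%any
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for each `conn` section."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        head = re.match(r"^conn\s+(\S+)", line)
        if head:
            current = conns.setdefault(head.group(1), {})
            continue
        kv = re.match(r"^\s+(\w+)\s*=\s*(.*)$", line)
        if kv and current is not None:
            current[kv.group(1)] = kv.group(2).strip()
    return conns


def sa_state(status_text, conn):
    """Classify one conn from statusall lines.

    'down'                        no IKE_SA
    'ike-only'                    IKE_SA ESTABLISHED, no CHILD_SA
    'ike-only-quick-mode-pending' same, with QUICK_MODE still queued
    'up'                          a CHILD_SA line '<conn>{n}: INSTALLED' exists
    """
    name = re.escape(conn)
    ike_up = child_up = quick_pending = False
    for line in status_text.splitlines():
        if re.match(rf"^{name}\[\d+\]: ESTABLISHED", line):
            ike_up = True
        elif re.match(rf"^{name}\{{\d+\}}:\s+INSTALLED", line):
            child_up = True
        elif re.match(rf"^{name}\[\d+\]: Tasks queued:.*\bQUICK_MODE\b", line):
            quick_pending = True
    if child_up:
        return "up"
    if ike_up:
        return "ike-only-quick-mode-pending" if quick_pending else "ike-only"
    return "down"


def lint_conn(conn):
    """Flag settings that weaken or narrow the IKEv1 exchange."""
    findings = []
    if conn.get("keyexchange") == "ikev1" and conn.get("aggressive") == "yes":
        if conn.get("authby") == "secret":
            findings.append("aggressive-mode-psk: responder HASH_R derived from the "
                            "PSK travels unencrypted, allowing offline PSK cracking")
        else:
            findings.append("aggressive-mode: identities are sent unencrypted")
    for proposal in conn.get("ike", "").split(","):
        algs = proposal.strip().rstrip("!").split("-")
        if any(a == "sha1" or a.startswith("md5") for a in algs):
            findings.append(f"weak-ike-integrity: {proposal.strip()}")
        if any(a in ("modp768", "modp1024") for a in algs):
            findings.append(f"weak-ike-dh-group: {proposal.strip()}")
    for side in ("left", "right"):
        pp = conn.get(f"{side}protoport")
        if pp and not pp.startswith("%any") and not pp.startswith("0/"):
            findings.append(f"protoport-narrows-policy: {side}protoport={pp} "
                            "limits the IPsec policy to that protocol/port")
    return findings


if __name__ == "__main__":
    for name, conn in parse_ipsec_conf(IPSEC_CONF).items():
        print(f"{name}: {sa_state(STATUSALL, name)}")
        for finding in lint_conn(conn):
            print(f"  - {finding}")
```

On a live host, feed it the output of `sudo ipsec statusall` and the contents of `/etc/ipsec.conf` instead of the embedded samples. An IKE_SA shown as ESTABLISHED with `Tasks queued: QUICK_MODE` and no `officeVPN{n}: INSTALLED` line means phase 1 and the XAuth transaction completed but no CHILD_SA was negotiated, which is what "connecting but not connected" looks like in strongSwan's status output; the lint findings are the settings a reviewer would question first, not a diagnosis of why Quick Mode did not proceed.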