[strongSwan] Ubuntu and openswan migration to strongswan

Rudi Barnard rudi at flickswitch.co.za
Sun Feb 17 10:04:22 CET 2019


Thank you for the feedback. Greatly appreciated.

The rightsubnet was just a typing error when replacing the actual IP with
a/b:

1) What we use is: rightsubnet=a.a.a.a/32,b.b.b.b/32
2) Please see below extract from charon log
3) 2x different subnets to access on right. Have read the FAQ and
understand Unity is only for roadwarrior (this is site to site). Therefore
we need to "define a separate child SA per subnet pair". I assumed the
following:

conn conn1
        rightsubnet=a.a.a.a/32

conn conn2
        also=conn1
        rightsubnet=b.b.b.b/32

4) Yes, this connection is ancient. Once we have strongSwan up and running,
I will propose to the customer that we upgrade the auth and encryption
algorithms.
5) Yes, will disable unity as this is site-to-site.
6) Changed logging as instructed.
7) Changed back to auto=start.
8) Did a scratch install of strongSwan and am using the config files as per
the wiki.

Here are the logs, ipsec statusall and ip xfrm policy:

tail: charon-debug-log: file truncated
Sun, 2019-02-17 08:38 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2,
Linux 4.15.0-45-generic, x86_64)
Sun, 2019-02-17 08:38 00[LIB] plugin 'test-vectors': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'unbound': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'ldap': loaded successfully
Sun, 2019-02-17 08:38 00[CFG] PKCS11 module '<name>' lacks library path
Sun, 2019-02-17 08:38 00[LIB] plugin 'pkcs11': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'tpm': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'aesni': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'aes': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'rc2': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'sha2': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'sha1': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'md4': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'md5': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'mgf1': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'rdrand': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] detected RDRAND support, enabled
Sun, 2019-02-17 08:38 00[LIB] plugin 'random': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'nonce': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'x509': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'revocation': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'constraints': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'acert': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'pubkey': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'pkcs1': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'pkcs7': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'pkcs8': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'pkcs12': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'pgp': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'dnskey': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'sshkey': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'dnscert': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'ipseckey': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'pem': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'openssl': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'gcrypt': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'af-alg': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'fips-prf': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'gmp': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'curve25519': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'agent': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'chapoly': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'xcbc': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'cmac': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'hmac': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'ctr': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'ccm': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'gcm': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'ntru': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'bliss': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'curl': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'soup': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'mysql': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] using SQLite 3.22.0, thread safety 1
Sun, 2019-02-17 08:38 00[LIB] plugin 'sqlite': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'attr': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'attr-sql': loaded successfully
Sun, 2019-02-17 08:38 00[CFG] disabling load-tester plugin, not configured
Sun, 2019-02-17 08:38 00[LIB] plugin 'load-tester': failed to load -
load_tester_plugin_create returned NULL
Sun, 2019-02-17 08:38 00[LIB] plugin 'kernel-netlink': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'resolve': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'socket-default': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'connmark': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'farp': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'stroke': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'vici': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'sql': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'updown': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-identity': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-sim': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-sim-file': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-sim-pcsc': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-aka': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-aka-3gpp2': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-simaka-sql': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-simaka-pseudonym': loaded
successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-simaka-reauth': loaded
successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-md5': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-gtc': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-mschapv2': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-dynamic': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-radius': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-tls': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-ttls': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-peap': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'eap-tnc': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'xauth-generic': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'xauth-eap': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'xauth-pam': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'xauth-noauth': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'tnc-tnccs': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'tnccs-20': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'tnccs-11': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'tnccs-dynamic': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'dhcp': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'ha': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'whitelist': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'lookip': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'error-notify': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'certexpire': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'systime-fix': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'led': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'coupling': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'radattr': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'addrblock': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'unity': loaded successfully
Sun, 2019-02-17 08:38 00[LIB] plugin 'counters': loaded successfully
Sun, 2019-02-17 08:38 00[KNL] known interfaces and IP addresses:
Sun, 2019-02-17 08:38 00[KNL]   lo
Sun, 2019-02-17 08:38 00[KNL]     127.0.0.1
Sun, 2019-02-17 08:38 00[KNL]     ::1
Sun, 2019-02-17 08:38 00[KNL]   eth0
Sun, 2019-02-17 08:38 00[KNL]     172.x.x.x
Sun, 2019-02-17 08:38 00[KNL]     fe80::4fe:14ff:fe20:3d30
Sun, 2019-02-17 08:38 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet
dependency: PUBKEY:DSA
Sun, 2019-02-17 08:38 00[CFG] loading unbound resolver config from
'/etc/resolv.conf'
Sun, 2019-02-17 08:38 00[CFG] loading unbound trust anchors from
'/etc/ipsec.d/dnssec.keys'
Sun, 2019-02-17 08:38 00[CFG] dnscert plugin is disabled
Sun, 2019-02-17 08:38 00[CFG] loading unbound resolver config from
'/etc/resolv.conf'
Sun, 2019-02-17 08:38 00[CFG] loading unbound trust anchors from
'/etc/ipsec.d/dnssec.keys'
Sun, 2019-02-17 08:38 00[CFG] ipseckey plugin is disabled
Sun, 2019-02-17 08:38 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet
dependency: PRIVKEY:DSA
Sun, 2019-02-17 08:38 00[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin
'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST
Sun, 2019-02-17 08:38 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_224
in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224
Sun, 2019-02-17 08:38 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_256
in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256
Sun, 2019-02-17 08:38 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_384
in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384
Sun, 2019-02-17 08:38 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_512
in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_512
Sun, 2019-02-17 08:38 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_224
in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224
Sun, 2019-02-17 08:38 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_256
in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256
Sun, 2019-02-17 08:38 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_384
in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384
Sun, 2019-02-17 08:38 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_512
in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_512
Sun, 2019-02-17 08:38 00[LIB] feature PRIVKEY_SIGN:BLISS_WITH_SHA3_256 in
plugin 'bliss' has unmet dependency: HASHER:HASH_SHA3_256
Sun, 2019-02-17 08:38 00[LIB] feature PRIVKEY_SIGN:BLISS_WITH_SHA3_384 in
plugin 'bliss' has unmet dependency: HASHER:HASH_SHA3_384
Sun, 2019-02-17 08:38 00[LIB] feature PRIVKEY_SIGN:BLISS_WITH_SHA3_512 in
plugin 'bliss' has unmet dependency: HASHER:HASH_SHA3_512
Sun, 2019-02-17 08:38 00[LIB] feature PUBKEY_VERIFY:BLISS_WITH_SHA3_256 in
plugin 'bliss' has unmet dependency: HASHER:HASH_SHA3_256
Sun, 2019-02-17 08:38 00[LIB] feature PUBKEY_VERIFY:BLISS_WITH_SHA3_384 in
plugin 'bliss' has unmet dependency: HASHER:HASH_SHA3_384
Sun, 2019-02-17 08:38 00[LIB] feature PUBKEY_VERIFY:BLISS_WITH_SHA3_512 in
plugin 'bliss' has unmet dependency: HASHER:HASH_SHA3_512
Sun, 2019-02-17 08:38 00[CFG] attr-sql plugin: database URI not set
Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:attr-sql in plugin 'attr-sql'
failed to load
Sun, 2019-02-17 08:38 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Sun, 2019-02-17 08:38 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Sun, 2019-02-17 08:38 00[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'
Sun, 2019-02-17 08:38 00[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
Sun, 2019-02-17 08:38 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sun, 2019-02-17 08:38 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sun, 2019-02-17 08:38 00[CFG]   loaded IKE secret for 52.x.x.x 196.y.y.y
Sun, 2019-02-17 08:38 00[CFG] sql plugin: database URI not set
Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:sql in plugin 'sql' failed to
load
Sun, 2019-02-17 08:38 00[CFG] opening triplet file
/etc/ipsec.d/triplets.dat failed: No such file or directory
Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:eap-sim-file-triplets in
plugin 'eap-sim-file' failed to load
Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:sim-card in plugin
'eap-sim-file' has unmet dependency: CUSTOM:eap-sim-file-triplets
Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:sim-provider in plugin
'eap-sim-file' has unmet dependency: CUSTOM:eap-sim-file-triplets
Sun, 2019-02-17 08:38 00[CFG] eap-simaka-sql database URI missing
Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:eap-simaka-sql-db in plugin
'eap-simaka-sql' failed to load
Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:aka-card in plugin
'eap-simaka-sql' has unmet dependency: CUSTOM:eap-simaka-sql-db
Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:sim-card in plugin
'eap-simaka-sql' has unmet dependency: CUSTOM:eap-simaka-sql-db
Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:aka-provider in plugin
'eap-simaka-sql' has unmet dependency: CUSTOM:eap-simaka-sql-db
Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:sim-provider in plugin
'eap-simaka-sql' has unmet dependency: CUSTOM:eap-simaka-sql-db
Sun, 2019-02-17 08:38 00[CFG] loaded 0 RADIUS server configurations
Sun, 2019-02-17 08:38 00[CFG] HA config misses local/remote address
Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:ha in plugin 'ha' failed to
load
Sun, 2019-02-17 08:38 00[CFG] no threshold configured for systime-fix,
disabled
Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:systime-fix in plugin
'systime-fix' failed to load
Sun, 2019-02-17 08:38 00[CFG] coupling file path unspecified
Sun, 2019-02-17 08:38 00[LIB] feature CUSTOM:coupling in plugin 'coupling'
failed to load
Sun, 2019-02-17 08:38 00[LIB] unloading plugin 'attr-sql' without loaded
features
Sun, 2019-02-17 08:38 00[LIB] unloading plugin 'sql' without loaded features
Sun, 2019-02-17 08:38 00[LIB] unloading plugin 'eap-sim-file' without
loaded features
Sun, 2019-02-17 08:38 00[LIB] unloading plugin 'eap-simaka-sql' without
loaded features
Sun, 2019-02-17 08:38 00[LIB] unloading plugin 'ha' without loaded features
Sun, 2019-02-17 08:38 00[LIB] unloading plugin 'systime-fix' without loaded
features
Sun, 2019-02-17 08:38 00[LIB] unloading plugin 'coupling' without loaded
features
Sun, 2019-02-17 08:38 00[LIB] loaded plugins: charon test-vectors unbound
ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce
x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp
curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup
mysql sqlite attr kernel-netlink resolve socket-default connmark farp
stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic
dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
counters
Sun, 2019-02-17 08:38 00[LIB] unable to load 30 plugin features (23 due to
unmet dependencies)
Sun, 2019-02-17 08:38 00[LIB] dropped capabilities, running as uid 0, gid 0
Sun, 2019-02-17 08:38 00[JOB] spawning 16 worker threads
Sun, 2019-02-17 08:38 01[LIB] created thread 01 [31726]
Sun, 2019-02-17 08:38 06[LIB] created thread 06 [31730]
Sun, 2019-02-17 08:38 03[LIB] created thread 03 [31728]
Sun, 2019-02-17 08:38 04[LIB] created thread 04 [31729]
Sun, 2019-02-17 08:38 05[LIB] created thread 05 [31725]
Sun, 2019-02-17 08:38 02[LIB] created thread 02 [31727]
Sun, 2019-02-17 08:38 07[LIB] created thread 07 [31731]
Sun, 2019-02-17 08:38 08[LIB] created thread 08 [31732]
Sun, 2019-02-17 08:38 09[LIB] created thread 09 [31733]
Sun, 2019-02-17 08:38 10[LIB] created thread 10 [31724]
Sun, 2019-02-17 08:38 11[LIB] created thread 11 [31734]
Sun, 2019-02-17 08:38 12[LIB] created thread 12 [31735]
Sun, 2019-02-17 08:38 13[LIB] created thread 13 [31723]
Sun, 2019-02-17 08:38 14[LIB] created thread 14 [31722]
Sun, 2019-02-17 08:38 15[LIB] created thread 15 [31721]
Sun, 2019-02-17 08:38 16[LIB] created thread 16 [31720]
Sun, 2019-02-17 08:38 05[CFG] received stroke: add connection 'Conn1'
Sun, 2019-02-17 08:38 05[CFG] conn Conn1
Sun, 2019-02-17 08:38 05[CFG]   left=%any
Sun, 2019-02-17 08:38 05[CFG]   leftsubnet=52.y.x.y/32
Sun, 2019-02-17 08:38 05[CFG]   leftauth=psk
Sun, 2019-02-17 08:38 05[CFG]   leftid=52.x.x.x
Sun, 2019-02-17 08:38 05[CFG]   right=196.y.y.y
Sun, 2019-02-17 08:38 05[CFG]   rightsubnet=a.a.a.a/32
Sun, 2019-02-17 08:38 05[CFG]   rightauth=psk
Sun, 2019-02-17 08:38 05[CFG]   rightid=196.y.y.y
Sun, 2019-02-17 08:38 05[CFG]   ike=3des-md5-modp1024
Sun, 2019-02-17 08:38 05[CFG]   esp=3des-md5-modp1024
Sun, 2019-02-17 08:38 05[CFG]   dpddelay=300
Sun, 2019-02-17 08:38 05[CFG]   dpdtimeout=150
Sun, 2019-02-17 08:38 05[CFG]   dpdaction=1
Sun, 2019-02-17 08:38 05[CFG]   sha256_96=no
Sun, 2019-02-17 08:38 05[CFG]   mediation=no
Sun, 2019-02-17 08:38 05[CFG]   keyexchange=ikev1
Sun, 2019-02-17 08:38 05[KNL] 196.y.y.y is not a local address or the
interface is down
Sun, 2019-02-17 08:38 05[CFG] added configuration 'Conn1'
Sun, 2019-02-17 08:38 11[CFG] received stroke: initiate 'Conn1'
Sun, 2019-02-17 08:38 11[KNL] <Conn1|1> using 172.x.x.x as address to reach
196.y.y.y/32
Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> queueing ISAKMP_VENDOR task
Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> queueing ISAKMP_CERT_PRE task
Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> queueing MAIN_MODE task
Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> queueing ISAKMP_CERT_POST task
Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> queueing ISAKMP_NATD task
Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> queueing QUICK_MODE task
Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> activating new tasks
Sun, 2019-02-17 08:38 11[IKE] <Conn1|1>   activating ISAKMP_VENDOR task
Sun, 2019-02-17 08:38 11[IKE] <Conn1|1>   activating ISAKMP_CERT_PRE task
Sun, 2019-02-17 08:38 11[IKE] <Conn1|1>   activating MAIN_MODE task
Sun, 2019-02-17 08:38 11[IKE] <Conn1|1>   activating ISAKMP_CERT_POST task
Sun, 2019-02-17 08:38 11[IKE] <Conn1|1>   activating ISAKMP_NATD task
Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> sending XAuth vendor ID
Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> sending DPD vendor ID
Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> sending FRAGMENTATION vendor ID
Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> sending NAT-T (RFC 3947) vendor ID
Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> sending
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> initiating Main Mode IKE_SA
Conn1[1] to 196.y.y.y
Sun, 2019-02-17 08:38 11[IKE] <Conn1|1> IKE_SA Conn1[1] state change:
CREATED => CONNECTING
Sun, 2019-02-17 08:38 11[CFG] <Conn1|1> configured proposals:
IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Sun, 2019-02-17 08:38 11[ENC] <Conn1|1> generating ID_PROT request 0 [ SA V
V V V V ]
Sun, 2019-02-17 08:38 11[NET] <Conn1|1> sending packet: from 172.x.x.x[500]
to 196.y.y.y[500] (236 bytes)
Sun, 2019-02-17 08:38 12[CFG] received stroke: add connection 'Conn1-host2'
Sun, 2019-02-17 08:38 12[CFG] conn Conn1-host2
Sun, 2019-02-17 08:38 12[CFG]   left=%any
Sun, 2019-02-17 08:38 12[CFG]   leftsubnet=52.y.x.y/32
Sun, 2019-02-17 08:38 12[CFG]   leftauth=psk
Sun, 2019-02-17 08:38 12[CFG]   leftid=52.x.x.x
Sun, 2019-02-17 08:38 12[CFG]   right=196.y.y.y
Sun, 2019-02-17 08:38 12[CFG]   rightsubnet=b.b.b.b/32
Sun, 2019-02-17 08:38 12[CFG]   rightauth=psk
Sun, 2019-02-17 08:38 12[CFG]   rightid=196.y.y.y
Sun, 2019-02-17 08:38 12[CFG]   ike=3des-md5-modp1024
Sun, 2019-02-17 08:38 12[CFG]   esp=3des-md5-modp1024
Sun, 2019-02-17 08:38 12[CFG]   dpddelay=300
Sun, 2019-02-17 08:38 12[CFG]   dpdtimeout=150
Sun, 2019-02-17 08:38 12[CFG]   dpdaction=1
Sun, 2019-02-17 08:38 12[CFG]   sha256_96=no
Sun, 2019-02-17 08:38 12[CFG]   mediation=no
Sun, 2019-02-17 08:38 12[CFG]   keyexchange=ikev1
Sun, 2019-02-17 08:38 12[KNL] 196.y.y.y is not a local address or the
interface is down
Sun, 2019-02-17 08:38 12[CFG] added child to existing configuration 'Conn1'
Sun, 2019-02-17 08:38 09[CFG] received stroke: initiate 'Conn1-host2'
Sun, 2019-02-17 08:38 09[IKE] <Conn1|1> queueing QUICK_MODE task
Sun, 2019-02-17 08:38 09[IKE] <Conn1|1> delaying task initiation, ID_PROT
exchange in progress
Sun, 2019-02-17 08:38 13[IKE] <Conn1|1> sending retransmit 1 of request
message ID 0, seq 1
Sun, 2019-02-17 08:38 13[NET] <Conn1|1> sending packet: from 172.x.x.x
as9[500] to 196.y.y.y[500] (236 bytes)
Sun, 2019-02-17 08:38 14[NET] <2> received packet: from 196.y.y.y[500] to
172.x.x.x[500] (168 bytes)
Sun, 2019-02-17 08:38 14[ENC] <2> parsed ID_PROT request 0 [ SA V V V V ]
Sun, 2019-02-17 08:38 14[CFG] <2> looking for an ike config for
172.x.x.x...196.y.y.y
Sun, 2019-02-17 08:38 14[CFG] <2>   candidate: %any...196.y.y.y, prio 2076
Sun, 2019-02-17 08:38 14[CFG] <2> found matching ike config:
%any...196.y.y.y with prio 2076
Sun, 2019-02-17 08:38 14[IKE] <2> received DPD vendor ID
Sun, 2019-02-17 08:38 14[IKE] <2> received FRAGMENTATION vendor ID
Sun, 2019-02-17 08:38 14[IKE] <2> received FRAGMENTATION vendor ID
Sun, 2019-02-17 08:38 14[ENC] <2> received unknown vendor ID:
82:x:x:x:x:x:x:xe
Sun, 2019-02-17 08:38 14[IKE] <2> 196.y.y.y is initiating a Main Mode IKE_SA
Sun, 2019-02-17 08:38 14[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED
=> CONNECTING
Sun, 2019-02-17 08:38 14[CFG] <2> selecting proposal:
Sun, 2019-02-17 08:38 14[CFG] <2>   proposal matches
Sun, 2019-02-17 08:38 14[CFG] <2> received proposals:
IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Sun, 2019-02-17 08:38 14[CFG] <2> configured proposals:
IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Sun, 2019-02-17 08:38 14[CFG] <2> selected proposal:
IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Sun, 2019-02-17 08:38 14[IKE] <2> sending XAuth vendor ID
Sun, 2019-02-17 08:38 14[IKE] <2> sending DPD vendor ID
Sun, 2019-02-17 08:38 14[IKE] <2> sending FRAGMENTATION vendor ID
Sun, 2019-02-17 08:38 14[ENC] <2> generating ID_PROT response 0 [ SA V V V ]
Sun, 2019-02-17 08:38 14[NET] <2> sending packet: from 172.x.x.x[500] to
196.y.y.y[500] (140 bytes)
Sun, 2019-02-17 08:38 15[NET] <2> received packet: from 196.y.y.y[500] to
172.x.x.x[500] (180 bytes)
Sun, 2019-02-17 08:38 15[ENC] <2> parsed ID_PROT request 0 [ KE No ]
Sun, 2019-02-17 08:38 15[LIB] <2> size of DH secret exponent: 1023 bits
Sun, 2019-02-17 08:38 15[CFG] <2>   candidate "Conn1", match: 1/1/2076
(me/other/ike)
Sun, 2019-02-17 08:38 15[ENC] <2> generating ID_PROT response 0 [ KE No ]
Sun, 2019-02-17 08:38 15[NET] <2> sending packet: from 172.x.x.x[500] to
196.y.y.y[500] (196 bytes)
Sun, 2019-02-17 08:38 16[NET] <2> received packet: from 196.y.y.y[500] to
172.x.x.x[500] (92 bytes)
Sun, 2019-02-17 08:38 16[ENC] <2> parsed ID_PROT request 0 [ ID HASH
N(INITIAL_CONTACT) ]
Sun, 2019-02-17 08:38 16[CFG] <2> looking for pre-shared key peer configs
matching 172.x.x.x...196.y.y.y[196.y.y.y]
Sun, 2019-02-17 08:38 16[CFG] <2>   candidate "Conn1", match: 1/20/2076
(me/other/ike)
Sun, 2019-02-17 08:38 16[CFG] <2> selected peer config "Conn1"
Sun, 2019-02-17 08:38 16[IKE] <Conn1|2> IKE_SA Conn1[2] established between
172.x.x.x[52.x.x.x]...196.y.y.y[196.y.y.y]
Sun, 2019-02-17 08:38 16[IKE] <Conn1|2> IKE_SA Conn1[2] state change:
CONNECTING => ESTABLISHED
Sun, 2019-02-17 08:38 16[ENC] <Conn1|2> generating ID_PROT response 0 [ ID
HASH ]
Sun, 2019-02-17 08:38 16[NET] <Conn1|2> sending packet: from 172.x.x.x[500]
to 196.y.y.y[500] (68 bytes)
Sun, 2019-02-17 08:38 02[NET] <Conn1|2> received packet: from
196.y.y.y[500] to 172.x.x.x[500] (84 bytes)
Sun, 2019-02-17 08:38 02[ENC] <Conn1|2> parsed INFORMATIONAL_V1 request
908762055 [ HASH N(DPD) ]
Sun, 2019-02-17 08:38 02[IKE] <Conn1|2> queueing ISAKMP_DPD task
Sun, 2019-02-17 08:38 02[IKE] <Conn1|2> activating new tasks
Sun, 2019-02-17 08:38 02[IKE] <Conn1|2>   activating ISAKMP_DPD task
Sun, 2019-02-17 08:38 02[ENC] <Conn1|2> generating INFORMATIONAL_V1 request
3433674651 [ HASH N(DPD_ACK) ]
Sun, 2019-02-17 08:38 02[NET] <Conn1|2> sending packet: from 172.x.x.x[500]
to 196.y.y.y[500] (84 bytes)
Sun, 2019-02-17 08:38 02[IKE] <Conn1|2> activating new tasks
Sun, 2019-02-17 08:38 02[IKE] <Conn1|2> nothing to initiate
Sun, 2019-02-17 08:38 07[IKE] <Conn1|1> sending retransmit 2 of request
message ID 0, seq 1
Sun, 2019-02-17 08:38 07[NET] <Conn1|1> sending packet: from 172.x.x.x[500]
to 196.y.y.y[500] (236 bytes)
Sun, 2019-02-17 08:38 11[NET] <Conn1|2> received packet: from
196.y.y.y[500] to 172.x.x.x[500] (84 bytes)
Sun, 2019-02-17 08:38 11[ENC] <Conn1|2> parsed INFORMATIONAL_V1 request
4267393360 [ HASH N(DPD) ]
Sun, 2019-02-17 08:38 11[IKE] <Conn1|2> queueing ISAKMP_DPD task
Sun, 2019-02-17 08:38 11[IKE] <Conn1|2> activating new tasks
Sun, 2019-02-17 08:38 11[IKE] <Conn1|2>   activating ISAKMP_DPD task
Sun, 2019-02-17 08:38 11[ENC] <Conn1|2> generating INFORMATIONAL_V1 request
2158128673 [ HASH N(DPD_ACK) ]
Sun, 2019-02-17 08:38 11[NET] <Conn1|2> sending packet: from 172.x.x.x[500]
to 196.y.y.y[500] (84 bytes)
Sun, 2019-02-17 08:38 11[IKE] <Conn1|2> activating new tasks
Sun, 2019-02-17 08:38 11[IKE] <Conn1|2> nothing to initiate
Sun, 2019-02-17 08:39 08[NET] <Conn1|2> received packet: from
196.y.y.y[500] to 172.x.x.x[500] (84 bytes)
Sun, 2019-02-17 08:39 08[ENC] <Conn1|2> parsed INFORMATIONAL_V1 request
2882714032 [ HASH N(DPD) ]
Sun, 2019-02-17 08:39 08[IKE] <Conn1|2> queueing ISAKMP_DPD task
Sun, 2019-02-17 08:39 08[IKE] <Conn1|2> activating new tasks
Sun, 2019-02-17 08:39 08[IKE] <Conn1|2>   activating ISAKMP_DPD task
Sun, 2019-02-17 08:39 08[ENC] <Conn1|2> generating INFORMATIONAL_V1 request
2370486549 [ HASH N(DPD_ACK) ]
Sun, 2019-02-17 08:39 08[NET] <Conn1|2> sending packet: from 172.x.x.x[500]
to 196.y.y.y[500] (84 bytes)
Sun, 2019-02-17 08:39 08[IKE] <Conn1|2> activating new tasks
Sun, 2019-02-17 08:39 08[IKE] <Conn1|2> nothing to initiate
Sun, 2019-02-17 08:39 12[IKE] <Conn1|1> sending retransmit 3 of request
message ID 0, seq 1
Sun, 2019-02-17 08:39 12[NET] <Conn1|1> sending packet: from 172.x.x.x[500]
to 196.y.y.y[500] (236 bytes)
Sun, 2019-02-17 08:39 09[NET] <Conn1|2> received packet: from
196.y.y.y[500] to 172.x.x.x[500] (84 bytes)
Sun, 2019-02-17 08:39 09[ENC] <Conn1|2> parsed INFORMATIONAL_V1 request
2027095304 [ HASH N(DPD) ]
Sun, 2019-02-17 08:39 09[IKE] <Conn1|2> queueing ISAKMP_DPD task
Sun, 2019-02-17 08:39 09[IKE] <Conn1|2> activating new tasks
Sun, 2019-02-17 08:39 09[IKE] <Conn1|2>   activating ISAKMP_DPD task
Sun, 2019-02-17 08:39 09[ENC] <Conn1|2> generating INFORMATIONAL_V1 request
249435543 [ HASH N(DPD_ACK) ]
Sun, 2019-02-17 08:39 09[NET] <Conn1|2> sending packet: from 172.x.x.x[500]
to 196.y.y.y[500] (84 bytes)
Sun, 2019-02-17 08:39 09[IKE] <Conn1|2> activating new tasks
Sun, 2019-02-17 08:39 09[IKE] <Conn1|2> nothing to initiate

ipsec statusall

Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic,
x86_64):
  uptime: 10 minutes, since Feb 17 08:38:41 2019
  malloc: sbrk 2363392, mmap 532480, used 1495312, free 868080
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 1
  loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2
sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints
acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey
pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac
hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink
resolve socket-default connmark farp stroke vici updown eap-identity
eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym
eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius
eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam
xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist
lookip error-notify certexpire led radattr addrblock unity counters
Listening IP addresses:
  172.x.x.x
Connections:
 MTC-Namibia:  %any...196.y.y.y  IKEv1, dpddelay=300s
 MTC-Namibia:   local:  [52.x.x.x] uses pre-shared key authentication
 MTC-Namibia:   remote: [196.y.y.y] uses pre-shared key authentication
 MTC-Namibia:   child:  52.y.x.y/32 === a.a.a.a/32 TUNNEL, dpdaction=clear
MTC-Namibia-host2:   child:  52.y.x.y/32 === b.b.b.b/32 TUNNEL,
dpdaction=clear
Security Associations (1 up, 0 connecting):
 MTC-Namibia[2]: ESTABLISHED 10 minutes ago,
172.x.x.x[52.x.x.x]...196.y.y.y[196.y.y.y]
 MTC-Namibia[2]: IKEv1 SPIs: 3e88119e85b0d723_i a89707f016ee42b4_r*,
rekeying disabled
 MTC-Namibia[2]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024

ip xfrm policy
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0

ipsec.conf

# basic configuration

config setup
#       strictcrlpolicy=yes
        uniqueids = no
        charondebug="ike 1, knl 1, cfg 2"

# Add connections here.
conn Conn1
        auto=start
        compress=no
        type=tunnel
        keyexchange=ikev1
        fragmentation=yes
        forceencaps=yes
        dpdaction=clear
        dpddelay=300s
        rekey=no
        aggressive=no
        ike=3des-md5-modp1024
        ikelifetime=86400s
        esp=3des-md5-modp1024
        lifetime=3600s
        leftauth=psk
        left=%defaultroute
        leftid=52.x.x.x
        leftsubnet=52.y.x.y/32
        rightauth=psk
        right=196.y.y.y
        rightid=196.y.y.y
        rightsubnet=a.a.a.a/32

conn Conn1-host2
        also=Conn1
        rightsubnet=b.b.b.b/32
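The three outputs above show the symptom in one place: `ipsec statusall` lists an IKE SA but no CHILD_SA, `ip xfrm policy` holds only the per-socket bypass policies that exist on every host, and ike=/esp= are built from 3DES, MD5 and MODP1024. As an added example (not code from this thread or from the strongSwan project), the script below reads those three texts and reports exactly those conditions. The function names are hypothetical; the sample inputs are constructed from the output above with the x/y placeholders kept, and the "healthy" samples show the CHILD_SA and `dir in/out/fwd` lines a working tunnel prints, with assumed SPI and priority values.

```python
"""Sanity checks for an IKEv1 site-to-site tunnel on strongSwan.

Added example (not from the original thread or the strongSwan project):
given the text of `ipsec statusall`, `ip xfrm policy` and ipsec.conf it
reports (a) an IKE SA with no CHILD_SA, (b) a kernel holding only the
per-socket bypass policies, and (c) deprecated ike=/esp= algorithms.
Function names are hypothetical; samples are constructed from the thread.
"""
import re

# ipsec.conf keywords the strongSwan IKEv1CipherSuites page marks as weak.
WEAK_ALGS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}


def parse_statusall(text):
    """Collect IKE SAs (' name[n]: ESTABLISHED ...') and CHILD_SAs
    (' name{n}:  INSTALLED, ...') from the Security Associations section."""
    sas = {"ike": [], "child": []}
    in_section = False
    for line in text.splitlines():
        if line.startswith("Security Associations"):
            in_section = True
            continue
        if not in_section:
            continue
        m = re.match(r"\s*(\S+?)\[(\d+)\]:\s+ESTABLISHED", line)
        if m:
            sas["ike"].append((m.group(1), int(m.group(2))))
        m = re.match(r"\s*(\S+?)\{(\d+)\}:\s+INSTALLED", line)
        if m:
            sas["child"].append((m.group(1), int(m.group(2))))
    return sas


def parse_xfrm_policies(text):
    """Count tunnel policies (dir in/out/fwd); the 'socket in/out' entries
    are bypass policies present on every host and prove nothing."""
    return sum(1 for l in text.splitlines() if re.match(r"\s*dir (in|out|fwd)\b", l))


def weak_algorithms(proposal):
    """Weak keywords in an ike=/esp= value such as '3des-md5-modp1024'."""
    return [alg for suite in proposal.split(",")
            for alg in suite.lower().split("-") if alg in WEAK_ALGS]


def diagnose(statusall, xfrm_policy, conf):
    """Return a list of human-readable findings; empty means all checks passed."""
    findings = []
    sas = parse_statusall(statusall)
    if sas["ike"] and not sas["child"]:
        findings.append("IKE SA established but no CHILD_SA installed: no tunnel")
    if parse_xfrm_policies(xfrm_policy) == 0:
        findings.append("kernel has no tunnel policies, only socket policies")
    for key in ("ike", "esp"):
        m = re.search(r"^\s*%s\s*=\s*(\S+)" % key, conf, re.M)
        if m and weak_algorithms(m.group(1)):
            findings.append("%s= uses deprecated algorithms: %s"
                            % (key, ", ".join(weak_algorithms(m.group(1)))))
    return findings


# --- Constructed samples (taken from the thread's output, placeholders kept) ---
STATUSALL_BROKEN = """\
Security Associations (1 up, 0 connecting):
 MTC-Namibia[2]: ESTABLISHED 10 minutes ago, 172.x.x.x[52.x.x.x]...196.y.y.y[196.y.y.y]
 MTC-Namibia[2]: IKEv1 SPIs: 3e88119e85b0d723_i a89707f016ee42b4_r*, rekeying disabled
 MTC-Namibia[2]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
"""
# Same IKE lines plus the CHILD_SA lines a working tunnel prints (SPIs assumed).
STATUSALL_OK = STATUSALL_BROKEN + """\
 MTC-Namibia{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1a2b3c4_i d5e6f7a8_o
 MTC-Namibia{1}:   52.y.x.y/32 === a.a.a.a/32
"""
XFRM_BROKEN = """\
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
"""
# Bypass policies plus the out/fwd/in tunnel policies (priority value assumed).
XFRM_OK = XFRM_BROKEN + """\
src 52.y.x.y/32 dst a.a.a.a/32
        dir out priority 367231 ptype main
        tmpl src 172.x.x.x dst 196.y.y.y
                proto esp reqid 1 mode tunnel
src a.a.a.a/32 dst 52.y.x.y/32
        dir fwd priority 367231 ptype main
src a.a.a.a/32 dst 52.y.x.y/32
        dir in priority 367231 ptype main
"""
CONF_BROKEN = "conn Conn1\n        ike=3des-md5-modp1024\n        esp=3des-md5-modp1024\n"
CONF_OK = "conn Conn1\n        ike=aes256-sha256-modp2048\n        esp=aes256-sha256-modp2048\n"

if __name__ == "__main__":
    for finding in diagnose(STATUSALL_BROKEN, XFRM_BROKEN, CONF_BROKEN):
        print("FAIL:", finding)
    print("healthy config clean:", diagnose(STATUSALL_OK, XFRM_OK, CONF_OK) == [])
```

In practice you would feed the script the real command output (`ipsec statusall`, `ip xfrm policy`, the ipsec.conf text) rather than the embedded samples; the point of the CHILD_SA check is that an ESTABLISHED line alone, as in the output above, only proves the IKE SA exists.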

On Sun, Feb 17, 2019 at 12:35 AM Noel Kuntze
<noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:

> Hello,
>
> 1)
> > Security Associations (1 up, 0 connecting):
> >  Conn1[3]: ESTABLISHED 2 seconds ago,
> 196.y.y.y[52.x.x.x]...196.y.y.y[196.y.y.y]
> >  Conn1:[3]: IKEv1 SPIs: 003afabcd1191ddf_i f84ca9def5333a82_r*, rekeying
> disabled
> >  Conn1:[3]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
>
> That is only an IKE SA, not a CHILD SA. The CHILD SA is the actual tunnel.
> The IKE SA is only used to manage the CHILD_SAs and to generally
> communicate between the IKE daemons on the different hosts.
>
> 2) You provide no logs so it's impossible to tell what exactly goes wrong.
>
> Your configuration with
> >         rightsubnet=a.a.a.a/b.b.b.b/32
> is INVALID.
>
> a.a.a.a/b.b.b.b/32 does NOT represent a valid subnet.
>
> 3) Your configuration by default does not permit several different
> subnets because only one pair of subnets is listed
>    In order to configure a site-to-site tunnel with several subnets and
> IKEv1, you have to follow the scheme shown in the UsableExamples[1] article
> or
>    (try to) apply the information shown in the specific article in the
> FAQ[2].
>
> 4) All of your configured cryptographic algorithms are deprecated and
> vulnerable. Every. Single. One. And the way you're using it makes the VPN
> slow.
>    Transition to secure ones as shown in the UsableExamples article's
> Site-to-Site section[3] or pick a secure pair from the IKEv1CipherList[4].
>
> 5) The Unity plugin is only used when you have a roadwarrior style
> configuration in which you request a virtual IP from the peer.
>    This is documented on the wiki[5].
>
> 6) Your logging settings will not write much useful information into any
> log file or syslog. Always use the configuration[6] shown in the
> HelpRequests article.
>
> 7) The way you configured the tunnel makes it NOT recover on failures.
> Apply the information from the SecurityRecommendations[7] article.
> > # Add connections here.
> > conn Conn1
> >         auto=start
>
> 8) There's an article[8] in the FAQ regarding configuration compatibility
> with FreeS/WAN, Openswan and Libreswan.
>    Quote:
> > They are not compatible. Although the format of /ipsec.conf/ is
> identical between the different swans, the files are not compatible,
> because several options have different meanings and a variety of different
> > options are absent from some versions and others exist. Do not attempt
> to reuse configuration files between different swans.
>
> Please use the wiki. It exists for a reason. There's even an article
> regarding getting help[9]. Use it.
>
> Kind regards
>
> Noel
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
> [2]
> https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Multiple-subnets-per-SA
> [3]
> https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Site-To-Site-Scenario
> [4] https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites
> [5]
> https://wiki.strongswan.org/projects/strongswan/wiki/UnityPlugin#Configuration
> [6]
> https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests#Configuration-snippets
> [7]
> https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#Tunnel-Shunting
> [8]
> https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#configuration-compatibility-with-FreeSWAN-Openswan-and-Libreswan
> [9] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>
> On 16.02.19 at 20:59, Rudi Barnard wrote:
> > Issue seems to do with the Cisco Unity plugin as we are trying to
> connect to multiple right subnets... All the VPNs we are connecting to are
> Cisco.
> > Have updated charon.conf and strongswan.conf with cisco_unity=yes but
> still same issue. Only 1 tunnel comes up but ip xfrm policy shows no entry.
> >
> > On Sat, Feb 16, 2019 at 5:04 PM Kostya Vasilyev <kman at fastmail.com
> <mailto:kman at fastmail.com>> wrote:
> >
> >
> >     On Sat, Feb 16, 2019, at 10:09 AM, Rudi Barnard wrote:
> >>     Hi,
> >>
> >>     Have been using openswan on Ubuntu 14.04 on AWS EC2 for site to
> site connections (Ikev1 + PSK).
> >>     Recently upgraded an image of the Ubuntu EC2 instance from 14.04 to
> 18.04.
> >>     Result is that openswan gets replaced with Strongswan. I eventually
> did a scratch install of strongswan and also installed the Cisco plugin for
> multiple subnet support.
> >>
> >>     Now testing one of the MANY VPNs we have previously setup on
> openswan.
> >>     Tunnels are up but ip xfrm policy / state shows no entry and
> therefore I assume that there is config issue.
> >>
> >>     Very new with Strongswan so not sure where to start troubleshooting.
> >>
> >>     Thanks.
> >>
> >>     [snip]
> >>
> >
> >     I'm a newbie too, but ... anything interesting in the logs?
> >
> >     journalctl -f -u strongswan
> >
> >     And then force a reconnect from a client.
> >
> >     ---
> >
> >     By the way, this is like a plague that gets copied from tutorial to
> tutorial:
> >
> >             charondebug="ike 1, knl 1, cfg 0"
> >
> >     You may want to set "cfg" log level to 1 or even 2 (and the others
> too) for troubleshooting.
> >
> >     -- K
> >
>