[strongSwan] Strongswan 5.8 broke my setup
sashka76 at hotmail.com
Mon Jul 8 15:36:31 CEST 2019
Ok... I've spent a few nights setting it up the old way.
Now the new way does not work... :-(((
Can you please maybe give me a hint as to why?
: PSK "<key>"
version = 1
remote_addrs = <remote-ip>
proposals = 3des-sha1-modp1536
auth = psk
auth = psk
mode = transport
esp_proposals = 3des-sha1
remote_ts = 0.0.0.0/0
secret = <key>
I get a virtually identical output until - see in red:
old - working
ipsec: 01[IKE] IKE_SA myvpn established between <local-ip>[<local-ip>]...<remote-ip>[<remote-ip>]
ipsec: 01[IKE] scheduling reauthentication in 10104s
ipsec: 01[IKE] maximum IKE_SA lifetime 10644s
ipsec: 01[ENC] generating QUICK_MODE request 2607643999 [ HASH SA No ID ID NAT-OA NAT-OA ]
ipsec: 01[NET] sending packet: from <local-ip> to <remote-ip> (188 bytes)
ipsec: 06[NET] received packet: from <remote-ip> to <local-ip> (204 bytes)
ipsec: 06[ENC] parsed QUICK_MODE response 2607643999 [ HASH SA No ID ID N((24576)) NAT-OA NAT-OA ]
ipsec: 06[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
new - non-working
[IKE] IKE_SA myvpn established between <local-ip>[<local-ip>]...<remote-ip>[<remote-ip>]
[IKE] scheduling rekeying in 14101s
[IKE] maximum IKE_SA lifetime 15541s
[ENC] generating QUICK_MODE request 2783263997 [ HASH SA No ID ID NAT-OA NAT-OA ]
01[NET] sending packet: from <local-ip> to <remote-ip> (188 bytes)
06[NET] received packet: from <remote-ip> to <local-ip> (84 bytes)
[ENC] parsed INFORMATIONAL_V1 request 394177358 [ HASH D ]
[IKE] received DELETE for IKE_SA myvpn
[IKE] deleting IKE_SA myvpn between <local-ip>[<local-ip>]...<remote-ip>[<remote-ip>]
initiate failed: establishing CHILD_SA 'myvpn' failed
Something wrong with <key>? If I use the wrong key on purpose, I get the same result: immediate failure. Quotes / no quotes don't make a difference
From: Andreas Steffen <andreas.steffen at strongswan.org>
Sent: Monday, 8 July 2019 17:19
To: A P; users at lists.strongswan.org
Subject: Re: [strongSwan] Strongswan 5.8 broke my setup
since strongSwan 5.8 is a major version we made the following changes
to the naming of the strongSwan systemd service files:
systemctl start strongswan now starts the charon-systemd daemon which
communicates via the vici interface e.g. using the swanctl command
systemctl start strongswan-swanctl is now an alias for
systemctl start strongswan
The old behaviour with the starter process spawning the charon daemon
which in turn communicates via the whack interface can be retained
just by executing
systemctl start strongswan-starter
Sorry for the inconvenience but vici and swanctl.conf has been our
preferred way of managing strongSwan for the last few years and this
is a further step to make it our default. Nevertheless we are still
committed to support the old whack and ipsec.conf interface.
On 07.07.19 17:50, A P wrote:
> I used to do:
> systemctl restart strongswan
> systemctl restart xl2tpd
> ipsec up myvpn
> Now the last step produces nothing!
> The difference in the logs:
> - new log (broken setup) has these, which old (working) does not have:
> swanctl: no files found matching '/etc/swanctl/conf.d/*.conf'
> swanctl: no authorities found, 0 unloaded
> swanctl: no pools found, 0 unloaded
> swanctl: no connections found, 0 unloaded
> - old log (working) has these, which new one (broken) never has:
> ipsec: charon (1601) started after 20 ms
> ipsec_starter: charon (1601) started after 20 ms
> charon: 07[CFG] received stroke: add connection 'myvpn'
> charon: 07[CFG] added configuration 'myvpn'
> Why did you have to break things?
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org<http://www.strongswan.org>
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users