[strongSwan] Strongswan 5.8 broke my setup

A P sashka76 at hotmail.com
Mon Jul 8 15:58:48 CEST 2019


Actually, there is also an earlier discrepancy:

good: generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ] (100 bytes)
vs
bad: generating ID_PROT request 0 [ ID HASH ] (68 bytes)

________________________________
From: Users <users-bounces at lists.strongswan.org> on behalf of A P <sashka76 at hotmail.com>
Sent: Monday, 8 July 2019 23:36
To: users at lists.strongswan.org
Subject: Re: [strongSwan] Strongswan 5.8 broke my setup

Ok... I've spent a few nights setting it up the old way.
Now the new way does not work... :-(((

Can you please maybe give me a hint as to why?


Old ipsec.conf:

conn myvpn
  keyexchange=ikev1
  left=%defaultroute
  auto=add
  authby=secret
  type=transport
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=<remote-ip>
  rightsubnet=0.0.0.0/0
  ike=3des-sha1-modp1536!
  esp=3des-sha1!

Old ipsec.secrets:
 : PSK "<key>"


New swanctl.conf:

connections {
  myvpn {
    version = 1
    remote_addrs = <remote-ip>
    proposals = 3des-sha1-modp1536

    local {
      auth = psk
    }
    remote {
      auth = psk
    }

    children {
      myvpn {
        mode = transport
        esp_proposals = 3des-sha1
        remote_ts = 0.0.0.0/0
      }
    }
  }
}

secrets {
  ike {
    secret = <key>
  }
}



I get a virtually identical output until this point (see in red):

old - working
...
ipsec[1592]: 01[IKE] IKE_SA myvpn[1] established between <local-ip>[<local-ip>]...<remote-ip>[<remote-ip>]
ipsec[1592]: 01[IKE] scheduling reauthentication in 10104s
ipsec[1592]: 01[IKE] maximum IKE_SA lifetime 10644s
ipsec[1592]: 01[ENC] generating QUICK_MODE request 2607643999 [ HASH SA No ID ID NAT-OA NAT-OA ]
ipsec[1592]: 01[NET] sending packet: from <local-ip>[4500] to <remote-ip>[4500] (188 bytes)
ipsec[1592]: 06[NET] received packet: from <remote-ip>[4500] to <local-ip>[4500] (204 bytes)
ipsec[1592]: 06[ENC] parsed QUICK_MODE response 2607643999 [ HASH SA No ID ID N((24576)) NAT-OA NAT-OA ]
ipsec[1592]: 06[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ


new - non-working
...
[IKE] IKE_SA myvpn[1] established between <local-ip>[<local-ip>]...<remote-ip>[<remote-ip>]
[IKE] scheduling rekeying in 14101s
[IKE] maximum IKE_SA lifetime 15541s
[ENC] generating QUICK_MODE request 2783263997 [ HASH SA No ID ID NAT-OA NAT-OA ]
01[NET] sending packet: from <local-ip>[4500] to <remote-ip>[4500] (188 bytes)
06[NET] received packet: from <remote-ip>[4500] to <local-ip>[4500] (84 bytes)
[ENC] parsed INFORMATIONAL_V1 request 394177358 [ HASH D ]
[IKE] received DELETE for IKE_SA myvpn[1]
[IKE] deleting IKE_SA myvpn[1] between <local-ip>[<local-ip>]...<remote-ip>[<remote-ip>]
initiate failed: establishing CHILD_SA 'myvpn' failed



Something wrong with <key>? If I use the wrong key on purpose, I get the same result: immediate failure. Quotes / no quotes don't make a difference.
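Editor's note, not part of the thread: the old ipsec.conf above restricts both traffic selectors with leftprotoport=17/1701 and rightprotoport=17/1701 (UDP/1701, the L2TP port), and the posted swanctl.conf carries no equivalent. In swanctl.conf that restriction is written as part of the traffic selector, e.g. local_ts = dynamic[udp/1701] and remote_ts = 0.0.0.0/0[udp/1701]; whether that difference is what makes the responder delete the SA here is not established in the thread. The converter below is an added example (not strongSwan's own tooling) that maps the ipsec.conf keys used in this thread onto the swanctl.conf form, including the protoport-to-traffic-selector mapping; the sample conn, its 203.0.113.10 address and the traffic_selector() helper are constructed for illustration, and only the authby=secret case is handled.

```python
"""Convert a minimal ipsec.conf conn (IKEv1, PSK, transport) to swanctl.conf syntax.

Added example for the thread above; not strongSwan's own code.
"""
import re
from typing import Dict, Tuple

# Constructed sample mirroring the "old" configuration posted in the thread.
# The remote address is a documentation (TEST-NET-3) placeholder, not a real peer.
SAMPLE_IPSEC_CONF = """\
conn myvpn
  keyexchange=ikev1
  left=%defaultroute
  auto=add
  authby=secret
  type=transport
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=203.0.113.10
  rightsubnet=0.0.0.0/0
  ike=3des-sha1-modp1536!
  esp=3des-sha1!
"""

# swanctl accepts raw protocol numbers too; names are just more readable.
PROTO_NAMES = {"6": "tcp", "17": "udp"}


def parse_conn(text: str) -> Tuple[str, Dict[str, str]]:
    """Return (conn name, {key: value}) for the first conn section in an ipsec.conf."""
    name = None
    keys: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            if name is not None:
                break                           # only the first conn is converted
            name = m.group(1)
            continue
        if name is None or "=" not in line:
            continue
        k, v = line.split("=", 1)
        keys[k.strip()] = v.strip()
    if name is None:
        raise ValueError("no conn section found")
    return name, keys


def traffic_selector(keys: Dict[str, str], side: str) -> str:
    """Build a swanctl traffic selector from <side>subnet and <side>protoport.

    Without a subnet, ipsec.conf selects the host's own address, which swanctl
    spells 'dynamic'. A protoport of proto/port becomes the [proto/port] suffix.
    """
    net = keys.get(f"{side}subnet", "dynamic")
    protoport = keys.get(f"{side}protoport")
    if not protoport:
        return net
    proto, _, port = protoport.partition("/")
    proto = PROTO_NAMES.get(proto, proto)
    if port in ("", "%any"):                    # protocol restriction only
        return f"{net}[{proto}]"
    return f"{net}[{proto}/{port}]"


def convert(text: str) -> str:
    """Render the swanctl.conf 'connections' section for a PSK conn."""
    name, k = parse_conn(text)
    if k.get("authby") != "secret":
        raise ValueError("only authby=secret is handled in this example")
    version = {"ikev1": "1", "ikev2": "2"}.get(k.get("keyexchange", "ike"), "0")
    out = ["connections {", f"  {name} {{", f"    version = {version}"]
    if k.get("right") not in (None, "%any"):
        out.append(f"    remote_addrs = {k['right']}")
    if "ike" in k:                              # trailing '!' (strict) has no swanctl form
        out.append(f"    proposals = {k['ike'].rstrip('!')}")
    out += ["    local {", "      auth = psk", "    }",
            "    remote {", "      auth = psk", "    }",
            "    children {", f"      {name} {{",
            f"        mode = {k.get('type', 'tunnel')}"]
    if "esp" in k:
        out.append(f"        esp_proposals = {k['esp'].rstrip('!')}")
    out.append(f"        local_ts = {traffic_selector(k, 'left')}")
    out.append(f"        remote_ts = {traffic_selector(k, 'right')}")
    out += ["      }", "    }", "  }", "}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(convert(SAMPLE_IPSEC_CONF))
```

Run stand-alone it prints a connections block whose child carries local_ts = dynamic[udp/1701] and remote_ts = 0.0.0.0/0[udp/1701]; the PSK itself still has to be placed in the secrets section by hand. After editing /etc/swanctl/swanctl.conf, swanctl --load-all followed by swanctl --list-conns shows whether the traffic selectors were taken as intended before initiating.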




________________________________
From: Andreas Steffen <andreas.steffen at strongswan.org>
Sent: Monday, 8 July 2019 17:19
To: A P; users at lists.strongswan.org
Subject: Re: [strongSwan] Strongswan 5.8 broke my setup

Hi,

since strongSwan 5.8 is a major version we made the following changes
to the naming of the strongSwan systemd service files:

  systemctl start strongswan now starts the charon-systemd daemon which
  communicates via the vici interface e.g. using the swanctl command
  line tool

  systemctl start strongswan-swanctl is now an alias for
  systemctl start strongswan

The old behaviour with the starter process spawning the charon daemon
which in turn communicates via the whack interface can be retained
just by executing

  systemctl start strongswan-starter

Sorry for the inconvenience, but vici and swanctl.conf have been our
preferred way of managing strongSwan for the last few years and this
is a further step to make it our default. Nevertheless, we are still
committed to supporting the old whack and ipsec.conf interface.

Best regards

Andreas

On 07.07.19 17:50, A P wrote:
> I used to do:
>
> systemctl restart strongswan
> systemctl restart xl2tpd
> ipsec up myvpn
>
>
> Now the last step produces nothing!
>
>
> The difference in the logs:
>
> - new log (broken setup) has these, which old (working) does not have:
> swanctl[29887]: no files found matching '/etc/swanctl/conf.d/*.conf'
> swanctl[29887]: no authorities found, 0 unloaded
> swanctl[29887]: no pools found, 0 unloaded
> swanctl[29887]: no connections found, 0 unloaded
>
> - old log (working) has these, which new one (broken) never has:
> ipsec[1592]: charon (1601) started after 20 ms
> ipsec_starter[1592]: charon (1601) started after 20 ms
> charon[1601]: 07[CFG] received stroke: add connection 'myvpn'
> charon[1601]: 07[CFG] added configuration 'myvpn'
>
>
> Why did you have to break things?
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
