[strongSwan] Strongswan 5.8 broke my setup

Noel Kuntze noel.kuntze at thermi.consulting
Tue Jul 9 01:35:43 CEST 2019


Hello,

You succeeded greatly in wasting your own time.

That is a red herring:
> good: generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ] (100 bytes)
> vs
> bad: generating ID_PROT request 0 [ ID HASH ] (68 bytes)

The roadmap (changelog) for 5.8.0[1] readily gives away the reason it does different things for you now:
>
>   * The systemd service units have been renamed. The modern unit, which was called strongswan-swanctl,
>     is now called strongswan (the previous name is configured as alias in the unit, for which a symlink is
>     created when the unit is enabled). The legacy unit is now called strongswan-starter.
>

So you only had to disable the strongswan unit and enable the strongswan-starter unit instead.

Alternatively, change to swanctl.conf, like you already did.
You screwed up though by not including your protoport settings in swanctl.conf.
>        remote_ts = 0.0.0.0/0

that should be "remote_ts = 0.0.0.0/0[17/1701]".
And for your leftprotoport setting, you had to set "local_ts = dynamic[17/1701]".

The UsableExamples article[2] even gives you example configs.

> secrets {
>   ike {
>     secret = <key>
>   }

That should be:

> secrets {
>   ike-myvpn {
>     id = <remote-ip>
>     secret = <key>
>   }
> }

I suspect what you pasted isn't your complete config. If you want any usable help, please provide
the information as shown on the HelpRequests page[3] exactly like it is described there.

Kind regards

Noel

[1] https://wiki.strongswan.org/versions/73
[2] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
[3] https://wiki.strongswan.org/wiki/HelpRequests

Am 08.07.19 um 15:58 schrieb A P:
> actually there is also an earlier discrepancy:
>
> good: generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ] (100 bytes)
> vs
> bad: generating ID_PROT request 0 [ ID HASH ] (68 bytes)
>
> ------------------------------------------------------------
> *From:* Users <users-bounces at lists.strongswan.org> on behalf of A P <sashka76 at hotmail.com>
> *Sent:* Monday, 8 July 2019 23:36
> *To:* users at lists.strongswan.org
> *Subject:* Re: [strongSwan] Strongswan 5.8 broke my setup
>  
> Ok... I've spent a few nights setting it up the old way.
> Now the new way does not work... :-(((
>
> Can you please maybe give me a hint as to why?
>
>
> *Old ipsec.conf:*
>
> conn myvpn
>   keyexchange=ikev1
>   left=%defaultroute
>   auto=add
>   authby=secret
>   type=transport
>   leftprotoport=17/1701
>   rightprotoport=17/1701
>   right=<remote-ip>
>   rightsubnet=0.0.0.0/0
>   ike=3des-sha1-modp1536!
>   esp=3des-sha1!
>
> *Old ipsec.secrets:*
>  : PSK "<key>"
>
>
> *New swanctl.conf:*
>
> connections {
>   myvpn {
>     version = 1
>     remote_addrs = <remote-ip>
>     proposals = 3des-sha1-modp1536
>
>     local {
>       auth = psk
>     }
>     remote {
>       auth = psk
>     }
>
>     children {
>       myvpn {
>         mode = transport
>         esp_proposals = 3des-sha1
>         remote_ts = 0.0.0.0/0
>       }
>     }
>   }
> }
>
> secrets {
>   ike {
>     secret = <key>
>   }
>
>
>
> I get a virtually identical output until - see in red:
>
> *old - working*
> ...
> ipsec[1592]: 01[IKE] IKE_SA myvpn[1] established between <local-ip>[<local-ip>]...<remote-ip>[<remote-ip>]
> ipsec[1592]: 01[IKE] scheduling reauthentication in 10104s
> ipsec[1592]: 01[IKE] maximum IKE_SA lifetime 10644s
> ipsec[1592]: 01[ENC] generating QUICK_MODE request 2607643999 [ HASH SA No ID ID NAT-OA NAT-OA ]
> ipsec[1592]: 01[NET] sending packet: from <local-ip>[4500] to <remote-ip>[4500] (188 bytes)
> ipsec[1592]: 06[NET] received packet: from <remote-ip>[4500] to <local-ip>[4500] (204 bytes)
> ipsec[1592]: 06[ENC] parsed QUICK_MODE response 2607643999 [ HASH SA No ID ID N((24576)) NAT-OA NAT-OA ]
> ipsec[1592]: 06[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>
>
> *new - non-working*
> ...
> [IKE] IKE_SA myvpn[1] established between <local-ip>[<local-ip>]...<remote-ip>[<remote-ip>]
> [IKE] scheduling rekeying in 14101s
> [IKE] maximum IKE_SA lifetime 15541s
> [ENC] generating QUICK_MODE request 2783263997 [ HASH SA No ID ID NAT-OA NAT-OA ]
> 01[NET] sending packet: from <local-ip>[4500] to <remote-ip>[4500] (188 bytes)
> 06[NET] received packet: from <remote-ip>[4500] to <local-ip>[4500] (84 bytes)
> [ENC] parsed INFORMATIONAL_V1 request 394177358 [ HASH D ]
> [IKE] received DELETE for IKE_SA myvpn[1]
> [IKE] deleting IKE_SA myvpn[1] between <local-ip>[<local-ip>]...<remote-ip>[<remote-ip>]
> initiate failed: establishing CHILD_SA 'myvpn' failed
>
>
>
> Something wrong with <key>? If I use the wrong key on purpose, I get the same result: immediate failure. Quotes / no quotes don't make a difference
>
>
>
>
> ------------------------------------------------------------
> *From:* Andreas Steffen <andreas.steffen at strongswan.org>
> *Sent:* Monday, 8 July 2019 17:19
> *To:* A P; users at lists.strongswan.org
> *Subject:* Re: [strongSwan] Strongswan 5.8 broke my setup
>  
> Hi,
>
> since strongSwan 5.8 is a major version we made the following changes
> to the naming of the strongSwan systemd service files:
>
>   systemctl start strongswan now starts the charon-systemd daemon which
>   communicates via the vici interface e.g. using the swanctl command
>   line tool
>
>   systemctl start strongswan-swanctl is now an alias for
>   systemctl start strongswan
>
> The old behaviour with the starter process spawning the charon daemon
> which in turn communicates via the whack interface can be retained
> just by executing
>
>   systemctl start strongswan-starter
>
> Sorry for the inconvenience but vici and swanctl.conf has been our
> preferred way of managing strongSwan for the last few years and this
> is a further step to make it our default. Nevertheless we are still
> committed to support the old whack and ipsec.conf interface.
>
> Best regards
>
> Andreas
>
> On 07.07.19 17:50, A P wrote:
> > I used to do:
> >
> > systemctl restart strongswan
> > systemctl restart xl2tpd
> > ipsec up myvpn
> >
> >
> > Now the last step produces nothing!
> >
> >
> > The difference in the logs:
> >
> > - new log (broken setup) has these, which old (working) does not have:
> > swanctl[29887]: no files found matching '/etc/swanctl/conf.d/*.conf'
> > swanctl[29887]: no authorities found, 0 unloaded
> > swanctl[29887]: no pools found, 0 unloaded
> > swanctl[29887]: no connections found, 0 unloaded
> >
> > - old log (working) has these, which new one (broken) never has:
> > ipsec[1592]: charon (1601) started after 20 ms
> > ipsec_starter[1592]: charon (1601) started after 20 ms
> > charon[1601]: 07[CFG] received stroke: add connection 'myvpn'
> > charon[1601]: 07[CFG] added configuration 'myvpn'
> >
> >
> > Why did you have to break things?
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Networked Solutions
> HSR University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[INS-HSR]==
>

-- 
Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
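As an added example, not code from the original thread or from the strongSwan project: a small Python converter that applies the corrections above mechanically to the poster's ipsec.conf conn and ipsec.secrets. It carries the leftprotoport/rightprotoport selectors into local_ts and remote_ts, strips the ipsec.conf strict marker from the proposals, and keys the PSK by the peer's address in an ike-myvpn secrets section instead of the anonymous ike block. The address and key in the embedded input are constructed placeholders (an RFC 5737 documentation address and a dummy key); the converter only handles the authby=secret, single flat conn case shown in the thread and assumes no also= inheritance and a double-quoted secret.

```python
import re

# Constructed input: the poster's conn and secrets line, placeholders filled
# with a documentation address and a dummy key.
IPSEC_CONF = """
conn myvpn
  keyexchange=ikev1
  left=%defaultroute
  auto=add
  authby=secret
  type=transport
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=198.51.100.7
  rightsubnet=0.0.0.0/0
  ike=3des-sha1-modp1536!
  esp=3des-sha1!
"""
IPSEC_SECRETS = ' : PSK "example-psk"'


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for each unindented 'conn' header
    followed by indented key=value lines (assumption: flat conns, no also=)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            m = re.match(r"conn\s+(\S+)\s*$", line)
            current = conns.setdefault(m.group(1), {}) if m else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def parse_psk(text):
    """Return (selectors, key) from a line like ' : PSK "secret"'.
    Empty selectors, as in the thread, match any peer."""
    m = re.match(r'^(.*?)\s*:\s*PSK\s+"([^"]*)"$', text.strip())
    if not m:
        raise ValueError("not a quoted PSK line: %r" % text)
    return m.group(1).split(), m.group(2)


def selector(subnet, protoport):
    """{left,right}subnet plus {left,right}protoport -> swanctl *_ts.
    No subnet means the host's own address (dynamic); the protoport the
    poster dropped becomes the [proto/port] suffix."""
    ts = subnet or "dynamic"
    return ts + ("[%s]" % protoport if protoport else "")


def proposal(value):
    """ipsec.conf marks a strict proposal with a trailing '!'; swanctl has
    no such flag, configured proposals are always the only ones offered."""
    return value.rstrip("!")


def to_swanctl(name, conn, psk):
    if conn.get("authby", "pubkey") != "secret":
        raise NotImplementedError("only authby=secret is converted here")
    # keyexchange=ike (accept either version) maps to version = 0.
    version = {"ikev1": 1, "ikev2": 2}.get(conn.get("keyexchange", "ike"), 0)
    c = {"version": version, "remote_addrs": conn["right"]}
    if "ike" in conn:
        c["proposals"] = proposal(conn["ike"])
    c["local"] = {"auth": "psk"}
    c["remote"] = {"auth": "psk"}
    child = {}
    if conn.get("type", "tunnel") == "transport":
        child["mode"] = "transport"
    if "esp" in conn:
        child["esp_proposals"] = proposal(conn["esp"])
    child["local_ts"] = selector(conn.get("leftsubnet"), conn.get("leftprotoport"))
    child["remote_ts"] = selector(conn.get("rightsubnet"), conn.get("rightprotoport"))
    c["children"] = {name: child}
    # auto=add needs no equivalent: loaded swanctl connections are not
    # started on their own. The PSK is keyed by the peer's address.
    secrets = {"ike-" + name: {"id": conn["right"], "secret": psk}}
    return {"connections": {name: c}, "secrets": secrets}


def render(tree, indent=0):
    """Serialise the nested dict as swanctl.conf text (list of lines)."""
    pad, lines = "  " * indent, []
    for key, value in tree.items():
        if isinstance(value, dict):
            lines.append("%s%s {" % (pad, key))
            lines.extend(render(value, indent + 1))
            lines.append("%s}" % pad)
        else:
            lines.append("%s%s = %s" % (pad, key, value))
    return lines


def convert(ipsec_conf, ipsec_secrets):
    _selectors, psk = parse_psk(ipsec_secrets)
    tree = {"connections": {}, "secrets": {}}
    for name, conn in parse_ipsec_conf(ipsec_conf).items():
        part = to_swanctl(name, conn, psk)
        tree["connections"].update(part["connections"])
        tree["secrets"].update(part["secrets"])
    return tree


if __name__ == "__main__":
    print("\n".join(render(convert(IPSEC_CONF, IPSEC_SECRETS))))
```

The printed text is a drop-in for /etc/swanctl/conf.d/ (the directory the original log reported as empty), after which swanctl --load-all and swanctl --initiate --child myvpn replace the old ipsec up step.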

