Hi,

On Sun, Aug 10, 2014 at 02:48:42PM +0200, Markus Wernig wrote:
> Hi all
>
> I am trying to set up an ipsec tunnel with iked in a double NAT scenario:
>
> Client --> NAT GW 1 --> Inet --> NAT GW 2 --> VPN GW
>
> Client has 192.168.1.x, User is [email protected]
> VPN GW has 10.x.y.z, hostname vpn.doe.com
> NAT GW 1 does hide NAT to A.B.C.D
> NAT GW 2 does static NAT for public GW IP, forwards to VPN GW
>
> The client runs Strongswan on Linux.
> VPN GW is running 5.5 GENERIC#271 on amd64.
>
> I'm trying to set up RSA authentication with X.509 certificates, so I've
> configured Strongswan to use Key and Cert with
> subjectAltname=email:[email protected], and to ask for IP address. Copied the
> client cert and the issuing CA cert to /etc/iked/certs on the VPN GW.
> PF is disabled. Configured iked on the VPN GW in iked.conf:
>
> ikev2 johndoevpn \
>         quick esp inet \
>         from any to 10.x.y.z \
>         peer any local any \
>         srcid vpn.doe.com dstid [email protected] \
>         config address 10.x.y.A \
>         config netmask 255.255.255.0 \
>         config name-server 10.x.y.B \ (valid IP of DNS at VPN site)
>         tag johndoevpn
>
> VPNGW# sysctl -a | grep esp
> net.inet.esp.enable=1
> net.inet.esp.udpencap=1
> net.inet.esp.udpencap_port=4500
>
> But the client is unable to connect to the VPN GW, and I just can't find
> out what's going wrong. Unfortunately there are two ways it is failing:
>
> 1) Client sends IKEv2 msg IKE_SA_INIT on Port 500, VPN GW replies with
> IKE_SA_INIT and CertReq, then client sends IKE_AUTH. But to this packet
> the VPN GW never replies, and the client resends until it times out. I
> see in the client log that it is selecting and sending the [email protected]
> certificate.
> In the VPN GW logs I get:
>
> Aug 9 08:40:35 tunnel iked[18255]: ikev2_recv: IKE_SA_INIT from
> initiator A.B.C.D:34276 to 10.x.y.z:500 policy 'johndoevpn' id 0, 1048 bytes
> Aug 9 08:40:35 tunnel iked[18255]: ikev2_msg_send: IKE_SA_INIT from
> 10.x.y.z:500 to A.B.C.D:34276, 457 bytes
> Aug 9 08:40:35 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator
> A.B.C.D:4500 to 10.x.y.z:4500 policy 'johndoevpn' id 1, 2320 bytes
> Aug 9 08:40:39 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator
> A.B.C.D:4500 to 10.x.y.z:4500 policy 'johndoevpn' id 1, 2320 bytes
> Aug 9 08:40:46 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator
> A.B.C.D:4500 to 10.x.y.z:4500 policy 'johndoevpn' id 1, 2320 bytes
> Aug 9 08:40:59 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator
> A.B.C.D:4500 to 10.x.y.z:4500 policy 'johndoevpn' id 1, 2320 bytes
>
> 2) Client sends IKEv2 msg IKE_SA_INIT on Port 500, and iked terminates
> immediately. If this happens, only a reboot will ever again get it to at
> least answer the SA_INIT. If iked is simply restarted, it will only
> crash again when the next packet arrives.
>
> Aug 9 14:31:56 tunnel iked[32658]: ikev2_recv: IKE_SA_INIT from
> initiator A.B.C.D:36858 to 10.x.y.z:500 policy 'johndoevpn' id 0, 1048 bytes
> Aug 9 14:31:56 tunnel iked[4493]: lost child: ikev2 terminated; signal 11
> Aug 9 14:31:56 tunnel iked[27717]: ikev1 exiting
> Aug 9 14:31:56 tunnel iked[20802]: ca exiting
> Aug 9 14:31:56 tunnel iked[4493]: parent terminating
>
> In both cases, there are no other logs anywhere on the VPN GW. I've
> started iked with "-DA=99 -v" and sent an "ikectl log verbose", but no
> change. ikectl monitor shows nothing.
>
-DA=99 is old syntax from isakmpd. Just try to increase the number of
"v"s to get more info, for example, iked -dvv or iked -dvvv to get packet
dumps.

> So I was wondering if anybody saw what I am doing wrong - probably I
> got the config wrong. Especially I'm not quite sure if the files
> containing the certs need to have special names.
> If not: How does one debug iked? Why is it not answering, and, above
> all, why is it crashing? Are there really no logs?
>

The crash is not good. You should really use iked from -current, it is
much better than the 5.5 version, and try to debug the crash if it is
still happening there:

- compile iked with debugging symbols

# make DEBUG=-g clean all install

- On 5.6 or later use the new core dump to directory feature:

# sysctl kern.nosuidcoredump=3
# mkdir -m 0700 /var/crash/iked

- After getting the next signal 11, run gdb to debug it

# ls -lt /var/crash/iked/*.core
# gdb /sbin/iked /var/crash/$COREFILE

you can also automate it to:

# gdb /sbin/iked $(ls -1t /var/crash/iked/*.core | head -1)

At the gdb prompt type "bt" and you get line numbers, function names and
more information about the crash.

Reyk
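The core-dump and gdb steps above, collected into one small script. This is an added example, not part of Reyk's mail, of iked, or of OpenBSD; it assumes OpenBSD 5.6 or later as the mail says (kern.nosuidcoredump=3 writes cores of the privsep children to /var/crash/iked/), that gdb accepts -batch and -x (a command file) so the backtrace can be captured non-interactively, and the function names and the CORE_DIR/IKED_BIN variables are this example's own:

```shell
#!/bin/sh
# Added example (not from the mail, iked, or OpenBSD): automate the
# "set up core directory, find newest core, run gdb bt" procedure.
# Assumes OpenBSD 5.6+ with kern.nosuidcoredump=3; function names and
# CORE_DIR/IKED_BIN are this example's own conventions.

CORE_DIR="${CORE_DIR:-/var/crash/iked}"
IKED_BIN="${IKED_BIN:-/sbin/iked}"

# One-time setup from the mail: per-program core directory, root-only.
setup_coredir() {
    sysctl kern.nosuidcoredump=3
    mkdir -m 0700 -p "$CORE_DIR"
}

# Print the newest *.core file in $1 (the same "ls -1t | head -1" trick
# as in the mail); return 1 if the directory holds no cores at all.
newest_core() {
    dir="$1"
    f=$(ls -1t "$dir"/*.core 2>/dev/null | head -1)
    [ -n "$f" ] || return 1
    printf '%s\n' "$f"
}

# Non-interactive backtrace: hand gdb a command file containing "bt" so
# the output can go straight into a bug report. Assumes gdb -batch/-x.
iked_bt() {
    core="$1"
    cmds=$(mktemp) || return 1
    printf 'bt\n' > "$cmds"
    if gdb -batch -x "$cmds" "$IKED_BIN" "$core"; then
        rc=0
    else
        rc=$?
    fi
    rm -f "$cmds"
    return $rc
}

# Usage: sh iked-crash.sh                 -> backtrace of the newest core
#        CORE_DIR=/tmp/cores sh iked-crash.sh
main() {
    core=$(newest_core "$CORE_DIR") || {
        echo "no core files in $CORE_DIR (has iked crashed since setup?)" >&2
        exit 1
    }
    echo "== $core =="
    iked_bt "$core"
}

# Run main only when invoked under this file name, so the functions can
# also be sourced into an interactive session.
case "${0##*/}" in
    iked-crash.sh) main "$@" ;;
esac
```

Run setup_coredir once (as root) before reproducing the crash; after the next "lost child: ikev2 terminated; signal 11", running the script prints the path of the most recent core and its backtrace. The binary must have been built with DEBUG=-g as in the mail, otherwise gdb shows addresses without line numbers.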

