[strongSwan] Timeout Errors using Network Manager on Ubuntu 12.10

2013-01-07 Thread BRAGA, Bruno
 {
}



And here is the Network Manager configuration:

--- /etc/NetworkManager/system-connections/TestVPN ---

[connection]
id=TestVPN
uuid=07ac4ce3-c6c3-4d42-8bb6-29e56a8751db
type=vpn
autoconnect=false

[vpn]
service-type=org.freedesktop.NetworkManager.strongswan
virtual=no
encap=no
address=x.x.x.x
user=??
method=eap
ipcomp=yes
password-flags=1

[ipv4]
method=auto


Besides the timeout issue, I noted the plugin loading issues in the charon
logs. Looking at what I got in the system by default:

$ ls /usr/lib/ipsec/plugins/
libstrongswan-addrblock.so
libstrongswan-aes.so
libstrongswan-agent.so
libstrongswan-attr.so
libstrongswan-attr-sql.so
libstrongswan-ccm.so
libstrongswan-constraints.so
libstrongswan-ctr.so
libstrongswan-curl.so
libstrongswan-des.so
libstrongswan-dhcp.so
libstrongswan-dnskey.so
libstrongswan-eap-aka.so
libstrongswan-eap-gtc.so
libstrongswan-eap-identity.so
libstrongswan-eap-md5.so
libstrongswan-eap-mschapv2.so
libstrongswan-eap-radius.so
libstrongswan-eap-tls.so
libstrongswan-eap-tnc.so
libstrongswan-eap-ttls.so
libstrongswan-farp.so
libstrongswan-fips-prf.so
libstrongswan-gcm.so
libstrongswan-gmp.so
libstrongswan-ha.so
libstrongswan-hmac.so
libstrongswan-kernel-netlink.so
libstrongswan-ldap.so
libstrongswan-led.so
libstrongswan-md5.so
libstrongswan-medcli.so
libstrongswan-nm.so
libstrongswan-openssl.so
libstrongswan-pem.so
libstrongswan-pgp.so
libstrongswan-pkcs11.so
libstrongswan-pkcs1.so
libstrongswan-pubkey.so
libstrongswan-random.so
libstrongswan-resolve.so
libstrongswan-revocation.so
libstrongswan-sha1.so
libstrongswan-sha2.so
libstrongswan-socket-raw.so
libstrongswan-sql.so
libstrongswan-stroke.so
libstrongswan-test-vectors.so
libstrongswan-updown.so
libstrongswan-x509.so
libstrongswan-xauth.so
libstrongswan-xcbc.so

Adding the load line to the strongswan.conf file at least clears the
warnings, but I am not sure whether these modules should be here, and
loaded...

Any help really appreciated!

Thanks,


--
*Braga, Bruno*
www.brunobraga.net
bruno.br...@gmail.com
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

[strongSwan] Pluto Setup (showing charon in syslog)

2013-01-07 Thread BRAGA, Bruno
I was trying to use some examples from the StrongSwan doc, but stumbled
upon this weird behaviour... By any chance, is the daemon logged in syslog
always named charon, independently of which one is running?

When I turned off the charon in /etc/ipsec.conf (deleted all charon stuff
from strongswan.conf as well), still the syslog shows something like:

Jan  7 22:58:55 mac17 NetworkManager[1158]: info Starting VPN service
'strongswan'...
Jan  7 22:58:55 mac17 NetworkManager[1158]: info VPN service 'strongswan'
started (org.freedesktop.NetworkManager.strongswan), PID 13041
Jan  7 22:58:55 mac17 charon: 00[DMN] Starting IKEv2 charon daemon
(strongSwan 4.5.2)
...

If I execute the service myself, I notice that the message shows pluto, not
charon:

$ sudo service ipsec start
Starting strongSwan 4.5.2 IPsec [starter]...
$ sudo service ipsec start
Starting strongSwan 4.5.2 IPsec [starter]...
pluto is already running (/var/run/pluto.pid exists) -- skipping pluto start
starter is already running (/var/run/starter.pid exists) -- no fork done

Could it be that the Network manager is somehow trying to force charon to
run instead?

For reference, the files:

--- /etc/ipsec.conf ---

config setup
        plutodebug=control
        charonstart=no
        plutostart=yes

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

--- /etc/strongswan.conf ---

pluto {
}

libstrongswan {
dh_exponent_ansi_x9_42 = no
}


The complete syslog messages:

Jan  7 23:09:13 mac17 NetworkManager[1158]: info Starting VPN service
'strongswan'...
Jan  7 23:09:13 mac17 NetworkManager[1158]: info VPN service 'strongswan'
started (org.freedesktop.NetworkManager.strongswan), PID 9228
Jan  7 23:09:13 mac17 charon: 00[DMN] Starting IKEv2 charon daemon
(strongSwan 4.5.2)
Jan  7 23:09:13 mac17 charon: 00[KNL] listening on interfaces:
Jan  7 23:09:13 mac17 charon: 00[KNL]   eth0
Jan  7 23:09:13 mac17 charon: 00[KNL]   wlan0
Jan  7 23:09:13 mac17 charon: 00[KNL] 192.168.1.1
Jan  7 23:09:13 mac17 charon: 00[KNL] fe80::129a:ddff:feae:e16a
Jan  7 23:09:13 mac17 charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Jan  7 23:09:13 mac17 charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Jan  7 23:09:13 mac17 charon: 00[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'
Jan  7 23:09:13 mac17 charon: 00[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
Jan  7 23:09:13 mac17 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan  7 23:09:13 mac17 charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Jan  7 23:09:13 mac17 charon: 00[CFG]   loaded IKE secret for x.x.x.x %any
Jan  7 23:09:13 mac17 charon: 00[CFG] sql plugin: database URI not set
Jan  7 23:09:13 mac17 charon: 00[LIB] plugin 'sql': failed to load -
sql_plugin_create returned NULL
Jan  7 23:09:13 mac17 charon: 00[CFG] loaded 0 RADIUS server configurations
Jan  7 23:09:13 mac17 charon: 00[LIB] plugin 'medsrv' failed to load:
/usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object
file: No such file or directory
Jan  7 23:09:13 mac17 charon: 00[CFG] mediation client database URI not
defined, skipped
Jan  7 23:09:13 mac17 charon: 00[LIB] plugin 'medcli': failed to load -
medcli_plugin_create returned NULL
Jan  7 23:09:13 mac17 NetworkManager[1158]: info VPN service 'strongswan'
appeared; activating connections
Jan  7 23:09:13 mac17 charon: 00[CFG] HA config misses local/remote address
Jan  7 23:09:13 mac17 charon: 00[LIB] plugin 'ha': failed to load -
ha_plugin_create returned NULL
Jan  7 23:09:13 mac17 charon: 00[DMN] loaded plugins: test-vectors curl
ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1
pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr
kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka
eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc nm dhcp
led addrblock
Jan  7 23:09:13 mac17 charon: 00[JOB] spawning 16 worker threads

Thanks,

--
*Braga, Bruno*
www.brunobraga.net
bruno.br...@gmail.com

Re: [strongSwan] Timeout Errors using Network Manager on Ubuntu 12.10

2013-01-07 Thread BRAGA, Bruno
Hi Andreas,

Thanks for the feedback. I took my local network out of the equation
because it works in the same environment and machine on a different OS
(tried MacOS with racoon). That is why I figured it would rather be a
matter of configuration instead.

Any suggestions on how I could troubleshoot these possibilities? (Sorry I
am not a network guy).

Cheers,

--
Bruno Braga (mobile)
On Jan 8, 2013 9:16 AM, Andreas Steffen andreas.stef...@strongswan.org
wrote:

 Hi Bruno,

 there is no answer from the VPN gateway on the other end. Either
 the gateway cannot be reached over the network, the gateway is not
 running and listening on UDP port 500, or it supports the IKEv1 protocol
 only.

 Regards

 Andreas

 On 07.01.2013 14:00, BRAGA, Bruno wrote:

 Hi,

 I am having a hard time getting an IPsec VPN working on my machine... it
 works fine on another OS, and I am sure I am doing something stupid here,
 hope some guru can give me guidance!

 I am running Ubuntu 12.10, and installed strongswan (4.5.2), added the
 key secret in the /etc/ipsec.secrets file, and set up the VPN through
 network manager.

 Without tampering with the strongswan.conf file, I have this output
 (noted a similar output is :

 --- /var/log/syslog ---

 Jan  7 22:00:06 mac17 NetworkManager[1092]: info Starting VPN service
 'strongswan'...
 Jan  7 22:00:06 mac17 NetworkManager[1092]: info VPN service
 'strongswan' started (org.freedesktop.**NetworkManager.strongswan), PID
 840
 Jan  7 22:00:06 mac17 charon: 00[DMN] Starting IKEv2 charon daemon
 (strongSwan 4.5.2)
 Jan  7 22:00:06 mac17 charon: 00[KNL] listening on interfaces:
 Jan  7 22:00:06 mac17 charon: 00[KNL]   eth0
 Jan  7 22:00:06 mac17 charon: 00[KNL]   wlan0
 Jan  7 22:00:06 mac17 charon: 00[KNL] 192.168.1.1
 Jan  7 22:00:06 mac17 charon: 00[KNL] fe80::129a:ddff:feae:e16a
 Jan  7 22:00:06 mac17 charon: 00[CFG] loading ca certificates from
 '/etc/ipsec.d/cacerts'
 Jan  7 22:00:06 mac17 charon: 00[CFG] loading aa certificates from
 '/etc/ipsec.d/aacerts'
 Jan  7 22:00:06 mac17 charon: 00[CFG] loading ocsp signer certificates
 from '/etc/ipsec.d/ocspcerts'
 Jan  7 22:00:06 mac17 charon: 00[CFG] loading attribute certificates
 from '/etc/ipsec.d/acerts'
 Jan  7 22:00:06 mac17 charon: 00[CFG] loading crls from
 '/etc/ipsec.d/crls'
 Jan  7 22:00:06 mac17 charon: 00[CFG] loading secrets from
 '/etc/ipsec.secrets'
 Jan  7 22:00:06 mac17 charon: 00[CFG]   loaded IKE secret for x.x.x.x %any
 Jan  7 22:00:06 mac17 charon: 00[CFG] sql plugin: database URI not set
 Jan  7 22:00:06 mac17 charon: 00[LIB] plugin 'sql': failed to load -
 sql_plugin_create returned NULL
 Jan  7 22:00:06 mac17 charon: 00[CFG] loaded 0 RADIUS server
 configurations
 Jan  7 22:00:06 mac17 charon: 00[LIB] plugin 'medsrv' failed to load:
 /usr/lib/ipsec/plugins/**libstrongswan-medsrv.so: cannot open shared
 object file: No such file or directory
 Jan  7 22:00:06 mac17 charon: 00[CFG] mediation client database URI not
 defined, skipped
 Jan  7 22:00:06 mac17 charon: 00[LIB] plugin 'medcli': failed to load -
 medcli_plugin_create returned NULL
 Jan  7 22:00:06 mac17 NetworkManager[1092]: info VPN service
 'strongswan' appeared; activating connections
 Jan  7 22:00:06 mac17 charon: 00[CFG] HA config misses local/remote
 address
 Jan  7 22:00:06 mac17 charon: 00[LIB] plugin 'ha': failed to load -
 ha_plugin_create returned NULL
 Jan  7 22:00:06 mac17 charon: 00[DMN] loaded plugins: test-vectors curl
 ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey
 pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm
 attr kernel-netlink resolve socket-raw farp stroke updown eap-identity
 eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc
 nm dhcp led addrblock
 Jan  7 22:00:06 mac17 charon: 00[JOB] spawning 16 worker threads
 Jan  7 22:00:06 mac17 charon: 06[CFG] received initiate for
 NetworkManager connection TestVPN
 Jan  7 22:00:06 mac17 NetworkManager[1092]: info VPN plugin state
 changed: starting (3)
 Jan  7 22:00:06 mac17 charon: 06[CFG] using CA certificate, gateway
 identity x.x.x.x'
 Jan  7 22:00:06 mac17 charon: 06[IKE] initiating IKE_SA TestVPN[1]
 to x.x.x.x
 Jan  7 22:00:06 mac17 charon: 06[ENC] generating IKE_SA_INIT request 0 [
 SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
 Jan  7 22:00:06 mac17 charon: 06[NET] sending packet: from
 192.168.1.1[500] to x.x.x.x[500]
 Jan  7 22:00:06 mac17 NetworkManager[1092]: info VPN connection
 'TestVPN' (Connect) reply received.
 Jan  7 22:00:10 mac17 charon: 11[IKE] retransmit 1 of request with
 message ID 0
 Jan  7 22:00:10 mac17 charon: 11[NET] sending packet: from
 192.168.1.1[500] to x.x.x.x[500]
 Jan  7 22:00:17 mac17 charon: 12[IKE] retransmit 2 of request with
 message ID 0
 Jan  7 22:00:17 mac17 charon: 12[NET] sending packet: from
 192.168.1.1[500] to x.x.x.x[500]
 Jan  7 22:00:30 mac17 wpa_supplicant[1361]: wlan0: WPA: Group rekeying
 completed with 00:24:a5:ea:a5:a2 [GTK=CCMP]
 Jan  7 22:00:30 mac17 charon: 13[IKE
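Andreas's diagnosis (IKE_SA_INIT is retransmitted and never answered, so the gateway is unreachable, not listening on UDP 500, or IKEv1-only) can be read straight out of the charon log. The following is an added example, not code from the thread or from the strongSwan project: a small triage function run over constructed sample lines modelled on the syslog excerpt above. It separates the harmless plugin-load warnings (sql, medsrv, medcli, ha, which only lack configuration) from the actual symptom, a message ID 0 request that is retransmitted with no "received packet" line in between.

```python
import re

# Constructed sample, modelled on the charon syslog excerpt quoted in this thread.
SAMPLE_LOG = """\
Jan  7 22:00:06 mac17 charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Jan  7 22:00:06 mac17 charon: 00[LIB] plugin 'medsrv' failed to load: libstrongswan-medsrv.so: No such file
Jan  7 22:00:06 mac17 charon: 06[IKE] initiating IKE_SA TestVPN[1] to x.x.x.x
Jan  7 22:00:06 mac17 charon: 06[NET] sending packet: from 192.168.1.1[500] to x.x.x.x[500]
Jan  7 22:00:10 mac17 charon: 11[IKE] retransmit 1 of request with message ID 0
Jan  7 22:00:10 mac17 charon: 11[NET] sending packet: from 192.168.1.1[500] to x.x.x.x[500]
Jan  7 22:00:17 mac17 charon: 12[IKE] retransmit 2 of request with message ID 0
Jan  7 22:00:17 mac17 charon: 12[NET] sending packet: from 192.168.1.1[500] to x.x.x.x[500]
"""

# Message formats taken from the strongSwan 4.5.2 output quoted in the thread.
CHARON = re.compile(r"charon: \d+\[[A-Z]+\] (?P<msg>.*)$")
INIT = re.compile(r"initiating IKE_SA (?P<conn>\S+)\[\d+\] to (?P<gw>\S+)")
RETRANS = re.compile(r"retransmit (?P<n>\d+) of request with message ID (?P<mid>\d+)")
PLUGIN_FAIL = re.compile(r"plugin '(?P<name>[^']+)':? failed to load")


def triage(log_text):
    """Classify a charon log: which plugins failed, and whether the gateway ever answered."""
    r = {"plugins_failed": [], "connection": None, "gateway": None,
         "retransmits": 0, "received": 0, "verdict": None}
    for line in log_text.splitlines():
        m = CHARON.search(line)
        if not m:
            continue                      # NetworkManager, wpa_supplicant etc.
        msg = m.group("msg")
        pf = PLUGIN_FAIL.search(msg)
        if pf:                            # unconfigured plugins (sql, medcli, ha...) are
            r["plugins_failed"].append(pf.group("name"))  # noise, unrelated to the timeout
        ini = INIT.search(msg)
        if ini:
            r["connection"], r["gateway"] = ini.group("conn"), ini.group("gw")
        rt = RETRANS.search(msg)
        if rt and rt.group("mid") == "0": # message ID 0 is the IKE_SA_INIT exchange
            r["retransmits"] = max(r["retransmits"], int(rt.group("n")))
        if msg.startswith("received packet"):
            r["received"] += 1
    if r["gateway"] and r["received"] == 0 and r["retransmits"] > 0:
        r["verdict"] = ("no reply to IKE_SA_INIT from %s: gateway unreachable, "
                        "not listening on UDP 500, or IKEv1-only" % r["gateway"])
    elif r["gateway"]:
        r["verdict"] = "gateway answered; the problem lies past IKE_SA_INIT"
    return r
```

Feed it `grep charon /var/log/syslog` output; a result with `received` still 0 after retransmits means the three network-side causes must be ruled out before touching strongswan.conf.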