Hi,

I have a working IPsec tunnel between OpenSWAN on CentOS 7 and a third-party partner company in Azure. The plan is to migrate OpenSWAN to StrongSWAN (Ubuntu) and retire the CentOS box. Unfortunately the configuration doesn't work and I can't find the problem.

My working config on OpenSWAN:

    config setup
        nat_traversal=yes
        virtual_private=%v4:10.1
        protostack=netkey
        interfaces="ipsec0=eth0"
        oe=off

    conn azure
        authby=secret
        auto=start
        type=tunnel
        left=%defaultroute
        leftsubnets=10.1.0.0/16,
        leftnexthop=%defaultrout
        right=PUB_IP_REMOTE
        rightsubnet=10.5.0.0/24
        phase2alg=aes256-sha1;mo
        ike=aes256-sha1;modp1024
        ikelifetime=8h
        keylife=1h
        pfs=no
        dpdaction=restart_by_pee
        dpdtimeout=10
        dpddelay=10

On my StrongSWAN I have:

    conn azure1
        authby=secret
        type=tunnel
        leftsendcert=nev
        left=PUB_IP_LOCA
        leftsubnet=10.1.
        right=PUB_IP_REM
        rightsubnet=10.5
        ike=aes256-sha1
        ikelifetime=8h
        keylife=1h
        keyingtries=1
        rekeymargin=3m
        compress=no
        auto=start

    conn azure2
        authby=secret
        type=tunnel
        leftsendcert=nev
        left=PUB_IP_LOCA
        leftsubnet=10.2.
        right=PUB_IP_REM
        rightsubnet=10.5
        ike=aes256-sha1
        ikelifetime=8h
        keylife=1h
        keyingtries=1
        rekeymargin=3m
        compress=no
        auto=start

The log output says that it is connected and then dropped because IKE is not established:

    Dec  2 15:34:11 systemd[1]: Starting strongSwan IPsec services...
    Dec  2 15:34:11 ipsec[20651]: Starting strongFSwan 5.3.5 IPsec [starter]...
    Dec  2 15:34:11 systemd[1]: Started strongSwan IPsec services.
    Dec  2 15:34:11 charon-custom: 00[DMN] opening file charon for logging failed: Permission denied
    Dec  2 15:34:11 charon-custom: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-138-generic, x86_64)
    Dec  2 15:34:11 kernel: [3962500.785155] audit: type=1400 audit(1543764851.950:28): apparmor="DENIED" operation="mknod" profile="/usr/lib/ipsec/charon name="/charon" pid=20668 comm="charon" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
    Dec  2 15:34:12 kernel: [3962501.191338] NET: Registered protocol family 38
    Dec  2 15:34:12 kernel: [3962501.315701] AVX or AES-NI instructions are not detected.
    Dec  2 15:34:12 kernel: [3962501.342215] AVX or AES-NI instructions are not detected.
    Dec  2 15:34:12 kernel: [3962501.468445] CPU feature 'AVX registers' is not supported.
    Dec  2 15:34:12 kernel: [3962501.577645] CPU feature 'AVX registers' is not supported.
    Dec  2 15:34:12 kernel: [3962501.602133] CPU feature 'AVX registers' is not supported.
    Dec  2 15:34:12 kernel: [3962501.664258] CPU feature 'AVX registers' is not supported.
    Dec  2 15:34:12 charon-custom: 00[CFG] disabling load-tester plugin, not configured
    Dec  2 15:34:12 charon-custom: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
    Dec  2 15:34:13 charon-custom: 00[CFG] dnscert plugin is disabled
    Dec  2 15:34:13 charon-custom: 00[CFG] ipseckey plugin is disabled
    Dec  2 15:34:13 charon-custom: 00[CFG] attr-sql plugin: database URI not set
    Dec  2 15:34:13 charon-custom: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
    Dec  2 15:34:13 charon-custom: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
    Dec  2 15:34:13 charon-custom: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
    Dec  2 15:34:13 charon-custom: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
    Dec  2 15:34:13 charon-custom: 00[CFG] loading crls from '/etc/ipsec.d/crls'
    Dec  2 15:34:13 charon-custom: 00[CFG] loading secrets from '/etc/ipsec.secrets'
    Dec  2 15:34:13 charon-custom: 00[CFG]   loaded IKE secret for PUB_IP_REMOTE
    Dec  2 15:34:13 charon-custom: 00[CFG] sql plugin: database URI not set
    Dec  2 15:34:13 charon-custom: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
    Dec  2 15:34:13 charon-custom: 00[CFG] eap-simaka-sql database URI missing
    Dec  2 15:34:13 charon-custom: 00[CFG] loaded 0 RADIUS server configurations
    Dec  2 15:34:13 charon-custom: 00[CFG] no threshold configured for systime-fix, disabled
    Dec  2 15:34:13 charon-custom: 00[CFG] coupling file path unspecified
    Dec  2 15:34:13 charon-custom: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
    Dec  2 15:34:13 charon-custom: 00[LIB] dropped capabilities, running as uid 0, gid 0
    Dec  2 15:34:13 charon-custom: 00[JOB] spawning 16 worker threads
    Dec  2 15:34:13 charon-custom: 07[CFG] received stroke: add connection 'azure1'
    Dec  2 15:34:13 charon-custom: 07[CFG] added configuration 'azure1'
    Dec  2 15:34:13 charon-custom: 11[CFG] received stroke: initiate 'azure1'
    Dec  2 15:34:13 charon-custom: 11[IKE] initiating IKE_SA azure1[1] to PUB_IP_REMOTE
    Dec  2 15:34:13 charon-custom: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
    Dec  2 15:34:13 charon-custom: 11[NET] sending packet: from PUB_IP_LOCAL[500] to PUB_IP_REMOTE[500] (1452 bytes)
    Dec  2 15:34:13 charon-custom: 15[CFG] received stroke: add connection 'azure2'
    Dec  2 15:34:13 charon-custom: 15[CFG] added child to existing configuration 'azure1'
    Dec  2 15:34:13 charon-custom: 14[CFG] received stroke: initiate 'azure2'
    Dec  2 15:34:13 charon-custom: 09[CFG] received stroke: add connection 'azure3'
    Dec  2 15:34:13 charon-custom: 09[CFG] added child to existing configuration 'azure1'
    Dec  2 15:34:13 charon-custom: 16[CFG] received stroke: initiate 'azure3'
    Dec  2 15:34:17 charon-custom: 10[IKE] retransmit 1 of request with message ID 0
    Dec  2 15:34:17 charon-custom: 10[NET] sending packet: from PUB_IP_LOCAL[500] to PUB_IP_REMOTE[500] (1452 bytes)
    Dec  2 15:34:24 charon-custom: 14[IKE] retransmit 2 of request with message ID 0
    Dec  2 15:34:24 charon-custom: 14[NET] sending packet: from PUB_IP_LOCAL[500] to PUB_IP_REMOTE[500] (1452 bytes)
    Dec  2 15:34:37 charon-custom: 10[IKE] retransmit 3 of request with message ID 0
    Dec  2 15:34:37 charon-custom: 10[NET] sending packet: from PUB_IP_LOCAL[500] to PUB_IP_REMOTE[500] (1452 bytes)
    Dec  2 15:34:49 charon-custom: 10[NET] received packet: from PUB_IP_REMOTE[500] to PUB_IP_LOCAL[500] (372 bytes)
    Dec  2 15:34:49 charon-custom: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
    Dec  2 15:34:49 charon-custom: 10[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:
    Dec  2 15:34:49 charon-custom: 10[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
    Dec  2 15:34:49 charon-custom: 10[IKE] received NAT-T (RFC 3947) vendor ID
    Dec  2 15:34:49 charon-custom: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02\ vendor ID
    Dec  2 15:34:49 charon-custom: 10[IKE] received FRAGMENTATION vendor ID
    Dec  2 15:34:49 charon-custom: 10[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:
    Dec  2 15:34:49 charon-custom: 10[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:
    Dec  2 15:34:49 charon-custom: 10[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:
    Dec  2 15:34:49 charon-custom: 10[IKE] PUB_IP_REMOTE is initiating a Main Mode IKE_SA
    Dec  2 15:34:49 charon-custom: 10[ENC] generating ID_PROT response 0 [ SA V V V ]
    Dec  2 15:34:49 charon-custom: 10[NET] sending packet: from PUB_IP_LOCAL[500] to PUB_IP_REMOTE[500] (136 bytes)
    Dec  2 15:34:49 charon-custom: 15[NET] received packet: from PUB_IP_REMOTE[500] to PUB_IP_LOCAL[500] (284 bytes)
    Dec  2 15:34:49 charon-custom: 15[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Dec  2 15:34:49 charon-custom: 15[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Dec  2 15:34:49 charon-custom: 15[NET] sending packet: from PUB_IP_LOCAL[500] to PUB_IP_REMOTE[500] (268 bytes)
    Dec  2 15:34:49 charon-custom: 13[NET] received packet: from PUB_IP_REMOTE[500] to PUB_IP_LOCAL[500] (92 bytes)
    Dec  2 15:34:49 charon-custom: 13[ENC] parsed ID_PROT request 0 [ ID HASH ]
    Dec  2 15:34:49 charon-custom: 13[CFG] looking for pre-shared key peer configs matching PUB_IP_LOCAL...PUB_IP_REMOTE[P
    Dec  2 15:34:49 charon-custom: 13[CFG] selected peer config "azure1"
    Dec  2 15:34:49 charon-custom: 13[IKE] IKE_SA azure1[2] established between PUB_IP_LOCAL[PUB_IP_LOCAL]...P
    Dec  2 15:34:49 charon-custom: 13[IKE] scheduling reauthentication in 28494s
    Dec  2 15:34:49 charon-custom: 13[IKE] maximum IKE_SA lifetime 28674s
    Dec  2 15:34:49 charon-custom: 13[ENC] generating ID_PROT response 0 [ ID HASH ]
    Dec  2 15:34:49 charon-custom: 13[NET] sending packet: from PUB_IP_LOCAL[500] to PUB_IP_REMOTE[500] (92 bytes)
    Dec  2 15:34:49 charon-custom: 08[NET] received packet: from PUB_IP_REMOTE[500] to PUB_IP_LOCAL[500] (396 bytes)
    Dec  2 15:34:49 charon-custom: 08[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID ]
    Dec  2 15:34:49 charon-custom: 08[IKE] received 102400000000 lifebytes, configured 0
    Dec  2 15:34:49 charon-custom: 08[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID ]
    Dec  2 15:34:49 charon-custom: 08[NET] sending packet: from PUB_IP_LOCAL[500] to PUB_IP_REMOTE[500] (204 bytes)
    Dec  2 15:34:49 charon-custom: 09[NET] received packet: from PUB_IP_REMOTE[500] to PUB_IP_LOCAL[500] (396 bytes)
    Dec  2 15:34:49 charon-custom: 09[ENC] parsed QUICK_MODE request 2 [ HASH SA No ID ID ]
    Dec  2 15:34:49 charon-custom: 09[IKE] received 102400000000 lifebytes, configured 0
    Dec  2 15:34:49 charon-custom: 09[ENC] generating QUICK_MODE response 2 [ HASH SA No ID ID ]
    Dec  2 15:34:49 charon-custom: 09[NET] sending packet: from PUB_IP_LOCAL[500] to PUB_IP_REMOTE[500] (204 bytes)
    Dec  2 15:34:49 charon-custom: 04[NET] received packet: from PUB_IP_REMOTE[500] to PUB_IP_LOCAL[500] (76 bytes)
    Dec  2 15:34:49 charon-custom: 04[ENC] parsed QUICK_MODE request 1 [ HASH ]
    Dec  2 15:34:50 charon-custom: 04[IKE] CHILD_SA azure1{1} established with SPIs ca324e62_i 24d548c4_o and TS 10.1.0.0/16 === 10.5.0.0/24
    Dec  2 15:34:50 charon-custom: 16[NET] received packet: from PUB_IP_REMOTE[500] to PUB_IP_LOCAL[500] (76 bytes)
    Dec  2 15:34:50 charon-custom: 16[ENC] parsed QUICK_MODE request 2 [ HASH ]
    Dec  2 15:34:50 charon-custom: 16[IKE] CHILD_SA azure2{2} established with SPIs cd87fa1d_i c89fa3be_o and TS 10.2.0.0/16 === 10.5.0.0/24
    Dec  2 15:35:00 charon-custom: 10[IKE] retransmit 4 of request with message ID 0
    Dec  2 15:35:00 charon-custom: 10[NET] sending packet: from PUB_IP_LOCAL[500] to PUB_IP_REMOTE[500] (1452 bytes)
    Dec  2 15:35:42 charon-custom: 04[IKE] retransmit 5 of request with message ID 0
    Dec  2 15:35:42 charon-custom: 04[NET] sending packet: from PUB_IP_LOCAL[500] to PUB_IP_REMOTE[500] (1452 bytes)
    Dec  2 15:36:58 charon-custom: 11[IKE] giving up after 5 retransmits
    Dec  2 15:36:58 charon-custom: 11[IKE] establishing IKE_SA failed, peer not responding

Any idea what is wrong here?
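Added example, not part of the original post: a small Python parser over constructed lines in the same charon syslog format as the log above. It separates the exchange this host initiated (IKE_SA_INIT, which is the first IKEv2 exchange, retransmitted and then abandoned) from the peer's Main Mode initiation (ID_PROT, IKEv1) that did establish an IKE_SA and CHILD_SAs. The function names analyze() and diagnose() are this example's own, and the "version mismatch" reading in diagnose() is an interpretation of the log pattern, not something the post states.

```python
import re
# Constructed sample in the charon/syslog format of the post (placeholders kept; not the real log).
SAMPLE_LOG = """\
Dec  2 15:34:13 charon-custom: 11[IKE] initiating IKE_SA azure1[1] to PUB_IP_REMOTE
Dec  2 15:34:13 charon-custom: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No ]
Dec  2 15:34:49 charon-custom: 10[ENC] parsed ID_PROT request 0 [ SA V V V ]
Dec  2 15:34:49 charon-custom: 10[IKE] PUB_IP_REMOTE is initiating a Main Mode IKE_SA
Dec  2 15:34:49 charon-custom: 13[IKE] IKE_SA azure1[2] established between PUB_IP_LOCAL[PUB_IP_LOCAL]...PUB_IP_REMOTE[PUB_IP_REMOTE]
Dec  2 15:34:50 charon-custom: 04[IKE] CHILD_SA azure1{1} established with SPIs ca324e62_i 24d548c4_o and TS 10.1.0.0/16 === 10.5.0.0/24
Dec  2 15:35:42 charon-custom: 04[IKE] retransmit 5 of request with message ID 0
Dec  2 15:36:58 charon-custom: 11[IKE] giving up after 5 retransmits
Dec  2 15:36:58 charon-custom: 11[IKE] establishing IKE_SA failed, peer not responding
"""

MSG = re.compile(r"^\S+ +\d+ \S+ \S+ (\d+)\[(\w+)\] (.*)$")   # "<date> <tag>: <thread>[<group>] <msg>"
IKE_UP = re.compile(r"IKE_SA (\S+)\[(\d+)\] established")
CHILD = re.compile(r"CHILD_SA (\S+)\{(\d+)\} established .* TS (\S+) === (\S+)")

def analyze(log):
    """Separate what this host initiated from what the peer initiated."""
    s = {"initiated": [], "local_version": None, "retransmits": 0, "gave_up": False,
         "peer_initiated": None, "ike_established": [], "children": []}
    for line in log.splitlines():
        if not (m := MSG.match(line)):
            continue                                  # systemd/kernel lines are not charon
        msg = m.group(3)
        if msg.startswith("initiating IKE_SA "):
            s["initiated"].append(msg.split()[2])     # e.g. azure1[1]
        elif msg.startswith("generating IKE_SA_INIT request"):
            s["local_version"] = "IKEv2"              # IKE_SA_INIT is the first IKEv2 exchange
        elif msg.startswith(("generating ID_PROT request", "generating AGGRESSIVE request")):
            s["local_version"] = "IKEv1"              # ID_PROT/AGGRESSIVE are IKEv1 phase 1
        elif msg.startswith("retransmit "):
            s["retransmits"] = max(s["retransmits"], int(msg.split()[1]))
        elif msg.startswith("giving up after"):
            s["gave_up"] = True
        elif "is initiating a Main Mode IKE_SA" in msg:
            s["peer_initiated"] = "IKEv1 Main Mode"   # peer opened an ID_PROT exchange to us
        elif (u := IKE_UP.search(msg)):
            s["ike_established"].append(f"{u.group(1)}[{u.group(2)}]")
        elif (c := CHILD.search(msg)):
            name, num, lts, rts = c.groups()
            s["children"].append((f"{name}{{{num}}}", lts, rts))
    return s

def diagnose(s):
    """Name the pattern: our initiation timed out while the peer's IKEv1 initiation succeeded."""
    if s["gave_up"] and s["peer_initiated"] and s["local_version"] != "IKEv1":
        return f"version mismatch: we initiate {s['local_version']}, peer answers only {s['peer_initiated']}"
    return "our initiation timed out" if s["gave_up"] else "no initiation failure seen"
```

Run analyze() over the real log to get the same split; the "retransmit N" counter and the "giving up" flag are what distinguish a dead initiation from the peer-driven SA that the CHILD_SA lines report.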
