[strongSwan] Multiple tunnels between two endpoints

Hi all,

I have a simple question, and I would be grateful if anyone could answer it. If we want to establish multiple tunnels between two endpoints, is it recommended to use the reuse_ikesa = no option in strongswan.conf? I figured in my tests that it is better to use the default config. Am I right? What is the application of the reuse_ikesa option?

Thanks a lot.

Best wishes,
Ali

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Multiple tunnels between two endpoints

Hi Ali,

--On Monday, January 07, 2013 02:39:55 PM +0330 Ali Masoudi masoudi1...@gmail.com wrote:

> I have a simple question, and I would be grateful if anyone could answer it. If we want to establish multiple tunnels between two endpoints, is it recommended to use the reuse_ikesa = no option in strongswan.conf? I figured in my tests that it is better to use the default config. Am I right? What is the application of the reuse_ikesa option?
>
> Thanks a lot.

If you set reuse_ikesa = no there will be a new IKE_SA for every CHILD_SA. Normally it is OK to have one IKE_SA with more CHILD_SAs. Handling is a little bit easier if you want to stop/start single CHILD_SAs.

Do the different tunnels run to the same net on one side? Then you could enable them in a single tunnel. Example:

rightsubnet=192.168.1.0/25
leftsubnet=10.0.0.0/8,172.16.1.0/24,172.16.2.0/24,172.31.0.0/16

Best Regards
Dirk
[strongSwan] Timeout Errors using Network Manager on Ubuntu 12.10

Hi,

I am having a hard time to get an IpSec VPN working in my machine... it works fine in other OS, and I am sure I am doing something stupid here, hope some guru can give me guidance!

I am running Ubuntu 12.10, and installed strongswan (4.5.2), added the key secret in /etc/ipsec.secrets file, and setup the VPN through network manager.

Without tampering with the strongswan.conf file, I have this output (noted a similar output is :

--- /var/log/syslog ---
Jan 7 22:00:06 mac17 NetworkManager[1092]: info Starting VPN service 'strongswan'...
Jan 7 22:00:06 mac17 NetworkManager[1092]: info VPN service 'strongswan' started (org.freedesktop.NetworkManager.strongswan), PID 840
Jan 7 22:00:06 mac17 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
Jan 7 22:00:06 mac17 charon: 00[KNL] listening on interfaces:
Jan 7 22:00:06 mac17 charon: 00[KNL] eth0
Jan 7 22:00:06 mac17 charon: 00[KNL] wlan0
Jan 7 22:00:06 mac17 charon: 00[KNL] 192.168.1.1
Jan 7 22:00:06 mac17 charon: 00[KNL] fe80::129a:ddff:feae:e16a
Jan 7 22:00:06 mac17 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 7 22:00:06 mac17 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 7 22:00:06 mac17 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 7 22:00:06 mac17 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 7 22:00:06 mac17 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 7 22:00:06 mac17 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 7 22:00:06 mac17 charon: 00[CFG] loaded IKE secret for x.x.x.x %any
Jan 7 22:00:06 mac17 charon: 00[CFG] sql plugin: database URI not set
Jan 7 22:00:06 mac17 charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Jan 7 22:00:06 mac17 charon: 00[CFG] loaded 0 RADIUS server configurations
Jan 7 22:00:06 mac17 charon: 00[LIB] plugin 'medsrv' failed to load: /usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object file: No such file or directory
Jan 7 22:00:06 mac17 charon: 00[CFG] mediation client database URI not defined, skipped
Jan 7 22:00:06 mac17 charon: 00[LIB] plugin 'medcli': failed to load - medcli_plugin_create returned NULL
Jan 7 22:00:06 mac17 NetworkManager[1092]: info VPN service 'strongswan' appeared; activating connections
Jan 7 22:00:06 mac17 charon: 00[CFG] HA config misses local/remote address
Jan 7 22:00:06 mac17 charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Jan 7 22:00:06 mac17 charon: 00[DMN] loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc nm dhcp led addrblock
Jan 7 22:00:06 mac17 charon: 00[JOB] spawning 16 worker threads
Jan 7 22:00:06 mac17 charon: 06[CFG] received initiate for NetworkManager connection TestVPN
Jan 7 22:00:06 mac17 NetworkManager[1092]: info VPN plugin state changed: starting (3)
Jan 7 22:00:06 mac17 charon: 06[CFG] using CA certificate, gateway identity x.x.x.x'
Jan 7 22:00:06 mac17 charon: 06[IKE] initiating IKE_SA TestVPN[1] to x.x.x.x
Jan 7 22:00:06 mac17 charon: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jan 7 22:00:06 mac17 charon: 06[NET] sending packet: from 192.168.1.1[500] to x.x.x.x[500]
Jan 7 22:00:06 mac17 NetworkManager[1092]: info VPN connection 'TestVPN' (Connect) reply received.
Jan 7 22:00:10 mac17 charon: 11[IKE] retransmit 1 of request with message ID 0
Jan 7 22:00:10 mac17 charon: 11[NET] sending packet: from 192.168.1.1[500] to x.x.x.x[500]
Jan 7 22:00:17 mac17 charon: 12[IKE] retransmit 2 of request with message ID 0
Jan 7 22:00:17 mac17 charon: 12[NET] sending packet: from 192.168.1.1[500] to x.x.x.x[500]
Jan 7 22:00:30 mac17 wpa_supplicant[1361]: wlan0: WPA: Group rekeying completed with 00:24:a5:ea:a5:a2 [GTK=CCMP]
Jan 7 22:00:30 mac17 charon: 13[IKE] retransmit 3 of request with message ID 0
Jan 7 22:00:30 mac17 charon: 13[NET] sending packet: from 192.168.1.1[500] to x.x.x.x[500]
Jan 7 22:00:46 mac17 NetworkManager[1092]: warn VPN connection 'TestVPN' (IP Config Get) timeout exceeded.
Jan 7 22:00:46 mac17 NetworkManager[1092]: info Policy set 'Braga' (wlan0) as default for IPv4 routing and DNS.
Jan 7 22:00:46 mac17 charon: 01[IKE] destroying IKE_SA in state CONNECTING without notification
Jan 7 22:00:51 mac17 charon: 00[DMN] signal of type SIGTERM received. Shutting down
Jan 7 22:00:51 mac17 NetworkManager[1092]: info VPN service 'strongswan' disappeared

My initial configuration file was:

--- /etc/strongswan.conf ---
# strongswan.conf - strongSwan configuration file

charon {
    threads = 16
    plugins {
        sql {
            loglevel = -1
        }
    }
}

pluto {
}

libstrongswan {
}

And
[strongSwan] Pluto Setup (showing charon in syslog)

I was trying to use some examples from the StrongSwan doc, but stumbled upon this weird behaviour... By any chance, is the daemon logged in syslog defined as charon independently of which one is running?

When I turned off the charon in /etc/ipsec.conf (deleted all charon stuff from strongswan.conf as well), still the syslog shows something like:

Jan 7 22:58:55 mac17 NetworkManager[1158]: info Starting VPN service 'strongswan'...
Jan 7 22:58:55 mac17 NetworkManager[1158]: info VPN service 'strongswan' started (org.freedesktop.NetworkManager.strongswan), PID 13041
Jan 7 22:58:55 mac17 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
...

If I execute the service myself, I notice that the message shows pluto, not charon:

$ sudo service ipsec start
Starting strongSwan 4.5.2 IPsec [starter]...
$ sudo service ipsec start
Starting strongSwan 4.5.2 IPsec [starter]...
pluto is already running (/var/run/pluto.pid exists) -- skipping pluto start
starter is already running (/var/run/starter.pid exists) -- no fork done

Could it be that the Network manager is somehow trying to force charon to run instead?

For reference, the files:

--- /etc/ipsec.conf ---
config setup
    plutodebug=control
    charonstart=no
    plutostart=yes

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret

--- /etc/strongswan.conf ---
pluto {
}

libstrongswan {
    dh_exponent_ansi_x9_42 = no
}

The complete syslog messages:

Jan 7 23:09:13 mac17 NetworkManager[1158]: info Starting VPN service 'strongswan'...
Jan 7 23:09:13 mac17 NetworkManager[1158]: info VPN service 'strongswan' started (org.freedesktop.NetworkManager.strongswan), PID 9228
Jan 7 23:09:13 mac17 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
Jan 7 23:09:13 mac17 charon: 00[KNL] listening on interfaces:
Jan 7 23:09:13 mac17 charon: 00[KNL] eth0
Jan 7 23:09:13 mac17 charon: 00[KNL] wlan0
Jan 7 23:09:13 mac17 charon: 00[KNL] 192.168.1.1
Jan 7 23:09:13 mac17 charon: 00[KNL] fe80::129a:ddff:feae:e16a
Jan 7 23:09:13 mac17 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 7 23:09:13 mac17 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 7 23:09:13 mac17 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 7 23:09:13 mac17 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 7 23:09:13 mac17 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 7 23:09:13 mac17 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 7 23:09:13 mac17 charon: 00[CFG] loaded IKE secret for x.x.x.x %any
Jan 7 23:09:13 mac17 charon: 00[CFG] sql plugin: database URI not set
Jan 7 23:09:13 mac17 charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Jan 7 23:09:13 mac17 charon: 00[CFG] loaded 0 RADIUS server configurations
Jan 7 23:09:13 mac17 charon: 00[LIB] plugin 'medsrv' failed to load: /usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object file: No such file or directory
Jan 7 23:09:13 mac17 charon: 00[CFG] mediation client database URI not defined, skipped
Jan 7 23:09:13 mac17 charon: 00[LIB] plugin 'medcli': failed to load - medcli_plugin_create returned NULL
Jan 7 23:09:13 mac17 NetworkManager[1158]: info VPN service 'strongswan' appeared; activating connections
Jan 7 23:09:13 mac17 charon: 00[CFG] HA config misses local/remote address
Jan 7 23:09:13 mac17 charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Jan 7 23:09:13 mac17 charon: 00[DMN] loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc nm dhcp led addrblock
Jan 7 23:09:13 mac17 charon: 00[JOB] spawning 16 worker threads

Thanks,
-- 
Braga, Bruno
www.brunobraga.net
bruno.br...@gmail.com
Re: [strongSwan] Strongswan OpenVPN client

Hello,

the VPN gateway must assign a virtual IP address to your Android Client:

I/charon (17492): 15[IKE] received INTERNAL_ADDRESS_FAILURE notify, no CHILD_SA built

On a strongSwan gateway this can be done by defining a dynamic address pool, e.g.

rightsourceip=10.0.1.0/24

Regards

Andreas

On 07.01.2013 23:02, Gia T. Nguyen wrote:
> Samsung Nexus III Android client. I've included the host IP as the SubjectAltName in the certificates and have seemed to get over that error, but I am still not able to connect:
>
> Error: Failure to connect to VPN, Authentication Failed.
>
> Any hint on where to look next would be appreciated.
>
> Regards,
>
> I/charon (17492): 00[DMN] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc
> I/charon (17492): 00[JOB] spawning 16 worker threads
> I/charon (17492): 16[CFG] loaded user certificate 'C=US, ST=VIRGINIA, L=RESTON, O=Metronome Software LLC, CN=192.168.24.11' and private key
> I/charon (17492): 16[CFG] loaded CA certificate 'C=US, ST=VIRGINIA, L=RESTON, O=Metronome Software LLC, CN=mns-lan.com'
> I/charon (17492): 16[IKE] initiating IKE_SA android[1] to 192.168.24.18
> I/charon (17492): 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> I/charon (17492): 16[NET] sending packet: from 192.168.24.11[58445] to 192.168.24.18[500]
> I/charon (17492): 01[NET] received packet: from 192.168.24.18[500] to 192.168.24.11[58445]
> I/charon (17492): 01[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> I/charon (17492): 01[IKE] faking NAT situation to enforce UDP encapsulation
> I/charon (17492): 01[IKE] received cert request for C=US, ST=VIRGINIA, L=RESTON, O=Metronome Software LLC, CN=mns-lan.com
> I/charon (17492): 01[IKE] sending cert request for C=US, ST=VIRGINIA, L=RESTON, O=Metronome Software LLC, CN=mns-lan.com
> I/charon (17492): 01[IKE] authentication of 'C=US, ST=VIRGINIA, L=RESTON, O=Metronome Software LLC, CN=192.168.24.11' (myself) with RSA signature successful
> I/charon (17492): 01[IKE] sending end entity cert C=US, ST=VIRGINIA, L=RESTON, O=Metronome Software LLC, CN=192.168.24.11
> I/charon (17492): 01[IKE] establishing CHILD_SA android
> I/charon (17492): 01[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> I/charon (17492): 01[NET] sending packet: from 192.168.24.11[37948] to 192.168.24.18[4500]
> I/charon (17492): 05[NET] received packet: from 192.168.24.18[4500] to 192.168.24.11[37948]
> I/charon (17492): 05[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(INT_ADDR_FAIL) ]
> I/charon (17492): 05[IKE] received end entity cert C=US, ST=VIRGINIA, L=RESTON, O=Metronome Software LLC, CN=192.168.24.18
> I/charon (17492): 05[CFG] using certificate C=US, ST=VIRGINIA, L=RESTON, O=Metronome Software LLC, CN=192.168.24.18
> I/charon (17492): 05[CFG] using trusted ca certificate C=US, ST=VIRGINIA, L=RESTON, O=Metronome Software LLC, CN=mns-lan.com
> I/charon (17492): 05[CFG] reached self-signed root ca with a path length of 0
> I/charon (17492): 05[IKE] authentication of 'C=US, ST=VIRGINIA, L=RESTON, O=Metronome Software LLC, CN=192.168.24.18' with RSA signature successful
> I/charon (17492): 05[IKE] IKE_SA android[1] established between 192.168.24.11[C=US, ST=VIRGINIA, L=RESTON, O=Metronome Software LLC, CN=192.168.24.11]...192.168.24.18[C=US, ST=VIRGINIA, L=RESTON, O=Metronome Software LLC, CN=192.168.24.18]
> I/charon (17492): 05[IKE] scheduling rekeying in 35599s
> I/charon (17492): 05[IKE] maximum IKE_SA lifetime 36199s
> I/charon (17492): 05[IKE] received INTERNAL_ADDRESS_FAILURE notify, no CHILD_SA built
> I/charon (17492): 05[IKE] closing IKE_SA due CHILD_SA setup failure
> I/charon (17492): 05[IKE] received AUTH_LIFETIME of 3346s, scheduling reauthentication in 2746s
> I/charon (17492): 05[IKE] peer supports MOBIKE
> I/charon (17492): 02[IKE] deleting IKE_SA android[1] between 192.168.24.11[C=US, ST=VIRGINIA, L=RESTON, O=Metronome Software LLC, CN=192.168.24.11]...192.168.24.18[C=US, ST=VIRGINIA, L=RESTON, O=Metronome Software LLC, CN=192.168.24.18]
> I/charon (17492): 02[IKE] sending DELETE for IKE_SA android[1]
> I/charon (17492): 02[ENC] generating INFORMATIONAL request 2 [ D ]
> I/charon (17492): 02[NET] sending packet: from 192.168.24.11[37948] to 192.168.24.18[4500]
> I/charon (17492): 06[NET] received packet: from 192.168.24.18[4500] to 192.168.24.11[37948]
> I/charon (17492): 06[ENC] parsed INFORMATIONAL response 2 [ ]
> I/charon (17492): 06[IKE] IKE_SA deleted
> I/charon (17492): 00[LIB] intentionally leaking private key reference due to a bug in the framework
> I/charon (17492): 00[DMN] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5
Re: [strongSwan] Timeout Errors using Network Manager on Ubuntu 12.10

Hi Bruno,

there is no answer from the VPN gateway on the other end. Either the gateway cannot be reached over the network, the gateway is not running and listening on UDP port 500, or it supports the IKEv1 protocol only.

Regards

Andreas

On 07.01.2013 14:00, BRAGA, Bruno wrote:
> Hi,
>
> I am having a hard time to get an IpSec VPN working in my machine... it works fine in other OS, and I am sure I am doing something stupid here, hope some guru can give me guidance!
>
> I am running Ubuntu 12.10, and installed strongswan (4.5.2), added the key secret in /etc/ipsec.secrets file, and setup the VPN through network manager.
>
> Without tampering with the strongswan.conf file, I have this output (noted a similar output is :
>
> --- /var/log/syslog ---
> [...]
Re: [strongSwan] Strongswan OpenVPN client

Many thanks! That was it. ;-)

On 1/7/13 6:11 PM, Andreas Steffen andreas.stef...@strongswan.org wrote:
> Hello,
>
> the VPN gateway must assign a virtual IP address to your Android Client:
>
> I/charon (17492): 15[IKE] received INTERNAL_ADDRESS_FAILURE notify, no CHILD_SA built
>
> On a strongSwan gateway this can be done by defining a dynamic address pool, e.g.
>
> rightsourceip=10.0.1.0/24
>
> Regards
>
> Andreas
>
> On 07.01.2013 23:02, Gia T. Nguyen wrote:
>> Samsung Nexus III Android client. I've included the host IP as the SubjectAltName in the certificates and have seemed to get over that error, but I am still not able to connect:
>>
>> Error: Failure to connect to VPN, Authentication Failed.
>>
>> Any hint on where to look next would be appreciated.
>>
>> Regards,
>>
>> [...]
Re: [strongSwan] Timeout Errors using Network Manager on Ubuntu 12.10

Hi Andreas,

Thanks for the feedback. I took my local network out of the equation because it works in the same environment and machine on a different OS (tried MacOS with racoon). That is why I figured it would be rather a matter of configuration instead.

Any suggestions on how I could troubleshoot these possibilities? (Sorry I am not a network guy).

Cheers,
-- 
Bruno Braga (mobile)

On Jan 8, 2013 9:16 AM, Andreas Steffen andreas.stef...@strongswan.org wrote:
> Hi Bruno,
>
> there is no answer from the VPN gateway on the other end. Either the gateway cannot be reached over the network, the gateway is not running and listening on UDP port 500, or it supports the IKEv1 protocol only.
>
> Regards
>
> Andreas
>
> On 07.01.2013 14:00, BRAGA, Bruno wrote:
>> Hi,
>>
>> I am having a hard time to get an IpSec VPN working in my machine... it works fine in other OS, and I am sure I am doing something stupid here, hope some guru can give me guidance!
>>
>> I am running Ubuntu 12.10, and installed strongswan (4.5.2), added the key secret in /etc/ipsec.secrets file, and setup the VPN through network manager.
>>
>> Without tampering with the strongswan.conf file, I have this output (noted a similar output is :
>>
>> --- /var/log/syslog ---
>> [...]
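The two diagnoses given in this thread can be turned into a small log triage routine: Andreas's reply on the NetworkManager timeout (IKE_SA_INIT is retransmitted and nothing ever comes back, so the gateway is unreachable, not listening on UDP 500, or IKEv1-only) and his reply on the Android client (authentication succeeds but the gateway sends INTERNAL_ADDRESS_FAILURE because it has no virtual IP pool). The script below is an added example, not code from the strongSwan project or from anyone in the thread. It parses charon lines in both forms shown above (syslog "charon: 06[IKE] ..." and Android logcat "I/charon (17492): 05[IKE] ..."); the two sample logs are constructed, shortened copies of the excerpts posted here, and the function names, verdict labels and hint wording are my own.

```python
"""Triage charon log excerpts for the failure modes discussed in this thread.
Added example, not strongSwan code; the sample logs are constructed copies of
the excerpts posted in the thread."""
import re

# One pattern for both the syslog form ("mac17 charon: 06[IKE] ...") and the
# Android logcat form ("I/charon (17492): 05[IKE] ...").  Captures the log
# group (IKE, NET, CFG, ...) and the message text.
CHARON_RE = re.compile(r'charon(?:\s*\(\d+\))?:\s*\d+\[(\w+)\]\s*(.*?)\s*$')

# Constructed sample 1: the NetworkManager attempt that times out.
SAMPLE_TIMEOUT = """\
Jan 7 22:00:06 mac17 NetworkManager[1092]: info Starting VPN service 'strongswan'...
Jan 7 22:00:06 mac17 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
Jan 7 22:00:06 mac17 charon: 06[IKE] initiating IKE_SA TestVPN[1] to x.x.x.x
Jan 7 22:00:06 mac17 charon: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jan 7 22:00:06 mac17 charon: 06[NET] sending packet: from 192.168.1.1[500] to x.x.x.x[500]
Jan 7 22:00:10 mac17 charon: 11[IKE] retransmit 1 of request with message ID 0
Jan 7 22:00:10 mac17 charon: 11[NET] sending packet: from 192.168.1.1[500] to x.x.x.x[500]
Jan 7 22:00:17 mac17 charon: 12[IKE] retransmit 2 of request with message ID 0
Jan 7 22:00:17 mac17 charon: 12[NET] sending packet: from 192.168.1.1[500] to x.x.x.x[500]
Jan 7 22:00:30 mac17 charon: 13[IKE] retransmit 3 of request with message ID 0
Jan 7 22:00:30 mac17 charon: 13[NET] sending packet: from 192.168.1.1[500] to x.x.x.x[500]
Jan 7 22:00:46 mac17 charon: 01[IKE] destroying IKE_SA in state CONNECTING without notification
"""

# Constructed sample 2: the Android client that authenticates but is refused
# a virtual IP by the gateway.
SAMPLE_ANDROID = """\
I/charon (17492): 16[IKE] initiating IKE_SA android[1] to 192.168.24.18
I/charon (17492): 16[NET] sending packet: from 192.168.24.11[58445] to 192.168.24.18[500]
I/charon (17492): 01[NET] received packet: from 192.168.24.18[500] to 192.168.24.11[58445]
I/charon (17492): 01[NET] sending packet: from 192.168.24.11[37948] to 192.168.24.18[4500]
I/charon (17492): 05[NET] received packet: from 192.168.24.18[4500] to 192.168.24.11[37948]
I/charon (17492): 05[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(INT_ADDR_FAIL) ]
I/charon (17492): 05[IKE] IKE_SA android[1] established between 192.168.24.11[CN=192.168.24.11]...192.168.24.18[CN=192.168.24.18]
I/charon (17492): 05[IKE] received INTERNAL_ADDRESS_FAILURE notify, no CHILD_SA built
I/charon (17492): 05[IKE] closing IKE_SA due CHILD_SA setup failure
"""


def parse_line(line):
    """Return (log group, message) for a charon line, or None for anything else."""
    m = CHARON_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def triage(log_text):
    """Count what charon sent and received and map the pattern to a diagnosis."""
    sent = received = retransmits = 0
    established = addr_failure = aborted = False
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        group, msg = parsed
        if group == 'NET' and msg.startswith('sending packet'):
            sent += 1
        elif group == 'NET' and msg.startswith('received packet'):
            received += 1
        elif group == 'IKE':
            if re.match(r'retransmit \d+ of request', msg):
                retransmits += 1
            elif 'IKE_SA' in msg and 'established' in msg:
                established = True
            elif 'received INTERNAL_ADDRESS_FAILURE notify' in msg:
                addr_failure = True
            elif msg.startswith('destroying IKE_SA in state CONNECTING'):
                aborted = True

    if addr_failure:
        # Authentication worked; the gateway refused to hand out a virtual IP.
        verdict = 'no_virtual_ip'
        hint = ('gateway sent INTERNAL_ADDRESS_FAILURE: it must assign a virtual IP '
                'to the client; on a strongSwan gateway define a pool, e.g. '
                'rightsourceip=10.0.1.0/24 (range taken from the thread)')
    elif received == 0 and (retransmits or aborted):
        # Nothing ever came back for IKE_SA_INIT: the three causes named above.
        verdict = 'no_response'
        hint = ('no reply to IKE_SA_INIT: gateway unreachable, not listening on '
                'UDP 500, or IKEv1-only while this client runs the IKEv2 daemon')
    elif established:
        verdict = 'established'
        hint = 'IKE_SA came up; inspect the CHILD_SA lines for the remaining problem'
    else:
        verdict = 'inconclusive'
        hint = 'too few charon lines to decide; capture the complete exchange'
    return {'sent': sent, 'received': received, 'retransmits': retransmits,
            'verdict': verdict, 'hint': hint}


if __name__ == '__main__':
    for name, text in (('TestVPN', SAMPLE_TIMEOUT), ('android', SAMPLE_ANDROID)):
        r = triage(text)
        print(f"{name}: {r['verdict']} (sent={r['sent']}, received={r['received']}, "
              f"retransmits={r['retransmits']}) - {r['hint']}")
```

Run it against a real excerpt with `triage(open('/var/log/syslog').read())`; because the verdict is driven by the sent/received counts rather than by the timeout message, it distinguishes "the gateway never answered" (a network, port or IKE version problem) from "the gateway answered and rejected something" (a configuration problem) before anyone starts editing config files.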