Hi all,

I am absolutely new to strongSwan. I have to set up a scenario in which 2 separated private networks are connected via the internet with IPsec. The scenario is exactly the one described in the test ikev1/net2net-psk, http://www.strongswan.org/uml/testresults/ikev1/net2net-psk/ . I control only the left side, the right side being administered by another company, which uses hw devices.

The problem I am facing is this: absolutely no packets exit from my gateway towards the other gateway! I saw this using iptables to log outgoing packets, and also on the remote gateway, which does not receive any packets.

I was using openSUSE 11.3 and openvpn 4.4 (bundled in openSUSE 11.3). Then I uninstalled it and downloaded and compiled the 4.5.1 version: no changes. No errors are detected, everything seems to be very fine, the PSK is loaded... but no packets come out of my box...!

Here is my setup:

ipsec.conf

  # ipsec.conf - strongSwan IPsec configuration file

  config setup
        plutodebug=control
        charonstart=no

  conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

  conn net-net
        left=<my public ip address here scrambled>
        leftsubnet=192.168.2.0/24
        leftid=@vrtappmi02.mydomain.mycountry
        leftfirewall=yes
        right=<theirs public ip address here scrambled>
        rightsubnet=10.126.99.0/24
        rightid=@ipsecgw.theirsdomanin.theirscountry
        auto=add

ipsec.secrets

  # ipsec.secrets
  #
  # This file holds the RSA private keys or the PSK preshared secrets for
  # the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
  #
  @vrtappmi02.mydomain.mycountry @ipsecgw.theirsdomanin.theirscountry : PSK "thisisthescrambledkey"

strongswan.conf

  pluto {
        #load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
        # load = aes des sha1 md5 sha2 hmac gmp random pubkey
        # load = sha1 sha2 md5 aes des hmac gmp random pubkey
  }

  # pluto uses optimized DH exponent sizes (RFC 3526)
  libstrongswan {
        dh_exponent_ansi_x9_42 = no
  }

When I start ipsec I can read this in the messages log:

  Mar 2 14:18:53 vrtappmi02 ipsec_starter[3722]: Starting strongSwan 4.5.1 IPsec [starter]...
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: Starting IKEv1 pluto daemon (strongSwan 4.5.1) THREADS VENDORID
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: listening on interfaces:
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: eth0
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: <my public ip address here scrambled>
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: fe80::20c:29ff:fe23:4272
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: eth1
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: 192.168.2.225
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: fe80::20c:29ff:fe23:427c
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: including NAT-Traversal patch (Version 0.6c) [disabled]
  Mar 2 14:18:53 vrtappmi02 ipsec_starter[3730]: pluto (3731) started after 20 ms
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading ca certificates from '/etc/ipsec.d/cacerts'
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading aa certificates from '/etc/ipsec.d/aacerts'
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: Changing to directory '/etc/ipsec.d/crls'
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading attribute certificates from '/etc/ipsec.d/acerts'
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: spawning 4 worker threads
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: | inserting event EVENT_LOG_DAILY, timeout in 34867 seconds
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: |
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: | *received whack message
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: listening for IKE messages
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 127.0.0.1
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 127.0.0.2
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found eth0 with address <my public ip address here scrambled>
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found eth1 with address 192.168.2.225
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface eth1/eth1 192.168.2.225:500
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface eth0/eth0 <my public ip address here scrambled>:500
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo 127.0.0.2:500
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo 127.0.0.1:500
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo ::1:500
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading secrets from "/etc/ipsec.secrets"
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: loaded PSK secret for vrtappmi02.mydomain.mycountry ipsecgw.ipsecgw.theirsdomanin.theirscountry
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: |
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: | *received whack message
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: | from whack: got --esp=aes128-sha1,3des-sha1
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: | from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: added connection description "net-net"
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: | 192.168.2.0/24===<my public ip address here scrambled>[vrtappmi02.mydomain.mycountry]...<theirs public ip address here scrambled>[ipsecgw.theirsdomanin.theirscountry]===10.126.99.0/24
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: | ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1; policy: PSK+ENCRYPT+TUNNEL+PFS
  Mar 2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds

ipsec statusall shows:

  000 Status of IKEv1 pluto daemon (strongSwan 4.5.1):
  000 interface lo/lo ::1:500
  000 interface lo/lo 127.0.0.1:500
  000 interface lo/lo 127.0.0.2:500
  000 interface eth0/eth0 <my public ip address here scrambled>:500
  000 interface eth1/eth1 192.168.2.225:500
  000 %myid = '%any'
  000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
  000 debug options: control
  000
  000 "net-net": 192.168.2.0/24===<my public ip address here scrambled>[vrtappmi02.mydomain.mycountry]...<theirs public ip address here scrambled>[ipsecgw.theirsdomain.theirscountry]===10.126.99.0/24; unrouted; eroute owner: #0
  000 "net-net": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
  000 "net-net": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth0;
  000 "net-net": newest ISAKMP SA: #0; newest IPsec SA: #0;
  000

Comparing with the ipsec statusall shown in the test scenario on the site, the last part is missing, but I think the problem is that NO packets are transmitted, no IKE proposed.

What can I check?

Thanks in advance,
Andrea
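As an added example (not from the post or from the strongSwan project), a small POSIX shell helper that reads the "net-net" lines of `ipsec statusall` and reports whether a policy is installed and whether an ISAKMP (IKE) and an IPsec SA exist; pluto prints "#0" when no SA exists, and with `auto=add` the connection is only loaded, so no IKE message leaves the box until `ipsec up` is run. The status text is constructed from the output quoted above, with RFC 5737 documentation addresses standing in for the scrambled ones, and the "after" sample assumes the connection was later brought up successfully.

```shell
#!/bin/sh
# Constructed sample: the "net-net" lines of the poster's `ipsec statusall`,
# with RFC 5737 documentation addresses in place of the scrambled ones.
STATUS_BEFORE='000 "net-net": 192.168.2.0/24===203.0.113.10[vrtappmi02.mydomain.mycountry]...198.51.100.20[ipsecgw.theirsdomain.theirscountry]===10.126.99.0/24; unrouted; eroute owner: #0
000 "net-net": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
000 "net-net": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth0;
000 "net-net": newest ISAKMP SA: #0; newest IPsec SA: #0;'

# Constructed sample of the same connection after `ipsec up net-net` succeeded
# (pluto status layout; the SA numbers are made up).
STATUS_AFTER='000 "net-net": 192.168.2.0/24===203.0.113.10[vrtappmi02.mydomain.mycountry]...198.51.100.20[ipsecgw.theirsdomain.theirscountry]===10.126.99.0/24; erouted; eroute owner: #2
000 "net-net": newest ISAKMP SA: #1; newest IPsec SA: #2;'

# conn_state CONN STATUS_TEXT
# Prints "<route state> ike=<n|none> child=<n|none>" for connection CONN;
# pluto reports SA numbers as "#n", and "#0" means no such SA exists.
conn_state() {
    printf '%s\n' "$2" | awk -v conn="\"$1\":" '
        $2 == conn && /eroute owner/ {
            # the route state sits between the last two semicolons of this line
            n = split($0, p, ";")
            route = p[n - 1]
            gsub(/^ +| +$/, "", route)
        }
        $2 == conn && /newest ISAKMP SA/ {
            match($0, /ISAKMP SA: #[0-9]+/)
            ike = substr($0, RSTART + 12, RLENGTH - 12)
            match($0, /IPsec SA: #[0-9]+/)
            child = substr($0, RSTART + 11, RLENGTH - 11)
        }
        END {
            if (ike == "0")   ike = "none"
            if (child == "0") child = "none"
            print route, "ike=" ike, "child=" child
        }'
}

# diagnose CONN STATUS_TEXT: one-line reading of the state for the no-traffic case.
diagnose() {
    case $(conn_state "$1" "$2") in
        "unrouted ike=none child=none")
            echo "nothing negotiated and no policy installed: auto=add only loads the connection; run 'ipsec up $1' (or set auto=start) so the first IKE message is sent" ;;
        *"ike=none"*)   echo "IKE SA missing: the peers did not complete phase 1" ;;
        *"child=none"*) echo "IKE SA up but no IPsec SA: phase 2 (ESP proposal/subnets) failed" ;;
        *)              echo "tunnel up" ;;
    esac
}

conn_state net-net "$STATUS_BEFORE"   # unrouted ike=none child=none
diagnose   net-net "$STATUS_BEFORE"
conn_state net-net "$STATUS_AFTER"    # erouted ike=1 child=2
```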
