Hello Andrea,

if you define auto=add then you must explicitly start the IKE negotiation with the command

  ipsec up net-net

Only if you define auto=start does the connection setup take place automatically with

  ipsec start

A third possibility would be to install an IPsec policy in the kernel with auto=route. The first packet destined for the tunnel will then trigger the IKE negotiation.

Regards

Andreas

On 02.03.2011 14:37, Andrea Lanza wrote:
> Hi all,
> I am absolutely new to strongswan.
>
> I have to set up a scenario in which 2 separated private networks are
> connected via internet with ipsec
>
> The scenario is exactly the one described in Test ikev1/net2net-psk
>
> http://www.strongswan.org/uml/testresults/ikev1/net2net-psk/
>
> I control only the left side, the right side being administered by another
> company, which uses hw devices.
>
> The problem I am facing is this: absolutely no packets exit from my gateway
> towards the other gateway!
>
> I saw this using iptables log packet on outgoing packets, and also on remote
> gateway not receiving any packets
>
> I was using opensuse 11.3 and openvpn 4.4 (bundled in opensuse 11.3)
>
> Then I uninstalled and downloaded and compiled the 4.5.1 version: no changes,
> no errors are detected
> everything seems to be very fine, PSK is loaded... but no packets come out of
> my box...!
>
>
> here is my setup:
>
> ipsec.conf
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>         plutodebug=control
>         charonstart=no
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev1
>         authby=secret
>
> conn net-net
>         left=<my public ip address here scrambled>
>         leftsubnet=192.168.2.0/24
>         leftid=@vrtappmi02.mydomain.mycountry
>         leftfirewall=yes
>         right=<theirs public ip address here scrambled>
>         rightsubnet=10.126.99.0/24
>         rightid=@ipsecgw.theirsdomanin.theirscountry
>         auto=add
>
>
> ipsec.secrets
>
> #
> # ipsec.secrets
> #
> # This file holds the RSA private keys or the PSK preshared secrets for
> # the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
> #
> @vrtappmi02.mydomain.mycountry @ipsecgw.theirsdomanin.theirscountry : PSK
> "thisisthescrambledkey"
>
>
> strongswan.conf
>
> pluto {
>   #load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
>   # load = aes des sha1 md5 sha2 hmac gmp random pubkey
>   # load = sha1 sha2 md5 aes des hmac gmp random pubkey
> }
>
> # pluto uses optimized DH exponent sizes (RFC 3526)
>
> libstrongswan {
>   dh_exponent_ansi_x9_42 = no
> }
>
>
> when I start ipsec I can read this in messages log:
>
> Mar 2 14:18:53 vrtappmi02 ipsec_starter[3722]: Starting strongSwan 4.5.1 IPsec [starter]...
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: Starting IKEv1 pluto daemon (strongSwan 4.5.1) THREADS VENDORID
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: listening on interfaces:
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: eth0
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: <my public ip address here scrambled>
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: fe80::20c:29ff:fe23:4272
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: eth1
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: 192.168.2.225
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: fe80::20c:29ff:fe23:427c
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: including NAT-Traversal patch (Version 0.6c) [disabled]
> Mar 2 14:18:53 vrtappmi02 ipsec_starter[3730]: pluto (3731) started after 20 ms
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading ca certificates from '/etc/ipsec.d/cacerts'
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading aa certificates from '/etc/ipsec.d/aacerts'
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: Changing to directory '/etc/ipsec.d/crls'
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading attribute certificates from '/etc/ipsec.d/acerts'
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: spawning 4 worker threads
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | inserting event EVENT_LOG_DAILY, timeout in 34867 seconds
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: |
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | *received whack message
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: listening for IKE messages
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 127.0.0.1
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 127.0.0.2
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found eth0 with address <my public ip address here scrambled>
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found eth1 with address 192.168.2.225
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface eth1/eth1 192.168.2.225:500
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface eth0/eth0 <my public ip address here scrambled>:500
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo 127.0.0.2:500
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo 127.0.0.1:500
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo ::1:500
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading secrets from "/etc/ipsec.secrets"
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loaded PSK secret for vrtappmi02.mydomain.mycountry ipsecgw.ipsecgw.theirsdomanin.theirscountry
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: |
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | *received whack message
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | from whack: got --esp=aes128-sha1,3des-sha1
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: added connection description "net-net"
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | 192.168.2.0/24===<my public ip address here scrambled>[vrtappmi02.mydomain.mycountry]...<theirs public ip address here scrambled>[ipsecgw.theirsdomanin.theirscountry]===10.126.99.0/24
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1; policy: PSK+ENCRYPT+TUNNEL+PFS
> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds
>
>
> ipsec statusall shows:
>
> 000 Status of IKEv1 pluto daemon (strongSwan 4.5.1):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface lo/lo 127.0.0.2:500
> 000 interface eth0/eth0 <my public ip address here scrambled>:500
> 000 interface eth1/eth1 192.168.2.225:500
> 000 %myid = '%any'
> 000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
> 000 debug options: control
> 000
> 000 "net-net": 192.168.2.0/24===<my public ip address here scrambled>[vrtappmi02.mydomain.mycountry]...<theirs public ip address here scrambled>[ipsecgw.theirsdomain.theirscountry]===10.126.99.0/24; unrouted; eroute owner: #0
> 000 "net-net": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
> 000 "net-net": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth0;
> 000 "net-net": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
>
>
> comparing with ipsec statusall shown in the test scenario on the site, the
> last part is missing, but I think the problem is that NO packets are transmitted,
> no IKE proposed.
>
> What can I check?
>
> thanks in advance,
> Andrea
>

--
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
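Added example, not part of the thread and not strongSwan's own code: a small POSIX shell helper that reads pluto's `ipsec statusall` output for one connection and reports the routing state printed after the right subnet ("unrouted", "erouted", ...) together with the newest ISAKMP SA number. With auto=add the connection is only loaded, which is exactly the "unrouted ... newest ISAKMP SA: #0" pair in Andrea's output; a script can use this to confirm whether a kernel policy exists or an IKE SA has been established before looking for packets with iptables. The two sample status texts are constructed in pluto's 4.x format with documentation placeholder addresses and ids (203.0.113.10, 198.51.100.20, vrtappmi02.example, ipsecgw.example); the function names conn_route_state, conn_isakmp_sa and conn_summary are mine, and the helper keys off the state word pluto prints rather than a fixed list of state names.

```shell
#!/bin/sh
# Added example, not strongSwan code: inspect pluto "ipsec statusall" output for one conn.
# "unrouted" together with "newest ISAKMP SA: #0" means the conn was only loaded (auto=add)
# and nothing has triggered IKE yet, which is what the status quoted in the thread shows.

# Constructed sample in pluto's status format; addresses and ids are placeholders.
SAMPLE_LOADED='000 "net-net": 192.168.2.0/24===203.0.113.10[vrtappmi02.example]...198.51.100.20[ipsecgw.example]===10.126.99.0/24; unrouted; eroute owner: #0
000 "net-net": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
000 "net-net": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth0;
000 "net-net": newest ISAKMP SA: #0; newest IPsec SA: #0;'

# Constructed sample for the same conn after a tunnel policy and SAs are in place.
SAMPLE_UP='000 "net-net": 192.168.2.0/24===203.0.113.10[vrtappmi02.example]...198.51.100.20[ipsecgw.example]===10.126.99.0/24; erouted; eroute owner: #2
000 "net-net": newest ISAKMP SA: #1; newest IPsec SA: #2;'

# conn_route_state NAME STATUS_TEXT
# Prints the routing field that follows the right subnet ("unrouted", "erouted", ...),
# or "absent" if the conn does not appear in the status text at all.
conn_route_state() {
    name=$1
    status=$2
    state=$(printf '%s\n' "$status" \
        | grep -F "\"$name\": " \
        | sed -n 's/.*===[^;]*; \([^;]*\);.*/\1/p' \
        | head -n 1) || true
    if [ -n "$state" ]; then printf '%s\n' "$state"; else printf 'absent\n'; fi
}

# conn_isakmp_sa NAME STATUS_TEXT
# Prints the newest ISAKMP (IKE) SA number for the conn; 0 means no IKE SA exists.
conn_isakmp_sa() {
    name=$1
    status=$2
    num=$(printf '%s\n' "$status" \
        | grep -F "\"$name\": newest ISAKMP SA:" \
        | sed -n 's/.*newest ISAKMP SA: #\([0-9]*\);.*/\1/p' \
        | head -n 1) || true
    printf '%s\n' "${num:-0}"
}

# conn_summary NAME STATUS_TEXT
# One-line verdict that a monitoring script can act on.
conn_summary() {
    state=$(conn_route_state "$1" "$2")
    sa=$(conn_isakmp_sa "$1" "$2")
    if [ "$state" = absent ]; then
        echo "$1: not loaded"
    elif [ "$state" = unrouted ] && [ "$sa" = 0 ]; then
        echo "$1: loaded only, no kernel policy and no IKE SA (auto=add, run: ipsec up $1)"
    elif [ "$sa" = 0 ]; then
        echo "$1: policy installed ($state) but no IKE SA yet"
    else
        echo "$1: $state, ISAKMP SA #$sa"
    fi
}

# Live use on the gateway (as root): conn_summary net-net "$(ipsec statusall)"
conn_summary net-net "$SAMPLE_LOADED"
conn_summary net-net "$SAMPLE_UP"
```

On a real gateway, replace the constructed samples with `"$(ipsec statusall)"`; if the summary reports "loaded only", no IKE packet has left the box yet, so an iptables log of outgoing UDP/500 will necessarily be empty until `ipsec up net-net` is run or the conn is switched to auto=start or auto=route.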
