Yes, without this output I cannot make any diagnosis.

Regards

Andreas

On 02.03.2011 16:20, Andrea Lanza wrote:
> thanks for your answer
>
> we discovered it by ourselves, but now the scenario changed:
>
> ike phase 1 is ok
>
> phase 2 hangs:
>
> now we have:
>
> ipsec.conf
>
> config setup
>         plutodebug=all
>         charonstart=no
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev1
>         authby=secret
>
> conn net-net
>         authby=psk
>         keyexchange=ikev1
>         left=...
>         leftsubnet=192.168.2.0/24
>         leftid=@vrtappmi02.....
>         leftfirewall=yes
>         right=....
>         rightsubnet=10.126.99.0/24
>         rightid=@ipsecgw.....
>         ike=3des-sha1-modp1024
>         compress=no
>         auto=start
>         pfs=no
>         esp=3des-sha1-modp1024
>
>
> ipsec statusall:
>
> 000
> 000 #2: "net-net" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 37s
> 000 #2: pending Phase 2 for "net-net" replacing #0
> 000
>
>
> debug shows a lot of messages exchanged by the gateways, but they contain
> "sensible" data, I think...
>
> maybe I can send that output separately, if you think it can be useful
>
> Andrea
>
>
>
>> -----Original Message-----
>> From: Andreas Steffen [mailto:[email protected]]
>> Sent: Wednesday, 2 March 2011 16:08
>> To: Andrea Lanza
>> Cc: '[email protected]'
>> Subject: Re: [strongSwan] ikev1-net2net-psk help
>>
>> Hello Andrea,
>>
>> if you define auto=add then you must explicitly start the
>> IKE negotiation with the command
>>
>>   ipsec up net-net
>>
>> Only if you define auto=start, the connection setup takes
>> place automatically with
>>
>>   ipsec start
>>
>> A third possibility would be to install an IPsec policy
>> in the kernel with auto=route. The first packet destined
>> for the tunnel will then trigger the IKE negotiation.
>>
>> Regards
>>
>> Andreas
>>
>> On 02.03.2011 14:37, Andrea Lanza wrote:
>>> Hi all,
>>> I am absolutely new to strongSwan.
>>>
>>> I have to set up a scenario in which 2 separate private networks are
>>> connected via the internet with ipsec
>>>
>>> The scenario is exactly the one described in Test ikev1/net2net-psk
>>>
>>> http://www.strongswan.org/uml/testresults/ikev1/net2net-psk/
>>>
>>> I control only the left side, the right side being administered by
>>> another company, which uses hw devices.
>>>
>>> The problem I am facing is this: absolutely no packets exit from my
>>> gateway towards the other gateway!
>>>
>>> I saw this using iptables log packet on outgoing packets, and also on
>>> the remote gateway not receiving any packets
>>>
>>> I was using opensuse 11.3 and openvpn 4.4 (bundled in opensuse 11.3)
>>>
>>> Then I uninstalled and downloaded and compiled the 4.5.1 version: no
>>> changes, no errors are detected
>>> everything seems to be very fine, PSK is loaded... but no packets come
>>> out of my box...!
>>>
>>>
>>> here is my setup:
>>>
>>> ipsec.conf
>>>
>>> # ipsec.conf - strongSwan IPsec configuration file
>>>
>>> config setup
>>>         plutodebug=control
>>>         charonstart=no
>>>
>>> conn %default
>>>         ikelifetime=60m
>>>         keylife=20m
>>>         rekeymargin=3m
>>>         keyingtries=1
>>>         keyexchange=ikev1
>>>         authby=secret
>>>
>>> conn net-net
>>>         left=<my public ip address here scrambled>
>>>         leftsubnet=192.168.2.0/24
>>>         leftid=@vrtappmi02.mydomain.mycountry
>>>         leftfirewall=yes
>>>         right=<theirs public ip address here scrambled>
>>>         rightsubnet=10.126.99.0/24
>>>         rightid=@ipsecgw.theirsdomanin.theirscountry
>>>         auto=add
>>>
>>>
>>> ipsec.secrets
>>>
>>> #
>>> # ipsec.secrets
>>> #
>>> # This file holds the RSA private keys or the PSK preshared secrets for
>>> # the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
>>> #
>>> @vrtappmi02.mydomain.mycountry @ipsecgw.theirsdomanin.theirscountry : PSK "thisisthescrambledkey"
>>>
>>>
>>>
>>> strongswan.conf
>>>
>>> pluto {
>>>   #load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
>>>   # load = aes des sha1 md5 sha2 hmac gmp random pubkey
>>>   # load = sha1 sha2 md5 aes des hmac gmp random pubkey
>>> }
>>>
>>> # pluto uses optimized DH exponent sizes (RFC 3526)
>>>
>>> libstrongswan {
>>>   dh_exponent_ansi_x9_42 = no
>>> }
>>>
>>>
>>>
>>> when I start ipsec I can read this in messages log:
>>>
>>>
>>> Mar 2 14:18:53 vrtappmi02 ipsec_starter[3722]: Starting strongSwan 4.5.1 IPsec [starter]...
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: Starting IKEv1 pluto daemon (strongSwan 4.5.1) THREADS VENDORID
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: listening on interfaces:
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]:   eth0
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]:     <my public ip address here scrambled>
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]:     fe80::20c:29ff:fe23:4272
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]:   eth1
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]:     192.168.2.225
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]:     fe80::20c:29ff:fe23:427c
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: including NAT-Traversal patch (Version 0.6c) [disabled]
>>> Mar 2 14:18:53 vrtappmi02 ipsec_starter[3730]: pluto (3731) started after 20 ms
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading ca certificates from '/etc/ipsec.d/cacerts'
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading aa certificates from '/etc/ipsec.d/aacerts'
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: Changing to directory '/etc/ipsec.d/crls'
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading attribute certificates from '/etc/ipsec.d/acerts'
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: spawning 4 worker threads
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | inserting event EVENT_LOG_DAILY, timeout in 34867 seconds
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: |
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | *received whack message
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: listening for IKE messages
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 127.0.0.1
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 127.0.0.2
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found eth0 with address <my public ip address here scrambled>
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found eth1 with address 192.168.2.225
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface eth1/eth1 192.168.2.225:500
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface eth0/eth0 <my public ip address here scrambled>:500
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo 127.0.0.2:500
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo 127.0.0.1:500
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo ::1:500
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading secrets from "/etc/ipsec.secrets"
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loaded PSK secret for vrtappmi02.mydomain.mycountry ipsecgw.ipsecgw.theirsdomanin.theirscountry
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: |
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | *received whack message
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | from whack: got --esp=aes128-sha1,3des-sha1
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: added connection description "net-net"
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | 192.168.2.0/24===<my public ip address here scrambled>[vrtappmi02.mydomain.mycountry]...<theirs public ip address here scrambled>[ipsecgw.theirsdomanin.theirscountry]===10.126.99.0/24
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1; policy: PSK+ENCRYPT+TUNNEL+PFS
>>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds
>>>
>>>
>>>
>>> ipsec statusall shows:
>>>
>>> 000 Status of IKEv1 pluto daemon (strongSwan 4.5.1):
>>> 000 interface lo/lo ::1:500
>>> 000 interface lo/lo 127.0.0.1:500
>>> 000 interface lo/lo 127.0.0.2:500
>>> 000 interface eth0/eth0 <my public ip address here scrambled>:500
>>> 000 interface eth1/eth1 192.168.2.225:500
>>> 000 %myid = '%any'
>>> 000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
>>> 000 debug options: control
>>> 000
>>> 000 "net-net": 192.168.2.0/24===<my public ip address here scrambled>[vrtappmi02.mydomain.mycountry]...<theirs public ip address here scrambled>[ipsecgw.theirsdomain.theirscountry]===10.126.99.0/24; unrouted; eroute owner: #0
>>> 000 "net-net":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
>>> 000 "net-net":   policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth0;
>>> 000 "net-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
>>> 000
>>>
>>>
>>> comparing with the ipsec statusall shown in the test scenario on the
>>> site, the last part is missing, but I think the problem is that NO
>>> packets are transmitted, no IKE proposed.
>>>
>>> What can I check?
>>>
>>> thanks in advance,
>>> Andrea

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
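Two things in this thread are worth checking mechanically before sending debug output anywhere: the `auto=` setting (Andreas's reply spells out that `add` only loads the conn, `start` negotiates at `ipsec start`, and `route` installs a trap policy) and the second ipsec.conf, which sets `pfs=no` while naming a DH group in `esp=`, and uses 3DES/MODP1024 throughout. The `ipsec statusall` line in the reply (`#2 ... STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT`) also shows the ISAKMP SA still in main mode, i.e. phase 1 has not completed: MI3 is the first encrypted main-mode message, so a peer that never answers it usually could not decrypt or authenticate it (PSK or ID mismatch). The script below is an added example written for this page, not strongSwan code: it parses ipsec.conf `conn` sections with `%default` inheritance, lints them for the points above, and explains pluto state lines. The sample config and status text are constructed to mirror the thread with documentation addresses and example identities (`192.0.2.1`, `198.51.100.1`, `@vrtappmi02.example`, `@ipsecgw.example`) in place of the scrambled values; the `AUTO_MEANING` and `MAIN_MODE_HINT` tables and all function names are this example's own.

```python
"""Added example (not strongSwan code): lint a strongSwan ipsec.conf conn
for the auto= and proposal pitfalls raised in the thread and explain an
IKEv1 'ipsec statusall' state line.  Sample inputs are constructed."""
import re

# Constructed sample modelled on the second ipsec.conf in the thread.
SAMPLE_CONF = """\
config setup
        plutodebug=all
        charonstart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

conn net-net
        authby=psk
        left=192.0.2.1
        leftsubnet=192.168.2.0/24
        leftid=@vrtappmi02.example
        right=198.51.100.1
        rightsubnet=10.126.99.0/24
        rightid=@ipsecgw.example
        ike=3des-sha1-modp1024
        auto=start
        pfs=no
        esp=3des-sha1-modp1024
"""

# Constructed sample modelled on the statusall excerpt in the thread.
SAMPLE_STATUS = """\
000 #2: "net-net" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 37s
000 #2: pending Phase 2 for "net-net" replacing #0
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged in.
    Section headers ('config setup', 'conn NAME') start at column 0 and
    their key=value lines are indented, as ipsec.conf requires."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                   # section header
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None and "=" in line:  # key=value inside a section
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **vals} for (kind, name), vals in sections.items()
            if kind == "conn" and name != "%default"}


# Meaning of auto= as explained in Andreas Steffen's reply above.
AUTO_MEANING = {
    "add":   "loaded only; nothing is sent until 'ipsec up {conn}'",
    "start": "negotiated automatically by 'ipsec start'",
    "route": "kernel trap policy installed; first packet for the tunnel triggers IKE",
}
DH_GROUP = re.compile(r"\bmodp\d+\b")
LEGACY = ("3des", "modp1024")   # example's own list of legacy-strength algorithms


def lint_conn(name, conn):
    """Return a list of (severity, message) findings for one conn."""
    findings = []
    auto = conn.get("auto", "ignore")
    if auto in AUTO_MEANING:
        findings.append(("info", f"auto={auto}: " + AUTO_MEANING[auto].format(conn=name)))
    else:
        findings.append(("warn", f"auto={auto}: connection is never negotiated"))
    esp = conn.get("esp", "")
    if DH_GROUP.search(esp) and conn.get("pfs", "yes") == "no":   # ipsec.conf default is pfs=yes
        findings.append(("warn", f"esp={esp} names a DH group but pfs=no; "
                                 "the group only applies with pfs=yes, so one of the two is unintended"))
    for key in ("ike", "esp"):
        prop = conn.get(key, "")
        hits = [alg for alg in LEGACY if alg in prop]
        if hits:
            findings.append(("warn", f"{key}={prop}: {', '.join(hits)} are legacy strength; "
                                     "prefer AES and MODP2048 or larger if the peer allows it"))
    return findings


STATE_LINE = re.compile(r'#(\d+): "([^"]+)" (STATE_\w+) \(([^)]*)\)(?:; (EVENT_\w+))?')
# IKEv1 main mode: MI3/MR3 are the first encrypted messages (ID + HASH), so a
# responder that cannot decrypt or authenticate MI3 simply stays silent.
MAIN_MODE_HINT = {
    "STATE_MAIN_I1": "no answer to MI1: peer unreachable, UDP/500 filtered, or no acceptable IKE proposal",
    "STATE_MAIN_I2": "no answer to MI2 (KE/nonce): exchange started but stalled, check the path (e.g. dropped fragments)",
    "STATE_MAIN_I3": "no answer to MI3, the first encrypted message: peer could not decrypt or "
                     "authenticate it, typically a PSK or ID mismatch (phase 1 is NOT complete)",
    "STATE_MAIN_I4": "ISAKMP SA established; phase 1 complete",
}


def explain_status(text):
    """Parse pluto 'ipsec statusall' SA lines into dicts with a diagnostic hint."""
    out = []
    for sa, conn, state, desc, event in STATE_LINE.findall(text):
        hint = MAIN_MODE_HINT.get(state, desc)
        if event == "EVENT_RETRANSMIT":
            hint = "retransmitting; " + hint
        out.append({"sa": int(sa), "conn": conn, "state": state,
                    "phase1_done": state == "STATE_MAIN_I4", "hint": hint})
    return out


if __name__ == "__main__":
    for name, conn in parse_ipsec_conf(SAMPLE_CONF).items():
        for sev, msg in lint_conn(name, conn):
            print(f"[{sev}] {name}: {msg}")
    for sa in explain_status(SAMPLE_STATUS):
        print(f"#{sa['sa']} {sa['conn']} {sa['state']}: {sa['hint']}")
```

Run it against a real `/etc/ipsec.conf` by reading the file into `parse_ipsec_conf`, and paste the output of `ipsec statusall` into `explain_status`; on the thread's config it reports the `pfs=no` versus `esp=...-modp1024` contradiction, the two legacy proposals, and that `#2` is still waiting for MR3, which points at the PSK or the `leftid`/`rightid` pair rather than at phase 2.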
