Maybe the problem is in the name: we are presenting as a name, and the peer gateway expects another name (or an address, I didn't understand), so they are checking this possibility by modifying their setup.
I will let you (and the list) know as early as I can.

Thanks again,
Andrea

> -----Original message-----
> From: Andreas Steffen [mailto:[email protected]]
> Sent: Wednesday, 2 March 2011 16:22
> To: Andrea Lanza
> Cc: '[email protected]'
> Subject: Re: R: [strongSwan] ikev1-net2net-psk help
>
> Yes, without this output I cannot make any diagnosis.
>
> Regards
>
> Andreas
>
> On 02.03.2011 16:20, Andrea Lanza wrote:
> > thanks for your answer
> >
> > we discovered it by ourselves, but now the scenario changed:
> >
> > ike phase 1 is ok
> >
> > phase 2 hangs:
> >
> > now we have:
> >
> > ipsec.conf
> >
> > config setup
> >     plutodebug=all
> >     charonstart=no
> >
> > conn %default
> >     ikelifetime=60m
> >     keylife=20m
> >     rekeymargin=3m
> >     keyingtries=1
> >     keyexchange=ikev1
> >     authby=secret
> >
> > conn net-net
> >     authby=psk
> >     keyexchange=ikev1
> >     left=...
> >     leftsubnet=192.168.2.0/24
> >     leftid=@vrtappmi02.....
> >     leftfirewall=yes
> >     right=....
> >     rightsubnet=10.126.99.0/24
> >     rightid=@ipsecgw.....
> >     ike=3des-sha1-modp1024
> >     compress=no
> >     auto=start
> >     pfs=no
> >     esp=3des-sha1-modp1024
> >
> >
> > ipsec statusall:
> >
> > 000
> > 000 #2: "net-net" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 37s
> > 000 #2: pending Phase 2 for "net-net" replacing #0
> > 000
> >
> >
> > debug shows a lot of messages exchanged by the gateways, but they contain "sensible" data, I think...
> >
> > maybe I can send that output separately, if you think it can be useful
> >
> > Andrea
> >
> >
> >> -----Original message-----
> >> From: Andreas Steffen [mailto:[email protected]]
> >> Sent: Wednesday, 2 March 2011 16:08
> >> To: Andrea Lanza
> >> Cc: '[email protected]'
> >> Subject: Re: [strongSwan] ikev1-net2net-psk help
> >>
> >> Hello Andrea,
> >>
> >> if you define auto=add then you must explicitly start the
> >> IKE negotiation with the command
> >>
> >>   ipsec up net-net
> >>
> >> Only if you define auto=start, the connection setup takes
> >> place automatically with
> >>
> >>   ipsec start
> >>
> >> A third possibility would be to install an IPsec policy
> >> in the kernel with auto=route. The first packet destined
> >> for the tunnel will then trigger the IKE negotiation.
> >>
> >> Regards
> >>
> >> Andreas
> >>
> >> On 02.03.2011 14:37, Andrea Lanza wrote:
> >>> Hi all,
> >>> I am absolutely new to strongswan.
> >>>
> >>> I have to setup a scenario in which 2 separated private networks are connected via internet with ipsec
> >>>
> >>> The scenario is exactly the one described in Test ikev1/net2net-psk
> >>>
> >>> http://www.strongswan.org/uml/testresults/ikev1/net2net-psk/
> >>>
> >>> I control only the left side, being the right side administered by another company, which uses hw devices.
> >>>
> >>> The problem I am facing is this: absolutely no packets exit from my gateway towards the other gateway!
> >>>
> >>> I saw this using iptables log packet on outgoing packets, and also on remote gateway not receiving any packets
> >>>
> >>> I was using opensuse 11.3 and openvpn 4.4 (bundled in opensuse 11.3)
> >>>
> >>> Then I uninstalled and downloaded and compiled the 4.5.1 version: no changes, no errors are detected
> >>> everything seems to be very fine, PSK is loaded... but no packets come out of my box...!
> >>>
> >>>
> >>> here is my setup:
> >>>
> >>> ipsec.conf
> >>>
> >>> # ipsec.conf - strongSwan IPsec configuration file
> >>>
> >>> config setup
> >>>     plutodebug=control
> >>>     charonstart=no
> >>>
> >>> conn %default
> >>>     ikelifetime=60m
> >>>     keylife=20m
> >>>     rekeymargin=3m
> >>>     keyingtries=1
> >>>     keyexchange=ikev1
> >>>     authby=secret
> >>>
> >>> conn net-net
> >>>     left=<my public ip address here scrambled>
> >>>     leftsubnet=192.168.2.0/24
> >>>     leftid=@vrtappmi02.mydomain.mycountry
> >>>     leftfirewall=yes
> >>>     right=<theirs public ip address here scrambled>
> >>>     rightsubnet=10.126.99.0/24
> >>>     rightid=@ipsecgw.theirsdomanin.theirscountry
> >>>     auto=add
> >>>
> >>>
> >>> ipsec.secrets
> >>>
> >>> #
> >>> # ipsec.secrets
> >>> #
> >>> # This file holds the RSA private keys or the PSK preshared secrets for
> >>> # the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
> >>> #
> >>> @vrtappmi02.mydomain.mycountry @ipsecgw.theirsdomanin.theirscountry : PSK "thisisthescrambledkey"
> >>>
> >>>
> >>> strongswan.conf
> >>>
> >>> pluto {
> >>>     #load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
> >>>     # load = aes des sha1 md5 sha2 hmac gmp random pubkey
> >>>     # load = sha1 sha2 md5 aes des hmac gmp random pubkey
> >>> }
> >>>
> >>> # pluto uses optimized DH exponent sizes (RFC 3526)
> >>>
> >>> libstrongswan {
> >>>     dh_exponent_ansi_x9_42 = no
> >>> }
> >>>
> >>>
> >>> when I start ipsec I can read this in messages log:
> >>>
> >>> Mar 2 14:18:53 vrtappmi02 ipsec_starter[3722]: Starting strongSwan 4.5.1 IPsec [starter]...
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: Starting IKEv1 pluto daemon (strongSwan 4.5.1) THREADS VENDORID
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: listening on interfaces:
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: eth0
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: <my public ip address here scrambled>
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: fe80::20c:29ff:fe23:4272
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: eth1
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: 192.168.2.225
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: fe80::20c:29ff:fe23:427c
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: including NAT-Traversal patch (Version 0.6c) [disabled]
> >>> Mar 2 14:18:53 vrtappmi02 ipsec_starter[3730]: pluto (3731) started after 20 ms
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading ca certificates from '/etc/ipsec.d/cacerts'
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading aa certificates from '/etc/ipsec.d/aacerts'
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: Changing to directory '/etc/ipsec.d/crls'
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading attribute certificates from '/etc/ipsec.d/acerts'
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: spawning 4 worker threads
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | inserting event EVENT_LOG_DAILY, timeout in 34867 seconds
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: |
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | *received whack message
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: listening for IKE messages
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 127.0.0.1
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 127.0.0.2
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found eth0 with address <my public ip address here scrambled>
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found eth1 with address 192.168.2.225
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface eth1/eth1 192.168.2.225:500
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface eth0/eth0 <my public ip address here scrambled>:500
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo 127.0.0.2:500
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo 127.0.0.1:500
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: adding interface lo/lo ::1:500
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loading secrets from "/etc/ipsec.secrets"
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: loaded PSK secret for vrtappmi02.mydomain.mycountry ipsecgw.ipsecgw.theirsdomanin.theirscountry
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: |
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | *received whack message
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | from whack: got --esp=aes128-sha1,3des-sha1
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: added connection description "net-net"
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | 192.168.2.0/24===<my public ip address here scrambled>[vrtappmi02.mydomain.mycountry]...<theirs public ip address here scrambled>[ipsecgw.theirsdomanin.theirscountry]===10.126.99.0/24
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1; policy: PSK+ENCRYPT+TUNNEL+PFS
> >>> Mar 2 14:18:53 vrtappmi02 pluto[3731]: | next event EVENT_REINIT_SECRET in 3600 seconds
> >>>
> >>>
> >>> ipsec statusall shows:
> >>>
> >>> 000 Status of IKEv1 pluto daemon (strongSwan 4.5.1):
> >>> 000 interface lo/lo ::1:500
> >>> 000 interface lo/lo 127.0.0.1:500
> >>> 000 interface lo/lo 127.0.0.2:500
> >>> 000 interface eth0/eth0 <my public ip address here scrambled>:500
> >>> 000 interface eth1/eth1 192.168.2.225:500
> >>> 000 %myid = '%any'
> >>> 000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
> >>> 000 debug options: control
> >>> 000
> >>> 000 "net-net": 192.168.2.0/24===<my public ip address here scrambled>[vrtappmi02.mydomain.mycountry]...<theirs public ip address here scrambled>[ipsecgw.theirsdomain.theirscountry]===10.126.99.0/24; unrouted; eroute owner: #0
> >>> 000 "net-net": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
> >>> 000 "net-net": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth0;
> >>> 000 "net-net": newest ISAKMP SA: #0; newest IPsec SA: #0;
> >>> 000
> >>>
> >>>
> >>> comparing with ipsec statusall shown in the test scenario on the site, the last part is missing, but I think the problem is that NO packets transmitted, no IKE proposed.
> >>>
> >>> What can I check?
> >>>
> >>> thanks in advance,
> >>> Andrea
>
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
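The thread turns on two things a defender checks when an IKEv1 PSK tunnel stalls: whether `auto=` actually starts a negotiation at all (Andreas's reply on auto=add / auto=start / auto=route), and which Main Mode reply the initiator is waiting for (the `STATE_MAIN_I3 (sent MI3, expecting MR3)` line, the step at which the peer verifies our identity and the PSK-derived keys). The script below is an added example, not code from the thread or from the strongSwan project: it parses the `ipsec statusall` state lines and ipsec.conf / ipsec.secrets fragments of the kind quoted above and reports where the negotiation is stuck and whether the conn's leftid/rightid pair has a PSK entry. The Main Mode explanations are a general summary of the IKEv1 exchange; the hostnames, addresses and key in the sample inputs are constructed.

```python
"""Hypothetical pluto (IKEv1) stall diagnostic; added example, not strongSwan code."""
import re

# What the initiator is waiting for in each pluto Main Mode state.
# MR1 = SA reply, MR2 = key exchange reply, MR3 = (encrypted) identity/auth reply.
MAIN_MODE = {
    "STATE_MAIN_I1": "waiting for MR1: no SA reply (UDP/500 reachability or ike= proposal rejected)",
    "STATE_MAIN_I2": "waiting for MR2: no key-exchange reply (DH group mismatch or packet loss)",
    "STATE_MAIN_I3": "waiting for MR3: peer did not accept our ID or could not verify the PSK-derived keys",
    "STATE_MAIN_I4": "Phase 1 complete",
}

STATUS_RE = re.compile(r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)" (?P<state>STATE_\w+)')
SECRET_RE = re.compile(r'^(?P<ids>[^:#]*):\s*PSK\s+"(?P<psk>[^"]*)"')


def parse_status(text):
    """Return [(sa_number, conn_name, state, explanation)] from `ipsec statusall` output."""
    out = []
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            state = m.group("state")
            out.append((int(m.group("sa")), m.group("conn"), state,
                        MAIN_MODE.get(state, "not a Main Mode initiator state")))
    return out


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}; 'conn %default' values are merged into each conn."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                # unindented line starts a section
            kind, _, name = line.partition(" ")
            cur = sections.setdefault(f"{kind} {name.strip()}", {})
            continue
        key, _, val = line.strip().partition("=")
        if cur is not None:
            cur[key.strip()] = val.strip()
    default = sections.get("conn %default", {})
    return {sec[5:]: {**default, **kv} for sec, kv in sections.items()
            if sec.startswith("conn ") and sec != "conn %default"}


def parse_psk_secrets(text):
    """Return [(frozenset_of_ids, psk)] for each PSK line; an empty id set means %any."""
    out = []
    for line in text.splitlines():
        m = SECRET_RE.match(line.strip())
        if m:
            out.append((frozenset(m.group("ids").split()), m.group("psk")))
    return out


def diagnose(conn_name, conns, secrets, status):
    """Return human-readable findings for one conn."""
    findings = []
    conn = conns[conn_name]
    if conn.get("auto", "ignore") == "add":
        findings.append("auto=add: the negotiation only starts after 'ipsec up %s'" % conn_name)
    if conn.get("authby") in ("secret", "psk"):
        ids = {conn.get("leftid"), conn.get("rightid")} - {None}
        if not any(not sid or ids <= sid for sid, _ in secrets):
            findings.append("no PSK line in ipsec.secrets covers the IDs %s" % sorted(ids))
    for sa, name, state, expl in status:
        if name == conn_name:
            findings.append("SA #%d %s: %s" % (sa, state, expl))
    return findings


# Constructed sample inputs (addresses, names and key are placeholders).
SAMPLE_CONF = """\
config setup
    plutodebug=control
    charonstart=no

conn %default
    keyexchange=ikev1
    authby=secret

conn net-net
    left=203.0.113.10
    leftsubnet=192.168.2.0/24
    leftid=@left.example
    right=198.51.100.20
    rightsubnet=10.126.99.0/24
    rightid=@right.example
    auto=add
"""
SAMPLE_SECRETS = '@left.example @right.example : PSK "constructed-sample-key"\n'
SAMPLE_STATUS = """\
000 Status of IKEv1 pluto daemon (strongSwan 4.5.1):
000
000 #2: "net-net" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 37s
000 #2: pending Phase 2 for "net-net" replacing #0
000
"""

if __name__ == "__main__":
    for f in diagnose("net-net", parse_ipsec_conf(SAMPLE_CONF),
                      parse_psk_secrets(SAMPLE_SECRETS), parse_status(SAMPLE_STATUS)):
        print(f)
```

On a real box, feed it the three files plus `ipsec statusall` output; a stall at MR3 combined with a missing or mismatched PSK line is the configuration to fix first, before looking at debug traces.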
