Begin forwarded message:

From: neil payne <[email protected]>
Date: 26 April 2011 15:40:03 GMT+01:00
To: Andreas Steffen <[email protected]>
Cc: Alan Parkinson <[email protected]>
Subject: Re: no ike packets being generated


Hi Andreas,
We reverted to v4.3.2 but the 'up' command still doesn't recognize the net-net connection:

ubuntu@ip-10-5-51-61:~$ sudo ipsec --version
sudo: unable to resolve host ip-10-5-51-61
Linux strongSwan U4.3.2/K2.6.32-312-ec2
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
ubuntu@ip-10-5-51-61:~$ 
ubuntu@ip-10-5-51-61:~$ 
ubuntu@ip-10-5-51-61:~$ 
ubuntu@ip-10-5-51-61:~$ sudo ipsec up net-net
sudo: unable to resolve host ip-10-5-51-61
021 no connection named "net-net"
ubuntu@ip-10-5-51-61:~$ 
ubuntu@ip-10-5-51-61:~$ 
ubuntu@ip-10-5-51-61:~$ 
ubuntu@ip-10-5-51-61:~$ sudo ipsec statusall  !!!!!!!!! this has the appearance of the later version's statusall output rather than v4.3.2 !!!!!!!!
sudo: unable to resolve host ip-10-5-51-61
000 Status of IKEv1 pluto daemon (strongSwan 4.3.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.5.51.61:500
000 interface dummy0/dummy0 46.51.193.145:500
000 %myid = (none)
000 loaded plugins: aes des sha1 sha2 md5 random pubkey hmac gmp 
000 debug options: none
000 
Status of IKEv2 charon daemon (strongSwan 4.3.2):
  uptime: 4 minutes, since Apr 26 14:28:12 2011
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
  loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink stroke updown attr resolv-conf 
Listening IP addresses:
  10.5.51.61
  46.51.193.145
Connections:
Security Associations:
  none



# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        plutodebug=all
        charonstart=no
        nat_traversal=yes

conn %default
        ikelifetime=1440m
        keylife=1m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret
        pfs=no


conn net-net
        ike=3des-md5-modp1024,3des-md5-modp1024
        esp=3des-md5,3des-md5
        leftid=@ip-10-5-51-61
        leftsourceip=10.5.51.61
        left=46.51.193.145
        leftsubnetwithin=10.5.0.0/16
        leftfirewall=yes
        right=50.56.121.20
        rightsubnet=10.181.32.0/19
        rightid=@TestNP
        auto=add


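As an added example (not from this thread and not strongSwan's own code), a small Python checker that parses a plain-text ipsec.conf in the layout pasted above, applies conn %default, and reports which daemon would load a named conn under the strongSwan 4.x starter rule assumed here (keyexchange=ikev1 to pluto, ikev2 to charon, ike to both) and whether config setup actually starts that daemon. It refuses an RTF-wrapped file, since the config as pasted above carries RTF markup and starter reads plain text only.

```python
SAMPLE_CONF = """\
# constructed sample, laid out like the ipsec.conf pasted above
config setup
        charonstart=no
conn %default
        keyexchange=ikev1

conn net-net
        ike=3des-md5-modp1024,3des-md5-modp1024
        left=46.51.193.145
        right=50.56.121.20
        auto=add
"""

def parse_ipsec_conf(text):
    """Parse ipsec.conf (headers in column 0, indented key=value lines) into {section: {key: value}}."""
    if text.lstrip().startswith("{\\rtf"):  # the config pasted above carries RTF markup
        raise ValueError("RTF file, not plain text: starter would not parse it")
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # '#' starts a comment
        if not line.strip():
            continue
        if not line[0].isspace():
            current = sections.setdefault(" ".join(line.split()), {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def effective_conn(sections, name):
    """Merge 'conn %default' under the named conn, as starter does; None if undefined."""
    if f"conn {name}" not in sections:
        return None
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections[f"conn {name}"])
    return merged

def daemons_for(sections, name):
    """(daemons that load the conn, problems) under the assumed strongSwan 4.x starter
    rule: keyexchange=ikev1 -> pluto, ikev2 -> charon, ike (the default) -> both."""
    conn = effective_conn(sections, name)
    if conn is None:
        return [], [f'no connection named "{name}"']
    kx = conn.get("keyexchange", "ike")
    daemons = {"ikev1": ["pluto"], "ikev2": ["charon"]}.get(kx, ["pluto", "charon"])
    setup = sections.get("config setup", {})
    problems = [f"{d}start=no in config setup, but conn {name} is loaded by {d}"
                for d in daemons if setup.get(f"{d}start", "yes") != "yes"]
    return daemons, problems
```

Running daemons_for(parse_ipsec_conf(open("/etc/ipsec.conf").read()), "net-net") on a box prints the daemon that should own the conn; an empty daemon list reproduces the 'no connection named' symptom from the pasted session.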
On 21 Apr 2011, at 13:25, neil payne wrote:


Hi Andreas, 
We're now running version 4.5.1 on the leftfirewall (downgraded from the one below). We are using the same config files as the ones I sent last night but on the left firewall it doesn't recognize the net-net connection:

ubuntu@ip-10-5-51-61:/etc$ sudo ipsec --version
sudo: unable to resolve host ip-10-5-51-61
Linux strongSwan U4.5.1/K2.6.32-312-ec2
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
ubuntu@ip-10-5-51-61:/etc$ 
ubuntu@ip-10-5-51-61:/etc$ 
ubuntu@ip-10-5-51-61:/etc$ 
ubuntu@ip-10-5-51-61:/etc$ 
ubuntu@ip-10-5-51-61:/etc$ sudo ipsec up net-net
sudo: unable to resolve host ip-10-5-51-61
021 no connection named "net-net"
ubuntu@ip-10-5-51-61:/etc$ 


If I use ipsec up net-net on the rightfirewall running 4.3.2 it does generate IKE packets which reach the leftfirewall but the left firewall doesn't recognize it and logs:

Apr 21 12:10:15 ip-10-5-51-61 pluto[16057]: packet from 50.56.121.20:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Apr 21 12:10:15 ip-10-5-51-61 pluto[16057]: packet from 50.56.121.20:500: initial Main Mode message received on 10.5.51.61:500 but no connection has been authorized with policy=PSK

Regards,
Neil.



On 20 Apr 2011, at 22:43, neil payne wrote:

Hi Andreas,
No!
In fact I didn't know this was the ignition key.
Unfortunately my colleague upgraded to strongswan 4.5.2dr5 on my prompting on one of the firewalls and now ipsec won't start - I get the following messages in auth.log:

Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec)
Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started
Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: charon has died -- restart scheduled (5sec)
Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: charon refused to be started
Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec)
Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started
Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: charon has died -- restart scheduled (5sec)
Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: charon refused to be started
Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec)
Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started
Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: charon has died -- restart scheduled (5sec)
Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: charon refused to be started
Apr 20 21:32:21 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec)
Apr 20 21:32:21 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started

I fear that we didn't need this upgrade and my configs may have worked with the standard release if I'd known about this start command.
Would you recommend uninstalling this release or are the errors recoverable?
Thank you very much for your time and attention.
Regards,
Neil.


On 20 Apr 2011, at 20:43, Andreas Steffen wrote:

Hi Neil,

are you starting the connection explicitly with

ipsec up net-net

on one of the two peers?

Regards

Andreas

On 20.04.2011 19:56, neil payne wrote:
Hi Andreas, I amended my syntax on ipsec.secrets as you suggested
(maybe change crypto algos later) but I still see no ike packets
generated by the firewall on either side when I try and ping the
remote encryption domain. Is my config missing something? I don't
know how I'm going wrong here but surely it is something fundamental
missing; I cannot tell, as I've followed the available documentation
as best as I can. I'm getting desperate for a solution now.

Thanks, Neil

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==




_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
