Re: [strongSwan] no ike packets being generated

[neil payne]

Hi, The ipsec up command doesn't seem to work with ike v2 so i've reverted to ike v1. when i use ipsec up on the AWS host the packets don't reach 50.56.121.20. If I instead use ipsec up from the 50.56.121.20 host, the packets do reach the AWS firewall but the following message is logged: May  9 13:04:23 ip-10-5-51-242 pluto[29702]: packet from 50.56.121.20:500: initial Main Mode message received on 10.5.51.242:500 but no connection has been authorized with policy=PS K what does this mean? Our config files are attached

{\rtf1\ansi\ansicpg1252\cocoartf1038\cocoasubrtf350
{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
{\colortbl;\red255\green255\blue255;}
\paperw11900\paperh16840\margl1440\margr1440\vieww9000\viewh8400\viewkind0
\pard\tx566\tx1133\tx1700\tx2267\tx2834\tx3401\tx3968\tx4535\tx5102\tx5669\tx6236\tx6803\ql\qnatural\pardirnatural

\f0\fs24 \cf0 # /etc/ipsec.secrets - strongSwan IPsec:q!\
@ip-10-5-51-242 %any : PSK "Rel1439@RCM#123"}

{\rtf1\ansi\ansicpg1252\cocoartf1038\cocoasubrtf350
{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
{\colortbl;\red255\green255\blue255;}
\paperw11900\paperh16840\margl1440\margr1440\vieww9000\viewh8400\viewkind0
\pard\tx566\tx1133\tx1700\tx2267\tx2834\tx3401\tx3968\tx4535\tx5102\tx5669\tx6236\tx6803\ql\qnatural\pardirnatural

\f0\fs24 \cf0    # /etc/ipsec.conf - strongSwan IPsec configuration file\
\
config setup\
        plutodebug=all\
        charonstart=no\
        nat_traversal=yes\
\
conn %default\
        ikelifetime=1440m\
        keylife=1m\
        rekeymargin=3m\
        keyingtries=1\
        keyexchange=ikev1\
        authby=secret\
        pfs=no\
\
\
conn net-net\
        ike=3des-md5-modp1024,3des-md5-modp1024\
        esp=3des-md5,3des-md5\
        leftid=@ip-10-5-51-242\
        leftsourceip=10.5.51.61\
        left=46.51.193.228\
        leftsubnet=10.5.0.0/16\
        leftfirewall=yes\
        right=50.56.121.20\
        rightsubnet=10.181.32.0/19\
        rightid=@TestNP\
        auto=add\
ubuntu@ip-10-5-51-61:~$ \
\
\
!!!!!!!!!! ipsec.secrets follows!!!!!!!!\
\
# /etc/ipsec.secrets - strongSwan IPsec:q!\
46.51.193.145 %any : PSK "Rel1439@RCM#123"}

{\rtf1\ansi\ansicpg1252\cocoartf1038\cocoasubrtf350
{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
{\colortbl;\red255\green255\blue255;}
\paperw11900\paperh16840\margl1440\margr1440\vieww9000\viewh8400\viewkind0
\pard\tx566\tx1133\tx1700\tx2267\tx2834\tx3401\tx3968\tx4535\tx5102\tx5669\tx6236\tx6803\ql\qnatural\pardirnatural

\f0\fs24 \cf0 # /etc/ipsec.secrets - strongSwan IPsec:q!\
@TestNP %any : PSK "Rel1439@RCM#123"}

{\rtf1\ansi\ansicpg1252\cocoartf1038\cocoasubrtf350
{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
{\colortbl;\red255\green255\blue255;}
\paperw11900\paperh16840\margl1440\margr1440\vieww9000\viewh8400\viewkind0
\pard\tx566\tx1133\tx1700\tx2267\tx2834\tx3401\tx3968\tx4535\tx5102\tx5669\tx6236\tx6803\ql\qnatural\pardirnatural

\f0\fs24 \cf0 # /etc/ipsec.conf - strongSwan IPsec configuration file\
\
config setup\
        plutodebug=all\
        charonstart=no\
        nat_traversal=yes\
\
conn %default\
        ikelifetime=1440m\
        keylife=1m\
        rekeymargin=3m\
        keyingtries=1\
        keyexchange=ikev1\
        authby=secret\
        pfs=no\
\
\
conn net-net\
        ike=3des-md5-modp1024,3des-md5-modp1024\
        esp=3des-md5,3des-md5\
        leftid=@TestNP\
        left=50.56.121.20\
        leftsubnet=10.181.32.0/19\
        leftfirewall=yes\
        leftsourceip=10.181.52.82\
        right=46.51.193.228\
        rightsubnet=10.5.0.0/16\
        rightid=@ip-10-5-51-242\
        auto=add}

On 28 Apr 2011, at 14:06, neil payne wrote: Andreas,  We built a 'vanilla' new build linux AWS instance and loaded v4.3.2 fresh. Unfortunately when I try to bring up the connection with the command ipsec up net-net I see the following entry in the logs: Apr 28 12:58:16 ip-10-5-51-242 pluto[2167]: "net-net": we have no ipsecN interface for either end of this connection There is only one physical interface as it is an AWS instance. We tried binding the elastic ip to the dummy0 interface in order to leverage the cloud infrastructure to no avail, and while strongswan finds the interface and ip on starting it appears it wont try to encapsulate the traffic when we bring up the connection - is the above error terminal for this scenario? Regards, Neil. On 26 Apr 2011, at 15:40, neil payne wrote: Hi Andreas, We reverted to v4.3.2 but the 'up'  command still doesn't recognize the net-net connection: ubuntu@ip-10-5-51-61:~$ sudo ipsec --version sudo: unable to resolve host ip-10-5-51-61 Linux strongSwan U4.3.2/K2.6.32-312-ec2 Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil, Switzerland See 'ipsec --copyright' for copyright information. ubuntu@ip-10-5-51-61:~$  ubuntu@ip-10-5-51-61:~$  ubuntu@ip-10-5-51-61:~$  ubuntu@ip-10-5-51-61:~$ sudo ipsec up net-net sudo: unable to resolve host ip-10-5-51-61 021 no connection named "net-net" ubuntu@ip-10-5-51-61:~$  ubuntu@ip-10-5-51-61:~$  ubuntu@ip-10-5-51-61:~$  ubuntu@ip-10-5-51-61:~$ sudo ipsec statusall  !!!!!!!!! this has the appearance of the later version's statusall output rather than v4.3.2 !!!!!!!! sudo: unable to resolve host ip-10-5-51-61 000 Status of IKEv1 pluto daemon (strongSwan 4.3.2): 000 interface lo/lo ::1:500 000 interface lo/lo 127.0.0.1:500 000 interface eth0/eth0 10.5.51.61:500 000 interface dummy0/dummy0 46.51.193.145:500 000 %myid = (none) 000 loaded plugins: aes des sha1 sha2 md5 random pubkey hmac gmp  000 debug options: none 000  Status of IKEv2 charon daemon (strongSwan 4.3.2):   uptime: 4 minutes, since Apr 26 14:28:12 2011   worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0   loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink stroke updown attr resolv-conf  Listening IP addresses:   10.5.51.61   46.51.193.145 Connections: Security Associations:   none <leftfirewall2-ipsec.conf.rtf> On 21 Apr 2011, at 13:25, neil payne wrote: Hi Andreas,  We're now running version 4.5.1 on the leftfirewall (downgraded from the one below). We are using the same config files as the ones I sent last night but on the left firewall it doesn't recognize the net-net connection: ubuntu@ip-10-5-51-61:/etc$ sudo ipsec --version sudo: unable to resolve host ip-10-5-51-61 Linux strongSwan U4.5.1/K2.6.32-312-ec2 Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil, Switzerland See 'ipsec --copyright' for copyright information. ubuntu@ip-10-5-51-61:/etc$  ubuntu@ip-10-5-51-61:/etc$  ubuntu@ip-10-5-51-61:/etc$  ubuntu@ip-10-5-51-61:/etc$  ubuntu@ip-10-5-51-61:/etc$ sudo ipsec up net-net sudo: unable to resolve host ip-10-5-51-61 021 no connection named "net-net" ubuntu@ip-10-5-51-61:/etc$  If I use ipsec up net-net on the rightfirewall running 4.3.2 it does generate IKE packets which reach the leftfirewall but the left firewall doesn't recognize it and  logs: Apr 21 12:10:15 ip-10-5-51-61 pluto[16057]: packet from 50.56.121.20:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Apr 21 12:10:15 ip-10-5-51-61 pluto[16057]: packet from 50.56.121.20:500: initial Main Mode message received on 10.5.51.61:500 but no connection has been authorized with policy=PSK Regards, Neil. On 20 Apr 2011, at 22:43, neil payne wrote: Hi Andreas, No! In fact I didn't know this was the ignition key. Unfortunately my colleague upgraded to strongswan 4.5.2dr5 on my prompting on one of the firewalls and now ipsec wont start - i get the following messages in auth.log: Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec) Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: charon has died -- restart scheduled (5sec) Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: charon refused to be started Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec) Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: charon has died -- restart scheduled (5sec) Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: charon refused to be started Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec) Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: charon has died -- restart scheduled (5sec) Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: charon refused to be started Apr 20 21:32:21 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec) Apr 20 21:32:21 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started I fear that we didn't need this upgrade and my configs may have worked with the standard release if I'd known about this start command. Would you recommend uninstalling this release or are the errors recoverable? Thank you very much for your time and attention. Regards, Neil. On 20 Apr 2011, at 20:43, Andreas Steffen wrote: Hi Neil, are you starting the connection explicitly with ipsec up net-net on one of the two peers? Regards Andreas On 20.04.2011 19:56, neil payne wrote: Hi Andreas, I amended my syntax on ipsec.secrets as you suggested (may be change crypto algos later) but i still see no ike packets generated by the firewall on either side when i try and ping the remote encryption domain. Is my config missing something, i don't know how i'm going wrong here but surely it is something fundamental missing, I cannot tell as I've followed the available documentation as best as I can? I'm getting desperate for a solution now. Thanks, Neil ====================================================================== Andreas Steffen                         andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!                www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users