Hi Michael,

with auto=add as you configured strongSwan the start up sequence is

  ipsec start
  ipsec up here

If you change the setting in ipsec.conf to auto=start then
ipsec start will cause pluto to automatically negotiate the
"here" connection and with auto=route ipsec start will install a
trap in the kernel and the first IP payload packet in direction
to rightsubnet=192.168.1.0/24 will trigger the IKE negotiation.

Regards

Andreas

On 02/05/2013 10:45 PM, [email protected] wrote:
>
> Hello list,
>
> My goal is building an IPv4 IPSec tunnel using IKEv1.
>
> Ubuntu 12.10 GNU/Linux AMD64
> Strongswan 4.5.2
>
> /etc/strongswan.conf:
> pluto {
>     load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
> }
>
> libstrongswan {
>     dh_exponent_ansi_x9_42 = no
> }
>
> /etc/ipsec.conf:
> config setup
>     plutodebug=all
>     charonstart=no
>     plutostart=yes
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev1
>     authby=secret
>
> conn here
>     left=192.168.0.22
>     right=12.34.56.78
>     rightsubnet=192.168.1.0/24
>     auto=add
>
> /etc/ipsec.secrets:
> 12.34.56.78 : PSK "0000111122223333"
>
> It would seem that the above config should suffice to at least send
> UDP packets to host 12.34.56.78 ports 500 or 4500, but...
>
> 192.168.0.22# /etc/init.d/ipsec start
>
> 192.168.0.22# ps aux | grep pluto
> root 3662 ... 18:08 /usr/lib/ipsec/pluto --nofork --uniqueids --debug-all
>
> 192.168.0.22# /usr/lib/ipsec/whack --status
> 000 "here":
> 192.168.0.22[192.168.0.22]...12.34.56.78[12.34.56.78]===192.168.1.0/24;
> unrouted; eroute owner; #0
> 000 "here": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
>
> ...when I run tcpdump(1) and socat(1) to test, it's clear that pluto
> is not sending anything at all.
>
> 12.34.56.78# socat UDP4-LISTEN:500,bind=12.34.56.77 -
> 12.34.56.78# socat UDP4-LISTEN:4500,bind=12.34.56.77 -
> (nothing...)
>
> 12.34.56.78# tcpdump -i eth0 port 500 or port 4500
> 192.168.0.22# tcpdump -i eth0 port 500 or port 4500
> (nothing...)
>
> Even after logging plutodebug=all I see no errors in /var/log/auth.log.
> What do I need to change to make pluto(8) send IKE UDP datagrams?
>
> Thanks,
> Michael

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
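Added example, not part of the original thread and not strongSwan code: a small check that reads ipsec.conf text, merges `conn %default` into each connection, and reports what `ipsec start` does for each one based on `auto=`, so a connection that only gets loaded (as in the question above) is flagged before anyone reaches for tcpdump. The function names and the `here-route` / `here-start` connections are hypothetical; `also=` includes are not handled.

```python
# Added example (not strongSwan code): what `ipsec start` does per conn.
# add/start/route as described in the reply; "ignore" is the ipsec.conf default.
BEHAVIOUR = {
    "ignore": "not loaded; nothing happens",
    "add": "loaded only; run 'ipsec up <conn>' to initiate IKE",
    "route": "kernel trap installed; first matching packet triggers IKE",
    "start": "IKE negotiation initiated automatically",
}

def parse_conns(text):
    """Return {conn_name: {key: value}} with conn %default merged in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # '#' starts a comment
        if not line.strip():
            continue
        if not raw[0].isspace():               # unindented line opens a section
            kind, _, name = line.partition(" ")
            is_conn = kind == "conn" and name.strip()
            current = sections.setdefault(name.strip(), {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}

def startup_report(text):
    """Map each conn to (auto value, what happens at `ipsec start`)."""
    report = {}
    for name, opts in parse_conns(text).items():
        auto = opts.get("auto", "ignore")
        report[name] = (auto, BEHAVIOUR.get(auto, "unrecognised auto= value"))
    return report

def needs_manual_up(text):
    """Conns that stay silent until someone runs `ipsec up <conn>`."""
    return sorted(n for n, (a, _) in startup_report(text).items() if a == "add")

# Constructed sample: "here" adapted from the post, the other two are variants.
SAMPLE = """\
conn %default
    auto=add
conn here
    rightsubnet=192.168.1.0/24
conn here-route
    auto=route
conn here-start
    auto=start
"""
```

Calling `needs_manual_up()` on the contents of `/etc/ipsec.conf` lists the connections that will send no IKE packets until `ipsec up` is run for them.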
