Hello,

The complete configuration of both hosts is as follows:

root@bt:/etc/ipsec.d# ipsec --version
Linux strongSwan U4.3.2/K2.6.38

conn karmaIKE2
        left=%defaultroute
        leftsubnet=10.0.2.0/24
        leftcert=lnvo.hostCert.pem
        right=192.168.4.10
        rightsubnet=192.168.4.0/24
        rightcert=peercerts/karmaY2034.hostCert.pem
        rightid=@karma.mynet.com
        keyexchange=ikev2
        mobike=yes
        auto=add

[root@karma strongswan]# strongswan --version
Linux strongSwan U5.1.1/K2.6.18-308.16.1.el5PAE

conn %default
        left=%defaultroute
        leftcert=karmaY2034.hostCert.pem

conn karmaIKE2
        right=%any
        rightcert=peercerts/lnvo.hostCert.pem
        rightsubnet=10.0.2.0/24
        leftcert=karmaY2034.hostCert.pem
        leftid=@karma.mynet.com
        leftsubnet=192.168.4.0/24
        leftfirewall=yes
        keyexchange=ikev2
        mobike=yes
        auto=add

[root@karma strongswan]# cat /var/log/messages |grep "Dec 29 22:23"
Dec 29 22:23:18 karma charon: 08[NET] received packet: from 192.168.4.87[52704] to 192.168.4.10[500] (700 bytes)
Dec 29 22:23:18 karma charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Dec 29 22:23:18 karma charon: 08[IKE] 192.168.4.87 is initiating an IKE_SA
Dec 29 22:23:19 karma charon: 08[IKE] remote host is behind NAT
Dec 29 22:23:19 karma charon: 08[IKE] sending cert request for "STR4.3CA"
Dec 29 22:23:19 karma charon: 08[IKE] sending cert request for "STR5.1CA"
Dec 29 22:23:19 karma charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Dec 29 22:23:19 karma charon: 08[NET] sending packet: from 192.168.4.10[500] to 192.168.4.87[52704] (485 bytes)
Dec 29 22:23:19 karma charon: 11[NET] received packet: from 192.168.4.87[62698] to 192.168.4.10[4500] (1500 bytes)
Dec 29 22:23:19 karma charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
Dec 29 22:23:19 karma charon: 11[IKE] received cert request for "STR4.3CA"
Dec 29 22:23:19 karma charon: 11[IKE] received end entity cert "STR4.3host.cert"
Dec 29 22:23:19 karma charon: 11[CFG] looking for peer configs matching 192.168.4.10[karma.mynet.com]...192.168.4.87[STR4.3host.cert]
Dec 29 22:23:19 karma charon: 11[CFG] selected peer config 'karmaIKE2'
Dec 29 22:23:19 karma charon: 11[CFG] using trusted ca certificate "STR4.3CA"
Dec 29 22:23:19 karma charon: 11[CFG] checking certificate status of "STR4.3host.cert"
Dec 29 22:23:19 karma charon: 11[CFG] certificate status is not available
Dec 29 22:23:19 karma charon: 11[CFG] reached self-signed root ca with a path length of 0
Dec 29 22:23:19 karma charon: 11[CFG] using trusted certificate "STR4.3host.cert"
Dec 29 22:23:19 karma charon: 11[IKE] authentication of 'STR4.3host.cert' with RSA signature successful
Dec 29 22:23:19 karma charon: 11[IKE] peer supports MOBIKE
Dec 29 22:23:19 karma charon: 11[IKE] authentication of 'karma.mynet.com' (myself) with RSA signature successful
Dec 29 22:23:19 karma charon: 11[IKE] IKE_SA karmaIKE2[5] established between 192.168.4.10[karma.mynet.com]...192.168.4.87[STR4.3host.cert]
Dec 29 22:23:19 karma charon: 11[IKE] scheduling reauthentication in 10015s
Dec 29 22:23:19 karma charon: 11[IKE] maximum IKE_SA lifetime 10555s
Dec 29 22:23:19 karma charon: 11[IKE] sending end entity cert "STR5.1host.cert"
Dec 29 22:23:19 karma charon: 11[IKE] CHILD_SA karmaIKE2{4} established with SPIs c5cace09_i cbf41872_o and TS 192.168.4.0/24 === 10.0.2.0/24
Dec 29 22:23:19 karma vpn: + STR4.3host.cert 10.0.2.0/24 == 192.168.4.87 -- 192.168.4.10 == 192.168.4.0/24
Dec 29 22:23:19 karma charon: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Dec 29 22:23:19 karma charon: 11[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[62698] (1612 bytes)
Dec 29 22:23:23 karma charon: 12[NET] received packet: from 192.168.4.87[62698] to 192.168.4.10[4500] (1500 bytes)
Dec 29 22:23:23 karma charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
Dec 29 22:23:23 karma charon: 12[IKE] received retransmit of request with ID 1, retransmitting response
Dec 29 22:23:23 karma charon: 12[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[62698] (1612 bytes)
Dec 29 22:23:30 karma charon: 09[NET] received packet: from 192.168.4.87[62698] to 192.168.4.10[4500] (1500 bytes)
Dec 29 22:23:30 karma charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
Dec 29 22:23:30 karma charon: 09[IKE] received retransmit of request with ID 1, retransmitting response
Dec 29 22:23:30 karma charon: 09[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[62698] (1612 bytes)
Dec 29 22:23:40 karma named[2671]: lame server resolving '62.1.119.225.dsl.dyn.forthnet.gr' (in 'dyn.forthnet.gr'?): 2001:648:2c30::191:3#53
Dec 29 22:23:43 karma charon: 13[NET] received packet: from 192.168.4.87[62698] to 192.168.4.10[4500] (1500 bytes)
Dec 29 22:23:43 karma charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
Dec 29 22:23:43 karma charon: 13[IKE] received retransmit of request with ID 1, retransmitting response
Dec 29 22:23:43 karma charon: 13[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[62698] (1612 bytes)
Dec 29 22:23:52 karma charon: 07[CFG] received stroke: terminate 'karmaIKE2'
Dec 29 22:23:52 karma charon: 08[IKE] deleting IKE_SA karmaIKE2[5] between 192.168.4.10[karma.mynet.com]...192.168.4.87[STR4.3host.cert]
Dec 29 22:23:52 karma charon: 08[IKE] sending DELETE for IKE_SA karmaIKE2[5]
Dec 29 22:23:52 karma charon: 08[ENC] generating INFORMATIONAL request 0 [ D ]
Dec 29 22:23:52 karma charon: 08[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[62698] (76 bytes)
Dec 29 22:23:52 karma charon: 11[NET] received packet: from 192.168.4.87[62698] to 192.168.4.10[4500] (76 bytes)
Dec 29 22:23:52 karma charon: 11[ENC] parsed INFORMATIONAL response 0 [ ]
Dec 29 22:23:52 karma charon: 11[IKE] IKE_SA deleted
Dec 29 22:23:52 karma vpn: - STR4.3host.cert 10.0.2.0/24 == 192.168.4.87 -- 192.168.4.10 == 192.168.4.0/24
Dec 29 22:23:52 karma charon: 10[CFG] received stroke: unroute 'karmaIKE2'
[root@karma strongswan]#

Do you see any particular culprits?

Thanks,
Serge

> ----- Original Message -----
> From: Noel Kuntze
> Sent: 12/29/13 11:25 PM
> To: s s, users@lists.strongswan.org
> Subject: Re: [strongSwan] strongswan-5.1.1 with 4.xx, tunnel pb
>
> Hello,
>
> What is the configuration of the other side and what is in the log of the
> other side?
>
> If configured properly, strongSwan 4.x and strongSwan 5.x are compatible with
> each other.
>
> Regards
> Noel Kuntze
>
> On 29.12.2013 22:43, s s wrote:
> > Hello,
> >
> > I am having a persistent problem of being unable to establish a tunnel
> > between two strongswan hosts
> >
> > root@bt:/etc/ipsec.d# ipsec up karmaIKE2
> > initiating IKE_SA karmaIKE2[3] to 192.168.4.10
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from 10.0.2.15[500] to 192.168.4.10[500]
> > received packet: from 192.168.4.10[500] to 10.0.2.15[500]
> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ
> > N(MULT_AUTH) ]
> > local host is behind NAT, sending keep alives
> > received cert request for "STR4.3CA"
> > received cert request for unknown ca with keyid
> > b0:31:27:8b:2e:4b:cd:53:6d:c4:a7:fb:e9:56:1b:9f:34:cc:71:a7
> > sending cert request for "STR4.3CA"
> > authentication of 'STR4.3host.cert' (myself) with RSA signature successful
> > sending end entity cert "STR4.3host.cert"
> > establishing CHILD_SA karmaIKE2
> > generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr
> > N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> > sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
> > retransmit 1 of request with message ID 1
> > sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
> > retransmit 2 of request with message ID 1
> > sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
> >
> >
> > The status is stuck on "CONNECTING", which never happens:
> >
> > root@bt:/etc/ipsec.d# ipsec statusall
> >
> > karmaIKE2: 10.0.2.15...192.168.4.10
> > karmaIKE2: local: [STR4.3host.cert] uses public key authentication
> > karmaIKE2: cert: "STR4.3host.cert"
> > karmaIKE2: remote: [karma.ucp-is.com] uses any authentication
> > karmaIKE2: cert: "KRM5.1host.cert"
> > karmaIKE2: child: 10.0.2.0/24 === 192.168.4.0/24
> > Security Associations:
> > karmaIKE2[15]: CONNECTING,
> > 10.0.2.15[STR4.3host.cert]...192.168.4.10[KRM5.1host.cert]
> > karmaIKE2[15]: IKE SPIs: 6d2c0e380935a207_i* 518160338263e01f_r
> >
> > After 5 rekeying attempts, it stops.
> >
> > Dec 29 22:23:27 bt charon: 07[ENC] generating IKE_AUTH request 1 [ IDi CERT
> > CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> > Dec 29 22:23:27 bt charon: 07[NET] sending packet: from 10.0.2.15[4500] to
> > 192.168.4.10[4500]
> >
> > ==> /var/log/syslog <==
> > Dec 29 22:23:31 bt charon: 09[IKE] retransmit 1 of request with message ID 1
> > Dec 29 22:23:31 bt charon: 09[NET] sending packet: from 10.0.2.15[4500] to
> > 192.168.4.10[4500]
> >
> > ==> /var/log/daemon.log <==
> > Dec 29 22:23:31 bt charon: 09[IKE] retransmit 1 of request with message ID 1
> > Dec 29 22:23:31 bt charon: 09[NET] sending packet: from 10.0.2.15[4500] to
> > 192.168.4.10[4500]
> >
> > ==> /var/log/syslog <==
> > Dec 29 22:23:38 bt charon: 15[IKE] retransmit 2 of request with message ID 1
> > Dec 29 22:23:38 bt charon: 15[NET] sending packet: from 10.0.2.15[4500] to
> > 192.168.4.10[4500]
> >
> >
> > The policy for the channel does set up, but nothing works
> >
> > [root@karma strongswan]# ip xfrm policy
> > src 10.0.2.0/24 dst 192.168.4.0/24
> > dir in priority 1859
> > tmpl src 192.168.4.87 dst 192.168.4.10
> > proto esp reqid 4 mode tunnel
> > src 192.168.4.0/24 dst 10.0.2.0/24
> > dir out priority 1859
> > tmpl src 192.168.4.10 dst 192.168.4.87
> > proto esp reqid 4 mode tunnel
> > src 10.0.2.0/24 dst 192.168.4.0/24
> > dir fwd priority 1859
> > tmpl src 192.168.4.87 dst 192.168.4.10
> > proto esp reqid 4 mode tunnel
> >
> >
> > Any hint how to fix it would be highly appreciated,
> > Regards,
> > Serge
> >
> >
> > Is the 4.xx branch compatible with the 5.x one?
> > I am unable to establish a tunnel in between 2 strongswan hosts one running
> > the strongSwan U4.3.2/K2.6.38
> > and the second strongSwan U5.1.1/K2.6.18-308.16.1.el5PAE
> >
> > The configuration is more than classical: net-net
> >
> >
> > conn karmaIKE2
> >         left=%defaultroute
> >         leftsubnet=10.0.2.0/24
> >         leftcert=lnvo.hostCert.pem
> >         right=192.168.4.10
> >         rightsubnet=192.168.4.0/24
> >         rightcert=peercerts/karmaY2034.hostCert.pem
> >         keyexchange=ikev2
> >         mobike=yes
> >         auto=add
> >
> >
> > root@bt:/etc/ipsec.d# ipsec up karmaIKE2
> > initiating IKE_SA karmaIKE2[1] to 192.168.4.10
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from 10.0.2.15[500] to 192.168.4.10[500]
> > received packet: from 192.168.4.10[500] to 10.0.2.15[500]
> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ
> > N(MULT_AUTH) ]
> > local host is behind NAT, sending keep alives
> > received cert request for "STR4.3CA"
> > received cert request for unknown ca with keyid
> > b0:31:27:8b:2e:4b:cd:53:6d:c4:a7:fb:e9:56:1b:9f:34:cc:71:a7
> > sending cert request for "STR4.3CA"
> > authentication of 'STR4.3host.cert' (myself) with RSA signature successful
> > sending end entity cert "STR4.3host.cert"
> > establishing CHILD_SA karmaIKE2
> > generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr
> > N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> > sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
> > retransmit 1 of request with message ID 1
> > sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
> >
> >
> > But the tunnel
> >
> > root@bt:/etc/ipsec.d# ipsec statusall
> > 000 Status of IKEv1 pluto daemon (strongSwan 4.3.2):
> > 000 interface lo/lo ::1:500
> > 000 interface lo/lo 127.0.0.1:500
> > 000 interface eth0/eth0 10.0.2.15:500
> > 000 %myid = (none)
> > 000 loaded plugins: curl ldap random pubkey openssl hmac gmp
> > 000 debug options: none
> > 000
> > Status of IKEv2 charon daemon (strongSwan 4.3.2):
> > uptime: 7 minutes, since Dec 23 10:27:59 2013
> > worker threads: 9 idle of 16, job queue load: 0, scheduled events: 1
> > loaded plugins: curl ldap random x509 pubkey openssl xcbc hmac agent gmp
> > kernel-netlink stroke updown eapidentity eapmd5 eapgtc eapaka eapmschapv2
> > Listening IP addresses:
> > 10.0.2.15
> > Connections:
> > karmaIKE2: 10.0.2.15...192.168.4.10
> > karmaIKE2: local: [STR4.3host.cert] uses public key authentication
> > karmaIKE2: cert: "STR4.3host.cert"
> > karmaIKE2: remote: [STR5.1host.cert] uses any authentication
> > karmaIKE2: cert: STR5.1host.cert"
> > karmaIKE2: child: 10.0.2.0/24 === 0.0.0.0/0
> > Security Associations:
> > karmaIKE2[1]: CREATED,
> > 10.0.2.15[STR4.3host.cert]...192.168.4.10[STR5.1host.cert]
> > karmaIKE2[1]: IKE SPIs: 3483591a1d20afaf_i* 0000000000000000_r
> > karmaIKE2[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> >
> > The logs show
> > Dec 23 10:32:01 bt charon: 16[IKE] establishing CHILD_SA karmaIKE2
> > Dec 23 10:32:01 bt charon: 16[ENC] generating IKE_AUTH request 1 [ IDi CERT
> > CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> > Dec 23 10:32:01 bt charon: 16[NET] sending packet: from 10.0.2.15[4500] to
> > 192.168.4.10[4500]
> >
> > But this child tunnel could not be set up.
> > Which results in the inability to reach the hosts and the networks
> > behind them.
> >
> >
> > I am still running the routing problem between the same two strongSwan
> > U5.1.1/K2.6.18-308.16.1.el5PAE hosts, one of them being behind the NATed
> > gateway and unable to reach it through the tunnel, which apparently doesn't
> > route the packets.
> >
> > Any help would be much appreciated.
> > Rgds,
> > Serge
> >
> >
> > ----
> >
> > Is standard Centos 5.x kernel 2.6.18-308.16.1.el5PAE compatible at all with
> > [root@ ~]# strongswan version
> > Linux strongSwan U5.1.1/K2.6.18-308.16.1.el5PAE
> >
> > We are unable to fix the routing problem. When the remote host is behind
> > the NAT'ed provider's server, it can not be reached at all:
> >
> >
> > msc-hmnet{12}: 192.168.4.0/24 === 192.168.3.0/24
> > [root@karma ~]# ping 192.168.3.56
> > PING 192.168.3.56 (192.168.3.56) 56(84) bytes of data.
> >
> > --- 192.168.3.56 ping statistics ---
> > 2 packets transmitted, 0 received, 100% packet loss, time 999ms
> >
> >
> > ----
> >>> But out of the 2 tunnels only 1 is reachable. The other one doesn't ping.
> >> Does that tunnel work if you don't establish the other one?
> > No, it doesn't.
> > Besides, once the 192.168.3.0/24 host is behind the NAT'ed gateway, neither
> > of the tunnels work.
> >
> >> Also, I'd try to disable IPComp for testing. There seems to be an issue
> >> with IPcomp on some kernels in some scenarios.
> > What is IPComp and how to disable it?
> >
> > We use a standard Centos 5.x kernel
> > 2.6.18-308.16.1.el5PAE #1 SMP Tue Oct 2 22:49:17 EDT 2012 i686 i686 i386
> > GNU/Linux
> >
> > Could anyone help to troubleshoot the problem and resolve the issue?
> >
> > Rgds,
> > Serge
> >
> > _______________________________________________
> > Users mailing list
> > Users@lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
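One way to read the responder log above mechanically, as an added Python example that is not from the thread or from strongSwan: it counts, per peer, how often charon logged a retransmitted request and records the largest IKE message sent back, flagging peers whose reply would not fit the assumed 1500-byte path MTU once an assumed 28 bytes of IPv4/UDP headers are added. The log excerpt is a constructed copy of a few lines from the karma log.

```python
import re

# Constructed excerpt of the responder-side charon log quoted in the thread
# (the karma host, strongSwan 5.1.1); only the IKE_AUTH exchange is kept.
RESPONDER_LOG = """\
Dec 29 22:23:19 karma charon: 11[NET] received packet: from 192.168.4.87[62698] to 192.168.4.10[4500] (1500 bytes)
Dec 29 22:23:19 karma charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
Dec 29 22:23:19 karma charon: 11[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[62698] (1612 bytes)
Dec 29 22:23:23 karma charon: 12[IKE] received retransmit of request with ID 1, retransmitting response
Dec 29 22:23:23 karma charon: 12[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[62698] (1612 bytes)
Dec 29 22:23:30 karma charon: 09[IKE] received retransmit of request with ID 1, retransmitting response
Dec 29 22:23:30 karma charon: 09[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[62698] (1612 bytes)
Dec 29 22:23:52 karma charon: 08[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[62698] (76 bytes)
"""

SEND_RE = re.compile(r"\[NET\] sending packet: from \S+ to (\S+?)\[\d+\] \((\d+) bytes\)")
RETRANS_RE = re.compile(r"received retransmit of request with ID (\d+)")

# Assumed path MTU and IPv4 + UDP header overhead (20 + 8 bytes); charon
# logs the IKE message size, not the size of the packet on the wire.
PATH_MTU = 1500
IP_UDP_OVERHEAD = 28


def analyse(log, mtu=PATH_MTU):
    """Per peer: retransmits seen and the largest IKE message we answered with."""
    stats = {}
    pending = 0  # retransmit notices seen since the last packet we sent
    for line in log.splitlines():
        if RETRANS_RE.search(line):
            pending += 1
            continue
        m = SEND_RE.search(line)
        if not m:
            continue
        peer, size = m.group(1), int(m.group(2))
        s = stats.setdefault(peer, {"retransmits": 0, "max_bytes": 0})
        s["retransmits"] += pending  # attribute the notices to this peer
        pending = 0
        s["max_bytes"] = max(s["max_bytes"], size)
        # A reply larger than the MTU only arrives if IP fragments pass the NAT.
        s["oversized"] = s["max_bytes"] + IP_UDP_OVERHEAD > mtu
    return stats


def suspects(stats):
    """Peers that keep retransmitting while our reply exceeds the MTU."""
    return sorted(p for p, s in stats.items() if s["retransmits"] and s["oversized"])


if __name__ == "__main__":
    result = analyse(RESPONDER_LOG)
    print(result, "suspects:", suspects(result))
```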