Dear strongswan users,
I have installed a self-compiled strongSwan 5.1.1 on my Ubuntu 12.04
server. On the other side there is a Fritzbox 7360 with the newest firmware.
After some trial and error I found a configuration where the Fritzbox can
establish a LAN-LAN connection.
There is just one problem left. Directly after starting/restarting
strongSwan I can't reach the other side by ping or by an HTTP request, no
matter from which side I try, but the connection is established. In my
syslog I see messages like this as a response to every ping request from
the Fritzbox side:
Feb 2 18:54:18 h2257975 charon: 05[NET] received packet: from 85.178.xxx.xx[4500] to 85.178.xxx.xx[4500] (92 bytes)
Feb 2 18:54:18 h2257975 charon: 05[ENC] parsed INFORMATIONAL_V1 request 1027839158 [ HASH N(DPD) ]
Feb 2 18:54:18 h2257975 charon: 05[ENC] generating INFORMATIONAL_V1 request 3931842864 [ HASH N(DPD_ACK) ]
Feb 2 18:54:18 h2257975 charon: 05[NET] sending packet: from 85.178.xxx.xx[4500] to 85.178.xxx.xx[4500] (92 bytes)
Feb 2 18:55:21 h2257975 charon: 07[NET] received packet: from 85.178.xxx.xx[4500] to 85.178.xxx.xx[4500] (92 bytes)
Feb 2 18:55:21 h2257975 charon: 07[ENC] parsed INFORMATIONAL_V1 request 1680524696 [ HASH N(DPD) ]
Feb 2 18:55:21 h2257975 charon: 07[ENC] generating INFORMATIONAL_V1 request 2431241367 [ HASH N(DPD_ACK) ]
Feb 2 18:55:21 h2257975 charon: 07[NET] sending packet: from 85.178.xxx.xx[4500] to 85.178.xxx.xx[4500] (92 bytes)
Then after some time the ping starts to work and then no more messages
appear in the syslog. It took me some time to figure out what the trigger
is that makes it start working, and now I have found out: it is the
rekeying. After the first rekeying everything is fine. I have reproduced
that several times with different rekey intervals.
ipsec statusall output:
Status of IKE charon daemon (strongSwan 5.1.1, Linux 3.2.0-58-virtual, x86_64):
uptime: 13 hours, since Feb 02 19:19:36 2014
malloc: sbrk 270336, mmap 0, used 194016, free 76320
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
81.169.xxx.xx
192.168.2.1
Connections:
fritzbox: 81.169.xxx.xx...yyyyyyyy.myfritz.net IKEv1/2
fritzbox: local: [81.169.xxx.xx] uses pre-shared key authentication
fritzbox: remote: [yyyyyyyy.myfritz.net] uses pre-shared key authentication
fritzbox: child: 192.168.2.0/24 === 192.168.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
fritzbox[55]: ESTABLISHED 17 minutes ago, 81.169.xxx.xx[81.169.xxx.xx]...85.178.xxx.xx[yyyyyyyy.myfritz.net]
fritzbox[55]: IKEv1 SPIs: 70a65e9ece5a250a_i* cc1793981d9d5756_r, pre-shared key reauthentication in 29 minutes
fritzbox[55]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
fritzbox{4}: INSTALLED, TUNNEL, ESP in UDP SPIs: c7bc8bcb_i 92ba0970_o
fritzbox{4}: AES_CBC_256/HMAC_SHA1_96, 1920 bytes_i (32 pkts, 1s ago), 1920 bytes_o (32 pkts, 1s ago), rekeying in 14 minutes
fritzbox{4}: 192.168.2.0/24 === 192.168.1.0/24
The question is what I can do to make it work right from the start and not
only after the first rekeying happens.
Thank you for your help!
Klaus
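An added helper, not part of Klaus's mail and not strongSwan's own code: a small Python parser for the two outputs quoted above. It counts the IKEv1 DPD / DPD_ACK exchanges in the charon syslog lines and reads the child SA byte and packet counters from the "ipsec statusall" output, so the state described in the mail (the IKE SA answers DPD keepalives, yet the ESP child SA has carried no traffic) can be spotted from logs instead of by pinging. The sample syslog lines and the zero-counter child SA line are constructed for this example; the regex also accepts a counter line without the "(N pkts, Ts ago)" part, which is an assumption about older strongSwan output formats.

```python
import re
from collections import Counter

# Constructed syslog lines in the format quoted in the mail (addresses masked the same way).
SAMPLE_LOG = """\
Feb 2 18:54:18 h2257975 charon: 05[NET] received packet: from 85.178.xxx.xx[4500] to 85.178.xxx.xx[4500] (92 bytes)
Feb 2 18:54:18 h2257975 charon: 05[ENC] parsed INFORMATIONAL_V1 request 1027839158 [ HASH N(DPD) ]
Feb 2 18:54:18 h2257975 charon: 05[ENC] generating INFORMATIONAL_V1 request 3931842864 [ HASH N(DPD_ACK) ]
Feb 2 18:54:18 h2257975 charon: 05[NET] sending packet: from 85.178.xxx.xx[4500] to 85.178.xxx.xx[4500] (92 bytes)
Feb 2 18:55:21 h2257975 charon: 07[ENC] parsed INFORMATIONAL_V1 request 1680524696 [ HASH N(DPD) ]
Feb 2 18:55:21 h2257975 charon: 07[ENC] generating INFORMATIONAL_V1 request 2431241367 [ HASH N(DPD_ACK) ]
"""

# Constructed "ipsec statusall" child SA line for a tunnel that is INSTALLED but has
# carried no ESP traffic yet (the state before the first rekey described in the mail).
STUCK_CHILD_SA = ("fritzbox{4}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i (0 pkts, 61s ago), "
                  "0 bytes_o (0 pkts, 61s ago), rekeying in 14 minutes")

# The child SA line exactly as quoted in the mail, after traffic started flowing.
WORKING_CHILD_SA = ("fritzbox{4}: AES_CBC_256/HMAC_SHA1_96, 1920 bytes_i (32 pkts, 1s ago), "
                    "1920 bytes_o (32 pkts, 1s ago), rekeying in 14 minutes")

# IKEv1 INFORMATIONAL exchange carrying a DPD or DPD_ACK notify, as logged by charon's ENC layer.
DPD_RE = re.compile(
    r'charon: \d+\[ENC\] (?:parsed|generating) INFORMATIONAL_V1 request \d+ '
    r'\[ HASH N\((?P<notify>DPD|DPD_ACK)\) \]')

# Child SA counter line; the "(N pkts, Ts ago)" groups are optional (assumed older format).
CHILD_RE = re.compile(
    r'^(?P<conn>\w+)\{(?P<id>\d+)\}: (?P<algs>\S+), '
    r'(?P<bytes_i>\d+) bytes_i(?: \((?P<pkts_i>\d+) pkts?, (?P<age_i>\d+)s ago\))?, '
    r'(?P<bytes_o>\d+) bytes_o(?: \((?P<pkts_o>\d+) pkts?, (?P<age_o>\d+)s ago\))?'
    r'(?:, rekeying in (?P<rekey>.+))?$')


def count_dpd(log_text):
    """Count DPD requests parsed and DPD_ACKs generated in a chunk of charon syslog."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DPD_RE.search(line)
        if m:
            counts[m.group('notify')] += 1
    return counts


def parse_child_sa(line):
    """Turn one 'conn{id}: ALGS, N bytes_i ..., N bytes_o ...' line into a dict, or None."""
    m = CHILD_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        'conn': d['conn'], 'id': int(d['id']), 'algs': d['algs'],
        'bytes_i': int(d['bytes_i']), 'bytes_o': int(d['bytes_o']),
        'pkts_i': int(d['pkts_i'] or 0), 'pkts_o': int(d['pkts_o'] or 0),
        'rekey': d['rekey'],
    }


def classify(dpd_counts, child):
    """Relate IKE liveness (DPD answered) to whether the ESP child SA is moving data."""
    ike_alive = dpd_counts['DPD'] > 0 and dpd_counts['DPD_ACK'] > 0
    if child['bytes_i'] > 0 and child['bytes_o'] > 0:
        return 'passing'                 # traffic in both directions
    if child['bytes_o'] > 0 and child['bytes_i'] == 0:
        return 'outbound-only'           # we send, nothing comes back
    if child['bytes_i'] > 0 and child['bytes_o'] == 0:
        return 'inbound-only'            # peer sends, our replies never leave the tunnel
    if ike_alive:
        return 'ike-alive-no-esp'        # the situation in the mail before the first rekey
    return 'unknown'


if __name__ == '__main__':
    counts = count_dpd(SAMPLE_LOG)
    for line in (STUCK_CHILD_SA, WORKING_CHILD_SA):
        print(classify(counts, parse_child_sa(line)))
```

Run against a real system, the DPD counts would come from /var/log/syslog and the child SA line from "ipsec statusall"; an "ike-alive-no-esp" result combined with an INSTALLED child SA is the signature to look for when the tunnel is up but pings do not pass.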
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users