Does anyone know why when I try to log to a log file either in /var/log or my home folder that I get permission denied? This is what I'm seeing in syslog. I'm running "sudo ipsec start" so I thought that it would have the correct permissions to write the log file.
Thanks,
Brian

---------- Forwarded message ----------
From: Brian Watson <[email protected]>
Date: Wed, May 7, 2014 at 8:20 AM
Subject: Re: [strongSwan] Questions for getting Strongswan up and running
To: Noel Kuntze <[email protected]>

I had been using openssl, but I'll install libgmp also.

On Tue, May 6, 2014 at 5:41 PM, Noel Kuntze <[email protected]> wrote:
> Did you install libgmp already? You need that for the DH exchange. As a
> replacement, you could also use openssl, but you need to replace gmp with
> openssl in the load statement.
>
> Am 07.05.2014 00:26, schrieb Brian Watson:
> > If I do "sudo ipsec start" again it says that it's already running. I
> > then do "sudo ipsec up home" and that's when I get the NO_PROPOSAL_CHOSEN
> > error that I'm trying to debug. I'll be leaving soon, but will check for
> > syntax errors. Thanks for all your help! This is interesting.
> >
> > On Tue, May 6, 2014 at 5:13 PM, Noel Kuntze <[email protected]> wrote:
> > > Okay, that should be fairly recent. Check your strongswan.conf for
> > > syntax errors. Does strongswan run after you started it or does it stop
> > > itself?
> > >
> > > Am 07.05.2014 00:06, schrieb Brian Watson:
> > > > I do the following:
> > > >
> > > > 1. sudo ipsec start (so yes it's running as root)
> > > > 2. It says the following:
> > > >    !! Your strongswan.conf contains manual plugin load options for charon.
> > > >    !! This is recommended for experts only, see
> > > >    !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> > > > 3. The log file doesn't get created.
> > > > 4. Version - U5.1.2/K3.13.0-24-generic
> > > >
> > > > On Tue, May 6, 2014 at 4:50 PM, Noel Kuntze <[email protected]> wrote:
> > > > > Okay, as what user is strongSwan running? Is it as root?
> > > > > Does the file get created?
> > > > > What does ipsec say when you start strongSwan?
> > > > > What version of strongSwan are you using?
> > > > >
> > > > > Am 06.05.2014 23:49, schrieb Brian Watson:
> > > > > > Yes, I just checked and the extra curly brace is there even though I
> > > > > > didn't include it in the email. I also changed append=no to yes to see if
> > > > > > that would have an effect, but it didn't.
> > > > > >
> > > > > > On Tue, May 6, 2014 at 4:32 PM, Brian Watson <[email protected]> wrote:
> > > > > > > I've been trying to get the log file to work, but something
> > > > > > > isn't quite right. I have the following info in my strongswan.conf file:
> > > > > > >
> > > > > > > charon {
> > > > > > >     load = aes des sha1 sha2 md5 openssl random nonce hmac stroke kernel-netlink socket-default updown
> > > > > > >     send_vendor_id=yes
> > > > > > >     # two defined file loggers
> > > > > > >     filelog {
> > > > > > >         /var/log/charon.log {
> > > > > > >             # add a timestamp prefix
> > > > > > >             time_format = %b %e %T
> > > > > > >             # prepend connection name, simplifies grepping
> > > > > > >             ike_name = yes
> > > > > > >             # overwrite existing files
> > > > > > >             append = no
> > > > > > >             # increase default loglevel for all daemon subsystems
> > > > > > >             default = 2
> > > > > > >             # flush each line to disk
> > > > > > >             flush_line = yes
> > > > > > >         }
> > > > > > >         stderr {
> > > > > > >             # more detailed loglevel for a specific subsystem, overriding the
> > > > > > >             # default loglevel.
> > > > > > >             ike = 2
> > > > > > >             knl = 3
> > > > > > >         }
> > > > > > >     }
> > > > > > > }
> > > > > > >
> > > > > > > I'm also trying different variations like changing the name and
> > > > > > > location of the log file and I also tried to use stdout, but nothing
> > > > > > > happening. Any ideas?
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Brian
> > > > > > >
> > > > > > > On Tue, May 6, 2014 at 10:59 AM, Noel Kuntze <[email protected]> wrote:
> > > > > > > > Hello Brian,
> > > > > > > >
> > > > > > > > The two peers couldn't negotiate a shared cipher-hmac-modp 3-tuple
> > > > > > > > in phase one.
> > > > > > > > I advise setting up logging to a file [1] and looking for the cipher
> > > > > > > > proposal the two peers send each other and adjusting them with the "ike="
> > > > > > > > parameter in the connection section.
> > > > > > > > Be advised that you can not simply copy and paste the proposal in
> > > > > > > > ipsec.conf. Look for the fitting description of the tuple in the example
> > > > > > > > configurations [2].
> > > > > > > > Also, read the manpage about the "ike" parameter.
> > > > > > > >
> > > > > > > > [1] http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
> > > > > > > > [2] http://www.strongswan.org/uml/testresults/all.html
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Noel Kuntze
> > > > > > > >
> > > > > > > > Am 06.05.2014 17:47, schrieb Brian Watson:
> > > > > > > > > Hi Noel,
> > > > > > > > > Thanks for the tip! I'm making progress and updated both
> > > > > > > > > strongswan.conf files, but now I get the following error for which I'm
> > > > > > > > > investigating:
> > > > > > > > >
> > > > > > > > > initiating IKE_SA home[3] to 127.0.0.2
> > > > > > > > > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > > > > > > > > sending packet: from 127.0.0.3[500] to 127.0.0.2[500] (892 bytes)
> > > > > > > > > received packet: from 127.0.0.2[500] to 127.0.0.3[500] (36 bytes)
> > > > > > > > > parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
> > > > > > > > > received NO_PROPOSAL_CHOSEN notify error
> > > > > > > > > establishing connection 'home' failed
> > > > > > > > >
> > > > > > > > > Any ideas?
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > > Brian
> > > > > > > > >
> > > > > > > > > On Tue, May 6, 2014 at 10:11 AM, Noel Kuntze <[email protected]> wrote:
> > > > > > > > > > Hello Brian,
> > > > > > > > > >
> > > > > > > > > > Plugins in StrongSwan provide support for cryptographic
> > > > > > > > > > operations, like Diffie-Hellman key exchanges and ciphers.
> > > > > > > > > > StrongSwan itself only comes with a small number of plugins for
> > > > > > > > > > ciphers like aes or des, but not DH, which is used to negotiate the key in
> > > > > > > > > > phase one.
> > > > > > > > > > Plugins provide access to 3rd party APIs, like the ones of openssl
> > > > > > > > > > and libgmp.
> > > > > > > > > > The default proposal StrongSwan sends includes a DH exchange over
> > > > > > > > > > a modulus of 2048 bit, which is provided by either libgmp or openssl.
> > > > > > > > > > It seems you do not have libgmp installed on your box. Please
> > > > > > > > > > install it, then try again. As an alternative, you could also use openssl.
> > > > > > > > > > To use openssl instead of libgmp for cryptography, just replace
> > > > > > > > > > gmp with openssl in the load argument in strongswan.conf.
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > > Noel Kuntze
> > > > > > > > > >
> > > > > > > > > > Am 06.05.2014 16:54, schrieb Brian Watson:
> > > > > > > > > > > I also have done the following:
> > > > > > > > > > >
> > > > > > > > > > > 1. ipsec up home
> > > > > > > > > > > 2. I get the following in response
> > > > > > > > > > >    initiating IKE_SA home[1] to 127.0.0.2
> > > > > > > > > > >    configured DH group MODP_2048 not supported
> > > > > > > > > > >    tried to check-in and delete nonexisting IKE_SA
> > > > > > > > > > >    establishing connection 'home' failed
> > > > > > > > > > >
> > > > > > > > > > > Thanks!
> > > > > > > > > > > Brian
> > > > > > > > > > >
> > > > > > > > > > > On Tue, May 6, 2014 at 9:06 AM, Brian Watson <[email protected]> wrote:
> > > > > > > > > > > > I have setup strongswan with the config files on 2 virtual
> > > > > > > > > > > > boxes running Ubuntu 14.04. I have the following with the 2nd virtual
> > > > > > > > > > > > machine basically mirroring the first with the exception of the ip address
> > > > > > > > > > > > being swapped around:
> > > > > > > > > > > >
> > > > > > > > > > > > 1. I setup the config files on 2 Ubuntu virtualbox machines
> > > > > > > > > > > >
> > > > > > > > > > > > ipsec.conf
> > > > > > > > > > > > -------------------------
> > > > > > > > > > > > config setup
> > > > > > > > > > > >
> > > > > > > > > > > > conn %default
> > > > > > > > > > > >     ikelifetime=60m
> > > > > > > > > > > >     keylife=20m
> > > > > > > > > > > >     rekeymargin=3m
> > > > > > > > > > > >     keyingtries=1
> > > > > > > > > > > >     keyexchange=ikev2
> > > > > > > > > > > >     authby=secret
> > > > > > > > > > > >
> > > > > > > > > > > > conn home
> > > > > > > > > > > >     left=127.0.0.2
> > > > > > > > > > > >     leftfirewall=no
> > > > > > > > > > > >     right=127.0.0.3
> > > > > > > > > > > >     auto=add
> > > > > > > > > > > >
> > > > > > > > > > > > ipsec.secrets
> > > > > > > > > > > > ------------------------------
> > > > > > > > > > > > 127.0.0.2 : PSK <shared secret>
> > > > > > > > > > > >
> > > > > > > > > > > > strongswan.conf
> > > > > > > > > > > > -------------------------------
> > > > > > > > > > > > charon {
> > > > > > > > > > > >     load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
> > > > > > > > > > > > }
> > > > > > > > > > > >
> > > > > > > > > > > > 2. I issue "sudo ipsec start" and status commands and get
> > > > > > > > > > > > the following:
> > > > > > > > > > > >
> > > > > > > > > > > > Starting strongSwan 5.1.2 IPsec [starter]...
> > > > > > > > > > > > !! Your strongswan.conf contains manual plugin load options for charon.
> > > > > > > > > > > > !! This is recommended for experts only, see
> > > > > > > > > > > > !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> > > > > > > > > > > > brianswan3@brianswan3-VirtualBox:/etc$ sudo ipsec status
> > > > > > > > > > > > Security Associations (0 up, 0 connecting):
> > > > > > > > > > > >   none
> > > > > > > > > > > >
> > > > > > > > > > > > 3. The fact that it shows no security associations implies
> > > > > > > > > > > > to me that it didn't work. Is this true and is there something obvious that
> > > > > > > > > > > > I'm doing wrong?
> > > > > > > > > > > >
> > > > > > > > > > > > Thanks,
> > > > > > > > > > > > Brian
> > > > > > > > > > > >
> > > > > > > > > > > > _______________________________________________
> > > > > > > > > > > > Users mailing list
> > > > > > > > > > > > [email protected]
> > > > > > > > > > > > https://lists.strongswan.org/mailman/listinfo/users
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
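The thread turns on two charon failure modes: a `load` line that names a DH provider whose library is not installed (the gmp plugin without libgmp, giving "configured DH group MODP_2048 not supported"), and peers whose IKE proposals do not overlap (NO_PROPOSAL_CHOSEN). The following script is an added example written for this page; it is not strongSwan code and not something posted in the thread. It parses the `charon.load` and `filelog` sections of a strongswan.conf, compares the requested plugins with the "loaded plugins:" line charon writes at startup, and maps the two log signatures quoted above to the diagnoses Noel gave. The sample log lines are constructed from the thread's output, the exact plugin list on the constructed "loaded plugins:" line is an assumption, and the set of DH-providing plugins is limited to the two named in the thread.

```python
"""Added example: sanity checks for a strongSwan charon setup based on the
failure modes discussed in the thread.  Not part of strongSwan itself."""
import re

# Plugins that provide MODP Diffie-Hellman groups.  Only the two providers
# named in the thread are listed; this mapping is an assumption of the example.
DH_PROVIDERS = {"gmp", "openssl"}

# Failure lines quoted verbatim in the thread, mapped to the diagnosis given.
LOG_SIGNATURES = [
    (re.compile(r"configured DH group (\S+) not supported"),
     "no loaded plugin provides DH group {0}; load gmp or openssl and make "
     "sure its library (libgmp / OpenSSL) is installed"),
    (re.compile(r"received NO_PROPOSAL_CHOSEN notify error"),
     "peers share no IKE proposal; compare both sides' proposals in the log "
     "and align the ike= parameter of the connection in ipsec.conf"),
]


def parse_load(conf_text):
    """Return the plugin names listed on the charon.load line."""
    m = re.search(r"^\s*load\s*=\s*(.+)$", conf_text, re.MULTILINE)
    return set(m.group(1).split()) if m else set()


def parse_filelog_targets(conf_text):
    """Return the targets declared directly under filelog { ... }
    (a file path, or stderr / stdout), in order of appearance."""
    m = re.search(r"filelog\s*\{(.*)", conf_text, re.DOTALL)
    if not m:
        return []
    targets, depth = [], 0          # depth 0 == directly inside filelog
    for line in m.group(1).splitlines():
        stripped = line.strip()
        if stripped.endswith("{") and depth == 0:
            targets.append(stripped[:-1].strip())
        depth += stripped.count("{") - stripped.count("}")
        if depth < 0:               # closing brace of filelog itself
            break
    return targets


def loaded_plugins(log_lines):
    """Plugins charon reported at startup, or None if no such line is present."""
    for line in log_lines:
        m = re.search(r"loaded plugins: (.+)$", line)
        if m:
            return set(m.group(1).split())
    return None


def check_plugins(requested, loaded):
    """Compare what strongswan.conf asked for with what actually loaded."""
    findings = []
    if not requested & DH_PROVIDERS:
        findings.append("charon.load names no DH provider (gmp or openssl); "
                        "MODP groups such as MODP_2048 will be unsupported")
    if loaded is not None:
        missing = sorted(requested - loaded)
        if missing:
            findings.append("requested plugins that did not load: "
                            + ", ".join(missing)
                            + " (a listed plugin still needs its library, e.g. gmp needs libgmp)")
    return findings


def scan_log(log_lines):
    """Map known charon failure lines to diagnoses."""
    findings = []
    for line in log_lines:
        for pattern, diagnosis in LOG_SIGNATURES:
            m = pattern.search(line)
            if m:
                findings.append(diagnosis.format(*m.groups()))
    return findings


def diagnose(conf_text, log_lines):
    return check_plugins(parse_load(conf_text), loaded_plugins(log_lines)) + scan_log(log_lines)


# Constructed inputs modelled on the thread: the first strongswan.conf with gmp
# listed but libgmp absent, and the later one with openssl and a filelog block.
SAMPLE_CONF_GMP = """
charon {
    load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
}
"""
SAMPLE_CONF_FILELOG = """
charon {
    load = aes des sha1 sha2 md5 openssl random nonce hmac stroke kernel-netlink socket-default updown
    send_vendor_id = yes
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            ike_name = yes
            append = no
            default = 2
            flush_line = yes
        }
        stderr {
            ike = 2
            knl = 3
        }
    }
}
"""
# The "loaded plugins:" line is constructed (gmp deliberately absent from it).
SAMPLE_LOG_NO_DH = [
    "loaded plugins: charon aes des sha1 sha2 md5 random nonce hmac stroke kernel-netlink socket-default updown",
    "initiating IKE_SA home[1] to 127.0.0.2",
    "configured DH group MODP_2048 not supported",
    "tried to check-in and delete nonexisting IKE_SA",
    "establishing connection 'home' failed",
]
SAMPLE_LOG_NO_PROP = [
    "initiating IKE_SA home[3] to 127.0.0.2",
    "parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]",
    "received NO_PROPOSAL_CHOSEN notify error",
    "establishing connection 'home' failed",
]

if __name__ == "__main__":
    print("log targets:", parse_filelog_targets(SAMPLE_CONF_FILELOG))
    for conf, log in ((SAMPLE_CONF_GMP, SAMPLE_LOG_NO_DH), (SAMPLE_CONF_FILELOG, SAMPLE_LOG_NO_PROP)):
        for finding in diagnose(conf, log):
            print("-", finding)
```

Run it against a real strongswan.conf and the charon log (or the output of `ipsec up`) by reading those files into `diagnose`; the point of the plugin comparison is that a plugin named on the `load` line is not evidence it loaded, which is exactly what happened with gmp in the first configuration above.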
