I got the log file problem resolved. I had to add an apparmor-utils package and its dependencies since I saw in /var/log/syslog that apparmor="DENIED" was being seen when trying to write the log and I wanted to use the aa-complain cmd to get around the error. I then did "sudo aa-complain /usr/lib/ipsec/charon". It could be that this wasn't necessary and that I was just missing some packages.
On Wed, May 7, 2014 at 10:42 AM, Brian Watson <[email protected]> wrote:
> Does anyone know why when I try to log to a log file either in /var/log or
> my home folder that I get permission denied? This is what I'm seeing in
> syslog. I'm running "sudo ipsec start" so I thought that it would have the
> correct permissions to write the log file.
>
> Thanks,
> Brian
>
> ---------- Forwarded message ----------
> From: Brian Watson <[email protected]>
> Date: Wed, May 7, 2014 at 8:20 AM
> Subject: Re: [strongSwan] Questions for getting Strongswan up and running
> To: Noel Kuntze <[email protected]>
>
> I had been using openssl, but I'll install libgmp also.
>
> On Tue, May 6, 2014 at 5:41 PM, Noel Kuntze <[email protected]> wrote:
>> Did you install libgmp already? You need that for the DH exchange. As a
>> replacement, you could also use openssl, but you need to replace gmp with
>> openssl in the load statement.
>>
>> Am 07.05.2014 00:26, schrieb Brian Watson:
>>> If I do "sudo ipsec start" again it says that it's already running. I
>>> then do "sudo ipsec up home" and that's when I get the NO_PROPOSAL_CHOSEN
>>> error that I'm trying to debug. I'll be leaving soon, but will check for
>>> syntax errors. Thanks for all your help! This is interesting.
>>>
>>> On Tue, May 6, 2014 at 5:13 PM, Noel Kuntze <[email protected]> wrote:
>>>> Okay, that should be fairly recent. Check your strongswan.conf for
>>>> syntax errors. Does strongswan run after you started it or does it stop
>>>> itself?
>>>>
>>>> Am 07.05.2014 00:06, schrieb Brian Watson:
>>>>> I do the following:
>>>>>
>>>>> 1. sudo ipsec start (so yes it's running as root)
>>>>> 2. It says the following:
>>>>>    !! Your strongswan.conf contains manual plugin load options for charon.
>>>>>    !! This is recommended for experts only, see
>>>>>    !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
>>>>> 3. The log file doesn't get created.
>>>>> 4. Version - U5.1.2/K3.13.0-24-generic
>>>>>
>>>>> On Tue, May 6, 2014 at 4:50 PM, Noel Kuntze <[email protected]> wrote:
>>>>>> Okay, as what user is strongSwan running? Is it as root?
>>>>>> Does the file get created?
>>>>>> What does ipsec say when you start strongSwan?
>>>>>> What version of strongSwan are you using?
>>>>>>
>>>>>> Am 06.05.2014 23:49, schrieb Brian Watson:
>>>>>>> Yes, I just checked and the extra curly brace is there even though
>>>>>>> I didn't include it in the email. I also changed append=no to yes to see if
>>>>>>> that would have an effect, but it didn't.
>>>>>>>
>>>>>>> On Tue, May 6, 2014 at 4:32 PM, Brian Watson <[email protected]> wrote:
>>>>>>>> I've been trying to get the log file to work, but something
>>>>>>>> isn't quite right. I have the following info in my strongswan.conf file:
>>>>>>>>
>>>>>>>> charon {
>>>>>>>>     load = aes des sha1 sha2 md5 openssl random nonce hmac stroke kernel-netlink socket-default updown
>>>>>>>>     send_vendor_id=yes
>>>>>>>>     # two defined file loggers
>>>>>>>>     filelog {
>>>>>>>>         /var/log/charon.log {
>>>>>>>>             # add a timestamp prefix
>>>>>>>>             time_format = %b %e %T
>>>>>>>>             # prepend connection name, simplifies grepping
>>>>>>>>             ike_name = yes
>>>>>>>>             # overwrite existing files
>>>>>>>>             append = no
>>>>>>>>             # increase default loglevel for all daemon subsystems
>>>>>>>>             default = 2
>>>>>>>>             # flush each line to disk
>>>>>>>>             flush_line = yes
>>>>>>>>         }
>>>>>>>>         stderr {
>>>>>>>>             # more detailed loglevel for a specific subsystem, overriding the
>>>>>>>>             # default loglevel.
>>>>>>>>             ike = 2
>>>>>>>>             knl = 3
>>>>>>>>         }
>>>>>>>>     }
>>>>>>>>
>>>>>>>> I'm also trying different variations like changing the name and
>>>>>>>> location of the log file and I also tried to use stdout, but nothing is
>>>>>>>> happening. Any ideas?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Brian
>>>>>>>>
>>>>>>>> On Tue, May 6, 2014 at 10:59 AM, Noel Kuntze <[email protected]> wrote:
>>>>>>>>> Hello Brian,
>>>>>>>>>
>>>>>>>>> The two peers couldn't negotiate a shared cipher-hmac-modp 3-tuple
>>>>>>>>> in phase one.
>>>>>>>>> I advise setting up logging to a file [1] and looking for the
>>>>>>>>> cipher proposal the two peers send each other and adjusting them with the
>>>>>>>>> "ike=" parameter in the connection section.
>>>>>>>>> Be advised that you cannot simply copy and paste the proposal in
>>>>>>>>> ipsec.conf. Look for the fitting description of the tuple in the example
>>>>>>>>> configurations [2].
>>>>>>>>> Also, read the manpage about the "ike" parameter.
>>>>>>>>>
>>>>>>>>> [1] http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>>>>>>>>> [2] http://www.strongswan.org/uml/testresults/all.html
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Noel Kuntze
>>>>>>>>>
>>>>>>>>> Am 06.05.2014 17:47, schrieb Brian Watson:
>>>>>>>>>> Hi Noel,
>>>>>>>>>> Thanks for the tip! I'm making progress and updated both
>>>>>>>>>> strongswan.conf files, but now I get the following error which I'm
>>>>>>>>>> investigating:
>>>>>>>>>>
>>>>>>>>>> initiating IKE_SA home[3] to 127.0.0.2
>>>>>>>>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>>>>>>>>> sending packet: from 127.0.0.3[500] to 127.0.0.2[500] (892 bytes)
>>>>>>>>>> received packet: from 127.0.0.2[500] to 127.0.0.3[500] (36 bytes)
>>>>>>>>>> parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
>>>>>>>>>> received NO_PROPOSAL_CHOSEN notify error
>>>>>>>>>> establishing connection 'home' failed
>>>>>>>>>>
>>>>>>>>>> Any ideas?
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Brian
>>>>>>>>>>
>>>>>>>>>> On Tue, May 6, 2014 at 10:11 AM, Noel Kuntze <[email protected]> wrote:
>>>>>>>>>>> Hello Brian,
>>>>>>>>>>>
>>>>>>>>>>> Plugins in StrongSwan provide support for cryptographic
>>>>>>>>>>> operations, like Diffie-Hellman key exchanges and ciphers.
>>>>>>>>>>> StrongSwan itself only comes with a small number of plugins for
>>>>>>>>>>> ciphers like aes or des, but not DH, which is used to negotiate the key in
>>>>>>>>>>> phase one.
>>>>>>>>>>> Plugins provide access to 3rd party APIs, like the ones of
>>>>>>>>>>> openssl and libgmp.
>>>>>>>>>>> The default proposal StrongSwan sends includes a DH exchange over
>>>>>>>>>>> a modulus of 2048 bit, which is provided by either libgmp or openssl.
>>>>>>>>>>> It seems you do not have libgmp installed on your box. Please
>>>>>>>>>>> install it, then try again. As an alternative, you could also use openssl.
>>>>>>>>>>> To use openssl instead of libgmp for cryptography, just replace
>>>>>>>>>>> gmp with openssl in the load argument in strongswan.conf.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Noel Kuntze
>>>>>>>>>>>
>>>>>>>>>>> Am 06.05.2014 16:54, schrieb Brian Watson:
>>>>>>>>>>>> I also have done the following:
>>>>>>>>>>>>
>>>>>>>>>>>> 1. ipsec up home
>>>>>>>>>>>>
>>>>>>>>>>>> 2. I get the following in response
>>>>>>>>>>>>    initiating IKE_SA home[1] to 127.0.0.2
>>>>>>>>>>>>    configured DH group MODP_2048 not supported
>>>>>>>>>>>>    tried to check-in and delete nonexisting IKE_SA
>>>>>>>>>>>>    establishing connection 'home' failed
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks!
>>>>>>>>>>>> Brian
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, May 6, 2014 at 9:06 AM, Brian Watson <[email protected]> wrote:
>>>>>>>>>>>>> I have set up strongswan with the config files on 2 virtual
>>>>>>>>>>>>> boxes running Ubuntu 14.04. I have the following with the 2nd virtual
>>>>>>>>>>>>> machine basically mirroring the first with the exception of the ip address
>>>>>>>>>>>>> being swapped around:
>>>>>>>>>>>>>
>>>>>>>>>>>>> 1. I set up the config files on 2 Ubuntu virtualbox machines
>>>>>>>>>>>>>
>>>>>>>>>>>>> ipsec.conf
>>>>>>>>>>>>> -------------------------
>>>>>>>>>>>>> config setup
>>>>>>>>>>>>>
>>>>>>>>>>>>> conn %default
>>>>>>>>>>>>>     ikelifetime=60m
>>>>>>>>>>>>>     keylife=20m
>>>>>>>>>>>>>     rekeymargin=3m
>>>>>>>>>>>>>     keyingtries=1
>>>>>>>>>>>>>     keyexchange=ikev2
>>>>>>>>>>>>>     authby=secret
>>>>>>>>>>>>>
>>>>>>>>>>>>> conn home
>>>>>>>>>>>>>     left=127.0.0.2
>>>>>>>>>>>>>     leftfirewall=no
>>>>>>>>>>>>>     right=127.0.0.3
>>>>>>>>>>>>>     auto=add
>>>>>>>>>>>>>
>>>>>>>>>>>>> ipsec.secrets
>>>>>>>>>>>>> ------------------------------
>>>>>>>>>>>>> 127.0.0.2 : PSK <shared secret>
>>>>>>>>>>>>>
>>>>>>>>>>>>> strongswan.conf
>>>>>>>>>>>>> -------------------------------
>>>>>>>>>>>>> charon {
>>>>>>>>>>>>>     load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
>>>>>>>>>>>>> }
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2. I issue "sudo ipsec start" and status commands and get
>>>>>>>>>>>>> the following:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Starting strongSwan 5.1.2 IPsec [starter]...
>>>>>>>>>>>>> !! Your strongswan.conf contains manual plugin load options for charon.
>>>>>>>>>>>>> !! This is recommended for experts only, see
>>>>>>>>>>>>> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
>>>>>>>>>>>>> brianswan3@brianswan3-VirtualBox:/etc$ sudo ipsec status
>>>>>>>>>>>>> Security Associations (0 up, 0 connecting):
>>>>>>>>>>>>>   none
>>>>>>>>>>>>>
>>>>>>>>>>>>> 3. The fact that it shows no security associations implies
>>>>>>>>>>>>> to me that it didn't work. Is this true and is there something obvious that
>>>>>>>>>>>>> I'm doing wrong?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>> Brian
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
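Noel's advice in the thread is to log to a file, find the IKE proposals the two peers send each other, and widen the responder's `ike=` line accordingly, since charon's algorithm identifiers cannot be pasted into ipsec.conf verbatim. The following script is an added example and is not code from the thread or from the strongSwan project: it parses the `received proposals:` and `configured proposals:` lines that charon's `cfg` subsystem writes at loglevel 2, reports whether any IKE tuple is common to both sides (when none is, the responder answers N(NO_PROP), which is what the initiator saw on May 6), and drafts an `ike=` value from the initiator's tuples. The log lines, the algorithm sets and the identifier-to-keyword table are constructed for the example; it also assumes each logged proposal names exactly one algorithm per transform type, which is the form a single `ike=` entry produces. Run it on the responder's log, not the initiator's: the initiator only sees the NO_PROPOSAL_CHOSEN notify, never the peer's configured set.

```python
"""Compare the IKE proposals a strongSwan responder logged as 'received' and
'configured', explain a NO_PROPOSAL_CHOSEN, and draft an ipsec.conf ike= line.

Added example; not code from the strongSwan project or from the thread."""
import re
from typing import Dict, List, Tuple

Proposal = Tuple[str, ...]

# Constructed sample of a responder's charon filelog (time_format = %b %e %T,
# ike_name = yes, default = 2, as in the thread's strongswan.conf). The
# algorithm sets are assumed and chosen so that nothing overlaps.
NO_OVERLAP_LOG = """\
May  7 10:20:01 05[CFG] <3> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
May  7 10:20:01 05[CFG] <3> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May  7 10:20:01 05[IKE] <3> no proposal found
May  7 10:20:01 05[ENC] <3> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
"""

# Constructed sample after the responder's ike= line was widened to include
# one of the initiator's tuples.
OVERLAP_LOG = """\
May  7 10:25:13 07[CFG] <4> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
May  7 10:25:13 07[CFG] <4> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
May  7 10:25:13 07[CFG] <4> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
"""

PROPOSAL_RE = re.compile(r"(received|configured) proposals: (.+)$")

# charon algorithm identifiers -> ipsec.conf ike= keywords (assumed table that
# covers only the names used in the samples; anything else is lowercased).
IKE_KEYWORDS = {
    "AES_CBC_128": "aes128",
    "AES_CBC_256": "aes256",
    "3DES_CBC": "3des",
    "HMAC_SHA1_96": "sha1",
    "HMAC_SHA2_256_128": "sha256",
    "MODP_1024": "modp1024",
    "MODP_2048": "modp2048",
}


def parse_proposals(log_text: str) -> Dict[str, List[Proposal]]:
    """Collect the IKE proposals logged as received (from the peer) and configured (local)."""
    found: Dict[str, List[Proposal]] = {"received": [], "configured": []}
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if not m:
            continue
        for item in m.group(2).split(", "):
            proto, _, algs = item.partition(":")
            if proto != "IKE":
                continue  # ESP/AH proposals belong to the CHILD_SA, not phase one
            found[m.group(1)].append(tuple(algs.split("/")))
    return found


def matching_proposals(received: List[Proposal], configured: List[Proposal]) -> List[Proposal]:
    """Tuples present on both sides; an empty result is exactly why NO_PROPOSAL_CHOSEN is sent."""
    return [p for p in received if p in configured]


def to_ike_keyword(proposal: Proposal) -> str:
    """Render one charon tuple as an ipsec.conf ike= entry; the PRF is implied by the integrity algorithm."""
    return "-".join(IKE_KEYWORDS.get(a, a.lower()) for a in proposal if not a.startswith("PRF_"))


def diagnose(log_text: str) -> Dict[str, object]:
    """Return the common tuples and an ike= value that would accept every received tuple."""
    props = parse_proposals(log_text)
    return {
        "matches": matching_proposals(props["received"], props["configured"]),
        "suggested_ike": ",".join(to_ike_keyword(p) for p in props["received"]),
    }


if __name__ == "__main__":
    for name, log in (("no overlap", NO_OVERLAP_LOG), ("overlap", OVERLAP_LOG)):
        result = diagnose(log)
        print(f"{name}: matches={result['matches']}")
        if not result["matches"]:
            print(f"  responder would need: ike={result['suggested_ike']}")
```

The suggested `ike=` value is the union of what the initiator offered; before adopting it, drop any entry you would not want to accept (for instance an old group such as modp1024), since the whole point of the comparison is to choose the overlap deliberately rather than to accept whatever the peer proposes.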
