Hello,

You probably didn't run ./configure with the correct parameters and set "--with-ipsecdir=/usr/lib/strongswan".

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 09.07.2014 13:29, Shahreen Ahmed wrote:
> Hi,
>
> Can you please help in this regard?
>
> I want to test max throughput based on IPsec ESP userland encryption with
> libipsec.
>
> I configured Strongswan 5.1.3 with the following option:
> --enable-kernel-libipsec
>
> While trying to make a setup following the link below:
>
> http://www.strongswan.org/uml/testresults/libipsec/net2net-cert/
>
> It seems that even though a Tunnel is UP based on X.509 authentication and a
> TUN interface 'ipsec0' is injected, NO firewall rules are present for routing
> through 'ipsec0' and encrypted traffic that is decrypted by the peer
> IPsec GW never reaches the site beyond that GW.
>
> The following log is visible in one of the GWs:
>
> Jul 9 11:46:25 ZNYX9210 charon: 08[IKE] restarting CHILD_SA test
> Jul 9 11:46:25 ZNYX9210 charon: 08[IKE] initiating IKE_SA test[2] to 12.0.0.167
> Jul 9 11:46:25 ZNYX9210 charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul 9 11:46:25 ZNYX9210 charon: 08[NET] sending packet: from 12.0.0.189[500] to 12.0.0.167[500] (708 bytes)
> Jul 9 11:46:25 ZNYX9210 charon: 14[NET] received packet: from 12.0.0.167[500] to 12.0.0.189[500] (457 bytes)
> Jul 9 11:46:25 ZNYX9210 charon: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> Jul 9 11:46:25 ZNYX9210 charon: 14[IKE] remote host is behind NAT
> Jul 9 11:46:25 ZNYX9210 charon: 14[IKE] received cert request for "C=CA, ST=PB, O=strongswan org, OU=strongswan root, [email protected]"
> Jul 9 11:46:25 ZNYX9210 charon: 14[IKE] sending cert request for "C=CA, ST=PB, O=strongswan org, OU=strongswan root, [email protected]"
> Jul 9 11:46:25 ZNYX9210 charon: 14[IKE] authentication of 'C=CA, ST=PB, O=strongswan org, OU=strongswan peer2, [email protected]' (myself) with RSA signature successful
> Jul 9 11:46:25 ZNYX9210 charon: 14[IKE] sending end entity cert "C=CA, ST=PB, O=strongswan org, OU=strongswan peer2, [email protected]"
> Jul 9 11:46:25 ZNYX9210 charon: 14[IKE] establishing CHILD_SA test{1}
> Jul 9 11:46:25 ZNYX9210 charon: 14[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
> Jul 9 11:46:25 ZNYX9210 charon: 14[NET] sending packet: from 12.0.0.189[4500] to 12.0.0.167[4500] (1564 bytes)
> Jul 9 11:46:25 ZNYX9210 charon: 09[NET] received packet: from 12.0.0.167[4500] to 12.0.0.189[4500] (1276 bytes)
> Jul 9 11:46:25 ZNYX9210 charon: 09[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
> Jul 9 11:46:25 ZNYX9210 charon: 09[IKE] received end entity cert "C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, [email protected]"
> Jul 9 11:46:25 ZNYX9210 charon: 09[CFG] using trusted ca certificate "C=CA, ST=PB, O=strongswan org, OU=strongswan root, [email protected]"
> Jul 9 11:46:25 ZNYX9210 charon: 09[CFG] checking certificate status of "C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, [email protected]"
> Jul 9 11:46:25 ZNYX9210 charon: 09[CFG] certificate status is not available
> Jul 9 11:46:25 ZNYX9210 charon: 09[CFG] reached self-signed root ca with a path length of 0
> Jul 9 11:46:25 ZNYX9210 charon: 09[CFG] using trusted certificate "C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, [email protected]"
> Jul 9 11:46:25 ZNYX9210 charon: 09[IKE] authentication of 'C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, [email protected]' with RSA signature successful
> Jul 9 11:46:25 ZNYX9210 charon: 09[IKE] IKE_SA test[2] established between 12.0.0.189[C=CA, ST=PB, O=strongswan org, OU=strongswan peer2, [email protected]]...12.0.0.167[C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, [email protected]]
> Jul 9 11:46:25 ZNYX9210 charon: 09[IKE] scheduling reauthentication in 3420s
> Jul 9 11:46:25 ZNYX9210 charon: 09[IKE] maximum IKE_SA lifetime 3600s
> Jul 9 11:46:25 ZNYX9210 charon: 09[IKE] CHILD_SA test{1} established with SPIs 213dcf52_i c9b38fce_o and TS 11.0.0.0/24 === 10.0.0.0/24
> *Jul 9 11:46:25 ZNYX9210 charon: 09[CHD] updown: sh: /etc/updown: No such file or directory*
> Jul 9 11:46:25 ZNYX9210 charon: 09[IKE] received AUTH_LIFETIME of 3311s, scheduling reauthentication in 3131s
>
> Can you please let us know why this /etc/updown file is missing and where
> we should get it from?
>
> Thanks,
> Shahreen
> --
>
> Shahreen Noor Ahmed
> Network Support Department
> Adax Europe Ltd
> url: www.adax.com
> e-mail: [email protected]
> Direct line: +44(0)118 952 2804
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
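
As an added example (not part of the original thread and not strongSwan code): a small Python scan over charon syslog output that ties each `updown:` line to the CHILD_SA established just before it, so a tunnel that came up while its updown script could not be run stands out. The sample log is constructed from the lines quoted above, and pairing entries by the worker thread number in front of `[IKE]`/`[CHD]` is an assumption based on how those lines appear in this log.

```python
import re

# Constructed sample modelled on the charon lines quoted above; the second
# CHILD_SA ("other") and its SPIs are made up for contrast.
SAMPLE_LOG = """\
Jul 9 11:46:25 ZNYX9210 charon: 09[IKE] CHILD_SA test{1} established with SPIs 213dcf52_i c9b38fce_o and TS 11.0.0.0/24 === 10.0.0.0/24
Jul 9 11:46:25 ZNYX9210 charon: 09[CHD] updown: sh: /etc/updown: No such file or directory
Jul 9 11:46:25 ZNYX9210 charon: 09[IKE] received AUTH_LIFETIME of 3311s, scheduling reauthentication in 3131s
Jul 9 11:50:02 ZNYX9210 charon: 11[IKE] CHILD_SA other{2} established with SPIs aaaa0001_i bbbb0002_o and TS 11.0.0.0/24 === 10.0.1.0/24
"""

CHARON = re.compile(r"charon: (?P<thread>\d+)\[(?P<group>[A-Z]{3})\] (?P<msg>.*)$")
ESTABLISHED = re.compile(
    r"CHILD_SA (?P<name>\S+)\{(?P<id>\d+)\} established with SPIs \S+ \S+ and TS (?P<ts>.+)$")
MISSING = re.compile(r"^sh: (?P<path>\S+): No such file or directory$")


def find_updown_output(log_text):
    """Return one record per 'updown:' line, tied to the CHILD_SA most
    recently established on the same charon worker thread (assumption)."""
    last_child = {}  # thread number -> (name{id}, traffic selectors)
    records = []
    for line in log_text.splitlines():
        m = CHARON.search(line)
        if not m:
            continue
        thread, group, msg = m.group("thread", "group", "msg")
        est = ESTABLISHED.search(msg)
        if group == "IKE" and est:
            last_child[thread] = ("%s{%s}" % est.group("name", "id"), est.group("ts"))
        elif group == "CHD" and msg.startswith("updown: "):
            output = msg[len("updown: "):]
            missing = MISSING.match(output)
            child, ts = last_child.get(thread, (None, None))
            records.append({
                "child_sa": child,
                "traffic_selectors": ts,
                "output": output,
                # Path the shell could not find, or None for other script output.
                "missing_script": missing.group("path") if missing else None,
            })
    return records


if __name__ == "__main__":
    for rec in find_updown_output(SAMPLE_LOG):
        print(rec)
```

A record with `missing_script` set means the CHILD_SA was negotiated but whatever the updown script would have installed for its traffic selectors was never applied.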
