Thanks Martin,
I downloaded 5.2.0 and patched it. I've moved on from that error but it's still
not working. It looks like the Linux box thinks the connection is up and I can
see packets from it to the router but for some reason the router isn't
responding. I'm stumped.
A0089-Mint1 sbin # ./ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.0, Linux 3.13.0-24-generic, x86_64):
uptime: 12 minutes, since Aug 07 16:52:32 2014
malloc: sbrk 1351680, mmap 0, used 253760, free 1097920
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation
constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp
xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown
xauth-generic unity
Listening IP addresses:
192.168.0.1
10.1.0.1
Connections:
strongswan-router: 192.168.0.1...192.168.1.1 IKEv1
strongswan-router: local: [192.168.0.1] uses pre-shared key authentication
strongswan-router: remote: [192.168.1.1] uses pre-shared key authentication
strongswan-router: child: 10.1.0.0/24 === 10.2.0.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
strongswan-router[1]: ESTABLISHED 12 minutes ago, 192.168.0.1[192.168.0.1]...192.168.1.1[192.168.1.1]
strongswan-router[1]: IKEv1 SPIs: b554a84868aed5bd_i* 831939ece7b34833_r, pre-shared key reauthentication in 42 minutes
strongswan-router[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
strongswan-router{1}: INSTALLED, TUNNEL, ESP SPIs: c77b0968_i 1deaf0e1_o
strongswan-router{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 10488 bytes_o (114 pkts, 412s ago), rekeying in 117 seconds
strongswan-router{1}: 10.1.0.0/24 === 10.2.0.0/24
R2#debug crypto ipsec
Crypto IPSEC debugging is on
R2#
*Mar 1 02:03:29.535: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar 1 02:03:29.539: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Mar 1 02:03:29.543: IPSEC(key_engine_delete_sas): delete SA with spi 0xC1A5C3C1 proto 50 for 192.168.0.1
*Mar 1 02:03:29.543: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 192.168.1.1, sa_proto= 50,
sa_spi= 0xDDC145(14532933),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2003
sa_lifetime(k/sec)= (4591396/1200),
(identity) local= 192.168.1.1, remote= 192.168.0.1,
local_proxy= 10.2.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4)
*Mar 1 02:03:29.547: IPSEC(add_sa): have new SAs -- expire existing in 30 sec.,
(sa) sa_dest= 192.168.0.1, sa_proto= 50,
sa_spi= 0xC1A5C3C1(3248866241),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2004
sa_lifetime(k/sec)= (4591396/1200),
(identity) local= 192.168.1.1, remote= 192.168.0.1,
local_proxy= 10.2.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4)
*Mar 1 02:03:29.547: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 192.168.0.1, sa_proto= 50,
sa_spi= 0xC1A5C3C1(3248866241),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2004
sa_lifetime(k/sec)= (4591396/1200),
(identity) local= 192.168.1.1, remote= 192.168.0.1,
local_proxy= 10.2.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4)
*Mar 1 02:03:29.547: IPSec: Flow_switching Deallocated flow for sibling 80000010
*Mar 1 02:03:29.567: IPSEC(key_engine): got a queue event with 1 kei messages
R2#
R2#
*Mar 1 02:03:32.811: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.0.1,
local_proxy= 10.2.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2
*Mar 1 02:03:32.823: Crypto mapdb : proxy_match
src addr : 10.2.0.0
dst addr : 10.1.0.0
protocol : 0
src port : 0
dst port : 0
*Mar 1 02:03:32.831: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar 1 02:03:32.831: IPSEC(spi_response): getting spi 3215584645 for SA from 192.168.1.1 to 192.168.0.1 for prot 3
*Mar 1 02:03:32.843: IPSEC(key_engine): got a queue event with 2 kei messages
*Mar 1 02:03:32.847: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.0.1,
local_proxy= 10.2.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 1200s and 0kb,
spi= 0xBFA9ED85(3215584645), conn_id= 0, keysize= 128, flags= 0x2
*Mar 1 02:03:32.851: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 192.168.1.1, remote= 192.168.0.1,
local_proxy= 10.2.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 1200s and 0kb,
spi= 0xC20F459B(3255780763), conn_id= 0, keysize= 128, flags= 0xA
*Mar 1 02:03:32.851: Crypto mapdb : proxy_match
src addr : 10.2.0.0
dst addr : 10.1.0.0
protocol : 0
src port : 0
dst port : 0
*Mar 1 02:03:32.851: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 192.168.0.1
*Mar 1 02:03:32.855: IPSec: Flow_switching Allocated flow for sibling 80000011
*Mar 1 02:03:32.855: IPSEC(policy_db_add_ident): src 10.2.0.0, dest 10.1.0.0, dest_port 0
*Mar 1 02:03:32.855: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.1.1, sa_proto= 50,
sa_spi= 0xBFA9ED85(3215584645),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2004
sa_lifetime(k/sec)= (4432709/1200)
*Mar 1 02:03:32.855: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.0.1, sa_proto= 50,
sa_spi= 0xC20F459B(3255780763),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2003
sa_lifetime(k/sec)= (4432709/1200)
*Mar 1 02:03:32.887: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar 1 02:03:32.891: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Mar 1 02:03:32.895: IPSEC(key_engine_enable_outbound): enable SA with spi 3255780763/50
R2#
Cheers,
Tormod
>>> Martin Willi <[email protected]> 07/08/2014 12:33 >>>
Hi,
> Aug 7 12:06:03 A0089-Mint1 charon: 09[CFG] proposing traffic selectors for other:
> Aug 7 12:06:03 A0089-Mint1 charon: 09[CFG] 10.2.0.0/24
> Aug 7 12:06:03 A0089-Mint1 charon: 09[CFG] changing proposed traffic selectors for other:
> Aug 7 12:06:03 A0089-Mint1 charon: 09[CFG] 0.0.0.0/0
The unity plugin widens the traffic selector as initiator, to later
dynamically reduce it to what has been negotiated with the Split-Include
Unity extension.
If the plugin is enabled, this is done on all connections where the
Unity Vendor ID has been received, which is likely with Cisco boxes.
I've recently pushed a patch [1] which disables that behavior if no
Split-Include attribute has been received on the connection. Please try
that patch, I think it should fix this issue.
Regards
Martin
[1]http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=1a62fb0a
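As an added diagnostic example, not part of this thread and not strongSwan's or Cisco's own code: a Python script that parses an `ipsec statusall` dump and a `debug crypto ipsec` capture of the kind quoted above and cross-checks the two ends. It reports whether the CHILD_SA traffic selectors strongSwan installed agree with the router's proxy identities (and whether strongSwan's side was widened to 0.0.0.0/0, the unity behaviour Martin describes), whether ESP is one-way (bytes out but none in, as in the statusall above), and whether both ends hold the same ESP SPI pair. The sample input is constructed from the outputs in this thread; the regular expressions and field names are assumptions about the two tools' output format and should be checked against your own versions.

```python
"""Cross-check strongSwan 'ipsec statusall' against Cisco IOS 'debug crypto ipsec':
do the selectors agree (or were they widened), is ESP one-way, do the SPIs match?"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class ChildSa:               # one INSTALLED CHILD_SA as strongSwan reports it
    name: str
    spi_in: int              # SPI strongSwan receives on ("_i")
    spi_out: int             # SPI strongSwan sends with ("_o")
    bytes_in: int
    bytes_out: int
    local_ts: str            # strongSwan-side subnet
    remote_ts: str           # router-side subnet


@dataclass
class RouterSa:              # one IPSEC(initialize_sas) record from IOS
    direction: str           # INBOUND/OUTBOUND from the router's point of view
    local_proxy: str         # router-side subnet
    remote_proxy: str        # strongSwan-side subnet
    spi: int


# CHILD_SA lines are prefixed "name{id}:"; "name[id]:" lines belong to the IKE_SA.
_SW_SPI = re.compile(r'^\s*([^\s{]+)\{(\d+)\}:\s+INSTALLED,.*?ESP SPIs:\s+'
                     r'([0-9a-f]+)_i\s+([0-9a-f]+)_o', re.M)
_SW_BYTES = re.compile(r'^\s*([^\s{]+)\{(\d+)\}:.*?(\d+) bytes_i,\s+(\d+) bytes_o', re.M)
_SW_TS = re.compile(r'^\s*([^\s{]+)\{(\d+)\}:\s+([\d.]+/\d+) === ([\d.]+/\d+)', re.M)
# One record per ESP SA; validate_proposal_request records (spi= 0x0) are not matched.
_IOS_SA = re.compile(r'IPSEC\(initialize_sas\).*?\b(INBOUND|OUTBOUND)\b.*?'
                     r'local_proxy=\s*([\d.]+)/([\d.]+).*?'
                     r'remote_proxy=\s*([\d.]+)/([\d.]+).*?spi=\s*0x([0-9A-Fa-f]+)', re.S)


def _cidr(addr, mask):
    """'10.2.0.0', '255.255.255.0' -> '10.2.0.0/24' (IOS prints dotted masks)."""
    return str(ipaddress.IPv4Network((addr, mask)))


def parse_strongswan(text):
    """Return one ChildSa per INSTALLED CHILD_SA found in statusall output."""
    sas = {}
    for m in _SW_SPI.finditer(text):
        sas[m.group(1, 2)] = {'name': m.group(1), 'spi_in': int(m.group(3), 16),
                              'spi_out': int(m.group(4), 16)}
    for m in _SW_BYTES.finditer(text):
        if m.group(1, 2) in sas:
            sas[m.group(1, 2)].update(bytes_in=int(m.group(3)), bytes_out=int(m.group(4)))
    for m in _SW_TS.finditer(text):
        if m.group(1, 2) in sas:
            sas[m.group(1, 2)].update(local_ts=m.group(3), remote_ts=m.group(4))
    return [ChildSa(**v) for v in sas.values() if len(v) == 7]


def parse_router(text):
    """Return one RouterSa per IPSEC(initialize_sas) record in IOS debug output."""
    return [RouterSa(d, _cidr(la, lm), _cidr(ra, rm), int(spi, 16))
            for d, la, lm, ra, rm, spi in _IOS_SA.findall(text)]


def cross_check(strongswan_text, router_text):
    """Compare strongSwan's first CHILD_SA with the router's newest SA pair."""
    children, router = parse_strongswan(strongswan_text), parse_router(router_text)
    inbound = [s for s in router if s.direction == 'INBOUND']
    outbound = [s for s in router if s.direction == 'OUTBOUND']
    if not (children and inbound and outbound):
        raise ValueError('need an installed SA on both ends')
    child, rin, rout = children[0], inbound[-1], outbound[-1]
    return {
        # the router's remote proxy is strongSwan's local TS and vice versa
        'ts_match': child.local_ts == rin.remote_proxy and child.remote_ts == rin.local_proxy,
        'ts_widened': '0.0.0.0/0' in (child.local_ts, child.remote_ts),
        'one_way': child.bytes_out > 0 and child.bytes_in == 0,
        # what strongSwan sends with must be what the router receives on
        'spi_match': child.spi_out == rin.spi and child.spi_in == rout.spi,
        'strongswan_spis': (f'{child.spi_in:08x}', f'{child.spi_out:08x}'),
        # router SPIs reordered into strongSwan's (in, out) perspective
        'router_spis_peer_view': (f'{rout.spi:08x}', f'{rin.spi:08x}'),
    }


# Sample input constructed from the outputs quoted in this thread; the "R2#"
# prompt IOS echoed mid-line is kept to show the parser tolerates it.
STRONGSWAN_STATUS = """\
strongswan-router{1}: INSTALLED, TUNNEL, ESP SPIs: c77b0968_i 1deaf0e1_o
strongswan-router{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 10488 bytes_o (114
pkts, 412s ago), rekeying in 117 seconds
strongswan-router{1}: 10.1.0.0/24 === 10.2.0.0/24
"""
ROUTER_DEBUG = """\
*Mar 1 02:03:32.811: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.0.1,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2
*Mar 1 02:03:32.847: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.0.1,
local_proxy= 10.2.0.0/255.255.255.0
R2#/0/0 (type=4),
remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4),
spi= 0xBFA9ED85(3215584645), conn_id= 0, keysize= 128, flags= 0x2
*Mar 1 02:03:32.851: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 192.168.1.1, remote= 192.168.0.1,
local_proxy= 10.2.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4),
spi= 0xC20F459B(3255780763), conn_id= 0, keysize= 128, flags= 0xA
"""
```

Run on the outputs quoted in this thread it reports ts_match True, ts_widened False, one_way True and spi_match False: the router's newest SA pair (0xBFA9ED85 inbound, 0xC20F459B outbound) is not the pair strongSwan shows (c77b0968_i 1deaf0e1_o). That alone does not prove the peers disagree, because the router debug shows a delete and re-create between 02:03:29 and 02:03:32 and the two captures need not come from the same SA generation; take both snapshots at the same moment and only treat a mismatch that survives that as a negotiation problem. If the SPIs and selectors do agree and bytes_i stays at zero, the return path on the router side (its crypto map or ACL, or routing toward 10.1.0.0/24) is the next thing to look at.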
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users