NM, it seems to be a server issue. Other services are fine via IPSec. Thanks for the help. :)
> On Jun 25, 2015, at 3:11 PM, Glen Huang <[email protected]> wrote:
>
> I took a closer look at the messages. It seems the aes module is missing. I
> installed it and finally no error messages.
>
> But after the SA is up, I ping right, no response at all. While pinging, I
> can see a bunch of "UDP-encap: ESP" messages from left to right showing up
> every second from tcpdump, but no right to left, except for occasional
> "isakmp-nat-keep-alive" (only right to left) and "NONESP-encap: isakmp: phase
> 2/others ? inf[E]" (bidirectional) messages.
>
> What might I have done wrong?
>
>> On Jun 25, 2015, at 11:20 AM, Glen Huang <[email protected]> wrote:
>>
>> Hi Noel,
>>
>> Thanks for the help. These are the log messages:
>> http://pastebin.com/QjsA0XW2
>>
>>> On Jun 25, 2015, at 1:45 AM, Noel Kuntze <[email protected]> wrote:
>>>
>>> Hello Glen,
>>>
>>> No, they are not. There are different key exchanges and algorithm
>>> negotiations for IKE and the subsequent SA pairs.
>>> You need to configure a file logger[1] and look at the logs to figure out
>>> what algos are negotiated for the IPsec SAs.
>>>
>>> Use those options for the file logger:
>>> default = 3
>>> mgr = 1
>>> ike = 1
>>> net = 1
>>> enc = 0
>>> cfg = 2
>>> asn = 1
>>> job = 1
>>> knl = 1
>>>
>>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>>>
>>> Mit freundlichen Grüßen/Kind Regards,
>>> Noel Kuntze
>>>
>>> GPG Key ID: 0x63EC6658
>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>
>>> On 24.06.2015 at 19:42, Glen Huang wrote:
>>>> Thank you. How do I check what algorithms are negotiated? Are those the
>>>> "IKE proposal" from ipsec statusall?
>>>>
>>>> If so, they are "3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536", which
>>>> ones do you think are missing from the lsmod list?
>>>>
>>>>> On Jun 25, 2015, at 1:36 AM, Noel Kuntze <[email protected]> wrote:
>>>>>
>>>> Hello Glen,
>>>>
>>>> You obviously also need kernel support for the algorithms
>>>> that are negotiated for the IPsec SAs.
>>>> Check what algorithms are negotiated and then load the corresponding
>>>> kernel module.
>>>>
>>>> Mit freundlichen Grüßen/Kind Regards,
>>>> Noel Kuntze
>>>>
>>>> GPG Key ID: 0x63EC6658
>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>>
>>>> On 24.06.2015 at 19:30, Glen Huang wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm trying to establish an ikev1 transport SA, but it failed with error
>>>>>>> like "received netlink error: Function not implemented (89)", I guess
>>>>>>> it might be that some algo module or kernel module is missing?
>>>>>>>
>>>>>>> ipsec.conf
>>>>>>> http://pastebin.com/WsBDWvCC
>>>>>>>
>>>>>>> messages from ipsec up
>>>>>>> http://pastebin.com/iDxisnVt
>>>>>>>
>>>>>>> ipsec statusall
>>>>>>> http://pastebin.com/CH6bQGYL
>>>>>>>
>>>>>>> output of lsmod
>>>>>>> http://pastebin.com/7NJD0Mxa
>>>>>>>
>>>>>>> I have googled as hard as I can, but didn't find anything useful. I
>>>>>>> tried kernel-libipsec, but unfortunately it doesn't support transport
>>>>>>> mode. So I'm at my wits' end. Could someone help me identify the
>>>>>>> missing part?
>>>>>>>
>>>>>>> Thanks in advance.
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Users mailing list
>>>>>>> [email protected]
>>>>>>> https://lists.strongswan.org/mailman/listinfo/users
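Added example, not part of the thread: one way to check whether the kernel has registered the base algorithms a negotiated proposal needs, which is the condition behind the missing aes module above. The function names and the token-to-kernel-name mapping are assumptions of this example and cover only a common subset; /proc/crypto lists registered algorithms only, so a reported name means the module is not loaded or not built.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Map a strongSwan proposal token to the kernel crypto base algorithm it needs.
# Assumption: only this common subset is covered; other tokens are skipped.
kernel_name() {
    case "$1" in
        AES_CBC*)       echo aes ;;
        3DES_CBC)       echo des3_ede ;;
        HMAC_SHA1*)     echo sha1 ;;
        HMAC_SHA2_256*) echo sha256 ;;
        HMAC_MD5*)      echo md5 ;;
    esac
}

# missing_algs PROPOSAL [FILE]: print each needed base algorithm that has no
# "name : <alg>" entry in FILE (default /proc/crypto).
missing_algs() {
    proposal=$1
    crypto_file=${2:-/proc/crypto}
    old_ifs=$IFS
    IFS=/
    for token in $proposal; do
        IFS=$old_ifs
        alg=$(kernel_name "$token")
        [ -n "$alg" ] || continue
        if ! awk -v a="$alg" '$1 == "name" && $3 == a { found = 1 }
                              END { exit !found }' "$crypto_file"; then
            echo "$alg"
        fi
    done
    IFS=$old_ifs
}

# Constructed /proc/crypto excerpt (no aes entry) for trying this offline.
write_sample_crypto() {
    cat > "$1" <<'EOF'
name         : sha1
driver       : sha1-generic
module       : kernel

name         : des3_ede
driver       : des3_ede-generic
module       : des_generic
EOF
}
```

On a live host, call `missing_algs 'AES_CBC_128/HMAC_SHA1_96'` with the proposal taken from the IPsec SA log lines; each name printed is a candidate for `modprobe`.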
