Hi Guilsson,

Please follow the instructions on the HelpRequests[1] page and, when you request help here, provide all the data listed on that page.
Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests#Configuration-snippets

On 10.04.19 at 18:21, [email protected] wrote:
> Hi Kostya/Everyone
>
> (1 - Firewall): It's not a firewall issue. Because the old machine
> still connects successfully, the permissions are ok. In fact, this IP
> (192.168.1.16) has full internet access.
>
> (2 - Key exchange version): DONE
>
> (3 - Proposal / SA encryption defaults): DONE
>
> Resulting ipsec.conf:
> =====================
> conn vpnbank
>     type=tunnel
>     left=192.168.1.16
>     leftsubnet=192.168.1.0/26
>     right=22.22.22.22
>     rightsubnet=11.11.11.11/32
>     # keyexchange=ike
>     auto=start
>     authby=secret
>     pfs=no
>     compress=no
>     keylife=1440m
>     ikelifetime=3600s
>     keyexchange=ikev1
>
>     ike=aes128-sha1-modp1024,aes128-md5-modp1024,3des-sha1-modp1024,3des-md5-modp1024
>     esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
> =====================
>
> The sniffing at the firewall:
> =========================
> # tshark -i eth1 esp or port 500 or port 4500
> Running as user "root" and group "root". This could be dangerous.
> Capturing on eth1
> 0.000000 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 0.000399 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 0.014435 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 2.180599 192.168.1.16 500 22.22.22.22 500 ISAKMP Identity Protection (Main Mode)
> 2.191741 22.22.22.22 500 192.168.1.16 500 ISAKMP Identity Protection (Main Mode)
> 2.193680 192.168.1.16 500 22.22.22.22 500 ISAKMP Identity Protection (Main Mode)
> 2.205169 22.22.22.22 500 192.168.1.16 500 ISAKMP Identity Protection (Main Mode)
> 2.207159 192.168.1.16 500 22.22.22.22 500 ISAKMP Identity Protection (Main Mode)
> 2.218048 22.22.22.22 500 192.168.1.16 500 ISAKMP Identity Protection (Main Mode)
> 2.219140 192.168.1.16 500 22.22.22.22 500 ISAKMP Quick Mode
> 2.233076 22.22.22.22 500 192.168.1.16 500 ISAKMP Quick Mode
> 2.235664 192.168.1.16 500 22.22.22.22 500 ISAKMP Quick Mode
> 13.521578 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 13.522616 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 33.519399 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 33.520586 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 53.517667 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 53.519306 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 73.515940 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 73.517926 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 93.514266 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 93.515698 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 113.512031 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 113.513269 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 133.510302 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 133.511590 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 153.509694 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 153.510983 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 173.506067 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 173.507505 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 193.504186 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 193.505426 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 213.503207 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 213.504344 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
> 233.500579 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
> 233.501965 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
>
> [...] STAYS FOREVER REPEATING EVERY 20 SECONDS...
>
>
> NICE. NOW, these packets are exactly the same as OLD Fedora/OpenSwan !!! :)
> 3 Informational, 6 Main Mode and 3 Quick Mode.
> BUT no ESP packets :(
> Only ISAKMP Informational stays forever.
>
>
> Here is the /var/log/secure:
> =========================
> Apr 10 12:57:33 vmipsec polkitd[970]: Registered Authentication Agent for unix-process:9263:15380241 (system bus name :1.646 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> Apr 10 12:57:33 vmipsec polkitd[970]: Unregistered Authentication Agent for unix-process:9263:15380241 (system bus name :1.646, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
> Apr 10 12:57:33 vmipsec ipsec_starter[9279]: Starting strongSwan 5.7.2 IPsec [starter]...
> Apr 10 12:57:33 vmipsec ipsec_starter[9279]: # deprecated keyword 'pfs' in conn 'vpnbank'
> Apr 10 12:57:33 vmipsec ipsec_starter[9279]: PFS is enabled by specifying a DH group in the 'esp' cipher suite
> Apr 10 12:57:33 vmipsec ipsec_starter[9279]: ### 1 parsing error (0 fatal) ###
> Apr 10 12:57:34 vmipsec ipsec_starter[9279]: charon (9288) started after 160 ms
> Apr 10 12:57:34 vmipsec charon: 06[IKE] initiating Main Mode IKE_SA vpnbank[1] to 22.22.22.22
> Apr 10 12:57:34 vmipsec charon: 10[IKE] IKE_SA vpnbank[1] established between 192.168.1.16[192.168.1.16]...22.22.22.22[22.22.22.22]
> Apr 10 12:57:34 vmipsec charon: 11[IKE] CHILD_SA vpnbank{1} established with SPIs c43a1aaa_i cf6683fa_o and TS 192.168.1.0/26 === 11.11.11.11/32
>
>
> Here is the /var/log/messages:
> ===========================
> Attached: migrating-openswan-to-strongswan-v2.txt
>
> I think we are almost there...
> Only ESP packets need to be present...
>
> Any hint, please?
>
> Thanks in advance,
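The capture and conn block quoted above are the kind of data the HelpRequests page asks for, and they can be checked mechanically. The following is an added example written for this page by the editor; it is not code from the thread, from strongSwan, or from the poster. It assumes tshark's default one-line summary layout as it appears in the post (time, source, source port, destination, destination port, protocol, info; ESP lines have no ports), takes the posted capture and conn block as constructed, abbreviated sample input, and reports whether IKEv1 phase 1 and phase 2 completed, whether any ESP followed, how often the trailing ISAKMP Informational exchanges recur, and which conn settings deserve a second look. Reading a regular Informational cadence as DPD keepalives is the editor's interpretation, and the configuration findings are hardening notes rather than the cause of a missing-ESP symptom (a peer may still mandate IKEv1 or the older ciphers).

```python
# Added example, not code from the thread or from strongSwan: parse a text
# tshark capture ("esp or port 500 or port 4500") and an ipsec.conf conn
# block, then report what the exchange shows. SAMPLE_CAPTURE and SAMPLE_CONF
# are constructed from, and abbreviated relative to, the data in the post.
import re
from collections import Counter
from statistics import median

SAMPLE_CAPTURE = """\
Capturing on eth1
0.000000 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
0.014435 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
2.180599 192.168.1.16 500 22.22.22.22 500 ISAKMP Identity Protection (Main Mode)
2.191741 22.22.22.22 500 192.168.1.16 500 ISAKMP Identity Protection (Main Mode)
2.193680 192.168.1.16 500 22.22.22.22 500 ISAKMP Identity Protection (Main Mode)
2.205169 22.22.22.22 500 192.168.1.16 500 ISAKMP Identity Protection (Main Mode)
2.207159 192.168.1.16 500 22.22.22.22 500 ISAKMP Identity Protection (Main Mode)
2.218048 22.22.22.22 500 192.168.1.16 500 ISAKMP Identity Protection (Main Mode)
2.219140 192.168.1.16 500 22.22.22.22 500 ISAKMP Quick Mode
2.233076 22.22.22.22 500 192.168.1.16 500 ISAKMP Quick Mode
2.235664 192.168.1.16 500 22.22.22.22 500 ISAKMP Quick Mode
13.521578 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
13.522616 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
33.519399 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
33.520586 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
53.517667 22.22.22.22 500 192.168.1.16 500 ISAKMP Informational
53.519306 192.168.1.16 500 22.22.22.22 500 ISAKMP Informational
"""

SAMPLE_CONF = """\
conn vpnbank
    keyexchange=ikev1
    pfs=no
    ike=aes128-sha1-modp1024,aes128-md5-modp1024,3des-sha1-modp1024,3des-md5-modp1024
    esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
"""

TIME_RE = re.compile(r"^\d+\.\d+$")
DH_RE = re.compile(r"modp\d+|ecp\d+|curve25519|x25519")
LEGACY = {"md5": "MD5", "3des": "3DES", "modp1024": "1024-bit MODP DH group"}


def parse_capture(text):
    """tshark summary lines -> dicts. ISAKMP lines carry ports, ESP lines do not,
    so the two non-numeric tokens before the protocol name are the addresses."""
    pkts = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 4 or not TIME_RE.match(toks[0]):
            continue  # banner lines such as "Capturing on eth1"
        idx = next((i for i, tk in enumerate(toks) if i and tk in ("ISAKMP", "ESP")), None)
        addrs = [tk for tk in toks[1:idx] if not tk.isdigit()] if idx else []
        if len(addrs) == 2:
            pkts.append({"t": float(toks[0]), "src": addrs[0], "dst": addrs[1],
                         "proto": toks[idx], "info": " ".join(toks[idx + 1:])})
    return pkts


def analyze_capture(text):
    pkts = parse_capture(text)
    counts = Counter()
    for p in pkts:
        kind = next((k for k in ("Main Mode", "Quick Mode", "Informational") if k in p["info"]), "Other")
        counts["ESP" if p["proto"] == "ESP" else kind] += 1
    # Cadence of Informational exchanges after the last Quick Mode message: packets
    # less than 1 s apart form one exchange; report the median gap between exchanges.
    last_qm = max((p["t"] for p in pkts if "Quick Mode" in p["info"]), default=None)
    bursts = []
    for p in pkts:
        if last_qm is not None and p["t"] > last_qm and "Informational" in p["info"]:
            if bursts and p["t"] - bursts[-1][-1] < 1.0:
                bursts[-1].append(p["t"])
            else:
                bursts.append([p["t"]])
    gaps = [b[0] - a[0] for a, b in zip(bursts, bursts[1:])]
    # IKEv1: phase 1 is six Main Mode messages, phase 2 is three Quick Mode messages.
    return {"counts": counts, "phase1_complete": counts["Main Mode"] >= 6,
            "phase2_complete": counts["Quick Mode"] >= 3, "esp_seen": counts["ESP"] > 0,
            "informational_interval_s": round(median(gaps), 1) if gaps else None}


def verdict(r):
    if not r["phase1_complete"]:
        return "phase 1 incomplete: check PSK, IDs and ike= proposals against the peer"
    if not r["phase2_complete"]:
        return "phase 2 incomplete: check esp= proposals and the subnet pair against the peer"
    if r["esp_seen"]:
        return "IKE and ESP both present: the tunnel is carrying traffic"
    hint = (f"; Informational exchanges recur every ~{r['informational_interval_s']}s, "
            "consistent with DPD keepalives rather than data") if r["informational_interval_s"] else ""
    return ("SAs negotiated but no ESP: verify traffic really matches the selectors and that "
            "kernel policies/SAs are installed (ip xfrm policy; ip xfrm state)" + hint)


def lint_conn(text):
    """Hardening notes for a conn block; the log in the thread is where the
    'pfs' deprecation and the DH-group-in-esp rule come from."""
    kv = dict(s.strip().partition("=")[::2] for s in text.splitlines()
              if "=" in s and not s.strip().startswith(("#", "conn ")))
    findings = []
    if "pfs" in kv:
        findings.append("'pfs' is deprecated; PFS is requested by adding a DH group to esp=")
    if kv.get("esp") and not DH_RE.search(kv["esp"]):
        findings.append("no DH group in esp=: Quick Mode runs without PFS")
    for key in ("ike", "esp"):
        for prop in filter(None, kv.get(key, "").split(",")):
            findings += [f"{key}= proposal '{prop}' uses legacy {LEGACY[t]}" for t in prop.split("-") if t in LEGACY]
    return findings


if __name__ == "__main__":
    print(verdict(analyze_capture(SAMPLE_CAPTURE)))
    print(*lint_conn(SAMPLE_CONF), sep="\n")
```

Run it against a real capture by feeding `tshark -i eth1 esp or port 500 or port 4500` output to `analyze_capture`; a capture in which ESP appears after the three Quick Mode messages flips the verdict to "carrying traffic", which is the distinction the thread is chasing.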
