[strongSwan] unable to add pseudo IPIP SA with SPI c1bb6ffe: Invalid argument
Hi!

I was forced by a buggy openswan port to try StrongSwan on OpenWRT Backfire 10.03.01 RC6 (pluto did not receive reply packets, if you care). The server is still using OpenSwan. But even after a lot of fiddling with settings I can't get StrongSwan to connect. Here is the info that hopefully allows somebody who knows StrongSwan well to tell me what I need to do to get this to work.

I installed these packages (couldn't do a full install for lack of space):

strongswan4 - 4.5.2-1
strongswan4-app-charon - 4.5.2-1
strongswan4-app-pluto - 4.5.2-1
strongswan4-minimal - 4.5.2-1
strongswan4-mod-aes - 4.5.2-1
strongswan4-mod-blowfish - 4.5.2-1
strongswan4-mod-constraints - 4.5.2-1
strongswan4-mod-coupling - 4.5.2-1
strongswan4-mod-des - 4.5.2-1
strongswan4-mod-gmp - 4.5.2-1
strongswan4-mod-hmac - 4.5.2-1
strongswan4-mod-kernel-klips - 4.5.2-1
strongswan4-mod-kernel-netlink - 4.5.2-1
strongswan4-mod-md5 - 4.5.2-1
strongswan4-mod-pem - 4.5.2-1
strongswan4-mod-pkcs1 - 4.5.2-1
strongswan4-mod-pubkey - 4.5.2-1
strongswan4-mod-random - 4.5.2-1
strongswan4-mod-revocation - 4.5.2-1
strongswan4-mod-sha1 - 4.5.2-1
strongswan4-mod-sha2 - 4.5.2-1
strongswan4-mod-socket-default - 4.5.2-1
strongswan4-mod-stroke - 4.5.2-1
strongswan4-mod-updown - 4.5.2-1
strongswan4-mod-x509 - 4.5.2-1
strongswan4-mod-xcbc - 4.5.2-1
strongswan4-utils - 4.5.2-1

= StrongSwan config =

config setup
    plutodebug=control
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    # nat_traversal=yes
    # charonstart=no
    # plutostart=no
    nat_traversal=yes
    charonstart=yes
    plutostart=yes

conn openswan-server
    auto=add
    authby=rsasig
    keyexchange=ikev1
    right=%defaultroute
    rightsubnet=192.168.1.0/24
    rightcert=/etc/ipsec.d/certs/strongswan-clientCert.pem
    rightsendcert=always
    rightrsasigkey=%cert
    rightid=C=DE, ST=Bavaria, O=My Company, OU=IPSec Clients, CN=strongswan-client.mycompany.de, E=lupe.christ...@mycompany.de
    left=SERVERIPADDRESS
    leftcert=/etc/ipsec.d/certs/openswan-serverCert.pem
    leftrsasigkey=%cert

= Openswan config =
conn strongswan-client
    auto=add
    right=%any
    rightsubnet=192.168.1.0/24
    rightcert=strongswan-clientCert.pem
    rightnexthop=%defaultroute
    left=%defaultroute
    leftcert=openswan-serverCert.pem
    leftsendcert=never

= Output from ipsec up openswan-server =

002 openswan-server #1: initiating Main Mode
102 openswan-server #1: STATE_MAIN_I1: initiate
003 openswan-server #1: ignoring Vendor ID payload [4f45517b4f7f6e657a7b4351]
003 openswan-server #1: received Vendor ID payload [Dead Peer Detection]
003 openswan-server #1: received Vendor ID payload [RFC 3947]
002 openswan-server #1: enabling possible NAT-traversal with method 3
104 openswan-server #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 openswan-server #1: NAT-Traversal: Result using RFC 3947: no NAT detected
002 openswan-server #1: we have a cert and are sending it
106 openswan-server #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 openswan-server #1: ignoring Vendor ID payload [494b457632]
002 openswan-server #1: Peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Bavaria, O=My Company, OU=IPSec Clients, CN=openswan-server.mycompany.de, E=lutz.christ...@mycompany.de'
002 openswan-server #1: ISAKMP SA established
004 openswan-server #1: STATE_MAIN_I4: ISAKMP SA established
002 openswan-server #2: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
110 openswan-server #2: STATE_QUICK_I1: initiate
032 openswan-server #2: STATE_QUICK_I1: internal error

=== syslog ===

Nov 13 13:28:43 janus authpriv.debug pluto[28210]: |
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | *received whack message
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | creating state object #1 at 0x49bbe0
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | ICOOKIE: 76 08 08 8a f4 3c 2b 8a
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | RCOOKIE: 00 00 00 00 00 00 00 00
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | peer: 55 d6 9d b0
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | state hash entry 11
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | Queuing pending Quick Mode with SERVERIPADDRESS openswan-server
Nov 13 13:28:43 janus authpriv.warn pluto[28210]: openswan-server #1: initiating Main Mode
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: |
Nov 13
[strongSwan] Traffic with dscp marking (other than BE) not going through IPsec tunnel
Hi,

My aim is to create two IPsec tunnels using strongSwan between two end-points, each having a different DSCP marking (like say EF, BE, AF31 etc). Right now, I see that when I set the DSCP marking as BE (default), the traffic goes through the designated IPsec tunnel. When I use anything else, the traffic reaches the other end-point in plain text (there is no encryption). I tried referring to your example in http://www2.strongswan.org/uml/testresults46rc/ikev2/net2net-psk-dscp/index.html. I see that you are able to send encrypted traffic with DSCP markings EF and BE.

I believe that the reason DSCP-marked traffic does not flow through a tunnel could be because the tunnel does not have the 'capability' to handle that particular DSCP marking. Could you please let me know if this is the case, and also if there is anything I need to change (kernel version, strongSwan version, config file) to get this working.

I have pasted the details of my end-points below, with DSCP set to EF:

linux kernel version on both end-points: 2.6.35
strongSwan version on both end-points: 4.5.2-1

*End-point1:*

# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    #plutostderrlog=/var/log/syslog
    # plutodebug=control
    # crlcheckinterval=600
    strictcrlpolicy=no
    # cachecrls=yes
    # nat_traversal=yes
    charonstart=yes
    charondebug=control
    plutostart=no

# Add connections here.
ca strongswan
    cacert=caCert.der
    auto=add

conn %default
    type=tunnel
    left=169.254.0.70
    leftcert=VC1Cert.der
    right=169.254.1.70
    #rightid=C=CH, O=strongSwan, CN=169.254.1.70
    keyexchange=ikev2
    auto=start

conn tunnel1
    leftid=@VC1-tunnel1
    rightid=@VC2-tunnel1
    leftsubnet=169.254.0.0/24
    rightsubnet=169.254.1.0/24
    mark=10

conn tunnel2
    leftid=@VC1-tunnel2
    rightid=@VC2-tunnel2
    leftsubnet=169.254.0.0/24
    rightsubnet=169.254.1.0/24
    mark=20

# ipsec status
Security Associations:
    tunnel1[1]: ESTABLISHED 37 seconds ago, 169.254.0.70[VC1-tunnel1]...169.254.1.70[VC2-tunnel1]
    tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c4b5ea2d_i c7cc7624_o
    tunnel1{3}:   169.254.0.0/24 === 169.254.1.0/24
    tunnel2[2]: ESTABLISHED 37 seconds ago, 169.254.0.70[VC1-tunnel2]...169.254.1.70[VC2-tunnel2]
    tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: c9c8850e_i c7b5d498_o
    tunnel2{4}:   169.254.0.0/24 === 169.254.1.0/24

# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             DSCP match 0x2e MARK set 0xa

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             DSCP match 0x2e MARK set 0xa

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

# ping 169.254.1.70
PING 169.254.1.70 (169.254.1.70) 56(84) bytes of data.
64 bytes from 169.254.1.70: icmp_req=1 ttl=63 time=0.192 ms
64 bytes from 169.254.1.70: icmp_req=2 ttl=63 time=0.129 ms
^C
--- 169.254.1.70 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.129/0.160/0.192/0.033 ms

*End-point 2:*

# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # plutodebug=control
    # crlcheckinterval=600
    strictcrlpolicy=no
    # cachecrls=yes
    # nat_traversal=yes
    charonstart=yes
    plutostart=no
    charondebug=control

# Add connections here.
ca strongswan
    cacert=caCert.der
    auto=add

conn %default
    type=tunnel
    left=169.254.1.70
    leftcert=VC2Cert.der
    right=169.254.0.70
    #rightid=C=CH, O=strongSwan, CN=169.254.0.70
    keyexchange=ikev2
    auto=start

conn tunnel1
    leftid=@VC2-tunnel1
    rightid=@VC1-tunnel1
    leftsubnet=169.254.1.0/24
    rightsubnet=169.254.0.0/24
    mark=10

conn tunnel2
    leftid=@VC2-tunnel2
    rightid=@VC1-tunnel2
    leftsubnet=169.254.1.0/24
    rightsubnet=169.254.0.0/24
    mark=20

# ipsec status
Security Associations:
    tunnel1[3]: ESTABLISHED 44 seconds ago, 169.254.1.70[VC2-tunnel1]...169.254.0.70[VC1-tunnel1]
    tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c7cc7624_i c4b5ea2d_o
    tunnel1{3}:   169.254.1.0/24 === 169.254.0.0/24
    tunnel2[4]: ESTABLISHED 44 seconds ago, 169.254.1.70[VC2-tunnel2]...169.254.0.70[VC1-tunnel2]
    tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: c7b5d498_i c9c8850e_o
    tunnel2{4}:   169.254.1.0/24 === 169.254.0.0/24

# iptables -L -t mangle
Chain PREROUTING (policy
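The post above pairs a per-tunnel `mark=` with mangle-table MARK rules keyed on DSCP. Whether a given codepoint can reach a marked tunnel at all is a mechanical question: a kernel XFRM policy installed with a mark only matches packets whose fwmark equals that mark under the policy's mask, so any DSCP value that no mangle rule marks is left with fwmark 0 and cannot select either marked policy. The script below is an added example, not code from the post or from strongSwan: it cross-checks the DSCP-to-mark rules against the marks carried by the outbound policies and reports where each codepoint lands. The `ip xfrm policy` and `iptables-save -t mangle` samples are constructed to mirror the two tunnels (mark 10 = 0xa, mark 20 = 0x14) and the single EF rule in the post; the `mark 0xa/0xffffffff` line format is assumed to be what iproute2 prints (the parser also accepts a bare `mark 0xa`). It tells you which codepoints have a matching marked policy; it does not by itself explain the plaintext EF traffic the poster observed.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or from strongSwan): cross-check the
# DSCP -> fwmark rules in the mangle table against the marks on the kernel's XFRM
# policies. A policy with mark M only matches packets whose fwmark equals M under the
# mask, so a DSCP value that no mangle rule marks keeps fwmark 0 and cannot match
# either marked tunnel policy.

# Constructed sample modelled on `ip xfrm policy` output for the two tunnels in the
# post (mark=10 -> 0xa, mark=20 -> 0x14). On a real host: XFRM_SAMPLE=$(ip xfrm policy)
XFRM_SAMPLE='src 169.254.0.0/24 dst 169.254.1.0/24
	dir out priority 1859 ptype main
	mark 0xa/0xffffffff
	tmpl src 169.254.0.70 dst 169.254.1.70
		proto esp reqid 1 mode tunnel
src 169.254.0.0/24 dst 169.254.1.0/24
	dir out priority 1859 ptype main
	mark 0x14/0xffffffff
	tmpl src 169.254.0.70 dst 169.254.1.70
		proto esp reqid 2 mode tunnel
'

# Constructed sample modelled on `iptables-save -t mangle` for the rules in the post:
# only DSCP 0x2e (EF) receives a mark. On a real host: MANGLE_SAMPLE=$(iptables-save -t mangle)
MANGLE_SAMPLE='*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -m dscp --dscp 0x2e -j MARK --set-xmark 0xa/0xffffffff
-A OUTPUT -m dscp --dscp 0x2e -j MARK --set-xmark 0xa/0xffffffff
COMMIT
'

# One "dir mark selector" line per XFRM policy that carries a mark (mask stripped).
policy_marks() {
    printf '%s' "$XFRM_SAMPLE" | awk '
        $1 == "src"  { sel = $2 " -> " $4 }
        $1 == "dir"  { dir = $2 }
        $1 == "mark" { split($2, p, "/"); print dir, p[1], sel }'
}

# One "dscp mark" line per mangle rule that maps a DSCP codepoint to a fwmark.
dscp_rules() {
    printf '%s' "$MANGLE_SAMPLE" | awk '
        /-m dscp/ {
            d = ""; m = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dscp") d = $(i + 1)
                if ($i == "--set-xmark" || $i == "--set-mark") { split($(i + 1), p, "/"); m = p[1] }
            }
            if (d != "" && m != "") print d, m
        }'
}

# fwmark a packet with the given DSCP codepoint receives; 0x0 when no rule matches.
dscp_mark() {
    want=$(( $1 ))
    found=0x0
    while read -r d m; do
        if [ $(( d )) -eq "$want" ]; then found=$m; break; fi
    done <<EOF
$(dscp_rules)
EOF
    echo "$found"
}

# Selector of the outbound policy whose mark equals the given fwmark; empty if none.
policy_for_mark() {
    want=$(( $1 ))
    while read -r dir m sel; do
        if [ "$dir" = out ] && [ $(( m )) -eq "$want" ]; then echo "$sel"; break; fi
    done <<EOF
$(policy_marks)
EOF
}

# Walk EF (0x2e), AF31 (0x1a) and BE (0x00) and report where each codepoint lands.
dscp_report() {
    for dscp in 0x2e 0x1a 0x00; do
        m=$(dscp_mark "$dscp")
        sel=$(policy_for_mark "$m")
        if [ -n "$sel" ]; then
            echo "dscp $dscp -> mark $m -> marked policy $sel"
        else
            echo "dscp $dscp -> mark $m -> no policy carries this mark"
        fi
    done
}

dscp_report
```

Run against the constructed samples, only EF maps to a marked policy (0xa, tunnel1); AF31 and BE end with fwmark 0x0 and match neither marked policy, which is consistent with the post's observation that non-EF codepoints leave in the clear. Swapping the two sample variables for live `ip xfrm policy` and `iptables-save -t mangle` output turns it into a quick sanity check of the mark plumbing on a real gateway.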