[strongSwan] unable to add pseudo IPIP SA with SPI c1bb6ffe: Invalid argument

2011-11-13 Thread Lupe Christoph
Hi!

I was forced by a buggy openswan port to try StrongSwan on OpenWRT
Backfire 10.03.01 RC6 (pluto did not receive reply packets, if you
care). The server is still using OpenSwan.

But even after a lot of fiddling with settings I can't get StrongSwan to
connect.

Here is the info that hopefully allows somebody who knows StrongSwan
well to tell me what I need to do to get this to work.

I installed these packages (couldn't do a full install for lack of space):

strongswan4 - 4.5.2-1
strongswan4-app-charon - 4.5.2-1
strongswan4-app-pluto - 4.5.2-1
strongswan4-minimal - 4.5.2-1
strongswan4-mod-aes - 4.5.2-1
strongswan4-mod-blowfish - 4.5.2-1
strongswan4-mod-constraints - 4.5.2-1
strongswan4-mod-coupling - 4.5.2-1
strongswan4-mod-des - 4.5.2-1
strongswan4-mod-gmp - 4.5.2-1
strongswan4-mod-hmac - 4.5.2-1
strongswan4-mod-kernel-klips - 4.5.2-1
strongswan4-mod-kernel-netlink - 4.5.2-1
strongswan4-mod-md5 - 4.5.2-1
strongswan4-mod-pem - 4.5.2-1
strongswan4-mod-pkcs1 - 4.5.2-1
strongswan4-mod-pubkey - 4.5.2-1
strongswan4-mod-random - 4.5.2-1
strongswan4-mod-revocation - 4.5.2-1
strongswan4-mod-sha1 - 4.5.2-1
strongswan4-mod-sha2 - 4.5.2-1
strongswan4-mod-socket-default - 4.5.2-1
strongswan4-mod-stroke - 4.5.2-1
strongswan4-mod-updown - 4.5.2-1
strongswan4-mod-x509 - 4.5.2-1
strongswan4-mod-xcbc - 4.5.2-1
strongswan4-utils - 4.5.2-1

= StrongSwan config =

config setup
    plutodebug=control
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    # nat_traversal=yes
    # charonstart=no
    # plutostart=no
    nat_traversal=yes
    charonstart=yes
    plutostart=yes

conn openswan-server
    auto=add
    authby=rsasig
    keyexchange=ikev1
    right=%defaultroute
    rightsubnet=192.168.1.0/24
    rightcert=/etc/ipsec.d/certs/strongswan-clientCert.pem
    rightsendcert=always
    rightrsasigkey=%cert
    rightid=C=DE, ST=Bavaria, O=My Company, OU=IPSec Clients, CN=strongswan-client.mycompany.de, E=lupe.christ...@mycompany.de
    left=SERVERIPADDRESS
    leftcert=/etc/ipsec.d/certs/openswan-serverCert.pem
    leftrsasigkey=%cert

= Openswan config =

conn strongswan-client
    auto=add
    right=%any
    rightsubnet=192.168.1.0/24
    rightcert=strongswan-clientCert.pem
    rightnexthop=%defaultroute
    left=%defaultroute
    leftcert=openswan-serverCert.pem
    leftsendcert=never

= Output from ipsec up openswan-server =
002 openswan-server #1: initiating Main Mode
102 openswan-server #1: STATE_MAIN_I1: initiate
003 openswan-server #1: ignoring Vendor ID payload [4f45517b4f7f6e657a7b4351]
003 openswan-server #1: received Vendor ID payload [Dead Peer Detection]
003 openswan-server #1: received Vendor ID payload [RFC 3947]
002 openswan-server #1: enabling possible NAT-traversal with method 3
104 openswan-server #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 openswan-server #1: NAT-Traversal: Result using RFC 3947: no NAT detected
002 openswan-server #1: we have a cert and are sending it 
106 openswan-server #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 openswan-server #1: ignoring Vendor ID payload [494b457632]
002 openswan-server #1: Peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Bavaria, O=My Company, OU=IPSec Clients, CN=openswan-server.mycompany.de, E=lutz.christ...@mycompany.de'
002 openswan-server #1: ISAKMP SA established
004 openswan-server #1: STATE_MAIN_I4: ISAKMP SA established
002 openswan-server #2: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
110 openswan-server #2: STATE_QUICK_I1: initiate
032 openswan-server #2: STATE_QUICK_I1: internal error

=== syslog ===

Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | 
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | *received whack message
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | creating state object #1 at 0x49bbe0
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | ICOOKIE:  76 08 08 8a  f4 3c 2b 8a
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | RCOOKIE:  00 00 00 00  00 00 00 00
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | peer:  55 d6 9d b0
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | state hash entry 11
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | Queuing pending Quick Mode with SERVERIPADDRESS openswan-server
Nov 13 13:28:43 janus authpriv.warn pluto[28210]: openswan-server #1: initiating Main Mode
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536, 
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | 
Nov 13 
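An added example, not from the post and not strongSwan or Openswan code: a small parser for the numbered status lines that `ipsec up` prints, so the point at which a negotiation stopped can be read off mechanically. The code classification it uses (1xx lines announce a state transition, 002/003/004 are progress notes, any other code below 100 is a failure) is an assumption made for this example, not pluto's official table. Run over the output pasted above it reports that the ISAKMP SA was established, no NAT was detected, and the failure occurred at STATE_QUICK_I1, i.e. in Phase 2 after authentication had already succeeded, which is consistent with the kernel-side "unable to add pseudo IPIP SA" error in the subject line.

```python
"""Summarise the numbered status lines printed by `ipsec up <conn>`.

Each line carries a three-digit code, the connection name and a pluto
state number (#1 for the ISAKMP SA, #2 for the IPsec SA in the post).
Classification (an assumption for this example): 1xx = state transition,
002/003/004 = progress note, any other code below 100 = failure.
"""
import re

# Constructed sample: the `ipsec up openswan-server` output from the post,
# with wrapped lines re-joined.
SAMPLE_OUTPUT = """\
002 openswan-server #1: initiating Main Mode
102 openswan-server #1: STATE_MAIN_I1: initiate
003 openswan-server #1: ignoring Vendor ID payload [4f45517b4f7f6e657a7b4351]
003 openswan-server #1: received Vendor ID payload [Dead Peer Detection]
003 openswan-server #1: received Vendor ID payload [RFC 3947]
002 openswan-server #1: enabling possible NAT-traversal with method 3
104 openswan-server #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 openswan-server #1: NAT-Traversal: Result using RFC 3947: no NAT detected
002 openswan-server #1: we have a cert and are sending it
106 openswan-server #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 openswan-server #1: ignoring Vendor ID payload [494b457632]
002 openswan-server #1: ISAKMP SA established
004 openswan-server #1: STATE_MAIN_I4: ISAKMP SA established
002 openswan-server #2: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
110 openswan-server #2: STATE_QUICK_I1: initiate
032 openswan-server #2: STATE_QUICK_I1: internal error
"""

LINE_RE = re.compile(r'^(\d{3}) (\S+) #(\d+): (.*)$')
STATE_RE = re.compile(r'\b(STATE_[A-Z0-9_]+)\b')
VENDOR_RE = re.compile(r'Vendor ID payload \[([^\]]+)\]')
PROGRESS_CODES = {2, 3, 4}


def parse_ipsec_up(text):
    """Return a summary of how far the negotiation got and why it stopped."""
    summary = {
        'conn': None,
        'last_state': None,       # last STATE_* token seen, e.g. STATE_QUICK_I1
        'last_state_no': None,    # pluto state object (#1 / #2) that reported it
        'isakmp_established': False,
        'nat_detected': None,     # None until a NAT-Traversal result line is seen
        'vendor_ids': [],
        'errors': [],             # reasons from lines carrying a failure code
    }
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, conn, state_no, msg = int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)
        summary['conn'] = conn
        s = STATE_RE.search(msg)
        if s:
            summary['last_state'] = s.group(1)
            summary['last_state_no'] = state_no
        if 'ISAKMP SA established' in msg:
            summary['isakmp_established'] = True
        v = VENDOR_RE.search(msg)
        if v:
            summary['vendor_ids'].append(v.group(1))
        if 'NAT-Traversal: Result' in msg:
            summary['nat_detected'] = 'no NAT detected' not in msg
        if code < 100 and code not in PROGRESS_CODES:
            # drop the leading "STATE_X: " so only the reason remains
            reason = msg.split(': ', 1)[1] if s and msg.startswith(s.group(1) + ':') else msg
            summary['errors'].append(reason)
    return summary


def phase_of(state):
    """Map an IKEv1 state name to its phase: 1 (ISAKMP SA) or 2 (IPsec SA)."""
    if state is None:
        return None
    return 1 if state.startswith(('STATE_MAIN_', 'STATE_AGGR_')) else 2


def describe(summary):
    """One-line verdict built from the parsed summary."""
    phase = phase_of(summary['last_state'])
    if summary['errors']:
        return 'stopped in phase %s at %s: %s' % (
            phase, summary['last_state'], '; '.join(summary['errors']))
    return 'reached %s (phase %s) without error' % (summary['last_state'], phase)


if __name__ == '__main__':
    s = parse_ipsec_up(SAMPLE_OUTPUT)
    print(describe(s))
    print('ISAKMP SA established:', s['isakmp_established'], ' NAT detected:', s['nat_detected'])
```

Feeding it the real output of `ipsec up` (captured with `ipsec up openswan-server 2>&1`) instead of the embedded sample gives the same summary for a live run; a stop in phase 1 points at identities, certificates or proposals, a stop in phase 2 with the ISAKMP SA already established points at the child SA and the kernel interface.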

[strongSwan] Traffic with dscp marking (other than BE) not going through IPsec tunnel

2011-11-13 Thread Meera Sudhakar
Hi,

My aim is to create two IPsec tunnels using strongSwan between two
end-points, each having a different dscp marking (like say EF, BE, AF31
etc). Right now, I see that when I set the dscp marking as BE (default),
the traffic goes through the designated IPsec tunnel. When I use anything
else, the traffic reaches the other end-point in plain-text (there is no
encryption). I tried referring to your example in
http://www2.strongswan.org/uml/testresults46rc/ikev2/net2net-psk-dscp/index.html.
I see that you are able to send encrypted traffic with dscp marking EF and
BE. I believe that the reason dscp-marked traffic does not flow through a
tunnel could be because the tunnel does not have the 'capability' to handle
that particular dscp-marking. Could you please let me know if this is the
case, and also if there is anything I need to change (kernel version,
strongSwan version, config file) to get this working. I have pasted the
details of my end-points below, with dscp set to EF:

linux kernel version on both end-points: 2.6.35
strongSwan version on both end-points: 4.5.2-1

*End-point1:*
# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    #plutostderrlog=/var/log/syslog
    # plutodebug=control
    # crlcheckinterval=600
    strictcrlpolicy=no
    # cachecrls=yes
    # nat_traversal=yes
    charonstart=yes
    charondebug=control
    plutostart=no
# Add connections here.

ca strongswan
    cacert=caCert.der
    auto=add
conn %default
    type=tunnel
    left=169.254.0.70
    leftcert=VC1Cert.der
    right=169.254.1.70
    #rightid=C=CH, O=strongSwan, CN=169.254.1.70
    keyexchange=ikev2
    auto=start
conn tunnel1
    leftid=@VC1-tunnel1
    rightid=@VC2-tunnel1
    leftsubnet=169.254.0.0/24
    rightsubnet=169.254.1.0/24
    mark=10
conn tunnel2
    leftid=@VC1-tunnel2
    rightid=@VC2-tunnel2
    leftsubnet=169.254.0.0/24
    rightsubnet=169.254.1.0/24
    mark=20

# ipsec status
Security Associations:
 tunnel1[1]: ESTABLISHED 37 seconds ago,
169.254.0.70[VC1-tunnel1]...169.254.1.70[VC2-tunnel1]
 tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c4b5ea2d_i c7cc7624_o
 tunnel1{3}:   169.254.0.0/24 === 169.254.1.0/24
 tunnel2[2]: ESTABLISHED 37 seconds ago,
169.254.0.70[VC1-tunnel2]...169.254.1.70[VC2-tunnel2]
 tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: c9c8850e_i c7b5d498_o
 tunnel2{4}:   169.254.0.0/24 === 169.254.1.0/24

# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             DSCP match 0x2e MARK set 0xa
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             DSCP match 0x2e MARK set 0xa
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

# ping 169.254.1.70
PING 169.254.1.70 (169.254.1.70) 56(84) bytes of data.
64 bytes from 169.254.1.70: icmp_req=1 ttl=63 time=0.192 ms
64 bytes from 169.254.1.70: icmp_req=2 ttl=63 time=0.129 ms
^C
--- 169.254.1.70 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.129/0.160/0.192/0.033 ms

*End-point 2:*
# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    # plutodebug=control
    # crlcheckinterval=600
    strictcrlpolicy=no
    # cachecrls=yes
    # nat_traversal=yes
    charonstart=yes
    plutostart=no
    charondebug=control
# Add connections here.

ca strongswan
    cacert=caCert.der
    auto=add
conn %default
    type=tunnel
    left=169.254.1.70
    leftcert=VC2Cert.der
    right=169.254.0.70
    #rightid=C=CH, O=strongSwan, CN=169.254.0.70
    keyexchange=ikev2
    auto=start
conn tunnel1
    leftid=@VC2-tunnel1
    rightid=@VC1-tunnel1
    leftsubnet=169.254.1.0/24
    rightsubnet=169.254.0.0/24
    mark=10
conn tunnel2
    leftid=@VC2-tunnel2
    rightid=@VC1-tunnel2
    leftsubnet=169.254.1.0/24
    rightsubnet=169.254.0.0/24
    mark=20

# ipsec status
Security Associations:
 tunnel1[3]: ESTABLISHED 44 seconds ago,
169.254.1.70[VC2-tunnel1]...169.254.0.70[VC1-tunnel1]
 tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c7cc7624_i c4b5ea2d_o
 tunnel1{3}:   169.254.1.0/24 === 169.254.0.0/24
 tunnel2[4]: ESTABLISHED 44 seconds ago,
169.254.1.70[VC2-tunnel2]...169.254.0.70[VC1-tunnel2]
 tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: c7b5d498_i c9c8850e_o
 tunnel2{4}:   169.254.1.0/24 === 169.254.0.0/24

# iptables -L -t mangle
Chain PREROUTING (policy
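An added example, not from the post and not strongSwan or netfilter code: a checker that reads the `mark=` of every conn in an ipsec.conf together with the `DSCP match ... MARK set ...` rules from `iptables -L -t mangle`, and reports which DSCP class is steered into which conn, which conns no rule ever feeds, and which classes leave the host unmarked and therefore match none of the mark-based policies. The DSCP table is the standard one (RFC 2474 class selectors, RFC 2597 AF classes, RFC 3246 EF); it assumes each rule is printed on a single line, as iptables does, and the sample inputs are constructed from End-point1's configuration above.

```python
"""Cross-check DSCP-to-fwmark rules against mark-based IPsec connections.

Reads `mark=` from each conn in an ipsec.conf and the DSCP/MARK rules from
`iptables -L -t mangle` output, then reports how classes, marks and conns
line up.  Assumes one rule per output line, as iptables prints them.
"""
import re

# DSCP code points: RFC 2474 (BE, CS*), RFC 2597 (AF*), RFC 3246 (EF).
DSCP_NAMES = {
    'BE': 0x00, 'CS1': 0x08, 'AF11': 0x0a, 'AF12': 0x0c, 'AF13': 0x0e,
    'CS2': 0x10, 'AF21': 0x12, 'AF22': 0x14, 'AF23': 0x16, 'CS3': 0x18,
    'AF31': 0x1a, 'AF32': 0x1c, 'AF33': 0x1e, 'CS4': 0x20, 'AF41': 0x22,
    'AF42': 0x24, 'AF43': 0x26, 'CS5': 0x28, 'EF': 0x2e, 'CS6': 0x30,
    'CS7': 0x38,
}
NAME_BY_DSCP = {v: k for k, v in DSCP_NAMES.items()}

SECTION_RE = re.compile(r'^(conn|ca|config)\s+(\S+)$')
PARAM_RE = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$')
CHAIN_RE = re.compile(r'^Chain (\S+)')
RULE_RE = re.compile(r'DSCP match (0x[0-9a-fA-F]+).*?MARK set (0x[0-9a-fA-F]+)')

# Constructed sample: the conn sections of End-point1's ipsec.conf above.
SAMPLE_IPSEC_CONF = """\
conn %default
    type=tunnel
    left=169.254.0.70
    right=169.254.1.70
    #rightid=C=CH, O=strongSwan, CN=169.254.1.70
    keyexchange=ikev2
    auto=start
conn tunnel1
    leftsubnet=169.254.0.0/24
    rightsubnet=169.254.1.0/24
    mark=10
conn tunnel2
    leftsubnet=169.254.0.0/24
    rightsubnet=169.254.1.0/24
    mark=20
"""

# Constructed sample: End-point1's mangle table above, one rule per line.
SAMPLE_MANGLE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             DSCP match 0x2e MARK set 0xa
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             DSCP match 0x2e MARK set 0xa
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
"""


def conn_marks(ipsec_conf):
    """Return {conn: mark} for every conn section that sets mark= (mask part ignored)."""
    marks, section = {}, None
    for raw in ipsec_conf.splitlines():
        line = raw.split('#', 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        sec = SECTION_RE.match(line.strip())
        if sec:
            section = sec.groups()
            continue
        p = PARAM_RE.match(line)
        if p and section and section[0] == 'conn' and p.group(1) == 'mark':
            # accepts "10", "0xa" or "10/0xffffffff"
            marks[section[1]] = int(p.group(2).split('/', 1)[0], 0)
    return marks


def dscp_mark_rules(iptables_out, chains=('PREROUTING', 'FORWARD', 'OUTPUT')):
    """Return {dscp: mark} from MARK rules in the chains that see outbound traffic."""
    rules, chain = {}, None
    for line in iptables_out.splitlines():
        c = CHAIN_RE.match(line)
        if c:
            chain = c.group(1)
            continue
        r = RULE_RE.search(line)
        if r and chain in chains:
            rules[int(r.group(1), 16)] = int(r.group(2), 16)
    return rules


def check_dscp_mapping(ipsec_conf, iptables_out):
    """Report which DSCP class reaches which conn, and what is left unconnected."""
    marks = conn_marks(ipsec_conf)
    rules = dscp_mark_rules(iptables_out)
    conn_by_mark = {m: c for c, m in marks.items()}
    report = {'dscp_to_conn': {}, 'marks_without_conn': [],
              'conns_without_rule': [], 'unmarked_dscp': []}
    for dscp, mark in sorted(rules.items()):
        name = NAME_BY_DSCP.get(dscp, hex(dscp))
        if mark in conn_by_mark:
            report['dscp_to_conn'][name] = conn_by_mark[mark]
        else:
            report['marks_without_conn'].append((name, mark))   # rule sets a mark no conn uses
    used = set(rules.values())
    report['conns_without_rule'] = sorted(c for c, m in marks.items() if m not in used)
    report['unmarked_dscp'] = sorted(n for n, v in DSCP_NAMES.items() if v not in rules)
    return report


if __name__ == '__main__':
    for key, value in check_dscp_mapping(SAMPLE_IPSEC_CONF, SAMPLE_MANGLE).items():
        print('%-20s %s' % (key + ':', value))
```

For the configuration pasted above it reports that only EF (0x2e) is marked 0xa and therefore steered into tunnel1, that no rule sets mark 20 so tunnel2 is never fed, and that every other class (BE, AF31 and the rest) leaves unmarked. On a live host the two inputs are `cat /etc/ipsec.conf` and `iptables -L -t mangle`; comparing the report on both end-points shows whether the DSCP-to-mark mapping is symmetric.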