[strongSwan] "unable to add pseudo IPIP SA with SPI c1bb6ffe: Invalid argument"

2011-11-13 Thread Lupe Christoph
Hi!

I was forced by a buggy openswan port to try StrongSwan on OpenWRT
Backfire 10.03.01 RC6 (pluto did not receive reply packets, if you
care). The server is still using OpenSwan.

But even after a lot of fiddling with settings I can't get StrongSwan to
connect.

Here is the info that hopefully allows somebody who knows StrongSwan
well to tell me what I need to do to get this to work.

I installed these packages (could do a full install for lack of space):

strongswan4 - 4.5.2-1
strongswan4-app-charon - 4.5.2-1
strongswan4-app-pluto - 4.5.2-1
strongswan4-minimal - 4.5.2-1
strongswan4-mod-aes - 4.5.2-1
strongswan4-mod-blowfish - 4.5.2-1
strongswan4-mod-constraints - 4.5.2-1
strongswan4-mod-coupling - 4.5.2-1
strongswan4-mod-des - 4.5.2-1
strongswan4-mod-gmp - 4.5.2-1
strongswan4-mod-hmac - 4.5.2-1
strongswan4-mod-kernel-klips - 4.5.2-1
strongswan4-mod-kernel-netlink - 4.5.2-1
strongswan4-mod-md5 - 4.5.2-1
strongswan4-mod-pem - 4.5.2-1
strongswan4-mod-pkcs1 - 4.5.2-1
strongswan4-mod-pubkey - 4.5.2-1
strongswan4-mod-random - 4.5.2-1
strongswan4-mod-revocation - 4.5.2-1
strongswan4-mod-sha1 - 4.5.2-1
strongswan4-mod-sha2 - 4.5.2-1
strongswan4-mod-socket-default - 4.5.2-1
strongswan4-mod-stroke - 4.5.2-1
strongswan4-mod-updown - 4.5.2-1
strongswan4-mod-x509 - 4.5.2-1
strongswan4-mod-xcbc - 4.5.2-1
strongswan4-utils - 4.5.2-1

= StrongSwan config =

config setup
    plutodebug=control
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    # nat_traversal=yes
    # charonstart=no
    # plutostart=no
    nat_traversal=yes
    charonstart=yes
    plutostart=yes

conn openswan-server
    auto=add
    authby=rsasig
    keyexchange=ikev1
    right=%defaultroute
    rightsubnet=192.168.1.0/24
    rightcert=/etc/ipsec.d/certs/strongswan-clientCert.pem
    rightsendcert=always
    rightrsasigkey=%cert
    rightid="C=DE, ST=Bavaria, O=My Company, OU=IPSec Clients, CN=strongswan-client.mycompany.de, E=lupe.christ...@mycompany.de"
    left=SERVERIPADDRESS
    leftcert=/etc/ipsec.d/certs/openswan-serverCert.pem
    leftrsasigkey=%cert

= Openswan config =

conn strongswan-client
    auto=add
    right=%any
    rightsubnet=192.168.1.0/24
    rightcert=strongswan-clientCert.pem
    rightnexthop=%defaultroute
    left=%defaultroute
    leftcert=openswan-serverCert.pem
    leftsendcert=never

= Output from ipsec up openswan-server =
002 "openswan-server" #1: initiating Main Mode
102 "openswan-server" #1: STATE_MAIN_I1: initiate
003 "openswan-server" #1: ignoring Vendor ID payload [4f45517b4f7f6e657a7b4351]
003 "openswan-server" #1: received Vendor ID payload [Dead Peer Detection]
003 "openswan-server" #1: received Vendor ID payload [RFC 3947]
002 "openswan-server" #1: enabling possible NAT-traversal with method 3
104 "openswan-server" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "openswan-server" #1: NAT-Traversal: Result using RFC 3947: no NAT detected
002 "openswan-server" #1: we have a cert and are sending it 
106 "openswan-server" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "openswan-server" #1: ignoring Vendor ID payload [494b457632]
002 "openswan-server" #1: Peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Bavaria, O=My Company, OU=IPSec Clients, CN=openswan-server.mycompany.de, E=lutz.christ...@mycompany.de'
002 "openswan-server" #1: ISAKMP SA established
004 "openswan-server" #1: STATE_MAIN_I4: ISAKMP SA established
002 "openswan-server" #2: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
110 "openswan-server" #2: STATE_QUICK_I1: initiate
032 "openswan-server" #2: STATE_QUICK_I1: internal error

=== syslog ===

Nov 13 13:28:43 janus authpriv.debug pluto[28210]: |
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | *received whack message
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | creating state object #1 at 0x49bbe0
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | ICOOKIE:  76 08 08 8a  f4 3c 2b 8a
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | RCOOKIE:  00 00 00 00  00 00 00 00
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | peer:  55 d6 9d b0
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | state hash entry 11
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | Queuing pending Quick Mode with SERVERIPADDRESS "openswan-server"
Nov 13 13:28:43 janus authpriv.warn pluto[28210]: "openswan-server" #1: initiating Main Mode
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Nov 13 13:28:43 janus aut

Re: [strongSwan] "unable to add pseudo IPIP SA with SPI c1bb6ffe: Invalid argument"

2011-11-14 Thread Tobias Brunner
Hi,

> strongswan4-mod-kernel-klips - 4.5.2-1

Please try to remove this module from your build.  The kernel-klips
plugin was done for a very specific (and rather old) KLIPS release.  And
depending on whether your kernel actually includes the KLIPS patch or
not, it might never work.  So, do you actually use KLIPS?  If so, you might
have to go back to a 2.x strongSwan release that supported KLIPS.  If
not, then just use the kernel-netlink plugin.

Regards,
Tobias

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] "unable to add pseudo IPIP SA with SPI c1bb6ffe: Invalid argument"

2011-11-20 Thread Lupe Christoph
On Monday, 2011-11-14 at 14:39:39 +0100, Tobias Brunner wrote:

> > strongswan4-mod-kernel-klips - 4.5.2-1

> Please try to remove this module from your build.  The kernel-klips
> plugin was done for a very specific (and rather old) KLIPS release.  And
> depending on whether your kernel actually includes the KLIPS patch or
> not, it might never work.  So, do you actually use KLIPS?  If so, you might
> have to go back to a 2.x strongSwan release that supported KLIPS.  If
> not, then just use the kernel-netlink plugin.

This works:

110 "openswan-server" #2: STATE_QUICK_I1: initiate
002 "openswan-server" #2: sent QI2, IPsec SA established {ESP=>0x83c08d51 <0xccb60e59}
004 "openswan-server" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x83c08d51 <0xccb60e59}

But, alas, there is no ipsec0 interface generated. I require an
interface for my firewall rules. Marking packets is just too error-prone
for my taste.

These demerits of the interfaceless implementation have been discussed
to death on many mailing lists, and there is no solution. I left FreeBSD
because of the lack of an interface to tack firewall rules to, and it
seems StrongSwan is just too weak for me, too.

So unless you have a way to make StrongSwan support an interface for
tunnelled traffic, I will have to concentrate on getting Openswan going
on OpenWRT 10.03.1.

Thanks for your effort,
Lupe Christoph
-- 
| It is a well-known fact in any organisation that, if you want a job |
| done, you should give it to someone who is already very busy.       |
| Terry Pratchett, "Unseen Academicals"                               |



Re: [strongSwan] "unable to add pseudo IPIP SA with SPI c1bb6ffe: Invalid argument"

2011-11-20 Thread Andreas Steffen
Hello Christoph,

it is up to you which IPsec package to use. In our opinion
the IPsec policy rules offered by Linux netfilter are powerful
enough to bind plaintext traffic coming out or going into
an IPsec tunnel to any specific firewall rules. Of course
a special interface would be nice but this is not how
the netfilter framework is set up.

Regards

Andreas

On 11/20/2011 01:55 PM, Lupe Christoph wrote:
> On Monday, 2011-11-14 at 14:39:39 +0100, Tobias Brunner wrote:
> 
>>> strongswan4-mod-kernel-klips - 4.5.2-1
> 
>> Please try to remove this module from your build.  The kernel-klips
>> plugin was done for a very specific (and rather old) KLIPS release.  And
>> depending on whether your kernel actually includes the KLIPS patch or
>> not, it might never work.  So, do you actually use KLIPS?  If so, you might
>> have to go back to a 2.x strongSwan release that supported KLIPS.  If
>> not, then just use the kernel-netlink plugin.
> 
> This works:
> 
> 110 "openswan-server" #2: STATE_QUICK_I1: initiate
> 002 "openswan-server" #2: sent QI2, IPsec SA established {ESP=>0x83c08d51 <0xccb60e59}
> 004 "openswan-server" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x83c08d51 <0xccb60e59}
> 
> But, alas, there is no ipsec0 interface generated. I require an
> interface for my firewall rules. Marking packets is just too error-prone
> for my taste.
> 
> These demerits of the interfaceless implementation have been discussed
> to death on many mailing lists, and there is no solution. I left FreeBSD
> because of the lack of an interface to tack firewall rules to, and it
> seems StrongSwan is just too weak for me, too.
> 
> So unless you have a way to make StrongSwan support an interface for
> tunnelled traffic, I will have to concentrate on getting Openswan going
> on OpenWRT 10.03.1.
> 
> Thanks for your effort,
> Lupe Christoph

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==

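Andreas's point above, that netfilter's IPsec policy match lets firewall rules bind to plaintext entering or leaving a policy-based tunnel without an ipsec0 device, as an added shell example that is not from this thread or from the strongSwan project. The subnets, the peer address 198.51.100.1 and the IPTABLES dry-run variable are assumptions for illustration; in the poster's setup the local side is 192.168.1.0/24 and the server has no leftsubnet, so the remote "subnet" would be the server's own address as a /32. The script is written for a POSIX sh such as OpenWrt's busybox ash.

```shell
#!/bin/sh
# Added example (not from the thread): firewall a strongSwan policy-based
# IPsec tunnel with the netfilter "policy" match instead of an ipsec0 device.
# IPTABLES is an assumed variable for this example; set IPTABLES="echo iptables"
# to print the rules instead of applying them.
IPTABLES="${IPTABLES:-iptables}"

# Emit or apply the rule set for one tunnel.
#   $1 = local subnet behind this router (the conn's rightsubnet here)
#   $2 = remote subnet reached through the tunnel (the peer's own /32 when
#        the other conn end has no subnet)
#   $3 = peer (IKE/ESP endpoint) address
ipsec_policy_rules() {
    local_net="$1"; remote_net="$2"; peer="$3"

    # IKE (500) and NAT-T (4500) plus ESP to and from the peer itself.
    $IPTABLES -A INPUT  -s "$peer" -p udp -m multiport --dports 500,4500 -j ACCEPT
    $IPTABLES -A INPUT  -s "$peer" -p esp -j ACCEPT
    $IPTABLES -A OUTPUT -d "$peer" -p udp -m multiport --dports 500,4500 -j ACCEPT
    $IPTABLES -A OUTPUT -d "$peer" -p esp -j ACCEPT

    # Plaintext just decapsulated from this tunnel: only packets whose inbound
    # policy was an ESP tunnel-mode SA with outer source $peer match this rule.
    $IPTABLES -A FORWARD -s "$remote_net" -d "$local_net" \
        -m policy --dir in --pol ipsec --proto esp --mode tunnel \
        --tunnel-src "$peer" -j ACCEPT

    # Plaintext about to be encapsulated into this tunnel towards $peer.
    $IPTABLES -A FORWARD -s "$local_net" -d "$remote_net" \
        -m policy --dir out --pol ipsec --proto esp --mode tunnel \
        --tunnel-dst "$peer" -j ACCEPT

    # Packets carrying the remote subnet's addresses that did NOT arrive through
    # IPsec (--pol none) are spoofed or misrouted: drop them before any
    # accept rule for that subnet can see them.
    $IPTABLES -A FORWARD -s "$remote_net" -m policy --dir in --pol none -j DROP
    $IPTABLES -A INPUT   -s "$remote_net" -m policy --dir in --pol none -j DROP
}

# Usage: ./ipsec-fw.sh 192.168.1.0/24 198.51.100.1/32 198.51.100.1
if [ "$#" -eq 3 ]; then
    ipsec_policy_rules "$@"
fi
```

The `--pol none` drop rules are what a device-based setup gets for free from an anti-spoofing rule on the interface; with the policy match the same guarantee comes from matching the SA the packet was actually protected by, so a packet with a remote-subnet source that arrived in the clear never reaches the accept rule.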