On Monday, 30 September 2019 04:34:48 MSK, Andrew Cagney wrote:
(is this from whack or the log file?)

This is from the system log.


two things are happening here:

- first pluto authenticates that the response did indeed come from the
server, and hence, the contents can be trusted
(this seems to have worked so certs should be ok)
- it uses the network configuration information from the now trusted
packet to establish the tunnel;

I suspect the second step failed, but for some reason it didn't log
it.  Perhaps there's something wrong with the network configuration.
However, to spot this you might need to add:
    plutodebug=all
to the config


It already had plutodebug=all (I think).
To be sure, I added plutodebug="all private crypt whackwatch" again, and there aren't any new messages.

I'll post it again in full:

Sep 30 09:04:31 melforce systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
ipsec[341933]: /usr/sbin/ipsec: line 176: iptables: command not found
ipsec[341933]: nflog ipsec capture disabled
pluto[341944]: NSS DB directory: sql:/etc/ipsec.d
pluto[341944]: Initializing NSS
pluto[341944]: Opening NSS database "sql:/etc/ipsec.d" read-only
pluto[341944]: NSS initialized
pluto[341944]: NSS crypto library initialized
pluto[341944]: FIPS HMAC integrity support [disabled]
pluto[341944]: libcap-ng support [disabled]
pluto[341944]: Linux audit support [disabled]
pluto[341944]: Starting Pluto (Libreswan Version 3.29 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) SYSTEMD_WATCHDOG SECCOMP XAUTH_PAM NETWORKMANAGER) pid:341944
pluto[341944]: core dump dir: /run/pluto
pluto[341944]: secrets file: /etc/ipsec.secrets
pluto[341944]: leak-detective enabled
pluto[341944]: NSS crypto [enabled]
pluto[341944]: XAUTH PAM support [enabled]
pluto[341944]: Initializing libevent in pthreads mode: headers: 2.1.11-stable (2010b00); library: 2.1.11-stable (2010b00)
pluto[341944]: NAT-Traversal support  [enabled]
pluto[341944]: Encryption algorithms:
pluto[341944]: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c
pluto[341944]: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b
<... skipped ...>
pluto[341944]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521
pluto[341944]: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519
pluto[341944]: 4 CPU cores online
pluto[341944]: starting up 3 crypto helpers
pluto[341944]: started thread for crypto helper 0
pluto[341944]: started thread for crypto helper 1
pluto[341944]: started thread for crypto helper 2
pluto[341944]: Using Linux XFRM/NETKEY IPsec interface code on 5.3.1-gentoomelf
systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
pluto[341944]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
pluto[341944]: watchdog: sending probes every 100 secs
pluto[341944]: added connection description "server"
pluto[341944]: listening for IKE messages
pluto[341944]: Kernel supports NIC esp-hw-offload
pluto[341944]: adding interface eth0/eth0 (esp-hw-offload=no) 192.168.1.2:500
pluto[341944]: adding interface eth0/eth0 192.168.1.2:4500
pluto[341944]: Kernel supports NIC esp-hw-offload
pluto[341944]: adding interface lo/lo (esp-hw-offload=no) 127.0.0.1:500
pluto[341944]: adding interface lo/lo 127.0.0.1:4500
pluto[341944]: Kernel supports NIC esp-hw-offload
pluto[341944]: adding interface lo/lo (esp-hw-offload=no) ::1:500
pluto[341944]: Kernel supports NIC esp-hw-offload
pluto[341944]: adding interface eth0/eth0 (esp-hw-offload=no) 2a00:xxxx:xxxx:xxxx::xxxx:500
pluto[341944]: Kernel supports NIC esp-hw-offload
pluto[341944]: adding interface eth0/eth0 (esp-hw-offload=no) fdd5:xxxx:xxxx:xxxx::xxxx:500
pluto[341944]: forgetting secrets
pluto[341944]: loading secrets from "/etc/ipsec.secrets"
pluto[341944]: no secrets filename matched "/etc/ipsec.d/*.secrets"
pluto[341944]: "server" #1: initiating v2 parent SA
pluto[341944]: "server": constructed local IKE proposals for server (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
pluto[341944]: "server" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
pluto[341944]: "server": constructed local ESP/AH proposals for server (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
pluto[341944]: "server" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
pluto[341944]: "server" #2: loading root certificate cache
pluto[341944]: "server" #2: certificate verified OK: CN=server.example.com
pluto[341944]: "server" #2: IKEv2 mode peer ID is ID_FQDN: '@server.example.com'
pluto[341944]: "server" #2: Authenticated using RSA
pluto[341944]: "server" #2: STATE_PARENT_I2: retransmission; will wait 0.5 seconds for response
pluto[341944]: "server" #2: EXPECTATION FAILED: st->st_remote_certs.verified == NULL (in decode_certs() at x509.c:696)

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
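The two-step picture Andrew describes (authenticate the peer's response, then use its configuration to build the IPsec SA) is easy to lose in a long pluto log. The script below is an added example, not Libreswan code and not from either poster: it walks syslog-style pluto lines, tracks each IKE SA (#1, #2, ...) by its last STATE_* transition, notes whether the peer was authenticated, counts retransmissions and collects any EXPECTATION FAILED assertion, then reports where each SA stalled. It assumes the line format visible above ("pluto[PID]: \"conn\" #N: message") and the Libreswan 3.x state names (STATE_PARENT_I1/I2, STATE_V2_IPSEC_*); the sample input is constructed from the log posted in this thread.

```python
"""Triage helper for pluto (Libreswan) logs: find where an IKEv2 negotiation stalled.

Added example, not part of Libreswan. Assumes the syslog-style line format
'pluto[PID]: "conn" #N: message' and Libreswan 3.x state names.
"""
import re
from collections import OrderedDict

# 'pluto[341944]: "server" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 ...'
LINE_RE = re.compile(
    r'pluto\[(?P<pid>\d+)\]: "(?P<conn>[^"]+)"(?: #(?P<sa>\d+))?: (?P<msg>.*)$'
)
# Messages that begin with a state name record a state transition or an event in that state.
STATE_RE = re.compile(r'^(?P<state>STATE_[A-Z0-9_]+):')
# Assumption: states Libreswan 3.x uses once the child (IPsec) SA is installed.
CHILD_SA_PREFIXES = ("STATE_V2_IPSEC", "STATE_CHILD")

# Constructed sample, copied from the log posted in this thread.
SAMPLE_LOG = """\
pluto[341944]: added connection description "server"
pluto[341944]: "server" #1: initiating v2 parent SA
pluto[341944]: "server" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
pluto[341944]: "server" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
pluto[341944]: "server" #2: loading root certificate cache
pluto[341944]: "server" #2: certificate verified OK: CN=server.example.com
pluto[341944]: "server" #2: IKEv2 mode peer ID is ID_FQDN: '@server.example.com'
pluto[341944]: "server" #2: Authenticated using RSA
pluto[341944]: "server" #2: STATE_PARENT_I2: retransmission; will wait 0.5 seconds for response
pluto[341944]: "server" #2: EXPECTATION FAILED: st->st_remote_certs.verified == NULL (in decode_certs() at x509.c:696)
"""


def parse_log(text):
    """Return an ordered dict keyed by (connection, SA number) with what each SA achieved."""
    sas = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("sa") is None:
            continue  # connection-level or daemon-level line, not tied to an SA
        key = (m.group("conn"), int(m.group("sa")))
        rec = sas.setdefault(key, {
            "state": None, "authenticated": False, "retransmits": 0,
            "reached_child_sa": False, "expectation_failed": [],
        })
        msg = m.group("msg")
        sm = STATE_RE.match(msg)
        if sm:
            rec["state"] = sm.group("state")
            if "retransmission" in msg:
                rec["retransmits"] += 1
            if sm.group("state").startswith(CHILD_SA_PREFIXES):
                rec["reached_child_sa"] = True
        if msg.startswith("Authenticated using"):
            rec["authenticated"] = True  # step 1 of the two steps succeeded
        if msg.startswith("EXPECTATION FAILED:"):
            rec["expectation_failed"].append(msg[len("EXPECTATION FAILED:"):].strip())
    return sas


def diagnose(sas):
    """Turn the per-SA records into one-line findings about where negotiation stopped."""
    findings = []
    for (conn, sa), rec in sas.items():
        if rec["expectation_failed"]:
            findings.append(
                f'{conn} #{sa}: internal assertion in {rec["state"]} '
                f'(peer authenticated={rec["authenticated"]}): '
                + "; ".join(rec["expectation_failed"]))
        elif rec["authenticated"] and not rec["reached_child_sa"]:
            findings.append(
                f'{conn} #{sa}: peer authenticated in {rec["state"]} but no IPsec SA was '
                f'installed; check the child/network configuration '
                f'({rec["retransmits"]} retransmit(s))')
        elif not rec["authenticated"] and rec["retransmits"]:
            findings.append(
                f'{conn} #{sa}: stuck in {rec["state"]} with {rec["retransmits"]} '
                f'retransmit(s); no usable response from the peer')
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the sample it reports only SA #2: the peer was authenticated, a retransmission then followed, and the assertion in decode_certs() fired, which is exactly the point at which this thread's log stops. Feed it a real journal (for example the output of journalctl -u ipsec) to get the same summary for every SA.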