Hi! I was forced by a buggy openswan port to try StrongSwan on OpenWRT Backfire 10.03.01 RC6 (pluto did not receive reply packets, if you care). The server is still using OpenSwan.
But even after a lot of fiddling with settings I can't get StrongSwan to connect. Here is the info that hopefully allows somebody who knows StrongSwan well to tell me what I need to do to get this to work. I installed these packages (could do a full install for lack of space): strongswan4 - 4.5.2-1 strongswan4-app-charon - 4.5.2-1 strongswan4-app-pluto - 4.5.2-1 strongswan4-minimal - 4.5.2-1 strongswan4-mod-aes - 4.5.2-1 strongswan4-mod-blowfish - 4.5.2-1 strongswan4-mod-constraints - 4.5.2-1 strongswan4-mod-coupling - 4.5.2-1 strongswan4-mod-des - 4.5.2-1 strongswan4-mod-gmp - 4.5.2-1 strongswan4-mod-hmac - 4.5.2-1 strongswan4-mod-kernel-klips - 4.5.2-1 strongswan4-mod-kernel-netlink - 4.5.2-1 strongswan4-mod-md5 - 4.5.2-1 strongswan4-mod-pem - 4.5.2-1 strongswan4-mod-pkcs1 - 4.5.2-1 strongswan4-mod-pubkey - 4.5.2-1 strongswan4-mod-random - 4.5.2-1 strongswan4-mod-revocation - 4.5.2-1 strongswan4-mod-sha1 - 4.5.2-1 strongswan4-mod-sha2 - 4.5.2-1 strongswan4-mod-socket-default - 4.5.2-1 strongswan4-mod-stroke - 4.5.2-1 strongswan4-mod-updown - 4.5.2-1 strongswan4-mod-x509 - 4.5.2-1 strongswan4-mod-xcbc - 4.5.2-1 strongswan4-utils - 4.5.2-1 ===== StrongSwan config ===== config setup plutodebug=control # crlcheckinterval=600 # strictcrlpolicy=yes # cachecrls=yes # nat_traversal=yes # charonstart=no # plutostart=no nat_traversal=yes charonstart=yes plutostart=yes conn openswan-server auto=add authby=rsasig keyexchange=ikev1 right=%defaultroute rightsubnet=192.168.1.0/24 rightcert=/etc/ipsec.d/certs/strongswan-clientCert.pem rightsendcert=always rightrsasigkey=%cert rightid="C=DE, ST=Bavaria, O=My Company, OU=IPSec Clients, CN=strongswan-client.mycompany.de, E=lupe.christ...@mycompany.de" left=SERVERIPADDRESS leftcert=/etc/ipsec.d/certs/openswan-serverCert.pem leftrsasigkey=%cert ===== Openswan config ===== conn strongswan-client auto=add right=%any rightsubnet=192.168.1.0/24 rightcert=strongswan-clientCert.pem rightnexthop=%defaultroute left=%defaultroute leftcert=openswan-serverCert.pem leftsendcert=never ===== Output from ipsec up openswan-server ===== 002 "openswan-server" #1: initiating Main Mode 102 "openswan-server" #1: STATE_MAIN_I1: initiate 003 "openswan-server" #1: ignoring Vendor ID payload [4f45517b4f7f6e657a7b4351] 003 "openswan-server" #1: received Vendor ID payload [Dead Peer Detection] 003 "openswan-server" #1: received Vendor ID payload [RFC 3947] 002 "openswan-server" #1: enabling possible NAT-traversal with method 3 104 "openswan-server" #1: STATE_MAIN_I2: sent MI2, expecting MR2 003 "openswan-server" #1: NAT-Traversal: Result using RFC 3947: no NAT detected 002 "openswan-server" #1: we have a cert and are sending it 106 "openswan-server" #1: STATE_MAIN_I3: sent MI3, expecting MR3 003 "openswan-server" #1: ignoring Vendor ID payload [494b457632] 002 "openswan-server" #1: Peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Bavaria, O=My Company, OU=IPSec Clients, CN=openswan-server.mycompany.de, E=lutz.christ...@mycompany.de' 002 "openswan-server" #1: ISAKMP SA established 004 "openswan-server" #1: STATE_MAIN_I4: ISAKMP SA established 002 "openswan-server" #2: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1} 110 "openswan-server" #2: STATE_QUICK_I1: initiate 032 "openswan-server" #2: STATE_QUICK_I1: internal error === syslog === Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | *received whack message Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | creating state object #1 at 0x49bbe0 Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | ICOOKIE: 76 08 08 8a f4 3c 2b 8a Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | RCOOKIE: 00 00 00 00 00 00 00 00 Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | peer: 55 d6 9d b0 Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | state hash entry 11 Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1 Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | Queuing pending Quick Mode with SERVERIPADDRESS "openswan-server" Nov 13 13:28:43 janus authpriv.warn pluto[28210]: "openswan-server" #1: initiating Main Mode Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536, Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1 Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | next event EVENT_RETRANSMIT in 10 seconds for #1 Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | *received 140 bytes from SERVERIPADDRESS:500 on pptp-wan Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | ICOOKIE: 76 08 08 8a f4 3c 2b 8a Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | RCOOKIE: 0b f2 2e a2 f3 62 65 19 Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | peer: 55 d6 9d b0 Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | state hash entry 1 Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | state object not found Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | ICOOKIE: 76 08 08 8a f4 3c 2b 8a Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | RCOOKIE: 00 00 00 00 00 00 00 00 Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | peer: 55 d6 9d b0 Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | state hash entry 11 Nov 13 13:28:43 janus authpriv.debug pluto[28210]: | state object #1 found, in STATE_MAIN_I1 Nov 13 13:28:43 janus authpriv.warn pluto[28210]: "openswan-server" #1: ignoring Vendor ID payload [4f45517b4f7f6e657a7b4351] Nov 13 13:28:43 janus authpriv.warn pluto[28210]: "openswan-server" #1: received Vendor ID payload [Dead Peer Detection] Nov 13 13:28:43 janus authpriv.warn pluto[28210]: "openswan-server" #1: received Vendor ID payload [RFC 3947] Nov 13 13:28:43 janus authpriv.warn pluto[28210]: "openswan-server" #1: enabling possible NAT-traversal with method 3 Nov 13 13:28:44 janus authpriv.debug pluto[28210]: | ICOOKIE: 76 08 08 8a f4 3c 2b 8a Nov 13 13:28:44 janus authpriv.debug pluto[28210]: | RCOOKIE: 00 00 00 00 00 00 00 00 Nov 13 13:28:44 janus authpriv.debug pluto[28210]: | peer: 55 d6 9d b0 Nov 13 13:28:44 janus authpriv.debug pluto[28210]: | state hash entry 11 Nov 13 13:28:44 janus authpriv.debug pluto[28210]: | ICOOKIE: 76 08 08 8a f4 3c 2b 8a Nov 13 13:28:44 janus authpriv.debug pluto[28210]: | RCOOKIE: 0b f2 2e a2 f3 62 65 19 Nov 13 13:28:44 janus authpriv.debug pluto[28210]: | peer: 55 d6 9d b0 Nov 13 13:28:44 janus authpriv.debug pluto[28210]: | state hash entry 1 Nov 13 13:28:44 janus authpriv.debug pluto[28210]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1 Nov 13 13:28:44 janus authpriv.debug pluto[28210]: | next event EVENT_RETRANSMIT in 10 seconds for #1 Nov 13 13:28:45 janus authpriv.debug pluto[28210]: | Nov 13 13:28:45 janus authpriv.debug pluto[28210]: | *received 572 bytes from SERVERIPADDRESS:500 on pptp-wan Nov 13 13:28:45 janus authpriv.debug pluto[28210]: | ICOOKIE: 76 08 08 8a f4 3c 2b 8a Nov 13 13:28:45 janus authpriv.debug pluto[28210]: | RCOOKIE: 0b f2 2e a2 f3 62 65 19 Nov 13 13:28:45 janus authpriv.debug pluto[28210]: | peer: 55 d6 9d b0 Nov 13 13:28:45 janus authpriv.debug pluto[28210]: | state hash entry 1 Nov 13 13:28:45 janus authpriv.debug pluto[28210]: | state object #1 found, in STATE_MAIN_I2 Nov 13 13:28:45 janus authpriv.debug pluto[28210]: | requested CA: "C=DE, ST=Bavaria, L=Hintertupfing, O=My Company, OU=IPSec Clients, CN=www.mycompany.de, E=lupe.christ...@mycompany.de" Nov 13 13:28:46 janus authpriv.warn pluto[28210]: "openswan-server" #1: NAT-Traversal: Result using RFC 3947: no NAT detected Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | our certificate policy is ALWAYS_SEND Nov 13 13:28:46 janus authpriv.warn pluto[28210]: "openswan-server" #1: we have a cert and are sending it Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1 Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | next event EVENT_RETRANSMIT in 10 seconds for #1 Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | *received 380 bytes from SERVERIPADDRESS:500 on pptp-wan Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | ICOOKIE: 76 08 08 8a f4 3c 2b 8a Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | RCOOKIE: 0b f2 2e a2 f3 62 65 19 Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | peer: 55 d6 9d b0 Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | state hash entry 1 Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | state object #1 found, in STATE_MAIN_I3 Nov 13 13:28:46 janus authpriv.warn pluto[28210]: "openswan-server" #1: ignoring Vendor ID payload [494b457632] Nov 13 13:28:46 janus authpriv.warn pluto[28210]: "openswan-server" #1: Peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Bavaria, O=My Company, OU=IPSec Clients, CN=openswan-server.mycompany.de, E=lupe.christ...@mycompany.de' Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | RSA signature check passed with keyid d2:0c:0c:4c:e6:32:76:2d:12:66:f2:5f:c9:86:fd:93:1b:ad:83:00 Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | peer CA: "C=DE, ST=Bavaria, L=Hintertupfing, O=My Company, OU=IPSec Clients, CN=www.mycompany.de, E=lupe.christ...@mycompany.de" Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | required CA: "0\361\255*H\361\255*\230\373\255*\300\372\255*\230\374\255*\374\373\255*|\377\255*|\365\255*\010\221I" Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | inserting event EVENT_SA_REPLACE, timeout in 9807 seconds for #1 Nov 13 13:28:46 janus authpriv.warn pluto[28210]: "openswan-server" #1: ISAKMP SA established Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | unqueuing pending Quick Mode with SERVERIPADDRESS "openswan-server" Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | duplicating state object #1 Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | creating state object #2 at 0x49dc78 Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | ICOOKIE: 76 08 08 8a f4 3c 2b 8a Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | RCOOKIE: 0b f2 2e a2 f3 62 65 19 Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | peer: 55 d6 9d b0 Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | state hash entry 1 Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #2 Nov 13 13:28:46 janus authpriv.warn pluto[28210]: "openswan-server" #2: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1} Nov 13 13:28:46 janus authpriv.debug pluto[28210]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1, Nov 13 13:28:47 janus authpriv.debug pluto[28210]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2 Nov 13 13:28:47 janus authpriv.debug pluto[28210]: | next event EVENT_RETRANSMIT in 10 seconds for #2 Nov 13 13:28:47 janus authpriv.debug pluto[28210]: | Nov 13 13:28:47 janus authpriv.debug pluto[28210]: | *received 428 bytes from SERVERIPADDRESS:500 on pptp-wan Nov 13 13:28:47 janus authpriv.debug pluto[28210]: | ICOOKIE: 76 08 08 8a f4 3c 2b 8a Nov 13 13:28:47 janus authpriv.debug pluto[28210]: | RCOOKIE: 0b f2 2e a2 f3 62 65 19 Nov 13 13:28:47 janus authpriv.debug pluto[28210]: | peer: 55 d6 9d b0 Nov 13 13:28:47 janus authpriv.debug pluto[28210]: | state hash entry 1 Nov 13 13:28:47 janus authpriv.debug pluto[28210]: | state object #2 found, in STATE_QUICK_I1 Nov 13 13:28:49 janus authpriv.debug pluto[28210]: | our client is subnet 192.168.1.0/24 Nov 13 13:28:49 janus authpriv.debug pluto[28210]: | our client protocol/port is 0/0 Nov 13 13:28:49 janus authpriv.debug pluto[28210]: | peer client is SERVERIPADDRESS Nov 13 13:28:49 janus authpriv.debug pluto[28210]: | peer client protocol/port is 0/0 Nov 13 13:28:49 janus authpriv.debug pluto[28210]: | no valid attribute cert found Nov 13 13:28:49 janus authpriv.debug pluto[28210]: | kernel_alg_esp_auth_keylen(auth=2, sadb_aalg=3): a_keylen=20 Nov 13 13:28:49 janus authpriv.debug pluto[28210]: | install_ipsec_sa() for #2: inbound and outbound Nov 13 13:28:49 janus authpriv.debug pluto[28210]: | route owner of "openswan-server" unrouted: NULL; eroute owner: NULL Nov 13 13:28:49 janus authpriv.info pluto[28210]: unable to add pseudo IPIP SA with SPI c1bb6ffe: Invalid argument (22) Nov 13 13:28:49 janus authpriv.info pluto[28210]: unable to add SAD entry with SPI c1bb6ffe Nov 13 13:28:49 janus authpriv.debug pluto[28210]: | state transition function for STATE_QUICK_I1 had internal error Nov 13 13:28:49 janus authpriv.debug pluto[28210]: | next event EVENT_RETRANSMIT in 8 seconds for #2 Any taker? Thanks for looking at this. Lupe Christoph -- | It is a well-known fact in any organisation that, if you want a job | | done, you should give it to someone who is already very busy. | | Terry Pratchett, "Unseen Academicals" | _______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users