Actually there is also an earlier discrepancy:

good: generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ] (100 bytes)
vs
bad:  generating ID_PROT request 0 [ ID HASH ] (68 bytes)
________________________________
From: Users <users-boun...@lists.strongswan.org> on behalf of A P <sashk...@hotmail.com>
Sent: Monday, 8 July 2019 23:36
To: users@lists.strongswan.org
Subject: Re: [strongSwan] Strongswan 5.8 broke my setup

Ok... I've spent a few nights setting it up the old way. Now the new way does not work... :-(((
Can you please maybe give me a hint as to why?

Old ipsec.conf:

conn myvpn
    keyexchange=ikev1
    left=%defaultroute
    auto=add
    authby=secret
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
    right=<remote-ip>
    rightsubnet=0.0.0.0/0
    ike=3des-sha1-modp1536!
    esp=3des-sha1!

Old ipsec.secrets:

: PSK "<key>"

New swanctl.conf:

connections {
    myvpn {
        version = 1
        remote_addrs = <remote-ip>
        proposals = 3des-sha1-modp1536
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            myvpn {
                mode = transport
                esp_proposals = 3des-sha1
                remote_ts = 0.0.0.0/0
            }
        }
    }
}
secrets {
    ike {
        secret = <key>
    }
}

I get a virtually identical output until - see in red:

old - working
...
ipsec[1592]: 01[IKE] IKE_SA myvpn[1] established between <local-ip>[<local-ip>]...<remote-ip>[<remote-ip>]
ipsec[1592]: 01[IKE] scheduling reauthentication in 10104s
ipsec[1592]: 01[IKE] maximum IKE_SA lifetime 10644s
ipsec[1592]: 01[ENC] generating QUICK_MODE request 2607643999 [ HASH SA No ID ID NAT-OA NAT-OA ]
ipsec[1592]: 01[NET] sending packet: from <local-ip>[4500] to <remote-ip>[4500] (188 bytes)
ipsec[1592]: 06[NET] received packet: from <remote-ip>[4500] to <local-ip>[4500] (204 bytes)
ipsec[1592]: 06[ENC] parsed QUICK_MODE response 2607643999 [ HASH SA No ID ID N((24576)) NAT-OA NAT-OA ]
ipsec[1592]: 06[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ

new - non-working
...
[IKE] IKE_SA myvpn[1] established between <local-ip>[<local-ip>]...<remote-ip>[<remote-ip>]
[IKE] scheduling rekeying in 14101s
[IKE] maximum IKE_SA lifetime 15541s
[ENC] generating QUICK_MODE request 2783263997 [ HASH SA No ID ID NAT-OA NAT-OA ]
01[NET] sending packet: from <local-ip>[4500] to <remote-ip>[4500] (188 bytes)
06[NET] received packet: from <remote-ip>[4500] to <local-ip>[4500] (84 bytes)
[ENC] parsed INFORMATIONAL_V1 request 394177358 [ HASH D ]
[IKE] received DELETE for IKE_SA myvpn[1]
[IKE] deleting IKE_SA myvpn[1] between <local-ip>[<local-ip>]...<remote-ip>[<remote-ip>]
initiate failed: establishing CHILD_SA 'myvpn' failed

Something wrong with <key>? If I use the wrong key on purpose, I get the same result: immediate failure.
Quotes / no quotes don't make a difference.

________________________________
From: Andreas Steffen <andreas.stef...@strongswan.org>
Sent: Monday, 8 July 2019 17:19
To: A P; users@lists.strongswan.org
Subject: Re: [strongSwan] Strongswan 5.8 broke my setup

Hi,

since strongSwan 5.8 is a major version we made the following changes to the naming of the strongSwan systemd service files:

  systemctl start strongswan

now starts the charon-systemd daemon which communicates via the vici interface, e.g. using the swanctl command line tool.

  systemctl start strongswan-swanctl

is now an alias for

  systemctl start strongswan

The old behaviour with the starter process spawning the charon daemon, which in turn communicates via the whack interface, can be retained just by executing

  systemctl start strongswan-starter

Sorry for the inconvenience, but vici and swanctl.conf have been our preferred way of managing strongSwan for the last few years and this is a further step to make it our default. Nevertheless we are still committed to support the old whack and ipsec.conf interface.
Best regards

Andreas

On 07.07.19 17:50, A P wrote:
> I used to do:
>
> systemctl restart strongswan
> systemctl restart xl2tpd
> ipsec up myvpn
>
>
> Now the last step produces nothing!
>
>
> The difference in the logs:
>
> - new log (broken setup) has these, which old (working) does not have:
> swanctl[29887]: no files found matching '/etc/swanctl/conf.d/*.conf'
> swanctl[29887]: no authorities found, 0 unloaded
> swanctl[29887]: no pools found, 0 unloaded
> swanctl[29887]: no connections found, 0 unloaded
>
> - old log (working) has these, which new one (broken) never has:
> ipsec[1592]: charon (1601) started after 20 ms
> ipsec_starter[1592]: charon (1601) started after 20 ms
> charon[1601]: 07[CFG] received stroke: add connection 'myvpn'
> charon[1601]: 07[CFG] added configuration 'myvpn'
>
>
> Why did you have to break things?

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
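For readers migrating a similar ipsec.conf connection to swanctl.conf, the mapping the thread discusses written out in full, as an added editorial example; this is not the poster's file and not a configuration shipped by the strongSwan project. It keeps the poster's placeholders <remote-ip> and <key>; the secrets section name ike-myvpn is an assumed name (the "ike" prefix is what swanctl requires, the suffix is free). The one structural difference from the posted swanctl.conf is that the old leftprotoport/rightprotoport lines are carried over as port-qualified traffic selectors, which is how swanctl.conf expresses the same restriction to UDP/1701; each comment names the ipsec.conf line it replaces.

```conf
# Added example: ipsec.conf "conn myvpn" expressed in swanctl.conf syntax.
# <remote-ip> and <key> are placeholders; ike-myvpn is an assumed section name.
connections {
    myvpn {
        version = 1                           # keyexchange=ikev1
        # left=%defaultroute: local_addrs defaults to %any, so no line is needed
        remote_addrs = <remote-ip>            # right=<remote-ip>
        proposals = 3des-sha1-modp1536        # ike=3des-sha1-modp1536! (swanctl proposals are always strict)
        # auto=add: start_action defaults to none, so the conn is only loaded, not started
        local {
            auth = psk                        # authby=secret
        }
        remote {
            auth = psk
        }
        children {
            myvpn {
                mode = transport              # type=transport
                esp_proposals = 3des-sha1     # esp=3des-sha1!
                local_ts = dynamic[udp/1701]  # leftprotoport=17/1701 (dynamic = own outer address)
                remote_ts = 0.0.0.0/0[udp/1701] # rightsubnet=0.0.0.0/0 + rightprotoport=17/1701
            }
        }
    }
}

secrets {
    ike-myvpn {                               # ipsec.secrets ": PSK "<key>"" (any peer)
        secret = <key>
    }
}
```

After editing the file, `swanctl --load-all` reloads it into the running charon-systemd daemon and `swanctl --list-conns` shows the resulting traffic selectors, which is the quickest way to confirm that the UDP/1701 restriction from the old configuration actually made it into the new one.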