Okay, what's your complete ipsec.conf? Can you send it?

Kind regards
Noel

On 12.05.21 at 00:54, Karuna Sagar Krishna wrote:
Attaching full charon logs.

Can you help with the ipsec.conf interface. I'll plan to switch to swanctl 
going forward, but currently this is blocking our releases.

--karuna


On Tue, May 11, 2021 at 2:54 PM Noel Kuntze 
<noel.kuntze+strongswan-users-ml@thermi.consulting> wrote:

    Hi,

    Full logs please, as shown on the HelpRequests[1] page on the wiki.
    Also, it's strongly recommended to use swanctl instead if possible. That's 
the better configuration backend.

    Kind regards
    Noel

    [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

    On 11.05.21 at 23:50, Karuna Sagar Krishna wrote:
    > Hi,
    >
    > I'm setting up an IPsec connection between a bunch of Ubuntu 18.04 LTS nodes. I'm using
    > Strongswan (Linux strongSwan U5.6.2/K5.4.0-1046-azure) on the Ubuntu nodes. The number of nodes
    > is dynamic, i.e. there are frequent scale-outs/ins. So the ipsec.conf file (see attached) is
    > updated with additional conn sections and `sudo ipsec update` is used to reload the config
    > file. However, I've noticed intermittent network connectivity issues and the syslog shows ->
    > "no IKE config found for 10.0.0.14...10.0.0.18, sending NO_PROPOSAL_CHOSEN". Clearly,
    > the ipsec status shows that the daemon has not reloaded the config irrespective of issuing
    > `sudo ipsec update` multiple times.
    >
    > Can you help understand why the config is not updated and how to fix this
    > issue?
    >
    >
    >
    > IPSec status:
    > -----------------
    >
    >  > sudo ipsec statusall
    >
    > Status of IKE charon daemon (strongSwan 5.6.2, Linux 5.4.0-1046-azure, 
x86_64):
    >    uptime: 45 minutes, since May 11 20:42:07 2021
    >    malloc: sbrk 2703360, mmap 0, used 778800, free 1924560
    >    worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
scheduled: 2
    >    loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random 
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey 
sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve 
socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
    > Listening IP addresses:
    >    10.0.0.14
    > Connections:
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:  10.0.0.14...10.0.0.15  IKEv2
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   local:  [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   remote: [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   child:  dynamic === dynamic TRANSPORT
    > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:  10.0.0.14...10.0.0.14  IKEv2
    > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   local:  [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
    > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
    > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   remote: [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
    > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
    > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   child:  dynamic === dynamic TRANSPORT
    > /*Routed Connections:
    > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{2}:  ROUTED, TRANSPORT, reqid 2
    > hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{2}: 10.0.0.14/32 === 10.0.0.14/32
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{1}:  ROUTED, TRANSPORT, reqid 1
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{1}: 10.0.0.14/32 === 10.0.0.15/32*/
    > Security Associations (1 up, 0 connecting):
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: ESTABLISHED 26 minutes ago, 10.0.0.14[CN=IP-37fa1445fc.hdinsight-stable.azure-test.net]...10.0.0.15[CN=IP-37fa1445fc.hdinsight-stable.azure-test.net]
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: IKEv2 SPIs: 1536ce9853bef399_i c00b62dfefa5f4ce_r*, public key reauthentication in 7 hours
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c73ba254_i c0ffd04a_o
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:  AES_CBC_256/HMAC_SHA2_256_128, 44961 bytes_i (822 pkts, 0s ago), 193357 bytes_o (570 pkts, 1557s ago), rekeying in 7 hours
    > hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}: 10.0.0.14/32 === 10.0.0.15/32
    >
    >
    > Charon logs:
    > -----------------
    >
    > May 11 21:23:20 hn1-kkafka charon: 09[NET] received packet: from 
10.0.0.18[500] to 10.0.0.14[500] (536 bytes)
    > May 11 21:23:20 hn1-kkafka charon: 09[ENC] parsed IKE_SA_INIT request 0 [ 
SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
    > May 11 21:23:20 hn1-kkafka charon: 09[IKE] /*no IKE config found for 
10.0.0.14...10.0.0.18, sending NO_PROPOSAL_CHOSEN*/
    > May 11 21:23:20 hn1-kkafka charon: 09[ENC] generating IKE_SA_INIT 
response 0 [ N(NO_PROP) ]
    > May 11 21:23:20 hn1-kkafka charon: 09[NET] sending packet: from 
10.0.0.14[500] to 10.0.0.18[500] (36 bytes)
    >
    > --karuna
    >

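The mismatch Karuna describes (conn sections present in ipsec.conf while charon still answers NO_PROPOSAL_CHOSEN for the new peer) can be checked mechanically before a release rather than noticed as intermittent connectivity loss. The script below is an added example, not code from the thread or from strongSwan: it reads the right= peers declared in ipsec.conf conn sections, the peers charon actually lists under Connections: in `ipsec statusall`, and any "no IKE config found" lines from the charon log, and reports the conn sections the running daemon has not loaded. The conn names, addresses and sample inputs are constructed.

```python
import re

# Constructed ipsec.conf: the node-18 section was added after charon's last reload.
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2

conn node-15
    right=10.0.0.15

conn node-18
    right=10.0.0.18
"""

# Constructed `ipsec statusall` excerpt: charon only knows the node-15 peer.
SAMPLE_STATUS = """\
Connections:
node-15:  10.0.0.14...10.0.0.15  IKEv2
node-15:   child:  dynamic === dynamic TRANSPORT
Security Associations (1 up, 0 connecting):
"""

# Constructed charon log line of the kind quoted in the thread.
SAMPLE_LOG = ("May 11 21:23:20 hn1-kkafka charon: 09[IKE] no IKE config found for "
              "10.0.0.14...10.0.0.18, sending NO_PROPOSAL_CHOSEN\n")

def conf_peers(conf):
    """Map each non-template conn section (not %default etc.) to its right= address."""
    peers, name = {}, None
    for line in conf.splitlines():
        if m := re.match(r"^conn\s+(\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"^\s+right\s*=\s*(\S+)", line)) and name and not name.startswith("%"):
            peers[name] = m.group(1)
    return peers

def loaded_peers(status):
    """Remote addresses charon lists under Connections: (the 'local...remote  IKEv2' lines)."""
    return set(re.findall(r"^\S+:\s+\S+\.\.\.(\S+)\s+IKEv[12]\s*$", status, re.M))

def rejected_peers(log):
    """Remote addresses charon answered with NO_PROPOSAL_CHOSEN because no config matched."""
    return set(re.findall(r"no IKE config found for \S+\.\.\.(\S+),", log))

def unloaded_conns(conf, status, log=""):
    """Names of conn sections whose peer the running daemon has not loaded or has rejected."""
    loaded, rejected = loaded_peers(status), rejected_peers(log)
    return sorted(n for n, p in conf_peers(conf).items() if p not in loaded or p in rejected)
```

On a live node, feed it the real files: `unloaded_conns(open("/etc/ipsec.conf").read(), subprocess.check_output(["ipsec", "statusall"], text=True), open("/var/log/syslog").read())`; an empty list means every declared peer is active in charon.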

