
Bug #1068

Updated by Tobias Brunner about 10 years ago

Hello,

I am trying to configure an IPsec tunnel between two peers (both running strongSwan 5.3.2) in transport mode.
The tunnel between the peers is successfully established in IKEv2 (IKE_SA=UP + Child_SA=UP) mode but not in IKEv1 (IKE_SA=UP + Child_SA=DOWN).
The following issue may be related: https://wiki.strongswan.org/issues/819

ipsec.conf for Peer1:
<pre>
conn ike1-ip4-transp
    left=172.16.0.4            # revert left and right for Peer2
    right=172.16.0.24
    leftauth=psk
    rightauth=psk
    leftid=@server.garderos.com   # revert leftid and rightid for Peer2
    rightid=@client.garderos.com
    aggressive=yes
    auto=start
    keyingtries=1
    keyexchange=ikev1          # with keyexchange=ikev2 the tunnel is established!
    compress=yes
    type=transport
    margintime=540s
    ike=3des-sha1-modp1024!
    ikelifetime=4200s
    esp=3des-sha1-modp1024!
    lifetime=3600s
</pre>


Logs (IKEv1):
<pre>
Aug 17 12:15:56 Peer1 info ipsec_st[ 3389]: Starting weakSwan 5.3.2 IPsec [starter]...
Aug 17 12:15:56 Peer1 info charon: [ DMN] Starting IKE charon daemon (strongSwan 5.3.2, Linux 3.10.45, armv5teb)
Aug 17 12:15:56 Peer1 info charon: [ KNL] received netlink error: Address family not supported by protocol (97)
Aug 17 12:15:56 Peer1 info charon: [ KNL] unable to create IPv6 routing table rule
Aug 17 12:15:56 Peer1 info charon: [ CFG] loading ca certificates from '/var/etc/strongswan/ipsec.d/cacerts'
Aug 17 12:15:56 Peer1 info charon: [ CFG] loading aa certificates from '/var/etc/strongswan/ipsec.d/aacerts'
Aug 17 12:15:56 Peer1 info charon: [ CFG] loading ocsp signer certificates from '/var/etc/strongswan/ipsec.d/ocspcerts'
Aug 17 12:15:56 Peer1 info charon: [ CFG] loading attribute certificates from '/var/etc/strongswan/ipsec.d/acerts'
Aug 17 12:15:56 Peer1 info charon: [ CFG] loading crls from '/var/etc/strongswan/ipsec.d/crls'
Aug 17 12:15:56 Peer1 info charon: [ CFG] loading secrets from '/var/etc/strongswan/ipsec.secrets'
Aug 17 12:15:56 Peer1 info charon: [ CFG] loaded IKE secret for client.garderos.com
Aug 17 12:15:56 Peer1 info charon: [ LIB] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey pem openssl fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updow
Aug 17 12:15:56 Peer1 info charon: [ JOB] spawning 32 worker threads
Aug 17 12:15:56 Peer1 info ipsec_st[ 3402]: charon (3403) started after 200 ms
Aug 17 12:15:56 Peer1 info charon: [ CFG] received stroke: add connection 'ike1-ip4-transp'
Aug 17 12:15:56 Peer1 info charon: [ CFG] added configuration 'ike1-ip4-transp'
Aug 17 12:15:56 Peer1 info charon: [ CFG] received stroke: initiate 'ike1-ip4-transp'
Aug 17 12:15:56 Peer1 info charon: [ IKE] initiating Aggressive Mode IKE_SA ike1-ip4-transp[1] to 172.16.0.24
Aug 17 12:15:57 Peer1 info charon: [ ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Aug 17 12:15:57 Peer1 info charon: [ NET] sending packet: from 172.16.0.4[500] to 172.16.0.24[500] (367 bytes)
Aug 17 12:15:57 Peer1 info charon: [ NET] received packet: from 172.16.0.24[500] to 172.16.0.4[500] (419 bytes)
Aug 17 12:15:57 Peer1 info charon: [ ENC] parsed AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V ]
Aug 17 12:15:57 Peer1 info charon: [ IKE] received XAuth vendor ID
Aug 17 12:15:57 Peer1 info charon: [ IKE] received DPD vendor ID
Aug 17 12:15:57 Peer1 info charon: [ IKE] received Cisco Unity vendor ID
Aug 17 12:15:57 Peer1 info charon: [ IKE] received NAT-T (RFC 3947) vendor ID
Aug 17 12:15:57 Peer1 info charon: [ IKE] IKE_SA ike1-ip4-transp[1] established between 172.16.0.4[server.garderos.com]...172.16.0.24[client.garderos.com]
Aug 17 12:15:57 Peer1 info charon: [ IKE] scheduling reauthentication in 3660s
Aug 17 12:15:57 Peer1 info charon: [ IKE] maximum IKE_SA lifetime 4200s
Aug 17 12:15:57 Peer1 info charon: [ ENC] generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
Aug 17 12:15:57 Peer1 info charon: [ NET] sending packet: from 172.16.0.4[500] to 172.16.0.24[500] (108 bytes)
Aug 17 12:15:57 Peer1 info charon: [ ENC] generating QUICK_MODE request 1928624787 [ HASH SA No KE ID ID ]
Aug 17 12:15:57 Peer1 info charon: [ NET] sending packet: from 172.16.0.4[500] to 172.16.0.24[500] (372 bytes)
Aug 17 12:15:57 Peer1 info charon: [ NET] received packet: from 172.16.0.24[500] to 172.16.0.4[500] (372 bytes)
Aug 17 12:15:57 Peer1 info charon: [ ENC] parsed QUICK_MODE response 1928624787 [ HASH SA No KE ID ID ]
Aug 17 12:15:57 Peer1 info charon: [ IKE] no acceptable traffic selectors found
Aug 17 12:15:57 Peer1 info charon: [ ENC] generating INFORMATIONAL_V1 request 3524574942 [ HASH N(NO_PROP) ]
Aug 17 12:15:57 Peer1 info charon: [ NET] sending packet: from 172.16.0.4[500] to 172.16.0.24[500] (76 bytes)
</pre>


Logs (IKEv2):
<pre>
Aug 17 12:28:01 Peer1 info ipsec_st[ 3730]: Starting weakSwan 5.3.2 IPsec [starter]...
Aug 17 12:28:01 Peer1 info charon: [ DMN] Starting IKE charon daemon (strongSwan 5.3.2, Linux 3.10.45, armv5teb)
Aug 17 12:28:01 Peer1 info charon: [ KNL] received netlink error: Address family not supported by protocol (97)
Aug 17 12:28:01 Peer1 info charon: [ KNL] unable to create IPv6 routing table rule
Aug 17 12:28:01 Peer1 info charon: [ CFG] loading ca certificates from '/var/etc/strongswan/ipsec.d/cacerts'
Aug 17 12:28:01 Peer1 info charon: [ CFG] loading aa certificates from '/var/etc/strongswan/ipsec.d/aacerts'
Aug 17 12:28:01 Peer1 info charon: [ CFG] loading ocsp signer certificates from '/var/etc/strongswan/ipsec.d/ocspcerts'
Aug 17 12:28:01 Peer1 info charon: [ CFG] loading attribute certificates from '/var/etc/strongswan/ipsec.d/acerts'
Aug 17 12:28:01 Peer1 info charon: [ CFG] loading crls from '/var/etc/strongswan/ipsec.d/crls'
Aug 17 12:28:01 Peer1 info charon: [ CFG] loading secrets from '/var/etc/strongswan/ipsec.secrets'
Aug 17 12:28:01 Peer1 info charon: [ CFG] loaded IKE secret for client.garderos.com
Aug 17 12:28:01 Peer1 info charon: [ LIB] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey pem openssl fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updow
Aug 17 12:28:01 Peer1 info charon: [ JOB] spawning 32 worker threads
Aug 17 12:28:01 Peer1 info ipsec_st[ 3751]: charon (3752) started after 200 ms
Aug 17 12:28:01 Peer1 info charon: [ CFG] received stroke: add connection 'ike1-ip4-transp'
Aug 17 12:28:01 Peer1 info charon: [ CFG] added configuration 'ike1-ip4-transp'
Aug 17 12:28:01 Peer1 info charon: [ CFG] received stroke: initiate 'ike1-ip4-transp'
Aug 17 12:28:01 Peer1 info charon: [ IKE] initiating IKE_SA ike1-ip4-transp[1] to 172.16.0.24
Aug 17 12:28:01 Peer1 info charon: [ ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Aug 17 12:28:01 Peer1 info charon: [ NET] sending packet: from 172.16.0.4[500] to 172.16.0.24[500] (316 bytes)
Aug 17 12:28:01 Peer1 info charon: [ NET] received packet: from 172.16.0.24[500] to 172.16.0.4[500] (324 bytes)
Aug 17 12:28:01 Peer1 info charon: [ ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 17 12:28:01 Peer1 info charon: [ IKE] authentication of 'server.garderos.com' (myself) with pre-shared key
Aug 17 12:28:01 Peer1 info charon: [ IKE] establishing CHILD_SA ike1-ip4-transp
Aug 17 12:28:01 Peer1 info charon: [ ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(IPCOMP_SUP) N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Aug 17 12:28:01 Peer1 info charon: [ NET] sending packet: from 172.16.0.4[4500] to 172.16.0.24[4500] (284 bytes)
Aug 17 12:28:01 Peer1 info charon: [ NET] received packet: from 172.16.0.24[4500] to 172.16.0.4[4500] (244 bytes)
Aug 17 12:28:01 Peer1 info charon: [ ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(IPCOMP_SUP) N(USE_TRANSP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Aug 17 12:28:01 Peer1 info charon: [ IKE] authentication of 'client.garderos.com' with pre-shared key successful
Aug 17 12:28:01 Peer1 info charon: [ IKE] IKE_SA ike1-ip4-transp[1] established between 172.16.0.4[server.garderos.com]...172.16.0.24[client.garderos.com]
Aug 17 12:28:01 Peer1 info charon: [ IKE] scheduling reauthentication in 3660s
Aug 17 12:28:01 Peer1 info charon: [ IKE] maximum IKE_SA lifetime 4200s
Aug 17 12:28:01 Peer1 info charon: [ IKE] CHILD_SA ike1-ip4-transp{1} established with SPIs c39bc78a_i ccda98bb_o and TS 172.16.0.4/32 === 172.16.0.24/32
Aug 17 12:28:01 Peer1 info charon: [ IKE] received AUTH_LIFETIME of 3660s, scheduling reauthentication in 3120s
Aug 17 12:28:01 Peer1 info charon: [ IKE] peer supports MOBIKE
</pre>
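Added example (my own Python, not strongSwan code and not part of the report): a small parser for syslog-style charon lines like the two traces above. It infers the IKE version from the exchange names charon logs, records whether the IKE_SA and CHILD_SA came up, and collects the failure messages and error notifies that explain a CHILD_SA that stayed DOWN, so the IKEv1 and IKEv2 runs can be compared mechanically instead of by eye. The line layout is assumed to be the one shown in the report; the abbreviated notify names other than NO_PROP are assumed, and the sample lines are a subset of the report's own traces.

```python
"""Summarise strongSwan charon log lines into IKE_SA / CHILD_SA state.

Added example, not strongSwan's own code. Assumes the syslog-style layout
seen in the report:  "<mon> <day> <time> <host> <level> charon: [ SUB] <msg>".
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\S+) "
    r"(?P<proc>\w+)(?:\[ *\d+\])?: (?:\[ *(?P<sub>[A-Z]+)\] )?(?P<msg>.*)$"
)
# "generating QUICK_MODE request 1928624787 [ HASH SA No KE ID ID ]"
EXCHANGE_RE = re.compile(
    r"^(?P<dir>generating|parsed) (?P<exch>[A-Z0-9_]+) (?:request|response) \d+ "
    r"\[(?P<payloads>[^\]]*)\]"
)
NOTIFY_RE = re.compile(r"N\((\w+)\)")
IKE_UP_RE = re.compile(r"^IKE_SA \S+ established between ")
CHILD_UP_RE = re.compile(r"^CHILD_SA \S+ established with SPIs .* and TS (?P<ts>.+)$")

# Exchange names charon uses for each protocol version.
EXCHANGE_VERSION = {
    "ID_PROT": "IKEv1", "AGGRESSIVE": "IKEv1", "QUICK_MODE": "IKEv1",
    "INFORMATIONAL_V1": "IKEv1", "TRANSACTION": "IKEv1",
    "IKE_SA_INIT": "IKEv2", "IKE_AUTH": "IKEv2",
    "CREATE_CHILD_SA": "IKEv2", "INFORMATIONAL": "IKEv2",
}
# Error notifies worth surfacing. NO_PROP is the one in the report; the
# others are assumed abbreviations, everything else is treated as informational.
ERROR_NOTIFIES = {"NO_PROP", "TS_UNACCEPT", "INVAL_SYNTAX", "AUTH_FAILED"}
# Substrings of IKE/CFG messages that mark a negotiation failure.
FAILURE_KEYWORDS = ("no acceptable", "failed", "no matching")


@dataclass
class IkeSummary:
    version: str = "unknown"
    ike_sa_up: bool = False
    child_sa_up: bool = False
    child_ts: str = ""
    failures: list = field(default_factory=list)        # free-text failure messages
    error_notifies: list = field(default_factory=list)  # (direction, notify name)


def parse_line(line):
    """Split one log line into its fields, or return None for foreign lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Walk the charon lines in order and build an IkeSummary."""
    s = IkeSummary()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proc"] != "charon":
            continue  # starter lines, unrelated daemons, blank lines
        msg = rec["msg"]
        ex = EXCHANGE_RE.match(msg)
        if ex:
            s.version = EXCHANGE_VERSION.get(ex["exch"], s.version)
            direction = "sent" if ex["dir"] == "generating" else "received"
            for name in NOTIFY_RE.findall(ex["payloads"]):
                if name in ERROR_NOTIFIES:
                    s.error_notifies.append((direction, name))
            continue
        if IKE_UP_RE.match(msg):
            s.ike_sa_up = True
        elif (m := CHILD_UP_RE.match(msg)):
            s.child_sa_up = True
            s.child_ts = m["ts"]
        elif rec["sub"] in ("IKE", "CFG") and any(k in msg for k in FAILURE_KEYWORDS):
            s.failures.append(msg)
    return s


# Sample input: a subset of the report's own IKEv1 and IKEv2 traces.
IKEV1_LOG = """\
Aug 17 12:15:56 Peer1 info ipsec_st[ 3389]: Starting weakSwan 5.3.2 IPsec [starter]...
Aug 17 12:15:57 Peer1 info charon: [ ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Aug 17 12:15:57 Peer1 info charon: [ ENC] parsed AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V ]
Aug 17 12:15:57 Peer1 info charon: [ IKE] IKE_SA ike1-ip4-transp[1] established between 172.16.0.4[server.garderos.com]...172.16.0.24[client.garderos.com]
Aug 17 12:15:57 Peer1 info charon: [ ENC] generating QUICK_MODE request 1928624787 [ HASH SA No KE ID ID ]
Aug 17 12:15:57 Peer1 info charon: [ ENC] parsed QUICK_MODE response 1928624787 [ HASH SA No KE ID ID ]
Aug 17 12:15:57 Peer1 info charon: [ IKE] no acceptable traffic selectors found
Aug 17 12:15:57 Peer1 info charon: [ ENC] generating INFORMATIONAL_V1 request 3524574942 [ HASH N(NO_PROP) ]
"""
IKEV2_LOG = """\
Aug 17 12:28:01 Peer1 info charon: [ ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Aug 17 12:28:01 Peer1 info charon: [ ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 17 12:28:01 Peer1 info charon: [ ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(IPCOMP_SUP) N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Aug 17 12:28:01 Peer1 info charon: [ ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(IPCOMP_SUP) N(USE_TRANSP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Aug 17 12:28:01 Peer1 info charon: [ IKE] authentication of 'client.garderos.com' with pre-shared key successful
Aug 17 12:28:01 Peer1 info charon: [ IKE] IKE_SA ike1-ip4-transp[1] established between 172.16.0.4[server.garderos.com]...172.16.0.24[client.garderos.com]
Aug 17 12:28:01 Peer1 info charon: [ IKE] CHILD_SA ike1-ip4-transp{1} established with SPIs c39bc78a_i ccda98bb_o and TS 172.16.0.4/32 === 172.16.0.24/32
"""

if __name__ == "__main__":
    for label, log in (("IKEv1", IKEV1_LOG), ("IKEv2", IKEV2_LOG)):
        print(label, summarize(log.splitlines()))
```

Run against the two traces, the IKEv1 summary shows IKE_SA up, CHILD_SA down, the failure text "no acceptable traffic selectors found" and a sent NO_PROP notify, while the IKEv2 summary shows both SAs up with TS 172.16.0.4/32 === 172.16.0.24/32 and no error notifies; that is exactly the asymmetry the report describes, now as structured data you can diff or alert on.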
