Issue #2442
Updated by Tobias Brunner almost 8 years ago
Connection details -
stac16 (10.1.1.196) --- cool1 (10.1.1.21 / 20.1.1.21) --- viper1 (20.1.1.96 / 30.1.1.96) --- sandy4 (30.1.1.184)
Configuration on cool1 -
<pre>
[root@cool1 swanctl]# pwd
/usr/local/etc/swanctl
[root@cool1 swanctl]# cat swanctl.conf
connections {
gw-gw {
local_addrs = 20.1.1.21
remote_addrs = 20.1.1.96
local {
auth = pubkey
certs = cool1Cert.der
id = "C=CH, O=blr.asicdesigners.com, CN=cool1"
}
remote {
auth = pubkey
id = "C=CH, O=blr.asicdesigners.com, CN=viper1"
}
children {
net-net {
local_ts = 10.1.1.0/24
remote_ts = 30.1.1.0/24
# updown = /usr/local/libexec/ipsec/_updown iptables
rekey_time = 5400
rekey_bytes = 500000000
rekey_packets = 1000000
esp_proposals = aes128gcm128-x25519
hw_offload = yes
}
}
version = 2
mobike = no
reauth_time = 10800
proposals = aes128-sha256-x25519
}
}
</pre>
Configuration on viper1 -
<pre>
[root@viper1 swanctl]# pwd
/usr/local/etc/swanctl
[root@viper1 swanctl]# cat swanctl.conf
connections {
gw-gw {
local_addrs = 20.1.1.96
remote_addrs = 20.1.1.21
local {
auth = pubkey
certs = viper1Cert.der
id = "C=CH, O=blr.asicdesigners.com, CN=viper1"
}
remote {
auth = pubkey
id = "C=CH, O=blr.asicdesigners.com, CN=cool1"
}
children {
net-net {
local_ts = 30.1.1.0/24
remote_ts = 10.1.1.0/24
# updown = /usr/local/libexec/ipsec/_updown iptables
rekey_time = 5400
rekey_bytes = 500000000
rekey_packets = 1000000
esp_proposals = aes128gcm128-x25519
hw_offload = yes
}
}
version = 2
mobike = no
reauth_time = 10800
proposals = aes128-sha256-x25519
}
}
</pre>
On initiating I get the following error -
<pre>
[root@cool1 etc]# sudo /usr/local/libexec/ipsec/charon &
[1] 8257
[root@cool1 etc]# 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, Linux 4.14.0-rc1-withespoffload+, x86_64)
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=CH, O=blr.asicdesigners.com, CN=blr.asicdesigners.com CA" from '/usr/local/etc/ipsec.d/cacerts/caCert.der'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] maximum level of 10 includes reached, ignored
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prnel-netlink resolve socket-default stroke vici updown xauth-generic
00[JOB] spawning 16 worker threads
[root@cool1 etc]# ps -ef | grep charon
root 8257 3254 0 05:18 pts/0 00:00:00 sudo /usr/local/libexec/ipsec/charon
root 8258 8257 0 05:18 pts/0 00:00:00 /usr/local/libexec/ipsec/charon
root 8276 3254 0 05:18 pts/0 00:00:00 grep --color=auto charon
[root@cool1 etc]# swanctl --initiate --child net-net --ike gw-gw
10[CFG] vici initiate 'net-net'
initiate failed: CHILD_SA config 'net-net' not found
</pre>
What am I missing?
stac16 (10.1.1.196) --- cool1 (10.1.1.21 / 20.1.1.21) --- viper1 (20.1.1.96 / 30.1.1.96) --- sandy4 (30.1.1.184)
Configuration on cool1 -
<pre>
[root@cool1 swanctl]# pwd
/usr/local/etc/swanctl
[root@cool1 swanctl]# cat swanctl.conf
connections {
gw-gw {
local_addrs = 20.1.1.21
remote_addrs = 20.1.1.96
local {
auth = pubkey
certs = cool1Cert.der
id = "C=CH, O=blr.asicdesigners.com, CN=cool1"
}
remote {
auth = pubkey
id = "C=CH, O=blr.asicdesigners.com, CN=viper1"
}
children {
net-net {
local_ts = 10.1.1.0/24
remote_ts = 30.1.1.0/24
# updown = /usr/local/libexec/ipsec/_updown iptables
rekey_time = 5400
rekey_bytes = 500000000
rekey_packets = 1000000
esp_proposals = aes128gcm128-x25519
hw_offload = yes
}
}
version = 2
mobike = no
reauth_time = 10800
proposals = aes128-sha256-x25519
}
}
</pre>
Configuration on viper1 -
<pre>
[root@viper1 swanctl]# pwd
/usr/local/etc/swanctl
[root@viper1 swanctl]# cat swanctl.conf
connections {
gw-gw {
local_addrs = 20.1.1.96
remote_addrs = 20.1.1.21
local {
auth = pubkey
certs = viper1Cert.der
id = "C=CH, O=blr.asicdesigners.com, CN=viper1"
}
remote {
auth = pubkey
id = "C=CH, O=blr.asicdesigners.com, CN=cool1"
}
children {
net-net {
local_ts = 30.1.1.0/24
remote_ts = 10.1.1.0/24
# updown = /usr/local/libexec/ipsec/_updown iptables
rekey_time = 5400
rekey_bytes = 500000000
rekey_packets = 1000000
esp_proposals = aes128gcm128-x25519
hw_offload = yes
}
}
version = 2
mobike = no
reauth_time = 10800
proposals = aes128-sha256-x25519
}
}
</pre>
On initiating I get the following error -
<pre>
[root@cool1 etc]# sudo /usr/local/libexec/ipsec/charon &
[1] 8257
[root@cool1 etc]# 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, Linux 4.14.0-rc1-withespoffload+, x86_64)
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=CH, O=blr.asicdesigners.com, CN=blr.asicdesigners.com CA" from '/usr/local/etc/ipsec.d/cacerts/caCert.der'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] maximum level of 10 includes reached, ignored
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prnel-netlink resolve socket-default stroke vici updown xauth-generic
00[JOB] spawning 16 worker threads
[root@cool1 etc]# ps -ef | grep charon
root 8257 3254 0 05:18 pts/0 00:00:00 sudo /usr/local/libexec/ipsec/charon
root 8258 8257 0 05:18 pts/0 00:00:00 /usr/local/libexec/ipsec/charon
root 8276 3254 0 05:18 pts/0 00:00:00 grep --color=auto charon
[root@cool1 etc]# swanctl --initiate --child net-net --ike gw-gw
10[CFG] vici initiate 'net-net'
initiate failed: CHILD_SA config 'net-net' not found
</pre>
What am I missing?