Discussion:
[strongSwan] Problem initializing ipsec tunnel
MIDOL MONNET Philippe
2018-10-18 15:53:38 UTC
Hello

I'm not familiar with StrongSwan and I have the following issue when I
try to establish a tunnel:

With the charon log and a tcpdump I can see that, initialisation and
authentication seem to be OK:

Send: IKE_SA_INIT Initiator Request
Recv: IKE_SA_INIT Responder Response
Send: IKE_AUTH Initiator Request
Recv: IKE_AUTH Responder Response

Then there is INFORMATIONAL:
Send: INFORMATIONAL Initiator Request
Recv: INFORMATIONAL Responder  Request
Send: INFORMATIONAL Initiator Response
At this moment, the distant host redoes the request and localhost resends the
response:
Recv: INFORMATIONAL Responder  Request
Send: INFORMATIONAL Initiator Response
Send: INFORMATIONAL Initiator Request
etc.
and the tunnel can't be used

I don't know what happens, can you help me?

Philippe
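The exchange sequence in the post above, turned into a check that can be run over a charon-style one-line summary. This is an added example, not code from the thread or from strongSwan; the two sample sessions are constructed, the first copied from the post, the second a healthy session for contrast. The check reports whether IKE_AUTH completed and whether the INFORMATIONAL exchanges that follow are being answered, which is the difference between a tunnel that is merely "up" and one that is usable.

```python
import re
from dataclasses import dataclass

# Constructed copy of the summary lines in the post: authentication succeeds,
# then INFORMATIONAL requests go out in both directions and no response ever
# comes back.
STUCK_SESSION = """\
Send: IKE_SA_INIT Initiator Request
Recv: IKE_SA_INIT Responder Response
Send: IKE_AUTH Initiator Request
Recv: IKE_AUTH Responder Response
Send: INFORMATIONAL Initiator Request
Recv: INFORMATIONAL Responder  Request
Send: INFORMATIONAL Initiator Response
Recv: INFORMATIONAL Responder  Request
Send: INFORMATIONAL Initiator Response
Send: INFORMATIONAL Initiator Request
""".splitlines()

# Constructed healthy session: every INFORMATIONAL request gets a response.
HEALTHY_SESSION = """\
Send: IKE_SA_INIT Initiator Request
Recv: IKE_SA_INIT Responder Response
Send: IKE_AUTH Initiator Request
Recv: IKE_AUTH Responder Response
Send: INFORMATIONAL Initiator Request
Recv: INFORMATIONAL Responder Response
Recv: INFORMATIONAL Responder Request
Send: INFORMATIONAL Initiator Response
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<dir>Send|Recv):\s+(?P<exchange>[A-Z_]+)\s+"
    r"(?P<role>Initiator|Responder)\s+(?P<kind>Request|Response)\s*$"
)


@dataclass
class Verdict:
    authenticated: bool       # IKE_AUTH request sent and its response received
    unanswered_requests: int  # our INFORMATIONAL requests with no response back
    peer_retransmits: int     # peer INFORMATIONAL requests beyond the first one
    looping: bool             # authenticated, yet post-auth traffic is one-way


def parse(lines):
    """Return (direction, exchange, kind) tuples; non-summary lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["dir"], m["exchange"], m["kind"]))
    return events


def count(events, direction, exchange, kind):
    return sum(1 for e in events if e == (direction, exchange, kind))


def analyze(lines):
    ev = parse(lines)
    authenticated = (count(ev, "Send", "IKE_AUTH", "Request") > 0
                     and count(ev, "Recv", "IKE_AUTH", "Response") > 0)
    sent_req = count(ev, "Send", "INFORMATIONAL", "Request")
    got_resp = count(ev, "Recv", "INFORMATIONAL", "Response")
    peer_req = count(ev, "Recv", "INFORMATIONAL", "Request")
    unanswered = max(sent_req - got_resp, 0)
    # Summary lines carry no message IDs, so repeated peer requests are
    # treated as retransmits of the same request (the pattern in the post).
    retransmits = max(peer_req - 1, 0)
    looping = authenticated and unanswered >= 1 and retransmits >= 1
    return Verdict(authenticated, unanswered, retransmits, looping)


if __name__ == "__main__":
    for name, session in (("stuck", STUCK_SESSION), ("healthy", HEALTHY_SESSION)):
        print(name, analyze(session))
```

When both counters are non-zero after a successful IKE_AUTH, each side is sending and neither is hearing the other's answers, which points at the transport path rather than at authentication or proposals.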
Jafar Al-Gharaibeh
2018-10-19 20:49:59 UTC
Philippe,

   We don't know what happened either. If you want help, follow the
instructions on [1] and provide configs/logs/etc.


--Jafar

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
MIDOL MONNET Philippe
2018-10-23 14:53:50 UTC
Hi

Sorry for the badly formulated request.
I solved my problem.
The ipsec configuration file was the following:
config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no
conn %default
conn tunnel
        leftupdown=/etc/strongswan.d/updown.sh
        leftid=petittestaplug
        # request a virtual IP from the peer
        leftsourceip=%config
        # peer address masked in the post
        right=*********
        rightsubnet=0.0.0.0/0
        # trailing ! makes the proposals strict (no fallback to other algorithms)
        esp=aes256-sha512-modp4096!
        ike=aes256-sha512-modp4096!
        keyingtries=%forever
        ikelifetime=24h
        lifetime=8h
        # dead peer detection: probe every 30 s, restart the SA after 120 s of silence
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        # pre-shared key authentication
        authby=secret
        auto=start
        keyexchange=ikev2

the firewall rules are:
# Generated by iptables-save v1.6.0 on Tue May  8 04:31:16 2018
*raw
:PREROUTING ACCEPT [82254:41942801]
:OUTPUT ACCEPT [84703:37967014]
COMMIT
# Completed on Tue May  8 04:31:16 2018
# Generated by iptables-save v1.6.0 on Tue May  8 04:31:16 2018
*nat
:PREROUTING ACCEPT [10:600]
:INPUT ACCEPT [10:600]
:OUTPUT ACCEPT [18:2183]
:POSTROUTING ACCEPT [18:2183]
-A POSTROUTING -d 192.168.200.20/32 -o eth1 ! -p esp -j SNAT --to-source 10.3.0.51
-A POSTROUTING -d 192.168.200.20/32 -o eth1 ! -p esp -j SNAT --to-source 10.3.0.51
COMMIT
# Completed on Tue May  8 04:31:16 2018
# Generated by iptables-save v1.6.0 on Tue May  8 04:31:16 2018
*mangle
:PREROUTING ACCEPT [82254:41942801]
:INPUT ACCEPT [82252:41942175]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [84719:37970086]
:POSTROUTING ACCEPT [85363:38044708]
:connman-INPUT - [0:0]
:connman-POSTROUTING - [0:0]
-A INPUT -j connman-INPUT
-A POSTROUTING -j connman-POSTROUTING
-A connman-INPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A connman-POSTROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Tue May  8 04:31:16 2018
# Generated by iptables-save v1.6.0 on Tue May  8 04:31:16 2018
*filter
:INPUT ACCEPT [82252:41942175]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [84719:37970086]
COMMIT
# Completed on Tue May  8 04:31:16 2018

Adding:

forceencaps=yes

in the configuration file solved the problem.

Philippe
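A small ipsec.conf reader that resolves a conn's effective settings (with `conn %default` applied underneath) and reports the keys this thread turned on. Added example, not strongSwan code: the embedded configuration is a constructed copy of the one posted above, the peer address still masked, and the "after" variant is the same file with the `forceencaps=yes` line the fix added. The `review_conn` checks are this example's own choices, not a strongSwan lint.

```python
# Constructed copy of the posted ipsec.conf (peer address masked as in the post).
BEFORE = """\
config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no
conn %default
conn tunnel
        leftupdown=/etc/strongswan.d/updown.sh
        leftid=petittestaplug
        leftsourceip=%config
        right=*********
        rightsubnet=0.0.0.0/0
        esp=aes256-sha512-modp4096!
        ike=aes256-sha512-modp4096!
        keyingtries=%forever
        ikelifetime=24h
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        authby=secret
        auto=start
        keyexchange=ikev2
"""

# The same file with the line the thread's fix added.
AFTER = BEFORE + "        forceencaps=yes\n"


def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}} where kind is 'config' or 'conn'.

    A line starting in column 0 opens a section ('conn tunnel', 'config setup');
    indented key=value lines belong to the open section. '#' comments are
    stripped. Only 'conn %default' inheritance is modelled; the 'also='
    keyword is deliberately not resolved here.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = (kind, name.strip())
            sections[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def effective_conn(sections, name):
    """Settings of one conn with 'conn %default' as the base layer."""
    merged = dict(sections.get(("conn", "%default"), {}))
    merged.update(sections[("conn", name)])
    return merged


def review_conn(conn):
    """Observations on the settings this thread cares about (example checks)."""
    notes = []
    if conn.get("keyexchange") != "ikev2":
        notes.append("keyexchange is not ikev2")
    for key in ("ike", "esp"):
        if not conn.get(key, "").endswith("!"):
            notes.append(f"{key} proposal is not strict (no trailing '!')")
    if conn.get("forceencaps", "no") != "yes":
        # Without forceencaps, ESP leaves as IP protocol 50 unless NAT is
        # detected during IKE; the fix in this thread was to force UDP
        # encapsulation so ESP takes the same path as the IKE traffic.
        notes.append("forceencaps not set: ESP will use IP protocol 50 "
                     "unless NAT is detected")
    if conn.get("dpdaction") and not conn.get("dpddelay"):
        notes.append("dpdaction set without dpddelay")
    return notes


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        conn = effective_conn(parse_ipsec_conf(text), "tunnel")
        print(label, review_conn(conn) or ["no findings"])
```

Run as a script it prints one finding for the original file and none for the fixed one; reading the parsed `config setup` section works the same way through `parse_ipsec_conf(text)[("config", "setup")]`.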