[Swan] Bringing up strongSwan+Libreswan transport connection

Pavel Volkov sailor at lists.xtsubasa.org
Mon Sep 30 06:17:11 UTC 2019


On Monday, 30 September 2019 04:34:48 MSK, Andrew Cagney wrote:
> (is this from whack or the log file?)

This is from system log.

>
> two things are happening here:
>
> - first pluto authenticates that the response did indeed come from the
> server, and hence, the contents can be trusted
> (this seems to have worked so certs should be ok)
> - it uses the network configuration information from the now trusted
> packet to establish the tunnel;
>
> I suspect the second step failed, but for some reason it didn't log
> it.  Perhaps there's something wrong with the network configuration.
> However to spot this you might need to add:
>     plutodebug=all
> to the config
>

It already had plutodebug=all (I think).
To be sure, I added plutodebug="all private crypt whackwatch" again, and there aren't any new messages.

I'll post it again in full:

сен 30 09:04:31 melforce systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
ipsec[341933]: /usr/sbin/ipsec: line 176: iptables: command not found
ipsec[341933]: nflog ipsec capture disabled
pluto[341944]: NSS DB directory: sql:/etc/ipsec.d
pluto[341944]: Initializing NSS
pluto[341944]: Opening NSS database "sql:/etc/ipsec.d" read-only
pluto[341944]: NSS initialized
pluto[341944]: NSS crypto library initialized
pluto[341944]: FIPS HMAC integrity support [disabled]
pluto[341944]: libcap-ng support [disabled]
pluto[341944]: Linux audit support [disabled]
pluto[341944]: Starting Pluto (Libreswan Version 3.29 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) SYSTEMD_WATCHDOG SECCOMP XAUTH_PAM NETWORKMANAGER) pid:341944
pluto[341944]: core dump dir: /run/pluto
pluto[341944]: secrets file: /etc/ipsec.secrets
pluto[341944]: leak-detective enabled
pluto[341944]: NSS crypto [enabled]
pluto[341944]: XAUTH PAM support [enabled]
pluto[341944]: Initializing libevent in pthreads mode: headers: 2.1.11-stable (2010b00); library: 2.1.11-stable (2010b00)
pluto[341944]: NAT-Traversal support  [enabled]
pluto[341944]: Encryption algorithms:
pluto[341944]:   AES_CCM_16              IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm, aes_ccm_c
pluto[341944]:   AES_CCM_12              IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm_b
<... skipped ...>
pluto[341944]:   DH21                    IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  ecp_521, ecp521
pluto[341944]:   DH31                    IKEv1: IKE         IKEv2: IKE ESP AH        curve25519
pluto[341944]: 4 CPU cores online
pluto[341944]: starting up 3 crypto helpers
pluto[341944]: started thread for crypto helper 0
pluto[341944]: started thread for crypto helper 1
pluto[341944]: started thread for crypto helper 2
pluto[341944]: Using Linux XFRM/NETKEY IPsec interface code on 5.3.1-gentoomelf
systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
pluto[341944]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
pluto[341944]: watchdog: sending probes every 100 secs
pluto[341944]: added connection description "server"
pluto[341944]: listening for IKE messages
pluto[341944]: Kernel supports NIC esp-hw-offload
pluto[341944]: adding interface eth0/eth0 (esp-hw-offload=no) 192.168.1.2:500
pluto[341944]: adding interface eth0/eth0 192.168.1.2:4500
pluto[341944]: Kernel supports NIC esp-hw-offload
pluto[341944]: adding interface lo/lo (esp-hw-offload=no) 127.0.0.1:500
pluto[341944]: adding interface lo/lo 127.0.0.1:4500
pluto[341944]: Kernel supports NIC esp-hw-offload
pluto[341944]: adding interface lo/lo (esp-hw-offload=no) ::1:500
pluto[341944]: Kernel supports NIC esp-hw-offload
pluto[341944]: adding interface eth0/eth0 (esp-hw-offload=no) 2a00:xxxx:xxxx:xxxx::xxxx:500
pluto[341944]: Kernel supports NIC esp-hw-offload
pluto[341944]: adding interface eth0/eth0 (esp-hw-offload=no) fdd5:xxxx:xxxx:xxxx::xxxx:500
pluto[341944]: forgetting secrets
pluto[341944]: loading secrets from "/etc/ipsec.secrets"
pluto[341944]: no secrets filename matched "/etc/ipsec.d/*.secrets"
pluto[341944]: "server" #1: initiating v2 parent SA
pluto[341944]: "server": constructed local IKE proposals for server (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
pluto[341944]: "server" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
pluto[341944]: "server": constructed local ESP/AH proposals for server (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
pluto[341944]: "server" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
pluto[341944]: "server" #2: loading root certificate cache
pluto[341944]: "server" #2: certificate verified OK: CN=server.example.com
pluto[341944]: "server" #2: IKEv2 mode peer ID is ID_FQDN: '@server.example.com'
pluto[341944]: "server" #2: Authenticated using RSA
pluto[341944]: "server" #2: STATE_PARENT_I2: retransmission; will wait 0.5 seconds for response
pluto[341944]: "server" #2: EXPECTATION FAILED: st->st_remote_certs.verified == NULL (in decode_certs() at x509.c:696)
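As an added example (not from the thread or from Libreswan itself), a small Python triager for pluto journal lines of the shape shown above: it groups messages by connection and SA number, keeps the last STATE_ reached, the certificate and authentication results, and any EXPECTATION FAILED self-check with its source location, which separates the two steps Andrew describes (the peer is authenticated, then its payloads are acted on). The sample log is constructed from the excerpt above; the field names are my own.

```python
import re

# Constructed sample, condensed from the pluto journal excerpt in this thread.
SAMPLE_LOG = """\
pluto[341944]: "server" #1: initiating v2 parent SA
pluto[341944]: "server" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
pluto[341944]: "server" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
pluto[341944]: "server" #2: certificate verified OK: CN=server.example.com
pluto[341944]: "server" #2: Authenticated using RSA
pluto[341944]: "server" #2: STATE_PARENT_I2: retransmission; will wait 0.5 seconds for response
pluto[341944]: "server" #2: EXPECTATION FAILED: st->st_remote_certs.verified == NULL (in decode_certs() at x509.c:696)
"""

SA_LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
FIELDS = {  # per-SA facts worth keeping, one pattern per message shape seen above
    "last_state": re.compile(r'^(STATE_[A-Z0-9_]+):'),
    "cert_subject": re.compile(r'^certificate verified OK: (.+)$'),
    "auth": re.compile(r'^Authenticated using (\w+)$'),
}
EXPECT = re.compile(r'^EXPECTATION FAILED: (?P<cond>.*?) \(in (?P<func>\w+)\(\) at (?P<loc>[\w./-]+:\d+)\)$')


def triage(log_text):
    """Collapse per-SA pluto lines into one record per (connection, SA number)."""
    sas = {}
    for line in log_text.splitlines():
        m = SA_LINE.search(line)
        if not m:
            continue  # startup/interface chatter carries no SA number
        rec = sas.setdefault((m['conn'], int(m['sa'])), {
            "last_state": None, "cert_subject": None, "auth": None, "expectation_failed": None})
        msg = m['msg']
        for field, pat in FIELDS.items():
            if f := pat.match(msg):
                rec[field] = f.group(1)  # later lines overwrite, so last_state is the newest
        if e := EXPECT.match(msg):
            rec["expectation_failed"] = e.groupdict()
    return sas


def verdict(rec):
    """Name which of the two steps (authenticate the peer, then act on its payloads) broke."""
    e = rec["expectation_failed"]
    if e is None:
        return "no internal assertion hit"
    if rec["auth"]:
        # Peer already authenticated, so trust in the response is not the
        # problem; pluto tripped its own sanity check while processing it.
        return (f"peer authenticated via {rec['auth']}, then pluto failed internal "
                f"check '{e['cond']}' in {e['func']}() at {e['loc']}")
    return f"internal check '{e['cond']}' failed before the peer was authenticated"
```

Run `triage(SAMPLE_LOG)` and pass each record to `verdict()`; on the log above, SA #2 reports the failed check in decode_certs() at x509.c:696 after RSA authentication.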