[Swan] Bringing up strongSwan+Libreswan transport connection

Andrew Cagney andrew.cagney at gmail.com
Mon Sep 30 15:23:57 UTC 2019


On Mon, 30 Sep 2019 at 02:17, Pavel Volkov <sailor at lists.xtsubasa.org> wrote:
>
> On Monday, 30 September 2019 04:34:48 MSK, Andrew Cagney wrote:
> > (is this from whack or the log file?)
>
> This is from system log.

Thanks.

> >
> > two things are happening here:
> >
> > - first pluto authenticates that the response did indeed come from the
> > server, and hence, the contents can be trusted
> > (this seems to have worked so certs should be ok)
> > - it uses the network configuration information from the now trusted
> > packet to establish the tunnel;
> >
> > I suspect the second step failed, but for some reason it didn't log
> > it.  Perhaps there's something wrong with the network configuration.
> > However to spot this you might need to add:
> >     plutodebug=all
> > to the config
> >
>
> It already had plutodebug=all (I think).
> To be sure I added again plutodebug="all private crypt whackwatch" and
> there aren't any new messages.

Hmm, the below still doesn't contain any debug information - it's easy
to spot as those lines are prefixed with '|'.  Is the plutodebug=all
line in the "config setup" section, viz:

config setup
    plutodebug=all

(I'd stick with just "all" as that should be more than sufficient).

> I'll post it again in full:
>
> сен 30 09:04:31 melforce systemd[1]: Starting Internet Key Exchange (IKE)
> Protocol Daemon for IPsec...
> ipsec[341933]: /usr/sbin/ipsec: line 176: iptables: command not found
> ipsec[341933]: nflog ipsec capture disabled
> pluto[341944]: NSS DB directory: sql:/etc/ipsec.d
> pluto[341944]: Initializing NSS
> pluto[341944]: Opening NSS database "sql:/etc/ipsec.d" read-only
> pluto[341944]: NSS initialized
> pluto[341944]: NSS crypto library initialized
> pluto[341944]: FIPS HMAC integrity support [disabled]
> pluto[341944]: libcap-ng support [disabled]
> pluto[341944]: Linux audit support [disabled]
> pluto[341944]: Starting Pluto (Libreswan Version 3.29 XFRM(netkey)
> esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile)
> SYSTEMD_WATCHDOG SECCOMP XAUTH_PAM NETWORKMANAGER) pid:341944
> pluto[341944]: core dump dir: /run/pluto
> pluto[341944]: secrets file: /etc/ipsec.secrets
> pluto[341944]: leak-detective enabled
> pluto[341944]: NSS crypto [enabled]
> pluto[341944]: XAUTH PAM support [enabled]
> pluto[341944]: Initializing libevent in pthreads mode: headers:
> 2.1.11-stable (2010b00); library: 2.1.11-stable (2010b00)
> pluto[341944]: NAT-Traversal support  [enabled]
> pluto[341944]: Encryption algorithms:
> pluto[341944]:   AES_CCM_16              IKEv1:     ESP     IKEv2:     ESP
>    FIPS  {256,192,*128}  aes_ccm, aes_ccm_c
> pluto[341944]:   AES_CCM_12              IKEv1:     ESP     IKEv2:     ESP
>    FIPS  {256,192,*128}  aes_ccm_b
> <... skipped ...>
> pluto[341944]:   DH21                    IKEv1: IKE         IKEv2: IKE ESP
> AH  FIPS  ecp_521, ecp521
> pluto[341944]:   DH31                    IKEv1: IKE         IKEv2: IKE ESP
> AH        curve25519
> pluto[341944]: 4 CPU cores online
> pluto[341944]: starting up 3 crypto helpers
> pluto[341944]: started thread for crypto helper 0
> pluto[341944]: started thread for crypto helper 1
> pluto[341944]: started thread for crypto helper 2
> pluto[341944]: Using Linux XFRM/NETKEY IPsec interface code on
> 5.3.1-gentoomelf
> systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
> pluto[341944]: systemd watchdog for ipsec service configured with timeout
> of 200000000 usecs
> pluto[341944]: watchdog: sending probes every 100 secs
> pluto[341944]: added connection description "server"
> pluto[341944]: listening for IKE messages
> pluto[341944]: Kernel supports NIC esp-hw-offload
> pluto[341944]: adding interface eth0/eth0 (esp-hw-offload=no)
> 192.168.1.2:500
> pluto[341944]: adding interface eth0/eth0 192.168.1.2:4500
> pluto[341944]: Kernel supports NIC esp-hw-offload
> pluto[341944]: adding interface lo/lo (esp-hw-offload=no) 127.0.0.1:500
> pluto[341944]: adding interface lo/lo 127.0.0.1:4500
> pluto[341944]: Kernel supports NIC esp-hw-offload
> pluto[341944]: adding interface lo/lo (esp-hw-offload=no) ::1:500
> pluto[341944]: Kernel supports NIC esp-hw-offload
> pluto[341944]: adding interface eth0/eth0 (esp-hw-offload=no)
> 2a00:xxxx:xxxx:xxxx::xxxx:500
> pluto[341944]: Kernel supports NIC esp-hw-offload
> pluto[341944]: adding interface eth0/eth0 (esp-hw-offload=no)
> fdd5:xxxx:xxxx:xxxx::xxxx:500
> pluto[341944]: forgetting secrets
> pluto[341944]: loading secrets from "/etc/ipsec.secrets"
> pluto[341944]: no secrets filename matched "/etc/ipsec.d/*.secrets"
> pluto[341944]: "server" #1: initiating v2 parent SA
> pluto[341944]: "server": constructed local IKE proposals for server (IKE SA
> initiator selecting KE):
> 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
> pluto[341944]: "server" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
> pluto[341944]: "server": constructed local ESP/AH proposals for server (IKE
> SA initiator emitting ESP/AH proposals):
> 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
> pluto[341944]: "server" #2: STATE_PARENT_I2: sent v2I2, expected v2R2
> {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256
> group=MODP2048}
> pluto[341944]: "server" #2: loading root certificate cache
> pluto[341944]: "server" #2: certificate verified OK: CN=server.example.com
> pluto[341944]: "server" #2: IKEv2 mode peer ID is ID_FQDN:
> '@server.example.com'
> pluto[341944]: "server" #2: Authenticated using RSA
> pluto[341944]: "server" #2: STATE_PARENT_I2: retransmission; will wait 0.5
> seconds for response
> pluto[341944]: "server" #2: EXPECTATION FAILED:
> st->st_remote_certs.verified == NULL (in decode_certs() at x509.c:696)
>
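
As an added illustration (not part of the thread), a small Python checker that applies the two observations above to a pluto syslog excerpt: it counts '|'-prefixed debug lines (none present means plutodebug is not in effect) and pulls out the per-SA IKE state, whether the peer was authenticated, and any EXPECTATION FAILED line. The sample log below is constructed from the lines quoted in this thread.

```python
import re

# Constructed sample in the shape of the pluto syslog lines quoted in the thread.
SAMPLE_LOG = """\
pluto[341944]: added connection description "server"
pluto[341944]: "server" #1: initiating v2 parent SA
pluto[341944]: "server" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
pluto[341944]: "server" #2: certificate verified OK: CN=server.example.com
pluto[341944]: "server" #2: Authenticated using RSA
pluto[341944]: "server" #2: STATE_PARENT_I2: retransmission; will wait 0.5 seconds for response
pluto[341944]: "server" #2: EXPECTATION FAILED: st->st_remote_certs.verified == NULL (in decode_certs() at x509.c:696)
"""

PLUTO_RE = re.compile(r'pluto\[\d+\]: (?P<msg>.*)$')          # strip the syslog prefix
STATE_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<text>.*)')  # "conn" #N: text

def analyse_pluto_log(text):
    """Summarise a pluto log: debug-line count, last STATE_* per SA,
    whether the peer authenticated, and any EXPECTATION FAILED messages."""
    summary = {"debug_lines": 0, "states": {}, "peer_authenticated": False, "failures": []}
    for line in text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("|"):            # plutodebug output is prefixed with '|'
            summary["debug_lines"] += 1
            continue
        s = STATE_RE.match(msg)
        if not s:
            continue
        sa, body = int(s.group("sa")), s.group("text")
        if body.startswith("STATE_"):
            summary["states"][sa] = body.split(":")[0]
        if body.startswith("Authenticated using"):
            summary["peer_authenticated"] = True
        if body.startswith("EXPECTATION FAILED"):
            summary["failures"].append(body)
    return summary

def diagnose(summary):
    """Turn the summary into the hints raised in the thread."""
    hints = []
    if summary["debug_lines"] == 0:
        hints.append("no '|' debug lines: check that plutodebug=all sits under 'config setup'")
    if summary["peer_authenticated"] and summary["failures"]:
        hints.append("peer authenticated, then pluto hit an internal assertion in the next step")
    return hints
```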
