OpenWrt Forum Archive

Topic: A Problem with the strongSwan and the Algo

The content of this topic has been archived on 24 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I'm trying to connect to a remote Algo server on DigitalOcean, but there is a problem. I'm asking for help.


root@OpenWrt:/etc/ipsec.d/private# ipsec up ikev2
initiating IKE_SA ikev2[1] to 165.227.159.13
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.24.10.6[500] to 165.227.159.13[500] (354 bytes)
received packet: from 165.227.159.13[500] to 10.24.10.6[500] (289 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
received cert request for "CN=165.227.159.13"
sending cert request for "CN=165.227.159.13"
authentication of 'CN=nick' (myself) with ECDSA_WITH_SHA256_DER successful
sending end entity cert "CN=nick"
establishing CHILD_SA ikev2{1}
generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 10.24.10.6[4500] to 165.227.159.13[4500] (886 bytes)
received packet: from 165.227.159.13[4500] to 10.24.10.6[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(1/2) ]
received fragment #1 of 2, waiting for complete IKE message
received packet: from 165.227.159.13[4500] to 10.24.10.6[4500] (324 bytes)
parsed IKE_AUTH response 1 [ EF(2/2) ]
received fragment #2 of 2, reassembling fragmented IKE message
parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
received end entity cert "CN=165.227.159.13"
  using certificate "CN=165.227.159.13"
  using trusted ca certificate "CN=165.227.159.13"
checking certificate status of "CN=165.227.159.13"
certificate status is not available
  reached self-signed root ca with a path length of 0
authentication of '165.227.159.13' with ECDSA_WITH_SHA256_DER successful
IKE_SA ikev2[1] established between 10.24.10.6[CN=nick]...165.227.159.13[165.227.159.13]
installing DNS server 8.8.8.8 to /etc/resolv.conf
installing DNS server 8.8.4.4 to /etc/resolv.conf
installing new virtual IP 10.19.48.1
received netlink error: Function not implemented (38)
unable to add SAD entry with SPI cf5468cc (FAILED)
received netlink error: Function not implemented (38)
unable to add SAD entry with SPI c0c7eb50 (FAILED)
unable to install inbound and outbound IPsec SA (SAD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
peer supports MOBIKE
sending DELETE for ESP CHILD_SA with SPI cf5468cc
generating INFORMATIONAL request 2 [ D ]
sending packet: from 10.24.10.6[4500] to 165.227.159.13[4500] (69 bytes)
received packet: from 165.227.159.13[4500] to 10.24.10.6[4500] (69 bytes)
parsed INFORMATIONAL response 2 [ D ]
establishing connection 'ikev2' failed

ipsec.conf:

# Add connections here.

conn ikev2
    # IKE fragmentation; the log above shows the IKE_AUTH messages split into EF(1/2) and EF(2/2)
    fragmentation=yes
    # this side does not initiate rekeying
    rekey=no
    dpdaction=clear
    keyexchange=ikev2
    # no IPComp
    compress=no
    dpddelay=35s

    # AES-128-GCM with a 16-byte ICV, PRF HMAC-SHA-512, DH group 19 (ecp256);
    # the trailing '!' restricts negotiation to exactly these proposals
    ike=aes128gcm16-prfsha512-ecp256,aes128-sha2_512-prfsha512-ecp256,aes128-sha2_384-prfsha384-ecp256!
    esp=aes128gcm16-ecp256,aes128-sha2_512-prfsha512-ecp256!

    # the Algo server, authenticated by its certificate
    right=165.227.159.13
    rightid=165.227.159.13
    # tunnel all IPv4 traffic
    rightsubnet=0.0.0.0/0
    rightauth=pubkey

    # request a virtual IP from the server (CPRQ(ADDR DNS) in the log)
    leftsourceip=%config
    leftauth=pubkey
    # client certificate issued by Algo, in /etc/ipsec.d/certs
    leftcert=nick.crt
    # let the updown script insert firewall rules for the tunnel
    leftfirewall=yes
    left=%defaultroute

    # load the connection but bring it up manually with 'ipsec up ikev2'
    auto=add

(Last edited by nikola.public on 27 Oct 2017, 18:26)

I'm facing the same issue, using strongSwan version 5.3.3 on OpenWrt 15.05.1 Chaos Calmer as the VPN client and an Ubuntu Algo server. Any help would be greatly appreciated:

root@OpenWrt:/etc# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.3.3 IPsec [starter]...
no files found matching '/etc/ipsec.uci.conf'
root@OpenWrt:/etc# ipsec up ikev2-54.153.70.247
initiating IKE_SA ikev2-54.153.70.247[1] to 54.153.70.247
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
sending packet: from 192.168.86.105[500] to 54.153.70.247[500] (256 bytes)
received packet: from 54.153.70.247[500] to 192.168.86.105[500] (289 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
received cert request for "CN=54.153.70.247"
sending cert request for "CN=54.153.70.247"
authentication of 'CN=pravin' (myself) with ECDSA_WITH_SHA256_DER successful
sending end entity cert "CN=pravin"
establishing CHILD_SA ikev2-54.153.70.247
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
splitting IKE message with length of 860 bytes into 2 fragments
generating IKE_AUTH request 1 [ EF(1/2) ]
generating IKE_AUTH request 1 [ EF(2/2) ]
sending packet: from 192.168.86.105[4500] to 54.153.70.247[4500] (544 bytes)
sending packet: from 192.168.86.105[4500] to 54.153.70.247[4500] (381 bytes)
received packet: from 54.153.70.247[4500] to 192.168.86.105[4500] (544 bytes)
parsed IKE_AUTH response 1 [ EF(1/2) ]
received fragment #1 of 2, waiting for complete IKE message
received packet: from 54.153.70.247[4500] to 192.168.86.105[4500] (331 bytes)
parsed IKE_AUTH response 1 [ EF(2/2) ]
received fragment #2 of 2, reassembling fragmented IKE message
parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]
received end entity cert "CN=54.153.70.247"
  using certificate "CN=54.153.70.247"
  using trusted ca certificate "CN=54.153.70.247"
checking certificate status of "CN=54.153.70.247"
certificate status is not available
  reached self-signed root ca with a path length of 0
authentication of '54.153.70.247' with ECDSA_WITH_SHA256_DER successful
IKE_SA ikev2-54.153.70.247[1] established between 192.168.86.105[CN=pravin]...54.153.70.247[54.153.70.247]
installing DNS server 8.8.8.8 to /etc/resolv.conf
installing DNS server 8.8.4.4 to /etc/resolv.conf
installing new virtual IP 10.19.48.2
received netlink error: Function not implemented (38)
unable to add SAD entry with SPI cd5950bb
received netlink error: Function not implemented (38)
unable to add SAD entry with SPI c8eb5f77
unable to install inbound and outbound IPsec SA (SAD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
peer supports MOBIKE
sending DELETE for ESP CHILD_SA with SPI cd5950bb
generating INFORMATIONAL request 2 [ D ]
sending packet: from 192.168.86.105[4500] to 54.153.70.247[4500] (69 bytes)
received packet: from 54.153.70.247[4500] to 192.168.86.105[4500] (69 bytes)
parsed INFORMATIONAL response 2 [ D ]
establishing connection 'ikev2-54.153.70.247' failed
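
Both transcripts in this thread stop at the same place: IKE_AUTH succeeds (the server certificate verifies, a virtual IP and DNS servers are assigned), and then charon's netlink request to install the ESP SA is rejected by the kernel with errno 38, which is ENOSYS, "Function not implemented". That places the fault in the router's kernel (its XFRM/ESP/crypto support), not in Algo or in the posted ipsec.conf. The script below is an added example and is not code posted in the thread: triage_charon_log classifies a pasted charon log and prints a one-line verdict, and probe_kernel, meant to be run on the OpenWrt box itself, lists the XFRM and kernel-crypto facilities the negotiated aes128gcm16 ESP proposal relies on. The sample log is a constructed excerpt. The module and package names the probe looks for (kmod-ipsec, kmod-ipsec4, kmod-crypto-gcm, esp4, xfrm_user, gcm, ghash_generic, seqiv, ...) are what OpenWrt ships, but which of them is actually missing on the posters' routers is an assumption this thread does not confirm.

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers:
#   triage_charon_log  - classify an "ipsec up" transcript read on stdin
#   probe_kernel       - on the router, list what the kernel offers for ESP
# Which module or package is really absent on the posters' routers is an
# assumption; the probe only shows what to look at.

# Prints exactly one verdict line for a charon log on stdin.
triage_charon_log() {
    ike_ok=0 child_ok=0 sad_fail=0 errno=""
    while IFS= read -r line; do
        case "$line" in
            *"IKE_SA "*" established between "*)      ike_ok=1 ;;
            *"CHILD_SA "*" established with SPIs "*)  child_ok=1 ;;
            *"unable to add SAD entry"*)               sad_fail=1 ;;
            *"received netlink error: "*)
                # keep the first errno seen: "... (38)" -> 38
                if [ -z "$errno" ]; then
                    errno=${line##*\(}
                    errno=${errno%%\)*}
                fi ;;
        esac
    done
    if [ "$ike_ok" -eq 1 ] && [ "$child_ok" -eq 1 ]; then
        echo "OK"
    elif [ "$ike_ok" -eq 1 ] && [ "$sad_fail" -eq 1 ]; then
        # Userspace IKE succeeded; the kernel refused the ESP SA over XFRM
        # netlink. errno 38 is ENOSYS ("Function not implemented").
        echo "KERNEL_SA_INSTALL_FAILED errno=${errno:-?}"
    elif [ "$ike_ok" -eq 0 ]; then
        echo "IKE_FAILED"
    else
        echo "UNKNOWN"
    fi
}

# Run on the OpenWrt router. Each section is informational; nothing is changed.
probe_kernel() {
    # 1. Can userspace talk XFRM to the kernel at all? (needs ip-full on OpenWrt)
    if command -v ip >/dev/null 2>&1; then
        ip xfrm state >/dev/null 2>&1 && echo "xfrm netlink: ok" \
            || echo "xfrm netlink: FAILED (kernel IPsec support missing? see kmod-ipsec, kmod-ipsec4)"
    else
        echo "ip(8) not found; install ip-full to query XFRM state"
    fi
    # 2. Kernel crypto names relevant to aes128gcm16 / aes128-sha2_512 ESP.
    #    Template instances (gcm(aes), rfc4106(gcm(aes)), authenc(...)) only
    #    appear in /proc/crypto after first use, so their absence alone is not
    #    conclusive; base algorithms (aes, ghash, sha512) should always be listed.
    echo "--- /proc/crypto ---"
    grep -E '^name *: (aes|ghash|sha512|hmac\(sha512\)|gcm\(aes\)|rfc4106\(gcm\(aes\)\))$' /proc/crypto 2>/dev/null \
        || echo "none of the expected algorithm names found"
    # 3. Loaded modules the ESP path depends on (built-in ones will not show here).
    echo "--- modules ---"
    lsmod 2>/dev/null | grep -E '^(xfrm_user|xfrm_algo|esp4|xfrm4_mode_tunnel|gcm|ghash_generic|ctr|seqiv|authenc) ' \
        || echo "none of the expected modules loaded (or built in)"
    # 4. Installed OpenWrt kernel module packages for IPsec and crypto.
    echo "--- packages ---"
    opkg list-installed 2>/dev/null | grep -E '^kmod-(ipsec|crypto)' \
        || echo "no kmod-ipsec*/kmod-crypto* packages installed"
}

# Constructed excerpt following the shape of the transcripts above (not a real capture).
SAMPLE_LOG='IKE_SA ikev2[1] established between 10.24.10.6[CN=nick]...165.227.159.13[165.227.159.13]
installing new virtual IP 10.19.48.1
received netlink error: Function not implemented (38)
unable to add SAD entry with SPI cf5468cc (FAILED)
unable to install inbound and outbound IPsec SA (SAD) in kernel
failed to establish CHILD_SA, keeping IKE_SA'

printf '%s\n' "$SAMPLE_LOG" | triage_charon_log   # KERNEL_SA_INSTALL_FAILED errno=38

# Usage on the router: save as triage.sh, then `sh triage.sh --probe`, or
# `ipsec up ikev2 2>&1 | tee charon.log` and `sh triage.sh < charon.log`.
if [ "${1-}" = "--probe" ]; then
    probe_kernel
fi
```

The triage deliberately keys on "IKE_SA ... established" versus "unable to add SAD entry": when the first is present and the second follows, certificates, proposals and NAT traversal have already been agreed with the peer, so reworking ike=/esp= in ipsec.conf is unlikely to help until the probe shows the kernel accepting XFRM state for the negotiated transform.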

The discussion might have continued from here.