-
It's using the smp plugin and those paths are correct.
You should see why the smp plugin is not loading.
-
@ermal:
It's using the smp plugin and those paths are correct.
You should see why the smp plugin is not loading.
You are right, the smp plugin is not loading; here is a restart log:
May 6 16:03:00 pfsense charon: 00[DMN] signal of type SIGINT received. Shutting down
May 6 16:03:11 pfsense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.1, FreeBSD 10.0-STABLE, amd64)
May 6 16:03:11 pfsense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
May 6 16:03:11 pfsense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
May 6 16:03:11 pfsense charon: 00[CFG] ipseckey plugin is disabled
May 6 16:03:11 pfsense charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
May 6 16:03:11 pfsense charon: 00[CFG] loaded ca certificate "C=US, xxxxxx CN=internal-ca" from '/var/etc/ipsec/ipsec.d/cacerts/067991fe.0'
May 6 16:03:11 pfsense charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
May 6 16:03:11 pfsense charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
May 6 16:03:11 pfsense charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
May 6 16:03:11 pfsense charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
May 6 16:03:11 pfsense charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
May 6 16:03:11 pfsense charon: 00[CFG] loaded IKE secret for vpnusers@moschelhome.com
May 6 16:03:11 pfsense charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
May 6 16:03:11 pfsense charon: 00[CFG] loaded 0 RADIUS server configurations
May 6 16:03:11 pfsense charon: 00[LIB] loaded plugins: charon curl unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
May 6 16:03:11 pfsense charon: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)
May 6 16:03:11 pfsense charon: 00[JOB] spawning 16 worker threads
May 6 16:03:11 pfsense charon: 04[CFG] received stroke: add connection 'con1-1'
May 6 16:03:11 pfsense charon: 04[CFG] added configuration 'con1-1'
May 6 16:03:11 pfsense charon: 04[CFG] received stroke: route 'con1-1'
May 6 16:03:11 pfsense charon: 04[CFG] installing trap failed, remote address unknown
May 6 16:03:11 pfsense charon: 13[CFG] received stroke: add connection 'con1-1'
May 6 16:03:11 pfsense charon: 13[CFG] added child to existing configuration 'con1-1'
May 6 16:03:11 pfsense charon: 13[CFG] received stroke: route 'con1-1'
May 6 16:03:11 pfsense charon: 13[CFG] installing trap failed, remote address unknown
May 6 16:08:22 pfsense charon: 08[CFG] rereading secrets
May 6 16:08:22 pfsense charon: 08[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
May 6 16:08:22 pfsense charon: 08[CFG] loaded IKE secret for vpnusers@xxxxx.com
May 6 16:08:22 pfsense charon: 08[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
May 6 16:08:22 pfsense charon: 08[CFG] loaded ca certificate "C=US, xxxxxxxxxx, CN=internal-ca" from '/var/etc/ipsec/ipsec.d/cacerts/067991fe.0'
May 6 16:08:22 pfsense charon: 08[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
May 6 16:08:22 pfsense charon: 08[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
May 6 16:08:22 pfsense charon: 08[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
May 6 16:08:22 pfsense charon: 08[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
May 6 16:08:23 pfsense charon: 13[CFG] received stroke: loglevel 1 for dmn
May 6 16:08:23 pfsense charon: 08[CFG] received stroke: loglevel 0 for mgr
May 6 16:08:23 pfsense charon: 13[CFG] received stroke: loglevel 1 for ike
May 6 16:08:23 pfsense charon: 08[CFG] received stroke: loglevel -1 for chd
May 6 16:08:23 pfsense charon: 13[CFG] received stroke: loglevel -1 for job
May 6 16:08:24 pfsense charon: 07[CFG] received stroke: loglevel -1 for cfg
May 6 16:22:30 pfsense charon: 16[NET] <1> received packet: from 173.15.xx.37[500] to 24.74.xx.yy[500] (564 bytes)
Note this: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)
I will try to up the [LIB] logging level and restart ipsec, but I have not signed the TLA so I can't look into the configuration or build side.
-
It's not related to the tools repo at all, you have everything in that image.
Can you show me the ldd /usr/local/lib/ipsec/plugins/libstrongswan-smp.so
Somehow you are missing a dependency there.
-
@ermal:
Can you show me the ldd /usr/local/lib/ipsec/plugins/libstrongswan-smp.so
Somehow you are missing a dependency there.
There is no such plugin on my system, and I guess you need the tools repo to figure out why it's not being built. This is an AMD64 image from yesterday.
[2.2-ALPHA][root@pfsense.localdomain]/usr/local/lib/ipsec(4): find / -iname \*smp\*
/kernels/kernel_SMP.gz
[2.2-ALPHA][root@pfsense.localdomain]/usr/local/lib/ipsec(5): ls -l plugins
total 1220
-rwxr-xr-x 1 root wheel 9349 May 6 05:20 libstrongswan-addrblock.so
-rwxr-xr-x 1 root wheel 38028 May 6 05:20 libstrongswan-aes.so
-rwxr-xr-x 1 root wheel 12613 May 6 05:20 libstrongswan-attr.so
-rwxr-xr-x 1 root wheel 17666 May 6 05:20 libstrongswan-blowfish.so
-rwxr-xr-x 1 root wheel 10380 May 6 05:20 libstrongswan-cmac.so
-rwxr-xr-x 1 root wheel 12403 May 6 05:20 libstrongswan-constraints.so
-rwxr-xr-x 1 root wheel 10856 May 6 05:20 libstrongswan-curl.so
-rwxr-xr-x 1 root wheel 29206 May 6 05:20 libstrongswan-des.so
-rwxr-xr-x 1 root wheel 9161 May 6 05:20 libstrongswan-dnskey.so
-rwxr-xr-x 1 root wheel 19555 May 6 05:20 libstrongswan-eap-aka-3gpp2.so
-rwxr-xr-x 1 root wheel 21748 May 6 05:20 libstrongswan-eap-aka.so
-rwxr-xr-x 1 root wheel 10874 May 6 05:20 libstrongswan-eap-dynamic.so
-rwxr-xr-x 1 root wheel 9472 May 6 05:20 libstrongswan-eap-identity.so
-rwxr-xr-x 1 root wheel 11081 May 6 05:20 libstrongswan-eap-md5.so
-rwxr-xr-x 1 root wheel 25868 May 6 05:20 libstrongswan-eap-mschapv2.so
-rwxr-xr-x 1 root wheel 19188 May 6 05:20 libstrongswan-eap-peap.so
-rwxr-xr-x 1 root wheel 48981 May 6 05:20 libstrongswan-eap-radius.so
-rwxr-xr-x 1 root wheel 14671 May 6 05:20 libstrongswan-eap-sim-file.so
-rwxr-xr-x 1 root wheel 22144 May 6 05:20 libstrongswan-eap-sim.so
-rwxr-xr-x 1 root wheel 9642 May 6 05:20 libstrongswan-eap-tls.so
-rwxr-xr-x 1 root wheel 18983 May 6 05:20 libstrongswan-eap-ttls.so
-rwxr-xr-x 1 root wheel 9219 May 6 05:20 libstrongswan-fips-prf.so
-rwxr-xr-x 1 root wheel 34630 May 6 05:20 libstrongswan-gmp.so
-rwxr-xr-x 1 root wheel 10151 May 6 05:20 libstrongswan-hmac.so
-rwxr-xr-x 1 root wheel 12819 May 6 05:20 libstrongswan-ipseckey.so
-rwxr-xr-x 1 root wheel 36303 May 6 05:20 libstrongswan-kernel-pfkey.so
-rwxr-xr-x 1 root wheel 26592 May 6 05:20 libstrongswan-kernel-pfroute.so
-rwxr-xr-x 1 root wheel 9550 May 6 05:20 libstrongswan-md4.so
-rwxr-xr-x 1 root wheel 10110 May 6 05:20 libstrongswan-md5.so
-rwxr-xr-x 1 root wheel 7390 May 6 05:20 libstrongswan-nonce.so
-rwxr-xr-x 1 root wheel 103975 May 6 05:20 libstrongswan-openssl.so
-rwxr-xr-x 1 root wheel 19993 May 6 05:20 libstrongswan-pem.so
-rwxr-xr-x 1 root wheel 19897 May 6 05:20 libstrongswan-pgp.so
-rwxr-xr-x 1 root wheel 14472 May 6 05:20 libstrongswan-pkcs1.so
-rwxr-xr-x 1 root wheel 14979 May 6 05:20 libstrongswan-pkcs12.so
-rwxr-xr-x 1 root wheel 34623 May 6 05:20 libstrongswan-pkcs7.so
-rwxr-xr-x 1 root wheel 9657 May 6 05:20 libstrongswan-pkcs8.so
-rwxr-xr-x 1 root wheel 10008 May 6 05:20 libstrongswan-pubkey.so
-rwxr-xr-x 1 root wheel 9426 May 6 05:20 libstrongswan-random.so
-rwxr-xr-x 1 root wheel 10070 May 6 05:20 libstrongswan-rc2.so
-rwxr-xr-x 1 root wheel 12288 May 6 05:20 libstrongswan-resolve.so
-rwxr-xr-x 1 root wheel 15030 May 6 05:20 libstrongswan-revocation.so
-rwxr-xr-x 1 root wheel 14382 May 6 05:20 libstrongswan-sha1.so
-rwxr-xr-x 1 root wheel 16210 May 6 05:20 libstrongswan-sha2.so
-rwxr-xr-x 1 root wheel 14942 May 6 05:20 libstrongswan-socket-default.so
-rwxr-xr-x 1 root wheel 13568 May 6 05:20 libstrongswan-sshkey.so
-rwxr-xr-x 1 root wheel 101821 May 6 05:20 libstrongswan-stroke.so
-rwxr-xr-x 1 root wheel 16166 May 6 05:20 libstrongswan-unbound.so
-rwxr-xr-x 1 root wheel 15377 May 6 05:20 libstrongswan-updown.so
-rwxr-xr-x 1 root wheel 12132 May 6 05:20 libstrongswan-whitelist.so
-rwxr-xr-x 1 root wheel 90623 May 6 05:20 libstrongswan-x509.so
-rwxr-xr-x 1 root wheel 10314 May 6 05:20 libstrongswan-xauth-eap.so
-rwxr-xr-x 1 root wheel 12961 May 6 05:20 libstrongswan-xauth-generic.so
-rwxr-xr-x 1 root wheel 10345 May 6 05:20 libstrongswan-xcbc.so
[2.2-ALPHA][root@pfsense.localdomain]/usr/local/lib/ipsec(6):
[edit: add system info]
-
Ok, fixed; should show up on upcoming snaps.
Thank you for the help.
-
@ermal:
Ok, fixed; should show up on upcoming snaps.
Well, the smp plugin is loaded OK now and the charon.xml socket is created in /var/run. (I note on the strongSwan plugins wiki page, the smp plugin is still classified as 'in development / incomplete'). There are still some issues:
- gui still shows that ipsec is stopped
- I still get the "unable to load 6 plugin features (5 due to unmet dependencies)" in the ipsec log
- Log level setting changes from the gui are not honored (but I do get the 'changes have been successfully applied' banner).
- Strangely, each line in the log is duplicated; not initially, but only after "12[CFG] received stroke: loglevel 1 for cfg" line [1]
[1] Actually the lines for negotiation are not exact duplicates: one line is preceded by the logging level like so:
May 7 13:33:44 pfsense charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May 7 13:33:44 pfsense charon: 08[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
But this is far enough along for me to dig deeper and try to figure out why the negotiation is failing.
Thanks for looking into this.
-
As of: Current version: 2.2-ALPHA Built On: Sun May 11 03:46:29 CDT 2014
- gui still shows that ipsec is stopped
This one is fixed
- I still get the "unable to load 6 plugin features (5 due to unmet dependencies)" in the ipsec log
This one is still there
- Log level setting changes from the gui are not honored (but I do get the 'changes have been successfully applied' banner).
This one is fixed
- Strangely, each line in the log is duplicated; not initially, but only after "12[CFG] received stroke: loglevel 1 for cfg" line [1]
This one is still there
To date I've not been able to get IPsec to work; I'm trying to get PSK mode working in road warrior mode, and charon is claiming not to find a shared key. The configuration was working with 2.1.2, though by now I've tried lots of different configs. Could it be the 'ipseckey plugin is disabled' that's causing the issue?:
May 11 23:35:01 pfsense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.3, FreeBSD 10.0-STABLE, amd64)
May 11 23:35:01 pfsense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
May 11 23:35:01 pfsense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
May 11 23:35:01 pfsense charon: 00[CFG] ipseckey plugin is disabled
May 11 23:35:01 pfsense charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
May 11 23:35:01 pfsense charon: 00[CFG] loaded ca certificate "C=US, ST=xxxxxxxxxxx CN=internal-ca" from '/var/etc/ipsec/ipsec.d/cacerts/067991fe.0'
May 11 23:35:01 pfsense charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
May 11 23:35:01 pfsense charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
May 11 23:35:01 pfsense charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
May 11 23:35:01 pfsense charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
May 11 23:35:01 pfsense charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
May 11 23:35:01 pfsense charon: 00[CFG] **loaded IKE secret for vpnusers@no_place_special.com**
May 11 23:35:01 pfsense charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
May 11 23:35:01 pfsense charon: 00[CFG] loaded 0 RADIUS server configurations
May 11 23:35:01 pfsense charon: 00[LIB] loaded plugins: charon curl unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
May 11 23:35:01 pfsense charon: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)
May 11 23:35:01 pfsense charon: 00[JOB] spawning 16 worker threads
Failing to find PSK:
May 12 16:48:01 pfsense charon: 11[IKE] IKE_SA con1-1[26] state change: CONNECTING => DESTROYING
May 12 16:48:01 pfsense charon: 11[IKE] <con1-1|26>IKE_SA con1-1[26] state change: CONNECTING => DESTROYING
May 12 16:48:06 pfsense charon: 11[NET] received packet: from 173.xx.yy.zzz[500] to 24.aa.bb.ccc[500] (564 bytes)
May 12 16:48:06 pfsense charon: 11[NET] <27> received packet: from 173.xx.yy.zzz[500] to 24.aa.bb.ccc[500] (564 bytes)
May 12 16:48:06 pfsense charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <27> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <27> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <27> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] received NAT-T (RFC 3947) vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <27> received NAT-T (RFC 3947) vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] received FRAGMENTATION vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <27> received FRAGMENTATION vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] received Cisco Unity vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <27> received Cisco Unity vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] 173.xx.yy.zzz is initiating a Aggressive Mode IKE_SA
May 12 16:48:06 pfsense charon: 11[IKE] <27> 173.xx.yy.zzz is initiating a Aggressive Mode IKE_SA
May 12 16:48:06 pfsense charon: 11[IKE] IKE_SA (unnamed)[27] state change: CREATED => CONNECTING
May 12 16:48:06 pfsense charon: 11[IKE] <27> IKE_SA (unnamed)[27] state change: CREATED => CONNECTING
May 12 16:48:06 pfsense charon: 11[CFG] looking for pre-shared key peer configs matching 24.aa.bb.ccc...173.xx.yy.zzz[vpnusers@no_place_special.com]
May 12 16:48:06 pfsense charon: 11[CFG] <27> looking for pre-shared key peer configs matching 24.aa.bb.ccc...173.xx.yy.zzz[vpnusers@no_place_special.com]
May 12 16:48:06 pfsense charon: 11[CFG] selected peer config "con1-1"
May 12 16:48:06 pfsense charon: 11[CFG] <27> selected peer config "con1-1"
May 12 16:48:06 pfsense charon: 11[IKE] sending XAuth vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>sending XAuth vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] sending DPD vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>sending DPD vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] sending FRAGMENTATION vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>sending FRAGMENTATION vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] sending NAT-T (RFC 3947) vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>sending NAT-T (RFC 3947) vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] no shared key found for '24.aa.bb.ccc'[24.aa.bb.ccc] - 'vpnusers@no_place_special.com'[173.xx.yy.zzz]
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>no shared key found for '24.aa.bb.ccc'[24.aa.bb.ccc] - 'vpnusers@no_place_special.com'[173.xx.yy.zzz]
May 12 16:48:06 pfsense charon: 11[IKE] queueing INFORMATIONAL task
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>queueing INFORMATIONAL task
May 12 16:48:06 pfsense charon: 11[IKE] activating new tasks
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>activating new tasks
May 12 16:48:06 pfsense charon: 11[IKE] activating INFORMATIONAL task
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>activating INFORMATIONAL task
May 12 16:48:06 pfsense charon: 11[NET] sending packet: from 24.aa.bb.ccc[500] to 173.xx.yy.zzz[500] (56 bytes)
May 12 16:48:06 pfsense charon: 11[NET] <con1-1|27>sending packet: from 24.aa.bb.ccc[500] to 173.xx.yy.zzz[500] (56 bytes)
May 12 16:48:06 pfsense charon: 11[IKE] IKE_SA con1-1[27] state change: CONNECTING => DESTROYING
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>IKE_SA con1-1[27] state change: CONNECTING => DESTROYING
May 12 16:48:11 pfsense charon: 11[NET] received packet: from 173.xx.yy.zzz[500] to 24.aa.bb.ccc[500] (564 bytes)
May 12 16:48:11 pfsense charon: 11[NET] <28> received packet: from 173.xx.yy.zzz[500] to 24.aa.bb.ccc[500]
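The duplicated lines reported earlier in this thread (one copy with the `<con1-1|27>` IKE_SA tag, one without) and the "no shared key found" failure above are easier to pick out of a long charon log with a small triage script. The following is an added Python example, not pfSense or strongSwan code: it parses the syslog line format shown in this thread, drops the untagged twin of each tagged line, and flags the events discussed here. The sample log is constructed, with RFC 5737 addresses and an example.com identity standing in for the redacted values.

```python
"""Triage helper for charon (strongSwan) syslog lines.

Added example, not code from pfSense or strongSwan.  It parses the line
format seen in this thread, collapses the duplicate lines (the same event
logged once with and once without the "<con1-1|27>" IKE_SA tag) and flags
the events the thread ran into.  The sample input below is constructed.
"""
import re

# "May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>no shared key found ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d\d)\[(?P<group>[A-Z]{3})\] "
    r"(?:<(?P<sa>[^>]*)>\s*)?(?P<msg>.*)$"
)

# Messages worth acting on, keyed by a short rule name.  Each regex runs
# against the message text after the optional <sa> tag has been stripped.
RULES = {
    # plugin features that could not be loaded at daemon start
    "plugin_features": re.compile(
        r"^unable to load (?P<count>\d+) plugin features"),
    # an IKEv1 Aggressive Mode initiator (PSK identity is sent unprotected)
    "aggressive_mode": re.compile(
        r"^(?P<peer>\S+) is initiating an? Aggressive Mode IKE_SA"),
    # no PSK matched the local/remote identity pair
    "no_psk": re.compile(
        r"^no shared key found for '(?P<local>[^']*)'\[[^\]]*\] - "
        r"'(?P<remote>[^']*)'\[(?P<peer>[^\]]*)\]"),
    # peer stayed silent when asked to reauthenticate
    "reauth_missing": re.compile(r"^initiator did not reauthenticate"),
}


def parse(line):
    """Return the fields of one charon syslog line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def dedupe(lines):
    """Drop an untagged line when the same event also appears with an <sa> tag.

    The key is (timestamp, thread, group, message); the tagged copy is kept
    because it carries the connection name and IKE_SA number.
    """
    events = [e for e in map(parse, lines) if e]
    tagged = {(e["ts"], e["thread"], e["group"], e["msg"])
              for e in events if e["sa"] is not None}
    return [e for e in events
            if e["sa"] is not None
            or (e["ts"], e["thread"], e["group"], e["msg"]) not in tagged]


def triage(lines):
    """Return (deduplicated events, findings) for an iterable of log lines."""
    events = dedupe(lines)
    findings = []
    for e in events:
        for rule, rx in RULES.items():
            m = rx.match(e["msg"])
            if m:
                findings.append({"rule": rule, "ts": e["ts"], "sa": e["sa"],
                                 **m.groupdict()})
    return events, findings


# Constructed sample in the shape of the thread's log, with RFC 5737
# addresses and an example.com identity in place of the redacted values.
SAMPLE_LOG = """\
May 12 16:48:01 pfsense charon: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)
May 12 16:48:06 pfsense charon: 11[IKE] 198.51.100.7 is initiating a Aggressive Mode IKE_SA
May 12 16:48:06 pfsense charon: 11[IKE] <27> 198.51.100.7 is initiating a Aggressive Mode IKE_SA
May 12 16:48:06 pfsense charon: 11[CFG] selected peer config "con1-1"
May 12 16:48:06 pfsense charon: 11[CFG] <27> selected peer config "con1-1"
May 12 16:48:06 pfsense charon: 11[IKE] no shared key found for '203.0.113.1'[203.0.113.1] - 'vpnusers@example.com'[198.51.100.7]
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>no shared key found for '203.0.113.1'[203.0.113.1] - 'vpnusers@example.com'[198.51.100.7]
May 12 16:48:06 pfsense charon: 11[IKE] IKE_SA con1-1[27] state change: CONNECTING => DESTROYING
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>IKE_SA con1-1[27] state change: CONNECTING => DESTROYING
"""

if __name__ == "__main__":
    evs, found = triage(SAMPLE_LOG.splitlines())
    print(f"{len(evs)} events after dedupe")
    for f in found:
        print(f["ts"], f["rule"], f["sa"],
              {k: v for k, v in f.items() if k not in ("ts", "rule", "sa")})
```

On a real box, feed it the IPsec log from the GUI or /var/log and read the `no_psk` findings: the `local` and `remote` identities printed are exactly the pair an ipsec.secrets entry has to match.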
-
Can you try next snapshots?
Also, if you get issues on matching the ID, try using a PSK with a name of 'allusers'.
-
Works for me now, thanks. I did add 'any' and 'allusers', and also changed the client to use ip address as remote identity rather than 'key identifier'. Not sure which did it.
-
Check the format of ipsec.secrets. I added some code yesterday to make it properly honor the mobile tunnel identifier when it otherwise wouldn't.
Using allusers can help but it sets up an anonymous PSK which may not be what you want for general mobile IPsec (but it would be what someone wants for L2TP+IPsec)
-
Yep, the image I'm using already has that commit. Just now I took out the anonymous allusers and any PSK, and added the remote IP address. It still connects OK with IP, I'll try to test key id later.
I'm seeing the connection being destroyed due to initiator not reauthenticating though, but that may well be a config problem on the client end (shrewsoft). Client is unaware that the connection is dropped. Not sure why a timeout is announced 9 minutes before it's scheduled, and then the connection is dropped immediately. What happened to the 9 minutes?
May 16 13:14:29 pfsense charon: 05[IKE] <con1-1|19>initiator did not reauthenticate as requested
May 16 13:14:29 pfsense charon: 05[IKE] IKE_SA con1-1[19] will timeout in 9 minutes
May 16 13:14:29 pfsense charon: 05[IKE] <con1-1|19>IKE_SA con1-1[19] will timeout in 9 minutes
May 16 13:14:56 pfsense charon: 07[IKE] <con1-1|19>delaying task initiation, QUICK_MODE exchange in progress
May 16 13:15:00 pfsense charon: 07[IKE] giving up after 5 retransmits
May 16 13:15:00 pfsense charon: 07[IKE] <con1-1|19>giving up after 5 retransmits
May 16 13:15:00 pfsense charon: 07[IKE] unable to reestablish IKE_SA due to asymmetric setup
May 16 13:15:00 pfsense charon: 07[IKE] <con1-1|19>unable to reestablish IKE_SA due to asymmetric setup
May 16 13:15:00 pfsense charon: 07[IKE] IKE_SA con1-1[19] state change: ESTABLISHED => DESTROYING
May 16 13:15:00 pfsense charon: 07[IKE] <con1-1|19>IKE_SA con1-1[19] state change: ESTABLISHED => DESTROYING
May 16 13:15:00 pfsense charon: 07[CFG] lease 192.168.3.1 by '10.5.60.58' went offline
May 16 13:15:00 pfsense charon: 07[CFG] <con1-1|19>lease 192.168.3.1 by '10.5.60.58' went offline
-
There are still some issues, some fixed by the commits made today (gitsync if you can't wait) but a couple more I'm about to create tickets for as they're not so simple.
-
In short:
- Snap from this morning can't have more than one concurrent user connected, fixed now
- "Provide a list of accessible networks to clients" doesn't seem to work, but it does work if you specify the policy on the client (Shrew, Android) or if the client ignores that and tunnels everything anyway (iOS).
- "Tunnel All" only works if you add a P2 with 0.0.0.0/0 as local
- If the same user connects twice, the first connection is cut off (good/intentional behavior, but may be different from 2.1)
-
[2.2-ALPHA][root@pfsense.localdomain]/root(4): cat /etc/version.buildtime
Mon May 19 13:13:23 CDT 2014
[2.2-ALPHA][root@pfsense.localdomain]/root(5): ipsec pki
exec: /usr/local/bin/pki: not found
[2.2-ALPHA][root@pfsense.localdomain]/root(6): find / -iname pki
[2.2-ALPHA][root@pfsense.localdomain]/root(7):
Is this intentional? Any valid reason not to include it?
-
Added, mostly an oversight.
Though why one would need it in a GUI environment is beyond me.
-
- Snap from this morning can't have more than one concurrent user connected, fixed now
Fixed on current snaps.
- "Provide a list of accessible networks to clients" doesn't seem to work, but it does work if you specify the policy on the client (Shrew, Android) or if the client ignores that and tunnels everything anyway (iOS).
Should be fixed on the next new snaps.
- "Tunnel All" only works if you add a P2 with 0.0.0.0/0 as local
That appears to be a difference in how strongswan and racoon operate mobile connections. It's going to be required to add that manually unless we add an option to automatically add it.
Also L2TP+IPsec is almost working. More on that later.
-
@ermal:
Though why one would need it in a GUI environment is beyond me.
So newbies like me can follow how-tos on the 'net, trying to learn :)
-
Thanks for working on this. I'm seeing the following (ask for more details if needed):
- banner doesn't appear (shrewsoft client, banner appeared with racoon)
- re-auth fails, client is oblivious (psk road warrior config)
- No SAs or SPs appear on the web gui when connected
- connect by key-id doesn't work, but connect by ip-address does work (again, psk aggressive, aka weakswan :) )
Let me know if there is any particular testing or other info you need! I'm pretty new to IPSEC, just trying to get my 2.1 config working under 2.2.
BTW, the change to weakswan under psk aggressive is a strong motivator to learn a proper config...
-
- banner doesn't appear (shrewsoft client, banner appeared with racoon)
It shows up for me. Are you sure you're on a current snapshot?
Though it appears to only allow a single line banner, where racoon allowed a multi-line banner.
- re-auth fails, client is oblivious (psk road warrior config)
re-auth when? When the P1 expires? Or when the server restarts?
- No SAs or SPs appear on the web gui when connected
That's expected at the moment, there's a ticket open. Those tabs may go away, all the info is on the first tab there's a button under each connection to view the child SAs.
- connect by key-id doesn't work, but connect by ip-address does work (again, psk aggressive, aka weakswan :) )
What does that mean? Using the key id or IP address where on the client/server?
-
- banner doesn't appear (shrewsoft client, banner appeared with racoon)
It shows up for me. Are you sure you're on a current snapshot?
Though it appears to only allow a single line banner, where racoon allowed a multi-line banner.
Current as of last night
- re-auth fails, client is oblivious (psk road warrior config)
re-auth when? When the P1 expires? Or when the server restarts?
When P1 expires:
May 21 10:33:46 pfsense charon: 01[IKE] <con1-1|4>IKE_SA con1-1[4] established between 24.74.xx.yy[24.74.xx.yy]...173.15.aa.bb[10.5.60.58]
May 21 10:33:46 pfsense charon: 01[IKE] scheduling reauthentication in 2828s
May 21 10:33:46 pfsense charon: 01[IKE] <con1-1|4>scheduling reauthentication in 2828s
May 21 10:33:46 pfsense charon: 01[IKE] maximum IKE_SA lifetime 3368s
.
.
.
May 21 11:20:06 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
May 21 11:20:26 pfsense charon: 16[IKE] sending keep alive to 173.15.aa.bb[4500]
May 21 11:20:26 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
May 21 11:20:46 pfsense charon: 16[IKE] sending keep alive to 173.15.aa.bb[4500]
May 21 11:20:46 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
May 21 11:20:54 pfsense charon: 16[IKE] initiator did not reauthenticate as requested <== 2828 sec expires here
May 21 11:20:54 pfsense charon: 16[IKE] <con1-1|4>initiator did not reauthenticate as requested
May 21 11:20:54 pfsense charon: 16[IKE] IKE_SA con1-1[4] will timeout in 9 minutes
May 21 11:20:54 pfsense charon: 16[IKE] <con1-1|4>IKE_SA con1-1[4] will timeout in 9 minutes
May 21 11:20:54 pfsense charon: 11[KNL] creating rekey job for ESP CHILD_SA with SPI c3d88eca and reqid {1}
May 21 11:20:54 pfsense charon: 11[ENC] generating QUICK_MODE request 2100136337 [ HASH SA No ID ID ]
May 21 11:20:54 pfsense charon: 11[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
May 21 11:20:58 pfsense charon: 16[IKE] sending retransmit 1 of request message ID 2100136337, seq 1
May 21 11:20:58 pfsense charon: 16[IKE] <con1-1|4>sending retransmit 1 of request message ID 2100136337, seq 1
May 21 11:20:58 pfsense charon: 16[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
May 21 11:21:06 pfsense charon: 16[IKE] sending retransmit 2 of request message ID 2100136337, seq 1
May 21 11:21:06 pfsense charon: 16[IKE] <con1-1|4>sending retransmit 2 of request message ID 2100136337, seq 1
May 21 11:21:06 pfsense charon: 16[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
May 21 11:21:19 pfsense charon: 16[IKE] sending retransmit 3 of request message ID 2100136337, seq 1
May 21 11:21:19 pfsense charon: 16[IKE] <con1-1|4>sending retransmit 3 of request message ID 2100136337, seq 1
May 21 11:21:19 pfsense charon: 16[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
May 21 11:21:38 pfsense charon: 16[IKE] sending keep alive to 173.15.aa.bb[4500]
May 21 11:21:38 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
May 21 11:21:42 pfsense charon: 16[IKE] sending retransmit 4 of request message ID 2100136337, seq 1
May 21 11:21:42 pfsense charon: 16[IKE] <con1-1|4>sending retransmit 4 of request message ID 2100136337, seq 1
May 21 11:21:42 pfsense charon: 16[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
May 21 11:21:42 pfsense charon: 16[KNL] creating rekey job for ESP CHILD_SA with SPI c71c158f and reqid {1}
May 21 11:22:01 pfsense charon: 01[IKE] sending keep alive to 173.15.aa.bb[4500]
May 21 11:22:01 pfsense charon: 01[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
May 21 11:22:21 pfsense charon: 01[IKE] sending keep alive to 173.15.aa.bb[4500]
May 21 11:22:21 pfsense charon: 01[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
May 21 11:22:24 pfsense charon: 01[IKE] sending retransmit 5 of request message ID 2100136337, seq 1
May 21 11:22:24 pfsense charon: 01[IKE] <con1-1|4>sending retransmit 5 of request message ID 2100136337, seq 1
May 21 11:22:24 pfsense charon: 01[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
May 21 11:22:43 pfsense charon: 01[IKE] sending keep alive to 173.15.aa.bb[4500]
May 21 11:22:43 pfsense charon: 01[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
May 21 11:23:03 pfsense charon: 01[IKE] sending keep alive to 173.15.aa.bb[4500]
May 21 11:23:03 pfsense charon: 01[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
May 21 11:23:23 pfsense charon: 16[IKE] sending keep alive to 173.15.aa.bb[4500]
May 21 11:23:23 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
May 21 11:23:39 pfsense charon: 16[IKE] giving up after 5 retransmits
May 21 11:23:39 pfsense charon: 16[IKE] <con1-1|4>giving up after 5 retransmits
May 21 11:23:39 pfsense charon: 16[IKE] unable to reestablish IKE_SA due to asymmetric setup
May 21 11:23:39 pfsense charon: 16[IKE] <con1-1|4>unable to reestablish IKE_SA due to asymmetric setup
May 21 11:23:39 pfsense charon: 16[KNL] unable to delete SAD entry with SPI ca40ad92: No such file or directory (2)
May 21 11:23:39 pfsense charon: 16[CFG] lease 192.168.3.2 by '10.5.60.58' went offline
- connect by key-id doesn't work, but connect by ip-address does work (again, psk aggressive, aka weakswan :) )
What does that mean? Using the key id or IP address where on the client/server?
On pfSense I have to configure PSK entries for the ip addresses , and configure the shrewsoft client to use 'ip address (discovered remote host address)'. Can't get 'key id' to work. I'll pay more attention and give better details, or set up proper certs.