[openstack-dev] VPNaaS strongswan questions...

Paul Michali pcm at cisco.com
Wed May 15 17:27:28 UTC 2013


Just FYI,

I was able to get a site-to-site strongSwan IPsec-with-PSKs setup (shown in the URL from my previous post) working on Ubuntu nodes running in VirtualBox VMs. The sticking points were loading socket-raw, instead of socket-default (as shown in the example), and setting IPv4 forwarding.

Next, I'll look at Nachi's BP for API and look more into the strongswan wiki for info on setup (need to see how to set up via CLI). I've gotta look at Swami's API/module wiki too! 


Any comments/suggestions welcome...

PCM (Paul Michali)


On May 14, 2013, at 9:49 PM, Paul Michali wrote:

> Hi guys… very slow process here…
> 
> I finally was able to get four VMs running in VirtualBox, with a topology and config set up like this:
> 
> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/
> 
> Only difference is that I have a NAT I/F (to do S/W installs), which shows as eth0.
> 
> I restarted the ipsec service on each GW. On moon, it indicated that the pkcs11 plugin failed to load (thinking that is OK, as not using smart cards). On sun, it indicated that the socket-default plugin failed to load. Though, I did the restart again and now it only mentions the pkcs11 plugin.
> 
> I tried ipsec start on each GW. On sun, I see:
> !! Your strongswan.conf contains manual plugin load options for
> !! pluto and/or charon. This is recommended for experts only, see
> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> 
> Q: Is that possibly a problem?
> 
> 
> I did ipsec up net-net on each side and I see messages of retransmitting:
> 
> openstack@sun:/var/log$ sudo ipsec up net-net
> initiating IKE_SA net-net[1] to 192.168.0.1
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 192.168.0.2[500] to 192.168.0.1[500]
> retransmit 1 of request with message ID 0
> sending packet: from 192.168.0.2[500] to 192.168.0.1[500]
> retransmit 2 of request with message ID 0
> sending packet: from 192.168.0.2[500] to 192.168.0.1[500]
> 
> If I look at status, I see that it is connecting, but not completing:
> 
> openstack@moon:/var/log$ sudo ipsec statusall
> 000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth0/eth0 10.0.2.15:500
> 000 interface eth1/eth1 10.1.0.1:500
> 000 interface eth2/eth2 192.168.0.1:500
> 000 %myid = '%any'
> 000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve 
> 000 debug options: none
> 000 
> Status of IKEv2 charon daemon (strongSwan 4.5.2):
>   uptime: 72 seconds, since May 14 21:32:21 2013
>   malloc: sbrk 270336, mmap 0, used 237648, free 32688
>   worker threads: 7 idle of 16, job queue load: 0, scheduled events: 1
>   loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock 
> Listening IP addresses:
>   10.0.2.15
>   10.1.0.1
>   192.168.0.1
> Connections:
>      net-net:  192.168.0.1...192.168.0.2
>      net-net:   local:  [moon.strongswan.org] uses pre-shared key authentication
>      net-net:   remote: [sun.strongswan.org] uses any authentication
>      net-net:   child:  10.1.0.0/16 === 10.2.0.0/16 
> Security Associations:
>      net-net[1]: CONNECTING, 192.168.0.1[%any]...192.168.0.2[%any]
>      net-net[1]: IKE SPIs: 95f2e9c6f5315397_i* 0000000000000000_r
>      net-net[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTHENTICATE IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME 
> 
> Q: Any idea why the SA is not connecting? Any debugging tips? I tried tcpdump on the I/F, but see no output during the startup. Installing wireshark on one node and will see what it shows.
> 
> 
> Goal here is to get this going and then see what the commands are to setup and start the tunnels. Then, I'd guess trying to see how that maps to the APIs.
> 
> Comments/suggestions welcome!
> 
> 
> PCM (Paul Michali)
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

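Added example (not code from the mailing-list post, from strongSwan, or from the OpenStack VPNaaS work): a small shell script that stages the net-net PSK configuration for the "moon" gateway of the topology Paul references, and checks the two sticking points the thread identified. The first check parses the charon load line of strongswan.conf and confirms that the socket plugin it names is actually in charon's "loaded plugins" line of `ipsec statusall` (the Ubuntu 4.5.2 build quoted above lists socket-raw, not socket-default); the second checks net.ipv4.ip_forward. Assumptions: strongSwan 4.5.x ipsec.conf/strongswan.conf syntax as in the strongswan.org net2net-psk test, a placeholder PSK, and a staging directory instead of /etc so the script runs unprivileged. The sample statusall text inside the script is constructed from the output quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or from strongSwan.
# Stages a net-net PSK config for "moon" (192.168.0.1, 10.1.0.0/16) talking
# to "sun" (192.168.0.2, 10.2.0.0/16) and checks the charon socket plugin and
# IPv4 forwarding. Files go to $STAGE (assumption: not /etc), so this runs
# unprivileged; copy them to /etc and run `ipsec restart` yourself.

STAGE="${STAGE:-./strongswan-stage}"

write_config() {
    mkdir -p "$STAGE"
    # ipsec.conf: IKEv2, PSK auth, one net-to-net child SA (mirrors the
    # strongswan.org net2net-psk test; swap left/right values for "sun").
    cat > "$STAGE/ipsec.conf" <<'EOF'
config setup
  plutostart=no

conn %default
  keyexchange=ikev2
  authby=secret
  mobike=no

conn net-net
  left=192.168.0.1
  leftsubnet=10.1.0.0/16
  leftid=@moon.strongswan.org
  leftfirewall=yes
  right=192.168.0.2
  rightsubnet=10.2.0.0/16
  rightid=@sun.strongswan.org
  auto=add
EOF
    # ipsec.secrets: identical line on both gateways. The secret is a
    # placeholder (assumption); generate a long random one and keep mode 0600.
    cat > "$STAGE/ipsec.secrets" <<'EOF'
moon.strongswan.org sun.strongswan.org : PSK "REPLACE-WITH-A-LONG-RANDOM-SECRET"
EOF
    chmod 600 "$STAGE/ipsec.secrets"
    # strongswan.conf: the strongswan.org example loads socket-default, but the
    # Ubuntu 4.5.2 build in the thread only has socket-raw (see its statusall),
    # so name socket-raw here.
    cat > "$STAGE/strongswan.conf" <<'EOF'
charon {
  load = aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-raw updown
}
EOF
}

# Return 0 if the socket-* plugin named on the charon load line of $1 also
# appears in charon's (not pluto's) "loaded plugins" line of the
# `ipsec statusall` dump in $2; 1 if it is missing; 2 if $1 names none.
socket_plugin_loaded() {
    conf="$1"; status="$2"
    want=$(sed -n 's/.*load[[:space:]]*=.*\(socket-[a-z]*\).*/\1/p' "$conf" | head -n 1)
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        /^000/ { next }          # pluto lines are prefixed "000"; skip them
        /loaded plugins:/ { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
        END { if (found) exit 0; exit 1 }' "$status"
}

# Return 0 if IPv4 forwarding is on ($1 overrides the sysctl path for tests).
# Enable with: sysctl -w net.ipv4.ip_forward=1 (persist in /etc/sysctl.conf).
ipv4_forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Constructed sample: the plugin lines of the `ipsec statusall` output quoted
# in the thread (pluto's line, then charon's).
sample_statusall() {
    cat <<'EOF'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
Status of IKEv2 charon daemon (strongSwan 4.5.2):
  loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown
EOF
}

# Stand-alone usage on a live gateway:
#   write_config
#   ipsec statusall > /tmp/status && socket_plugin_loaded "$STAGE/strongswan.conf" /tmp/status
#   ipv4_forwarding_enabled
```

The plugin check is worth running before chasing packets: if charon's load line names a socket plugin the build does not ship, the plugin list in statusall will not contain it, and `ipsec up` will sit in retransmits with nothing for tcpdump to show, which matches the symptom in the thread.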