[openstack-dev] VPNaaS strongswan questions...

Paul Michali pcm at cisco.com
Wed May 15 01:49:50 UTC 2013


Hi guys… very slow process here…

I finally was able to get four VMs running in Virtual box, with a topology and config set up like this:

http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/

Only difference is that I have a NAT I/F (to do S/W installs), which shows as eth0.

I restarted ipsec service on each GW. On moon, it indicated that the pkcs11 plugin failed to load (thinking that is OK, as not using smart cards). On sun, it indicated that the socket-default plugin failed to load. Though, I did the restart again and now it only mentions the pkcs11 plugin.

I tried ipsec start on each GW. On sun, I see:
!! Your strongswan.conf contains manual plugin load options for
!! pluto and/or charon. This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad

Q: Is that possibly a problem?


I did ipsec up net-net on each side and I see messages of retransmitting:

openstack at sun:/var/log$ sudo ipsec up net-net
initiating IKE_SA net-net[1] to 192.168.0.1
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.0.2[500] to 192.168.0.1[500]
retransmit 1 of request with message ID 0
sending packet: from 192.168.0.2[500] to 192.168.0.1[500]
retransmit 2 of request with message ID 0
sending packet: from 192.168.0.2[500] to 192.168.0.1[500]

If I look at status, I see that it is connecting, but not completing:

openstack at moon:/var/log$ sudo ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.0.2.15:500
000 interface eth1/eth1 10.1.0.1:500
000 interface eth2/eth2 192.168.0.1:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve 
000 debug options: none
000 
Status of IKEv2 charon daemon (strongSwan 4.5.2):
  uptime: 72 seconds, since May 14 21:32:21 2013
  malloc: sbrk 270336, mmap 0, used 237648, free 32688
  worker threads: 7 idle of 16, job queue load: 0, scheduled events: 1
  loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock 
Listening IP addresses:
  10.0.2.15
  10.1.0.1
  192.168.0.1
Connections:
     net-net:  192.168.0.1...192.168.0.2
     net-net:   local:  [moon.strongswan.org] uses pre-shared key authentication
     net-net:   remote: [sun.strongswan.org] uses any authentication
     net-net:   child:  10.1.0.0/16 === 10.2.0.0/16 
Security Associations:
     net-net[1]: CONNECTING, 192.168.0.1[%any]...192.168.0.2[%any]
     net-net[1]: IKE SPIs: 95f2e9c6f5315397_i* 0000000000000000_r
     net-net[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTHENTICATE IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME 

Q: Any idea why the SA is not connecting? Any debugging tips? I tried tcpdump on the I/F, but see no output during the startup. Installing wireshark on one node and will see what it shows.


Goal here is to get this going and then see what the commands are to set up and start the tunnels. Then, I'd guess trying to see how that maps to the APIs.

Comments/suggestions welcome!


PCM (Paul Michali)
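Added example, not part of Paul's post and not a strongSwan tool: a small Python script that reads `ipsec up` and `ipsec statusall` output of the shape quoted above, counts retransmits per IKE message ID, and flags an IKE_SA that is stuck in CONNECTING while its responder SPI is still all zero (no IKE_SA_INIT reply ever arrived, so UDP/500 reachability between the gateways is the first thing to check, before PSK or ID configuration). The sample output strings and the diagnosis labels are constructed for this example.

```python
import re
# Constructed samples shaped after the "ipsec up" / "ipsec statusall" output in the post.
UP_OUTPUT = """\
initiating IKE_SA net-net[1] to 192.168.0.1
sending packet: from 192.168.0.2[500] to 192.168.0.1[500]
retransmit 1 of request with message ID 0
sending packet: from 192.168.0.2[500] to 192.168.0.1[500]
retransmit 2 of request with message ID 0
"""
STATUS_OUTPUT = """\
Security Associations:
     net-net[1]: CONNECTING, 192.168.0.1[%any]...192.168.0.2[%any]
     net-net[1]: IKE SPIs: 95f2e9c6f5315397_i* 0000000000000000_r
"""
RETRANSMIT_RE = re.compile(r"^retransmit (\d+) of request with message ID (\d+)")
SA_STATE_RE = re.compile(r"^\s*(\S+)\[(\d+)\]: ([A-Z_]+), (\S+)\.\.\.(\S+)")
SPI_RE = re.compile(r"^\s*(\S+)\[(\d+)\]: IKE SPIs: ([0-9a-f]+)_i\*? ([0-9a-f]+)_r\*?")

def count_retransmits(text):
    """Highest retransmit number seen per IKE message ID (from 'ipsec up' output)."""
    counts = {}
    for line in text.splitlines():
        m = RETRANSMIT_RE.match(line)
        if m:
            n, msg_id = int(m.group(1)), int(m.group(2))
            counts[msg_id] = max(counts.get(msg_id, 0), n)
    return counts

def parse_sas(text):
    """Per IKE_SA: state, peer address, and whether the responder SPI is still all zero."""
    sas = {}
    for line in text.splitlines():
        m = SA_STATE_RE.match(line)
        if m:
            sa = sas.setdefault(f"{m.group(1)}[{m.group(2)}]", {})
            sa["state"], sa["peer"] = m.group(3), m.group(5).split("[")[0]
            continue
        m = SPI_RE.match(line)
        if m:
            sa = sas.setdefault(f"{m.group(1)}[{m.group(2)}]", {})
            sa["responder_spi_zero"] = set(m.group(4)) == {"0"}
    return sas

def diagnose(sa):
    """Map the SA state to the layer most likely failing (a heuristic, not strongSwan's own)."""
    if sa.get("state") == "CONNECTING" and sa.get("responder_spi_zero"):
        # Zero _r SPI: no IKE_SA_INIT reply was ever received, so with message ID 0
        # retransmitting, look at UDP/500 (and 4500) reachability before PSK/ID config.
        return "no-reply"
    if sa.get("state") == "CONNECTING":
        return "auth-incomplete"  # peer replied; check PSK and identities next
    return "ok"
```

Running `diagnose` over `parse_sas(STATUS_OUTPUT)` with the post's output returns "no-reply", which matches the retransmits of message ID 0 and the absence of anything in tcpdump on the far side.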
