[openstack-dev] VPNaaS strongswan questions...
Vasudevan, Swaminathan (PNB Roseville)
swaminathan.vasudevan at hp.com
Wed May 15 15:54:17 UTC 2013
Hi Paul,
Can you turn on Pluto logging if you are using IKEv1, and charon logging if you are using IKEv2?
Please send me the log information.
Thanks
Swaminathan Vasudevan
Systems Software Engineer (TC)
HP Networking
Hewlett-Packard
8000 Foothills Blvd
M/S 5541
Roseville, CA - 95747
tel: 916.785.0937
fax: 916.785.1815
email: swaminathan.vasudevan at hp.com
From: Paul Michali [mailto:pcm at cisco.com]
Sent: Tuesday, May 14, 2013 6:50 PM
To: Nachi Ueno; Vasudevan, Swaminathan (PNB Roseville)
Cc: OpenStack Development Mailing List
Subject: VPNaaS strongswan questions...
Hi guys... very slow process here...
I finally was able to get four VMs running in Virtual box, with a topology and config set up like this:
http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/
Only difference is that I have a NAT I/F (to do S/W installs), which shows as eth0.
I restarted the ipsec service on each GW. On moon, it indicated that the pkcs11 plugin failed to load (thinking that is OK, as not using smart cards). On sun, it indicated that the socket-default plugin failed to load. Though, I did the restart again and now it only mentions the pkcs11 plugin.
I tried ipsec start on each GW. On sun, I see:
!! Your strongswan.conf contains manual plugin load options for
!! pluto and/or charon. This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
Q: Is that possibly a problem?
I did ipsec up net-net on each side and I see messages of retransmitting:
openstack at sun:/var/log$ sudo ipsec up net-net
initiating IKE_SA net-net[1] to 192.168.0.1
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.0.2[500] to 192.168.0.1[500]
retransmit 1 of request with message ID 0
sending packet: from 192.168.0.2[500] to 192.168.0.1[500]
retransmit 2 of request with message ID 0
sending packet: from 192.168.0.2[500] to 192.168.0.1[500]
If I look at status, I see that it is connecting, but not completing:
openstack at moon:/var/log$ sudo ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.0.2.15:500
000 interface eth1/eth1 10.1.0.1:500
000 interface eth2/eth2 192.168.0.1:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
Status of IKEv2 charon daemon (strongSwan 4.5.2):
uptime: 72 seconds, since May 14 21:32:21 2013
malloc: sbrk 270336, mmap 0, used 237648, free 32688
worker threads: 7 idle of 16, job queue load: 0, scheduled events: 1
loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Listening IP addresses:
10.0.2.15
10.1.0.1
192.168.0.1
Connections:
net-net: 192.168.0.1...192.168.0.2
net-net: local: [moon.strongswan.org] uses pre-shared key authentication
net-net: remote: [sun.strongswan.org] uses any authentication
net-net: child: 10.1.0.0/16 === 10.2.0.0/16
Security Associations:
net-net[1]: CONNECTING, 192.168.0.1[%any]...192.168.0.2[%any]
net-net[1]: IKE SPIs: 95f2e9c6f5315397_i* 0000000000000000_r
net-net[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTHENTICATE IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME
Q: Any idea why the SA is not connecting? Any debugging tips? I tried tcpdump on the I/F, but see no output during the startup. Installing wireshark on one node and will see what it shows.
Goal here is to get this going and then see what the commands are to setup and start the tunnels. Then, I'd guess trying to see how that maps to the APIs.
Comments/suggestions welcome!
PCM (Paul Michali)
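To make the stuck-negotiation symptom above concrete, here is an added Python script (not from the thread or from strongSwan) that reads the 'ipsec up' and 'ipsec statusall' text and reports whether the IKE_SA_INIT request was ever answered, using the retransmit lines and the all-zero responder SPI. The sample text it parses is constructed from the lines posted above; the verdict wording and the regexes are the script's own assumptions about charon's output format.

```python
import re
# Constructed samples mirroring the 'ipsec up net-net' and 'ipsec statusall' text in the thread.
UP_OUTPUT = """\
initiating IKE_SA net-net[1] to 192.168.0.1
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.0.2[500] to 192.168.0.1[500]
retransmit 1 of request with message ID 0
sending packet: from 192.168.0.2[500] to 192.168.0.1[500]
retransmit 2 of request with message ID 0
"""
STATUS_OUTPUT = """\
Security Associations:
net-net[1]: CONNECTING, 192.168.0.1[%any]...192.168.0.2[%any]
net-net[1]: IKE SPIs: 95f2e9c6f5315397_i* 0000000000000000_r
"""

SA_RE = re.compile(r"^(\S+)\[\d+\]: ([A-Z_]+), (\S+)\.\.\.(\S+)$")
SPI_RE = re.compile(r"IKE SPIs: ([0-9a-f]{16})_i(\*?) ([0-9a-f]{16})_r")
RETRANS_RE = re.compile(r"retransmit (\d+) of request with message ID (\d+)")


def parse_status(text):
    """Map each IKE_SA name to its state, peers, role and responder SPI."""
    sas, current = {}, None
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if m:
            current = m.group(1)
            sas[current] = {"state": m.group(2), "local": m.group(3), "remote": m.group(4)}
            continue
        m = SPI_RE.search(line)
        if m and current:
            sas[current]["initiator"] = m.group(2) == "*"  # '*' marks this host's role
            sas[current]["resp_spi"] = m.group(3)
    return sas


def diagnose(up_text, status_text):
    """Return a verdict per SA from the retransmit count and the responder SPI."""
    retries = [int(n) for n, mid in RETRANS_RE.findall(up_text) if mid == "0"]
    verdicts = {}
    for name, sa in parse_status(status_text).items():
        if sa["state"] == "ESTABLISHED":
            verdicts[name] = "ok"
        elif sa.get("initiator") and sa.get("resp_spi") == "0" * 16:
            # All-zero responder SPI: our IKE_SA_INIT (message ID 0) never got a reply.
            verdicts[name] = "no IKE_SA_INIT reply after %d retransmits; UDP/500 from %s to %s never answered" % (
                max(retries, default=0), sa["local"], sa["remote"])
        else:
            verdicts[name] = "IKE_SA_INIT answered; stuck in IKE_AUTH/CHILD_SA, read charon log"
    return verdicts
```

A zero responder SPI means the peer's charon never replied at all, so the next step is a capture for UDP port 500/4500 on the interface that actually carries the 192.168.0.x addresses rather than the NAT interface.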