trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

ipsec.service not loaded (received netlink error: Protocol not supported; unable to add SAD entry with SPI) #445

Closed hailigsblechle closed 7 years ago

hailigsblechle commented 7 years ago

OS / Environment

virtual server , Ubuntu 16.04

Ansible version

ansible 2.0.0.2

Version of components from requirements.txt

msrestazure Version: 0.4.7
setuptools Version: 35.0.1
dopy Version: 0.3.5
boto Version: 2.46.1
boto3 Version: 1.4.4
azure Version: 2.0.0rc5
msrest Version: 0.4.1
apache-libcloud Version: 1.5.0
six Version: 1.10.0
pyOpenSSL Version: 16.2.0
Jinja2 Version: 2.8

Summary of the problem

Can't connect to VPN. Aborts while connecting on iOS or Mac OSX

Steps to reproduce the behavior

start connecting to VPN.

The way of deployment (cloud or local)

local

Full log

log of journalctl -xe

adding SAD entry with SPI c39c24d0 and reqid {15} (mark 0/0x00000000)
using encryption algorithm AES_GCM_16 with key size 160
using replay window of 32 packets
received netlink error: Protocol not supported (93)
unable to add SAD entry with SPI c39c24d0
adding SAD entry with SPI 0e97a4fd and reqid {15} (mark 0/0x00000000)
using encryption algorithm AES_GCM_16 with key size 160
using replay window of 32 packets
received netlink error: Protocol not supported (93)
unable to add SAD entry with SPI 0e97a4fd
unable to install inbound and outbound IPsec SA (SAD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
deleting SAD entry with SPI c39c24d0 (mark 0/0x00000000)
deleted SAD entry with SPI c39c24d0 (mark 0/0x00000000)
deleting SAD entry with SPI 0e97a4fd (mark 0/0x00000000)

dguido commented 7 years ago

Can you login to the server over SSH, do a 'service ipsec stop', then start it again with 'ipsec start --nofork', and paste the logs here? I'd like to see what StrongSwan thinks about this on the server side.

hailigsblechle commented 7 years ago

I ran service ipsec stop and ipsec.service seems not to be loaded, which is strange.

(env) root@my-ip:~/algo-master# service ipsec stop
Failed to stop ipsec.service: Unit ipsec.service not loaded.
(env) root@my-ip:~/algo-master# 
(env) root@my-ip:~/algo-master# ipsec start --nofork
Starting strongSwan 5.3.5 IPsec [starter]...
charon is already running (/var/run/charon.pid exists) -- skipping daemon start
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
starter is already running (/var/run/starter.charon.pid exists) -- no fork done

jackivanov commented 7 years ago

What cloud provider do you use? @hailigsblechle

hailigsblechle commented 7 years ago

I use a virtual server which seems to be using OpenVZ (Open Virtuozzo) if this is any hint.

jackivanov commented 7 years ago

We have to add some instructions about how to check whether the VPS is compatible with Algo for unsupported cloud providers.

@hailigsblechle, For now you can check this - https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules

hailigsblechle commented 7 years ago

Unfortunately check.sh says:

grep: /boot/config-4.4.0-042stab120.11: No such file or directory
...

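As an added diagnostic for the compatibility check the wiki link above describes and for the failing grep in the comment just above (this is example code, not Algo's, strongSwan's, or the wiki's check.sh): a POSIX sh script that locates the kernel config, reports the container case where /boot/config-$(uname -r) does not exist instead of erroring, and lists the IPsec options that are missing. The option list is an assumed subset of what the strongSwan KernelModules page lists.

```shell
#!/bin/sh
# Added example (not Algo's or strongSwan's code): does this kernel expose the
# netlink XFRM/ESP IPsec stack that strongSwan's kernel-netlink plugin needs?
# OpenVZ guests usually have no /boot/config-$(uname -r); that case is reported.

# Assumed subset of the options on the strongSwan KernelModules wiki page.
# A kernel with no ESP support is what yields "netlink error: Protocol not supported".
REQUIRED_OPTS="CONFIG_XFRM CONFIG_XFRM_USER CONFIG_NET_KEY CONFIG_INET_ESP CONFIG_INET6_ESP"

# Print the running kernel's config to stdout; fail if none is readable.
kernel_config() {
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "no kernel config readable for $(uname -r) (container kernel?)" >&2
        return 1
    fi
}

# Read a kernel config from file $1 and print every required option that is
# neither built in (=y) nor a module (=m). Returns 0 if nothing is missing.
missing_ipsec_opts() {
    cfg="$1"
    status=0
    for opt in $REQUIRED_OPTS; do
        if ! grep -q -E "^${opt}=(y|m)$" "$cfg"; then
            echo "$opt"
            status=1
        fi
    done
    return $status
}

# Run the check against the kernel this host is booted with.
# Exit code: 0 supported, 1 options missing, 2 no config to inspect.
check_running_kernel() {
    tmp=$(mktemp) || return 2
    kernel_config > "$tmp" || { rm -f "$tmp"; return 2; }
    if missing_ipsec_opts "$tmp"; then
        echo "kernel IPsec support looks complete"; result=0
    else
        echo "options above are missing; strongSwan cannot install SAs here"; result=1
    fi
    rm -f "$tmp"
    return $result
}
```

Running check_running_kernel on an OpenVZ guest returns 2 (no config to inspect) rather than a bare grep error, which is the first thing to confirm before reading charon logs.
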
hailigsblechle commented 7 years ago

This link describes the issue with IPsec in the OpenVZ kernel:

http://wiki.loopop.net/doku.php?id=server:vpn:strongswanonopenvz

Since there is no native support for IPsec in the OpenVZ kernel, it is not possible to use Openswan, strongSwan or Racoon for an IPsec VPN on an OpenVZ VM.

This has changed: a plugin called kernel-libipsec was introduced after strongSwan version 5.10. We can use this plugin with TUN to simulate IPsec support in userspace.

Is there a way of using this to simulate IPsec support in userspace? @gunph1ld

dguido commented 7 years ago

No, we're not making those changes just to support OpenVZ. There are also concerns about the safety and performance of libipsec that are not addressed.

wiiind commented 7 years ago

I am getting exactly the same problem with deployment to AWS from a windows machine.

Also got the following response when I ran the command service ipsec stop:

(env) root@my-ip:~/algo-master# service ipsec stop
Failed to stop ipsec.service: Unit ipsec.service not loaded.
(env) root@my-ip:~/algo-master#
(env) root@my-ip:~/algo-master# ipsec start --nofork
Starting strongSwan 5.3.5 IPsec [starter]...
charon is already running (/var/run/charon.pid exists) -- skipping daemon start
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
starter is already running (/var/run/starter.charon.pid exists) -- no fork done

wiiind commented 7 years ago

Let me know if there's any commands to try to get more helpful logs.

I am on commit 451394100db4cbb93d9d13345c54747e3146ccaa

rvkasper commented 7 years ago

I've been running: sudo ipsec restart --nofork

wiiind commented 7 years ago

This one worked. The logs I got are pasted below. I restarted the service and then tried to connect from my iOS 10.3 device.

ubuntu@ip:~$ sudo ipsec restart --nofork
Stopping strongSwan IPsec...
Starting strongSwan 5.3.5 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1016-aws, x86_64)
00[KNL] known interfaces and IP addresses:
00[KNL] lo
00[KNL] 127.0.0.1
00[KNL] 172.16.0.1
00[KNL] fcaa::1
00[KNL] ::1
00[KNL] eth0
00[KNL] 172.16.254.75
00[KNL] 2600:1f18:424:9500:4c11:6ef6:c85e:c0e9
00[KNL] fe80::438:5fff:fe66:ac2c
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "CN=[AWS-Assigned-IP]" from '/etc/ipsec.d/cacerts/ca.crt'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded ECDSA private key from '/etc/ipsec.d/private/[AWS-Assigned-IP].key'
00[LIB] loaded plugins: charon aes sha2 random nonce x509 revocation pubkey pkcs7 pkcs8 pkcs12 pgp pem openssl hmac gcm kernel-netlink socket-default stroke
00[LIB] dropped capabilities, running as uid 1001, gid 1001
00[JOB] spawning 16 worker threads
09[NET] waiting for data on sockets
charon (7842) started after 20 ms
11[CFG] received stroke: add connection 'ikev2-pubkey'
11[CFG] conn ikev2-pubkey
11[CFG] left=%any
11[CFG] leftsubnet=0.0.0.0/0,::/0
11[CFG] leftauth=pubkey
11[CFG] leftid=[AWS-Assigned-IP]
11[CFG] leftcert=[AWS-Assigned-IP].crt
11[CFG] right=%any
11[CFG] rightsourceip=10.19.48.0/24,fd9d:bc11:4020::/48
11[CFG] rightdns=208.67.222.222,138.197.25.214
11[CFG] rightauth=pubkey
11[CFG] ike=aes128gcm16-prfsha512-ecp256,aes128-sha2_512-prfsha512-ecp256,aes128-sha2_384-prfsha384-ecp256!
11[CFG] esp=aes128gcm16-ecp256,aes128-sha2_512-prfsha512-ecp256!
11[CFG] dpddelay=35
11[CFG] dpdtimeout=150
11[CFG] mediation=no
11[CFG] keyexchange=ikev2
11[CFG] adding virtual IP address pool 10.19.48.0/24
11[CFG] virtual IP pool too large, limiting to fd9d:bc11:4020::/97
11[CFG] adding virtual IP address pool fd9d:bc11:4020::/48
11[CFG] loaded certificate "CN=[AWS-Assigned-IP]" from '[AWS-Assigned-IP].crt'
11[CFG] added configuration 'ikev2-pubkey'
09[NET] received packet: from 198.232.30.236[3528] to 172.16.254.75[500]
09[NET] waiting for data on sockets
13[MGR] checkout IKE_SA by message
13[MGR] created IKE_SA (unnamed)[1]
13[NET] received packet: from 198.232.30.236[3528] to 172.16.254.75[500] (240 bytes)
13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
13[CFG] looking for an ike config for 172.16.254.75...198.232.30.236
13[CFG] candidate: %any...%any, prio 28
13[CFG] found matching ike config: %any...%any with prio 28
13[IKE] 198.232.30.236 is initiating an IKE_SA
13[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
13[CFG] selecting proposal:
13[CFG] proposal matches
13[CFG] received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_512/ECP_256
13[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_512/ECP_256, IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_256, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_256
13[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_512/ECP_256
13[IKE] local host is behind NAT, sending keep alives
13[IKE] remote host is behind NAT
13[IKE] sending cert request for "CN=[AWS-Assigned-IP]"
13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
13[NET] sending packet: from 172.16.254.75[500] to 198.232.30.236[3528] (273 bytes)
13[MGR] checkin IKE_SA (unnamed)[1]
13[MGR] check-in of IKE_SA successful.
10[NET] sending packet: from 172.16.254.75[500] to 198.232.30.236[3528]
09[NET] received packet: from 198.232.30.236[18683] to 172.16.254.75[4500]
09[NET] waiting for data on sockets
09[NET] received packet: from 198.232.30.236[18683] to 172.16.254.75[4500]
09[NET] waiting for data on sockets
15[MGR] checkout IKE_SA by message
15[MGR] IKE_SA (unnamed)[1] successfully checked out
15[NET] received packet: from 198.232.30.236[18683] to 172.16.254.75[4500] (540 bytes)
15[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
15[ENC] received fragment #1 of 2, waiting for complete IKE message
15[MGR] checkin IKE_SA (unnamed)[1]
15[MGR] check-in of IKE_SA successful.
14[MGR] checkout IKE_SA by message
14[MGR] IKE_SA (unnamed)[1] successfully checked out
14[NET] received packet: from 198.232.30.236[18683] to 172.16.254.75[4500] (436 bytes)
14[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
14[ENC] received fragment #2 of 2, reassembling fragmented IKE message
14[ENC] unknown attribute type (25)
14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CERTREQ AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
14[IKE] received cert request for "CN=[AWS-Assigned-IP]"
14[IKE] received end entity cert "CN=wiiind"
14[CFG] looking for peer configs matching 172.16.254.75[[AWS-Assigned-IP]]...198.232.30.236[wiiind]
14[CFG] candidate "ikev2-pubkey", match: 20/1/28 (me/other/ike)
14[CFG] selected peer config 'ikev2-pubkey'
14[IKE] no trusted RSA public key found for 'wiiind'
14[IKE] processing INTERNAL_IP4_ADDRESS attribute
14[IKE] processing INTERNAL_IP4_DHCP attribute
14[IKE] processing INTERNAL_IP4_DNS attribute
14[IKE] processing INTERNAL_IP4_NETMASK attribute
14[IKE] processing INTERNAL_IP6_ADDRESS attribute
14[IKE] processing INTERNAL_IP6_DHCP attribute
14[IKE] processing INTERNAL_IP6_DNS attribute
14[IKE] processing (25) attribute
14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
14[IKE] peer supports MOBIKE
14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
14[NET] sending packet: from 172.16.254.75[4500] to 198.232.30.236[18683] (65 bytes)
14[MGR] checkin and destroy IKE_SA ikev2-pubkey[1]
14[IKE] IKE_SA ikev2-pubkey[1] state change: CONNECTING => DESTROYING
14[MGR] check-in and destroy of IKE_SA successful
10[NET] sending packet: from 172.16.254.75[4500] to 198.232.30.236[18683]
16[MGR] checkout IKE_SA