Hi all:

I'm trying to configure the example "IKEv2 negotiation between a VPP responder and a strongSwan initiator, using Pre-Shared Key authentication method", but I have encountered a problem. The detailed description is as follows:
****
VPP:
****
* System:ubuntu18.04 (kernel 4.15.0-42-generic, x86_64)
* VPP:18.10

***********
StrongSwan:
***********
* System:ubuntu18.04 (kernel 4.15.0-42-generic, x86_64)
* strongswan: strongSwan 5.6.2

******************
vpp configuration:
******************
vpp# set int ip addr GigabitEthernet0/9/0 192.168.1.253/24
vpp# set int state GigabitEthernet0/9/0 up
vpp# ikev2 profile add pr1
vpp# ikev2 profile set pr1 auth shared-key-mic string Vpp123
vpp# ikev2 profile set pr1 id local fqdn vpp.home
vpp# ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
vpp# ikev2 profile set pr1 traffic-selector remote ip-range 255.255.255.0-255.255.255.0 port-range 0 - 65535 protocol 0
vpp# ikev2 profile set pr1 traffic-selector local ip-range 255.255.255.0-255.255.255.0 port-range 0 - 65535 protocol 0

**************************
*strongswan configuration:*
**************************
------------------------------
root@bk:~# cat /etc/ipsec.conf
------------------------------
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        strictcrlpolicy=no

# Add connections here.

conn %default
        ike=aes256-sha1-modp2048!
        esp=aes192-sha1-esn!
        mobike=no
        keyexchange=ikev2
        ikelifetime=24h
        lifetime=24h

conn net-net
        right=192.168.1.253
        rightsubnet=255.255.255.0/24
        rightauth=psk
        rightid=@vpp.home
        left=192.168.1.88
        leftsubnet=255.255.255.0/24
        leftauth=psk
        leftid=@roadwarrior.vpn.example.com
        auto=start

--------------------------------
root@bk:~# cat /etc/ipsec.secrets
--------------------------------
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

: PSK "Vpp123"

*************************************************************
I execute 'ipsec restart', then obtain the following result:
*************************************************************
vpp# show ikev2 sa
 iip 192.168.1.88 ispi a59b00882846498f rip 192.168.1.253 rspi ebbc521abde4c639
 encr:aes-cbc-256 prf:hmac-sha1 integ:sha1-96 dh-group:modp-2048
  nonce i:e3ae6779e580489c8b4a1b12fa261cdb741f0a56f5cfa072609e8dffef15dd3c
        r:cc626b90cf8a235f5257cfebdd4b8c7a5229cfa85aa7a022cfc94131486a21da
  SK_d
  SK_a  i:
        r:
  SK_e  i:
        r:
  SK_p  i:
        r:
  identifier (i) none
  identifier (r) none
 iip 192.168.1.88 ispi a59b00882846498f rip 192.168.1.253 rspi ebbc521abde4c639

root@bk:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-42-generic, x86_64):
  uptime: 72 minutes, since Dec 24 11:14:46 2018
  malloc: sbrk 2564096, mmap 0, used 542256, free 2021840
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  10.0.2.15
  192.168.1.88
Connections:
     net-net:  192.168.1.88...192.168.1.253  IKEv2
     net-net:   local:  [roadwarrior.vpn.example.com] uses pre-shared key authentication
     net-net:   remote: [vpp.home] uses pre-shared key authentication
     net-net:   child:  255.255.255.0/24 === 255.255.255.0/24 TUNNEL
Security Associations (0 up, 0 connecting):
  none

I have tried using gdb to debug the code of vpp, but did not find the issue. I don't know what to do next. Can you help me?

Thanks.
renkic
View/Reply Online (#11769): https://lists.fd.io/g/vpp-dev/message/11769