IPSec with strongSwan problem


Otto Bretz

Feb 28, 2014, 5:22:27 AM
to gce-dis...@googlegroups.com
Hello,

I'm having trouble getting IPsec going on Debian. I've tried to follow https://developers.google.com/compute/docs/networking#settingupvpn

but when I'm running ipsec up myconn I get the following message:

022 "myconn": we have no ipsecN interface for either end of this connection


I read somewhere that this could happen if leftid does not match a local interface. But my leftid matches the static external IP of my instance.

ifconfig:

eth0      Link encap:Ethernet  HWaddr 42:01:0a:f0:b8:bc
          inet addr:10.240.184.X  Bcast:10.240.184.X  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1460  Metric:1
          RX packets:54320 errors:0 dropped:0 overruns:0 frame:5
          TX packets:11403 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:72799257 (69.4 MiB)  TX bytes:1197571 (1.1 MiB)


Any ideas what I'm doing wrong?

PS: someone else seems to have similar problems: http://stackoverflow.com/questions/21972976/strongswan-ipsec-vpn-at-google-compute-engine-we-have-no-ipsecn-interface-for

Otto Bretz

Feb 28, 2014, 6:12:09 AM
to gce-dis...@googlegroups.com
And the charon log:
Feb 28 10:47:01 gw charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
Feb 28 10:47:01 gw charon: 00[KNL] listening on interfaces:
Feb 28 10:47:01 gw charon: 00[KNL]   eth0
Feb 28 10:47:01 gw charon: 00[KNL]     10.240.184.X
Feb 28 10:47:01 gw charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 28 10:47:01 gw charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 28 10:47:01 gw charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 28 10:47:01 gw charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 28 10:47:01 gw charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 28 10:47:01 gw charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 28 10:47:01 gw charon: 00[CFG]   loaded IKE secret for %any
Feb 28 10:47:01 gw charon: 00[CFG] sql plugin: database URI not set
Feb 28 10:47:01 gw charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Feb 28 10:47:01 gw charon: 00[CFG] loaded 0 RADIUS server configurations
Feb 28 10:47:01 gw charon: 00[LIB] plugin 'medsrv' failed to load: /usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object file: No such file or directory
Feb 28 10:47:01 gw charon: 00[CFG] mediation client database URI not defined, skipped
Feb 28 10:47:01 gw charon: 00[LIB] plugin 'medcli': failed to load - medcli_plugin_create returned NULL
Feb 28 10:47:01 gw charon: 00[LIB] plugin 'nm' failed to load: /usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object file: No such file or directory
Feb 28 10:47:01 gw charon: 00[CFG] HA config misses local/remote address
Feb 28 10:47:01 gw charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Feb 28 10:47:01 gw charon: 00[DMN] loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock 
Feb 28 10:47:01 gw charon: 00[JOB] spawning 16 worker threads
Feb 28 10:47:01 gw charon: 05[NET] waiting for data on raw sockets
Feb 28 10:47:01 gw charon: 10[CFG] received stroke: add connection 'myconn'
Feb 28 10:47:01 gw charon: 10[CFG] left nor right host is our side, assuming left=local
Feb 28 10:47:01 gw charon: 10[CFG] added configuration 'myconn'

Brian Lynch

Mar 1, 2014, 10:06:15 PM
to gce-dis...@googlegroups.com
Otto,

  Try adding an alias IP on the instance interface (replace [external static ip] with the one for this box):

$ sudo /sbin/ifconfig eth0:0 [external static ip] netmask 255.255.255.255

Best,
Brian

Otto Bretz

Mar 2, 2014, 5:18:08 AM
to gce-dis...@googlegroups.com
On Sunday, March 2, 2014 4:06:15 AM UTC+1, Brian Lynch wrote:
> Otto,
>
>   Try adding an alias IP on the instance interface (replace [external static ip] with the one for this box):
>
> $ sudo /sbin/ifconfig eth0:0 [external static ip] netmask 255.255.255.255

Thanks for looking at this, Brian. Still the same message though:

root@gw:/home/ottob# ipsec up myconn

022 "myconn": we have no ipsecN interface for either end of this connection

From the serial console:
Mar  2 10:04:01 gw charon: 10[CFG] received stroke: add connection 'myconn'
Mar  2 10:04:01 gw charon: 10[CFG] left nor right host is our side, assuming left=local
Mar  2 10:04:01 gw charon: 10[CFG] added configuration 'myconn'
Mar  2 10:04:17 gw charon: 16[CFG] received stroke: initiate 'myconn' 
Mar 2 10:04:17 gw charon: 16[CFG] ignoring initiation request for IKEv1 config

ifconfig:
root@gw:/home/ottob# ifconfig
eth0      Link encap:Ethernet  HWaddr 42:01:0a:f0:39:8f  
          inet addr:10.240.57.143  Bcast:10.240.57.143  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1460  Metric:1
          RX packets:1981 errors:0 dropped:0 overruns:0 frame:3
          TX packets:1716 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:222933 (217.7 KiB)  TX bytes:199558 (194.8 KiB)

eth0:0    Link encap:Ethernet  HWaddr 42:01:0a:f0:39:8f  
          inet addr:192.158.X.Y  Bcast:192.158.X.255  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1460  Metric:1

cheers,
Otto 

Otto Bretz

Mar 3, 2014, 3:32:36 AM
to gce-dis...@googlegroups.com
On Sunday, March 2, 2014 11:18:08 AM UTC+1, Otto Bretz wrote:
> On Sunday, March 2, 2014 4:06:15 AM UTC+1, Brian Lynch wrote:
> > Otto,
> >
> >   Try adding an alias IP on the instance interface (replace [external static ip] with the one for this box):
> >
> > $ sudo /sbin/ifconfig eth0:0 [external static ip] netmask 255.255.255.255
>
> Thanks for looking at this, Brian. Still the same message though:
>
> root@gw:/home/ottob# ipsec up myconn
>
> 022 "myconn": we have no ipsecN interface for either end of this connection

I got this message since left=%any can't be used with keyexchange=ikev1. Still no IPsec connection though, but that is probably something I can try to solve on my own.

Otto Bretz

Mar 5, 2014, 9:15:06 AM
to gce-dis...@googlegroups.com
I can't create firewalls to allow AH and ESP protocols for my instance. Are these protocols allowed and forwarded by default to my instance?

Alex Gaysinsky

Mar 5, 2014, 10:45:53 AM
to Otto Bretz, gce-dis...@googlegroups.com
Hi Otto,

You might need to configure protocol forwarding to allow non-encapsulated AH/ESP from Internet to your instances.


-Alex


On Wed, Mar 5, 2014 at 6:15 AM, Otto Bretz <otto....@gmail.com> wrote:
> I can't create firewalls to allow AH and ESP protocols for my instance. Are these protocols allowed and forwarded by default to my instance?

--
Alex Gaysinsky | Product Manager | gays...@google.com | 310-406-4298

Otto Bretz

Mar 7, 2014, 4:51:28 AM
to gce-dis...@googlegroups.com, Otto Bretz
On Wednesday, March 5, 2014 4:45:53 PM UTC+1, gaysinsky wrote:
> You might need to configure protocol forwarding to allow non-encapsulated AH/ESP from Internet to your instances.

Thanks Alex! That helped. 

Otto Bretz

Mar 17, 2014, 8:10:04 AM
to gce-dis...@googlegroups.com
For the archives:

Since I had to use IKEv1, I had to upgrade to strongSwan 5.x and set forceencaps = yes to finally get traffic flowing.

Gary Ling

Apr 2, 2014, 12:46:39 PM
to gce-dis...@googlegroups.com
Hi Otto,

I am glad you got it to work. Just to be clear, which one did the trick for you? Protocol forwarding, or forceencaps = yes?

Thanks.
-Gary

Otto Bretz

Apr 7, 2014, 4:29:54 AM
to gce-dis...@googlegroups.com
On Wednesday, April 2, 2014 6:46:39 PM UTC+2, Gary Ling wrote:
> I am glad you got it to work. Just to be clear, which one did the trick for you? Protocol forwarding, or forceencaps = yes?

Both.
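Pulling the thread's findings together, here is an added example (my own script, not code from the thread, from strongSwan or from Google Compute Engine): a pre-flight lint of an ipsec.conf conn that flags left=%any combined with keyexchange=ikev1 (Otto's "no ipsecN interface" message), a left= address that is not configured on any local interface (charon's "left nor right host is our side", which Brian's eth0:0 alias addresses), a missing forceencaps=yes (needed behind GCE's 1:1 NAT), and a pre-5.x strongSwan whose charon logs "ignoring initiation request for IKEv1 config". Assumptions: the conn name myconn is taken from the thread; the addresses in the three sample configs are constructed documentation-range values, not anyone's real setup; and the "ipsec --version" banner is assumed to look like "Linux strongSwan U5.1.2/K3.2.0-4-amd64".

```shell
#!/bin/sh
# Added example, not code from the thread, from strongSwan or from Google.
# Lints a strongSwan ipsec.conf "conn" for the pitfalls discussed in the thread:
#   1. keyexchange=ikev1 together with left=%any
#   2. a left= address that is not present on a local interface
#   3. forceencaps=yes missing (instance sits behind GCE's 1:1 NAT)
#   4. a 4.x charon, which does not initiate IKEv1 configs itself
# Inputs are passed as arguments so the constructed samples below run offline.

# conn_get NAME KEY: print KEY's value inside "conn NAME" of the ipsec.conf text
# on stdin. Accepts "key=value" and "key = value"; prints nothing if absent.
conn_get() {
    awk -v conn="$1" -v key="$2" '
        /^conn[ \t]+/   { cur = $2; next }                 # section header
        /^config[ \t]+/ { cur = ""; next }                 # "config setup" etc.
        cur == conn {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)              # trim
            sub(/[ \t]*=[ \t]*/, "=", line)                # "k = v" -> "k=v"
            if (index(line, key "=") == 1) { print substr(line, length(key) + 2); exit }
        }'
}

# lint_conn NAME CONFIG_TEXT LOCAL_ADDRS
#   LOCAL_ADDRS: space-separated IPv4 addresses configured on this host, e.g.
#   "$(ip -4 -o addr | awk '{print $4}' | cut -d/ -f1 | tr '\n' ' ')"
# Prints one line per finding; the return code is the number of findings.
lint_conn() {
    name=$1 cfg=$2 local_addrs=$3 findings=0
    kx=$(printf '%s\n' "$cfg" | conn_get "$name" keyexchange)
    left=$(printf '%s\n' "$cfg" | conn_get "$name" left)
    enc=$(printf '%s\n' "$cfg" | conn_get "$name" forceencaps)

    if [ "$kx" = "ikev1" ] && [ "$left" = "%any" ]; then
        echo "$name: keyexchange=ikev1 needs an explicit left= address, not %any"
        findings=$((findings + 1))
    fi
    case "$left" in
        ""|%any|%defaultroute) ;;                          # nothing literal to match
        *)
            found=0
            for a in $local_addrs; do [ "$a" = "$left" ] && found=1; done
            if [ "$found" -eq 0 ]; then
                echo "$name: left=$left is not assigned to any local interface (add an alias?)"
                findings=$((findings + 1))
            fi ;;
    esac
    if [ "$enc" != "yes" ]; then
        echo "$name: forceencaps=yes is missing (instance sits behind 1:1 NAT)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# charon_handles_ikev1 BANNER: succeed when the "ipsec --version" banner (assumed
# format "Linux strongSwan U5.1.2/K3.2.0-4-amd64") is 5.x or newer, the releases
# in which charon speaks IKEv1 itself.
charon_handles_ikev1() {
    major=$(printf '%s\n' "$1" | sed -n 's/.*strongSwan U\([0-9][0-9]*\)\..*/\1/p')
    [ -n "$major" ] && [ "$major" -ge 5 ]
}

# --- constructed samples (documentation-range addresses, not the poster's) ---
LOCAL_ADDRS="127.0.0.1 10.240.57.143"          # what the instance's interfaces carry
BAD_CFG='config setup
    charonstart=yes

conn myconn
    keyexchange=ikev1
    left=%any
    leftid=203.0.113.10
    right=198.51.100.20
    auto=add
'
ALIAS_CFG='conn myconn
    keyexchange=ikev1
    left=203.0.113.10
    right=198.51.100.20
    forceencaps=yes
    auto=add
'
GOOD_CFG='conn myconn
    keyexchange=ikev1
    left=10.240.57.143
    leftid=203.0.113.10
    right=198.51.100.20
    forceencaps = yes
    auto=add
'

echo "--- BAD_CFG ---";   lint_conn myconn "$BAD_CFG"   "$LOCAL_ADDRS" || echo "findings: $?"
echo "--- ALIAS_CFG ---"; lint_conn myconn "$ALIAS_CFG" "$LOCAL_ADDRS" || echo "findings: $?"
echo "--- GOOD_CFG ---";  lint_conn myconn "$GOOD_CFG"  "$LOCAL_ADDRS" && echo "clean"
charon_handles_ikev1 "Linux strongSwan U4.5.2/K3.2.0-4-amd64" ||
    echo "strongSwan 4.x: charon ignores IKEv1 initiation, upgrade to 5.x"
```

On a real box the same functions take the live inputs: lint_conn myconn "$(cat /etc/ipsec.conf)" "$(ip -4 -o addr | awk '{print $4}' | cut -d/ -f1 | tr '\n' ' ')" and charon_handles_ikev1 "$(ipsec --version)". The lint deliberately treats a missing forceencaps as a finding rather than a warning, because on GCE the external address is never on the NIC and raw ESP does not reach the instance without protocol forwarding, so UDP encapsulation is the setting that actually moved traffic in this thread.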