I am in the middle of moving my web server to new hardware with virtual machines and have run into the problem that strongSwan apparently no longer works out of the box. Until now I have been using it on my old server to set up a VPN between the server and my router at home, which has worked wonderfully all these years. But simply copying the existing configuration files over and adapting them (host name, IP address) does not seem to be enough, because on startup strongSwan produces a lot of error messages in the log:
```
Apr 5 14:39:19 racoon2 ipsec[21343]: Starting strongSwan 5.1.3 IPsec [starter]...
Apr 5 14:39:19 racoon2 ipsec_starter[21343]: Starting strongSwan 5.1.3 IPsec [starter]...
Apr 5 14:39:19 racoon2 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.3, Linux 3.16.7-7-default, x86_64)
Apr 5 14:39:19 racoon2 charon: 00[LIB] openssl FIPS mode(0) - disabled
Apr 5 14:39:19 racoon2 charon: 00[CFG] could not bind XML socket: No such file or directory
Apr 5 14:39:19 racoon2 charon: 00[LIB] plugin 'smp': failed to load - smp_plugin_create returned NULL
Apr 5 14:39:19 racoon2 charon: 00[CFG] HA config misses local/remote address
Apr 5 14:39:19 racoon2 charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Apr 5 14:39:19 racoon2 charon: 00[NET] binding socket 'unix:///run/strongswan/charon.dck' failed: No such file or directory
Apr 5 14:39:19 racoon2 charon: 00[CFG] creating duplicheck socket failed
Apr 5 14:39:19 racoon2 charon: 00[LIB] plugin 'duplicheck': failed to load - duplicheck_plugin_create returned NULL
Apr 5 14:39:19 racoon2 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr 5 14:39:19 racoon2 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr 5 14:39:19 racoon2 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr 5 14:39:19 racoon2 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr 5 14:39:19 racoon2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr 5 14:39:19 racoon2 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr 5 14:39:19 racoon2 charon: 00[LIB] opening '/etc/ipsec.d/private/{' failed: No such file or directory
Apr 5 14:39:19 racoon2 charon: 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 11 builders
Apr 5 14:39:19 racoon2 charon: 00[CFG] loading private key from '/etc/ipsec.d/private/{' failed
Apr 5 14:39:19 racoon2 charon: 00[CFG] line 16: missing ' : ' separator
Apr 5 14:39:19 racoon2 charon: 00[NET] binding socket 'unix:///run/strongswan/charon.ctl' failed: No such file or directory
Apr 5 14:39:19 racoon2 charon: 00[CFG] creating stroke socket failed
Apr 5 14:39:19 racoon2 charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Apr 5 14:39:19 racoon2 charon: 00[CFG] loaded 0 RADIUS server configurations
Apr 5 14:39:19 racoon2 charon: 00[TNC] TNC recommendation policy is 'default'
Apr 5 14:39:19 racoon2 charon: 00[TNC] loading IMVs from '/etc/tnc_config'
Apr 5 14:39:19 racoon2 charon: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Apr 5 14:39:19 racoon2 charon: 00[CFG] missing PDP server name, PDP disabled
Apr 5 14:39:19 racoon2 charon: 00[TNC] loading IMCs from '/etc/tnc_config'
Apr 5 14:39:19 racoon2 charon: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Apr 5 14:39:19 racoon2 charon: 00[CFG] coupling file path unspecified
Apr 5 14:39:19 racoon2 charon: 00[LIB] loaded plugins: charon curl soup ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp certexpire led radattr addrblock unity
Apr 5 14:39:19 racoon2 charon: 00[LIB] unable to load 16 plugin features (12 due to unmet dependencies)
Apr 5 14:39:19 racoon2 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Apr 5 14:39:19 racoon2 charon: 00[JOB] spawning 16 worker threads
Apr 5 14:39:29 racoon2 ipsec_starter[21343]: charon too long to start... - kill kill
Apr 5 14:39:29 racoon2 charon: 00[DMN] signal of type SIGINT received. Shutting down
Apr 5 14:39:29 racoon2 ipsec[21343]: charon too long to start... - kill kill
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.3, Linux 3.16.7-7-default, x86_64)
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[LIB] openssl FIPS mode(0) - disabled
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] could not bind XML socket: No such file or directory
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[LIB] plugin 'smp': failed to load - smp_plugin_create returned NULL
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] HA config misses local/remote address
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[NET] binding socket 'unix:///run/strongswan/charon.dck' failed: No such file or directory
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] creating duplicheck socket failed
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[LIB] plugin 'duplicheck': failed to load - duplicheck_plugin_create returned NULL
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[LIB] opening '/etc/ipsec.d/private/{' failed: No such file or directory
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 11 builders
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] loading private key from '/etc/ipsec.d/private/{' failed
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] line 16: missing ' : ' separator
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[NET] binding socket 'unix:///run/strongswan/charon.ctl' failed: No such file or directory
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] creating stroke socket failed
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] loaded 0 RADIUS server configurations
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[TNC] TNC recommendation policy is 'default'
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[TNC] loading IMVs from '/etc/tnc_config'
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] missing PDP server name, PDP disabled
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[TNC] loading IMCs from '/etc/tnc_config'
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] coupling file path unspecified
Apr 5 14:39:29 racoon2 ipsec_starter[21343]: charon has died -- restart scheduled (5sec)
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[LIB] loaded plugins: charon curl soup ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp certexpire led radattr addrblock unity
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[LIB] unable to load 16 plugin features (12 due to unmet dependencies)
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[JOB] spawning 16 worker threads
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[DMN] signal of type SIGINT received. Shutting down
Apr 5 14:39:29 racoon2 ipsec[21343]: charon has died -- restart scheduled (5sec)
```
Then, a few seconds later, the whole thing starts over again from the beginning.

Before I start trying to understand the error messages one by one (although I suspect that some of them simply come from certain things I do not need anyway not being present), I wanted to ask whether anyone here has experience with switching from strongSwan version 4.5.3 to 5.1.3 (those are the versions on the old and the new server). Perhaps only minor things need to be adjusted. Unfortunately I have not found a really usable migration guide on the web.

The ipsec configuration looks like this:
```
version 2.0 # conforms to second version of ipsec.conf specification

conn racoon2-panthernet
    also=racoon2
    also=panther
    rightsubnet=192.168.100.0/24
    authby=pubkey
    keyexchange=ikev1
    auto=start

conn racoon2
    leftid=@racoon2.tvdr.de
    left=88.198.76.220
    #leftnexthop=%defaultroute
    leftrsasigkey=0sAQNp+B81Oi5aRlqu+...

conn panther
    rightid=@panther.tvdr.de
    right=%any
    rightrsasigkey=0sAQODgeptMH+9Obm...
```
I have already commented out the "leftnexthop" parameter, since it is supposed to be obsolete by now.

I would be grateful for any hints.
Klaus
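As an added example (not part of Klaus's post and not strongSwan's own tooling), the following Python script triages a strongSwan 5.x startup log of the kind quoted above. It separates the findings that stop charon from coming up (the control socket under /run/strongswan that the `ipsec` starter needs, and the ipsec.secrets parse errors) from the optional-plugin noise, and marks the "charon too long to start" / "charon has died" lines as symptoms rather than causes. The sample lines are copied from the log in the post; the rule set and the hints are the example author's reading of those lines, and the interpretation that a literal `{` after `: RSA` in ipsec.secrets was taken as a file name is an assumption, not something the log states.

```python
"""Triage a strongSwan 5.x startup log: fatal findings vs. plugin noise.

Added example. The rules below are the example author's reading of the
quoted log lines, not strongSwan's own diagnostics.
"""
import re
from collections import Counter

# Sample input: lines copied from the startup log quoted in the post.
SAMPLE_LOG = """\
Apr 5 14:39:19 racoon2 ipsec_starter[21343]: Starting strongSwan 5.1.3 IPsec [starter]...
Apr 5 14:39:19 racoon2 charon: 00[CFG] could not bind XML socket: No such file or directory
Apr 5 14:39:19 racoon2 charon: 00[LIB] plugin 'smp': failed to load - smp_plugin_create returned NULL
Apr 5 14:39:19 racoon2 charon: 00[NET] binding socket 'unix:///run/strongswan/charon.dck' failed: No such file or directory
Apr 5 14:39:19 racoon2 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr 5 14:39:19 racoon2 charon: 00[LIB] opening '/etc/ipsec.d/private/{' failed: No such file or directory
Apr 5 14:39:19 racoon2 charon: 00[CFG] loading private key from '/etc/ipsec.d/private/{' failed
Apr 5 14:39:19 racoon2 charon: 00[CFG] line 16: missing ' : ' separator
Apr 5 14:39:19 racoon2 charon: 00[NET] binding socket 'unix:///run/strongswan/charon.ctl' failed: No such file or directory
Apr 5 14:39:19 racoon2 charon: 00[CFG] creating stroke socket failed
Apr 5 14:39:19 racoon2 charon: 00[LIB] unable to load 16 plugin features (12 due to unmet dependencies)
Apr 5 14:39:29 racoon2 ipsec_starter[21343]: charon too long to start... - kill kill
Apr 5 14:39:29 racoon2 ipsec_starter[21343]: charon has died -- restart scheduled (5sec)
"""

# syslog prefix, optional "[pid]", then charon's optional "NN[SUBSYSTEM] " tag.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[A-Za-z_]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?:(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] )?(?P<msg>.*)$"
)

# (name, severity, pattern, hint); first match wins.
RULES = [
    ("control-socket", "fatal",
     re.compile(r"binding socket 'unix:///run/strongswan/charon\.ctl' failed"
                r"|creating stroke socket failed"),
     "charon cannot create its control socket under /run/strongswan; the "
     "ipsec starter talks to charon through it and otherwise gives up"),
    ("secrets-syntax", "fatal",
     re.compile(r"line \d+: missing ' : ' separator"),
     "ipsec.secrets has a syntax error at that line; its entry is not loaded"),
    ("secrets-key-path", "fatal",
     re.compile(r"loading private key from '[^']*\{' failed"),
     "the token after ': RSA' was used as a file name (assumption: an "
     "inline '{ ... }' key block left over from the 4.x-era ipsec.secrets)"),
    ("starter-timeout", "symptom",
     re.compile(r"charon too long to start|charon has died"),
     "consequence of the fatal findings, not a separate cause"),
    ("optional-plugin", "noise",
     re.compile(r"plugin '\w+': failed to load"),
     "plugin unusable; harmless unless the configuration relies on it"),
]


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not fit."""
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Return (findings, counts): matched lines with severity, and a per-severity tally."""
    findings, counts = [], Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for name, severity, pattern, hint in RULES:
            if pattern.search(rec["msg"]):
                counts[severity] += 1
                findings.append({"rule": name, "severity": severity,
                                 "subsystem": rec["sub"], "msg": rec["msg"],
                                 "hint": hint})
                break
    return findings, counts


def root_causes(log_text):
    """Distinct rule names of the fatal findings, sorted for stable output."""
    findings, _ = triage(log_text)
    return sorted({f["rule"] for f in findings if f["severity"] == "fatal"})


if __name__ == "__main__":
    found, tally = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['severity']:7s} {f['rule']:17s} [{f['subsystem']}] {f['msg']}")
        print(f"        -> {f['hint']}")
    print("tally:", dict(tally))
    print("root causes:", root_causes(SAMPLE_LOG))
```

Running it on the quoted lines yields three root causes (`control-socket`, `secrets-key-path`, `secrets-syntax`) and one noise entry for the `smp` plugin; the two `ipsec_starter` lines are reported as symptoms. Extending the rule table is the intended way to adapt it to other deployments, for instance to promote a plugin failure to fatal when the configuration actually depends on that plugin.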