I am in the middle of moving my web server to new hardware with virtual machines and have run into the problem that StrongSwan apparently no longer works out of the box. So far I have been using it on my old server to build a VPN between the server and my router at home, which has worked wonderfully all these years. But simply copying the existing configuration files over and adjusting them (hostname, IP address) does not seem to be enough, because on startup StrongSwan produces plenty of error messages in the log:
Apr 5 14:39:19 racoon2 ipsec[21343]: Starting strongSwan 5.1.3 IPsec [starter]...
Apr 5 14:39:19 racoon2 ipsec_starter[21343]: Starting strongSwan 5.1.3 IPsec [starter]...
Apr 5 14:39:19 racoon2 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.3, Linux 3.16.7-7-default, x86_64)
Apr 5 14:39:19 racoon2 charon: 00[LIB] openssl FIPS mode(0) - disabled
Apr 5 14:39:19 racoon2 charon: 00[CFG] could not bind XML socket: No such file or directory
Apr 5 14:39:19 racoon2 charon: 00[LIB] plugin 'smp': failed to load - smp_plugin_create returned NULL
Apr 5 14:39:19 racoon2 charon: 00[CFG] HA config misses local/remote address
Apr 5 14:39:19 racoon2 charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Apr 5 14:39:19 racoon2 charon: 00[NET] binding socket 'unix:///run/strongswan/charon.dck' failed: No such file or directory
Apr 5 14:39:19 racoon2 charon: 00[CFG] creating duplicheck socket failed
Apr 5 14:39:19 racoon2 charon: 00[LIB] plugin 'duplicheck': failed to load - duplicheck_plugin_create returned NULL
Apr 5 14:39:19 racoon2 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr 5 14:39:19 racoon2 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr 5 14:39:19 racoon2 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr 5 14:39:19 racoon2 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr 5 14:39:19 racoon2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr 5 14:39:19 racoon2 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr 5 14:39:19 racoon2 charon: 00[LIB] opening '/etc/ipsec.d/private/{' failed: No such file or directory
Apr 5 14:39:19 racoon2 charon: 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 11 builders
Apr 5 14:39:19 racoon2 charon: 00[CFG] loading private key from '/etc/ipsec.d/private/{' failed
Apr 5 14:39:19 racoon2 charon: 00[CFG] line 16: missing ' : ' separator
Apr 5 14:39:19 racoon2 charon: 00[NET] binding socket 'unix:///run/strongswan/charon.ctl' failed: No such file or directory
Apr 5 14:39:19 racoon2 charon: 00[CFG] creating stroke socket failed
Apr 5 14:39:19 racoon2 charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Apr 5 14:39:19 racoon2 charon: 00[CFG] loaded 0 RADIUS server configurations
Apr 5 14:39:19 racoon2 charon: 00[TNC] TNC recommendation policy is 'default'
Apr 5 14:39:19 racoon2 charon: 00[TNC] loading IMVs from '/etc/tnc_config'
Apr 5 14:39:19 racoon2 charon: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Apr 5 14:39:19 racoon2 charon: 00[CFG] missing PDP server name, PDP disabled
Apr 5 14:39:19 racoon2 charon: 00[TNC] loading IMCs from '/etc/tnc_config'
Apr 5 14:39:19 racoon2 charon: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Apr 5 14:39:19 racoon2 charon: 00[CFG] coupling file path unspecified
Apr 5 14:39:19 racoon2 charon: 00[LIB] loaded plugins: charon curl soup ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp certexpire led radattr addrblock unity
Apr 5 14:39:19 racoon2 charon: 00[LIB] unable to load 16 plugin features (12 due to unmet dependencies)
Apr 5 14:39:19 racoon2 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Apr 5 14:39:19 racoon2 charon: 00[JOB] spawning 16 worker threads
Apr 5 14:39:29 racoon2 ipsec_starter[21343]: charon too long to start... - kill kill
Apr 5 14:39:29 racoon2 charon: 00[DMN] signal of type SIGINT received. Shutting down
Apr 5 14:39:29 racoon2 ipsec[21343]: charon too long to start... - kill kill
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.3, Linux 3.16.7-7-default, x86_64)
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[LIB] openssl FIPS mode(0) - disabled
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] could not bind XML socket: No such file or directory
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[LIB] plugin 'smp': failed to load - smp_plugin_create returned NULL
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] HA config misses local/remote address
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[NET] binding socket 'unix:///run/strongswan/charon.dck' failed: No such file or directory
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] creating duplicheck socket failed
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[LIB] plugin 'duplicheck': failed to load - duplicheck_plugin_create returned NULL
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[LIB] opening '/etc/ipsec.d/private/{' failed: No such file or directory
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 11 builders
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] loading private key from '/etc/ipsec.d/private/{' failed
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] line 16: missing ' : ' separator
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[NET] binding socket 'unix:///run/strongswan/charon.ctl' failed: No such file or directory
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] creating stroke socket failed
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] loaded 0 RADIUS server configurations
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[TNC] TNC recommendation policy is 'default'
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[TNC] loading IMVs from '/etc/tnc_config'
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] missing PDP server name, PDP disabled
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[TNC] loading IMCs from '/etc/tnc_config'
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[CFG] coupling file path unspecified
Apr 5 14:39:29 racoon2 ipsec_starter[21343]: charon has died -- restart scheduled (5sec)
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[LIB] loaded plugins: charon curl soup ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp certexpire led radattr addrblock unity
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[LIB] unable to load 16 plugin features (12 due to unmet dependencies)
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[JOB] spawning 16 worker threads
Apr 5 14:39:29 racoon2 ipsec[21343]: 00[DMN] signal of type SIGINT received. Shutting down
Apr 5 14:39:29 racoon2 ipsec[21343]: charon has died -- restart scheduled (5sec)
It then starts over from the beginning every few seconds.
Before I start trying to understand the error messages one by one (although I suspect that some of them come simply from certain things I don't need anyway not being present), I wanted to ask whether anyone here has experience with the migration from StrongSwan version 4.5.3 to 5.1.3 (those are the versions on the old and the new server). Perhaps only minor things need adjusting. Unfortunately I have not found a really usable migration guide on the web.
The ipsec configuration looks like this:
version 2.0 # conforms to second version of ipsec.conf specification

conn racoon2-panthernet
        also=racoon2
        also=panther
        rightsubnet=192.168.100.0/24
        authby=pubkey
        keyexchange=ikev1
        auto=start

conn racoon2
        leftid=@racoon2.tvdr.de
        left=88.198.76.220
        #leftnexthop=%defaultroute
        leftrsasigkey=0sAQNp+B81Oi5aRlqu+...

conn panther
        rightid=@panther.tvdr.de
        right=%any
        rightrsasigkey=0sAQODgeptMH+9Obm...
I have already commented out the "leftnexthop" parameter, since it is supposed to be obsolete by now.
I would be grateful for any hints.
Klaus
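Two things in the log above are worth checking mechanically before touching anything else: the stroke socket could not be bound below /run/strongswan (which is why the starter decides "charon too long to start" and loops), and charon tried to open a private key literally named `{`, together with a "missing ' : ' separator" complaint about ipsec.secrets. The script below is an added example, not code from the post or from the strongSwan project. It triages such log lines for missing paths and runs a syntax pre-flight over an ipsec.secrets file. It assumes (not stated in the post) that charon 5.x reads each secrets entry as `[selectors] : TYPE value...`, resolves a relative RSA/ECDSA file name below /etc/ipsec.d/private, and treats whatever follows `: RSA` as a file name, so a 4.x-era inline key block `: RSA { Modulus: ... }` would show up exactly as the `/etc/ipsec.d/private/{` error in the log. The sample secrets and log lines are constructed; the `exists` parameter is a hypothetical hook so the checker can run without the real directory.

```python
"""Pre-flight checks for moving ipsec.secrets to strongSwan 5.x (added example,
assumptions about charon's parsing are stated in the lead-in and comments)."""
import posixpath
import re
import shlex

PRIVATE_DIR = "/etc/ipsec.d/private"

# Log lines charon emits when a socket directory or credential file is missing.
LOG_PATH_RE = re.compile(
    r"binding socket 'unix://(?P<sock>[^']+)' failed: No such file or directory"
    r"|opening '(?P<file>[^']+)' failed: No such file or directory")


def triage_log(log_text):
    """Return [(kind, path)] for everything charon could not open or bind.
    A socket path is reduced to its parent directory: charon creates the
    socket itself, but needs the directory to exist beforehand."""
    missing = set()
    for line in log_text.splitlines():
        m = LOG_PATH_RE.search(line)
        if m and m.group("sock"):
            missing.add(("socket_dir", posixpath.dirname(m.group("sock"))))
        elif m:
            missing.add(("file", m.group("file")))
    return sorted(missing)


def logical_entries(text):
    """Split ipsec.secrets into (first_lineno, tokens): '#' starts a comment,
    quotes protect a PSK, and an indented line continues the entry above
    (assumed continuation rule)."""
    entries, current, start = [], [], None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        tokens = shlex.split(raw, comments=True)
        if raw[:1] in (" ", "\t") and current:
            current.extend(tokens)
            continue
        if current:
            entries.append((start, current))
        current, start = tokens, lineno
    if current:
        entries.append((start, current))
    return entries


def resolve_key_path(name, private_dir=PRIVATE_DIR):
    """Assumed resolution: relative key file names live below private_dir."""
    return name if posixpath.isabs(name) else posixpath.join(private_dir, name)


def check_secrets(text, private_dir=PRIVATE_DIR, exists=posixpath.exists):
    """Return [(lineno, code, message)] for entries charon 5.x would reject."""
    problems = []
    try:
        entries = logical_entries(text)
    except ValueError as err:  # unbalanced quote
        return [(0, "parse_error", str(err))]
    for lineno, tokens in entries:
        if tokens[0] == "include":
            continue
        if ":" not in tokens:
            problems.append((lineno, "missing_separator", "missing ' : ' separator"))
            continue
        args = tokens[tokens.index(":") + 1:]
        kind, rest = (args[0], args[1:]) if args else (None, [])
        if kind in ("RSA", "ECDSA"):
            if not rest:
                problems.append((lineno, "no_key_file", "no file name after ': %s'" % kind))
            elif rest[0] == "{":
                problems.append((lineno, "inline_key_block",
                                 "charon expects a file name after ': %s'; an inline "
                                 "'{ ... }' key block must be exported to a PEM file" % kind))
            else:
                path = resolve_key_path(rest[0], private_dir)
                if not exists(path):
                    problems.append((lineno, "key_file_missing", "key file %s not found" % path))
        elif kind in ("PSK", "EAP", "XAUTH", "PIN"):
            if not rest:
                problems.append((lineno, "empty_secret", "no secret after ': %s'" % kind))
        else:
            problems.append((lineno, "unknown_type", "unknown secret type %r" % kind))
    return problems


# Constructed samples (not the poster's real files or full log).
OLD_STYLE_SECRETS = """\
# pluto-era layout: key material inline in ipsec.secrets
: RSA {
        # RSA 2048 bits   racoon2.tvdr.de
        Modulus: 0xc0ffee
        PublicExponent: 0x03
        }
@panther.tvdr.de : PSK "not-a-real-secret"
"""
NEW_STYLE_SECRETS = """\
: RSA racoon2Key.pem          # file below /etc/ipsec.d/private
@panther.tvdr.de : PSK "not-a-real-secret"
"""
SAMPLE_LOG = """\
Apr 5 14:39:19 racoon2 charon: 00[NET] binding socket 'unix:///run/strongswan/charon.ctl' failed: No such file or directory
Apr 5 14:39:19 racoon2 charon: 00[LIB] opening '/etc/ipsec.d/private/{' failed: No such file or directory
"""

if __name__ == "__main__":
    for kind, path in triage_log(SAMPLE_LOG):
        print("check %s: %s" % (kind, path))
    for lineno, _, msg in check_secrets(OLD_STYLE_SECRETS, exists=lambda p: False):
        print("ipsec.secrets line %d: %s" % (lineno, msg))
```

Run it against the real file with `check_secrets(open("/etc/ipsec.secrets").read())` (the default `exists` then looks at the actual /etc/ipsec.d/private); a clean result plus an existing /run/strongswan directory is the baseline before the remaining plugin warnings (smp, ha, duplicheck, tnc) are worth looking at, since those only concern features the post says are not used.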