Friday, October 22, 2010

StrongSwan: we have no ipsecN interface for either end of this connection

I installed a new NIC card on one of my PCs where IPSec was already set up through StrongSwan and configured NAT-ing through iptables. Afterward, when I tried to do "ipsec up myconnection" I got this error:
we have no ipsecN interface for either end of this connection
The reason, it turns out, is that if the ipsec services were started before all the network interfaces came up, it is confused about which egress route to take. As I found on the Layer9 blog (and translated from German to English via Babelfish), it turns out you need to make sure that ipsec starts after the network has come up. The quick fix was just an IPSec restart:
sudo /etc/init.d/ipsec restart

And the long-term fix was definitely to just delay the ipsec a little. Add this to your /etc/rc.local file:
/etc/init.d/ipsec stopsleep 5/etc/init.d/ipsec start

Thursday, October 7, 2010

Strongswan: ike alg: unable to locate my private key

If you are using StrongSwan to establish an IPSec connection and you encounter this error:
root@crackjack:~# ipsec up conn-to-td
002 "conn-to-td" #2: initiating Main Mode
002 "conn-to-td" #2: ike alg: unable to locate my private key
002 "conn-to-td" #2: ike alg: unable to locate my private key
003 "conn-to-td" #2: empty ISAKMP SA proposal to send (no algorithms for ike selection?)

Then I have found the way to solve the first part of your problem - the private key part. Basically, after FreeSwan became OpenSwan and then finally StrongSwan, they created a directory for each individual part under /etc/ipsec.d. So for example the CA certs are stored in the folder /etc/ipsec.d/cacerts, or the certs you got are stored in /etc/ipsec.d/certs. Similarly, you are supposed to store your private key at /etc/ipsec.d/private. What you have probably done is that in /etc/ipsec.conf you wrote down
leftcert=/etc/ipsec.d/private/my_private_key.pem
When in fact you should have your /etc/ipsec.conf as the following:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    charonstart=yes
    plutostart=yes


conn host-to-host
      left=
      leftcert=my_cert.pem
      leftid=my_private_key.pem
      right=
      rightid=
      auto=start
      pfs=no
      rekey=no
      keyingtries=3
After this, you can do the faithful /etc/init.d/ipsec restart and the private key problem will disappear