[strongSwan] Help with Strongswan configuration (Virtual-IP, Subnet, DNS, ...) needed

Andreas Steffen andreas.steffen at strongswan.org
Sun Dec 23 08:53:56 CET 2012


Hi Markus,

looking at your log and your ip xfrm and ip route entries the
connection seems successfully up and running.
Actually the table 220 entry

   default via 192.168.2.1 dev wlan0  proto static  src 10.20.223.225

implements the virtual interface. If you notice that this route
disappears then the NCP gateway might have deleted the connection.
Do you register any further log entries?

Regards

Andreas

On 22.12.2012 17:01, Markus Mazurczak wrote:
> Hi all,
>
> I have been trying to configure strongswan for 2 weeks now and I am not able
> to get a working connection.
>
> I hope that someone can help me.
>
> What I try to do:
>
> I want to connect into the intranet of the company I am working for
> using my Laptop. We have an NCP Secure Communications gateway Server
> installed which uses a PSK and XAuth for authentication and authorization.
> That gateway offers a new IP address (Virtual-IP) and 2 DNS Servers.
>
> I use Strongswan 5.0.1 at Archlinux.
>
> Until now I managed to get a working connection. This means, that I can
> build up the IPSec tunnel.
>
> This is my actual configuration (IPs are not the correct ones ;)).
>
> strongswan.conf
> ------------------------
> # strongswan.conf - strongSwan configuration file
>
> charon {
>       # number of worker threads in charon
>       threads = 16
>       #port_nat_t = 4500
>       #load = aes des sha1 sha2 md5 gmp random nonce hmac stroke
> kernel-netlink socket-default updown resolv request_virtual_ip
> }
>
> pluto {
>
> }
>
> libstrongswan {
>
>       #  set to no, the DH exponent size is optimized
>       #  dh_exponent_ansi_x9_42 = no
> }
>
> ipsec.conf:
> ---------------
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>       charondebug="dmn 4, mgr 4, mgr 4, ike 4, chd 4, job 4, cfg 4, knl
> 4, net 4, asn 4, enc 4, lib 4, esp 4, tls 4, tnc 4, imc 4, imv 4, pts 4"
>
> conn %default
>       ikelifetime=60m
>       keylife=20m
>       rekeymargin=3m
>       keyingtries=1
>       keyexchange=ikev1
>       aggressive=no
>       compress=no
>       esp=aes256-sha256--modp1024
>       ike=aes256-sha256--modp1024
>       installpolicy=yes
>       type=tunnel
>       leftikeport=4500
>       rightikeport=4500
>       mobike=yes
>
> conn home
>       left=%any
>       leftsourceip=%config
>       leftfirewall=no
>       leftauth=psk
>       leftauth2=xauth
>       right=195.1.2.3
>       rightsubnet=0.0.0.0/0
>       rightauth=psk
>       rightid=%any
>       xauth_identity=myUsername
>       auto=add
>
> ipsec.secrets:
> ------------------
> : PSK "PreSharedKey"
> : XAUTH "MyPassword"
>
>
> 195.1.2.3 is the IP of the public interface of our VPN gateway. For now I
> want to tunnel all my traffic. That's why I configured rightsubnet=0.0.0.0/0.
>
> Here is the topology of what I am trying:
>
> I am using a Notebook with an IP of 192.168.2.101 and I am behind a
> router which has the IP 192.168.2.1. I want to build up a tunnel to the
> Gateway 195.1.2.3, the gateway offers me an IP address always from the
> pool 10.20.223.0/24 and from that point I think all my traffic should go
> through the tunnel to the gateway 195.1.2.3 with a source IP of
> 10.20.223.0/24.
>
> If I start building the tunnel I see the following output:
>
> root at hoare: ~$>ipsec up home
> initiating Main Mode IKE_SA home[1] to 195.1.2.3
> generating ID_PROT request 0 [ SA V V V ]
> sending packet: from 192.168.2.101[4500] to 195.1.2.3[4500]
> received packet: from 195.1.2.3[4500] to 192.168.2.101[4500]
> parsed ID_PROT response 0 [ SA V V V V V V ]
> received XAuth vendor ID
> received NAT-T (RFC 3947) vendor ID
> received DPD vendor ID
> received unknown vendor ID:
> 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:c0:00:00:00
> received Cisco Unity vendor ID
> received unknown vendor ID: c6:f5:7a:c3:98:f4:93:20:81:45:b7:58:1e:87:89:83
> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> sending packet: from 192.168.2.101[4500] to 195.1.2.3[4500]
> received packet: from 195.1.2.3[4500] to 192.168.2.101[4500]
> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
> local host is behind NAT, sending keep alives
> remote host is behind NAT
> generating ID_PROT request 0 [ ID HASH ]
> sending packet: from 192.168.2.101[4500] to 195.1.2.3[4500]
> received packet: from 195.1.2.3[4500] to 192.168.2.101[4500]
> parsed ID_PROT response 0 [ ID HASH N(INITIAL_CONTACT) ]
> received packet: from 195.1.2.3[4500] to 192.168.2.101[4500]
> parsed TRANSACTION request 1390831875 [ HASH CP ]
> generating TRANSACTION response 1390831875 [ HASH CP ]
> sending packet: from 192.168.2.101[4500] to 195.1.2.3[4500]
> received packet: from 195.1.2.3[4500] to 192.168.2.101[4500]
> parsed TRANSACTION request 4028851316 [ HASH CP ]
> XAuth authentication of 'myUsername' (myself) successful
> IKE_SA home[1] established between
> 192.168.2.101[192.168.2.101]...195.1.2.3[10.20.223.136]
> scheduling reauthentication in 3322s
> maximum IKE_SA lifetime 3502s
> generating TRANSACTION response 4028851316 [ HASH CP ]
> sending packet: from 192.168.2.101[4500] to 195.1.2.3[4500]
> generating TRANSACTION request 887603534 [ HASH CP ]
> sending packet: from 192.168.2.101[4500] to 195.1.2.3[4500]
> received packet: from 195.1.2.3[4500] to 192.168.2.101[4500]
> parsed TRANSACTION response 887603534 [ HASH CP ]
> installing DNS server 10.20.100.21 to /etc/resolv.conf
> installing DNS server 10.20.151.21 to /etc/resolv.conf
> installing new virtual IP 10.20.223.225
> generating QUICK_MODE request 2572835224 [ HASH SA No KE ID ID ]
> sending packet: from 192.168.2.101[4500] to 195.1.2.3[4500]
> received packet: from 195.1.2.3[4500] to 192.168.2.101[4500]
> parsed QUICK_MODE response 2572835224 [ HASH SA No KE ID ID ]
> CHILD_SA home{1} established with SPIs cba38bd9_i d6f6f51c_o and TS
> 10.20.223.225/32 === 0.0.0.0/0
> root at hoare: ~$>
>
> Executing 'ip route list' gives me:
> default via 192.168.2.1 dev wlan0  proto static
> 192.168.2.0/24 dev wlan0  proto kernel  scope link  src 192.168.2.101
>
> and 'ip list route table 220' shows:
> default via 192.168.2.1 dev wlan0  proto static  src 10.20.223.225
>
> The command 'ip xfrm policy' gives back:
> src 0.0.0.0/0 dst 10.20.223.225/32
>           dir fwd priority 1923
>           tmpl src  dst 192.168.2.101
>                   proto esp reqid 2 mode tunnel
> src 0.0.0.0/0 dst 10.20.223.225/32
>           dir in priority 1923
>           tmpl src 195.1.2.3 dst 192.168.2.101
>                   proto esp reqid 2 mode tunnel
> src 10.20.223.225/32 dst 0.0.0.0/0
>           dir out priority 1923
>           tmpl src 192.168.2.101 dst 195.1.2.3
>                   proto esp reqid 2 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0
>           socket in priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>           socket out priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>           socket in priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>           socket out priority 0
> src ::/0 dst ::/0
>           socket in priority 0
> src ::/0 dst ::/0
>           socket out priority 0
> src ::/0 dst ::/0
>           socket in priority 0
> src ::/0 dst ::/0
>           socket out priority 0
>
> After a minute or two if I re-execute 'ip route list table 220' I get no
> output, table 220 is empty. Is this correct? I also see, that the
> offered DNS servers are deleted from /etc/resolv.conf.
>
> After I established the tunnel using the above mentioned configuration
> and I try to enter one of our Intranet-Sites I see a lot of ESP traffic
> (using wireshark) but I never get back an answer.
>
> Using the NCP client under Windows I can see that the client installs a
> virtual network interface. Connecting to the gateway the client assigns
> the offered virtual IP to this interface. I am also able to connect into
> the company's intranet using my HTC smartphone with its pre-installed VPN
> client. So, I think there is no special protocol behaviour of the NCP
> VPN gateway.
>
> I will appreciate any help.
>
> Thanks and regards
>
> Markus


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

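An added check, not from this thread or from strongSwan itself, that automates the look Andreas describes: it parses `ip route list table 220` and `ip xfrm policy` output and reports whether the virtual-IP source route and the three tunnel policies (out/in/fwd) of the CHILD_SA are still installed, so a vanished route or policy shows up as a finding instead of silent ESP traffic with no answers. The function names and the sample output are constructed to match the addresses in the thread.

```python
import re

def has_vip_route(table220: str, vip: str) -> bool:
    """True if table 220 has a default route with src=VIP (how strongSwan installs a VIP)."""
    pat = re.compile(r"^default via \S+ dev \S+ .*\bsrc " + re.escape(vip) + r"(\s|$)")
    return any(pat.match(line.strip()) for line in table220.splitlines())

def parse_xfrm_policies(output: str) -> list:
    """Parse `ip xfrm policy` output; socket policies get dir='socket', fwd keeps tmpl_src=None."""
    policies, cur = [], None
    for line in map(str.strip, output.splitlines()):
        if m := re.match(r"src (\S+) dst (\S+)$", line):
            cur = {"src": m[1], "dst": m[2], "dir": None, "tmpl_src": None, "tmpl_dst": None}
            policies.append(cur)
        elif cur and line.startswith(("dir ", "socket ")):
            cur["dir"] = "socket" if line.startswith("socket") else line.split()[1]
        elif cur and (m := re.match(r"tmpl src (\S*)\s+dst (\S+)", line)):
            cur["tmpl_src"], cur["tmpl_dst"] = (m[1] or None), m[2]
    return policies

def missing_tunnel_policies(policies: list, vip: str, local: str, gw: str) -> list:
    """Directions whose policy for the VIP/32 === 0.0.0.0/0 tunnel to gw is absent."""
    want = {"out": (f"{vip}/32", "0.0.0.0/0", local, gw),
            "in": ("0.0.0.0/0", f"{vip}/32", gw, local),
            "fwd": ("0.0.0.0/0", f"{vip}/32", None, local)}
    return [d for d, (s, t, ts, td) in want.items()
            if not any(p["dir"] == d and p["src"] == s and p["dst"] == t and
                       p["tmpl_src"] == ts and p["tmpl_dst"] == td for p in policies)]

def diagnose(table220: str, xfrm: str, vip: str, local: str, gw: str) -> list:
    """Findings for 'tunnel up but nothing answers': VIP route gone or a policy missing."""
    found = [] if has_vip_route(table220, vip) else ["no VIP route in table 220"]
    return found + ["missing xfrm %s policy" % d for d in
                    missing_tunnel_policies(parse_xfrm_policies(xfrm), vip, local, gw)]

# Constructed sample, modelled on the thread; the parser ignores 'proto esp' lines, so they are left out.
SAMPLE_TABLE220 = "default via 192.168.2.1 dev wlan0  proto static  src 10.20.223.225\n"
SAMPLE_XFRM = """\
src 0.0.0.0/0 dst 10.20.223.225/32
        dir fwd priority 1923
        tmpl src  dst 192.168.2.101
src 0.0.0.0/0 dst 10.20.223.225/32
        dir in priority 1923
        tmpl src 195.1.2.3 dst 192.168.2.101
src 10.20.223.225/32 dst 0.0.0.0/0
        dir out priority 1923
        tmpl src 192.168.2.101 dst 195.1.2.3
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
"""
```

On a live host, replace the samples with the output of `ip route list table 220` and `ip xfrm policy`; an empty finding list means the kernel side of the tunnel is intact and the problem lies elsewhere.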

