Hi,all<br><br>I use strongswan 5.0.2 in debian 6, here is the config<br><br>============================================================<br>strongswan server<br>LAN IP: <a href="http://192.168.100.200/24">192.168.100.200/24</a><br>
DG: 192.168.100.1<br>WAN IP: 1.1.1.1<br><br># /etc/ipsec.conf<br>config setup<br>conn psk<br> auto=add<br> authby=secret<br> keyexchange=ikev1<br> aggressive=yes<br> modeconfig=push<br> left=%defaultroute<br>
leftsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a><br> leftauth=psk<br> right=%any<br> rightsourceip=10.0.0.200<br> rightauth=psk<br> rightauth2=xauth<br><br># /etc/ipsec.secrets<br>
user : XAUTH "pass"<br>2.2.2.2 : PSK "pass"<br><br># /etc/strongswan.conf<br>charon {<br> threads = 16<br> dns1 = 8.8.8.8<br> dns2 = 8.8.4.4<br> i_dont_care_about_security_and_use_aggressive_mode_psk = yes<br>
}<br><br># ipsec statusall<br>Status of IKE charon daemon (weakSwan 5.0.2, Linux 2.6.32-5-amd64, x86_64):<br> uptime: 17 minutes, since Apr 07 11:31:17 2013<br> malloc: sbrk 401408, mmap 0, used 237472, free 163936<br> worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 3<br>
loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity<br>
Virtual IP pools (size/online/offline):<br> <a href="http://10.0.0.200">10.0.0.200</a>: 1/1/0<br>Listening IP addresses:<br> 192.168.100.200<br>Connections:<br> psk: %any...%any IKEv1 Aggressive<br> psk: local: [192.168.100.200] uses pre-shared key authentication<br>
psk: remote: uses pre-shared key authentication<br> psk: remote: uses XAuth authentication: any<br> psk: child: <a href="http://0.0.0.0/0">0.0.0.0/0</a> === dynamic TUNNEL<br>Security Associations (1 up, 0 connecting):<br>
psk[1]: ESTABLISHED 17 minutes ago, 192.168.100.200[192.168.100.200]...2.2.2.2[client]<br> psk[1]: Remote XAuth identity: user<br> psk[1]: IKEv1 SPIs: 10e5b73cb5de2748_i adabd73d6c43d71a_r*, pre-shared key reauthentication in 2 hours<br>
psk[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br> psk{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: cd10078b_i daeaedfe_o<br> psk{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 25 minutes<br>
psk{1}: <a href="http://0.0.0.0/0">0.0.0.0/0</a> === <a href="http://10.0.0.200/32">10.0.0.200/32</a><br>============================================================<br><br>VPN client is vpnc in debian 6<br><br>
============================================================<br>vpnc client<br>LAN IP: <a href="http://192.168.1.77/24">192.168.1.77/24</a><br>DG: 192.168.1.1<br>WAN IP: 2.2.2.2<br><br># /etc/vpnc/config<br>IPSec gateway 1.1.1.1<br>
IPSec ID client<br>IPSec secret pass<br>IKE Authmode psk<br>Xauth username user<br>Xauth password pass<br>============================================================<br><br>it's working, but some warnings on log file<br>
<br>============================================================<br>11:31:17 vpn charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.2, Linux 2.6.32-5-amd64, x86_64)<br>11:31:17 vpn charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'<br>
11:31:17 vpn charon: 00[CFG] loaded ca certificate "C=CN, O=StrongSwan, CN=<a href="http://ipsec.xxx.com">ipsec.xxx.com</a>" from '/etc/ipsec.d/cacerts/caCert.pem'<br>11:31:17 vpn charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'<br>
11:31:17 vpn charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'<br>11:31:17 vpn charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'<br>11:31:17 vpn charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'<br>
11:31:17 vpn charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'<br>11:31:17 vpn charon: 00[CFG] loaded EAP secret for user<br>11:31:17 vpn charon: 00[CFG] loaded IKE secret for 2.2.2.2<br>11:31:17 vpn charon: 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity<br>
11:31:17 vpn charon: 00[JOB] spawning 16 worker threads<br>11:31:17 vpn charon: 06[CFG] received stroke: add connection 'psk'<br>11:31:17 vpn charon: 06[CFG] left nor right host is our side, assuming left=local<br>
11:31:17 vpn charon: 06[CFG] adding virtual IP address pool 10.0.0.200<br>11:31:17 vpn charon: 06[CFG] added configuration 'psk'<br>11:31:23 vpn charon: 07[NET] received packet: from 2.2.2.2[25722] to 192.168.100.200[500] (1282 bytes)<br>
11:31:23 vpn charon: 07[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]<br>11:31:23 vpn charon: 07[IKE] received XAuth vendor ID<br>11:31:23 vpn charon: 07[IKE] received Cisco Unity vendor ID<br>11:31:23 vpn charon: 07[IKE] received NAT-T (RFC 3947) vendor ID<br>
11:31:23 vpn charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID<br>11:31:23 vpn charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID<br>11:31:23 vpn charon: 07[ENC] received unknown vendor ID: 27:f1:d6:32:df:a5:13:6f:72:25:aa:3f:6a:ef:a8:88<br>
11:31:23 vpn charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID<br>11:31:23 vpn charon: 07[IKE] received DPD vendor ID<br>11:31:23 vpn charon: 07[IKE] 2.2.2.2 is initiating a Aggressive Mode IKE_SA<br>11:31:23 vpn charon: 07[CFG] looking for XAuthInitPSK peer configs matching 192.168.100.200...2.2.2.2[client]<br>
11:31:23 vpn charon: 07[CFG] selected peer config "psk"<br>11:31:23 vpn charon: 07[ENC] generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V ]<br>11:31:23 vpn charon: 07[NET] sending packet: from 192.168.100.200[500] to 2.2.2.2[25722] (392 bytes)<br>
11:31:23 vpn charon: 09[NET] received packet: from 2.2.2.2[15275] to 192.168.100.200[4500] (172 bytes)<br>11:31:23 vpn charon: 09[ENC] parsed AGGRESSIVE request 0 [ HASH N(INITIAL_CONTACT) V V NAT-D NAT-D ]<br>11:31:23 vpn charon: 09[IKE] local host is behind NAT, sending keep alives<br>
11:31:23 vpn charon: 09[IKE] remote host is behind NAT<br>11:31:23 vpn charon: 09[ENC] generating TRANSACTION request 2654103914 [ HASH CP ]<br>11:31:23 vpn charon: 09[NET] sending packet: from 192.168.100.200[4500] to 2.2.2.2[15275] (76 bytes)<br>
11:31:23 vpn charon: 11[NET] received packet: from 2.2.2.2[15275] to 192.168.100.200[4500] (92 bytes)<br>11:31:23 vpn charon: 11[ENC] parsed TRANSACTION response 2654103914 [ HASH CP ]<br>11:31:23 vpn charon: 11[IKE] XAuth authentication of 'user' successful<br>
11:31:23 vpn charon: 11[ENC] generating TRANSACTION request 2343375310 [ HASH CP ]<br>11:31:23 vpn charon: 11[NET] sending packet: from 192.168.100.200[4500] to 2.2.2.2[15275] (76 bytes)<br>11:31:23 vpn charon: 12[NET] received packet: from 2.2.2.2[15275] to 192.168.100.200[4500] (76 bytes)<br>
11:31:23 vpn charon: 12[ENC] parsed TRANSACTION response 2343375310 [ HASH CP ]<br>11:31:23 vpn charon: 12[IKE] IKE_SA psk[1] established between 192.168.100.200[192.168.100.200]...2.2.2.2[client]<br>11:31:23 vpn charon: 12[IKE] scheduling reauthentication in 9843s<br>
11:31:23 vpn charon: 12[IKE] maximum IKE_SA lifetime 10383s<br>11:31:23 vpn charon: 10[NET] received packet: from 2.2.2.2[15275] to 192.168.100.200[4500] (172 bytes)<br>11:31:23 vpn charon: 10[ENC] parsed TRANSACTION request 2262595363 [ HASH CP ]<br>
11:31:23 vpn charon: 10[IKE] peer requested virtual IP %any<br>11:31:23 vpn charon: 10[CFG] assigning new lease to 'user'<br>11:31:23 vpn charon: 10[IKE] assigning virtual IP 10.0.0.200 to peer 'user'<br>11:31:23 vpn charon: 10[ENC] generating TRANSACTION response 2262595363 [ HASH CP ]<br>
11:31:23 vpn charon: 10[NET] sending packet: from 192.168.100.200[4500] to 2.2.2.2[15275] (92 bytes)<br>11:31:23 vpn charon: 13[NET] received packet: from 2.2.2.2[15275] to 192.168.100.200[4500] (620 bytes)<br>11:31:23 vpn charon: 13[ENC] parsed QUICK_MODE request 117587104 [ HASH SA No ID ID ]<br>
11:31:23 vpn charon: 13[IKE] received 2147483s lifetime, configured 3600s<br>11:31:23 vpn charon: 13[ENC] generating QUICK_MODE response 117587104 [ HASH SA No ID ID ]<br>11:31:23 vpn charon: 13[NET] sending packet: from 192.168.100.200[4500] to 2.2.2.2[15275] (188 bytes)<br>
11:31:23 vpn charon: 08[NET] received packet: from 2.2.2.2[15275] to 192.168.100.200[4500] (60 bytes)<br>11:31:23 vpn charon: 08[ENC] parsed QUICK_MODE request 117587104 [ HASH ]<br>11:31:23 vpn charon: 08[IKE] CHILD_SA psk{1} established with SPIs cd10078b_i daeaedfe_o and TS <a href="http://0.0.0.0/0">0.0.0.0/0</a> === <a href="http://10.0.0.200/32">10.0.0.200/32</a><br>
11:31:23 vpn charon: 06[NET] received packet: from 2.2.2.2[15275] to 192.168.100.200[4500] (92 bytes)<br>11:31:23 vpn charon: 06[ENC] parsed INFORMATIONAL_V1 request 2510066777 [ HASH N(DPD) ]<br>11:31:23 vpn charon: 06[ENC] generating INFORMATIONAL_V1 request 2638375961 [ HASH N(DPD_ACK) ]<br>
11:31:23 vpn charon: 06[NET] sending packet: from 192.168.100.200[4500] to 2.2.2.2[15275] (92 bytes)<br>11:31:32 vpn charon: 01[ENC] not enough input to parse rule 0 IKE_SPI<br>11:31:32 vpn charon: 01[ENC] header could not be parsed<br>
11:31:32 vpn charon: 01[NET] received invalid IKE header from 2.2.2.2 - ignored<br>11:31:41 vpn charon: 01[ENC] not enough input to parse rule 0 IKE_SPI<br>11:31:41 vpn charon: 01[ENC] header could not be parsed<br>11:31:41 vpn charon: 01[NET] received invalid IKE header from 2.2.2.2 - ignored<br>
11:31:47 vpn charon: 10[IKE] sending keep alive to 2.2.2.2[15275]<br>11:31:56 vpn charon: 01[ENC] not enough input to parse rule 0 IKE_SPI<br>11:31:56 vpn charon: 01[ENC] header could not be parsed<br>11:31:56 vpn charon: 01[NET] received invalid IKE header from 2.2.2.2 - ignored<br>
============================================================<br><br>How can I fixed it?<br>