<!DOCTYPE html><html><head>
<style type="text/css">body { font-family:'DejaVu Sans Mono'; font-size:12px}</style>
</head>
<body><div>Hi Miroslav,</div><div><br></div><div>Thank you.</div><div><br></div><div>We've made progress. I haven't included the any of the log file as it is very verbose (24488 lines - for ipsec up, statusall, down). Please let me know which sections to look at and I'll grab those.</div><div><br></div><div>As you can see below the transaction request below seems to be very laboured but does result in a success statement. Following that I have tried to test with openl2tp to create the l2tp ppp tunnel. Openl2tp seems create this tunnel but ifconfig does not show any ppp interfaces.</div><div><br></div><div>The lines in the conn left/rightprotoport do not seem to affect the outcome whether included or not. The charondebug line when uncommented prevents any output and I suspect that the syntax is wrong there.</div><div><br></div><div><br></div><div><br></div><div>code:</div><div><br></div><div># ipsec.conf - strongSwan IPsec configuration file<br><br># basic configuration<br><br>config setup<br> # strictcrlpolicy=yes<br> # uniqueids = no<br># charondebug="ike 3, cfg 3, app 3, chd 3, dmn 3, net 3"<br><br>conn VPN-OFFICE-COM<br> keyexchange=ikev1<br> type=tunnel<br> authby=secret<br> ike=3des-sha1-modp1024<br> rekey=no<br> left=%any<br> leftsourceip=%config<br># leftprotoport=udp/l2tp<br> right=vpn.office.com<br># rightprotoport=udp/l2tp<br> rightid=17.11.7.5<br> rightsubnet=0.0.0.0/0<br> auto=add<br><br><br># ipsec up VPN-OFFICE-COM<br>initiating Main Mode IKE_SA VPN-OFFICE-COM[1] to 17.11.7.5<br>generating ID_PROT request 0 [ SA V V V V ]<br>sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)<br>received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)<br>parsed ID_PROT response 0 [ SA V V ]<br>received draft-ietf-ipsec-nat-t-ike-02\n vendor ID<br>received FRAGMENTATION vendor ID<br>generating ID_PROT request 0 [ KE No NAT-D NAT-D ]<br>sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)<br>received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)<br>parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]<br>received Cisco Unity vendor ID<br>received XAuth vendor ID<br>received unknown vendor ID: [HIDDEN]<br>received unknown vendor ID: [HIDDEN]<br>local host is behind NAT, sending keep alives<br>generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]<br>sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)<br>received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)<br>parsed ID_PROT response 0 [ ID HASH V ]<br>received DPD vendor ID<br>IKE_SA VPN-OFFICE-COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]<br>generating TRANSACTION request [HIDDEN] [ HASH CPRQ(ADDR DNS U_SPLITINC U_LOCALLAN) ]<br>sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)<br>sending retransmit 1 of request message ID [HIDDEN], seq 4<br>sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)<br>sending retransmit 2 of request message ID [HIDDEN], seq 4<br>sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)<br>sending retransmit 3 of request message ID [HIDDEN], seq 4<br>sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)<br>received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)<br>parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH N(DPD) ]<br>received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)<br>parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH N(DPD) ]<br>received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)<br>parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH N(DPD) ]<br>sending keep alive to 17.11.7.5[4500]<br>sending retransmit 4 of request message ID [HIDDEN], seq 4<br>sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)<br>received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)<br>parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH D ]<br>received DELETE for IKE_SA VPN-OFFICE-COM[1]<br>deleting IKE_SA VPN-OFFICE-COM[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]<br>initiating Main Mode IKE_SA VPN-OFFICE-COM[2] to 17.11.7.5<br>generating ID_PROT request 0 [ SA V V V V ]<br>sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)<br>connection 'VPN-OFFICE-COM' established successfully<br><br><br># ipsec statusall<br>Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.16.5-gentoo, x86_64):<br> uptime: 112 seconds, since Apr 20 09:23:17 2015<br> malloc: sbrk [HIDDEN], mmap 0, used [HIDDEN], free [HIDDEN]<br> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2<br> loaded plugins: charon ldap mysql sqlite aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default socket-dynamic farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap xauth-pam dhcp lookip led unity<br>Listening IP addresses:<br> 1.2.3.4<br>Connections:<br>VPN-OFFICE-COM: %any...vpn.office.com IKEv1<br>VPN-OFFICE-COM: local: [1.2.3.4] uses pre-shared key authentication<br>VPN-OFFICE-COM: remote: [17.11.7.5] uses pre-shared key authentication<br>VPN-OFFICE-COM: child: dynamic[udp/l2tp] === 172.18.7.0/24[udp/l2tp] TUNNEL<br>Security Associations (1 up, 0 connecting):<br>VPN-OFFICE-COM[2]: ESTABLISHED 40 seconds ago, 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]<br>VPN-OFFICE-COM[2]: IKEv1 SPIs: [HIDDEN]_i* [HIDDEN]_r, rekeying disabled<br>VPN-OFFICE-COM[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>VPN-OFFICE-COM[2]: Tasks queued: QUICK_MODE ISAKMP_DPD ISAKMP_DPD ISAKMP_DPD <br>VPN-OFFICE-COM[2]: Tasks active: MODE_CONFIG<br><br><br># ipsec down VPN-OFFICE-COM<br>received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)<br>parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH D ]<br>received DELETE for IKE_SA VPN-OFFICE-COM[2]<br>deleting IKE_SA VPN-OFFICE-COM[2] between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]<br>initiating Main Mode IKE_SA VPN-OFFICE-COM[3] to 17.11.7.5<br>generating ID_PROT request 0 [ SA V V V V ]<br>sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)<br>IKE_SA [2] closed successfully</div><div><br></div><div><br></div><div><br></div><div><br></div><div>--</div><div>Kind regards</div><div><br></div><div>Stephen Feyrer</div><div><br></div><div><br></div><div><br></div><div>On Mon, 20 Apr 2015 00:57:42 +0100, Miroslav Svoboda <goodmirek@goodmirek.cz> wrote:<br></div><br><blockquote style="margin: 0 0 0.80ex; border-left: #0000FF 2px solid; padding-left: 1ex"><div dir="ltr">Hi Stephen,<div><br></div><div>Please delete type=transport or change it to type=tunnel.</div><div>Also delete rightprotoport and leftprotoport.</div><div><br></div><div>If this did not help, please provide again ipsec statusall + enable logging at higher level as described <a href="https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration">here</a> and provide logfile.</div><div><br></div><div>Regards,</div><div>Miroslav<br><br>On Monday, April 20, 2015 at 1:47:48 AM UTC+2, Stephen Feyrer wrote:<blockquote class="gmail_quote" style="margin: 0;margin-left: 0.8ex;border-left: 1px #ccc solid;padding-left: 1ex;">
<div><div>Hi Miroslav,</div><div><br></div><div>You are correct, the syntax error is gone. Sadly, there is not much which I can tell you about my office Network topology. All that I do know is that we pass through a Windows Firewall before being able to connect our work stations.</div><div><br></div><div><br></div><div>code:</div><div><br></div><div># ipsec.conf - strongSwan IPsec configuration file<br><br># basic configuration<br><br>config setup<br> # strictcrlpolicy=yes<br> # uniqueids = no<br><br>conn VPN-OFFICE-COM<br> keyexchange=ikev1<br> type=transport<br> authby=secret<br> ike=3des-sha1-modp1024<br> rekey=no<br> left=%any<br> leftsourceip=%config<br> leftprotoport=udp/l2tp<br> right=<a href="http://vpn.office.com" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2Fvpn.office.com\46sa\75D\46sntz\0751\46usg\75AFQjCNGQRLQlVjlUgNcSD2i1qgrVed6G-Q';return true;" onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2Fvpn.office.com\46sa\75D\46sntz\0751\46usg\75AFQjCNGQRLQlVjlUgNcSD2i1qgrVed6G-Q';return true;">vpn.office.com</a><br> rightprotoport=udp/l2tp<br> rightid=17.11.7.5<br> rightsubnet=<a href="http://0.0.0.0/0" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2F0.0.0.0%2F0\46sa\75D\46sntz\0751\46usg\75AFQjCNETOu60a3HCyMN138-VZlWuvaAA1A';return true;" onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2F0.0.0.0%2F0\46sa\75D\46sntz\0751\46usg\75AFQjCNETOu60a3HCyMN138-VZlWuvaAA1A';return true;">0.0.0.0/0</a><br> auto=add<br><br><br><br># ipsec up VPN-OFFICE-COM<br>initiating Main Mode IKE_SA VPN-OFFICE-COM[14] to 17.11.7.5<br>generating ID_PROT request 0 [ SA V V V V ]<br>sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)<br>received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)<br>parsed ID_PROT response 0 [ SA V V ]<br>received draft-ietf-ipsec-nat-t-ike-02\n vendor ID<br>received FRAGMENTATION vendor ID<br>generating ID_PROT request 0 [ KE No NAT-D NAT-D ]<br>sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)<br>received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)<br>parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]<br>received Cisco Unity vendor ID<br>received XAuth vendor ID<br>received unknown vendor ID: [HIDDEN]<br>received unknown vendor ID: [HIDDEN]<br>local host is behind NAT, sending keep alives<br>generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]<br>sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)<br>received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)<br>parsed ID_PROT response 0 [ ID HASH V ]<br>received DPD vendor ID<br>IKE_SA VPN-OFFICE-COM[14] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]<br>generating QUICK_MODE request [HIDDEN] [ HASH SA No ID ID NAT-OA NAT-OA ]<br>sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)<br>received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)<br>parsed QUICK_MODE response [HIDDEN] [ HASH SA No ID ID N(([HIDDEN])) NAT-OA ]<br>received 28800s lifetime, configured 0s<br>no acceptable traffic selectors found<br>establishing connection 'VPN-OFFICE-COM' failed<br><br><br># ipsec statusall<br>Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.16.5-gentoo, x86_64):<br> uptime: 3 hours, since Apr 19 20:50:15 2015<br> malloc: sbrk [HIDDEN], mmap 0, used [HIDDEN], free [HIDDEN]<br> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1<br> loaded plugins: charon ldap mysql sqlite aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default socket-dynamic farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap xauth-pam dhcp lookip led unity<br>Listening IP addresses:<br> 1.2.3.4<br>Connections:<br>VPN-OFFICE-COM: %any...<a href="http://vpn.office.com" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2Fvpn.office.com\46sa\75D\46sntz\0751\46usg\75AFQjCNGQRLQlVjlUgNcSD2i1qgrVed6G-Q';return true;" onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2Fvpn.office.com\46sa\75D\46sntz\0751\46usg\75AFQjCNGQRLQlVjlUgNcSD2i1qgrVed6G-Q';return true;">vpn.office.com</a> IKEv1<br>VPN-OFFICE-COM: local: [1.2.3.4] uses pre-shared key authentication<br>VPN-OFFICE-COM: remote: [17.11.7.5] uses pre-shared key authentication<br>VPN-OFFICE-COM: child: dynamic[udp/l2tp] === dynamic[udp/l2tp] TRANSPORT<br>Security Associations (1 up, 0 connecting):<br>VPN-OFFICE-COM[14]: ESTABLISHED 6 seconds ago, 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]<br>VPN-OFFICE-COM[14]: IKEv1 SPIs: [HIDDEN]_i* [HIDDEN]_r, rekeying disabled<br>VPN-OFFICE-COM[14]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024</div><div><br></div><div><br></div><div>Thank you for your help. I hope this tells you more than it does me.</div><div><br></div><div><br></div><div>--</div><div>Kind regards</div><div><br></div><div>Stephen Feyrer.</div><div><br></div><div><br></div><div><br></div><div>On Sun, 19 Apr 2015 09:11:04 +0100, Miroslav Svoboda <<a href="javascript:" target="_blank" gdf-obfuscated-mailto="7dLT-Bgi7owJ" rel="nofollow" onmousedown="this.href='javascript:';return true;" onclick="this.href='javascript:';return true;">good...@goodmirek.cz</a>> wrote:<br></div><br><blockquote style="margin:0 0 0.80ex;border-left:#0000ff 2px solid;padding-left:1ex"><div dir="ltr">Hi Stephen,<div><br></div><div>So I assume there is no longer any syntax error reported.</div><div><br></div><div>From logfile I see there is no acceptable traffic selector. I assume that you have a home PC (Ubuntu) with Strongswan which you want to connect to the office VPN concentrator with IP <span style="color:rgb(0,0,0);white-space:pre-wrap">17.11.7.5 </span>running Windows. I suppose VPN concentrator in the office is not configured to route any traffic towards you home PC's IP address, thus you will need a virtual IP address assigned to your home PC by the VPN concentrator. Also I suppose you want to route all traffic via that VPN once connected.</div><div><div>Then, please try to modify "left=%defaultroute" to "left=%any" and add "rightsubnet=<a href="http://0.0.0.0/0" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2F0.0.0.0%2F0\46sa\75D\46sntz\0751\46usg\75AFQjCNETOu60a3HCyMN138-VZlWuvaAA1A';return true;" onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2F0.0.0.0%2F0\46sa\75D\46sntz\0751\46usg\75AFQjCNETOu60a3HCyMN138-VZlWuvaAA1A';return true;">0.0.0.0/0</a>" and "leftsourceip=%config". You should not specify "leftsubnet", it has same effect as "leftsubnet=%dynamic".</div><div>According to documentation at <a href="https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection" target="_blank" rel="nofollow" onmousedown="this.href='https://www.google.com/url?q\75https%3A%2F%2Fwiki.strongswan.org%2Fprojects%2Fstrongswan%2Fwiki%2FConnSection\46sa\75D\46sntz\0751\46usg\75AFQjCNFsdYeEM5NBFD0X47iY0f8kR2fGVw';return true;" onclick="this.href='https://www.google.com/url?q\75https%3A%2F%2Fwiki.strongswan.org%2Fprojects%2Fstrongswan%2Fwiki%2FConnSection\46sa\75D\46sntz\0751\46usg\75AFQjCNFsdYeEM5NBFD0X47iY0f8kR2fGVw';return true;">wiki</a> configuration directive "left=defaultroute%" was used prior to version 5.0.0, superseded by "left=%any".<br></div><div>leftsubnet=%dynamic (or omitting leftsubnet at all) and rightsubnet=<a href="http://0.0.0.0/0" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2F0.0.0.0%2F0\46sa\75D\46sntz\0751\46usg\75AFQjCNETOu60a3HCyMN138-VZlWuvaAA1A';return true;" onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2F0.0.0.0%2F0\46sa\75D\46sntz\0751\46usg\75AFQjCNETOu60a3HCyMN138-VZlWuvaAA1A';return true;">0.0.0.0/0</a> will create your traffic selector. It says that anything (<a href="http://0.0.0.0/0" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2F0.0.0.0%2F0\46sa\75D\46sntz\0751\46usg\75AFQjCNETOu60a3HCyMN138-VZlWuvaAA1A';return true;" onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2F0.0.0.0%2F0\46sa\75D\46sntz\0751\46usg\75AFQjCNETOu60a3HCyMN138-VZlWuvaAA1A';return true;">0.0.0.0/0</a>) from your side will be routed to remote host and that the remote host will route towards your PC (left==local) a traffic which would fit your dynamically assigned IP. Should you want to route towards office network only office-related traffic then change "rightsubnet=<subnet_used_in_Stephen's_office>".</div><div><div><br></div></div><div>If that didn't help please can you provide output of 'ipsec statusall' and also more details about network topology?</div></div><div><br></div><div>Regards,</div><div>Miroslav</div><div><br>On Saturday, April 18, 2015 at 5:28:12 PM UTC+2, Stephen Feyrer wrote:<blockquote class="gmail_quote" style="margin:0;margin-left:0.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div>Hi Miroslav,</div><div><br></div><div>Thank you. The conn section as presented below was copied and pasted from web page for convenience (this stripped the leading white spaced from the conn section). For the moment the white spaces are in form of TAB characters. I will test with space characters and complete this email.</div><div><br></div><div>I Apologise for the lack of white spaces in the conn section of below email. I have now tested with both spaces and tabs, each producing the same error as below.</div><div><br></div><div><br></div><div>--</div><div>Kind regards</div><div><br></div><div>Stephen Feyrer.</div><div><br></div><div><br></div><div>On Sat, 18 Apr 2015 13:25:20 +0100, Miroslav Svoboda <<a rel="nofollow">good...@goodmirek.cz</a>> wrote:<br></div><br><blockquote style="margin:0 0 0.80ex;border-left:#0000ff 2px solid;padding-left:1ex"><div dir="ltr"><div><div>Hi Stephen,</div><div><br></div><div>I believe the issue might be caused as the "conn" section is not compliant with prescribed format. There should be at least one whitespace at the beginning of each line within the section. Only sections can and shall start at the first character of the line.</div><div><br></div><div>Supposed correction:</div><div><div><font face="monospace, monospace"><b>conn VPN-OFFICE-COM</b></font></div><div><font face="monospace, monospace"><b> keyexchange=ikev1</b></font></div><div><b style="font-family:monospace,monospace"> </b><font face="monospace, monospace"><b>type=transport</b></font></div><div><b style="font-family:monospace,monospace"> </b><font face="monospace, monospace"><b>authby=secret</b></font></div><div><b style="font-family:monospace,monospace"> </b><font face="monospace, monospace"><b>ike=3des-sha1-modp1024</b></font></div><div><b style="font-family:monospace,monospace"> </b><font face="monospace, monospace"><b>rekey=no</b></font></div><div><b style="font-family:monospace,monospace"> </b><font face="monospace, monospace"><b>left=%defaultroute</b></font></div><div><b style="font-family:monospace,monospace"> </b><font face="monospace, monospace"><b>leftprotoport=udp/l2tp</b></font></div><div><b style="font-family:monospace,monospace"> </b><font face="monospace, monospace"><b>right=<a href="http://vpn.office.com" rel="nofollow" target="_blank" onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2Fvpn.office.com\46sa\75D\46sntz\0751\46usg\75AFQjCNGQRLQlVjlUgNcSD2i1qgrVed6G-Q';return true;" onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2Fvpn.office.com\46sa\75D\46sntz\0751\46usg\75AFQjCNGQRLQlVjlUgNcSD2i1qgrVed6G-Q';return true;">vpn.office.com</a></b></font></div><div><b style="font-family:monospace,monospace"> </b><font face="monospace, monospace"><b>rightprotoport=udp/l2tp</b></font></div><div><b style="font-family:monospace,monospace"> </b><font face="monospace, monospace"><b>rightid=17.11.7.5</b></font></div><div><b style="font-family:monospace,monospace"> </b><font face="monospace, monospace"><b>auto=add</b></font></div></div><div><br></div><div>Regards,</div><div>Miroslav</div><div><br></div><div>Message: 3</div><div>Date: Fri, 17 Apr 2015 14:08:57 +0100</div><div>From: "Stephen Feyrer" <<a rel="nofollow">stephen...@btinternet.com</a>></div><div>To: <a rel="nofollow">us...@lists.strongswan.org</a></div><div>Subject: Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error,</div><div> unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]</div><div>Message-ID: <<a rel="nofollow">op.xw8ms...@sveta.home.org</a>></div><div>Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes</div><div><br></div><div>Hi Neol,</div><div><br></div><div>Thank you. I have removed the file /etc/strongswan.d/VPN.conf</div><div><br></div><div>In /etc/ipsec.conf I have the same configuration. At least there is</div><div>progress, unfortunately I am still baffled. This is the previously</div><div>working configuration.</div><div><br></div><div>code:</div><div><br></div><div># ipsec.conf - strongSwan IPsec configuration file</div><div><br></div><div># basic configuration</div><div><br></div><div>config setup</div><div> # strictcrlpolicy=yes</div><div> # uniqueids = no</div><div><br></div><div>conn VPN-OFFICE-COM</div><div>keyexchange=ikev1</div><div>type=transport</div><div>authby=secret</div><div>ike=3des-sha1-modp1024</div><div>rekey=no</div><div>left=%defaultroute</div><div>leftprotoport=udp/l2tp</div><div>right=<a href="http://vpn.office.com" rel="nofollow" target="_blank" onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2Fvpn.office.com\46sa\75D\46sntz\0751\46usg\75AFQjCNGQRLQlVjlUgNcSD2i1qgrVed6G-Q';return true;" onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2Fvpn.office.com\46sa\75D\46sntz\0751\46usg\75AFQjCNGQRLQlVjlUgNcSD2i1qgrVed6G-Q';return true;">vpn.office.com</a></div><div>rightprotoport=udp/l2tp</div><div>rightid=17.11.7.5</div><div>auto=add</div><div><br></div><div><br></div><div>Having restarted ipsec, I get the following result</div><div><br></div><div>code:</div><div><br></div><div># ipsec up VPN-OFFICE-COM</div><div>initiating Main Mode IKE_SA VPN-OFFICE-COM[1] to 17.11.7.5</div><div>generating ID_PROT request 0 [ SA V V V V ]</div><div>sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)</div><div>received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)</div><div>parsed ID_PROT response 0 [ SA V V ]</div><div>received draft-ietf-ipsec-nat-t-ike-02\n vendor ID</div><div>received FRAGMENTATION vendor ID</div><div>generating ID_PROT request 0 [ KE No NAT-D NAT-D ]</div><div>sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)</div><div>received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)</div><div>parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]</div><div>received Cisco Unity vendor ID</div><div>received XAuth vendor ID</div><div>received unknown vendor ID: [Available On Request]</div><div>received unknown vendor ID: [Available On Request]</div><div>local host is behind NAT, sending keep alives</div><div>generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]</div><div>sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)</div><div>received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)</div><div>parsed ID_PROT response 0 [ ID HASH V ]</div><div>received DPD vendor ID</div><div>IKE_SA VPN-OFFICE-COM[1] established between</div><div>1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]</div><div>generating QUICK_MODE request [Available On Request] [ HASH SA No ID ID</div><div>NAT-OA NAT-OA ]</div><div>sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)</div><div>received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)</div><div>parsed QUICK_MODE response [Available On Request] [ HASH SA No ID ID</div><div>N((24576)) NAT-OA ]</div><div>received 28800s lifetime, configured 0s</div><div>no acceptable traffic selectors found</div><div>establishing connection 'VPN-OFFICE-COM' failed</div><div><br></div><div><br></div><div><br></div><div>--</div><div>Kind regards</div><div><br></div><div><br></div><div>Stephen Feyrer<br></div></div></div></blockquote></div></blockquote></div></div></blockquote><br><br><br><div><div>-- </div><div><div>Kind regards<br><br><br>Stephen Feyrer<br></div></div></div></div></blockquote></div></div></blockquote><br><br><br><div id="M2Signature"><div>-- </div><div><div>Kind regards<br><br><br>Stephen Feyrer<br></div></div></div></body></html>