<div dir="ltr"><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div>Hello Martin,<br><br></div>Sorry for replying, acknowledging and reporting the results so late in the day.<br><br></div>Yes!!! Your advice and solution were spot-on and worked. For the benefit of other users, and for future reference, I am posting the sample configs used at both server-side (VPN/roadwarrior server for Unity-supported clients, plus a commented-out section which can be used for other standard VPN clients, etc.) and client-side.<br><br></div>These samples include the other conf files (plugins) used on the server side and the client side. Hopefully this info should be of some help.<br><br></div>Thanks once again for your kind help.<br><br>=======================================<br></div>On Server-side sample config<br><br></div>ipsec.conf<br>------------<br>#/etc/ipsec.conf - strongSwan IPsec configuration file<br><br>config setup<br> strictcrlpolicy=no<br> charondebug="ike 1, knl 1, cfg 1"<br> <br>conn %default<br> ikelifetime=8h<br> keylife=3h<br> rekeymargin=9m<br> keyingtries=1<br> mobike=no<br> dpddelay=30s<br> dpdtimeout=120s<br> dpdaction=clear<br><br>conn cscovpnclients1<br> aggressive=yes<br> left=1.1.1.3<br> leftsubnet=192.168.2.0/24,172.16.0.0/16<br> leftid=@vpnsrv1.svttest.com<br> leftauth=psk<br> right=%any<br> rightsourceip=192.168.219.0/24<br> rightauth=psk<br> rightauth2=xauth<br> keyexchange=ikev1<br> ike=aes256-sha1-modp1024<br> esp=aes128-sha1<br> xauth=server<br> modeconfig=pull<br> auto=add<br># <br>#conn otherclients1<br># left=1.1.1.3<br># leftsubnet=0.0.0.0/0<br># leftid=@vpnsrv2.svttest.com<br># leftauth=psk<br># right=%any<br># rightsourceip=192.168.220.0/24<br># rightauth=psk<br># rightauth2=xauth<br># keyexchange=ikev1<br># ike=aes128-sha1-modp1024<br># esp=aes128-sha1<br># xauth=server<br># modeconfig=pull<br># auto=add<br><br>-------------------<br></div>ipsec.secrets<br>------------------<br>#/etc/ipsec.secrets - strongSwan IPsec secrets file<br>@vpnsrv1.svttest.com @remotclient.svttest.com : PSK "123456789"<br>@vpnsrv2.svttest.com @otherclient.svttest.com : PSK "123456"<br>user1 : XAUTH "config123"<br>user2 : XAUTH "config1234"<br>user3 : XAUTH "config12345"<br>testuser1 : XAUTH "4iChxLT3"<br>testuser2 : XAUTH "ryftzG4A"<br><br>-------------------<br></div>attr.conf<br>--------------------<br># Section to specify arbitrary attributes that are assigned to a peer via<br># configuration payload (CP).<br>attr {<br><br> # &lt;attr&gt; is an attribute name or an integer, values can be an IP address,<br> # subnet or arbitrary value.<br> # &lt;attr&gt; =<br> dns = 192.168.2.20, 192.168.2.21<br> nbns = 172.16.1.2, 172.16.1.3<br> # the attribute for local-LAN networks to be excluded from tunneling on the client<br> # #split-exclude = 10.0.0.0/8, 172.31.1.0/24<br> # the attribute for backup-server IP addresses<br> 28681 = 10.232.90.122, 10.232.90.124<br> # the attribute for the default-domain name for the connected client<br> 28674 = svt1test.com<br> # the attribute for split-DNS domain names for the connected client<br> 28675 = svt1test.com svt2test.com<br> # the attribute for the Unity banner for the connected client<br> 28672 = "Welcome ...You are Connected"<br> # Whether to load the plugin. Can also be an integer to increase the<br> # priority of this plugin.<br> load = yes<br><br>}<br><br>------------------<br></div>charon.conf<br>------------------<br></div>Enable/uncomment the 2 options below in this file on the server<br><br> cisco_unity = yes<br><br> i_dont_care_about_security_and_use_aggressive_mode_psk = yes<br><br>--------------<br></div>unity.conf<br>-------------<br>unity {<br><br> # Whether to load the plugin. Can also be an integer to increase the<br> # priority of this plugin.<br> load = yes<br><br>}<br><br>=================================<br><br></div>On client-side (a GW running, say, strongSwan as a client)<br>---------------------------------------------------------------------<br><br></div>ipsec.conf<br>-------------<br>#/etc/ipsec.conf - strongSwan IPsec configuration file<br><br>config setup<br> strictcrlpolicy=no<br> charondebug="ike 1, knl 1, cfg 1"<br> <br>conn %default<br> ikelifetime=8h<br> keylife=3h<br> rekeymargin=9m<br> keyingtries=1<br> mobike=no<br> dpddelay=30s<br> dpdtimeout=120s<br> dpdaction=clear<br><br>conn csvpnclnt1<br> aggressive=yes<br> left=1.1.1.2<br> leftid=@remoteclient.svttest.com<br> leftsourceip=%config<br> leftauth=psk<br> leftauth2=xauth<br> right=1.1.1.3<br> rightid=@vpnsrv1.svttest.com<br> rightauth=psk<br> keyexchange=ikev1<br> ike=aes256-sha1-modp1024<br> esp=aes128-sha1<br> modeconfig=pull<br> xauth=client<br> xauth_identity=user1<br> auto=start<br><br>---------------<br></div>ipsec.secrets<br>----------------<br>#/etc/ipsec.secrets - strongSwan IPsec secrets file<br>@remotclient.svttest.com @vpnsrv1.svttest.com : PSK "123456789"<br>user1 : XAUTH "config123"<br><br>------------------<br>charon.conf<br>------------------<br>Enable/uncomment the 2 options below in this file on the server<br><br> cisco_unity = yes<br><br> i_dont_care_about_security_and_use_aggressive_mode_psk = yes<br><br>--------------<br>unity.conf<br>-------------<br>unity {<br><br> # Whether to load the plugin. Can also be an integer to increase the<br> # priority of this plugin.<br> load = yes<br><br>}<br><br>----------<br></div>resolve.conf<br>--------------------<br><br></div>Uncomment the line below in this plugin file<br><br> file = /etc/resolv.conf<br><br>===============================================<br><br></div>Thanks &amp; regards<br></div>rajiv<br><br><div><div><div><div><br></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Dec 4, 2014 at 3:01 PM, Martin Willi <span dir="ltr">&lt;<a href="mailto:martin@strongswan.org" target="_blank">martin@strongswan.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
> leftsubnet=<a href="http://192.168.2.0/24,172.16.0.0/16" target="_blank">192.168.2.0/24,172.16.0.0/16</a><br>
<br>
Are you using the unity plugin to negotiate multiple subnets in IKEv1?<br>
<br>
> modeconfig=push<br>
<br>
Which of your clients is using push mode? Most of them probably use pull<br>
mode, and you must have the correct mode configured on the used<br>
strongSwan connection for each client.<br>
<br>
> 1. Quick mode is failing when i use shrew-soft-vpn clients (and the server<br>
> is configured with cisco unity extensions in the attr.conf file)<br>
<br>
It seems that it fails because of the wrong modeconfig configuration:<br>
Mode Config is triggered twice in your log, once in push and once in<br>
pull mode. Try to set modeconfig=pull, refer to [1] for details.<br>
<br>
Regards<br>
Martin<br>
<br>
[1]<a href="https://wiki.strongswan.org/issues/764#note-12" target="_blank">https://wiki.strongswan.org/issues/764#note-12</a><br>
<br>
</blockquote></div><br></div>
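<p>As an added example (not code from this thread and not strongSwan's own), the checker below parses ipsec.conf text of the shape posted above, merges <code>conn %default</code> into each conn, and flags the settings a reviewer would question in these configs: IKEv1 aggressive mode combined with PSK authentication (the combination charon gates behind <code>i_dont_care_about_security_and_use_aggressive_mode_psk</code>), legacy algorithms in <code>ike=</code>/<code>esp=</code>, an XAUTH role without the matching second authentication round, and the Mode Config push/pull mismatch Martin diagnosed. The sample configs are constructed, trimmed from the ones in this mail; the <code>ikev2clients</code> conn is a hypothetical IKEv2 counterpart added for contrast.</p>

```python
"""Audit strongSwan ipsec.conf settings of the kind discussed in the thread.

Added example, not strongSwan's or the poster's code. Parses the
indentation-based ipsec.conf layout (section headers at column 0, settings
indented), merges 'conn %default' into every conn, and reports findings.
"""
import re

# Constructed sample, trimmed from the server-side config in the thread,
# plus a hypothetical IKEv2 conn (not from the thread) for contrast.
SAMPLE_SERVER_CONF = """\
config setup
 strictcrlpolicy=no

conn %default
 ikelifetime=8h
 keyingtries=1

conn cscovpnclients1
 aggressive=yes
 leftauth=psk
 right=%any
 rightauth=psk
 rightauth2=xauth
 keyexchange=ikev1
 ike=aes256-sha1-modp1024
 esp=aes128-sha1
 xauth=server
 modeconfig=pull
 auto=add

conn ikev2clients  # hypothetical hardened counterpart
 leftauth=pubkey
 right=%any
 rightauth=eap-mschapv2
 keyexchange=ikev2
 ike=aes256gcm16-prfsha384-ecp384
 esp=aes256gcm16
 auto=add
"""

# Constructed sample, trimmed from the client-side config in the thread.
SAMPLE_CLIENT_CONF = """\
conn csvpnclnt1
 aggressive=yes
 leftauth=psk
 leftauth2=xauth
 right=1.1.1.3
 rightauth=psk
 keyexchange=ikev1
 ike=aes256-sha1-modp1024
 esp=aes128-sha1
 modeconfig=pull
 xauth=client
 auto=start
"""

# Legacy primitives that still appear in IKEv1 proposals; flagged, not rejected.
LEGACY_TOKENS = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}


def parse_ipsec_conf(text):
    """Return {conn_name: settings} with 'conn %default' merged into each conn.
    Other sections (e.g. 'config setup') are parsed but not returned."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header at column 0
            kind, _, name = line.partition(" ")
            current = (kind, name.strip())
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        key, sep, value = line.strip().partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **values}
            for (kind, name), values in sections.items()
            if kind == "conn" and name != "%default"}


def audit_conn(name, conn):
    """Return a list of findings for one conn whose settings are already merged."""
    findings = []
    uses_psk = "psk" in (conn.get("leftauth"), conn.get("rightauth"))
    if conn.get("aggressive") == "yes" and uses_psk:
        # Aggressive mode sends the PSK-derived authentication hash before the
        # exchange is encrypted; charon therefore refuses it unless the
        # i_dont_care_about_security_and_use_aggressive_mode_psk option is set.
        findings.append(f"{name}: IKEv1 aggressive mode with PSK authentication")
    for key in ("ike", "esp"):
        tokens = set(re.split(r"[-,!]", conn.get(key, "")))
        legacy = sorted(tokens & LEGACY_TOKENS)
        if legacy:
            findings.append(f"{name}: legacy {key} algorithms {', '.join(legacy)}")
    role = conn.get("xauth")   # XAUTH needs a matching second auth round
    if role == "server" and conn.get("rightauth2") != "xauth":
        findings.append(f"{name}: xauth=server without rightauth2=xauth")
    if role == "client" and conn.get("leftauth2") != "xauth":
        findings.append(f"{name}: xauth=client without leftauth2=xauth")
    return findings


def audit(text):
    """Audit every conn in an ipsec.conf text, returning all findings in order."""
    return [f for name, conn in parse_ipsec_conf(text).items()
            for f in audit_conn(name, conn)]


def modeconfig_matches(server_conn, client_conn):
    """Martin's point in the thread: Mode Config push/pull must agree on both
    ends. strongSwan's default is pull, so an unset value counts as pull."""
    return server_conn.get("modeconfig", "pull") == client_conn.get("modeconfig", "pull")


if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVER_CONF) + audit(SAMPLE_CLIENT_CONF):
        print(finding)
    server = parse_ipsec_conf(SAMPLE_SERVER_CONF)["cscovpnclients1"]
    client = parse_ipsec_conf(SAMPLE_CLIENT_CONF)["csvpnclnt1"]
    print("modeconfig agrees:", modeconfig_matches(server, client))
```

<p>Run against the two constructed samples it reports three findings for each IKEv1 conn (aggressive mode with PSK, <code>modp1024</code>/<code>sha1</code> in the IKE proposal, <code>sha1</code> in the ESP proposal) and none for the IKEv2 conn; <code>modeconfig_matches</code> returns true for the posted pull/pull pair and false as soon as one side is switched to push, which is the mismatch Martin pointed out.</p>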