<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Noel,<br>
<br>
why is 'ipsec up union' saying that the connection was established
successfully?<br>
<br>
Here is the output of 'ip route' and 'ip address':<br>
<br>
<tt>root@vpn-server:~# ip route<br>
default via 176.94.x.x dev eth1 <br>
176.94.x.x/29 dev eth1 proto kernel scope link src 176.94.x.x
metric 1 <br>
192.168.1.0/24 dev eth0 proto kernel scope link src
192.168.1.152 metric 1</tt><br>
<tt>root@vpn-server:~# ip address</tt><tt><br>
</tt><tt>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
state UNKNOWN group default </tt><tt><br>
</tt><tt> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00</tt><tt><br>
</tt><tt> inet 127.0.0.1/8 scope host lo</tt><tt><br>
</tt><tt> valid_lft forever preferred_lft forever</tt><tt><br>
</tt><tt> inet6 ::1/128 scope host </tt><tt><br>
</tt><tt> valid_lft forever preferred_lft forever</tt><tt><br>
</tt><tt>2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
qdisc pfifo_fast state UP group default qlen 1000</tt><tt><br>
</tt><tt> link/ether c4:6e:1f:06:xx:xx brd ff:ff:ff:ff:ff:ff</tt><tt><br>
</tt><tt> inet 192.168.1.152/24 brd 192.168.1.255 scope global
eth0</tt><tt><br>
</tt><tt> valid_lft forever preferred_lft forever</tt><tt><br>
</tt><tt> inet6 fe80::c66e:1fff:xxxx:xxxx/64 scope link </tt><tt><br>
</tt><tt> valid_lft forever preferred_lft forever</tt><tt><br>
</tt><tt>3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
qdisc pfifo_fast state UNKNOWN group default qlen 1000</tt><tt><br>
</tt><tt> link/ether 00:1b:fc:90:xx:xx brd ff:ff:ff:ff:ff:ff</tt><tt><br>
</tt><tt> inet 176.94.x.x/29 brd 176.94.x.x scope global eth1</tt><tt><br>
</tt><tt> valid_lft forever preferred_lft forever</tt><tt><br>
</tt><tt> inet6 fe80::21b:fcff:xxxx:xxxx/64 scope link </tt><tt><br>
</tt><tt> valid_lft forever preferred_lft forever</tt><br>
<br>
Would it help if there were a more verbose output? How can I achieve
this?<br>
<br>
BTW this is the form I got from the other side so that I can
configure my side:<br>
<br>
<tt>IKE Phase 1<br>
Mode: Main Mode<br>
Authentication Method: Preshared Key<br>
Encryption: AES256<br>
Hashing Algorithm: SHA256<br>
Lifetime seconds: 86400s<br>
Diffie-Hellman group: DH Group 14<br>
<br>
Site A<br>
Gateway IP: 83.136.y.y<br>
Gateway Identification: 83.136.y.y<br>
<br>
Site B<br>
Gateway IP: 176.94.x.x<br>
Gateway Identification: 176.94.x.x<br>
<br>
IKE Phase 2<br>
Protocol: ESP<br>
Encapsulation Mode: Tunnel<br>
Encryption: AES256<br>
Hashing Algorithm: SHA256<br>
Lifetime seconds: 3600s<br>
Lifetime kbytes: 4608000kb<br>
Perfect forward secrecy: DH Group 14<br>
<br>
Site A Encryption Domain: 10.251.0.0/16<br>
Site B Encryption Domain: 10.100.1.0/24</tt><br>
<br>
Maybe there is also a failure in my configuration.<br>
<br>
Best Regards,<br>
Nicolas<br>
<br>
On 09.06.2015 at 17:54, Noel Kuntze wrote:<br>
<blockquote type="cite">Hello Nicolas,<br>
<br>
Output of "route" or "ifconfig" is useless. Please only post
output<br>
that "iproute2" produces. E.g: ip route, ip address<br>
<br>
The connection doesn't get initiated correctly. The other side
deletes the IKE SA<br>
after it gets established:<br>
<br>
> received packet: from 83.136.y.y[500] to 176.94.x.x[500] (108
bytes)<br>
> parsed INFORMATIONAL_V1 request 2733943088 [ HASH D ]<br>
> received DELETE for IKE_SA union[1]<br>
> deleting IKE_SA union[1] between
176.94.x.x[176.94.x.x]...83.136.y.y[83.136.y.y]<br>
> initiating Main Mode IKE_SA union[2] to 83.136.y.y<br>
<br>
Examine the other side and find out why that happens.<br>
<br>
<br>
Kind Regards,<br>
Noel Kuntze<br>
<br>
GPG Key ID: 0x63EC6658<br>
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
<br>
On 09.06.2015 at 14:11, Nicolas Göddel wrote:<br>
> Hi,<br>
<br>
> I am new to the topics of VPN, IPSec, route, iptables, etc.<br>
<br>
> I have the scenario mentioned in the attachment. My IPSec
Gateway is a Lubuntu with two network interfaces. eth0 is
connected to the internal LAN. There is a switch which connects a
few Windows computers with a Cisco RV042 router and the Lubuntu
(IPSec Gateway). The Cisco gives internet access over a fast
internet connection and has DHCP enabled so that all Windows
computers get their IP address from this router and are able to
use the internet. At the moment Lubuntu is configured with a static IP
within the subnet 192.168.1.0/24. Connected to eth1 is a
second modem with the static IP 176.94.x.x which should be used to
create a Site-to-Site IPSec connection to another company.<br>
<br>
> _route looks like this:_<br>
<br>
> root@vpn-server:~# LANG=C route<br>
> Kernel IP routing table<br>
> Destination Gateway Genmask Flags Metric
Ref Use Iface<br>
> default business-176-09 0.0.0.0 UG 0
0 0 eth1<br>
> 176.94.52.88 * 255.255.255.248 U 1
0 0 eth1<br>
> 192.168.1.0 * 255.255.255.0 U 1
0 0 eth0<br>
<br>
> _This is /etc/ipsec.conf:_<br>
<br>
> config setup<br>
> charondebug="cfg 2, dmn 2, ike 2, net 2"<br>
<br>
> conn %default<br>
<br>
> conn union<br>
> left=176.94.x.x<br>
> leftsubnet=10.100.1.0/24<br>
> leftsourceip=10.100.1.1<br>
> leftfirewall=yes<br>
> right=83.136.y.y<br>
> rightsubnet=10.251.0.0/16<br>
> auto=add<br>
> ikelifetime=24h<br>
> lifetime=1h<br>
> type=tunnel<br>
> lifebytes=4718592000<br>
> ike=aes256-sha256-modp2048<br>
> esp=aes256-sha256-modp2048<br>
> authby=psk<br>
> keyexchange=ikev1<br>
> lefthostaccess=yes<br>
<br>
> _This is /etc/strongswan.conf:_<br>
<br>
> charon {<br>
> load_modular = yes<br>
> plugins {<br>
> include strongswan.d/charon/*.conf<br>
> }<br>
> }<br>
<br>
> include strongswan.d/*.conf<br>
<br>
> _This is ifconfig -a:_<br>
<br>
> root@vpn-server:~# ifconfig -a<br>
> eth0 Link encap:Ethernet Hardware Adresse
c4:6e:1f:06:10:90<br>
> inet Adresse:192.168.1.152 Bcast:192.168.1.255
Maske:255.255.255.0<br>
> inet6-Adresse: fe80::c66e:1fff:fe06:1090/64
Gültigkeitsbereich:Verbindung<br>
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1<br>
> RX-Pakete:1355634 Fehler:0 Verloren:360 Überläufe:0
Fenster:0<br>
> TX-Pakete:12684 Fehler:0 Verloren:0 Überläufe:0
Träger:0<br>
> Kollisionen:0 Sendewarteschlangenlänge:1000<br>
> RX-Bytes:113088435 (113.0 MB) TX-Bytes:1505232
(1.5 MB)<br>
<br>
> eth1 Link encap:Ethernet Hardware Adresse
00:1b:fc:90:80:51<br>
> inet Adresse:176.94.x.x Bcast:176.94.x.x
Maske:255.255.255.248<br>
> inet6-Adresse: fe80::21b:fcff:xxxx:xxxx/64
Gültigkeitsbereich:Verbindung<br>
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1<br>
> RX-Pakete:1955017 Fehler:0 Verloren:0 Überläufe:0
Fenster:0<br>
> TX-Pakete:1898517 Fehler:0 Verloren:0 Überläufe:0
Träger:0<br>
> Kollisionen:0 Sendewarteschlangenlänge:1000<br>
> RX-Bytes:472209413 (472.2 MB) TX-Bytes:443885596
(443.8 MB)<br>
<br>
> lo Link encap:Lokale Schleife<br>
> inet Adresse:127.0.0.1 Maske:255.0.0.0<br>
> inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine<br>
> UP LOOPBACK RUNNING MTU:65536 Metrik:1<br>
> RX-Pakete:10137 Fehler:0 Verloren:0 Überläufe:0
Fenster:0<br>
> TX-Pakete:10137 Fehler:0 Verloren:0 Überläufe:0
Träger:0<br>
> Kollisionen:0 Sendewarteschlangenlänge:0<br>
> RX-Bytes:1341831 (1.3 MB) TX-Bytes:1341831 (1.3
MB)<br>
<br>
> _This is starting ipsec:_<br>
<br>
> root@vpn-server:~# ipsec start<br>
> Starting strongSwan 5.1.2 IPsec [starter]...<br>
> root@vpn-server:~# ipsec up union<br>
> initiating Main Mode IKE_SA union[1] to 83.136.y.y<br>
> generating ID_PROT request 0 [ SA V V V V ]<br>
> sending packet: from 176.94.x.x[500] to 83.136.y.y[500] (196
bytes)<br>
> received packet: from 83.136.y.y[500] to 176.94.x.x[500] (108
bytes)<br>
> parsed ID_PROT response 0 [ SA V ]<br>
> received NAT-T (RFC 3947) vendor ID<br>
> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]<br>
> sending packet: from 176.94.x.x[500] to 83.136.y.y[500] (396
bytes)<br>
> received packet: from 83.136.y.y[500] to 176.94.x.x[500] (456
bytes)<br>
> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]<br>
> received Cisco Unity vendor ID<br>
> received DPD vendor ID<br>
> received unknown vendor ID:
75:37:a8:c7:39:54:ff:f2:a8:f6:8d:a3:d4:0b:63:11<br>
> received XAuth vendor ID<br>
> generating ID_PROT request 0 [ ID HASH ]<br>
> sending packet: from 176.94.x.x[500] to 83.136.y.y[500] (92
bytes)<br>
> received packet: from 83.136.y.y[500] to 176.94.x.x[500] (92
bytes)<br>
> parsed ID_PROT response 0 [ ID HASH ]<br>
> IKE_SA union[1] established between
176.94.x.x[176.94.x.x]...83.136.y.y[83.136.y.y]<br>
> scheduling reauthentication in 85375s<br>
> maximum IKE_SA lifetime 85915s<br>
> generating TRANSACTION request 247522367 [ HASH CPRQ(ADDR
DNS) ]<br>
> sending packet: from 176.94.x.x[500] to 83.136.y.y[500] (92
bytes)<br>
> received packet: from 83.136.y.y[500] to 176.94.x.x[500] (108
bytes)<br>
> parsed INFORMATIONAL_V1 request 2733943088 [ HASH D ]<br>
> received DELETE for IKE_SA union[1]<br>
> deleting IKE_SA union[1] between
176.94.x.x[176.94.x.x]...83.136.y.y[83.136.y.y]<br>
> initiating Main Mode IKE_SA union[2] to 83.136.y.y<br>
> generating ID_PROT request 0 [ SA V V V V ]<br>
> sending packet: from 176.94.x.x[500] to 83.136.y.y[500] (196
bytes)<br>
> connection 'union' established successfully<br>
> root@vpn-server:~# ipsec status<br>
> Security Associations (1 up, 0 connecting):<br>
> union[1627]: CONNECTING,
176.94.x.x[%any]...83.136.y.y[%any]<br>
<br>
> Now I want to be able to ping the computer on the other side
with the IP address 10.251.232.75 from Lubuntu. What do I have to do?<br>
> Later I want to be able to connect from any Windows PC to
10.251.232.75. What do I have to do then?<br>
> I can assume that the other side is configured correctly, so
that I should be able to ping 10.251.232.75 from my side. But
first I have to do things right on my side.<br>
<br>
> I thought strongswan would create a virtual interface like
openvpn does. I guess this way I would be able to use this virtual
interface as a gateway to the VPN/IPSec tunnel.<br>
> What do I need, where can I read about this scenario? Do you
need more information?<br>
<br>
> Thank you!<br>
<br>
> --<br>
> ——————————————————————————————————————————————<br>
> Homepage: <a class="moz-txt-link-freetext" href="http://freakscorner.de">http://freakscorner.de</a><br>
> Facebook: <a class="moz-txt-link-freetext" href="http://www.facebook.com/Bastelkeller">http://www.facebook.com/Bastelkeller</a><br>
> Twitter: <a class="moz-txt-link-freetext" href="http://twitter.com/freaks_corner">http://twitter.com/freaks_corner</a><br>
> Youtube: <a class="moz-txt-link-freetext" href="http://youtube.com/tubenic86">http://youtube.com/tubenic86</a><br>
<br>
<br>
> _______________________________________________<br>
> Users mailing list<br>
> <a class="moz-txt-link-abbreviated" href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
> <a class="moz-txt-link-freetext" href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a><br>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="80">--
——————————————————————————————————————————————
Homepage: <a class="moz-txt-link-freetext" href="http://freakscorner.de">http://freakscorner.de</a>
Facebook: <a class="moz-txt-link-freetext" href="http://www.facebook.com/Bastelkeller">http://www.facebook.com/Bastelkeller</a>
Twitter: <a class="moz-txt-link-freetext" href="http://twitter.com/freaks_corner">http://twitter.com/freaks_corner</a>
Youtube: <a class="moz-txt-link-freetext" href="http://youtube.com/tubenic86">http://youtube.com/tubenic86</a></pre>
<br>
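Two things in this thread are worth checking mechanically rather than by eye: Noel's point that the "connection 'union' established successfully" summary says nothing about whether the peer kept the IKE_SA (the log above shows a DELETE arriving right after establishment, and <tt>ipsec status</tt> shows CONNECTING), and Nicolas' question of whether his conn section actually matches the parameter sheet the other side sent. The script below is an added example written for this page; it is not part of the thread and not strongSwan code. It replays the <tt>ipsec up</tt> log lines in order and reports what survived, and it compares the ipsec.conf values to the sheet (proposal names, lifetimes in seconds and bytes, encryption domains). The DH group table, the dict layouts and the sample inputs are my own constructions built from what the mails show; the note about <tt>leftsourceip</tt> records the strongSwan behaviour that this option makes charon send a configuration-payload request (the <tt>TRANSACTION ... CPRQ</tt> line in the log), which the sheet does not describe, but the thread itself does not establish that this is why the peer sends DELETE.

```python
import re

# Constructed sample: the "ipsec up union" lines from the thread (strongSwan 5.1.2),
# trimmed to the lines the analysis keys on, addresses masked as in the mail.
SAMPLE_LOG = """\
> initiating Main Mode IKE_SA union[1] to 83.136.y.y
> generating ID_PROT request 0 [ SA V V V V ]
> parsed ID_PROT response 0 [ ID HASH ]
> IKE_SA union[1] established between 176.94.x.x[176.94.x.x]...83.136.y.y[83.136.y.y]
> scheduling reauthentication in 85375s
> generating TRANSACTION request 247522367 [ HASH CPRQ(ADDR DNS) ]
> parsed INFORMATIONAL_V1 request 2733943088 [ HASH D ]
> received DELETE for IKE_SA union[1]
> deleting IKE_SA union[1] between 176.94.x.x[176.94.x.x]...83.136.y.y[83.136.y.y]
> initiating Main Mode IKE_SA union[2] to 83.136.y.y
> connection 'union' established successfully
"""

# The conn section from the thread's /etc/ipsec.conf, as a dict (constructed).
SAMPLE_CONN = {
    "left": "176.94.x.x", "leftsubnet": "10.100.1.0/24", "leftsourceip": "10.100.1.1",
    "right": "83.136.y.y", "rightsubnet": "10.251.0.0/16",
    "ikelifetime": "24h", "lifetime": "1h", "lifebytes": "4718592000",
    "ike": "aes256-sha256-modp2048", "esp": "aes256-sha256-modp2048",
    "keyexchange": "ikev1",
}

# The peer's parameter sheet from the thread, normalised to plain values (constructed).
SAMPLE_FORM = {
    "p1": ("AES256", "SHA256", 14), "p1_lifetime_s": 86400,
    "p2": ("AES256", "SHA256", 14), "p2_lifetime_s": 3600, "p2_lifetime_kb": 4608000,
    "site_a_domain": "10.251.0.0/16", "site_b_domain": "10.100.1.0/24",
}

IKE_UP = re.compile(r"IKE_SA (\S+)\[(\d+)\] established")
IKE_DELETED = re.compile(r"received DELETE for IKE_SA (\S+)\[(\d+)\]")
CHILD_UP = re.compile(r"CHILD_SA (\S+)\{(\d+)\} established")
CPRQ = re.compile(r"generating TRANSACTION request .*CPRQ")
SUMMARY = re.compile(r"connection '(\S+)' established successfully")


def analyse_ike_log(text):
    """Replay the log in order and say whether a usable tunnel came out of it.

    The "established successfully" line only reports that the initiator finished
    its own exchange; a DELETE from the peer, or no CHILD_SA at all, means there
    is no tunnel regardless of that summary.
    """
    ike_up, ike_deleted, child_up = set(), set(), set()
    cprq = summary = False
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()          # tolerate mail quoting
        if m := IKE_UP.search(line):
            ike_up.add(m.group(2))
        elif m := IKE_DELETED.search(line):
            ike_deleted.add(m.group(2))
        elif m := CHILD_UP.search(line):
            child_up.add(m.group(2))
        elif CPRQ.search(line):
            cprq = True
        elif SUMMARY.search(line):
            summary = True
    surviving = ike_up - ike_deleted
    return {
        "ike_sas_established": sorted(ike_up),
        "ike_sas_deleted_by_peer": sorted(ike_deleted),
        "child_sas_established": sorted(child_up),
        "mode_config_requested": cprq,
        "summary_claims_success": summary,
        "tunnel_usable": bool(surviving) and bool(child_up),
    }


# Map of strongSwan DH group keywords to the IANA group numbers the sheet uses (assumed subset).
DH_GROUPS = {"modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15, "modp4096": 16}


def seconds(value):
    """ipsec.conf time value ('24h', '1h', '3600s', '3600') to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value {value!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]


def proposal(spec):
    """First proposal of an ike=/esp= string: 'aes256-sha256-modp2048!' -> ('AES256', 'SHA256', 14)."""
    enc, integ, dh = spec.rstrip("!").split(",")[0].split("-")[:3]
    return enc.upper(), integ.upper(), DH_GROUPS[dh]


def check_against_form(conn, form):
    """Return the list of places where the conn section disagrees with the peer's sheet."""
    problems = []
    if proposal(conn["ike"]) != form["p1"]:
        problems.append(f"phase 1: {proposal(conn['ike'])} vs sheet {form['p1']}")
    if proposal(conn["esp"]) != form["p2"]:
        problems.append(f"phase 2: {proposal(conn['esp'])} vs sheet {form['p2']}")
    if seconds(conn["ikelifetime"]) != form["p1_lifetime_s"]:
        problems.append("ikelifetime differs from phase 1 lifetime")
    if seconds(conn["lifetime"]) != form["p2_lifetime_s"]:
        problems.append("lifetime differs from phase 2 lifetime")
    if int(conn["lifebytes"]) != form["p2_lifetime_kb"] * 1024:
        problems.append("lifebytes differs from phase 2 kbyte lifetime")
    if conn.get("leftsubnet") != form["site_b_domain"] or conn.get("rightsubnet") != form["site_a_domain"]:
        problems.append("encryption domains differ from leftsubnet/rightsubnet")
    if "leftsourceip" in conn:
        problems.append("leftsourceip makes charon request a virtual IP with a configuration "
                        "payload (the CPRQ TRANSACTION in the log); the sheet has no such step")
    return problems


if __name__ == "__main__":
    for k, v in analyse_ike_log(SAMPLE_LOG).items():
        print(f"{k}: {v}")
    for p in check_against_form(SAMPLE_CONN, SAMPLE_FORM):
        print("mismatch:", p)
```

On the sample from the thread the replay reports that IKE_SA 1 was established and then deleted by the peer, no CHILD_SA was ever created, and the summary line still claimed success, so <tt>tunnel_usable</tt> is False; the sheet comparison finds the proposals, lifetimes and encryption domains consistent (4608000 kB is exactly 4718592000 bytes) and flags only the <tt>leftsourceip</tt> line.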
</body>
</html>