<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hello all,</p>
<p>I'm trying to connect to my company's network. They have a
Juniper SRX-100 as VPN Gateway, which is working fine as tested
with other VPN clients. I'm using strongswan 5.5.3.<br>
</p>
<p>I'm using IKEv1 aggressive mode, PSK+XAUTH. The connection is
established, but I cannot ping any member of the company network.</p>
<p>Ipsec log:<br>
</p>
<p><font size="-1">initiating Aggressive Mode IKE_SA company[2] to
10.0.0.1<br>
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]<br>
sending packet: from 192.168.1.204[500] to 10.0.0.1[500] (503
bytes)<br>
received packet: from 10.0.0.1[500] to 192.168.1.204[500] (492
bytes)<br>
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D
NAT-D ]<br>
received DPD vendor ID<br>
received NAT-T (RFC 3947) vendor ID<br>
received unknown vendor ID:
69:93:69:22:87:41:c6:d4:ca:09:4c:93:e2:42:c9:de:19:e7:b7:c6:00:00:00:05:00:00:05:00<br>
local host is behind NAT, sending keep alives<br>
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]<br>
sending packet: from 192.168.1.204[4500] to 10.0.0.1[4500] (140
bytes)<br>
received packet: from 10.0.0.1[4500] to 192.168.1.204[4500] (92
bytes)<br>
parsed TRANSACTION request 199491043 [ HASH CPRQ(X_USER X_PWD) ]<br>
generating TRANSACTION response 199491043 [ HASH CPRP(X_USER
X_PWD) ]<br>
sending packet: from 192.168.1.204[4500] to 10.0.0.1[4500] (108
bytes)<br>
received packet: from 10.0.0.1[4500] to 192.168.1.204[4500] (76
bytes)<br>
parsed TRANSACTION request 3502630840 [ HASH CPS(X_STATUS) ]<br>
XAuth authentication of 'USER' (myself) successful<br>
IKE_SA company[2] established between
192.168.1.204[company@SRX100-local.de]...10.0.0.1[10.0.0.1]<br>
scheduling reauthentication in 3402s<br>
maximum IKE_SA lifetime 3582s<br>
generating TRANSACTION response 3502630840 [ HASH CPA(X_STATUS)
]<br>
sending packet: from 192.168.1.204[4500] to 10.0.0.1[4500] (92
bytes)<br>
generating QUICK_MODE request 2418923618 [ HASH SA No KE ID ID ]<br>
sending packet: from 192.168.1.204[4500] to 10.0.0.1[4500] (396
bytes)<br>
received packet: from 10.0.0.1[4500] to 192.168.1.204[4500] (124
bytes)<br>
queueing TRANSACTION request as tasks still active<br>
received packet: from 10.0.0.1[4500] to 192.168.1.204[4500] (364
bytes)<br>
parsed QUICK_MODE response 2418923618 [ HASH SA No KE ID ID ]<br>
connection 'company' established successfully</font></p>
<p>ipsec.conf</p>
<p><font size="-1">config setup<br>
charondebug="ike 3, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr
2"<br>
<br>
conn %default<br>
ikelifetime=60m<br>
keylife=20m<br>
rekeymargin=3m<br>
keyingtries=1<br>
keyexchange=ikev1<br>
<br>
<br>
conn company<br>
left=%any<br>
leftid=company@SRX100-local.de<br>
leftauth=psk<br>
leftauth2=xauth<br>
right=subdomain.company.com<br>
rightsubnet=192.168.xx.0/24<br>
rightid=10.0.0.1<br>
rightauth=psk<br>
auto=add<br>
xauth_identity=USER<br>
esp=aes256-sha1-modp1536<br>
ike=aes256-sha2_256-modp1536<br>
aggressive=yes</font></p>
<p>I searched but did not find a solution to this problem. Did
anybody ever have this problem?</p>
<p>I also posted on serverfault:
<a class="moz-txt-link-freetext" href="https://serverfault.com/questions/864799/strongswan-vpn-successfull-but-cannot-ping-anything">https://serverfault.com/questions/864799/strongswan-vpn-successfull-but-cannot-ping-anything</a></p>
<p>I'd really appreciate some help or hint.</p>
<p>Thank you very much and best regards,</p>
<p>David Sautter<br>
</p>
</body>
</html>